Internet Banking News

June 18, 2017

Newsletter Content	FFIEC IT Security	FFIEC & ADA Web Site Audits
Web Site Compliance	NIST Handbook	Penetration Testing

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Frequently Asked Questions to Supplement - OCC Bulletin 2013-29 - The Office of the Comptroller of the Currency (OCC) is issuing frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin-2017-21.html “

The Behavioral Economics of Why Executives Underinvest in Cybersecurity - Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. https://hbr.org/2017/06/the-behavioral-economics-of-why-executives-underinvest-in-cybersecurity

Cybercriminals switch from automated attacks methods to targeting humans - It would seem people are their own worst enemy when it comes to protecting their data and cybercriminals have fully taken advantage of this fact. https://www.scmagazine.com/cybercriminals-switch-from-automated-attacks-methods-to-targeting-humans/article/667076/

Quantum-powered random numbers could provide key to better cryptography - True randomness is impossible to achieve with conventional hardware, and some applications are terrible at it, but are our current random number generators 'good enough' and is it worth using quantum technology to achieve better randomness? https://www.scmagazine.com/quantum-powered-random-numbers-could-provide-key-to-better-cryptography/article/667362/

Memory-based attacks on printers on the rise, says HP - Increase in use of printers as an attack vector for hackers: recommended that purchasing decisions include security considerations, not just price. https://www.scmagazine.com/infosec-2017-memory-based-attacks-on-printers-on-the-rise-says-hp/article/667365/

Crying wolf: Combatting cybersecurity alert fatigue - Not only must security pros contend with ever-increasing attacks to their networks, they also must finagle the tool sets guarding their systems to make certain settings are as they should be, reports Greg Masters. https://www.scmagazine.com/crying-wolf-combatting-cybersecurity-alert-fatigue/article/667677/

Government System Integrators Where Cybersecurity Ninjas Most Want To Work - Using a metric identified in the 2016 Center for Strategic and International Studies (CSIS) report Recruiting and Retaining Cyber Ninjas, we identified 57 large government IT system integrators that have built teams of cyber ninjas at rates ahead of their peers and eight of those firms that have had remarkable success in recruiting and retaining ninjas. https://www.sans.org/best-places-to-work-for-cyber-ninjas?ref=195285

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - China-based Apple contractors caught selling customer data - Authorities in China have unmasked a massive underground market where Apple contractors were selling user data of Apple's Chinese customers. https://www.scmagazine.com/china-based-apple-contractors-caught-selling-customer-data/article/667675/

Al Jazeera sites being hacked, FBI assisting in investigation - An FBI team is onsite in Qatar following "systematic and continual hacking attempts" on the websites and other digital platforms of the Al Jazeera Media Network. https://www.scmagazine.com/al-jazeera-sites-being-hacked-fbi-assisting-in-investigation/article/667500/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (4 of 12)

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

  SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS

  Frequently TSPs or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, and an auditor's report. The auditor's report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

  A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

  Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless requested by the TSP or augmented with additional coverage. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks. Therefore, financial institutions may require additional reports to oversee the security program of the service provider.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS

11.2 Step 2: Identifying the Resources That Support Critical Functions

Resources That Support Critical Functions:
! Human Resources
! Processing Capability
! Computer-Based Services
! Data and Applications
! Physical Infrastructure
! Documents and Papers

11.2.1 Human Resources

People are perhaps an organization's most obvious resource. Some functions require the effort of specific individuals, some require specialized expertise, and some only require individuals who can be trained to perform a specific task. Within the information technology field, human resources include both operators (such as technicians or system programmers) and users (such as data entry clerks or information analysts).

11.2.2 Processing Capability

Contingency Planning Teams - To understand what resources are needed from each of the six resource categories and to understand how the resources support critical functions, it is often necessary to establish a contingency planning team. A typical team contains representatives from various organizational elements, and is often headed by a contingency planning coordinator. It has representatives from the following three groups:

1) business-oriented groups , such as representatives from functional areas;

2) facilities management; and

3) technology management.

Various other groups are called on as needed including financial management, personnel, training, safety, computer security, physical security, and public affairs.

Traditionally contingency planning has focused on processing power (i.e., if the data center is down, how can applications dependent on it continue to be processed?). Although the need for data center backup remains vital, today's other processing alternatives are also important. Local area networks (LANs), minicomputers, workstations, and personal computers in all forms of centralized and distributed processing may be performing critical tasks.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.