R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

June 19, 2016

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Report finds millions of firewall ports left open unnecessarily - A survey of all the ports on the internet is designed to provide decision-makers with the statistical information they need to make informed decisions on engineering the internet - and reveals many, many are open to hackers. http://www.scmagazine.com/report-finds-millions-of-firewall-ports-left-open-unnecessarily/article/502298/

FYI - U.S. Cyber Command struggles to retain top cybersecurity talent - At U.S. Cyber Command, the top brass has made recruiting top talent a leading priority, but those efforts have been slowed by challenges in attracting and retaining the next generation of cyber warriors. http://www.cio.com/article/3080014/government/u-s-cyber-command-struggles-to-retain-top-cybersecurity-talent.html

FYI - U.S. warns banks on cyber threat after Bangladesh heist - U.S. regulators on Tuesday told banks to review cyber-security protections against fraudulent money transfers in the wake of revelations that a hacking group used such messages to steal $81 million from the Bangladesh central bank. http://www.reuters.com/article/us-cyber-heist-regulator-idUSKCN0YT25H

FYI - New device can allegedly clone 15 contactless bank cards a second - The device, named the Contactless Infusion X5, can read any bank card from 8cm away and will read 1024 bytes per second, equivalent to 15 bank cards per second. http://www.scmagazine.com/new-device-can-allegedly-clone-15-contactless-bank-cards-a-second/article/502599/

FYI - 66% of IT pros think their companies' cyberincident response plans are ineffective - Companies are failing to develop, update and execute successful incident response plans in the event of a damaging cyberattack. http://www.scmagazine.com/survey-66-of-it-pros-think-their-companies-cyberincident-response-plans-are-ineffective/article/502798/

FYI - Monitoring of Medical Device Security to Be Scrutinized - OIG Also Criticizes Washington State Health Insurance Exchange's Security Measures - A federal watchdog agency has updated its priorities for security-related reviews of Department of Health and Human Services' agencies and programs this year. http://www.govinfosecurity.com/monitoring-medical-device-security-to-be-scrutinized-a-9189

FYI - Panel Reaches Preliminary Agreement on Airliner Cybersecurity Standards - Proposals include cockpit alerts in event that critical safety systems are hacked - A panel of government and aviation-industry experts has reached a preliminary agreement on proposed cybersecurity standards for airliners, including the concept of cockpit alerts in the event that critical safety systems are hacked, according to people familiar with the matter. http://www.wsj.com/articles/panel-reaches-preliminary-agreement-on-airliner-cybersecurity-standards-1465848030

FYI - FBI "facing" questions over its facial recognition database - The U.S. Government Accountability Office has a few questions it would like the Federal Bureau of Investigation (FBI) to answer about its facial recognition database that contains 411 million photos. http://www.scmagazine.com/fbi-facing-questions-over-its-facial-recognition-database/article/503682/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - University pays $20,000 to ransomware hackers - The University of Calgary transferred 20,000 Canadian dollars' worth of bitcoins ($15,780; £10,840) after it was unable to unwind damage caused by a type of attack known as ransomware. http://www.bbc.com/news/technology-36478650

FYI - There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier - When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained. http://krebsonsecurity.com/2016/06/theres-the-beef-wendys-breach-numbers-about-to-get-much-meatier/

FYI - Louisiana grapples with hurricanes, gators, now a hacker who posted data of 290K citizens on dark web - Looks like hurricanes, gators and massive flooding aren't the only woes that Louisianans must grapple with – now a hacker has put drivers' license and other personal information on 290,000 of the bayou state's citizens for sale on the dark web. http://www.scmagazine.com/louisiana-grapples-with-hurricanes-gators-now-a-hacker-who-posted-data-of-290k-citizens-on-dark-web/article/502789/

FYI - South Korea thwarted massive cyberattack by North targeting 140,000 government and private systems - North Korea-based hackers breached more than 140,000 computers of South Korean government agencies and firms, and allegedly planted malicious software in the systems. http://www.ibtimes.co.uk/south-korea-thwarted-massive-cyberattack-by-north-targeting-140000-government-private-systems-1565107

FYI - Russian hackers access Trump files in DNC hack - In the height of a heated presidential election year, where the rhetoric about the GOP and Democratic presumptive nominees has reached a fevered pitch, Russian government hackers apparently broke into the Democratic National Committee (DNC) computer system and accessed the party's entire database on Republican candidate Donald Trump. http://www.scmagazine.com/russian-hackers-access-trump-files-in-dnc-hack/article/503051/

FYI - Lone hacker reportedly takes credit for DNC intrusions, releases opposition files on Trump - A lone hacker claimed responsibility Wednesday for breaking into the Democratic National Committee (DNC) computer systems last summer and allegedly released the contents of the DNC's opposition research files on Republican presidential candidate Donald Trump. http://www.scmagazine.com/guccifer-20-claims-responsibility-for-dnc-hack-releases-reported-trump-opposition-files/article/503495/

FYI - Air Force loses 12 years of fraud, abuse investigation records - The U.S. Air Force lost 12 years of records containing fraud and abuse investigations from its inspector general and legislative liaison offices as a result of a database crash last month. http://www.scmagazine.com/air-force-loses-12-years-of-fraud-abuse-investigation-records/article/503354/

FYI - Access to 70,000 hacked servers sold on hacker marketplace; industry reacts - Researchers discovered a hacker marketplace on the Dark Web selling access to more than 70,000 hacked computer servers. http://www.scmagazine.com/access-to-70000-hacked-servers-sold-on-hacker-marketplace-industry-reacts/article/503818/


WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)

When utilizing PKI policies and controls, financial institutions need to consider the following:

- Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;

- Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;

- Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;

- Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;

- Updating the database of revoked certificates frequently, ideally in real-time mode;

- Employing stringent measures to protect the root key, including limited physical access to CA facilities, tamper-resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and backup keys on computers that do not connect with outside networks;

- Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;

- Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;

- Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and

- Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.

The encryption components of PKI are addressed more fully under "Encryption."
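The validity-period and revocation checks from the list above, run before a certificate-bearing transaction is accepted, as an added Go example that is not from the FFIEC booklet or this newsletter: it uses only the standard library's crypto/x509, and the names CheckCertificate and NewDemoPKI, the throwaway demo CA and the leaf names are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCertificate applies the controls above: a CA-signed, current CRL; a chain to the trusted root within the validity period; a serial that is not revoked.
func CheckCertificate(cert, root *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(root) != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL is unparsable, not signed by our CA, or stale: do not rely on it")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil { // chain + NotBefore/NotAfter window
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func NewDemoPKI(now time.Time) (root, good, revoked *x509.Certificate, crlDER []byte, err error) {
	issue := func(serial int64, cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
			NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
		if parent == nil { // self-signed root
			parent, signer = t, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		c, _ := x509.ParseCertificate(der)
		return c, key
	}
	root, rootKey := issue(1, "Demo Bank Root CA", true, nil, nil) // throwaway demo PKI, constructed for this example only
	good, _ = issue(2, "online-banking.example", false, root, rootKey)
	revoked, _ = issue(3, "stolen-key.example", false, root, rootKey) // the "compromised private key" case
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}, root, rootKey) // 24h CRL
	return
}
```

A CRL past its nextUpdate is treated as a failure rather than silently ignored, since relying on an old list is exactly the gap the "real-time" update bullet warns about.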



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS

11.3 Step 3: Anticipating Potential Contingencies or Disasters

Although it is impossible to think of all the things that can go wrong, the next step is to identify a likely range of problems. The development of scenarios will help an organization develop a plan to address the wide range of things that can go wrong.

Scenarios should include small and large contingencies. While some general classes of contingency scenarios are obvious, imagination and creativity, as well as research, can point to other possible, but less obvious, contingencies. The contingency scenarios should address each of the resources described above. The following are examples of some of the types of questions that contingency scenarios may address:

Human Resources: Can people get to work? Are key personnel willing to cross a picket line? Are there critical skills and knowledge possessed by one person? Can people easily get to an alternative site?

Processing Capability: Are the computers harmed? What happens if some of the computers are inoperable, but not all?

Automated Applications and Data: Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?

Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?

Infrastructure: Do people have a place to sit? Do they have equipment to do their jobs? Can they occupy the building?

Documents/Paper: Can needed records be found? Are they readable?

Examples of Some Less Obvious Contingencies

1. A computer center in the basement of a building had a minor problem with rats. Exterminators killed the rats, but the bodies were not retrieved because they were hidden under the raised flooring and in the pipe conduits. Employees could only enter the data center with gas masks because of the decomposing rats.

2. After the World Trade Center explosion, when people reentered the building, they turned on their computer systems to check for problems. Dust and smoke damaged many systems when they were turned on. If the systems had been cleaned first, there would not have been significant damage.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
