FFIEC information technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI - It's FIFA World Cup season, do you know where your cybersecurity
pros are? - With nearly half the world watching the 2018 FIFA World
Cup, which kicks off today, odds are several security professionals
will be looking to sneak a peek at the games, which could be bad for
the security of your business.
https://www.scmagazine.com/its-fifa-world-cup-season-do-you-know-where-your-cybersecurity-pros-are/article/773477/
Despite advancements, training and fears of breaches, employees
still practice bad cyber hygiene, study - Despite the majority of
consumers being afraid of having their personal data compromised by
a breach, employees are still continuing to engage in risky
behavior.
https://www.scmagazine.com/despite-advancements-training-and-fears-of-breaches-employees-still-practice-bad-cyber-hygiene-study/article/774026/
Marine Corps weighs wooing older members for new cyber force - The
head of the Marine Corps says it’s time the U.S. military branch
known for its fierce, young warriors becomes a little more mature.
https://www.marinecorpstimes.com/news/your-marine-corps/2018/06/10/marine-corps-weighs-wooing-older-members-for-new-cyber-force/
Former CIA developer charged in Vault 7 hacking tools release - A
former CIA employee was charged Monday with 13 counts of violating
the Espionage Act and other laws for leaking the agency's hacking
tools last year that ended up on WikiLeaks.
https://www.scmagazine.com/former-cia-developer-charged-in-vault-7-hacking-tools-release/article/774481/
University of Texas MD Anderson Cancer Center was fined $4.3M for
data breaches - The University of Texas MD Anderson Cancer Center
was fined $4.3 million by the Department of Health and Human
Services Office for Civil Rights (OCR) for a series of breaches which
resulted in the loss of 33,000 patient health records in 2012 and
2013.
https://www.scmagazine.com/university-of-texas-md-anderson-cancer-center-was-fined-43m-for-data-breaches/article/774949/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Adidas phishing campaign promises free shoes, offers $50
subscription instead - An Adidas phishing campaign is offering
potential victims a "free" $50 per month subscription, all under
the promise of free shoes.
https://www.scmagazine.com/adidas-phishing-campaign-promises-free-shoes-offers-50-subscription-instead/article/773683/
Wiper attack at Chilean bank provided cover for $10M SWIFT heist -
The real target of a wiper malware attack on Banco de Chile was
transactions on the SWIFT network that resulted in a $10 million
heist.
https://www.scmagazine.com/wiper-attack-at-chilean-bank-provided-cover-for-10m-swift-heist/article/773354/
AI startup Clarifai hacked by Russian operatives during Pentagon
Maven project, lawsuit claims - Artificial intelligence startup
Clarifai failed to report that it had been hacked by Russian
operatives while it was working on the Defense Department's Maven
project, according to a lawsuit filed by former Clarifai employee
and Air Force Capt. Amy Liu.
https://www.scmagazine.com/ai-startup-clarifai-hacked-by-russian-operatives-during-pentagon-maven-project-lawsuit-claims/article/773687/
HealthEquity breach exposes PII of 23,000 customers - About 23,000
accounts have been compromised by a data breach that took place at
HealthEquity when an employee fell for a phishing scam.
https://www.scmagazine.com/healthequity-breach-exposes-pii-of-23000-customers/article/773654/
DDoS attack aimed at Mexican opposition presidential candidate
website during debate - A distributed denial of service (DDoS)
attack on the website opposing a Mexican presidential candidate on
Tuesday during a debate renewed fears that elections around the
globe are vulnerable.
https://www.scmagazine.com/ddos-attack-aimed-at-mexican-opposition-presidential-candidate-website-during-debate/article/773454/
Virginia Department of Environmental Quality website hacked -
Virginia Department of Environmental Quality's website was
compromised by a "malicious party" who gained access to an agency
system.
https://www.scmagazine.com/virginia-department-of-environmental-quality-website-hacked/article/774023/
Startup Working on Contentious Pentagon AI Project Was Hacked - A
sign appeared on the door to a stuffy, windowless room at the office
of Manhattan artificial-intelligence startup Clarifai. “Chamber of
secrets,” it read, according to three people who saw it.
https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked/
Tesla hit by insider saboteur who changed code, exfiltrated data -
Tesla has rooted out a saboteur who changed code on internal
products and exfiltrated data to outsiders, damaging company
operations and possibly causing a fire, CEO Elon Musk told employees
in an email.
https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/
Errant email exposes PII of Chicago Public School systems students -
A Chicago Public Schools (CPS) worker accidentally emailed private
student information to more than 3,700 families who have students in
the system.
https://www.scmagazine.com/errant-email-exposes-pii-of-chicago-public-school-systems-students/article/774171/
WEB SITE COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review Suspicious Activity
Reporting.
National banks are required to report intrusions and other
computer crimes to the OCC and law enforcement by filing a
Suspicious Activity Report (SAR) form and submitting it to the
Financial Crimes Enforcement Network (FinCEN), in accordance with 12
CFR 21.11. This reporting obligation exists regardless of whether
the institution has reported the intrusion to the
information-sharing organizations discussed below. For purposes of
the regulation and the SAR form instructions, an "intrusion" is
defined as gaining access to the computer system of a financial
institution to remove, steal, procure or otherwise affect
information or funds of the institution or customers. It also
includes actions that damage, disable, or otherwise affect critical
systems of the institution. For example, distributed denial of
service (DDoS) attacks should be reported on a SAR because they may
temporarily disable critical systems of financial institutions.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.4.2 Maintaining Authentication
So far, this chapter has discussed initial authentication only. It
is also possible for someone to use a legitimate user's account
after log-in. Many computer systems handle this problem by logging a
user out or locking their display or session after a certain period
of inactivity. However, these methods can affect productivity and
can make the computer less user-friendly.
16.4.3 Single Log-in
From an efficiency viewpoint, it is desirable for users to
authenticate themselves only once and then to be able to access a
wide variety of applications and data available on local and remote
systems, even if those systems require users to authenticate
themselves. This is known as single log-in. If the access is within
the same host computer, then the use of a modern access control
system (such as an access control list) should allow for a single
log-in. If the access is across multiple platforms, then the issue
is more complicated, as discussed below. There are three main
techniques that can provide single log-in across multiple computers:
host-to-host authentication, authentication servers, and
user-to-host authentication.
Host-to-Host Authentication. Under a host-to-host
authentication approach, users authenticate themselves once to a
host computer. That computer then authenticates itself to other
computers and vouches for the specific user. Host-to-host
authentication can be done by passing an identification, a password,
or by a challenge-response mechanism or other one-time password
scheme. Under this approach, it is necessary for the computers to
recognize each other and to trust each other.
Authentication Servers. When using an authentication server,
the users authenticate themselves to a special host computer (the
authentication server). This computer then authenticates the user to
other host computers the user wants to access. Under this approach,
it is necessary for the computers to trust the authentication
server. (The authentication server need not be a separate computer,
although in some environments this may be a cost-effective way to
increase the security of the server.) Authentication servers can be
distributed geographically or logically, as needed, to reduce
workload.
User-to-Host. A user-to-host authentication approach
requires the user to log-in to each host computer. However, a smart
token (such as a smart card) can contain all authentication data and
perform that service for the user. To users, it looks as though they
were only authenticated once.
Kerberos and SPX are examples of network authentication server
protocols. They both use cryptography to authenticate users to
computers on networks.
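The following is an added example, not part of the NIST Handbook or this newsletter, that models the "authentication server" form of single log-in from 16.4.3 together with the inactivity check from 16.4.2. It is a deliberately small stand-in for a Kerberos-style design: the user authenticates once to the AS; the AS, which shares a long-lived key with each host, issues a host-bound, time-limited ticket protected by an HMAC; the host verifies the ticket without ever seeing the password and then drops the session after a period of inactivity. All keys, host names, the user "alice" and her password are constructed for the example; tickets here are only integrity-protected, so unlike a real Kerberos ticket they carry no confidential session key.

```python
"""Toy authentication-server single log-in (NIST Handbook 16.4.3) with an
idle-session timeout (16.4.2). Constructed example, stdlib only."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

TICKET_LIFETIME = 300   # seconds a ticket stays valid
IDLE_LIMIT = 600        # seconds of inactivity before a host drops a session
MAC_LEN = 32            # bytes of HMAC-SHA256 appended to each ticket


def password_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier kept on the AS instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    """The special host every other host trusts; holds users and host keys."""

    def __init__(self, host_keys: dict, users: dict):
        self.host_keys = host_keys   # host name -> long-lived key shared with that host
        self.users = users           # user name -> (salt, verifier)
        self.sessions = {}           # AS token -> user name

    def login(self, user: str, password: str) -> Optional[str]:
        """Step 1: the user authenticates once, and only to the AS."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, verifier = rec
        if not hmac.compare_digest(password_verifier(password, salt), verifier):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def ticket_for(self, token: str, host: str, now: float) -> Optional[bytes]:
        """Step 2: the AS vouches for the user to one host by issuing a ticket
        that only the holder of that host's key can verify."""
        user = self.sessions.get(token)
        key = self.host_keys.get(host)
        if user is None or key is None:
            return None
        claims = {"user": user, "host": host, "iat": int(now),
                  "exp": int(now) + TICKET_LIFETIME, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return body + hmac.new(key, body, hashlib.sha256).digest()


class Host:
    """A host that trusts the AS: it checks tickets, never passwords."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.sessions = {}           # session id -> {"user", "last_seen"}

    def accept(self, ticket: bytes, now: float) -> Optional[str]:
        """Verify the MAC, the host binding and the lifetime; open a session."""
        body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None              # forged, or minted for a host with a different key
        claims = json.loads(body)
        if claims["host"] != self.name or not claims["iat"] <= now < claims["exp"]:
            return None              # wrong host (defence in depth) or expired
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": claims["user"], "last_seen": now}
        return sid

    def request(self, sid: str, now: float) -> Optional[str]:
        """16.4.2: an idle session is dropped so a walk-up user cannot ride it."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_LIMIT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the flow with constructed keys and one constructed user."""
    host_keys = {"payroll.example.test": secrets.token_bytes(32),
                 "files.example.test": secrets.token_bytes(32)}
    salt = secrets.token_bytes(16)
    as_ = AuthServer(host_keys, {"alice": (salt, password_verifier("correct horse", salt))})
    payroll = Host("payroll.example.test", host_keys["payroll.example.test"])
    files = Host("files.example.test", host_keys["files.example.test"])

    out = {"bad_password": as_.login("alice", "wrong") is None}
    token = as_.login("alice", "correct horse")           # the single log-in
    t_payroll = as_.ticket_for(token, "payroll.example.test", now)
    sid = payroll.accept(t_payroll, now)
    out["payroll_user"] = payroll.request(sid, now + 10)
    out["ticket_not_transferable"] = files.accept(t_payroll, now) is None
    out["expired_ticket_rejected"] = payroll.accept(t_payroll, now + TICKET_LIFETIME) is None
    out["files_user"] = files.accept(as_.ticket_for(token, "files.example.test", now), now) is not None
    out["idle_session_dropped"] = payroll.request(sid, now + 10 + IDLE_LIMIT + 1) is None
    out["unknown_host"] = as_.ticket_for(token, "nowhere.example.test", now) is None
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points are worth noticing. The host-name claim inside the ticket is checked even though a ticket minted under the wrong key already fails the MAC; if two hosts were ever provisioned with the same key, that claim is what stops a ticket for one being replayed at the other. And the inactivity timeout lives on the host, not the AS, because it is the host's session that a walk-up user would inherit; the cost the Handbook notes (users being logged out mid-task) is the reason IDLE_LIMIT is a tunable constant rather than a hard-coded value.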