Internet Banking News

July 19, 2015

Newsletter Content	FFIEC IT Security	Web Site Audits
Web Site Compliance	NIST Handbook	Penetration Testing

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Legislators call for lifetime identity protection for OPM data breach victims - Nine legislators are putting their support behind a bill that, if passed, would provide free lifetime identity theft protection coverage to the victims of the Office of Personnel Management (OPM) data breaches. http://www.scmagazine.com/recover-act-proposes-lifetime-identity-protection-for-federal-workers/article/426621/

FYI - China makes internet shut-downs official with new security law - If it threatens security, China reserves the right to switch off networks - China is able to shut off internet access during major 'social security incidents' and has granted its Cyberspace Administration agency wider decision making powers under a draft law published this month. http://www.theregister.co.uk/2015/07/13/china_cyber_security_law/

FYI - Two U.S. telecoms to pay $3.5M for data breach - Two sister mobile and telecom service providers will pay a combined $3.5 million after the U.S. Federal Communications Commission found that they were storing customers' personal data on unprotected servers accessible over the Internet. http://www.computerworld.com/article/2946104/technology-law-regulation/two-us-telecoms-to-pay-35m-for-data-breach.html

FYI - Encryption backdoors for cops are unworkable, will put internet security at risk, warn experts - Demands for access to encrypted communications raise huge technical and ethical questions, according to security researchers. http://www.zdnet.com/article/encryption-back-doors-for-cops-are-unworkable-will-put-internet-security-at-risk-warn-experts/

FYI - NYC investigator convicted for hiring hackers, fears retaliation from clients - A New York City private investigator who was convicted of hiring hackers to assist in his work now fears that his former clients will retaliate after it emerged that he cooperated with authorities. http://www.scmagazine.com/nyc-private-eye-fears-retaliation-after-collaborating-with-authorities/article/426120/

FYI - Thousands of vulnerabilities identified in government system - Nearly 3,000 critical and high-risk vulnerabilities were identified in three U.S. Department of the Interior (DOI) bureaus. http://www.scmagazine.com/department-of-the-interior-system-riddled-with-critical-vulnerabilities/article/426902/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Evans Hotels announces payment card incident involving malware - California-based Evans Hotels – which operates Bahia Resort Hotel, Catamaran Resort Hotel and Spa, and The Lodge at Torrey Pines – announced that malware was installed on computers at the front desks of its properties that could have compromised payment card data. http://www.scmagazine.com/evans-hotels-announces-payment-card-incident-involving-malware/article/425744/

FYI - Mandarin Oriental says 10 properties impacted in credit card breach - Mandarin Oriental Hotel Group said Friday that 10 of its properties were affected in a malware attack on its credit card systems. http://www.scmagazine.com/malware-attack-on-mandarin-oriental-credit-card-systems-affected-10-properties/article/426139/

FYI - Software bug prompts Range Rover recall - Land Rover is recalling more than 65,000 cars to fix a software bug that can "unlatch" the vehicles' doors. http://www.bbc.com/news/technology-33506486

FYI - Recovered USB stick contains Barclays data, customers offered compensation - London-based Barclays bank will pay out more than $780,000 in compensation to the 2,000 customers who had personal information on a USB stick that was recovered at an apartment in England during a criminal investigation, The Herald in Scotland reported on Monday. http://www.scmagazine.com/barclays-will-pay-more-than-780k-to-customers-whose-data-was-on-recovered-usb-stick/article/426393/

FYI - Walmart Canada's Online Photocentre down after potential breach - Walmart Canada has taken down its online photo processing service and is investigating a possible breach that may have compromised the credit card information of up to 60,000 people, according to The Globe and Mail. http://www.scmagazine.com/breach-of-walmart-canada-online-photo-center-could-impact-60k-people/article/426387/

FYI - Hershey provides additional information on payment card breach - Payment cards used at certain Hershey Entertainment & Resorts Company (HE&R) properties may have been compromised. http://www.scmagazine.com/hershey-provides-additional-information-on-payment-card-breach/article/426640/

FYI - UPMC Health Plan compromises personal data of 722 patients - University of Pittsburgh Medical Center (UPMC) Health Plan said Tuesday that the information of 722 insurance subscribers has been compromised in its third breach in two years. http://www.scmagazine.com/in-third-upmc-breach-in-two-years-personal-info-emailed-to-wrong-contact/article/426629/

FYI - Epic Games forums compromised, passwords to be reset - The forums for Epic Games – the video game development company responsible for the Gears of War series and Infinity Blade series – have been compromised, according to a notification letter published on numerous websites. http://www.scmagazine.com/epic-games-forums-compromised-passwords-to-be-reset/article/426893/

FYI - Army National Guard breach affects 850K, not related to OPM - Personal information from more than 850,000 current and former Army National Guard members may have been compromised, according to a Friday release. http://www.scmagazine.com/breach-may-have-compromised-personal-info-on-850k-national-guard-members/article/426871/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider

Some of the factors that institutions should consider when performing due diligence in selecting a service provider are categorized and listed below. Institutions should review the service provider’s due diligence process for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties). Depending on the services being outsourced and the level of in-house expertise, institutions should consider whether to hire or consult with qualified independent sources. These sources include consultants, user groups, and trade associations that are familiar with products and services offered by third parties. Ultimately, the depth of due diligence will vary depending on the scope and importance of the outsourced services as well as the risk to the institution from these services.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Utilization of the Internet presents numerous issues and risks which must be addressed. While many aspects of system performance will present additional challenges to the bank, some will be beyond the bank's control. The reliability of the Internet continues to improve, but situations including delayed or misdirected transmissions and operating problems involving Internet Service Providers (ISPs) could also have an effect on related aspects of the bank's business.

The risks will not remain static. As technologies evolve, security controls will improve; however, so will the tools and methods used by others to compromise data and systems. Comprehensive security controls must not only be implemented, but also updated to guard against current and emerging threats. Security controls that address the risks will be presented over the next few weeks.

SECURITY MEASURES

The FDIC paper discusses the primary interrelated technologies, standards, and controls that presently exist to manage the risks of data privacy and confidentiality, data integrity, authentication, and non-repudiation.

Encryption, Digital Signatures, and Certificate Authorities

Encryption techniques directly address the security issues surrounding data privacy, confidentiality, and data integrity. Encryption technology is also employed in digital signature processes, which address the issues of authentication and non-repudiation. Certificate authorities and digital certificates are emerging to address security concerns, particularly in the area of authentication. The function of and the need for encryption, digital signatures, certificate authorities, and digital certificates differ depending on the particular security issues presented by the bank's activities. The technologies, implementation standards, and the necessary legal infrastructure continue to evolve to address the security needs posed by the Internet and electronic commerce.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.5.1 Vulnerabilities Related to Payroll Fraud

Falsified Time Sheets

The primary safeguards against falsified time sheets are review and approval by supervisory personnel, who are not permitted to approve their own time and attendance data. The risk assessment has concluded that, while imperfect, these safeguards are adequate. The related requirement that a clerk and a supervisor must cooperate closely in creating time and attendance data and submitting the data to the mainframe also safeguards against other kinds of illicit manipulation of time and attendance data by clerks or supervisors acting independently.

Unauthorized Access

When a PC user enters a password to the server during I&A, the password is sent to the server by broadcasting it over the LAN "in the clear." This allows the password to be intercepted easily by any other PC connected to the LAN. In fact, so-called "password sniffer" programs that capture passwords in this way are widely available. Similarly, a malicious program planted on a PC could also intercept passwords before transmitting them to the server. An unauthorized individual who obtained the captured passwords could then run the time and attendance application in place of a clerk or supervisor. Users might also store passwords in a log-on script file.

Bogus Time and Attendance Applications

The server's access controls are probably adequate for protection against bogus time and attendance applications that run on the server. However, the server's operating system and access controls have only been in widespread use for a few years and contain a number of security-related bugs. And the server's access controls are ineffective if not properly configured, and the administration of the server's security features in the past has been notably lax.

Unauthorized Modification of Time and Attendance Data

Protection against unauthorized modification of time and attendance data requires a variety of safeguards because each system component on which the data are stored or transmitted is a potential source of vulnerabilities.

First, the time and attendance data are entered on the server by a clerk. On occasion, the clerk may begin data entry late in the afternoon, and complete it the following morning, storing it in a temporary file between the two sessions. One way to avoid unauthorized modification is to store the data on a diskette and lock it up overnight. After being entered, the data will be stored in another temporary file until reviewed and approved by a supervisor. These files, now stored on the system, must be protected against tampering. As before, the server's access controls, if reliable and properly configured, can provide such protection (as can digital signatures, as discussed later) in conjunction with proper auditing.

Second, when the Supervisor approves a batch of time and attendance data, the time and attendance application sends the data over the WAN to the mainframe. The WAN is a collection of communications equipment and special-purpose computers called "switches" that act as relays, routing information through the network from source to destination. Each switch is a potential site at which the time and attendance data may be fraudulently modified. For example, an HGA PC user might be able to intercept time and attendance data and modify the data enroute to the payroll application on the mainframe. Opportunities include tampering with incomplete time and attendance input files while stored on the server, interception and tampering during WAN transit, or tampering on arrival to the mainframe prior to processing by the payroll application.

Third, on arrival at the mainframe, the time and attendance data are held in a temporary file on the mainframe until the payroll application is run. Consequently, the mainframe's I&A and access controls must provide a critical element of protection against unauthorized modification of the data.

According to the risk assessment, the server's access controls, with prior caveats, probably provide acceptable protection against unauthorized modification of data stored on the server. The assessment concluded that a WAN-based attack involving collusion between an employee of HGA and an employee of the WAN service provider, although unlikely, should not be dismissed entirely, especially since HGA has only cursory information about the service provider's personnel security practices and no contractual authority over how it operates the WAN.

The greatest source of vulnerabilities, however, is the mainframe. Although its operating system's access controls are mature and powerful, it uses password-based I&A. This is of particular concern, because it serves a large number of federal agencies via WAN connections. A number of these agencies are known to have poor security programs. As a result, one such agency's systems could be penetrated (e.g., from the Internet) and then used in attacks on the mainframe via the WAN. In fact, time and attendance data awaiting processing on the mainframe would probably not be as attractive a target to an attacker as other kinds of data or, indeed, disabling the system, rendering it unavailable. For example, an attacker might be able to modify the employee data base so that it disbursed paychecks or pensions checks to fictitious employees. Disclosure-sensitive law enforcement databases might also be attractive targets.

The access control on the mainframe is strong and provides good protection against intruders breaking into a second application after they have broken into a first. However, previous audits have shown that the difficulties of system administration may present some opportunities for intruders to defeat access controls.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.