Internet Banking News

August 9, 2015

Newsletter Content	FFIEC IT Security	Web Site Audits
Web Site Compliance	NIST Handbook	Penetration Testing

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.

FYI - On August 6, 2015 Stephen W. Warren was named Chief Information Officer (CIO) at the Office of the Comptroller of the Currency (OCC). As CIO, Mr. Warren will lead all OCC information technology (IT) programs, supporting the agency's mission of ensuring the safety and soundness of national banks as well as fair and equal access to financial services for all Americans. http://www.occ.treas.gov/news-issuances/news-releases/2015/nr-occ-2015-110.html

FYI - China announces plans to install police units at internet companies - The Chinese government plans to embed cybersecurity police units into major Chinese internet companies, according to a Wall Street Journal report. http://www.scmagazine.com/chinese-government-units-embedded-in-public-entities/article/430761/

FYI - TV5Monde in chaos as data breach costs roll into the millions - French broadcaster TV5Monde is still without Internet and other key IT functions three months after a nation-state hacker took control of its TV channels and hijacked social media accounts. Meanwhile, the data breach costs are mounting up. http://www.scmagazine.com/tv5monde-in-chaos-as-data-breach-costs-roll-into-the-millions/article/429390/

FYI - Women in IT Security: Women of influence - We enlisted a team of moderators to ask a number of prominent IT security professionals about the challenges they faced as a woman entering the field, the prejudices they deal with every day and the skills they use to navigate within their business. http://www.scmagazine.com/women-in-it-security-women-of-influence/article/421387/

FYI - Secret NSA map shows Chinese cyberespionage targets in U.S. - A secret National Security Agency (NSA) map shows the location of “Victims of Chinese Cyber Espionage" attacks launched by China against the U.S. over a five-year period, according to NBC News. http://www.scmagazine.com/map-from-nsa-briefing-details-china-cyberattacks-on-us-targets/article/429859/

FYI - Phishing campaign strikes U.K. and U.S. companies - A phishing campaign of millions of messages has been aimed at organisations in the UK and US. Discovered by Proofpoint, the campaign employs bait via an authentic voice message containing an LNK attachment—an unusual method of delivering malware. http://www.scmagazine.com/phishing-campaign-strikes-uk-and-us-companies/article/429720/

FYI - Interpol is training police to fight crime on the Darknet - Police officers from around a dozen countries have just completed a five-day course on Tor hidden services, illegal marketplaces and cryptocurrencies to help them investigate crimes on the Darknet. http://www.zdnet.com/article/interpol-is-training-police-to-fight-crime-on-the-darknet/

FYI - Sysadmin jailed for a decade after slurping US military docs - American gov contractor goes rogue? We've heard this before - A US Air Force contractor has been sentenced to 10 years in prison and three years of supervised release for stealing classified documents, in addition to conspiracy to commit naturalisation fraud. http://www.theregister.co.uk/2015/08/03/sysadmin_jailed_10_years_stealing_classified_usaf_docs/

FYI - Survey exposes consumer fears about car hacking - In the wake of two high-profile car hacking reports, a new Kelley Blue Book survey suggests consumers are increasingly concerned about automotive cybersecurity, and those concerns could influence new purchases. http://www.cnet.com/news/survey-exposes-consumer-fears-about-car-hacking/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Reported attack on United Airlines shows everyone has valuable data to protect - All information has potential value to hackers. The latest example: A reported breach of network security at United Airlines that swept up flight manifests. Yes, just lists of people on an airplane. http://www.cnet.com/news/lifes-a-breach-reported-attack-on-united-airlines-shows-everyone-has-valuable-data-to-protect/

FYI - PagerDuty requires password change for all customers following breach - Alarm aggregation and dispatching service PagerDuty detected an unauthorized intrusion by an attacker who gained access to customer information, and the company is now requiring that all customers change their passwords. http://www.scmagazine.com/pagerduty-requires-password-change-for-all-customers-following-breach/article/429865/

FYI - Oklahoma restaurant hit with POS breach, possibly from outside country - A Mexican restaurant in Durant, Okla., experienced a point-of-sale (POS) breach that may have originated from outside the country. http://www.scmagazine.com/salitas-restaurant-hit-with-pos-breach-possibly-from-outside-country/article/429993/

FYI - US authority warns hospitals over use of hackable drug pump - The US Food and Drug Administration is now "strongly encouraging" hospitals not to use a leading brand of drug pump over hacking fears. http://www.bbc.com/news/technology-33759428

FYI - Hacker steals Bitdefender customer log-in credentials, attempts blackmail - The hacker exploited a vulnerability in an outdated software component to extract information from a single server. http://www.computerworld.com/article/2955512/security/hacker-steals-bitdefender-customer-log-in-credentials-attempts-blackmail.html

FYI - Russian hackers accessed Pentagon's unclassified email system - Russian hackers allegedly accessed the Pentagon's Joint Staff unclassified email system, which led the agency to take the service offline for nearly two weeks. http://www.scmagazine.com/joint-staffs-unclassified-emails-hacked/article/431251/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Some considerations for contracting with service providers are discussed below. This listing is not all-inclusive and the institution may need to evaluate other considerations based on its unique circumstances. The level of detail and relative importance of contract provisions varies with the scope and risks of the services outsourced.

Scope of Service

The contract should clearly describe the rights and responsibilities of parties to the contract.
Considerations include:

• Timeframes and activities for implementation and assignment of responsibility. Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization).
• Services to be performed by the service provider including duties such as software support and maintenance, training of employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services performed under the contract.
• Guidelines for adding new or different services and for contract re-negotiation.

Performance Standards

Institutions should generally include performance standards defining minimum service level requirements and remedies for failure to meet standards in the contract. For example, common service level metrics include percent system uptime, deadlines for completing batch processing, or number of processing errors. Industry standards for service levels may provide a reference point. The institution should periodically review overall performance standards to ensure consistency with its goals and objectives.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Digital Signatures

Digital signatures authenticate the identity of a sender, through the private, cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. T he combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.

Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique, character representation of the data). This process is known as the "hash." The message digest is then encrypted with a private key, and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation, and the management of the cryptographic keys.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.5.5 Network-Related Vulnerabilities

The risk assessment concurred with the general approach taken by HGA, but identified several vulnerabilities. It reiterated previous concerns about the lack of assurance associated with the server's access controls and pointed out that these play a critical role in HGA's approach. The assessment noted that the e-mail utility allows a user to include a copy of any otherwise accessible file in an outgoing mail message. If an attacker dialed in to the server and succeeded in logging in as an HGA employee, the attacker could use the mail utility to export copies of all the files accessible to that employee. In fact, copies could be mailed to any host on the Internet.

The assessment also noted that the WAN service provider may rely on microwave stations or satellites as relay points, thereby exposing HGA's information to eavesdropping. Similarly, any information, including passwords and mail messages, transmitted during a dial-in session is subject to eavesdropping.

20.6 Recommendations for Mitigating the Identified Vulnerabilities

The discussions in the following subsections were chosen to illustrate a broad sampling of handbook topics. Risk management and security program management themes are integral throughout, with particular emphasis given to the selection of risk-driven safeguards.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.