REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- CoNetrix released a new, complimentary online tool called tandem
Compliance Calendar to help financial institutions effectively
manage regulatory requirements and schedule important tasks such as
audits, training, operations and compliance. This free solution is
part of their tandem software suite designed to help financial
institutions with their security and compliance needs.
http://www.conetrix.com/ComplianceCalendar
FYI
- Homeland Security pushes pay boost for cyber pros - The Homeland
Security Department made a final pitch to Congress to equalize pay
packages for DHS cyber professionals and their higher-paid Pentagon
counterparts, as cybersecurity legislation looked likely to stall
for the third consecutive year.
http://www.nextgov.com/cybersecurity/2012/08/homeland-security-pushes-pay-boost-cyber-pros/57194/?oref=ng-HPtopstory
FYI
- India: We DO have the BlackBerry encryption keys - Indian
government officials have apparently claimed that Research in Motion
has handed over the skeleton keys used to encrypt BlackBerry
communications – once again ignoring the fact that such keys don't
exist.
http://www.theregister.co.uk/2012/08/02/rim_keys_india/
FYI
- Air Force prepares to open cyberwarfare simulation center to
outside users - The Air Force is slated to open a virtual
cyberwarfare program to more military commands, educational
institutions and other federal agencies, contracting papers
indicate.
http://www.nextgov.com/cybersecurity/2012/08/air-force-prepares-open-cyberwarfare-simulation-center-outside-users/57165/?oref=ng-HPriver
FYI
- White House reportedly considers cyber executive order - After
Senate Republicans last week blocked the passage of a cyber security
bill, the White House is considering reviving the legislation
through an executive order, according to a report this weekend.
http://www.scmagazine.com/white-house-reportedly-considers-cyber-executive-order/article/253502/?DCMP=EMC-SCUS_Newswire
FYI
- Proposed Privacy Law Demands Court Warrants for Cloud Data - Two
Democratic congressmen are proposing sweeping changes to a U.S.
privacy law that for the first time would require the government to
obtain a probable-cause warrant to access data stored in the cloud.
http://www.wired.com/threatlevel/2012/08/ecpa-warrant-reform/
FYI
- Password security can improve, but the hackers will still get in -
In June, millions of password hashes were disclosed from LinkedIn,
eHarmony and Last.fm. And in July, more than 400,000 usernames and
passwords were stolen from Yahoo, while the social networking site
Formspring, clothing company Billabong, and gaming site Gamigo all
suffered similar breaches.
http://www.scmagazine.com/password-security-can-improve-but-the-hackers-will-still-get-in/article/253931/?DCMP=EMC-SCUS_Newswire
FYI
- Gauss trojan targets Lebanese banks, likely U.S. creation -
Researchers have come across another sophisticated piece of Middle
Eastern-targeted espionage malware, which, at the very least, is
capable of stealing bank login details, and, at the most extreme, is
another Stuxnet.
http://www.scmagazine.com/gauss-trojan-targets-lebanese-banks-likely-us-creation/article/254096/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Knight Capital Shows How Financial Services Firms Have Become
Widow Makers - Knight Capital experienced an electronic trading
malfunction that caused havoc in the trading of stocks ranging from
RadioShack to Dupont. Now, Knight says its losses from the trading
debacle are $440 million.
http://www.forbes.com/sites/nathanvardi/2012/08/02/knight-capital-shows-how-financial-services-firms-have-become-widow-makers/
FYI
- Employee password reuse behind Dropbox spam outbreak - The spam
outbreak that last month flooded the inboxes of Dropbox customers
has been traced back to a hacked employee account, company
representatives said late Tuesday.
http://www.scmagazine.com/employee-password-reuse-behind-dropbox-spam-outbreak/article/253004/
FYI
- Metropolitan Police ransomware pretender ensnares 1,100 computers
- The Metropolitan Police's Central e-Crime Unit (PCeU) has
uncovered a ransomware scam attempting to extort money from
unsuspecting members of the public by impersonating it.
http://www.v3.co.uk/v3-uk/news/2196036/metropolitan-police-ransomware-pretender-ensnares-1-100-computers
FYI
- Data breach costs LinkedIn up to $1 million - Due to one of the
year's largest reported data breaches, business networking site
LinkedIn has announced that it already has taken up to a $1 million
hit.
http://www.scmagazine.com/data-breach-costs-linkedin-up-to-1-million/article/253386/?DCMP=EMC-SCUS_Newswire
FYI
- Yahoo faces lawsuit following data breach - As is the norm
following a high-profile breach, Yahoo is facing a lawsuit following
its disclosure last month that hackers stole 450,000 unencrypted
email addresses and passwords of its members.
http://www.scmagazine.com/yahoo-faces-lawsuit-following-data-breach/article/253378/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/8301-1009_3-57486703-83/yahoo-user-sues-over-password-leak/
FYI
- Thumb drive with data on 14k hospital patients stolen - A USB
drive with data on thousands of patients of Oregon Health & Science
University (OHSU) in Portland was stolen from the home of an
employee on July 4 or 5.
http://www.scmagazine.com/thumb-drive-with-data-on-14k-hospital-patients-stolen/article/253230/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers breach Environment Protection Agency database - Thousands
of U.S. Environmental Protection Agency (EPA) employees had their
personal information exposed through a database breach.
http://www.scmagazine.com/hackers-breach-environment-protection-agency-database/article/253595/?DCMP=EMC-SCUS_Newswire
http://www.bizjournals.com/washington/news/2012/08/02/epa-security-breach-exposes-personal.html
FYI
- Patient data outage exposes risks of electronic medical
records - 'Human error' is blamed for a five-hour computer outage
last week. It highlights the risks of a nationwide switch to
electronic medical records.
http://www.latimes.com/business/la-fi-hospital-data-outage-20120803,0,5302779.story
FYI
- Reuters suffers double hack - Call it a “psy-ops” attack,
if you like: Reuters has suffered the embarrassment of having two
platforms infiltrated and used to spread propaganda messages
supporting the Syrian regime.
http://www.theregister.co.uk/2012/08/05/reuters_hacked/
FYI
- How Apple let a hacker remotely wipe an iPhone, iPad,
MacBook - Gizmodo's Twitter account was recently hacked, after a
former employee's iCloud account was breached, and all his Apple
devices (iPhone, iPad, MacBook Air) were remotely wiped. It turns
out the hacker didn't even have to get the password: he just tricked
Apple's tech support.
http://www.zdnet.com/how-apple-let-a-hacker-remotely-wipe-an-iphone-ipad-macbook-7000002141/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
system.
b) Intrusion detection software and other security assessment tools
to periodically probe networks, servers and firewalls for weaknesses
and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
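The first practice above calls for security profiles with specific authorization privileges and logical access controls that support segregation of duties. The following added example (not Basel Committee text or any bank's code) shows one way those two ideas look in an authorization layer: a static check that refuses conflicting role combinations when a profile is maintained, and a dynamic check that stops an approver from approving a payment they initiated themselves. All role names, permission strings and user records are constructed for illustration.

```python
"""Role-based authorization with segregation-of-duties (SoD) checks.

Added illustration of the "security profiles ... segregation of duties"
practice. Roles, permissions and identifiers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Security profile: role -> permissions. Every user of the e-banking
# system (customer, staff, outsourced provider) acts only through roles.
ROLE_PERMISSIONS = {
    "customer":          {"account.view_own", "payment.initiate_own"},
    "payments_clerk":    {"account.view_any", "payment.initiate"},
    "payments_approver": {"account.view_any", "payment.approve"},
    "security_admin":    {"user.assign_role", "log.read"},
    "outsourced_ops":    {"log.read"},
}

# Static SoD: role pairs no single person may hold at the same time.
SOD_CONFLICTS = {
    frozenset({"payments_clerk", "payments_approver"}),
    frozenset({"security_admin", "payments_approver"}),
}


class AuthorizationError(Exception):
    """Raised when a request or profile change violates policy."""


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


@dataclass
class Payment:
    payment_id: str
    initiated_by: str
    amount: int
    approved_by: Optional[str] = None


def sod_violations(roles) -> list:
    """Return the conflicting role pairs contained in a role set."""
    roles = set(roles)
    return [pair for pair in SOD_CONFLICTS if pair <= roles]


def assign_role(user: User, role: str) -> None:
    """Maintain a profile; refuse changes that create an SoD conflict."""
    if role not in ROLE_PERMISSIONS:
        raise AuthorizationError(f"unknown role {role!r}")
    proposed = user.roles | {role}
    conflicts = sod_violations(proposed)
    if conflicts:
        pairs = [sorted(p) for p in conflicts]
        raise AuthorizationError(f"SoD conflict for {user.user_id}: {pairs}")
    user.roles = proposed


def has_permission(user: User, permission: str) -> bool:
    return permission in user.permissions()


def initiate_payment(user: User, payment_id: str, amount: int) -> Payment:
    if not has_permission(user, "payment.initiate"):
        raise AuthorizationError(f"{user.user_id} may not initiate payments")
    return Payment(payment_id, user.user_id, amount)


def can_approve(user: User, payment: Payment) -> bool:
    """Dynamic SoD: the approver needs the permission AND must not be
    the person who initiated this particular payment."""
    return (has_permission(user, "payment.approve")
            and payment.initiated_by != user.user_id)


def approve_payment(user: User, payment: Payment) -> Payment:
    if not can_approve(user, payment):
        raise AuthorizationError(
            f"{user.user_id} may not approve payment {payment.payment_id}")
    payment.approved_by = user.user_id
    return payment


if __name__ == "__main__":
    clerk, approver = User("u_clerk"), User("u_approver")
    assign_role(clerk, "payments_clerk")
    assign_role(approver, "payments_approver")
    p = approve_payment(approver, initiate_payment(clerk, "P-1", 500))
    print("approved by", p.approved_by)
    try:
        assign_role(clerk, "payments_approver")  # static SoD conflict
    except AuthorizationError as e:
        print("refused:", e)
```

The static check runs whenever a profile is maintained, so a conflicting combination is never stored; the dynamic check runs per transaction, because a user with only the approver role can still be the originator of a particular record through some other path (bulk import, a prior role) and the control should not depend on that never happening.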
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation are effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
environment.
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on high-risk systems can occur at
least as frequently as significant changes are made to the network.
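The traceability and frequency paragraphs above are stated as properties a test program should have; the added example below (not FFIEC material) turns them into checks an institution could run over its own test records: an unacceptable-risk finding with no remediation action citing it is untraceable, a significant change to a high-risk system with no follow-up scan inside an agreed window breaks the frequency rule, and the age of each open finding is the kind of metric the "Measurement" paragraph says is easier to track over time. The finding, action, change and scan records and their dates are constructed.

```python
"""Traceability, frequency and metric checks over security-test records.

Added example; not FFIEC booklet content. Record layouts, system names
and dates are constructed to show the checks described in the excerpt.
"""
from datetime import date, timedelta

# Constructed test findings with the institution's own risk rating.
FINDINGS = [
    {"id": "F-101", "system": "ibank-web-01", "risk": "unacceptable", "found": date(2012, 5, 14)},
    {"id": "F-102", "system": "ibank-web-01", "risk": "acceptable",   "found": date(2012, 5, 14)},
    {"id": "F-103", "system": "core-db-02",   "risk": "unacceptable", "found": date(2012, 6, 20)},
]

# Constructed remediation actions; each cites the finding it addresses.
ACTIONS = [
    {"id": "A-7", "finding": "F-101", "done": date(2012, 5, 30)},
]

# Constructed significant changes to high-risk systems, and scan history.
CHANGES = [
    {"system": "ibank-web-01", "when": date(2012, 6, 1),  "desc": "new load balancer"},
    {"system": "core-db-02",   "when": date(2012, 7, 10), "desc": "database major upgrade"},
]
SCANS = [
    {"system": "ibank-web-01", "when": date(2012, 6, 8)},
    {"system": "core-db-02",   "when": date(2012, 4, 2)},
]


def untraced_findings(findings, actions):
    """Traceability: unacceptable-risk findings no action refers to."""
    cited = {a["finding"] for a in actions}
    return sorted(f["id"] for f in findings
                  if f["risk"] == "unacceptable" and f["id"] not in cited)


def changes_without_followup_scan(changes, scans, window_days=30):
    """Frequency: changes not followed by a scan of that system within
    window_days. A scan before the change does not count."""
    late = []
    for c in changes:
        deadline = c["when"] + timedelta(days=window_days)
        followed = any(s["system"] == c["system"] and c["when"] <= s["when"] <= deadline
                       for s in scans)
        if not followed:
            late.append((c["system"], c["when"].isoformat()))
    return late


def open_finding_age_days(findings, actions, as_of):
    """Metric: days each unresolved unacceptable finding has been open."""
    cited = {a["finding"] for a in actions}
    return {f["id"]: (as_of - f["found"]).days for f in findings
            if f["risk"] == "unacceptable" and f["id"] not in cited}


if __name__ == "__main__":
    print("untraced:", untraced_findings(FINDINGS, ACTIONS))
    print("no follow-up scan:", changes_without_followup_scan(CHANGES, SCANS))
    print("open ages:", open_finding_age_days(FINDINGS, ACTIONS, date(2012, 8, 6)))
```

The 30-day window is a placeholder for whatever interval the institution's risk assessment sets; the point of the frequency check is that it is driven by change events on high-risk systems rather than by a fixed calendar alone.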
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically?
[§7(g)(1)]