R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 9, 2018

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Fiserv Flaw Exposed Customer Data at Hundreds of Banks - Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned. https://krebsonsecurity.com/2018/08/fiserv-flaw-exposed-customer-data-at-hundreds-of-banks/

How to stop falling behind on cybersecurity training - Today's fast-paced digital world means the number of cyberthreats is multiplying by the minute and organizations' IT environments are in a constant state of flux. https://www.scmagazine.com/how-to-stop-falling-behind-on-cybersecurity-training/article/783909/

Census Bureau Must Fix 3,100 Cyber Vulnerabilities Before 2020 Count - The preparation for the 2020 Census is laboring under constricted timelines, unfixed cyber vulnerabilities and ballooning IT costs, according to a Government Accountability Office report released Thursday. https://www.nextgov.com/analytics-data/2018/08/census-bureau-must-fix-3100-cyber-vulnerabilities-2020-count/150938/

Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks - Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes. http://www.darkreading.com/endpoint/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks/d/d-id/1332707

Calif. Senate approves net neutrality rules, sends bill to governor - Governor has until September 30 to sign net neutrality bill into law. The California Senate today voted to approve the toughest state-level net neutrality bill in the US, one day after the California Assembly took the same action. https://arstechnica.com/tech-policy/2018/08/calif-senate-approves-net-neutrality-rules-sends-bill-to-governor/

Premera Blue Cross accused of destroying evidence in data breach lawsuit - Class-action lawsuit plaintiffs claim US health insurer Premera Blue Cross intentionally destroyed evidence despite ongoing litigation. https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/

Department officials also weren’t tracking who used the system or if they were sharing passwords. The State Department’s consular division isn’t sufficiently protecting the data on a computer system it uses to analyze whether people seeking U.S. visas are being forthright about who they are and where they’ve traveled, according to an audit released Tuesday. https://www.nextgov.com/cybersecurity/2018/08/state-department-visa-analysis-system-wasnt-patched-or-scanned-viruses-audit-finds/150917/

GAO - Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation. https://www.gao.gov/products/GAO-18-622?utm_campaign=usgao_email&utm_content=topci_infosec&utm_medium=email&utm_source=govdelivery


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Missouri state Democrat mishap ends in University of Missouri phishing attempt - A Missouri State Democratic Party email seeking interns helped jumpstart a phishing attempt after the email accidentally ended up in the inboxes of most faculty, staff and student inboxes at the University of Missouri. https://www.scmagazine.com/missouri-state-democrat-mishap-ends-in-university-of-missouri-phishing-attempt/article/792338/

Cisco Data Center Network Manager flaw allows unauthorized access to sensitive information - A vulnerability in Cisco's Data Center Network Manager could allow a remote attacker to gain access to sensitive information. https://www.scmagazine.com/cisco-data-center-network-manager-flaw-allows-unauthorized-access-to-sensitive-information/article/792003/

Air Canada mobile app breach potentially impacts about 20,000 profiles - Air Canada yesterday warned customers of "unusual login behavior" on its mobile app between Aug. 22 and 24, during which time a portion of its account profiles may have been accessed in unauthorized fashion. https://www.scmagazine.com/air-canada-mobile-app-breach-potentially-impacts-about-20000-profiles/article/791996/

Chinese hotel chain warns of massive customer data theft - 130 million could be impacted by Huazhu Group hack - China’s largest hotel chain is investigating an apparent data theft that is said to involve as many as half a billion pieces of information. https://www.theregister.co.uk/2018/08/29/chinese_hotel_data_theft/



WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds.

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement.



FFIEC IT SECURITY - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 17 - LOGICAL ACCESS CONTROL
 
 17.3.1.5 Security Labels
 
 A security label is a designation assigned to a resource (such as a file). Labels can be used for a variety of purposes, including controlling access, specifying protective measures, or indicating additional handling instructions. In many implementations, once this designator has been set, it cannot be changed (except perhaps under carefully controlled conditions that are subject to auditing).
 
 When used for access control, labels are also assigned to user sessions. Users are permitted to initiate sessions with specific labels only. For example, a file bearing the label "Organization Proprietary Information" would not be accessible (readable) except during user sessions with the corresponding label. Moreover, only a restricted set of users would be able to initiate such sessions. The labels of the session and those of the files accessed during the session are used, in turn, to label output from the session. This ensures that information is uniformly protected throughout its life on the system.
 
 Data Categorization - One tool that is used to increase the ease of security labeling is categorizing data by similar protection requirements. For example, a label could be developed for "organization proprietary data." This label would mark information that can be disclosed only to the organization's employees. Another label, "public data" could be used to mark information that is available to anyone.
 
 Labels are a very strong form of access control; however, they are often inflexible and can be expensive to administer. Unlike permission bits or access control lists, labels cannot ordinarily be changed. Since labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. By removing users' ability to arbitrarily designate the accessibility of files they own, opportunities for certain kinds of human errors and malicious software problems are eliminated. In the example above, it would not be possible to copy Organization Proprietary Information into a file with a different label. This prevents inappropriate disclosure, but can interfere with legitimate extraction of some information.
 
 Labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
 
 For systems with stringent security requirements (such as those processing national security information), labels may be useful in access control.
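As an added illustration of the label model described in this chapter (constructed here, not code from the NIST Handbook), the following Python sketch models labeled files and sessions: a session may be opened only by a cleared user, a file is readable only when the session label dominates the file label, and output written from a session carries the session label, so proprietary content cannot be copied into a lower-labeled file. The two label names, the users and their clearances are assumptions.

```python
# Toy model of the label-based access control described above (constructed
# example, not NIST code; label names, users and clearances are assumptions).

# Assumed linear ordering of labels: a higher index is more restrictive.
LEVELS = ["Public Data", "Organization Proprietary Information"]
# Assumed clearances: the most restrictive label each user may open a session with.
CLEARANCE = {"alice": "Organization Proprietary Information", "bob": "Public Data"}

def dominates(a: str, b: str) -> bool:
    """True when label a is at least as restrictive as label b."""
    return LEVELS.index(a) >= LEVELS.index(b)

class Session:
    """A user session carries one label; only cleared users may initiate it."""
    def __init__(self, user: str, label: str):
        if not dominates(CLEARANCE[user], label):
            raise PermissionError(f"{user} is not cleared for a {label!r} session")
        self.user, self.label = user, label

class LabeledStore:
    def __init__(self):
        self.files = {}  # name -> (label, content); a label never changes once set
        self.audit = []  # every denial is recorded, since label decisions are audited

    def create(self, name: str, label: str, content: str = "") -> None:
        self.files[name] = (label, content)

    def read(self, sess: Session, name: str) -> str:
        """A file is readable only in a session whose label dominates the file's."""
        label, content = self.files[name]
        if not dominates(sess.label, label):
            self.audit.append(f"DENY read {name}: {sess.user} session is {sess.label}")
            raise PermissionError(name)
        return content

    def write(self, sess: Session, name: str, content: str) -> str:
        """Session output is labeled with the session label, which already
        dominates every file the session could have read. Returns the label."""
        if name in self.files:
            label, _ = self.files[name]
            if not dominates(label, sess.label):
                # Copying into a lower-labeled file would disclose data, so refuse
                # rather than relabel: labels are fixed and cannot be downgraded.
                self.audit.append(f"DENY write {name}: {label} < {sess.label}")
                raise PermissionError(name)
        else:
            label = sess.label  # new output inherits the session label
        self.files[name] = (label, content)
        return label
```

Writing up into a more restrictive file is allowed because it discloses nothing; the inflexibility the chapter mentions shows in the refused copy, which blocks legitimate extraction as well as misuse.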


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.