R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 17, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

NIST develops guidelines for dealing with ransomware recovery - The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) along with vendors and businesses within the cybersecurity community teamed up to develop a recovery guide for firms hit with ransomware attacks. https://www.scmagazine.com/feds-release-guided-on-mitigating-ransomware-threats/article/687317/

Three Equifax Managers Sold Stock Before Cyber Hack Revealed - Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers. https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack

Where Equifax falls among the top recent data breaches - Equifax's data breach exposing 143 million customer records is certainly a massive number, but it only falls more or less in the middle of the pack when it comes to some of the larger breaches experienced over the last several years.  https://www.scmagazine.com/where-equifax-falls-among-the-top-recent-data-breaches/article/687611/

GAO - Health Insurance Marketplaces: Centers for Medicare & Medicaid Services Need to Improve Its Oversight of State IT Systems' Sustainability and Performance
Report: http://www.gao.gov/products/GAO-17-258 
Highlights: http://www.gao.gov/assets/690/686568.pdf 

Energy Dept. to invest up to $50M in infrastructure cybersecurity, resilience - The U.S. Energy Department will sink up to $50 million in multiple projects, 20 of them cybersecurity-related, under the umbrella of its National Laboratories to boost the resilience and security of the U.S. critical energy infrastructure. https://www.scmagazine.com/energy-dept-to-invest-up-to-50m-in-infrastructure-cybersecurity-resilience/article/688245/

FA readies players for inhospitable cyber World Cup cyber environment - British World Cup team members may have more to worry about than what happens on the football pitch in host country Russia as the Football Association (FA) is already expressing concerns about hackers going after the team's players and staff. https://www.scmagazine.com/fa-readies-players-for-inhospitable-cyber-world-cup-cyber-environment/article/688072/

Bluetooth ache: Protocol's security not sufficiently researched, experts claim after 'BlueBorne' disclosure - The recently disclosed collection of "BlueBorne" vulnerabilities that were found to affect at least 5.3 billion Bluetooth-enabled devices has revealed several inconvenient truths about the short-range communications protocol, experts are saying. https://www.scmagazine.com/bluetooth-ache-protocols-security-not-sufficiently-researched-experts-claim-after-blueborne-disclosure/article/688555/

U.S. bans use of Kaspersky Labs software on government systems - Acting on concerns that Russian company Kaspersky Lab has connections to cyberespionage activities, the U.S. government has banned the use of Kaspersky Lab security software, according to a binding order released Wednesday by Department of Homeland Security (DHS) Acting Secretary Elaine Duke. https://www.scmagazine.com/us-bans-use-of-kaspersky-labs-software-on-government-systems/article/688572/


FYI - Equifax breach could affect 143 million U.S. consumers - Cybercriminals gained unauthorized access to Equifax files in a breach that could affect as many as 143 million consumers in the U.S., the company said Thursday. https://www.scmagazine.com/equifax-breach-could-affect-143-million-us-consumers/article/687326/

Hackers breach AXA Insurance Singapore's Health Portal, stealing data on 5,400 customers - The Singapore division of life insurance firm AXA Insurance has reportedly suffered a data breach, after hackers stole roughly 5,400 customers' personal information from its Health Portal. https://www.scmagazine.com/hackers-breach-axa-insurance-singapores-health-portal-stealing-data-on-5400-customers/article/687129/

Data breach exposes about 4 million Time Warner Cable customer records - Time Warner Cable, now known as Spectrum, became the latest company to realize exactly how vulnerable its data is when a third-party vendor entrusted with its safety made an error exposing millions of records. https://www.scmagazine.com/data-breach-exposes-about-4-million-time-warner-cable-customer-records/article/686592/

Alaska Office of Children's Services hit with data breach - The Alaska Office of Children's Services (OCS) filed a HIPAA breach notification that states two of its computers may have been breached, possibly affecting 500 individuals. https://www.scmagazine.com/alaska-office-of-childrens-services-hit-with-data-breach/article/687437/

Rural New York sheriff's department hacked - The Schuyler County (New York) Sheriff's Department's 911 emergency contact system was temporarily knocked offline by what local officials said was an attack by a foreign country. https://www.scmagazine.com/rural-new-york-sheriffs-department-hacked/article/687772/

Minnesota park computers infected with malware - Minnesota's Department of Natural Resources has warned anyone who paid for purchases at Tettegouche State Park between Aug. 22-25 to look for suspicious activity on their credit card accounts after malware was discovered on the park's computers. https://www.scmagazine.com/minnesota-park-computers-infected-with-malware/article/687735/

LinkedIn Premium accounts being used in phishing scam - LinkedIn and Wells Fargo have found themselves once again at the center of a cyber issue, but this time hackers are using the business-oriented social media site to send phishing InMails posing as a Wells Fargo document. https://www.scmagazine.com/linkedin-premium-accounts-being-used-in-phishing-scam/article/688591/


OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5).  Next week we will begin our series on the Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes.
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities
  If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov), a partnership of the FBI and the National White Collar Crime Center.
  In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.
  In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.


We continue our series on the FFIEC interagency Information Security Booklet.
 Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.
 In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal institution system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.
 A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.


12.2.4 Technical Platform and Communications Expertise

The technical staff members who comprise the incident handling capability need specific knowledge, skills, and abilities. Desirable qualifications for technical staff members may include the ability to:

1)  work expertly with some or all of the constituency's core technology;
2)  work in a group environment;
3)  communicate effectively with different types of users, who will range from system administrators to unskilled users to management to law-enforcement officials;
4)  be on-call 24 hours as needed; and
5)  travel on short notice (of course, this depends upon the physical location of the constituency to be served).

12.2.5 Liaison With Other Organizations

Due to increasing computer connectivity, intruder activity on networks can affect many organizations, sometimes including those in foreign countries. Therefore, an organization's incident handling team may need to work with other teams or security groups to effectively handle incidents that range beyond its constituency. Additionally, the team may need to pool its knowledge with other teams at various times. Thus, it is vital to the success of an incident handling capability that it establish ties and contacts with other related counterparts and supporting organizations.

Especially important to incident handling are contacts with investigative agencies, such as federal (e.g., the FBI), state, and local law enforcement. Laws that affect computer crime vary among localities and states, and some actions may be state (but not federal) crimes. It is important for teams to be familiar with current laws and to have established contacts within law enforcement and investigative agencies.

Incidents can also garner much media attention and can reflect quite negatively on an organization's image. An incident handling capability may need to work closely with the organization's public affairs office, which is trained in dealing with the news media. In presenting information to the press, it is important that (1) attackers are not given information that would place the organization at greater risk and (2) potential legal evidence is properly protected.

The Forum of Incident Response and Security Teams

The 1988 Internet worm incident highlighted the need for better methods for responding to and sharing information about incidents. It was also clear that any single team or "hot line" would simply be overwhelmed. Out of this was born the concept of a coalition of response teams -- each with its own constituency, but working together to share information, provide alerts, and support each other in the response to incidents. The Forum of Incident Response and Security Teams (FIRST) includes teams from government, industry, computer manufacturers, and academia. NIST serves as the secretariat of FIRST.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated