Internet Banking News

September 21, 2014

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - Agencies Aren’t Properly Vetting All Cyber Contractors - Vendors operating systems that handle government data are required to take security precautions, but most agencies are not making sure they do so. http://www.nextgov.com/cybersecurity/2014/09/agencies-contractor-employees-cyber-workforce/93620/?oref=ng-channelriver

FYI - Federal agency to end contracts of background-check contractor USIS - The federal Office of Personnel Management plans to terminate its massive contracts with USIS, the major security clearance contractor that was targeted last month by a cyberattack, several officials said Tuesday. http://www.stripes.com/news/us/federal-agency-to-end-contracts-of-background-check-contractor-usis-1.302244

FYI - Documents reveal NSA plans to map every internet connected device in the world - The National Security Agency (NSA) is looking to map every single internet connected device in the world, including smartphones, tablets and computers. http://www.scmagazine.com/documents-reveal-nsa-plans-to-map-every-internet-connected-device-in-the-world/article/371606/

FYI - GAO - Healthcare- Needed to Address Weaknesses in Information Security and Privacy Controls. http://www.gao.gov/products/GAO-14-730

FYI - C&K apologizes for unauthorized access that led to Goodwill breach - The web hosting service apologized Monday for the “intermittent” unauthorized access to its hosted environment over an 18-month period that likely led to the data breach incurred by Goodwill Industries International. http://www.scmagazine.com/ck-apologizes-for-unauthorized-access-that-led-to-goodwill-breach/article/372129/

FYI - Things Can Go Kaboom When a Defense Contractor's 3-D Printer Gets Hacked - Defense companies that manufacture parts with three-dimensional printers using metal powders might want to heed forthcoming government-issued standards for preventing hacks. http://www.nextgov.com/cybersecurity/2014/09/heres-why-you-dont-want-your-3-d-printer-get-hacked/93923/

FYI - 75 percent of mobile apps will fail security tests through end of 2015 - The bulk of mobile applications (75 percent) will fail basic security tests over the next 15 months or so – through the end of 2015 – leaving businesses vulnerable to attack and violations of their security policies. http://www.scmagazine.com/gartner-75-percent-of-mobile-apps-will-fail-security-tests-through-end-of-2015/article/372424/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Temple University patients impacted by possible breach - An unencrypted desktop computer with the personal information of 3,780 patients was stolen from a Temple University physician's office in July. http://www.scmagazine.com/temple-university-patients-impacted-by-possible-breach/article/371311/

FYI - George Mason University travel system targeted for malware attack - George Mason University detected a malware intrusion into its travel booking system on July 16. No personal information is thought to have been viewed, but the incident could have affected up to 4,400 users. http://www.scmagazine.com/george-mason-university-travel-system-targeted-for-malware-attack/article/371309/

FYI - Tampa General Hospital breach impacts hundreds of patients - Nearly 700 patients who were treated at Tampa General Hospital from October 2011 to August 2014 are being notified that their personal information – including Social Security numbers, in some instances – may have been accessed, without authorization, by a former employee. http://www.scmagazine.com/tampa-general-hospital-breach-impacts-hundreds-of-patients/article/371433/

FYI - Nigerian police search for ringleader in major bank heist - The Economic and Financial Crimes Commission (EFCC), a Nigerian law enforcement agency, has announced that a scammer, suspected of diverting 6.28 billion Naira (nearly $49 million US) to mule accounts, is being sought by police. http://www.scmagazine.com/nigerian-police-search-for-ringleader-in-major-bank-heist/article/371922/

FYI - Florida medical center hit with breach for third time in two years - Aventura Hospital and Medical Center has reported a data breach; the third time in two years the facility has been hit. http://www.scmagazine.com/florida-medical-center-hit-with-breach-for-third-time-in-two-years/article/372025/

FYI - Singaporean karaoke bar members' info compromised - A Singapore-based karaoke chain, K Box, had members' personal information compromised earlier this week when the hacker group “The Knowns” posted the data online. http://www.scmagazine.com/singaporean-karaoke-bar-members-info-compromised/article/372272/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Security Controls - Principle 1: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)

The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.

Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.

As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:

1) Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.

2) Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.

3) Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.

4) Authenticated e-banking sessions remain secure throughout the full duration of the session or in the event of a security lapse the session should require re-authentication.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

Hardening Systems

Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which it is employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system.

When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

! Determining the purpose of the system and minimum software and hardware requirements;
! Documenting the minimum hardware, software and services to be included on the system;
! Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of applications;
! Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
! Changing all default passwords; and
! Testing the resulting systems.

After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree." Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1) Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2) Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3) Frequency and effectiveness of monitoring procedures;

4) Adequacy and regularity of the institution's training program;

5) Suitability of the compliance audit program for ensuring that:

      a) the procedures address all regulatory provisions as applicable;
      b) the work is accurate and comprehensive with respect to the institution's information sharing practices;
      c) the frequency is appropriate;
      d) conclusions are appropriately reached and presented to responsible parties;
      e) steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and

6) Knowledge level of management and personnel.