R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 23, 2018

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit - Equifax was so unsure how much data had been stolen during its 2017 mega-hack that its IT staff spent weeks rerunning the hackers' database queries on a test system to find out.
https://www.theregister.co.uk/2018/09/17/gao_report_equifax_mega_breach/
https://www.gao.gov/assets/700/694158.pdf

Internet companies push for national privacy law - The Internet Association, which represents more than 40 companies, including Facebook, Alphabet, Microsoft and Twitter, came out Tuesday in favor of “an economy-wide, national approach to regulation that protects the privacy of all Americans” rather than adhering to a bundle of individual state laws like the recently passed California Consumer Privacy Act. https://www.scmagazine.com/home/news/internet-companies-push-for-national-privacy-law/

No fly-by-night operation: Researchers suspect Magecart group behind British Airways breach - A forensic analysis of the recent British Airways data breach has turned up evidence pointing to the involvement of Magecart, the same cybercriminal organization linked to a similar breach earlier this year affecting Ticketmaster. https://www.scmagazine.com/home/news/no-fly-by-night-operation-researchers-suspect-magecart-group-behind-british-airways-breach/

House Bill Would Create Financial Data Breach Notification Standard - A bill introduced by Rep. Blaine Luetkemeyer, R-Mo., chairman of the House Subcommittee on Financial Institutions and Consumer Credit, on Sept. 7 aims to create a national standard for financial institutions to notify consumers of data security breaches. https://www.meritalk.com/articles/house-bill-would-create-financial-data-breach-notification-standard/

Students and staff blamed in majority of UK university cyberattacks - A government-funded agency in the UK suspects students and staff may be behind university cyberattacks rather than cybergangs and foreign powers. https://www.scmagazine.com/home/news/students-and-staff-blamed-in-majority-of-uk-university-cyberattacks/

Survey: Nearly one-third of breached companies reported job losses after data breach - Nearly one-third of surveyed companies that experienced a data breach in the previous 12 months said the incident cost certain employees their jobs. https://www.scmagazine.com/home/news/survey-nearly-one-third-of-breached-companies-reported-job-losses-after-data-breach/

You’ve Been Breached! Now What? - Many companies that suffer a malicious cyber incident such as a breach hesitate to involve federal law enforcement, fearing an overbearing investigative process, loss of control over the incident response, additional pain or injury caused by law enforcement activities, and public court proceedings. https://www.scmagazine.com/home/news/youve-been-breached-now-what/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Honolulu-based Fetal Diagnostic Institute of the Pacific hit with ransomware - Honolulu-based Fetal Diagnostic Institute of the Pacific (FDIP) announced it was hit by a ransomware attack that may have compromised patient data. https://www.scmagazine.com/home/news/honolulu-based-fetal-diagnostic-institute-of-the-pacific-hit-with-ransomware/

Brit airport pulls flight info system offline after attack by 'online crims' - Bristol Airport deliberately yanked its flight screens offline for two days over the weekend in response to a cyberattack. https://www.theregister.co.uk/2018/09/17/bristol_airport_cyber_attack/

Veeam holds its hands up, admits database leak was plain 'complacency' - Co-CEO: 'We should have done a better job' - Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses.
https://www.theregister.co.uk/2018/09/14/veeam_leak_follow_up/
https://www.veeam.com/executive-blog/veeam-data-incident-resolved.html

Colorado firm claims ransomware attack behind closure - A Colorado printing company is claiming it was forced out of business after being hit with a severe cyberattack from which it could not recover. https://www.scmagazine.com/home/news/colorado-firm-claims-ransomware-attack-behind-closure/

14 million customer records exposed in GovPayNow leak - GovPayNow.com, a payment system used by thousands of federal and state government agencies in the U.S. and recently acquired by Securus Technologies, has leaked 14 million customer records. https://www.scmagazine.com/home/news/14-million-customer-records-exposed-in-govpaynow-leak/

State Department email breach leaks employee PII - The State Department was hit with an email breach which exposed the personal information of some of its employees. https://www.scmagazine.com/home/news/state-department-email-breach-leaks-employee-pii/

Blue Cross and Blue Shield of Rhode Island and Independence Blue Cross report breaches - Blue Cross and Blue Shield of Rhode Island (BCBSRI) is blaming a vendor for a breach that compromised the personal health information of 1,567 people, and Philadelphia-based insurer Independence Blue Cross was breached in a separate incident. https://www.scmagazine.com/home/news/blue-cross-and-blue-shield-of-rhode-island-reports-breach/



WEB SITE COMPLIANCE - Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

KEY RISK ASSESSMENT PRACTICES (1 of 2)

A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:

1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.

2) Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.

3) Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.3.2 External Access Controls

17.3.2.2 Secure Gateways/Firewalls

Often called firewalls, secure gateways block or filter access between two networks, often between a private network and a larger, more public network such as the Internet, which attracts malicious hackers. Secure gateways allow internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems.

Some secure gateways are set up to allow all traffic to pass through except for specific traffic which has known or suspected vulnerabilities or security problems, such as remote log-in services. Other secure gateways are set up to disallow all traffic except for specific types, such as e-mail. Some secure gateways can make access-control decisions based on the location of the requester. There are several technical approaches and mechanisms used to support secure gateways.

Because gateways provide security by restricting services or traffic, they can affect a system's usage. For this reason, firewall experts always emphasize the need for policy, so that appropriate officials decide how the organization will balance operational needs and security.

In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal system security overhead, since they allow an organization to concentrate security efforts on a limited number of machines. (This is similar to putting a guard on the first floor of a building instead of needing a guard on every floor.)

A second benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication, e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.

Types of Secure Gateways - There are many types of secure gateways. Some of the most common are packet filtering (or screening) routers, proxy hosts, bastion hosts, dual-homed gateways, and screened-host gateways.
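The two policy styles the Handbook contrasts (pass everything except known-risky services, or block everything except a few permitted types) and the location-based decision it mentions can be made concrete with a small packet-filter evaluator. The following is an added example, not code from the NIST Handbook; the rule sets, the `Packet`/`Rule`/`Gateway` names and the sample addresses (from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed for illustration, and a real screening router would match on far more fields.

```python
"""Toy packet-filter evaluator contrasting a permissive and a restrictive gateway policy.

Added example (not from the NIST Handbook). Rule sets and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source address as text
    dst_port: int       # destination port, used here as a stand-in for "service"
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    dst_port: Optional[int] = None  # None matches any port
    src_net: Optional[str] = None   # None matches any source (CIDR text otherwise)
    proto: str = "tcp"
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


@dataclass
class Gateway:
    rules: List[Rule]
    default_action: str  # what happens when no rule matches: "allow" or "deny"

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """First matching rule wins; otherwise the gateway's default applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default"


# Style 1: let everything through except services with known problems
# (remote log-in services such as telnet and rlogin).
PERMISSIVE = Gateway(
    rules=[Rule("deny", dst_port=23, name="no telnet"),
           Rule("deny", dst_port=513, name="no rlogin")],
    default_action="allow",
)

# Style 2: block everything except e-mail, plus SSH only when the requester
# sits on a named partner network (a location-based decision).
RESTRICTIVE = Gateway(
    rules=[Rule("allow", dst_port=25, name="smtp"),
           Rule("allow", dst_port=22, src_net="203.0.113.0/24", name="ssh from partner")],
    default_action="deny",
)


def reachable_ports(gateway: Gateway, src: str, ports: List[int]) -> List[int]:
    """Ports on which traffic from `src` would be passed; shows how much each policy exposes."""
    return [p for p in ports if gateway.decide(Packet(src, p))[0] == "allow"]


def evaluate(gateway: Gateway, packets: List[Packet]) -> List[Tuple[str, int, str, str]]:
    """Decision log: (source, port, action, rule name) for each packet."""
    return [(p.src, p.dst_port) + gateway.decide(p) for p in packets]


# Constructed sample traffic: an outside host and a partner-network host.
SAMPLE = [Packet("198.51.100.7", 25), Packet("198.51.100.7", 23),
          Packet("203.0.113.9", 22), Packet("198.51.100.7", 22),
          Packet("198.51.100.7", 8080)]

if __name__ == "__main__":
    for label, gw in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(label)
        for entry in evaluate(gw, SAMPLE):
            print("  %s -> port %d: %s (%s)" % entry)
```

The permissive policy has to enumerate every risky service it knows about, so a new service (port 8080 here) is exposed by default; the restrictive policy exposes only what was deliberately listed, which is why the Handbook stresses that the trade-off between usability and restriction is a policy decision rather than a technical one.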

17.3.2.3 Host-Based Authentication

Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Many network applications in use today use host-based authentication to determine whether access is allowed. Under certain circumstances it is fairly easy to masquerade as the legitimate host, especially if the masquerading host is physically located close to the host being impersonated. Security measures to protect against misuse of some host-based authentication systems are available (e.g., Secure RPC uses DES to provide a more secure identification of the client host).

An example of host-based authentication is the Network File System (NFS), which allows a server to make file systems/directories available to specific machines.
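Because an NFS server decides on the requesting host alone, the review question for an auditor is how widely each export is shared and with what rights. The following added example (not from the NIST Handbook) parses an exports table written in the common Linux `/etc/exports` layout, answers "would this host be granted?" without ever consulting a user identity, and flags the entries a reviewer would want to see: exports to every host (`*`), read-write exports to broad networks, and `no_root_squash` entries. The sample table, the `BROAD_PREFIX` threshold and the finding texts are constructed assumptions, and hostname entries are not resolved so that the example runs offline.

```python
"""Audit an NFS-style exports table for host-based authentication exposure.

Added example (not from the NIST Handbook). The exports text, the /24 threshold and
the finding wording are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample in the common /etc/exports layout: path, then client(options) entries.
SAMPLE_EXPORTS = """
# home directories for the office LAN, plus one admin workstation
/export/home   10.0.0.0/24(rw)  10.0.1.5(rw,no_root_squash)
/export/public *(ro)
/export/data   10.0.0.0/8(rw)
"""

CLIENT_RE = re.compile(r"^([^(]+)(?:\(([^)]*)\))?$")
BROAD_PREFIX = 24   # assumed review policy: read-write to anything wider than a /24 is a finding


@dataclass
class ClientSpec:
    host: str                                   # single IP, CIDR network, or "*" for any host
    options: List[str] = field(default_factory=list)

    def covers(self, client_ip: str) -> bool:
        """Host-based check: is the requesting address one this entry was exported to?"""
        if self.host == "*":
            return True
        try:
            return ip_address(client_ip) in ip_network(self.host, strict=False)
        except ValueError:
            return False   # hostname entries are not resolved in this offline example

    @property
    def writable(self) -> bool:
        return "rw" in self.options   # an export without "rw" is read-only


@dataclass
class Export:
    path: str
    clients: List[ClientSpec]


def parse_exports(text: str) -> List[Export]:
    """Parse exports lines; '#' starts a comment, blank lines are skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError("bad client spec: %s" % spec)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append(ClientSpec(m.group(1), opts))
        exports.append(Export(path, clients))
    return exports


def is_granted(exports: List[Export], path: str, client_ip: str, write: bool = False) -> bool:
    """Decision rests on the requester's address only; the user is never consulted."""
    for exp in exports:
        if exp.path != path:
            continue
        for spec in exp.clients:
            if spec.covers(client_ip):
                return spec.writable or not write
    return False


def audit(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) for each entry a reviewer should question."""
    findings = []
    for exp in exports:
        for spec in exp.clients:
            if spec.host == "*":
                findings.append((exp.path, spec.host, "exported to every host"))
            if "no_root_squash" in spec.options:
                findings.append((exp.path, spec.host, "remote root keeps root privileges"))
            if spec.writable and "/" in spec.host:
                if ip_network(spec.host, strict=False).prefixlen < BROAD_PREFIX:
                    findings.append((exp.path, spec.host, "read-write to a broad network"))
    return findings


if __name__ == "__main__":
    table = parse_exports(SAMPLE_EXPORTS)
    print("10.0.0.20 may write /export/home:", is_granted(table, "/export/home", "10.0.0.20", write=True))
    for finding in audit(table):
        print("FINDING %s %s: %s" % finding)
```

Any machine inside 10.0.0.0/24 can write to `/export/home` regardless of who is logged in on it, which is exactly the property the Handbook warns about: the control is only as strong as the assurance that the requesting address really belongs to the intended host.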


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.