REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI
- Security challenges at universities - The CISO of UNC-Charlotte is
getting a lesson in the unique security challenges facing
universities.
http://www.scmagazine.com/school-ties-security-challenges-at-universities/article/259497/?DCMP=EMC-SCUS_Newswire
FYI
- Rent-to-own firms settle computer spying charges - Rented
computers had software on them that was used to surreptitiously log
key strokes, capture screen shots and take photos of people who were
late on payments, FTC says. Eight companies accused of spying on
consumers via rented computers have agreed to settle charges that
they broke the law and engaged in unfair business practices, the
Federal Trade Commission announced.
http://news.cnet.com/8301-1009_3-57520249-83/rent-to-own-firms-settle-computer-spying-charges/
FYI
- DISA charged with securing networks for all but two agencies - The
Defense Information Systems Agency has been tapped to tighten up
network security of all branches of the federal government except
the State Department and the FBI, which have their own systems.
http://www.nextgov.com/defense/2012/09/disa-charged-securing-all-two-federal-networks/58354/
FYI
- Utilities open to cybersecurity dialogue - A group of electric
companies says it is not opposed to working with the federal
government to secure power-grid computer networks, as long as
regulators don't prescribe new burdensome and inflexible rules.
http://www.nextgov.com/cybersecurity/2012/09/utilities-open-cybersecurity-dialogue/58459/?oref=ng-channeltopstory
FYI
- In cyberattacks, hacking humans is highly effective way to access
systems - Government and business leaders in the United States and
around the world are rushing to build better defenses -- and to
prepare for the coming battles in the digital universe.
http://www.washingtonpost.com/investigations/in-cyberattacks-hacking-humans-is-highly-effective-way-to-access-systems/2012/09/26/2da66866-ddab-11e1-8e43-4a3c4375504a_story.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Researcher finds 100K passwords, user IDs, on IEEE site - Danish
CS teaching assistant says he stumbled upon IEEE cache during search
for research material - A Danish graduate student said he was
searching for research material on an IEEE FTP server last week when
he stumbled upon the usernames and passwords of about 100,000
members of the professional association.
http://www.computerworld.com/s/article/9231731/Researcher_finds_100K_passwords_user_IDs_on_IEEE_site?taxonomyId=203
FYI
- Government Agencies, Utilities Among Targets of 'VOHO' Cyber-Spy
Attacks - An analysis of a cyber-espionage attack finds that a
stealthy Trojan infected nearly 1,000 organizations using the
uncommon "waterhole" attack.
http://www.eweek.com/security/government-agencies-utilities-among-targets-of-voho-cyber-spy-attacks/
FYI
- Maker of Smart-Grid Control Software Hacked - The maker of an
industrial control system designed to be used with so-called smart
grid networks disclosed to customers last week that hackers had
breached its network and accessed project files related to a control
system used in portions of the electrical grid.
http://www.wired.com/threatlevel/2012/09/scada-vendor-telvent-hacked/
FYI
- Hackers raid Adobe, compromise certificate to sign malware -
Advanced hackers have broken into an internal server at Adobe to
compromise a digital certificate that allowed them to create at
least two files that appear to be legitimately signed by the
software maker, but actually contain malware.
http://www.scmagazine.com/hackers-raid-adobe-compromise-certificate-to-sign-malware/article/261175/?DCMP=EMC-SCUS_Newswire
FYI
- Damage not done yet for Global Payments after breach -
Atlanta-based payment processor Global Payments expects to take a
hit of another $55 to $65 million related to a data breach it
sustained earlier this year.
http://www.scmagazine.com/damage-not-done-yet-for-global-payments-after-breach/article/261598/?DCMP=EMC-SCUS_Newswire
FYI
- Postcard gaffe exposes employee SSNs at University of Chicago -
The personal data of several thousand University of Chicago
employees were mailed out on postcards sent to faculty and staff
last week.
http://www.scmagazine.com/postcard-gaffe-exposes-employee-ssns-at-university-of-chicago/article/261497/?DCMP=EMC-SCUS_Newswire
FYI
- Attackers used Adobe certificate to validate malware - Attackers
compromised an Adobe server and hijacked a code-signing certificate
-- a mechanism that is supposed to validate that computer programs
are from trusted sources -- and manipulated it to give the green
light for malware to enter computer systems, the company said.
http://www.nextgov.com/cybersecurity/2012/10/attackers-used-adobe-certificate-validate-malware/58488/?oref=ng-channeltopstory
FYI
- DSL modem hack used to infect millions with banking fraud malware
- Even when PCs are locked down, modems and routers can still be
compromised. Millions of Internet users in Brazil have fallen victim
to a sustained attack that exploited vulnerabilities in DSL modems,
forcing people visiting sites such as Google or Facebook to reach
imposter sites that installed malicious software and stole online
banking credentials, a security researcher said.
http://arstechnica.com/security/2012/10/dsl-modem-hack-infects-millions-with-malware/
FYI
- White House confirms 'spearphishing' intrusion - Official confirms
report by veteran Pentagon reporter Bill Gertz saying hackers linked
to China's government "broke into one of the U.S. government's most
sensitive computer networks."
http://news.cnet.com/8301-1009_3-57523621-83/white-house-confirms-spearphishing-intrusion/
http://www.scmagazine.com/spear-phish-cracks-white-house-computer-network/article/261627/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Over the next 12 weeks we will cover the
recently released FDIC Supervisory Insights regarding Incident
Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches, organizations
are finding it necessary to develop formal incident response
programs (IRPs). However, at a time when organizations need to be
most prepared, many banks are finding it challenging to assemble an
IRP that not only meets minimum requirements (as prescribed by
Federal bank regulators), but also provides for an effective
methodology to manage security incidents for the benefit of the bank
and its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information security
program and provides information on required content and best
practices banks may consider when developing effective response
programs.
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Risk Mitigation
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
implementation include:
1) Establishing a minimum set of security requirements for wireless
networks and applications;
2) Adopting proven security policies and procedures to address the
security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end
encryption of information as it passes throughout the wireless
network;
4) Adopting authentication protocols for customers using wireless
applications that are separate and distinct from those provided by
the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit
capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
7) Performing independent security testing of wireless network and
application implementations.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
39. Does the institution use an appropriate means to ensure that
notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
[§9(e)(2)(ii)] or
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site?
[§9(e)(2)(iii)]