R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 27, 2019

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI - Court doc: Equifax allegedly used insecure password ‘admin’ to protect portal - Failing to patch a critical vulnerability in its Apache Struts software was not the only major security oversight committed by Equifax in the lead-up to a highly damaging data breach in 2017, according to a document filed as part of a securities fraud class-action lawsuit filed earlier this year. https://www.scmagazine.com/home/security-news/court-doc-equifax-allegedly-used-insecure-password-admin-to-protect-portal/

Hacker behind Montgomery County school data breach identified - A Montgomery County, Md., high school student earlier this month hacked into the Naviance college prep system and downloaded and shared the PII from about 1,400 fellow students. https://www.scmagazine.com/home/security-news/data-breach/hacker-behind-montgomery-county-school-data-breach-identified/

U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials - The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters. https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-idUSKBN1WV0EK

US stopped using floppy disks to manage nuclear weapons arsenal - US Air Force switches to secure solid-state-based solution to replace antiquated floppy disks in SACCS nuclear weapons management system. https://www.zdnet.com/article/us-stopped-using-floppy-disks-to-manage-nuclear-weapons-arsenal/

Girl Scouts of USA Launch First National Cybersecurity Challenge - Girls across the United States of America will take part in the country's first ever National Girl Scouts Cyber Challenge tomorrow. https://www.infosecurity-magazine.com/news/us-girl-scouts-launch/

Tips for those of all ages interested in pursuing a career in cybersecurity - Today, we are facing a frightening shortage of cybersecurity professionals in the workforce. Specifically, this widening gap is expected to lead to 3.5 million jobs left unfilled, according to Cybersecurity Ventures, in the cybersecurity profession by 2021. https://www.scmagazine.com/home/opinion/executive-insight/tips-for-those-of-all-ages-interested-in-pursuing-a-career-in-cybersecurity/

Georgia Supreme Court rules that collection of vehicular data requires warrant - The Georgia Supreme Court yesterday ruled that law enforcement must obtain a warrant before pulling data from an automobile as part of a crash investigation, overturning a verdict previously rendered and later upheld by lower courts. https://www.scmagazine.com/home/security-news/legal-security-news/georgia-supreme-court-rules-that-collection-of-vehicular-data-requires-warrant/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Avast’s network penetrated, CCleaner targeted again - The Czech-based security firm Avast reported its internal network had been accessed through a temporary and loosely protected VPN profile with compromised credentials. https://www.scmagazine.com/home/security-news/apts-cyberespionage/avasts-network-penetrated-ccleaner-targeted-again/

San Bernadino City schools hit with ransomware - The San Bernadino City Unified School District has been knocked offline by a ransomware attack. https://www.scmagazine.com/home/security-news/ransomware/san-bernadino-city-schools-hit-with-ransomware/

2.8 million CenturyLink customer records exposed by unprotected database - https://www.scmagazine.com/?s=2.8+million+CenturyLink+customer+records+exposed+by+unprotected+database+

UC Browser potentially endangers 500 million users - The popular Android browser UC Browser was found to break several Google mobile app rules possibly placing up to 500 million of its users at risk. https://www.scmagazine.com/home/security-news/mobile-security/uc-browser-potentially-endangers-500-million-users/

Phishing scam targets users of Stripe payment processing service - Cybercriminals have devised a phishing campaign that takes aim at customers of the online payment processing company Stripe, with the intention to steal their credentials, compromise their accounts and presumably view their payment card data. https://www.scmagazine.com/home/security-news/cybercrime/phishing-scam-targets-users-of-stripe-payment-processing-service/

Major German manufacturer still down a week after getting hit by ransomware - Pilz, a German company making automation tools, was infected with the BitPaymer ransomware on October 13. https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/

Popular VPN service NordVPN confirms data center breach - NordVPN, a popular virtual private network, said Monday it was the victim of a data breach in 2018. The company said that so far the impact from the hack was minor, but it plans on upping its security efforts.
https://www.scmagazine.com/home/security-news/data-breach/nordvpn-confirms-2018-breach/

Phishing scam behind Kalispell Regional Healthcare data breach - Kalispell Regional Healthcare (KRH) just reported a cyberattack that took place in late August and exposed patients’ health information. https://www.scmagazine.com/home/health-care/phishing-scam-behind-kalispell-regional-healthcare-data-breach/


WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (6 of 12)

Best Practices - Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.

Preparation

Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Source Code Review and Testing

Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. The source code reviews should be repeated after the creation of potentially significant changes.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We begin the series on the National Institute of Standards and Technology (NIST) Handbook.
Section I. Introduction & Overview
Chapter 1

INTRODUCTION

1.1 Purpose

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text. This document provides advice and guidance; no penalties are stipulated.

1.2 Intended Audience

The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government, this includes those who have computer security responsibilities for sensitive systems.

For the most part, the concepts presented in the handbook are also applicable to the private sector. While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards -- managerial, operational, and technical -- are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.