FFIEC information technology audits
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Lazarus FASTCash ATM attack details discovered - Symantec
researchers have uncovered several crucial details behind how the
cybergang Lazarus (AKA Hidden Cobra) has successfully conducted
dozens of ATM hacks resulting in the machines literally spewing
money out on the group's command.
https://www.scmagazine.com/home/security-news/lazarus-fastcash-atm-attack-details-discovered/
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail
Scanning Service - A year ago, KrebsOnSecurity warned that “Informed
Delivery,” a new offering from the U.S. Postal Service (USPS) that
lets residents view scanned images of all incoming mail, was likely
to be abused by identity thieves and other fraudsters unless the
USPS beefed up security around the program and made it easier for
people to opt out.
https://krebsonsecurity.com/2018/11/u-s-secret-service-warns-id-thieves-are-abusing-uspss-mail-scanning-service/
Companies, customers will avoid you after a breach, survey says - A
recent study found customers would cease engaging with a brand after
it experienced a breach and that overall, most respondents were
unwilling to pay extra for the protection of their personal data.
https://www.scmagazine.com/home/security-news/companies-customers-will-avoid-you-after-a-breach-survey-says/
Pentagon bolstering cybersecurity demands for future contracts - The
Pentagon's top weapons buyer has issued new language applying to
future contracts that's intended to put companies on notice that
they must elevate cybersecurity protection.
https://www.stripes.com/news/us/pentagon-bolstering-cybersecurity-demands-for-future-contracts-1.555931
Top banks in cyber-attack 'war game' - The Bank of England is
testing the UK's ability to withstand a major cyber-attack on
financial institutions. Some 40 firms, including leading banks, are
taking part in a one-day "war-gaming" exercise designed to assess
their resilience.
https://www.bbc.com/news/business-46149667
GAO - Departments Need to Improve Chief Information Officers' Review
and Approval of IT Budgets.
https://www.gao.gov/products/GAO-19-49?utm_campaign=usgao_email&utm_content=topic_it&utm_medium=email&utm_source=govdelivery
GAO - OPM Has Implemented Many of GAO's 80 Recommendations, but Over
One-Third Remain Open.
https://www.gao.gov/products/GAO-19-143R?utm_campaign=usgao_email&utm_content=topci_infosec&utm_medium=email&utm_source=govdelivery
U.S. declines to sign cybersecurity pact - On Monday the U.S. joined
Russia, North Korea and China in declining to sign a cybersecurity
pact supported by 50 countries and aimed at fighting both
cyberwarfare and cybercrime.
https://www.scmagazine.com/home/security-news/u-s-declines-to-sign-cybersecurity-pact/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Oracle's VirtualBox vulnerability leaked by disgruntled researcher
- An independent researcher who was disgruntled with traditional bug
bounty methods took it upon himself to leak the details of an
exploit in Oracle's VirtualBox without first informing Oracle.
https://www.scmagazine.com/home/security-news/oracles-virtualbox-vulnerability-leaked-by-disgruntled-researcher/
Leaky MongoDB server exposes personal info on 700K Amex India
customers - An unsecured MongoDB server has exposed personal data on
689,272 American Express India customers.
https://www.scmagazine.com/home/security-news/leaky-mongodb-server-exposes-personal-info-on-700k-amex-india-customers/
Huntsville Hospital in Alabama notifies job applicants of data
breach - Huntsville Hospital in Alabama is reporting the information
of job applicants who applied to the facility may be at risk after a
breach at a recruiting firm it uses.
https://www.scmagazine.com/home/security-news/huntsville-hospital-in-alabama-notifies-job-applicants-of-data-breach/
WooCommerce WordPress flaw allowed unique privilege escalation, 4M
users affected - A file deletion vulnerability in WordPress can be
used to exploit millions of WooCommerce shops.
https://www.scmagazine.com/home/security-news/woocommerce-wordpress-flaw-allowed-unique-privilege-escalation-4m-users-affected/
Nordstrom data breach exposes employee information - High-end
retailer Nordstrom is in the process of notifying its employees
their data may have been compromised in a breach.
https://www.scmagazine.com/home/security-news/nordstrom-data-breach-exposes-employee-information/
Google hit with IP hijack taking down several services - Google G
Suite yesterday had much of its traffic re-routed through Russia and
dropped at China Telecom, according to the network intelligence
company ThousandEyes.
https://www.scmagazine.com/home/security-news/google-hit-with-ip-hijack-attack-taking-down-several-services/
22,000 Kars4Kids donor data records exposed - Thousands of donors
who looked past the Kars4Kids ad jingle and donated anyway had their
information exposed when a misconfigured MongoDB made it publicly
accessible.
https://www.scmagazine.com/home/security-news/22000-kars4kids-donors-data-exposed/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides
a framework for establishing policy guidelines and identifying the
risk assessment tools and practices that may be appropriate for an
institution. Banks still should have a written information security
policy, sound security policy guidelines, and well-designed system
architecture, as well as provide for physical security, employee
education, and testing, as part of an effective program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
system.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through
an acceptable-use policy (AUP). Users who can access internal
systems typically are required to agree to an AUP before using a
system. An AUP details the permitted system uses and user activities
and the consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
- The specific access devices that can be used to access the network;
- Hardware and software changes the user can make to their access device;
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be used;
- Information that is allowable and not allowable for transmission using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or disrupt service;
- Responsibilities for secure operation; and
- Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
electronic.
Authorized users may seek to extend their activities beyond what
is allowed in the AUP, and unauthorized users may seek to gain
access to the system and move within the system. Network security
controls provide the protection necessary to guard against those
threats.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
18.1.4 Problem Analysis
Audit trails may also be used as on-line tools to help identify
problems other than intrusions as they occur. This is often referred
to as real-time auditing or monitoring. If a system or application
is deemed to be critical to an organization's business or mission,
real-time auditing may be implemented to monitor the status of these
processes (although, as noted above, there can be difficulties with
real-time analysis). An analysis of the audit trails may be able to
verify that the system operated normally (i.e., that an error may
have resulted from operator error, as opposed to a system-originated
error). Such use of audit trails may be complemented by system
performance logs. For example, a significant increase in the use of
system resources (e.g., disk file space or outgoing modem use) could
indicate a security problem.
18.2 Audit Trails and Logs
A system can maintain several different audit trails concurrently.
There are typically two kinds of audit records, (1) an
event-oriented log and (2) a record of every keystroke, often called
keystroke monitoring. Event-based logs usually contain records
describing system events, application events, or user events.
An audit trail should include sufficient information to establish
what events occurred and who (or what) caused them. In general, an
event record should specify when the event occurred, the user ID
associated with the event, the program or command used to initiate
the event, and the result. Date and time can help determine if the
user was a masquerader or the actual person specified.
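The two NIST points above, that an event record must establish when, who, what program and with what result (18.2), and that a jump in resource use in a performance log can itself be a security signal (18.1.4), are easy to turn into a review script. The following is an added example written for this newsletter, not code from the NIST Handbook or any vendor. The JSON-lines event records and the disk-usage samples are constructed for the example, and the field names (time, user, program, result) are an assumption rather than any product's schema. It flags records that cannot answer who/what/when/result, lists events time-stamped outside a working window for the masquerader question, and reports a disk-usage sample that grew more than a set percentage over the previous one.

```python
import json
from datetime import datetime, time

# The four things an event record must answer (NIST Handbook 18.2):
# when it happened, which user ID, which program/command, and the result.
REQUIRED_FIELDS = ("time", "user", "program", "result")

# Constructed sample event log in JSON-lines form. The field names are an
# assumption for this example, not any real product's schema. Record 3
# (0-based) deliberately lacks a timestamp.
SAMPLE_EVENTS = """\
{"time": "2018-11-14T09:02:11Z", "user": "jsmith", "program": "/usr/bin/sudo", "result": "success"}
{"time": "2018-11-14T09:05:40Z", "user": "jsmith", "program": "/usr/bin/passwd", "result": "failure"}
{"time": "2018-11-15T03:17:02Z", "user": "jsmith", "program": "/usr/bin/scp", "result": "success"}
{"user": "svc_backup", "program": "/usr/local/bin/backup.sh", "result": "success"}
{"time": "2018-11-15T03:20:55Z", "user": "jsmith", "program": "/usr/bin/scp", "result": "success"}
"""

# Constructed performance-log samples: (timestamp, disk space used in GB).
SAMPLE_DISK = [
    ("2018-11-14T00:00:00Z", 120.0), ("2018-11-14T06:00:00Z", 121.5),
    ("2018-11-14T12:00:00Z", 122.0), ("2018-11-14T18:00:00Z", 123.1),
    ("2018-11-15T00:00:00Z", 124.0), ("2018-11-15T06:00:00Z", 190.4),
]


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def incomplete_records(events):
    """Return (index, missing_fields) for every record that cannot establish
    who/what/when/result. Such records are weak evidence: a missing
    timestamp, for instance, defeats the off-hours check below."""
    findings = []
    for i, ev in enumerate(events):
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            findings.append((i, missing))
    return findings


def off_hours_events(events, start=time(7, 0), end=time(19, 0)):
    """Return events time-stamped outside the working window. 18.2 notes that
    date and time help decide whether the actor was the named user or a
    masquerader; activity at 03:00 under a day-shift user ID is worth a look."""
    flagged = []
    for ev in events:
        if "time" not in ev:
            continue  # cannot place the event in time; reported by incomplete_records
        t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").time()
        if not (start <= t <= end):
            flagged.append(ev)
    return flagged


def resource_spikes(samples, max_growth_pct=10.0):
    """Return (timestamp, previous, current) for every sample whose growth over
    the preceding sample exceeds max_growth_pct. 18.1.4 gives a sudden jump in
    disk use as an example of a performance-log signal of a security problem."""
    spikes = []
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        if prev > 0 and (cur - prev) / prev * 100.0 > max_growth_pct:
            spikes.append((ts, prev, cur))
    return spikes


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for idx, missing in incomplete_records(events):
        print(f"record {idx}: missing {', '.join(missing)}")
    for ev in off_hours_events(events):
        print(f"off-hours: {ev['time']} {ev['user']} {ev['program']}")
    for ts, prev, cur in resource_spikes(SAMPLE_DISK):
        print(f"disk spike at {ts}: {prev} GB -> {cur} GB")
```

On the constructed input the script reports the backup record with no timestamp, the two 03:00 scp transfers under jsmith's ID, and the jump from 124 GB to 190.4 GB between samples. The thresholds (working window, growth percentage) are deliberately parameters: an examiner would expect them to be set from the institution's own baseline, not hard-coded.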