FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- Study finds medical device security pros may have false sense of
security - A recent study surveying healthcare IT professionals
found while the majority of them are very confident their connected
devices are protected from cyberattacks, there may be some
disconnects between the perceived level of security and how secure
medical devices are.
https://www.scmagazine.com/home/security-news/study-finds-medical-device-security-pros-may-have-false-sense-of-security/
DOD disables file sharing service due to 'security risks' - The AMRDEC
SAFE portal had been used to handle the transfer of classified and
non-classified materials. The US Department of Defense has disabled
access this month to a file sharing service used by its army
aviation and missile research centers, citing security issues.
https://www.zdnet.com/article/dod-disables-file-sharing-service-due-to-security-risks/
DEA and ICE using surveillance cameras hidden in streetlights - In a
move that could stir up visions of an Orwellian-style government
surveillance state, recently published government procurement data
revealed the US Drug Enforcement Administration (DEA) and
Immigration and Customs Enforcement (ICE) have purchased an
undisclosed number of covert surveillance cameras hidden inside
streetlights to place around the country.
https://www.scmagazine.com/home/security-news/dea-and-ice-using-surveillance-cameras-hidden-in-streetlights/
Britain may not be able to fend off a determined cyber-attack, MPs
warn - Britain's critical national infrastructure is vulnerable to
hackers and neither UK.gov nor privatised operators are doing enough
to tighten things up, a Parliamentary committee has warned.
https://www.theregister.co.uk/2018/11/19/uk_cni_report_parliament/
GSA proposes new cybersecurity reporting rules for contractors - The
General Services Administration is proposing new rules shaping how
contractors protect government information on the IT systems they
manage.
https://www.fedscoop.com/gsa-proposes-2-new-cybersecurity-reporting-rules-contractors/
How the U.S. might respond if China launched a full-scale
cyberattack - The U.S. financial and energy sectors are no strangers
to foreign government hackers, from Iranian denial-of-service
attacks on American banks to Russian reconnaissance of industrial
control systems. Less-familiar territory, however, is how companies
would work with the U.S. government to respond to a cross-sector
cyberattack during a geopolitical crisis.
https://www.cyberscoop.com/u-s-respond-china-launched-full-scale-cyber-attack/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Instagram flaw exposes user passwords - A security flaw in
Instagram’s recently released “Download Your Data” tool could have
exposed some user passwords, the company reportedly told users.
https://www.scmagazine.com/home/security-news/instagram-flaw-exposes-user-passwords/
Amarillo City workers PII compromised - The employees of the city of
Amarillo, Texas, had their personal information compromised when an
outside contractor conducting an audit lost a USB drive containing
their data.
https://www.scmagazine.com/home/security-news/amarillo-city-workers-pii-compromised/
Vision Direct breach exposes customers’ personal, financial data -
Personal and financial data entered by customers who ordered or
updated information on the VisionDirect.co.uk website was
compromised and stolen between November 3 and November 8, the
London-based company warned in an updated online alert.
https://www.scmagazine.com/home/security-news/vision-direct-breach-exposes-customers-personal-financial-data/
Make-A-Wish website compromised for cryptomining campaign - Not even
the Make-A-Wish Foundation is off limits for some unscrupulous
cybercriminals, as evidenced by a cryptojacking operation that
compromised the charitable organization’s international website.
https://www.scmagazine.com/home/security-news/make-a-wish-website-compromised-for-cryptomining-campaign/
ETSU breached after phishing scam - Two employees at East Tennessee
State University fell for an email phishing scam and paved the way
for a breach at the school.
https://www.scmagazine.com/home/security-news/etsu-breached-after-phishing-scam/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
When assessing information security products, management should be
aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and
determining the effectiveness of current information security
programs. For example, a vulnerability might involve critical
systems that are not reasonably isolated from the Internet and
external access via modem. Having up-to-date inventory listings of
hardware and software, as well as system topologies, is important in
this process.
2) Assessing the importance and sensitivity of information and the
likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with
business partners. The other entity may have poor access controls
that could potentially lead to an indirect compromise of the bank's
system. Another example involves vendors that may be allowed to
access the bank's system without proper security safeguards, such as
firewalls. This could result in open access to critical information
that the vendor may have "no need to know."
4) Determining legal implications and contingent liability
concerns associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include
1) Selecting authentication mechanisms based on the risk
associated with the particular application or services;
2) Considering whether multi-factor authentication is
appropriate for each application, taking into account that
multi-factor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi - factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
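The two-factor check described above, worked through in code. This is an added example, not text or code from the FFIEC booklet: it combines something the user knows (a password, kept as a salted PBKDF2 hash so the verifier never stores the secret itself) with something the user has (a time-based one-time code per RFC 6238 derived from a seed the user's token holds). The PBKDF2 iteration count, the 30-second step, the one-step clock tolerance, and the RFC 4226 test seed are assumptions made for the example; the TOTP seed is itself an authenticator and in a real deployment would be stored encrypted rather than held in a plain dictionary as here.

```python
"""Two-factor login check: salted password hash plus a time-based one-time code.

Added example, not from the FFIEC Information Security Booklet. Parameter
choices (PBKDF2 iterations, TOTP step, skew window) are assumptions.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1               # accept one step of clock skew on either side


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation; the clear password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(now // step))


def register_user(password: str, totp_seed: bytes) -> dict:
    """Enrol a user: fresh random salt, hashed password, and the token seed."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_seed": totp_seed}


def verify_login(record: dict, password: str, code: str, now: float = None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one failed."""
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(record["pw_hash"], hash_password(password, record["salt"]))
    counter = int(now // TOTP_STEP)
    code_ok = False
    for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1):
        expected = hotp(record["totp_seed"], c).encode("ascii")
        if hmac.compare_digest(expected, code.encode("utf-8")):
            code_ok = True
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the seed is the RFC 4226 test secret, not a real token.
    seed = b"12345678901234567890"
    rec = register_user("correct horse battery", seed)
    print("login with password + current code:",
          verify_login(rec, "correct horse battery", totp(seed, time.time())))
    print("login with password only (empty code):",
          verify_login(rec, "correct horse battery", ""))
```

In production a verifier would also record the last accepted counter per user so that a code cannot be replayed within its window, and would rate-limit failed attempts; both are left out here to keep the two factors themselves in view.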
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
18.2.1 Keystroke Monitoring
Keystroke monitoring is the process used to view or record both the
keystrokes entered by a computer user and the computer's response
during an interactive session. Keystroke monitoring is usually
considered a special case of audit trails. Examples of keystroke
monitoring would include viewing characters as they are typed by
users, reading users' electronic mail, and viewing other recorded
information typed by users.
Some forms of routine system maintenance may record user
keystrokes. This could constitute keystroke monitoring if the
keystrokes are preserved along with the user identification so that
an administrator could determine the keystrokes entered by specific
users. Keystroke monitoring is conducted in an effort to protect
systems and data from intruders who access the systems without
authority or in excess of their assigned authority. Monitoring
keystrokes typed by intruders can help administrators assess and
repair damage caused by intruders.
18.2.2 Audit Events
System audit records are generally used to monitor
and fine-tune system performance. Application audit trails
may be used to discern flaws in applications, or violations of
security policy committed within an application. User audit
records are generally used to hold individuals accountable for
their actions. An analysis of user audit records may expose a
variety of security violations, which might range from simple
browsing to attempts to plant Trojan horses or gain unauthorized
privileges.
The system itself enforces certain aspects of policy (particularly
system-specific policy) such as access to files and access to
the system itself. Monitoring the alteration of systems
configuration files that implement the policy is important. If
special accesses (e.g., security administrator access) have to be
used to alter configuration files, the system should generate audit
records whenever these accesses are used.
Sometimes a finer level of detail than system audit trails is
required. Application audit trails can provide this greater
level of recorded detail. If an application is critical, it can be
desirable to record not only who invoked the application, but
certain details specific to each use. For example, consider an
e-mail application. It may be desirable to record who sent mail, as
well as to whom they sent mail and the length of messages. Another
example would be that of a database application. It may be useful to
record who accessed what database as well as the individual rows or
columns of a table that were read (or changed or deleted), instead
of just recording the execution of the database program.
A user audit trail monitors and logs user activity in a
system or application by recording events initiated by the user
(e.g., access of a file, record or field, use of a modem).
Flexibility is a critical feature of audit trails. Ideally (from a
security point of view), a system administrator would have the
ability to monitor all system and user activity, but could choose to
log only certain functions at the system level, and within certain
applications. The decision of how much to log and how much to review
should be a function of application/data sensitivity and should be
decided by each functional manager/application owner with guidance
from the system administrator and the computer security
manager/officer, weighing the costs and benefits of the logging.
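The audit-event and application-audit-trail passages above, worked through in code. This is an added example, not text or code from the NIST Handbook: it writes application audit records that name the user, the action, the object and (for database access) the individual rows touched, and then runs two of the reviews the Handbook describes over a trail: listing every alteration of a configuration file made through special access, and summing row reads per user so that simple browsing stands out. The record schema, the role names, the "config:" object prefix, the browsing threshold and the sample events are all constructed for the example.

```python
"""Application audit trail records and two review checks over them.

Added example; not from the NIST Handbook. The JSON Lines schema
(ts, user, role, app, action, object, rows) and the sample trail are constructed.
"""
import json
from collections import defaultdict

REQUIRED_FIELDS = {"ts", "user", "role", "app", "action", "object"}
SPECIAL_ROLES = {"secadmin"}      # assumption: roles that count as "special access"
CONFIG_PREFIX = "config:"         # assumption: how configuration objects are named

# Constructed sample trail. Database reads list the rows touched, so the
# record shows more than "the database program was executed".
SAMPLE_TRAIL = "\n".join(json.dumps(e, sort_keys=True) for e in [
    {"ts": "2018-11-19T08:00:01Z", "user": "jsmith", "role": "teller",
     "app": "ledger", "action": "read", "object": "accounts", "rows": [1001, 1002]},
    {"ts": "2018-11-19T08:02:10Z", "user": "jsmith", "role": "teller",
     "app": "ledger", "action": "read", "object": "accounts", "rows": [1003, 1004, 1005]},
    {"ts": "2018-11-19T08:05:44Z", "user": "mlee", "role": "teller",
     "app": "ledger", "action": "read", "object": "accounts", "rows": list(range(2000, 2040))},
    {"ts": "2018-11-19T09:15:00Z", "user": "adm01", "role": "secadmin",
     "app": "os", "action": "modify", "object": "config:/etc/pam.d/login"},
    {"ts": "2018-11-19T09:20:31Z", "user": "jsmith", "role": "teller",
     "app": "os", "action": "modify", "object": "config:/etc/hosts.allow"},
])


def record_event(trail: list, **fields) -> str:
    """Append one event as a JSON line; an incomplete record is refused, not logged."""
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"audit record missing fields: {sorted(missing)}")
    line = json.dumps(fields, sort_keys=True)
    trail.append(line)
    return line


def parse_trail(text: str) -> list:
    """Parse JSON Lines. A malformed line is an error: a reviewer must not silently lose events."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"malformed audit record at line {lineno}") from exc
        missing = REQUIRED_FIELDS - rec.keys()
        if missing:
            raise ValueError(f"line {lineno} missing fields: {sorted(missing)}")
        events.append(rec)
    return events


def review_config_changes(events: list) -> dict:
    """Split configuration-file alterations into those made through a special
    role (expected, but each one is reviewed) and those made by an ordinary
    role (which should not be possible and points to a failed access control)."""
    via_special, unexpected = [], []
    for e in events:
        if e["action"] in ("modify", "delete") and e["object"].startswith(CONFIG_PREFIX):
            (via_special if e["role"] in SPECIAL_ROLES else unexpected).append(e)
    return {"via_special_access": via_special, "unexpected": unexpected}


def rows_read_per_user(events: list, app: str) -> dict:
    """Total rows read per user within one application."""
    totals = defaultdict(int)
    for e in events:
        if e["app"] == app and e["action"] == "read":
            totals[e["user"]] += len(e.get("rows", []))
    return dict(totals)


def flag_browsing(events: list, app: str, threshold: int) -> list:
    """Users whose row reads exceed the threshold the application owner set."""
    return sorted(u for u, n in rows_read_per_user(events, app).items() if n > threshold)


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    changes = review_config_changes(evs)
    print("config changes via special access:", [e["user"] for e in changes["via_special_access"]])
    print("config changes by ordinary roles:", [e["user"] for e in changes["unexpected"]])
    print("rows read per user in ledger:", rows_read_per_user(evs, "ledger"))
    print("possible browsing (threshold 20):", flag_browsing(evs, "ledger", 20))
```

The threshold passed to flag_browsing is the kind of per-application setting the Handbook leaves to the functional manager or application owner; the review functions stay the same whatever level of detail a given application is configured to log.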