FYI
- New online challenge will test teenagers’ cyber security skills -
The search is now on to inspire the UK’s next generation of cyber
security specialists as the Government’s extracurricular training
programme Cyber Discovery opens its doors.
https://www.gov.uk/government/news/new-online-challenge-will-test-teenagers-cyber-security-skills
Bank consortium founds company to vet third-party vendors - Whenever
a company announces that a data breach has taken place, it is very
common to hear that an error by a third-party vendor was behind the
disaster.
https://www.scmagazine.com/bank-consortium-founds-company-to-vet-third-party-vendors/article/708011/
Terdot banking trojan targets social media and email in addition to
financial services - Saying that Terdot malware is a banking trojan
is kind of like saying your computer is a giant calculator. Yes,
that's essentially what it is, but it's also a whole lot more.
https://www.scmagazine.com/terdot-banking-trojan-targets-social-media-and-email-in-addition-to-financial-services/article/708114/
Organizations suffer critical and costly IT incidents five times a
month - On average, organizations experience a critical IT incident
five times per month, with each one costing a mean of $141,628,
according to a new report.
https://www.scmagazine.com/study-organizations-suffer-critical-and-costly-it-incidents-five-times-a-month/article/707517/
Manhattan DA speaks on burden of hiring hackers to beat smartphone
encryption - Manhattan District Attorney Cy Vance, Jr. touted his
agency's use of mercenary hackers to crack phone encryption while
criticizing the lack of federal legislation to force tech giants to
make exceptions in smartphone encryption for when judicial warrants
are issued.
https://www.scmagazine.com/cy-vance-speaks-on-burdens-of-tech-firm-smartphone-encryption/article/708308/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Tennessee city still not recovered from ransomware attack - The
City of Spring Hill, Tenn. is still suffering from the effects of a
ransomware attack that struck the municipality in early November;
government officials refused to pay the $250,000 ransom demanded by
the cybercriminals.
https://www.scmagazine.com/tennessee-city-still-not-recovered-from-ransomware-attack/article/707847/
Forever 21 reports data breach, failed to turn on POS encryption -
The clothing retailer Forever 21 reported yesterday that its payment
card system was accessed without authorization at a time when the
encryption installed on some of those systems was not operational.
https://www.scmagazine.com/forever-21-reports-data-breach-failed-to-turn-on-pos-encryption/article/707520/
Cash Converters hit by security breach - Pawnbroker chain Cash
Converters is investigating a data security breach at its UK
operations after receiving email threats that the data would be
released.
https://www.scmagazine.com/cash-convertors-hit-by-security-breach/article/708122/
Misconfigured Amazon S3 bucket leaks Australian Broadcasting
Corporation data - As misconfigured Amazon S3 buckets continue to
leak sensitive data, the Australian Broadcasting Corporation (ABC)
is the latest example of administrators not properly securing their
cloud storage.
https://www.scmagazine.com/australian-broadcast-corporation-data-leaked-from-misconfigured-aws-s3-server/article/708646/
Montgomery County (Ill.) government offices taken offline by malware
- The Montgomery County Emergency Management Agency reported that
much of the county's computer system went down last week due to what
it is calling a malware incident.
https://www.scmagazine.com/montgomery-county-ill-government-offices-taken-offline-by-malware/article/708468/
Uber hid massive hack compromising data of 57M for a year - For more
than a year, even as it negotiated with regulators in the U.S. over
privacy infractions, Uber hid a massive hack that resulted in
cyberthieves pilfering the personal information of 57 million
customers and drivers and prompted the company to fire two
executives.
https://www.scmagazine.com/uber-hid-massive-hack-compromising-data-of-57m-for-a-year/article/709144/
Cyberthieves swipe $31 million in tokens from Tether -
Cybercriminals on Sunday stole nearly $31 million in USDT
cryptocurrency from Tether, prompting the stablecoin issuer to
suspend its back-end wallet service and apparently causing
cryptocurrency trading values to fall.
https://www.scmagazine.com/cyberthieves-swipe-31-million-in-tokens-from-tether/article/709020/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the service provider's standards, policies
and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
background checks.
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing. (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
Financial Condition
• Analyze the service provider's most recent audited financial
statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
if available.
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
technology?
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Risk Mitigation
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
implementation include:
1) Establishing a minimum set of security requirements for
wireless networks and applications;
2) Adopting proven security policies and procedures to address
the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end
encryption of information as it passes throughout the wireless
network;
4) Adopting authentication protocols for customers using wireless
applications that are separate and distinct from those provided by
the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit
capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
7) Performing independent security testing of wireless network
and application implementations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.6.3 Identify Target Audiences
Not everyone needs the same degree or type of computer security
information to do their jobs. A CSAT program that distinguishes
between groups of people, presents only the information needed by
the particular audience, and omits irrelevant information will have
the best results. Segmenting audiences (e.g., by their function or
familiarity with the system) can also improve the effectiveness of a
CSAT program. For larger organizations, some individuals will fit
into more than one group. For smaller organizations, segmenting may
not be needed. The following methods are some examples of ways to do
this.
Segment according to level of awareness. Individuals may be
separated into groups according to their current level of awareness.
This may require research to determine how well employees follow
computer security procedures or understand how computer security
fits into their jobs.
Segment according to general job task or function. Individuals may
be grouped as data providers, data processors, or data users.
Segment according to specific job category. Many
organizations assign individuals to job categories. Since each job
category generally has different job responsibilities, training for
each will be different. Examples of job categories could be general
management, technology management, applications development, or
security.
Segment according to level of computer knowledge. Computer
experts may be expected to find a program containing highly
technical information more valuable than one covering the management
issues in computer security. Similarly, a computer novice would
benefit more from a training program that presents introductory
fundamentals.
Segment according to types of technology or systems used.
Security techniques used for each off-the-shelf product or
application system will usually vary. The users of major
applications will normally require training specific to that
application.