R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

December 13, 2015

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Thousands of devices left in UK bars each year - Each year in the UK, over 100,000 mobile devices and laptops are left in bars with almost two-thirds (64 percent) of them not having any security installed. http://www.scmagazine.com/thousands-of-devices-left-in-uk-bars-each-year/article/458283/

FYI - DHS Giving Firms Free Penetration Tests - The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime). http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/

FYI - Kazakhstan will force its citizens to install internet backdoors - The poorly thought-out and crude surveillance technique could have a devastating effect on the country's internet security. In less than a month, Kazakhstan will begin enforcing a new law that requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance. http://www.zdnet.com/article/kazakhstan-forces-its-citizens-into-installing-internet-backdoors/

FYI - Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom - A hacker who broke into a large bank in the United Arab Emirates made good on his threat to release customer data after the bank refused to pay a bitcoin ransom worth about $3 million. http://www.wired.com/2015/12/hacker-leaks-customer-data-after-a-united-arab-emirates-bank-fails-to-pay-ransom/

FYI - GCHQ admits to hacking in court, says hacking helps stop terror attacks - In a court case brought forward by Privacy International and seven ISPs, GCHQ has admitted for the first time that it has hacked computers, smartphones, and networks in the UK and abroad. http://www.scmagazine.com/gchq-admits-to-hacking-in-court-says-hacking-helps-stop-terror-attacks/article/457795/

FYI - New Hampshire company hacks smaller competitor for customer list - A linen services company in New Hampshire pleaded guilty to hacking into the computer server of a similarly named, but smaller competitor. http://www.scmagazine.com/new-hampshire-company-hacks-smaller-competitor-for-customer-list/article/457932/

FYI - Cash machines in malware risk as embedded Windows XP reaches end of life - Tens of thousands of cash machines could become vulnerable to malware and DDoS attacks next month when support for the embedded version of Windows XP comes to an end. http://www.scmagazine.com/cash-machines-in-malware-risk-as-embedded-windows-xp-reaches-end-of-life/article/458104/

FYI - Former agent sentenced to 71 months for stealing in Silk Road probe - A former Secret Service agent who pleaded guilty to stealing $820,000 worth of Bitcoin during the Silk Road investigation, was sentenced in federal court to 71 months in prison. http://www.scmagazine.com/former-agent-sentenced-to-71-months-for-stealing-in-silk-road-probe/article/458582/

FYI - NIST opens comment period on Framework for Improving Critical Infrastructure Cybersecurity - The National Institute of Standards and Technology (NIST) will begin accepting comments and feedback starting on December 11 on its voluntary “Framework for Improving Critical Infrastructure Cybersecurity.” http://www.scmagazine.com/nist-opens-comment-period-on-framework-for-improving-critical-infrastructure-cybersecurity/article/459143/

FYI - FTC, Wyndham settle suit over trio of breaches - Less than a month after an administrative judge ruled against the Federal Trade Commission (FTC) in a case against LabMD, the commission reached a settlement with Wyndham Worldwide that had challenged its authority to pursue enforcement action against companies regarding security. http://www.scmagazine.com/ftc-settlement-with-wyndham-enumerates-security-requirements/article/459003/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Correction: 220,000 kids weren't exposed in VTech mega hack – it's actually 6.4 million - Toymaker VTech has admitted that millions of kiddies' online profiles were left exposed to hackers – much higher than the 220,000 first feared. http://www.theregister.co.uk/2015/12/02/vtech_breach_breakdown/

FYI - Nearly 657K affected in JD Wetherspoon breach - The personal information of nearly 657,000 customers was compromised in a breach of British pub chain operator JD Wetherspoon. http://www.scmagazine.com/nearly-657k-customers-were-impacted-in-the-breach-of-the-british-pub-chain-operator-jd-wetherspoon/article/457805/

FYI - Anonymous hacks UN climate conference officials - Anonymous has hacked and released the private details of nearly 1,500 UN officials in retaliation against last week's arrest of protestors at a climate march in Paris. http://www.scmagazine.com/anonymous-hacks-un-climate-conference-officials/article/458102/

FYI - 29 locations affected in Elephant Bar POS breach - CM Ebar, LLC, the owner of Elephant Bar restaurants, announced a point-of-sale (POS) breach may have affected the information of customers at 29 locations in California, Colorado, Arizona, Missouri, Nevada, New Mexico, and Florida. http://www.scmagazine.com/elephant-bar-announced-a-point-of-sale-breach-that-affected-29-locations-in-seven-states/article/458707/

FYI - USB ports pose hidden risk for medical facilities - When visiting a medical facility, it can be tempting to charge a mobile device into a spare USB port, but the free charge may contain an unpleasant after-effect. http://www.scmagazine.com/usb-ports-pose-hidden-risk-for-medical-facilities/article/458298/


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
(Part 9 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

Customer Service Complaints

Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan also should address how the financial institution will address complaints regarding any failures of linked third parties to provide agreed upon products or services.

Monitoring Weblinking Relationships

The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements.  Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.
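As an added illustration of the monitoring described above (not part of the FFIEC statement or of this newsletter), the check below compares each fetch of a published weblink against a recorded baseline: it flags links that no longer function, redirects that leave the host named in the agreement, landing-page content that changed since the last review, and reviews that are overdue for the link's risk tier. The host names, review intervals and sample observations are all constructed for the example; the fetch itself is left out.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit
# Days between reviews per risk tier (assumed values; the statement sets no numbers).
REVIEW_INTERVAL_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class Weblink:
    url: str              # link as published on the institution's site
    agreed_host: str      # third-party host named in the weblinking agreement
    risk: str             # "high" | "medium" | "low"
    baseline_sha256: str  # fingerprint of the landing page at last review
    last_review: date
@dataclass
class Observation:        # what fetching the link returned (fetch code omitted)
    status: int
    final_url: str        # URL after following redirects
    body: bytes

def fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def check_link(link: Weblink, obs: Observation, today: date) -> list:
    """Return findings for one weblink; an empty list means nothing to escalate."""
    findings = []
    if obs.status != 200:
        findings.append(f"link not functioning (HTTP {obs.status})")
    host = urlsplit(obs.final_url).hostname or ""
    if host != link.agreed_host and not host.endswith("." + link.agreed_host):
        findings.append(f"redirects off agreed host to {host}")
    if fingerprint(obs.body) != link.baseline_sha256:
        findings.append("landing page content changed since last review")
    if (today - link.last_review).days > REVIEW_INTERVAL_DAYS[link.risk]:
        findings.append("periodic review overdue")
    return findings

# Constructed sample data standing in for live fetches of the two links.
LINKS = [
    Weblink("https://bank.example/partners/insurance", "partner.example", "high",
            fingerprint(b"<title>Partner Insurance</title>"), date(2015, 11, 1)),
    Weblink("https://bank.example/partners/calc", "calc.example", "low",
            fingerprint(b"calculator v1"), date(2015, 11, 20)),
]
OBSERVED = {
    LINKS[0].url: Observation(200, "https://promo.other.example/landing", b"<title>Promo</title>"),
    LINKS[1].url: Observation(200, "https://www.calc.example/", b"calculator v1"),
}
def run_review(links, observed, today):
    return {link.url: check_link(link, observed[link.url], today) for link in links}
```

Run with the newsletter date, the insurance link produces three findings to escalate while the calculator link produces none.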



FFIEC IT SECURITY -
This completes our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks.  This week we review Information Sharing.

Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.

The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com or their Web site at http://www.fsisac.com.

The FBI operates the National Information Protection Center Infraguard outreach effort. Since Infraguard supports law enforcement efforts, Infraguard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information, and is distributed to other Infraguard members. Banks can contact the FBI by contacting local FBI field offices or via e-mail at nipc@fbi.gov.

CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or e-mail at cert@cert.org.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 4.1 Errors and Omissions

Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.

Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Errors can occur during all phases of the systems life cycle. A long-term survey of computer-related economic losses conducted by Robert Courtney, a computer security consultant and former member of the Computer System Security and Privacy Advisory Board, found that 65 percent of losses to organizations were the result of errors and omissions. This figure was relatively consistent between both private and public sector organizations.

Programming and development errors, often called "bugs," can range in severity from benign to catastrophic. In a 1989 study for the House Committee on Science, Space and Technology, entitled Bugs in the Program, the staff of the Subcommittee on Investigations and Oversight summarized the scope and severity of this problem in terms of government systems as follows:

a) As expenditures grow, so do concerns about the reliability, cost and accuracy of ever-larger and more complex software systems. These concerns are heightened as computers perform more critical tasks, where mistakes can cause financial turmoil, accidents, or in extreme cases, death.

Since the study's publication, the software industry has changed considerably, with measurable improvements in software quality. Yet software "horror stories" still abound, and the basic principles and problems analyzed in the report remain the same. While there have been great improvements in program quality, as reflected in decreasing errors per 1,000 lines of code, the concurrent growth in program size often seriously diminishes the beneficial effects of these program quality enhancements.

Installation and maintenance errors are another source of security problems. For example, an audit by the President's Council for Integrity and Efficiency (PCIE) in 1988 found that every one of the ten mainframe computer sites studied had installation and maintenance errors that introduced significant security vulnerabilities.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
