FYI
-
OCC Official Testifies on Cybersecurity - The Office of the
Comptroller of the Currency’s Senior Critical Infrastructure Officer
Valerie Abend today discussed regulatory efforts to address cyber
threats and vulnerabilities and coordinate information sharing for
the benefit of the banking industry, regulatory community, and the
financial system during testimony before the U.S. Senate Committee
on Banking, Housing, and Urban Affairs.
www.occ.gov/news-issuances/congressional-testimony/2014/pub-test-2014-165-oral.pdf
www.occ.gov/news-issuances/congressional-testimony/2014/pub-test-2014-165-written.pdf
FYI
- Judge rules that banks can sue Target for 2013 credit card hack -
On Tuesday, a District Court judge in Minnesota ruled [PDF] that a
group of banks can proceed to sue Target for negligence in the
December 2013 breach that resulted in the theft of 40 million
consumer credit card numbers as well as personal information on 70
million customers.
http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/
FYI
-
TD Bank agrees to $625K breach settlement in Mass. - TD Bank has
agreed to pay a $625,000 settlement in the aftermath of a March 2012
data breach that occurred when two unencrypted backup tapes went
missing during a courier run between its offices in Haverhill and
Springfield, Mass.
http://www.scmagazine.com/td-bank-will-pay-in-breach-that-affected-90k-mass-residents/article/387234/
FYI
-
58 percent of businesses do not have complete patch management
strategy - Although major vulnerabilities, such as Heartbleed and
ShellShock, were discovered this year, and data breaches dominated
headlines, IT security professionals are continuing to delay the
creation of thorough security plans and patching schedules, a new
study found.
http://www.scmagazine.com/trustwave-releases-state-of-risk-report/article/386981/
FYI
-
A look back at the ever-changing information security industry -
Twenty-five years is a long time by any standard. But in the
Internet Age, it's literally an eternity.
http://www.scmagazine.com/an-epic-ride-a-look-back-at-the-ever-changing-information-security-industry/article/385052/
FYI
-
Former Apple exec receives one year in prison, $4.5M fine, for
leaking information - A former executive at Apple was sentenced on
Friday to one year in prison for leaking company secrets and
receiving monetary compensation from vendors and suppliers.
http://www.scmagazine.com/former-apple-exec-gets-prison-time-for-leaking-documents/article/387174/
FYI
-
German court blocks extradition of top hacker - A top German court
has blocked the extradition of a Turkish man accused of stealing
close to $60 million in cyber attacks against credit card companies.
http://www.scmagazine.com/ercan-findikoglu-extradition-blocked-in-germany/article/386986/
FYI
-
Sony Got Hacked Hard: What We Know and Don’t Know So Far - Who knew
that Sony’s top brass, a line-up of mostly white male executives,
earn $1 million and more a year? Or that the company spent half a
million this year in severance costs to terminate employees?
http://www.wired.com/2014/12/sony-hack-what-we-know/
http://www.pcmag.com/article2/0,2817,2472989,00.asp
FYI
-
Tor a Big Source of Bank Fraud - A new report from the U.S. Treasury
Department found that a majority of bank account takeovers by
cyberthieves over the past decade might have been thwarted had
affected institutions known to look for and block transactions
coming through Tor, a global communications network that helps users
maintain anonymity by obfuscating their true location online.
http://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
-
Iranian hackers have broken into the networks of 50 governments and
critical infrastructure firms in 16 nations in the latest major
threat to come to light. A report from security company Cylance
details evidence that hackers from Iran have been hitting targets in
countries including the UK, the US, Canada, Germany and South Korea
from as far back as 2010.
http://www.v3.co.uk/v3-uk/news/2384729/iranian-operation-cleaver-hackers-hit-50-organisations-in-16-countries
FYI
-
Bebe confirms breach, says data exposed - Bebe has confirmed a data
breach that exposed customer payment card information and eventually
led to fraudulent activity on compromised accounts recently detected
by financial institutions.
http://www.scmagazine.com/bebe-confirms-breach-says-data-exposed/article/386855/
FYI
-
Hacker collective targets PlayStation Network, causes service outage
- The same hacker collective that launched a distributed
denial-of-service (DDoS) attack on the Xbox Live service took down
another gaming network it had previously targeted.
http://www.scmagazine.com/hacker-collective-targets-playstation-network-causes-service-outage/article/387319/
St. Louis Parking Company says customer card info breached -
Customers' credit and debit card information was compromised in a
data breach at a St. Louis parking lot.
http://www.scmagazine.com/union-station-parking-lot-has-card-data-compromised/article/387961/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Sound Practices for Managing Outsourced E-Banking Systems
and Services
(Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating
decisions to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic purposes,
benefits and costs associated with entering into outsourcing
arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
intervals thereafter.
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the bank
should conduct an appropriate due diligence review, including a risk
analysis of the service provider's financial strength, reputation,
risk management policies and controls, and ability to fulfill its
obligations.
c) Thereafter, banks should regularly monitor and, as appropriate,
conduct due diligence reviews of the ability of the service provider
to fulfill its service and associated risk management obligations
throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy should be in place for the bank to
manage risks should it need to terminate the outsourcing relationship.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature-based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
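As an added illustration of the URL-signature form described above (example code written for this newsletter entry, not part of the FFIEC booklet), the following runs two signatures over a handful of constructed web-server log lines and shows how two assumed tuning knobs, an allowlist of known-legitimate paths and a per-client hit threshold, cut the alert volume that an untuned signature set produces. The log format, the signature names and the `detect`/`parse` helpers are all assumptions made here.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the newsletter), one request
# per line: "<client_ip> <method> <path> <status> <bytes>"
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200 1240
10.0.0.9 GET /scripts/cmd.exe?/c+dir 404 312
10.0.0.5 GET /images/logo.png 200 8800
10.0.0.7 GET /kb/cmd.exe-replacement-faq.html 200 5100
10.0.0.9 GET /cgi-bin/cmd.exe?/c+type 404 312
10.0.0.9 GET /msadc/root.exe?/c+dir 404 305
10.0.0.5 GET /about.html 200 900
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# URL signatures in the booklet's sense: a reference such as cmd.exe in the
# requested path is treated as an indicator of attack.
URL_SIGNATURES = {
    "cmd.exe reference": re.compile(r"cmd\.exe", re.IGNORECASE),
    "root.exe reference": re.compile(r"root\.exe", re.IGNORECASE),
}

def parse(log_text):
    """Yield (ip, method, path, status, size) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            yield ip, method, path, int(status), int(size)

def detect(log_text, allowlist=frozenset(), min_hits=1):
    """Return alerts as (client_ip, signature_name, path).
    Tuning knobs (assumed, not from the booklet): `allowlist` suppresses exact
    paths known to be legitimate on this site; `min_hits` reports a client only
    once it has tripped signatures that many times, cutting one-off noise."""
    hits = []
    per_client = Counter()
    for ip, _method, path, _status, _size in parse(log_text):
        if path in allowlist:
            continue
        for name, pattern in URL_SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name, path))
                per_client[ip] += 1
    return [h for h in hits if per_client[h[0]] >= min_hits]

if __name__ == "__main__":
    print(len(detect(SAMPLE_LOG)), "untuned alerts vs",
          len(detect(SAMPLE_LOG, {"/kb/cmd.exe-replacement-faq.html"}, 2)), "tuned")
```

On the sample, the untuned run raises four alerts (one of them the benign FAQ page), while the tuned run keeps only the three from the single client that repeatedly probed for cmd.exe and root.exe.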
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter its network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.5 Cost
Considerations
Audit trails involve many costs. First, some system overhead is
incurred recording the audit trail. Additional system overhead will
be incurred storing and processing the records. The more detailed
the records, the more overhead is required. Another cost involves
human and machine time required to do the analysis. This can be
minimized by using tools to perform most of the analysis. Many
simple analyzers can be constructed quickly (and cheaply) from
system utilities, but they are limited to audit reduction and
identifying particularly sensitive events. More complex tools that
identify trends or sequences of events are slowly becoming available
as off-the-shelf software. (If complex tools are not available for a
system, development may be prohibitively expensive. Some intrusion
detection systems, for example, have taken years to develop.)
The final cost of audit trails is the cost of investigating
anomalous events. If the system is identifying too many events as
suspicious, administrators may spend undue time reconstructing
events and questioning personnel.