FYI
- Agencies Mold Regulations around ‘Voluntary’ Cyber Standards -
Federal regulators are adapting voluntary cybersecurity standards to
suit industries they oversee, for what could pan out to be
requirements.
http://www.nextgov.com/cybersecurity/2014/12/agencies-mold-regulations-around-voluntary-cyber-standards/101217/?oref=ng-channeltopstory
FYI
- Senate passes DHS cyber bill - The Senate has approved a cyber
bill to codify much of the Department of Homeland Security’s
cybersecurity role.
http://thehill.com/policy/cybersecurity/226639-senate-passes-dhs-cyber-bill
FYI
- Security group plans for a future without passwords - The FIDO
Alliance encourages stronger use of biometrics and hardware tokens
instead of passwords to identify users.
http://www.computerworld.com/article/2857496/security-group-plans-for-a-future-without-passwords.html
FYI
- Pirate Bay Torrent Tracking Site Goes Dark - Ever since it was
created, torrent tracking site The Pirate Bay has evaded copyright
holders and law enforcement—that is, until Dec. 9. On that date,
Swedish authorities reportedly seized the Stockholm servers of The
Pirate Bay, effectively shutting down the site and its affiliates.
http://www.eweek.com/blogs/security-watch/pirate-bay-torrent-tracking-site-goes-dark.html
FYI
- New report sheds light on National Research Council breach - A new
federal analysis has revealed that Chinese hackers used spear
phishing techniques to place malware on the National Research
Council's network in an attempt to steal sensitive data.
http://www.scmagazine.com/new-report-sheds-light-on-national-research-council-breach/article/388409/
FYI
- Landmark HIPAA settlement confirms push to firm up patching
schedules - For the first time, a medical services provider will
have to pay a “neglect” settlement over Health Insurance Portability
and Accountability Act of 1996 (HIPAA) violations that led to a data
breach.
http://www.scmagazine.com/anchorage-community-mental-health-services-settles-over-data-breach/article/388932/
FYI
- NIST drafts new cloud metrics guide - The National Institute of
Standards and Technology (NIST) has drafted a new guide aimed at
helping organizations find the right cloud service.
http://www.scmagazine.com/guide-helps-companies-choose-cloud-service/article/388919/
FYI
- Jeans and blazers will feature RFID blocking fabric - A notable
security firm has teamed up with a clothing brand to produce jeans
and blazers that add an additional layer of security to your mobile
device data.
http://www.scmagazine.com/jeans-and-blazers-will-feature-rfid-blocking-fabric/article/389117/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era - The
pipeline was outfitted with sensors and cameras to monitor every
step of its 1,099 miles from the Caspian Sea to the Mediterranean.
The blast that blew it out of commission didn’t trigger a single
distress signal.
http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html
FYI
- Now at the Sands Casino: An Iranian Hacker in Every Server - Most
gamblers were still asleep, and the gondoliers had yet to pole their
way down the ersatz canal in front of the Venetian casino on the Las
Vegas Strip.
http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p1
FYI
- DDoS of unprecedented scale 'stops Sweden working'. The target? A
gaming site - Much of Sweden's fixed-line broadband became
collateral damage as a result of a DDoS attack on a mystery gaming
site this week.
http://www.zdnet.com/article/ddos-of-unprecedented-scale-stops-sweden-working-the-target-a-gaming-site/
FYI
- More than 100K WordPress sites compromised by malware due to plugin
vulnerability - Since Sunday, unidentified attackers have been
indiscriminately infecting WordPress websites with malware by
exploiting a previously disclosed vulnerability in the Slider
Revolution plugin, according to security company Sucuri.
http://www.scmagazine.com/more-than-100k-wordpress-sites-compromised-by-malware-due-to-plugin-vulnerability/article/388410/
FYI
- Stolen EMCOR Services laptop contained Social Security numbers,
other data - EMCOR Services Mesa Energy Systems is notifying an
undisclosed number of individuals that their personal information –
including Social Security numbers – was on a company laptop that was
stolen.
http://www.scmagazine.com/stolen-emcor-services-laptop-contained-social-security-numbers-other-data/article/388422/
FYI
- UC Berkeley data breach impacts about 1,600 individuals -
University of California, Berkeley (UC Berkeley) is notifying
roughly 1,600 individuals that their personal information may have
been compromised in a data breach that involved unauthorized access
to servers and databases in the campus's Real Estate Division.
http://www.scmagazine.com/uc-berkeley-data-breach-impacts-about-1600-individuals/article/388534/
FYI
- Skimming at Virginia ATMs, more than 3,000 Union debit cards
compromised - Virginia-based Union First Market Bank announced that
a number of ATMs in the Richmond area fell victim to skimming, and
certain activity has been restricted for more than 3,000 of its
debit cards that were affected.
http://www.scmagazine.com/skimming-at-virginia-atms-more-than-3000-union-debit-cards-compromised/article/388904/
FYI
- After hack, Ars Technica asks subscribers to change passwords -
After experiencing an intrusion on Sunday, technology news and
information site Ars Technica is asking all readers who have
accounts to change their passwords.
http://www.scmagazine.com/after-hack-ars-technica-asks-subscribers-to-change-passwords/article/389167/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management
Principles for Electronic Banking" published by the Basel Committee on Bank
Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and Services
(Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring
the adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example, the
following:
a) The contractual liabilities of the respective parties, as well as
responsibilities for making decisions, including any sub-contracting of
material services, are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
out.
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention
and rectification in the event of substandard performance by the
service provider.
g) For cross-border outsourcing arrangements, it is determined which
country's laws and regulations, including those relating to privacy
and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units can automatically block the IP addresses
associated with certain signatures. Financial institutions that use
that capability run the risk of an attacker sending attack packets
whose source addresses are forged to be those of service providers
and other parties whose traffic the institution needs in order to
continue offering service, thereby creating a denial-of-service
condition. Forging a source address is practical for single packets
such as UDP datagrams or TCP SYNs; it is far harder for traffic inside
a TCP session the sender actually completed, so automatic blocking is
safest when limited to alerts raised from established sessions. To
avoid blocking the parties it depends on, the institution also may
implement a list of IP addresses that should not be blocked by the
IDS.
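The auto-block decision described above, worked through as an added example (not code from the FFIEC booklet or any IDS product). The alert records, the partner and resolver addresses in the never-block list, and the attacker's forged packets are all constructed; the naive policy is shown beside a hardened one that honours the allowlist and refuses to act on source addresses that were never proven by a completed TCP handshake.

```python
"""IDS auto-block decisions with an allowlist of addresses that must never be
blocked. Added example, not from the FFIEC booklet; alert records and all
addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: a core-banking service provider's range and the
# institution's upstream DNS resolver. Blocking either would cut off service.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.53/32")]


@dataclass(frozen=True)
class Alert:
    src: str           # source address as reported in the packet
    signature: str
    proto: str         # "tcp" or "udp"
    established: bool  # True only if the IDS saw a completed TCP handshake


# Constructed alert stream. The first two carry forged source addresses.
SAMPLE_ALERTS = [
    Alert("203.0.113.10", "port scan", "tcp", False),          # SYNs forged as the partner
    Alert("198.51.100.53", "DNS amplification", "udp", False),  # datagrams forged as the resolver
    Alert("192.0.2.77", "SYN flood", "tcp", False),            # no handshake, address unproven
    Alert("192.0.2.99", "web shell upload", "tcp", True),      # real, completed session
]


def naive_policy(alert: Alert) -> bool:
    """Block every source that trips a signature, as a bare auto-block does."""
    return True


def hardened_policy(alert: Alert, allow=NEVER_BLOCK) -> bool:
    """Block only when it is safe to act on the reported source address."""
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in allow):
        return False          # never auto-block what the institution depends on
    # A single UDP datagram or bare SYN can carry any source address, so an
    # attacker can point the IDS at a victim of their choosing. Only a peer
    # that completed the TCP handshake has shown it really holds the address.
    if alert.proto != "tcp" or not alert.established:
        return False          # log for an analyst instead of blocking
    return True


def blocked_sources(policy, alerts=SAMPLE_ALERTS):
    """Return the sorted set of addresses a policy would auto-block."""
    return sorted({a.src for a in alerts if policy(a)})


if __name__ == "__main__":
    print("naive   :", blocked_sources(naive_policy))     # blocks partner and resolver
    print("hardened:", blocked_sources(hardened_policy))  # blocks only 192.0.2.99
```

The naive policy turns the two forged packets into a self-inflicted outage against the partner and the resolver; the hardened policy blocks only the one source that completed a session, and leaves the rest for an analyst. Blocks that are applied automatically should also expire after a set time rather than accumulate.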
Host-based IDS also use signature methods. One such method creates a
hash of key binaries and periodically compares a newly generated hash
against the original. Any mismatch signals a change to the binary, a
change that could be the result of an intrusion. Successful operation
of this method depends on protecting the recorded original hashes from
change or deletion, and on protecting the host that performs the
comparison. If attackers can substitute a new hash for the original,
an attack may not be identified; keeping the baseline off the
monitored host, on read-only media, or authenticated with a key the
host does not hold makes such substitution detectable. Similarly, if
an attacker can alter the host performing the comparison so that it
will report no change in the hash, an attack may not be identified.
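The hash-comparison method and the hash-substitution attack above, as an added example that is not from the FFIEC booklet. The "binaries", the backdoored replacement and the key are constructed in a temporary directory; the baseline is authenticated with an HMAC under a key assumed to be held by the comparison host rather than the monitored one, so an attacker who edits the stored digest to match the trojan cannot also repair the tag. It does nothing against the second failure mode (a subverted comparison host), which the paragraph rightly calls out.

```python
"""Host-based integrity check of key binaries against a tamper-evident baseline.
Added example, not from the FFIEC booklet. The binaries, the attacker's
modifications and the key are constructed in a temporary directory."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key: bytes) -> dict:
    """Record each file's digest and authenticate the whole record with an HMAC.
    The key must not live on the monitored host, or an attacker who can
    rewrite the digests can also recompute the tag."""
    digests = {p: file_digest(p) for p in paths}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify(baseline: dict, key: bytes) -> dict:
    """Check the baseline's own integrity first, then each file against it."""
    body = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        # The stored hashes cannot be trusted; never report "no change" here.
        return {"baseline_tampered": True, "changed": []}
    changed = [p for p, d in baseline["digests"].items()
               if not os.path.exists(p) or file_digest(p) != d]
    return {"baseline_tampered": False, "changed": changed}


def demo() -> dict:
    """Clean run, then a trojanized binary, then a baseline edited to hide it."""
    key = b"constructed-demo-key-held-on-the-comparison-host"  # assumption: off-host
    workdir = tempfile.mkdtemp()
    bins = {}
    for name, content in (("sshd", b"genuine sshd bytes"), ("login", b"genuine login bytes")):
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        bins[name] = path

    baseline = build_baseline(bins.values(), key)
    clean = verify(baseline, key)

    # Attacker replaces the login binary with a backdoored copy.
    with open(bins["login"], "wb") as f:
        f.write(b"backdoored login bytes")
    detected = verify(baseline, key)

    # Attacker also rewrites the stored digest to match the backdoor but,
    # lacking the key, cannot produce a matching tag over the edited record.
    forged = json.loads(json.dumps(baseline))
    forged["digests"][bins["login"]] = file_digest(bins["login"])
    hidden = verify(forged, key)

    return {"clean": clean, "detected": detected, "hidden": hidden, "login": bins["login"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The first verification reports no change, the second names the altered file, and the third refuses to trust the baseline at all rather than reporting a clean system. Reading the files through the running kernel is still the weak point; the next paragraph explains why.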
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a Web
server process invoking a command-line interpreter.
Attackers can defeat host-based IDS using loadable kernel modules
(LKMs). An LKM is code that is loaded into the running operating
system kernel. From there it can intercept and alter system calls and
file and network operations. With a suitable LKM, an attacker can
force a comparison of hashes to always report a match, or serve the
original bytes of a file to the checker, and therefore the original
cryptographic fingerprint, even after the file on disk was altered.
LKMs can also hide the use of the application program interfaces.
Because every user-space tool on the host depends on the kernel's
answers, detection of a malicious LKM from within the running system is
extremely difficult and is typically done through another LKM;
examining the disk from a separately booted, trusted system avoids
relying on the compromised kernel at all.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
Cryptography is a branch of mathematics based on the transformation
of data. It provides an important tool for protecting information
and is used in many aspects of computer security. For example,
cryptography can help provide data confidentiality, integrity,
electronic signatures, and advanced user authentication. Although
modern cryptography relies upon advanced mathematics, users can reap
its benefits without understanding its mathematical underpinnings.
This chapter describes cryptography as a tool for satisfying a wide
spectrum of computer security needs and requirements. It describes
fundamental aspects of the basic cryptographic technologies and some
specific ways cryptography can be applied to improve security. The
chapter also explores some of the important issues that should be
considered when incorporating cryptography into computer systems.
Cryptography is traditionally associated only with keeping data
secret. However, modern cryptography can be used to provide many
security services, such as electronic signatures and ensuring that
data has not been modified.
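The distinction the chapter draws between keeping data secret and ensuring it has not been modified, as an added example that is not from the NIST Handbook. A message is encrypted with a stream cipher, and an attacker who knows only the message layout flips one ciphertext byte to change the amount without any key; the same edit is then rejected when the ciphertext is also authenticated with an HMAC (encrypt-then-MAC). The cipher here is a toy keystream built from SHA-256 in counter mode, used only because the standard library ships no block cipher; keys, nonce and the message are constructed.

```python
"""Confidentiality alone does not protect integrity: bit-flipping an encrypted
message versus detecting the change with a MAC. Added example, not from the NIST
Handbook. The stream cipher is a toy built from SHA-256 in counter mode, used as
a stand-in because the standard library ships no block cipher; keys, nonce and
message are constructed."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated. Not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes itself


def flip_byte(ciphertext: bytes, offset: int, known: int, wanted: int) -> bytes:
    """Attacker's edit: no key needed, only knowledge of the plaintext byte at
    `offset`. XORing in (known ^ wanted) makes that byte decrypt to `wanted`."""
    patched = ciphertext[offset] ^ known ^ wanted
    return ciphertext[:offset] + bytes([patched]) + ciphertext[offset + 1:]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; return None on failure."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    enc_key = b"constructed-encryption-key-32by"   # constructed for the demo
    mac_key = b"constructed-mac-key-different-32"  # separate key for the MAC
    nonce = b"nonce-01"
    message = b"transfer amount=100 to=alice"
    digit = message.index(b"amount=") + len(b"amount=")  # offset of the leading '1'

    # Confidentiality only: the attacker turns 100 into 900 without the key.
    ciphertext = encrypt(enc_key, nonce, message)
    tampered = decrypt(enc_key, nonce, flip_byte(ciphertext, digit, ord("1"), ord("9")))

    # Encrypt-then-MAC: the same edit is rejected before anything is decrypted.
    ciphertext, tag = seal(enc_key, mac_key, nonce, message)
    rejected = unseal(enc_key, mac_key, nonce, flip_byte(ciphertext, digit, ord("1"), ord("9")), tag)
    roundtrip = unseal(enc_key, mac_key, nonce, ciphertext, tag)

    return {"tampered": tampered, "rejected": rejected, "roundtrip": roundtrip}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The encrypted-only message decrypts cleanly to a transfer of 900, and nothing in the ciphertext reveals that it was touched; with the MAC in place the receiver gets None instead. In practice an authenticated-encryption mode from a vetted library provides both services in one primitive.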