FYI
- Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. To help reduce any liability, please contact me for
more information at examiner@yennik.com.
FYI - The FDIC and the OCC do not have a requirement that financial
institutions change third-party vendors on a periodic basis. Any such
decision is a management decision, not a regulatory decision.
Refer to http://www.yennik.com/occ_10-12-16_rotation_letter.pdf and
http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.
When it comes to IoT, more security is needed - Sometimes it takes
a monumental event for an industry to change. The Target hack during
the holiday season of 2013 – in which some 40 million credit card
numbers were stolen – changed people's attitudes about security
forever.
https://www.scmagazine.com/when-it-comes-to-iot-more-security-is-needed/article/578654/
Virtualization and cloud-based security - These are two sides of the
same coin. On one side, we have security for the virtual, or
software-defined, data center. On the other, we have security for
cloud-based systems.
https://www.scmagazine.com/virtualization-and-cloud-based-security/article/577719/
Joomla flaw allows attacker to change passwords and seize sites -
Joomla patched a vulnerability (CVE-2016-9838) which if exploited
could allow an attacker to reset login credentials and take over
sites.
https://www.scmagazine.com/joomla-bug-allows-attackers-to-take-over-your-site/article/579432/
44 percent of orgs fail to meet breach investigation deadlines,
study - A recent study revealed that 44 percent of organizations in
the U.K. fail to meet deadlines for investigating and reporting data
breaches, and a lack of staff and automation may be to blame.
https://www.scmagazine.com/study-finds-44-percent-of-orgs-dont-meet-breach-reporting-deadlines/article/579874/
Breach risk assessment reveals attackers' favorite techniques - A
recent breach risk assessment of more than 20 organizations running
large enterprise networks found that 100 percent showed signs of
traffic tunneling, DNS-related exfiltration and malformed protocols
in outbound traffic – all indicators of attackers using evasion and
exfiltration techniques.
https://www.scmagazine.com/breach-risk-assessment-reveals-attackers-favorite-techniques/article/579856/
Insurers handling 'hundreds' of breach claims - Insurance claims for
data breaches are being made at a rate of more than one a day,
figures from CFC Underwriting suggest.
http://www.bbc.com/news/technology-38346427
Advances in emerging surveillance technologies like cell-site
simulators – devices which transform a cell phone into a real-time
tracking device – require careful evaluation to ensure their use is
consistent with the protections afforded under the First and Fourth
Amendments to the U.S. Constitution.
http://oversight.house.gov/wp-content/uploads/2016/12/THE-FINAL-bipartisan-cell-site-simulator-report.pdf
59% of consumers fear cyber-attacks disrupting celebrations -
Consumers are growing less forgiving: only four percent would
unconditionally stay with a business that failed to inform them of a
cyber-attack.
https://www.scmagazine.com/59-of-consumers-fear-cyber-attacks-disrupting-celebrations/article/580289/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- China hacked the FDIC - and US officials covered it up, report
says - China's spies hacked into computers at the Federal Deposit
Insurance Corporation from 2010 until 2013 -- and American
government officials tried to cover it up, according to a
Congressional report.
http://money.cnn.com/2016/07/13/technology/china-fdic-hack/
US election agency breached by suspected Russian hacker - A
security firm discovers more than 100 login credentials for
computers at the US Election Assistance Commission on the internet
black market.
https://www.cnet.com/news/us-election-agency-hacked-by-suspected-russian/
SWIFT bank system involved in hack into Turkey's third largest bank
- The third largest bank in Turkey was hit with another assault
exploiting the SWIFT money transfer system.
https://www.scmagazine.com/swift-bank-system-involved-in-hack-into-turkeys-third-largest-bank/article/579855/
Howard County: Ransomware attack worse than originally thought -
Howard County (Indiana) government officials reported that more
files than originally thought were impacted by a pair of ransomware
attacks that took place in November.
https://www.scmagazine.com/howard-county-ransomware-attack-worse-than-originally-thought/article/579847/
Domino's Pizza advises customers to change their passwords - Pizza
purveyor Domino's Pizza has advised its customers by email to change
their account password to one which is strong and unique to avoid
fraudulent account activity, owing to recent large-scale data
breaches and password reuse across multiple websites.
https://www.scmagazine.com/dominos-pizza-advises-customers-to-change-their-passwords/article/579961/
PayAsUGym hacked, 305,000 sets of customer credentials stolen - The
company says that it does not store any financial credentials, but
appears to have ignored multiple attempts to work with the
individual who claims to have carried out the breach.
https://www.scmagazine.com/payasugym-hacked-305000-sets-of-customer-credentials-stolen/article/579963/
Data of 55K users of Lynda.com at risk following breach - Lynda.com,
the training site of LinkedIn, was hit by a breach that exposed the
passwords of a small percentage of users, around 55,000 accounts,
according to Engadget.
https://www.scmagazine.com/data-of-55k-users-of-lyndacom-at-risk-following-breach/article/579986/
Ethereum cryptocurrency breach affects 16K - Administrators of the
Ethereum Project said the platform to trade the Ethereum
cryptocurrency incurred a breach affecting more than 16,500 users.
https://www.scmagazine.com/bo-shens-hacker-strikes-again-in-ethereum-cryptocurrency-breach/article/580288/
November healthcare breaches: 458,000 patient records affected - The
healthcare industry had an up and down November with the amount of
patient records lost in data breaches declining, but the number of
incidents reaching a new high for the year.
https://www.scmagazine.com/november-healthcare-breaches-458000-patient-records-affected/article/580428/
Alleged car thieves used breached data to help steal Hyundais and
Kias - Israeli Police reportedly have arrested three individuals
from East Jerusalem who allegedly hacked into the company servers of
car manufacturers Hyundai and Kia in order to obtain data that would
help them steal dozens of their automobiles.
https://www.scmagazine.com/alleged-car-thieves-used-breached-data-to-help-steal-hyundais-and-kias/article/580425/
Data of 400K Community Health Plan of Washington members compromised
by breach - Personal information, including Social Security numbers,
was compromised in a recent data breach of Community Health Plan of
Washington, the insurance arm of 19 community health centers in
Washington state.
https://www.scmagazine.com/data-of-400k-community-health-plan-of-washington-members-compromised-by-breach/article/627470/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
process.
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
technology.
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
policies.
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
and databases.
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and availability of information can
be impaired through physical access and damage or destruction to
physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The security
requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information
technology components in the zone. For instance, data centers may be
in the highest security zone, and branches may be in a much lower
security zone. Different security zones can exist within the same
structure. Routers and servers in a branch, for instance, may be
protected to a greater degree than customer service terminals.
Computers and telecommunications equipment within an operations
center will be in a higher security zone than I/O operations, with
the media used in that equipment stored in a higher zone still.
The requirements for each zone should be determined through the
risk assessment. The risk assessment should include, but is not
limited to, the following threats:
- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique
geographical location, building configuration, neighboring entities,
etc.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 9 - Assurance
9.3.2 NIST Conformance Testing and Validation Suites
NIST produces validation suites and conformance testing to
determine if a product (software, hardware, firmware) meets
specified standards. These test suites are developed for specific
standards and use many methods. Conformance to standards can be
important for many reasons, including interoperability or strength
of security provided. NIST publishes a list of validated products
quarterly.
9.3.3 Use of Advanced or Trusted Development
In the development of both commercial off-the-shelf products and
more customized systems, the use of advanced or trusted system
architectures, development methodologies, or software engineering
techniques can provide assurance. Examples include security design
and development reviews, formal modeling, mathematical proofs, ISO
9000 quality techniques, or use of security architecture concepts,
such as a trusted computing base (TCB) or reference monitor.
9.3.4 Use of Reliable Architectures
Some system architectures are intrinsically more reliable, such as
systems that use fault tolerance, redundancy, shadowing, or
redundant array of inexpensive disks (RAID) features. These examples
are primarily associated with system availability.
9.3.5 Use of Reliable Security
One factor in reliable security is the concept of ease of safe use,
which postulates that a system that is easier to secure will be more
likely to be secure. Security features may be more likely to be used
when the initial system defaults to the "most secure" option. In
addition, a system's security may be deemed more reliable if it does
not use very new technology that has not been tested in the "real"
world (often called "bleeding-edge" technology). Conversely, a
system that uses older, well-tested software may be less likely to
contain bugs.