FFIEC information technology audits
As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI - 2019 Cybersecurity Predictions -
https://www.scmagazine.com/home/security-news/2019-cybersecurity-predictions/
Three ways the marriage of SOAR and email security can benefit SOC
and security teams - As email attacks grow more frequent and
complex, organizations are scrambling for new ways to reduce risk
and better detect and remediate threats.
https://www.scmagazine.com/home/opinions/three-ways-the-marriage-of-soar-and-email-security-can-benefit-soc-and-security-teams/
Next Generation Tools: Deception Networks - There have been
several predictions as to where adversary hacking is headed in the
foreseeable future. Virtually all credible predictions have one
thing in common: emerging attacks will be intelligent.
https://www.scmagazine.com/home/security-news/malware/next-generation-tools-deception-networks/
Connected light bulbs give off more than just light - Turning on a
“smart” light bulb may be the latest way people inadvertently flood
the internet with their personal information.
https://www.scmagazine.com/home/security-news/connected-light-bulbs-give-off-more-than-just-light/
The Aerospace Industries Association today is releasing a National
Aerospace Standard on cybersecurity that provides the aerospace and
defense industry a dynamic, risk-based solution to addressing
threats and ensuring resilience in the increasingly complex
cybersecurity ecosystem.
https://www.aia-aerospace.org/news/aia-releases-cybersecurity-standard/
2018 – The year that was: Top Cyberthreats - It was clear it was
going to be an intense year for the cybersecurity industry when, just
days after ringing in 2018, researchers announced a vulnerability
found in essentially all CPU processors made over the previous two
decades.
https://www.scmagazine.com/home/security-news/2018-the-year-that-was-top-threats/
Top cybersecurity legislation of 2019 - 2018 may go down as the year
the EU’s GDPR went into effect but legislators domestically kept
busy introducing and passing legislation meant to bolster the U.S.’s
cybersecurity and privacy postures.
https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/
Data Breaches Caused by Misconfigured Servers - Misconfigured server
infrastructure is often considered one of the most significant
causes of data breaches within the IT industry.
https://www.scmagazine.com/home/opinions/data-breaches-caused-by-misconfigured-servers/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Aliens? NASA servers with employee PII
potentially compromised - NASA yesterday alerted its employees of a
possible compromise of NASA servers containing personally
identifiable information.
https://www.scmagazine.com/home/security-news/cybercrime/aliens-nasa-servers-with-employee-pii-potentially-compromised/
Hacking Diplomatic Cables Is Expected. Exposing Them Is Not - On
Wednesday, the security and anti-phishing firm Area 1 published
details of a breach that compromised one of the European Union's
diplomatic communication channels for three years.
https://www.wired.com/story/eu-diplomatic-cable-hacks-area-one/
NASA reveals employee data breach in internal memo - Information on
employees may have been exposed, but it's unlikely that missions
were compromised.
https://www.cnet.com/news/nasa-reveals-data-breach-in-internal-memo/
Caribou Coffee data breach affects 270 locations - The Caribou
Coffee chain has reported that its point of sale system was hacked,
resulting in a data breach affecting dozens of locations, primarily
in Minnesota.
https://www.scmagazine.com/home/security-news/caribou-coffee-data-breach-affects-270-locations/
San Diego Unified School District data breach exposed 500,000
students, staff, parents - The San Diego Unified School District
(SDUSD) – California’s second largest – first discovered in October
2018 that PII of more than a half million students and staff was
compromised.
https://www.scmagazine.com/home/security-news/san-diego-unified-school-district-data-breach-exposed-500000-students-staff-parents/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.3.2 Review of Audit Trails
Audit trails can be used to review what occurred after an event,
for periodic reviews, and for real-time analysis. Reviewers should
know what to look for to be effective in spotting unusual activity.
They need to understand what normal activity looks like. Audit trail
review can be easier if the audit trail function can be queried by
user ID, terminal ID, application name, date and time, or some other
set of parameters to run reports of selected information.
Audit Trail Review After an Event. Following a known system
or application software problem, a known violation of existing
requirements by a user, or some unexplained system or user problem,
the appropriate system-level or application-level administrator
should review the audit trails. Review by the application/data owner
would normally involve a separate report, based upon audit trail
data, to determine if their resources are being misused.
Periodic Review of Audit Trail Data. Application owners,
data owners, system administrators, data processing function
managers, and computer security managers should determine how much
review of audit trail records is necessary, based on the importance
of identifying unauthorized activities. This determination should
have a direct correlation to the frequency of periodic reviews of
audit trail data.
Real-Time Audit Analysis. Traditionally, audit trails are
analyzed in a batch mode at regular intervals (e.g., daily). Audit
records are archived during that interval for later analysis. Audit
analysis tools can also be used in a real-time, or near real-time
fashion. Such intrusion detection tools are based on audit
reduction, attack signature, and variance techniques. Manual review
of audit records in real time is almost never feasible on large
multiuser systems due to the volume of records generated. However,
it might be possible to view all records associated with a
particular user or application, and view them in real time.