R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of February 19, 2017

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.


FYI - Trump’s Cybersecurity Chief Could Be a ‘Voice of Reason’ - Last month, the Atlantic Council think tank held a dinner to send off Tom Bossert, one of its fellows. President-elect Donald Trump had tapped Bossert to be his homeland security adviser, effectively putting him in charge of the administration’s cybersecurity efforts. https://www.wired.com/2017/02/tom-bossert-trump-cybersecurity/

Ex-NSA contractor Harold Martin indicted: He spent 'up to 20 years stealing top-secret files' - US prosecutors list dossiers and code allegedly swiped - Former Booz Allen Hamilton contractor Harold Thomas Martin III allegedly stole secret and top-secret software and documents from American intelligence agencies for up to 20 years. http://www.theregister.co.uk/2017/02/08/us_grand_jury_indicts_harold_martin_nsa/

Orlando, Tampa and St. Louis have 5x's malware of US average - A recent study found computers in Tampa, Orlando and St. Louis are more than five times as likely to be infected with malware as the national average in 2016. https://www.scmagazine.com/study-finds-orlando-has-most-malware-infections-in-the-nation/article/637547/

Banks worldwide under attack from new malware, report - A variety of banks and other financial institutions in more than 30 countries have been targeted in a new round of watering hole attacks, perhaps the work of the Lazarus group, according to a blog post from Symantec.

'Internet of Evil Things' challenges security pros - After Mirai shook the rafters of cybersecurity in 2016, IT security professionals (rightfully) expect that connected devices will be a major security headache in 2017 – but still struggle to get a grasp on how to account for, track and monitor those devices. https://www.scmagazine.com/internet-of-evil-things-challenges-security-pros/article/637660/

How IoT hackers turned a university's network against itself - A university found its own network turned against it - as refrigerators and lights overwhelmed it with searches for seafood. http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/

Data breach scheme to become law - Mandatory data breach notification will finally become law in Australia, after the Senate today gave the scheme the green light. http://www.theaustralian.com.au/business/technology/data-breach-scheme-to-become-law/news-story/8c2765681201c0d1c58ece2ebc3022c5

One third of U.S. companies breached last year, study - A third of companies in the U.S. were breached in 2016, according to a study from Bitdefender issued on Tuesday. https://www.scmagazine.com/one-third-of-us-companies-breached-last-year-study/article/638100/

Almost all organizations lack the technology to defend against cyberattacks - A new survey shows that just three percent of IT security professionals believe their organization has the technology in place to deal with the most common cyber problems that they face. https://www.scmagazine.com/almost-all-organizations-lack-the-technology-to-defend-against-cyberattacks-tripwire/article/638345/


FYI - Arby's hit with POS breach, 1,100 stores possibly affected - The fast food restaurant chain Arby's has suffered a breach involving the payment card systems in up to 1,100 of its locations. https://www.scmagazine.com/arbys-hit-with-pos-breach-1100-stores-possibly-affected/article/637283/

Breach compromises data of 9,000 Verity Health System patients - About 9,000 Verity Health patients had their personal data compromised after an unauthorized entry was discovered in the health system's network. https://www.scmagazine.com/breach-compromises-data-of-9000-verity-health-system-patients/article/637127/

7,700 Manatee, Fla. school workers compromised in W-2 scam - Thousands of Manatee (Fla.) County school employees had their W-2 tax form information compromised after a district employee fell for a phishing scam. https://www.scmagazine.com/7700-manatee-fla-school-workers-compromised-in-w-2-scam/article/637830/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.
  Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are not only challenged to ensure that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications.
  A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. In making a determination as to where clear audit trails should be maintained, the following types of e-banking transactions should be considered:
  1)  The opening, modification or closing of a customer's account.
  2)  Any transaction with financial consequences.
  3)  Any authorization granted to a customer to exceed a limit.
  4)  Any granting, modification or revocation of systems access rights or privileges.


We continue our series on the FFIEC interagency Information Security Booklet.  
 Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability of their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message can be read only by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re-perform the hashing of the message and compare the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).
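The A-to-B exchange described above, as an added example in Go. This is not code from the FFIEC booklet or from this newsletter. It assumes a minimal stand-in for the CA in which the CA signs name/key bindings with RSA-PSS (real deployments use X.509 certificates), and it departs from the narrative in one point: RSA can encrypt only a short block, so the signature and message are protected with a fresh AES-GCM key and only that key is encrypted under B's public key, which is the standard hybrid construction. The names `Registration`, `Register`, `Lookup`, `Envelope`, `Send`, `Receive` and `NewKey` are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// NewKey generates a 2048-bit RSA key pair (demo setup, so it panics on failure).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Registration is a constructed stand-in for a certificate: the CA vouches for a
// name/public-key pair by signing it. Real PKI uses X.509 certificates instead.
type Registration struct {
	Name  string
	Pub   *rsa.PublicKey
	CASig []byte // CA's RSA-PSS signature over SHA-256(name || 0x00 || PKIX DER of Pub)
}

func bindingDigest(name string, pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed RSA key
	d := sha256.Sum256(append([]byte(name+"\x00"), der...))
	return d[:]
}

// Register is the CA side: sign the binding between a name and a public key.
func Register(caKey *rsa.PrivateKey, name string, pub *rsa.PublicKey) (Registration, error) {
	sig, err := rsa.SignPSS(rand.Reader, caKey, crypto.SHA256, bindingDigest(name, pub), nil)
	return Registration{Name: name, Pub: pub, CASig: sig}, err
}

// Lookup is the relying-party side: only the CA's key is trusted a priori, and a
// registered key is used only if the CA's signature over the binding verifies.
func Lookup(caPub *rsa.PublicKey, reg Registration, wantName string) (*rsa.PublicKey, error) {
	if reg.Name != wantName {
		return nil, fmt.Errorf("registration is for %q, not %q", reg.Name, wantName)
	}
	if err := rsa.VerifyPSS(caPub, crypto.SHA256, bindingDigest(reg.Name, reg.Pub), reg.CASig, nil); err != nil {
		return nil, fmt.Errorf("CA signature on binding does not verify: %w", err)
	}
	return reg.Pub, nil
}

// Envelope is what A sends to B.
type Envelope struct {
	WrappedKey []byte // fresh AES-256 key, encrypted with B's public key (RSA-OAEP)
	Nonce      []byte // 96-bit AES-GCM nonce
	Ciphertext []byte // AES-GCM over (A's signature || message)
}

// Send is A's side: hash the message, sign the hash with A's private key, then
// encrypt signature and message for B. RSA encrypts only a few hundred bytes, so
// the usual hybrid form is used: a random AES key protects the payload and only
// that key is encrypted under B's public key.
func Send(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	buf := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	aesKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(aesKey) // key length is fixed above, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	payload := append(append([]byte{}, sig...), msg...)
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Receive is B's side: unwrap the AES key with B's private key, decrypt, then
// re-hash the message and check A's signature with A's CA-vouched public key.
func Receive(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(aesKey) // a hostile envelope may carry a bad key length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad nonce length %d", len(env.Nonce))
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed, ciphertext was altered: %w", err)
	}
	if len(payload) < senderPub.Size() {
		return nil, fmt.Errorf("payload shorter than a signature")
	}
	sig, msg := payload[:senderPub.Size()], payload[senderPub.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify, not from the claimed sender: %w", err)
	}
	return msg, nil
}
```

The two properties the booklet names map onto two failure paths: an altered ciphertext fails in `gcm.Open` (integrity), and a message signed by anyone other than the key the CA vouched for under A's name fails in `rsa.VerifyPSS` (authentication). `Lookup` is where the trust in the CA is exercised; a registration whose name/key binding the CA did not sign is refused before its key is ever used.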
 Various communication protocols use both symmetric and asymmetric encryption. Transport Layer Security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e-mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for Wireless Transport Layer Security.
 Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point-to-point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.
 IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell (SSH) is frequently used for remote server administration. SSH establishes an encrypted tunnel between an SSH client and a server, and also provides authentication services.
 Disk encryption is typically used to protect data in storage.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 9 - Assurance: Automated Tools
 Several types of automated tools monitor a system for security problems. Some examples follow:
 !  Virus scanners are a popular means of checking for virus infections. These programs test for the presence of viruses in executable program files.
 !  Checksumming tools presume that program files should not change between updates. They work by generating a mathematical value based on the contents of a particular file. When the integrity of the file is to be verified, the checksum is generated on the current file and compared with the previously generated value. If the two values are equal, the integrity of the file is verified. Program checksumming can detect viruses, Trojan horses, accidental changes to files caused by hardware failures, and other changes to files. However, the stored checksums may themselves be covertly replaced by a system intruder. Digital signatures can also be used.
 !  Password crackers check passwords against a dictionary (either a "regular" dictionary or a specialized one with easy-to-guess passwords) and also check if passwords are common permutations of the user ID. Examples of special dictionary entries could be the names of regional sports teams and stars; common permutations could be the user ID spelled backwards.
 !  Integrity verification programs can be used by applications to look for evidence of data tampering, errors, and omissions. Techniques include consistency and reasonableness checks and validation during data entry and processing. These techniques can check data elements, as input or as processed, against expected values or ranges of values; analyze transactions for proper flow, sequencing, and authorization; or examine data elements for expected relationships. These programs comprise a very important set of processes because they can be used to convince people that, if they do what they should not do, accidentally or intentionally, they will be caught. Many of these programs rely upon logging of individual user activities.
 !  Intrusion detectors analyze the system audit trail, especially log-ons, connections, operating system calls, and various command parameters, for activity that could represent unauthorized activity.
 !  System performance monitoring analyzes system performance logs in real time to look for availability problems, including active attacks (such as the 1988 Internet worm) and system and network slowdowns and crashes.
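An added example in Go of the checksumming approach described in the list above, including the caveat that stored checksums can be covertly replaced. This is not code from the NIST Handbook or from this newsletter. It builds a SHA-256 baseline over a constructed set of files, reports modified, added and removed files on a later scan, and seals the baseline with HMAC-SHA256 under a key that is assumed to be kept off the monitored host, so that an edit to the stored checksums is detected even when the file comparison itself has been silenced. The function names and the sample paths under `/opt/app` are the example's own; the digital signature the Handbook mentions would be the alternative to the HMAC seal.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Baseline maps a file path to the hex SHA-256 checksum recorded for it.
type Baseline map[string]string

// Checksum returns the hex SHA-256 of a file's contents.
func Checksum(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// BuildBaseline records a checksum for every file (path -> contents) at a known-good time.
func BuildBaseline(files map[string][]byte) Baseline {
	b := make(Baseline, len(files))
	for path, content := range files {
		b[path] = Checksum(content)
	}
	return b
}

// Canonical serialises a baseline deterministically (sorted paths) so it can be sealed.
func (b Baseline) Canonical() string {
	paths := make([]string, 0, len(b))
	for p := range b {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s\x00%s\n", p, b[p])
	}
	return sb.String()
}

// Seal computes an HMAC-SHA256 over the canonical baseline with a key that is
// kept off the monitored host, so an intruder who edits the stored checksums
// cannot recompute the seal. A digital signature would serve the same purpose
// and would also let verification happen without the secret key.
func Seal(b Baseline, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(b.Canonical()))
	return mac.Sum(nil)
}

// VerifySeal reports whether the stored baseline still matches its seal.
func VerifySeal(b Baseline, key, seal []byte) bool {
	return hmac.Equal(Seal(b, key), seal)
}

// Change is one difference between the baseline and the current file set.
type Change struct {
	Path string
	Kind string // "modified", "added" or "removed"
}

// Compare recomputes checksums for the current files and reports every
// difference from the baseline, in path order.
func Compare(b Baseline, files map[string][]byte) []Change {
	var changes []Change
	for path, content := range files {
		want, known := b[path]
		switch {
		case !known:
			changes = append(changes, Change{path, "added"})
		case want != Checksum(content):
			changes = append(changes, Change{path, "modified"})
		}
	}
	for path := range b {
		if _, present := files[path]; !present {
			changes = append(changes, Change{path, "removed"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// SampleFiles is a constructed file set standing in for a program directory.
func SampleFiles() map[string][]byte {
	return map[string][]byte{
		"/opt/app/bin/transfer": []byte("#!/bin/sh\necho transfer v1\n"),
		"/opt/app/bin/login":    []byte("#!/bin/sh\necho login v1\n"),
		"/opt/app/etc/app.conf": []byte("limit=1000\n"),
	}
}

func main() {
	key := []byte("constructed-demo-key-kept-off-the-monitored-host")
	base := BuildBaseline(SampleFiles())
	seal := Seal(base, key)
	now := SampleFiles()
	now["/opt/app/bin/transfer"] = []byte("#!/bin/sh\necho transfer v2\n")
	for _, c := range Compare(base, now) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
	// An intruder who rewrites the stored checksum silences Compare, but not the seal.
	base["/opt/app/bin/transfer"] = Checksum(now["/opt/app/bin/transfer"])
	fmt.Println("changes after baseline edit:", len(Compare(base, now)), "seal valid:", VerifySeal(base, key, seal))
}
```

The design choice worth noting is that `Compare` alone is only as trustworthy as the baseline it reads; the seal is what turns "the checksums match" into "the checksums match the values recorded when the system was known good". The seal key must not live on the host being monitored, otherwise the intruder who can rewrite the baseline can reseal it too.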

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. There is no charge if you are not satisfied with our service. For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.

Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.