R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of April 30, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 




FYI - NICC releases guidance for secure implementation and use of SIP ALG - Guidance has been produced by NICC for the use and secure implementation of SIP (Session Initiation Protocol) ALG (Application Layer Gateways). https://www.scmagazine.com/nicc-releases-guidance-for-secure-implementation-and-use-of-sip-alg/article/651754/

HHS to stand up its own version of the NCCIC for health - The Health and Human Services Department is taking a page out of the Homeland Security Department’s book, as it tries to coordinate and secure the ever-growing and complicated world of mobile health IT. https://federalnewsradio.com/health-it/2017/04/hhs-to-stand-up-its-own-version-of-the-nccic-for-health/

Securing robotic and IoT devices - Unsecured Internet of Things (IoT) devices and the increasing use of automation are producing vulnerable robotic devices (robots, if you will) that, if compromised by an attacker, could inflict physical harm on humans, not to mention exposing all types of personal information held on the device. https://www.scmagazine.com/preventing-skynet-securing-robotic-and-iot-devices/article/652511/

FCC chair calls for net neutrality rollback - Ajit Pai, chairman of the Federal Communications Commission (FCC), on Wednesday laid out plans to roll back net neutrality regulations put in place under the Obama administration. https://www.scmagazine.com/fcc-chair-calls-for-net-neutrality-rollback/article/653133/

Paid in the USA: Americans more likely to pony up when infected with ransomware - The U.S. suffered 34 percent of global ransomware infections last year – and it's no wonder why, with 64 percent of Americans willing to pay to retrieve their encrypted files, compared to just 34 percent of victims worldwide. https://www.scmagazine.com/paid-in-the-usa-americans-more-likely-to-pony-up-when-infected-with-ransomware/article/653106/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - IHG data breach, cyber experts weigh in on curing POS problems - The recent revelation by the InterContinental Hotels Group that 1,200 of its locations had been victimized by malware placed on its front desk point-of-sale (POS) systems should spur companies to ensure their equipment is locked down and monitored. https://www.scmagazine.com/ihg-data-breach-cyber-experts-weigh-in-on-curing-pos-problems/article/651916/

Cybersecurity firm exposed non-anonymized hospital data in demos - Cybersecurity startup Tanium is in hot water after exposing non-anonymized network data from a California hospital during live product demonstrations and online videos. https://www.scmagazine.com/security-firm-in-hot-water-after-exposing-hospital-data-in-demos/article/651757/

Hackers launch Delta fake ticket receipt scam - Heimdal Security researchers spotted fraudsters sending phishing emails under the guise of blank Delta Airlines' ticket confirmations. https://www.scmagazine.com/delta-fake-ticket-receipt-scam-redirects-to-hancitor-malware/article/652053/

Fake Super Mario Run App Steals Credit Card Information - Dozens of malicious Android apps claiming to be the mobile game Super Mario Run have been detected by researchers at Trend Micro. https://www.scmagazine.com/fake-super-mario-run-app-steals-credit-card-information/article/652196/

20K notified of data breach at healthcare network Lifespan - Lifespan, a Rhode Island-based healthcare network, informed 20,000 patients that an employee laptop containing patient data went missing. https://www.scmagazine.com/20k-notified-of-data-breach-at-healthcare-network-lifespan/article/652348/

Iowa veterans warned of possible data breach - On April 21, the Iowa Veterans Home (IVH) began notifying thousands of residents, former residents and applicants that their personal information may have been compromised. https://www.scmagazine.com/iowa-veterans-warned-of-possible-data-breach/article/652340/

Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools - Vulnerable unpatched systems expose exploitable SMB networking to world+dog - The NSA's Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we're told. http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

Data blowout at Blowout Cards - Blowout Cards, a site for the buying, selling and trading of sports and other types of cards, suffered a breach, according to a report on Data Breach Today. https://www.scmagazine.com/data-blowout-at-blowout-cards/article/652828/

City of Newark reportedly hit in ransomware attack - A ransomware attack has hit some municipal computers in New Jersey's most populous city, Newark, TAPInto Newark reported on Monday, citing the city's CIO Seth Wainer and a document obtained by the media outlet. https://www.scmagazine.com/city-of-newark-reportedly-hit-in-ransomware-attack/article/652644/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
Sound Authorization Practices for E-Banking Applications
 
 
1. Specific authorization and access privileges should be assigned to all individuals, agents or systems, which conduct e-banking activities.
 
 2. All e-banking systems should be constructed to ensure that they interact with a valid authorization database.
 
 3. No individual, agent or system should have the authority to change his or her own authority or access privileges in an e-banking authorization database.
 
 4. Any addition of an individual, agent or system or changes to access privileges in an e-banking authorization database should be duly authorized by an authenticated source empowered with the adequate authority and subject to suitable and timely oversight and audit trails.
 
 5. Appropriate measures should be in place in order to make e-banking authorization databases reasonably resistant to tampering. Any such tampering should be detectable through ongoing monitoring processes. Sufficient audit trails should exist to document any such tampering.
 
 6. Any e-banking authorization database that has been tampered with should not be used until replaced with a validated database.
 
 7. Controls should be in place to prevent changes to authorization levels during e-banking transaction sessions and any attempts to alter authorization should be logged and brought to the attention of management.
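The seven principles above describe controls rather than code, so here is an added example (not Basel Committee, FFIEC or vendor code) of an authorization store that enforces principles 3 through 7 in one place: privilege changes require an authenticated administrator who is not the subject, every change or refused attempt is appended to a keyed hash-chained audit trail, the chain is re-verified and replayed against the privilege table to detect tampering, a tampered database is quarantined until replaced, and no change is accepted while the subject has an open session. The principal names, privilege names and the audit key are constructed for the demonstration.

```python
"""Added example: an e-banking authorization store shaped by principles 3 to 7.

Not Basel Committee or vendor code. Principal names, privilege names and the
audit key are constructed for the demonstration; in production the key would
be held by a separate audit service, not beside the table it protects.
"""
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: held outside the database


class AuthorizationError(Exception):
    pass


class AuthzDB:
    """Privilege table plus a keyed, hash-chained audit trail."""

    def __init__(self):
        self.privs = {}             # subject -> set of privilege names
        self.audit = []             # chained records: {"event": ..., "mac": ...}
        self.open_sessions = set()  # subjects with a live e-banking session
        self.tampered = False       # principle 6: quarantined once set

    def _append(self, event):
        # each MAC covers the previous MAC, so editing or deleting a record
        # breaks every record that follows it
        prev = self.audit[-1]["mac"] if self.audit else "genesis"
        body = json.dumps(event, sort_keys=True)
        mac = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.audit.append({"event": event, "mac": mac})

    def bootstrap(self, first_admin):
        if self.audit:
            raise AuthorizationError("already initialised")
        self.privs[first_admin] = {"admin"}
        self._append({"op": "set", "actor": "installer",
                      "subject": first_admin, "privs": ["admin"]})

    def _deny(self, actor, subject, reason):
        # refused attempts are logged too (principles 4 and 7)
        self._append({"op": "denied", "actor": actor, "subject": subject,
                      "reason": reason})
        raise AuthorizationError(reason)

    def change(self, actor, subject, privileges):
        """Principles 3, 4 and 7: who may change what, and when."""
        if self.tampered:
            raise AuthorizationError("database quarantined until replaced")
        if "admin" not in self.privs.get(actor, set()):
            self._deny(actor, subject, "actor not authorized to change privileges")
        if actor == subject:
            self._deny(actor, subject, "self-modification refused")
        if subject in self.open_sessions:
            self._deny(actor, subject, "change refused during active session")
        self.privs[subject] = set(privileges)
        self._append({"op": "set", "actor": actor, "subject": subject,
                      "privs": sorted(privileges)})

    def open_session(self, subject):
        """Principle 7: the session runs on the privileges fixed at login."""
        snapshot = frozenset(self.privileges_for(subject))
        self.open_sessions.add(subject)
        return snapshot

    def close_session(self, subject):
        self.open_sessions.discard(subject)

    def verify(self):
        """Principle 5: recheck the chain, then replay it against the table."""
        prev, replay = "genesis", {}
        for rec in self.audit:
            body = json.dumps(rec["event"], sort_keys=True)
            expect = hmac.new(AUDIT_KEY, (prev + body).encode(),
                              hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, rec["mac"]):
                self.tampered = True
                return False
            if rec["event"]["op"] == "set":
                replay[rec["event"]["subject"]] = set(rec["event"]["privs"])
            prev = rec["mac"]
        # a table entry with no matching log record is tampering as well
        self.tampered = replay != self.privs
        return not self.tampered

    def privileges_for(self, subject):
        if self.tampered:
            raise AuthorizationError("database quarantined until replaced")
        return set(self.privs.get(subject, set()))
```

The point of replaying the log in verify() is that the audit trail is the authoritative record: a privilege silently added to the table without a corresponding logged, authorized change is caught even when the chain itself is intact, which is the detection principle 5 asks for.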



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
  
  
PERSONNEL SECURITY
  
  
Personnel security allows legitimate users to have the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:
  
  - Altering data,
  - Deleting production and backup data,
  - Crashing systems,
  - Destroying systems,
  - Misusing systems for personal gain or to damage the institution,
  - Holding data hostage, and
  - Stealing strategic or customer data for corporate espionage or fraud schemes.
  
  BACKGROUND CHECKS AND SCREENING
  
  Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:
  
  - Character references;
  - Confirmation of prior experience, academic record, and professional qualifications; and
  - Confirmation of identity from government-issued identification.
  
  After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10

 

 10.2.5 Termination
 
 Termination of a user's system access generally can be characterized as either "friendly" or "unfriendly." Friendly termination may occur when an employee is voluntarily transferred, resigns to accept a better position, or retires. Unfriendly termination may include situations when the user is being fired for cause, "RIFed," or involuntarily transferred. Fortunately, the former situation is more common, but security issues have to be addressed in both situations.
 
 10.2.5.1 Friendly Termination
 
 Friendly termination refers to the removal of an employee from the organization when there is no reason to believe that the termination is other than mutually acceptable. Since terminations can be expected regularly, this is usually accomplished by implementing a standard set of procedures for outgoing or transferring employees. These are part of the standard employee "out-processing," and are put in place, for example, to ensure that system accounts are removed in a timely manner. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation. This normally includes the group(s) managing access controls, the control of keys, the briefing on the responsibilities for confidentiality and privacy, the library, the property clerk, and several other functions not necessarily related to information security.
 
 In addition, other issues should be examined as well. The continued availability of data, for example, must often be assured. In both the manual and the electronic worlds, this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving. If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured. Authentication tokens must be collected.
 
 Confidentiality of data can also be an issue. For example, do employees know what information they are allowed to share with their immediate organizational colleagues? Does this differ from the information they may share with the public? These and other organizational-specific issues should be addressed throughout an organization to ensure continued access to data and to provide continued confidentiality and integrity during personnel transitions. (Many of these issues should be addressed on an ongoing basis, not just during personnel transitions.) The training and awareness program normally should address such issues.
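The out-processing procedure above relies on the sign-out form being completed for every leaver; the check an auditor or security team wants is the one that finds the cases where it was not. The following is an added example, not from the NIST Handbook, that reconciles a constructed HR separation feed against a constructed directory export and reports accounts still enabled past a grace period, logins after the separation date, and authentication tokens that were never collected. The user names, dates and the one-day grace period are assumptions for the demonstration.

```python
"""Added example (not NIST Handbook code): reconcile HR separations with the
directory so that accounts missed by out-processing are surfaced.
All records below are constructed for the demonstration."""
from datetime import date, timedelta

# constructed HR out-processing feed: who left, when, and whether the
# sign-out form recorded the return of their authentication token
SEPARATIONS = [
    {"user": "jdoe", "left": date(2017, 4, 21), "token_returned": True},
    {"user": "asmith", "left": date(2017, 4, 24), "token_returned": False},
    {"user": "bwong", "left": date(2017, 4, 27), "token_returned": True},
]

# constructed directory export: account state on the day of the check
ACCOUNTS = {
    "jdoe": {"enabled": False, "last_login": date(2017, 4, 20)},
    "asmith": {"enabled": True, "last_login": date(2017, 4, 26)},  # still live after leaving
    "bwong": {"enabled": True, "last_login": date(2017, 4, 27)},   # inside the grace period
    "cjones": {"enabled": True, "last_login": date(2017, 4, 28)},  # current staff, not in feed
}

CHECK_DATE = date(2017, 4, 28)    # constructed: the day the report is run
GRACE = timedelta(days=1)         # assumption: disable within one business day


def find_exceptions(separations, accounts, today):
    """Return (user, reason) pairs for leavers whose out-processing is incomplete."""
    findings = []
    for rec in separations:
        acct = accounts.get(rec["user"])
        if acct is None:
            continue  # account already deleted: nothing left to do
        if acct["enabled"] and today - rec["left"] > GRACE:
            findings.append((rec["user"], "account still enabled after separation"))
        if acct["last_login"] > rec["left"]:
            findings.append((rec["user"], "login after separation date"))
        if not rec["token_returned"]:
            findings.append((rec["user"], "authentication token not collected"))
    return findings


if __name__ == "__main__":
    for user, reason in find_exceptions(SEPARATIONS, ACCOUNTS, CHECK_DATE):
        print(f"{user}: {reason}")
```

The login-after-separation test is the one worth keeping even if the others are automated away: a disabled account cannot log in, so a post-separation login is direct evidence that the account was disabled late, and it is the finding an examiner will ask about first.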


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.