R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of June 18, 2017

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.
 




FYI - Frequently Asked Questions to Supplement - OCC Bulletin 2013-29 - The Office of the Comptroller of the Currency (OCC) is issuing frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013.  https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin-2017-21.html

The Behavioral Economics of Why Executives Underinvest in Cybersecurity - Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. https://hbr.org/2017/06/the-behavioral-economics-of-why-executives-underinvest-in-cybersecurity

Cybercriminals switch from automated attacks methods to targeting humans - It would seem people are their own worst enemy when it comes to protecting their data and cybercriminals have fully taken advantage of this fact. https://www.scmagazine.com/cybercriminals-switch-from-automated-attacks-methods-to-targeting-humans/article/667076/

Quantum-powered random numbers could provide key to better cryptography - True randomness is impossible to achieve with conventional hardware, and some applications are terrible at it, but are our current random number generators 'good enough' and is it worth using quantum technology to achieve better randomness? https://www.scmagazine.com/quantum-powered-random-numbers-could-provide-key-to-better-cryptography/article/667362/

Memory-based attacks on printers on the rise, says HP - Increase in use of printers as an attack vector for hackers: recommended that purchasing decisions include security considerations, not just price. https://www.scmagazine.com/infosec-2017-memory-based-attacks-on-printers-on-the-rise-says-hp/article/667365/

Crying wolf: Combatting cybersecurity alert fatigue - Not only must security pros contend with ever-increasing attacks to their networks, they also must finagle the tool sets guarding their systems to make certain settings are as they should be, reports Greg Masters. https://www.scmagazine.com/crying-wolf-combatting-cybersecurity-alert-fatigue/article/667677/

Government System Integrators Where Cybersecurity Ninjas Most Want To Work - Using a metric identified in the 2016 Center for Strategic and International Studies (CSIS) report Recruiting and Retaining Cyber Ninjas, we identified 57 large government IT system integrators that have built teams of cyber ninjas at rates ahead of their peers and eight of those firms that have had remarkable success in recruiting and retaining ninjas. https://www.sans.org/best-places-to-work-for-cyber-ninjas?ref=195285


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - China-based Apple contractors caught selling customer data - Authorities in China have unmasked a massive underground market where Apple contractors were selling user data of Apple's Chinese customers. https://www.scmagazine.com/china-based-apple-contractors-caught-selling-customer-data/article/667675/

Al Jazeera sites being hacked, FBI assisting in investigation - An FBI team is onsite in Qatar following "systematic and continual hacking attempts" on the websites and other digital platforms of the Al Jazeera Media Network. https://www.scmagazine.com/al-jazeera-sites-being-hacked-fbi-assisting-in-investigation/article/667500/



WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (4 of 12)
 
 
Reaction Procedures
 

 Assessing security incidents and identifying unauthorized access to or misuse of customer information involves establishing a documented risk assessment process for determining the nature and scope of the security event. The goal is to determine, as quickly as possible, the scope and magnitude of the incident and whether customer information has been compromised.
 
 Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. Because there are many potential threats to customer information, organizations should anticipate the ones most likely to occur and develop response and containment procedures commensurate with the likelihood of, and the potential damage from, each threat. An institution's information security risk assessment is a useful source for identifying these threats. The containment procedures should focus on responding to and minimizing the damage from the threats identified. Not every incident can be anticipated, but institutions should at a minimum develop containment procedures for reasonably foreseeable incidents.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
  
  
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
  
  Frequently technology service providers (TSPs) or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, together with an auditor's report. The auditor's report provides an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.
  
  A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.
  
  Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless the TSP requested that coverage or the engagement was augmented with additional testing. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks. Therefore, financial institutions may require additional reports to oversee the security program of the service provider. Note also that the AICPA retired SAS 70 in 2011; the equivalent reports today are SOC 1 (under SSAE 16, now SSAE 18) for controls relevant to financial reporting and SOC 2 for security, availability, processing integrity, confidentiality and privacy. The same Type I versus Type II distinction and the same scope caveats apply to those reports.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.2 Step 2: Identifying the Resources That Support Critical Functions
 
 
Resources That Support Critical Functions:
 -  Human Resources
 -  Processing Capability
 -  Computer-Based Services
 -  Data and Applications
 -  Physical Infrastructure
 -  Documents and Papers

 
 
11.2.1 Human Resources
 
 People are perhaps an organization's most obvious resource. Some functions require the effort of specific individuals, some require specialized expertise, and some only require individuals who can be trained to perform a specific task. Within the information technology field, human resources include both operators (such as technicians or system programmers) and users (such as data entry clerks or information analysts).
 
 Contingency Planning Teams - To understand what resources are needed from each of the six resource categories and to understand how the resources support critical functions, it is often necessary to establish a contingency planning team. A typical team contains representatives from various organizational elements, and is often headed by a contingency planning coordinator. It has representatives from the following three groups:
 
 1)  business-oriented groups, such as representatives from functional areas;
 
 2)  facilities management; and
 
 3)  technology management.
 
 Various other groups are called on as needed, including financial management, personnel, training, safety, computer security, physical security, and public affairs.
 
 11.2.2 Processing Capability
 
 Traditionally contingency planning has focused on processing power (i.e., if the data center is down, how can applications dependent on it continue to be processed?). Although the need for data center backup remains vital, today's other processing alternatives are also important. Local area networks (LANs), minicomputers, workstations, and personal computers in all forms of centralized and distributed processing may be performing critical tasks.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.