R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of December 16, 2018

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. 

FYI - Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees' Personal Data - The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on an internet-accessible computer. https://www.natlawreview.com/article/pennsylvania-supreme-court-recognizes-common-law-duty-to-safeguard-employees

DarkVishnya steals millions using attached devices to hack bank computers - A cyber bank robbery outfit proved to the detriment of several Eastern European banks the necessity of physically securing computer assets that could give an attacker direct access to their network. https://www.scmagazine.com/home/security-news/darkvishnya-steals-millions-using-attached-devices-to-hack-bank-computers/

DanaBot banking trojan adds sly spam feature, distributes GootKit malware - The DanaBot banking trojan is branching out into new territories, adding email address harvesting and spam distribution to its bag of tricks, while apparently partnering with the actors behind GootKit, another banking malware program. https://www.scmagazine.com/home/security-news/danabot-banking-trojan-adds-sly-spam-feature-distributes-gootkit-malware/

12 states file lawsuit against medical record data companies - A multi-state lawsuit has been filed in an Indiana federal court against three affiliated medical data IT firms, alleging poor cybersecurity practices that led to breaches with 3.9 million compromised records. https://www.scmagazine.com/home/security-news/12-states-file-lawsuit-against-medical-record-data-companies/

Clues in Marriott hack implicate China - sources - Hackers behind a massive breach at hotel group Marriott International Inc (MAR.O) left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter. https://www.reuters.com/article/us-marriott-intnl-cyber-china-exclusive/exclusive-clues-in-marriott-hack-implicate-china-sources-idUSKBN1O504D

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time - Ring in the new year with some of those backdoors, developers - Congratulations, Australia: somehow after chaotic scenes in parliament, the government last night managed to secure after-the-bell passage of its encryption-busting eavesdropping legislation. https://www.theregister.co.uk/2018/12/07/australias_crypto_legislation/

SANS - NIST Report on First Responder Wireless Tech Security - The National Institute of Standards and Technology (NIST) has released a draft report titled “Security Analysis of First Responder Mobile and Wearable Devices,” which aims “to identify security objectives for these devices, enabling jurisdictions to more easily select and purchase secure devices and industry to design and build more secure public safety devices.” https://gcn.com/articles/2018/12/04/nist-responder-tech-cybersecurity.aspx

Bipartisan bill would create grant program promoting cybersecurity education - A pair of lawmakers on Wednesday introduced bipartisan legislation to create a grant program at the Department of Education to add cybersecurity into career and technical education curriculums. https://thehill.com/policy/cybersecurity/419903-bipartisan-bill-would-create-grant-program-promoting-cybersecurity

The US Leans on Private Firms to Expose Foreign Hackers - When the Democratic National Committee realized they had been hacked in April 2016, they turned to experts from a private company. https://www.wired.com/story/private-firms-do-government-dirty-work/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Humble Bundle breach could be first step in wider attack - Sometimes a basic data breach is just the first step in a larger campaign. That appears to be the case with the gaming subscription site Humble Bundle, which began informing its customers of a data breach that may have exposed a person’s subscription status, Malwarebytes reported. https://www.scmagazine.com/home/security-news/humble-bundle-breach-could-be-first-step-in-wider-attack/

Bloom is off the rose: Canadian 1-800-FLOWERS operation discloses four-year breach - The Canadian retail operations of 1-800-FLOWERS has disclosed a four-year data breach affecting customers who purchased goods on its website, warning that payment card data was exposed. https://www.scmagazine.com/home/security-news/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/

Yet another mega-leak: 100 million Quora accounts compromised by system invaders - Passwords should be safe, but reset just in case - Someone's taken a wander through the systems of question-and-answer website Quora, pilfering account details of 100 million users. https://www.theregister.co.uk/2018/12/04/100_million_quora_passwords/

Redwood Eye Care hit with ransomware, 16,000 records encrypted - The Redwood Eye Center has notified 16,000 California residents their personal information may have been compromised when a company subcontractor suffered a ransomware attack. https://www.scmagazine.com/home/security-news/redwood-eye-care-hit-with-ransomware-16000-records-encrypted/

City of North Bend hit with ransomware - The city of North Bend, Ore., was hit with a ransomware attack which temporarily locked out city workers from their computers and databases. https://www.scmagazine.com/home/security-news/ransomware/the-city-of-north-bend-ore-was-hit-with-a-ransomware-attack-which-temporarily-locked-out-city-workers-from-their-computers-and-databases/


NRCC breach exposes gaps 2 years after Russia hacks - Democrats are seizing on recent revelations that the House GOP’s campaign arm was hacked earlier this year to spotlight that both parties are vulnerable to cyberattacks. https://thehill.com/policy/technology/420368-nrcc-breach-exposes-vulnerabilities-2-years-after-russia-hacks

Criminals Use Locally Connected Devices to Attack, Loot Banks - Tens of millions of dollars stolen from at least eight banks in Eastern Europe, Kaspersky Lab says. Attackers, likely working for the same threat group, have looted tens of millions of dollars from at least eight banks in Eastern Europe after gaining initial access to their networks via devices connected directly to a local network. http://www.darkreading.com/attacks-breaches/criminals-use-locally-connected-devices-to-attack-loot-banks/d/d-id/1333439

North Texas hospital breach exposes payment info on 47,000 - A breach discovered September 29 at Baylor Scott & White Medical Center – Frisco may have compromised the payment information of about 47,000 patients or guarantors. https://www.scmagazine.com/home/security-news/north-texas-hospital-breach-exposes-payment-info-on-47000/

Topeka billing system data breach, 10,000 potentially affected - Topeka’s third-party payment vendor was breached for just over one month possibly exposing the personal information of about 10,000 residents. https://www.scmagazine.com/home/security-news/topeka-billing-system-data-breach-10000-potentially-affected/


WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

VULNERABILITY ASSESSMENT TOOLS

Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.

Generally, vulnerability assessment tools are not run in real time; they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secured and provided only to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them. Some tools can automatically fix vulnerabilities after detection.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION -
Token Systems (1 of 2)

Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password-generating system is identical to, and synchronized with, the one in the authenticating system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.

Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password-generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed, and password.

Other token methods involve multi-factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two-factor, using both something the user has and something the user knows. Two-factor authentication is generally stronger than single-factor authentication. This method can allow the institution to authenticate the user as well as the token.
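As an added illustration (not from the FFIEC booklet and not any vendor's product), the two token schemes above in Python: the token and the server share a seed and run identical password-generating logic, the time-synchronized variant derives the counter from the clock, and the challenge/response variant derives it from the server's challenge. It assumes an HMAC-SHA1 truncation in the style of RFC 4226 as that logic, a 30-second step, and the RFC 4226 test-vector key as the sample seed.

```python
import hmac
import hashlib
import struct

# Shared seed provisioned into both the token and the authentication server.
# Sample value only (the RFC 4226 test key); real seeds are random per token.
SEED = b"12345678901234567890"
STEP_SECONDS = 30   # the "every X seconds" of a time-synchronized token
DIGITS = 6


def _dynamic_password(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Identical logic on token and server: HMAC-SHA1 over the counter,
    dynamically truncated to a short decimal code (RFC 4226 style)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_token_password(seed: bytes, now: int) -> str:
    """What a time-synchronized token displays at Unix time `now`."""
    return _dynamic_password(seed, now // STEP_SECONDS)


def verify_time_password(seed: bytes, entered: str, now: int,
                         drift_steps: int = 1) -> bool:
    """Server side: the password is only valid for the current step, but a
    small window of neighbouring steps tolerates token clock drift."""
    base = now // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        counter = base + delta
        if counter < 0:          # no step before the epoch; skip it
            continue
        if hmac.compare_digest(_dynamic_password(seed, counter), entered):
            return True
    return False


def challenge_response_password(seed: bytes, challenge: int) -> str:
    """Token side: the server's challenge is the starting point."""
    return _dynamic_password(seed, challenge)


def verify_challenge_response(seed: bytes, challenge: int, entered: str) -> bool:
    """Server side: recompute from the same challenge and compare in
    constant time; a password for a different challenge does not match."""
    return hmac.compare_digest(_dynamic_password(seed, challenge), entered)
```

A practitioner's caveat the passage implies but does not state: the drift window in `verify_time_password` is also the replay window, so keep it small and reject a code once it has been accepted.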



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 18 - AUDIT TRAILS

18.2 Audit Trails and Logs

Audit Logs for Physical Access

Physical access control systems (e.g., a card/key entry system or an alarm system) use software and audit trails similar to general-purpose computers. The following are examples of criteria that may be used in selecting which events to log:

The date and time the access was attempted or made should be logged, as should the gate or door through which the access was attempted or made, and the individual (or user ID) making the attempt to access the gate or door.

Invalid attempts should be monitored and logged by noncomputer audit trails just as they are for computer-system audit trails. Management should be made aware if someone attempts to gain access during unauthorized hours.

Logged information should also include attempts to add, modify, or delete physical access privileges (e.g., granting a new employee access to the building or granting transferred employees access to their new office [and, of course, deleting their old access, as applicable]).

As with system and application audit trails, auditing of noncomputer functions can be implemented to send messages to security personnel indicating valid or invalid attempts to gain access to controlled spaces. In order not to desensitize a guard or monitor, not every access should result in a message being sent to a screen. Only exceptions, such as failed access attempts, should be highlighted to those monitoring access.
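As an added example (not from the NIST Handbook), the selection criteria above applied to a constructed badge-reader log in Python: every event is retained, but only the exceptions the text names (failed attempts, access outside authorized hours, and changes to access privileges) are raised to the monitoring screen. The log format, the building hours and the event names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log from a card-entry system, one event per line:
#   timestamp | door | user_id | event | result [detail]
SAMPLE_LOG = """\
2018-12-10T08:55:12 | D01-LOBBY  | u1042 | ACCESS | OK
2018-12-10T09:01:47 | D07-SERVER | u1042 | ACCESS | DENIED
2018-12-10T09:02:03 | D07-SERVER | u1042 | ACCESS | DENIED
2018-12-10T12:30:00 | ADMIN      | admin | GRANT  | OK u2210 D07-SERVER
2018-12-10T22:41:09 | D07-SERVER | u2210 | ACCESS | OK
2018-12-11T08:30:15 | D01-LOBBY  | u2210 | ACCESS | OK
"""

AUTHORIZED_HOURS = (time(7, 0), time(19, 0))   # assumed building hours
PRIVILEGE_EVENTS = {"GRANT", "MODIFY", "REVOKE"}  # add / modify / delete access


@dataclass
class Event:
    ts: datetime
    door: str
    user: str
    event: str
    result: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the pipe-separated log; every line is kept as an audit record."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue   # malformed line; a real collector should flag it
        ts, door, user, event, rest = fields
        result, _, detail = rest.partition(" ")
        events.append(Event(datetime.fromisoformat(ts), door, user,
                            event, result, detail.strip()))
    return events


def exceptions_only(events: list) -> list:
    """Return only what should be highlighted to the person monitoring access,
    so routine valid entries do not desensitize them."""
    start, end = AUTHORIZED_HOURS
    alerts = []
    for e in events:
        if e.event in PRIVILEGE_EVENTS:
            alerts.append(("PRIVILEGE_CHANGE", e.ts.isoformat(), e.user, e.detail))
        elif e.result != "OK":
            alerts.append(("FAILED_ACCESS", e.ts.isoformat(), e.user, e.door))
        elif not (start <= e.ts.time() < end):
            alerts.append(("AFTER_HOURS", e.ts.isoformat(), e.user, e.door))
    return alerts
```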


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. For more information, please call R. Kinney Williams at Office 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.