R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of November 19, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.


FYI - To Improve Cybersecurity, Start with Improving Human Behavior - According to a new study by Osterman Research, the most common source of ransomware infections in US-based organizations is related to email use: 37 percent were from a malicious email attachment and 27 percent were from a malicious link in an email. https://www.scmagazine.com/to-improve-cybersecurity-start-with-improving-human-behavior/article/701640/

Knowledge of cyber should be requirement to join board of directors - A CISO carries many weighty responsibilities, but teaching cybersecurity to a company's board of directors in order to secure their buy-in should not be one of them. https://www.scmagazine.com/former-ciso-knowledge-of-cyber-should-be-requirement-to-join-board-of-directors/article/706459/

Michigan to implement 211 cybercrime hotline - A Michigan non-profit is working with federal, state, and local law enforcement to add services to the already established 211 system to serve victims of cybercrimes. https://www.scmagazine.com/michigan-nonprofit-looks-to-implement-cybercrime-hotline/article/706638/ 

Google study finds phishing attacks more efficient than data breaches - A Google study found that phishing attacks are more efficient than data breaches at getting criminals into victims' accounts, and that the average person still can't pick a good password. https://www.scmagazine.com/google-study-finds-250000-web-credentials-stolen-every-week/article/706810/

Defense Department's vulnerability disclosure program racks up 2,837 security flaws - The Defense Department's vulnerability disclosure program (VDP) has yielded 2,837 security flaws in the nearly one year since its inception. https://www.scmagazine.com/defense-departments-vulnerability-disclosure-program-racks-up-2837-security-flaws/article/707036/

DHS demonstrates airliner's vulnerability to being hacked - A Boeing 757 airliner was successfully hacked by a team of public and private security professionals, according to a Department of Homeland Security (DHS) official. https://www.scmagazine.com/dhs-demonstrates-airliners-vulnerability-to-being-hacked/article/706872/

A rocket scientist hacks the cybersecurity labor crisis - The president of Girl Scouts of the USA may have cracked the code on where to find future cyber fighters. https://www.csoonline.com/article/3237025/it-careers/a-rocket-scientist-hacks-the-cybersecurity-labor-crisis.html


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Tennessee city hit with ransomware, $250K demanded - The City of Spring Hill, Tenn. was hit late last week with a ransomware attack after a government employee opened a malicious email. https://www.scmagazine.com/tennessee-city-hit-with-ransomware-250k-demanded/article/706452/

Maine IT Office leaks foster child data - The Maine Office of Information Technology is notifying approximately 2,100 foster parents that their personal data was briefly exposed on a third party site. https://www.scmagazine.com/maine-it-office-leaks-foster-child-data/article/707194/

Forever 21 reports data breach, failed to turn on POS encryption - The clothing retailer Forever 21 reported yesterday that unauthorized access to its payment card system occurred while the encryption installed on some of those systems was not operational. https://www.scmagazine.com/forever-21-reports-data-breach-failed-to-turn-on-pos-encryption/article/707520/


WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Technical and Industry Expertise

• Assess the service provider’s experience and ability to provide the necessary services and supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or partners that would be used to support the outsourced operations.
• Evaluate the experience of the service provider in providing services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and work are necessary.
• Evaluate the service provider’s ability to respond to service disruptions.
• Contact references and user groups to learn about the service provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned to support the institution.
• Perform on-site visits, where necessary, to better understand how the service provider operates and supports its services.


FFIEC IT SECURITY -
Over the next few weeks, we will cover the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
 
 Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
 
 Wireless Technology and the Risks of Implementation
 
 
Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.
 
 Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.
 
 Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:
 
 1)  Compromise of customer information and transactions over the wireless network;
 
 2)  Disruption of wireless service from radio transmissions of other wireless devices;
 
 3)  Intrusion into the institution's network through wireless network connections; and
 
 4)  Obsolescence of current systems due to rapidly changing standards.
 
 These risks could ultimately compromise the bank's computer system, potentially causing:
 
 1)  Financial loss due to the execution of unauthorized transactions;
 
 2)  Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);
 
 3)  Negative media attention, resulting in harm to the institution's reputation; and
 
 4)  Loss of customer confidence.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
 
 13.6.1 Identify Program Scope, Goals, and Objectives
 
 The first step in developing a CSAT program is to determine the program's scope, goals, and objectives. The scope of the CSAT program should provide training to all types of people who interact with computer systems. The scope of the program can be an entire organization or a subunit. Since users need training that relates directly to their use of particular systems, a large organization-wide program may need to be supplemented by more specific programs. In addition, the organization should specifically address whether the program applies to employees only or also to other users of organizational systems.
 
 Generally, the overall goal of a CSAT program is to sustain an appropriate level of protection for computer resources by increasing employee awareness of their computer security responsibilities and the ways to fulfill them. More specific goals may need to be established. Objectives should be defined to meet the organization's specific goals.
 
 The Computer Security Act of 1987 requires federal agencies to "provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency." The scope and goals of federal computer security awareness and training programs must implement this broad mandate. (Other federal requirements for computer security training are contained in OMB Circular A-130, Appendix III, and OPM regulations.)
 
 13.6.2 Identify Training Staff
 
 There are many possible candidates for conducting the training including internal training departments, computer security staff, or contract services. Regardless of who is chosen, it is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. There is no charge if you are not satisfied with our service. For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.