R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of July 30, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Cybersecurity Pen-test Audits

FYI - Meet the scholar challenging the cyber deterrence paradigm - In recent years, U.S. thinking on a national cyber strategy has included, at least in part, a focus on the concept of cyber deterrence. The deterrence theme has been prevalent in civilian government and military leaders' speeches, as well as congressional hearings and scholarly literature. http://www.fifthdomain.com/home/2017/07/19/meet-the-scholar-challenging-the-cyber-deterrence-paradigm/

State Department reorganization to shutter cyber office, lower priority - A reorganization at the State Department will lead to the shutdown of the Office of the Coordinator for Cyber Issues, the group that helped broker the U.S. cyber pact with China to eliminate corporate cyberattacks, and fold it into the Bureau of Economic and Business Affairs. https://www.scmagazine.com/state-department-reorganization-to-shutter-cyber-office-lower-priority/article/676176/

Cisco predicts a major increase in cyberattacks designed to destroy systems - Cisco researchers are predicting more and larger cyberattacks that have the goal of destroying their targets systems, instead of financial gain or stealing information. https://www.scmagazine.com/cisco-predicts-a-major-increase-in-cyberattacks-designed-to-destroy-systems/article/676306/

Millions of IoT devices are vulnerable to widespread bug - Researchers find a flaw that could let hackers take over millions of security cameras and other connected devices. https://www.cnet.com/news/iot-devices-hack-bug-vulnerability-devil-ivy-exploit/

So, FCC, how about that massive DDoS? Hello? Hello...? You still there? Like trying to get blood out of a stone - Updated America's broadband watchdog, the FCC, has declined to share any more details on the cyber-assault that apparently downed its website shortly after it announced its intent to kill net neutrality. http://www.theregister.co.uk/2017/07/20/fcc_cant_prove_ddos_attack/

UK government wants to give 6,000 teenagers cyber security training - Government launches 20m Cyber Schools Programme aimed at students aged between 14 and 18 - The Department for Digital, Culture, Media and Sport (DCMS) is to launch a cyber security training programme for schoolchildren later this year. http://www.computerweekly.com/news/450423197/UK-government-wants-to-give-6000-teenagers-cyber-security-training

Easily guessed password led to downfall of Russian cybercriminal's empire, DOJ officials say - The fate of convicted Russian hacker Roman Seleznev was all but sealed after federal authorities were able to easily gain access to his confiscated laptop containing incriminating information, according to U.S. Department of Justice officials who spoke at Black Hat on Wednesday. https://www.scmagazine.com/easily-guessed-password-led-to-downfall-of-russian-cybercriminals-empire-doj-officials-say/article/677868/


FYI - $32 million worth of Ethereum stolen from Parity client - Just days after an attacker made off with $7 million worth of Ethereum, a separate heist managed to make away with nearly $32 million worth of cryptocurrency from at least three accounts by exploiting a critical vulnerability in the Ethereum client Parity. https://www.scmagazine.com/hacker-steals-32m-worth-of-ethereum-from-parity-client/article/676196/

International operation takes down AlphaBay, Hansa dark web markets - Working with the support of Europol, the FBI, the U.S. Drug Enforcement Agency (DEA) and the Dutch National Police brought down two of the top three darkweb markets, AlphaBay and Hansa darkweb, Thursday. https://www.scmagazine.com/international-operation-takes-down-alphabay-hansa-dark-web-markets/article/676475/

Millions of SSN across 10 states leaked in Kansas Commerce Dept. breach - The personal information of millions of job seekers across ten states was compromised when an attacker managed to exploit a vulnerability in the application code of the America's Job Link Alliance division of the Kansas Department of Commerce. https://www.scmagazine.com/millions-of-ssn-across-10-states-leaked-in-kansas-commerce-dept-breach/article/676627/

Prospective students tricked into handing over confidential information - Criminals have set up a realistic looking website called Newcastle International University, complete with information about courses. The URL doesn't point to a UK educational domain (.ac.uk), but students unfamiliar with such details may be tricked into applying for non-existent courses. https://www.scmagazine.com/prospective-students-tricked-into-handing-over-confidential-information/article/676786/

Chipotle data breach leads to illegal ATM withdrawal - In another case of a cybercrime pushing its way into the physical world, the Gainsville, Fla. police department are searching for a man spotted allegedly stealing $17,000 from an ATM by using login credentials taken during the Chipotle data breach earlier this year. https://www.scmagazine.com/chipotle-data-breach-leads-to-illegal-atm-withdrawal/article/676626/

Hacking Nemo: Adversary compromises smart fish tank at casino - A new report has revealed that an unknown actor recently succeeded in hacking into a tank... Relax, not the military kind. Rather, it was a "smart" fish tank operated by a North American casino. https://www.scmagazine.com/hacking-nemo-adversary-compromises-smart-fish-tank-at-casino/article/676619/

Sweden transport agency slips up, leaks top secret data - Believing it was moving sensitive data to the cloud under a 2015 outsourcing agreement with IBM, Sweden's Transport Agency inadvertently sent information on every vehicle nationwide to marketers that subscribed to it and then allegedly covered up the leak, with only a slap on the wrist to the agency's director. https://www.scmagazine.com/sweden-transport-agency-slips-up-leaks-top-secret-data/article/677078/

UniCredit Bank's third party leads to hack on 400,000 clients - An attack on Italian bank, UniCredit, has led to the accounts of 400,000 loan customers being accessed. https://www.scmagazine.com/unicredit-banks-third-party-leads-to-hack-on-400000-clients/article/677565/

Return to the top of the newsletter

We continue the series  from the FDIC "Security Risks Associated with the Internet." 

 Digital Signatures 

 Digital signatures authenticate the identity of a sender, through the private, cryptographic key.  In addition, every digital signature is different because it is derived from the content of the message itself. T he combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated. 

 Digital signatures can be applied to any data transmission, including e-mail.  To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique, character representation of the data).  This process is known as the "hash."  The message digest is then encrypted with a private key, and sent along with the message.  The recipient receives both the message and the encrypted message digest.  The recipient decrypts the message digest, and then runs the message through the hash function again.  If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified.  Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message.  The digital signature cannot be reused, because it is unique to the message.  In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation, and the management of the cryptographic keys.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  
A honeypot is a network device that the institution uses to attract attackers to a harmless and monitored area of the network. Honeypots have three key advantages over network and host IDS systems. Since the honeypot's only function is to be attacked, any network traffic to or from the honeypot potentially signals an intrusion. Monitoring that traffic is simpler than monitoring all traffic passing a network IDS. Honeypots also collect very little data, and all of that data is highly relevant. Network IDS systems gather vast amounts of traffic which must be analyzed, sometimes manually, to generate a complete picture of an attack. Finally, unlike IDS, a honeypot does not pass packets without inspection when under a heavy traffic load.
 Honeypots have two key disadvantages. They are ineffective unless they are attacked. Consequently, organizations that use honeypots for detection usually make the honeypot look attractive to an attacker. Attractiveness may be in the name of the device, its apparent capabilities, or in its connectivity. Since honeypots are ineffective unless they are attacked, they are typically used to supplement other intrusion detection capabilities.
 Honeypots also introduce the risk of being compromised without triggering an alarm, then becoming staging grounds for attacks on other devices. The level of risk is dependent on the degree of monitoring, capabilities of the honeypot, and its connectivity. For instance, a honeypot that is not rigorously monitored, that has excellent connectivity to the rest of the institution's network, and that has varied and easy - to - compromise services presents a high risk to the confidentiality, integrity, and availability of the institution's systems and data. On the other hand, a honeypot that is rigorously monitored and whose sole capability is to log connections and issue bogus responses to the attacker, while signaling outside the system to the administrator, demonstrates much lower risk.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
11.5.3 Training
 All personnel should be trained in their contingency-related duties. New personnel should be trained as they join the organization, refresher training may be needed, and personnel will need to practice their skills.
 Training is particularly important for effective employee response during emergencies. There is no time to check a manual to determine correct procedures if there is a fire. Depending on the nature of the emergency, there may or may not be time to protect equipment and other assets. Practice is necessary in order to react correctly, especially when human safety is involved.
 11.6    Step 6: Testing and Revising
 A contingency plan should be tested periodically because there will undoubtedly be flaws in the plan and in its implementation. The plan will become dated as time passes and as the resources used to support critical functions change. Responsibility for keeping the contingency plan current should be specifically assigned. The extent and frequency of testing will vary between organizations and among systems. There are several types of testing, including reviews, analyses, and simulations of disasters.
 Contingency plan maintenance can be incorporated into procedures for change management so that upgrades to hardware and software are reflected in the plan.
 A review can be a simple test to check the accuracy of contingency plan documentation. For instance, a reviewer could check if individuals listed are still in the organization and still have the responsibilities that caused them to be included in the plan. This test can check home and work telephone numbers, organizational codes, and building and room numbers. The review can determine if files can be restored from backup tapes or if employees know emergency procedures.
 An analysis may be performed on the entire plan or portions of it, such as emergency response procedures. It is beneficial if the analysis is performed by someone who did not help develop the contingency plan but has a good working knowledge of the critical function and supporting resources. The analyst(s) may mentally follow the strategies in the contingency plan, looking for flaws in the logic or process used by the plan's developers. The analyst may also interview functional managers, resource managers, and their staff to uncover missing or unworkable pieces of the plan.
 Organizations may also arrange disaster simulations. These tests provide valuable information about flaws in the contingency plan and provide practice for a real emergency. While they can be expensive, these tests can also provide critical information that can be used to ensure the continuity of important functions. In general, the more critical the functions and the resources addressed in the contingency plan, the more cost-beneficial it is to perform a disaster simulation.
 The results of a "test" often implies a grade assigned for a specific level of performance, or simply pass or fail. However, in the case of contingency planning, a test should be used to improve the plan. If organizations do not use this approach, flaws in the plan may remain hidden and uncorrected.

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.

Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.