R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of April 22, 2018

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Cybersecurity Pen-test Audits

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - FTC Punishes Children's App Company for Not Playing by the Rules - In early January the Federal Trade Commission announced that it reached a settlement in a lawsuit against VTech Electronics, an Internet-connected toy maker, for violating the Children's Online Privacy Protection Act (COPPA) and the FTC Act. https://www.scmagazine.com/ftc-punishes-childrens-app-company-for-not-playing-by-the-rules/article/757556/

All it took was $35 and a laptop to hack SF emergency alert system - Not long ago, skilled hackers could have blasted the sounds of Dodger Stadium or even a fake attack warning over San Francisco's emergency alert sirens, according to a security firm which exposed a vulnerability in the network. https://www.sfgate.com/news/article/Security-firm-All-it-took-was-35-and-a-laptop-12822536.php

NIST details software security assessment process - To help organizations manage the risk from attackers who take advantage of unmanaged software on a network, the National Institute of Standards and Technology has released a draft operational approach for automating the assessment of SP 800-53 security controls that manage software. https://gcn.com/articles/2018/04/10/nist-software-asset-management.aspx?admgarea=TC_SecCybersSec

Survey says: Many breaches accomplished in less than an hour - Penetration testers and hackers are having little problem breaching the perimeter and quickly locating critical data with 12 percent saying they can get into a system in less than an hour and despite learning their company is vulnerable some firms still opt to do nothing to improve security. https://www.scmagazine.com/survey-says-many-breaches-accomplished-in-less-than-an-hour/article/758536/

“Privacy is not for sale,” Telegram founder says after being banned in Russia - Russian authorities are demanding a universal key. Telegram says it doesn’t exist. https://arstechnica.com/information-technology/2018/04/privacy-is-not-for-sale-telegram-founder-says-after-being-banned-in-russia/

Bracing for Tomorrow's Threats with Behavioral Analytics - As the cybersecurity threat landscape becomes increasingly complex, attacks are growing in both volume and sophistication. https://www.scmagazine.com/bracing-for-tomorrows-threats-with-behavioral-analytics/article/757046/


FYI - Uber, FTC agree to expanded settlement after second breach - Uber Technologies Inc. has agreed to broaden its proposed settlement with the Federal Trade Commission (FTC) over its deceptive privacy and data security practices after the commission discovered that the car-sharing company had failed to disclose a major 2016 breach. https://www.scmagazine.com/uber-ftc-agree-to-expanded-settlement-after-second-breach/article/758248/

Medical supplier Inogen hit with breach, 30,000 possibly affected - A California-based medical device manufacturer reported that 30,000 former and current customers may have had their personal information exposed when a company employee's email account was compromised. https://www.scmagazine.com/medical-supplier-inogen-hit-with-breach-30000-possibly-affected/article/758676/

Texas Health Resources' patient information exposed in October 2017 email compromise - Texas Health Resources, a nonprofit health care delivery system in North Central Texas, has disclosed that an unauthorized party may have gained access to patient information back in October 2017 by compromising some of the organization's email accounts. https://www.scmagazine.com/texas-health-resources-patient-information-exposed-in-october-2017-email-compromise/article/758653/

Return to the top of the newsletter

This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 1 of  6)
Supervisory Policy on Identity Theft
  Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly.  This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
  Logical Access Controls (Part 2 of 2)


  Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer such as an internal clock or an identical time based mathematical algorithm. Tokens are well suited for one‑time password generation and access control. A separate PIN is typically required to activate the token.

  Smart Cards

  Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.
  Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

 For most systems, identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.
 I&A is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability. Access control often requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties. User accountability requires the linking of activities on a computer system to specific individuals and, therefore, requires the system to identify users.
 Identification is the means by which a user provides a claimed identity to the system. Authentication108 is the means of establishing the validity of this claim.
 This chapter discusses the basic means of identification and authentication, the current technology used to provide I&A, and some important implementation issues.
 Computer systems recognize people based on the authentication data the systems receive. Authentication presents several challenges: collecting authentication data, transmitting the data securely, and knowing whether the person who was originally authenticated is still the person using the computer system. For example, a user may walk away from a terminal while still logged on, and another person may start using it.
 There are three means of authenticating a user's identity, which can be used alone or in combination:
 1) something the individual knows (a secret -- e.g., a password, Personal Identification Number (PIN), or cryptographic key);
 2) something the individual possesses (a token -- e.g., an ATM card or a smart card); and
 3) something the individual is (a biometric -- e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).
 A typical user identification could be JSMITH (for Jane Smith). This information can be known by system administrators and other system users. A typical user authentication could be Jane Smith's password, which is kept secret. This way system administrators can set up Jane's access and see her activity on the audit trail, and system users can send her e-mail, but no one can pretend to be Jane.

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.

Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.