R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of March 26, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 




FYI - New Cifas data reveals 173,000 cases recorded in 2016, record high - Nine out of 10 fraudulent applications for bank accounts and other financial products made online. Cifas, the UK's fraud prevention service, has released new figures showing that identity fraud has hit the highest levels ever recorded. https://www.scmagazine.com/new-cifas-data-reveals-173000-cases-recorded-in-2016-record-high/article/644716/

Becky Bace's passing hits cybersecurity community hard - The security industry today is mourning the death of security expert, mentor and Infidel President/CEO Rebecca “Becky” Bace, who passed away Tuesday. https://www.scmagazine.com/becky-baces-passing-hits-cybersecurity-community-hard/article/644432/

Spam hitting Germans with personalized messages - A spam campaign that targets recipients with personalized messages is spreading in Germany, similar to a previous scourge there earlier this year and another that spread in the U.K. in April 2016. https://www.scmagazine.com/spam-hitting-germans-with-personalized-messages/article/645158/

Cybersecurity made simple - No one said it was going to be easy, but the task of locking down enterprise networks seems to be getting more and more complex as attackers devise ever more sophisticated ways of penetrating defenses. https://www.scmagazine.com/cybersecurity-made-simple/article/645639/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Association of British Travel Agents web server breach impacts 43,000 individuals - The Association of British Travel Agents (ABTA) has suffered a data breach affecting approximately 43,000 individuals after an unauthorized intruder exploited a vulnerability in a third-party web server, the trade organization has acknowledged in a statement. https://www.scmagazine.com/association-of-british-travel-agents-web-server-breach-impacts-43000-individuals/article/644702/

Celebgate repeat? Private images of Emma Watson and others leaked - In an all-too-familiar scenario, hackers have once again broken into the iCloud accounts of female celebrities, this time exposing intimate images of Beauty and the Beast star Emma Watson, Mischa Barton, Amanda Seyfried, and others. https://www.scmagazine.com/hacker-leaks-private-icloud-photos-from-emma-watson-and-others-celebs/article/644555/

Saks Fifth Avenue leaves customer data exposed - Saks Fifth Avenue reportedly exposed the personal information of tens of thousands of customers in plain text on publicly accessible pages. https://www.scmagazine.com/saks-fifth-avenue-plain-text-customer-data-found-online/article/645169/

Government contractor Defense Point Security hit with W-2 scam - The cybersecurity firm Defense Point Security that holds several government contracts told its employees it was hit with a W-2 phishing scam resulting in the exposure of all the personally identifiable information. https://www.scmagazine.com/government-contractor-defense-point-security-hit-with-w-2-scam/article/645310/

Hacker defaces celebrity websites in the name of Kurdish Homeland - A hacker has vandalised the websites of a number of mid-level American celebrities for the cause of a Kurdish homeland. https://www.scmagazine.com/hacker-defaces-celebrity-websites-in-the-name-of-kurdish-homeland/article/645156/

W-2 phishing scam scourge continues hitting Powhatan County (Va.) schools - Almost 1,000 Powhatan County (Va.) school district employees had their personal information compromised when a district employee fell for a W-2 phishing scam. https://www.scmagazine.com/w-2-phishing-scam-scourge-continues-hitting-powhatan-county-va-schools/article/645468/

Website hacks up by a third in 2016, Google - Looking at the State of Website Security in 2016, researchers at Google have detected a sharp rise in the number of hacked sites. https://www.scmagazine.com/website-hacks-up-by-a-third-in-2016-google/article/645761/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  

Board and Management Oversight
- Principle 14: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.
  
  Effective incident response mechanisms are critical to minimize operational, legal and reputational risks arising from unexpected events such as internal and external attacks that may affect the provision of e-banking systems and services. Banks should develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, including those originating from outsourced systems and operations.
  
  To ensure effective response to unforeseen incidents, banks should develop: 
  
  1)  Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans.
  
  2)  Mechanisms to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service.
  
  3)  A communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-banking systems.
  
  4)  A clear process for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur.
  
  5)  Incident response teams with the authority to act in an emergency and sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.
  
  6)  A clear chain of command, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident. In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.
  
  7)  A process to ensure all relevant external parties, including bank customers, counterparties and the media, are informed in a timely and appropriate manner of material e-banking disruptions and business resumption developments.
  
  8)  A process for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-banking incidents as well as to assist in the prosecution of attackers.


FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
 
 
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
 
 Development and Support
 
 Development and support activities should ensure that new software and software changes do not compromise security. Financial institutions should have an effective application and system change control process for developing, implementing, and testing changes to internally developed software and purchased software. Weak change control procedures can corrupt applications and introduce new security vulnerabilities. Change control considerations relating to security include the following:
 
 - Restricting changes to authorized users,
 - Reviewing the impact changes will have on security controls,
 - Identifying all system components that are impacted by the changes,
 - Ensuring the application or system owner has authorized changes in advance,
 - Maintaining strict version control of all software updates, and
 - Maintaining an audit trail of all changes.
 
 Changes to operating systems may degrade the efficiency and effectiveness of applications that rely on the operating system for interfaces to the network, other applications, or data. Generally, management should implement an operating system change control process similar to the change control process used for application changes. In addition, management should review application systems following operating system changes to protect against a potential compromise of security or operational integrity.
 
 When creating and maintaining software, separate software libraries should be used to assist in enforcing access controls and segregation of duties. Typically, separate libraries exist for development, test, and production.
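As an added illustration (not FFIEC text or any institution's code), the following Python model shows how the change control considerations listed above and the separate development, test and production libraries can be enforced mechanically: only a named role may promote software, the author of a change may never promote it (segregation of duties), the owner must have authorized the exact version in advance, versions may only move forward, and every action lands in an append-only audit trail. The role table, the names, and the fixed dev -> test -> production path are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed example (not FFIEC text): roles and the allowed promotion path are assumptions.
ROLES = {"alice": "developer", "bob": "release-manager", "carol": "app-owner"}
NEXT = {"development": "test", "test": "production"}   # promotion order is fixed

@dataclass(frozen=True)
class Artifact:
    name: str
    version: tuple      # e.g. (1, 2, 0); strict version control means it only goes up
    content: bytes
    author: str
    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

class Libraries:
    def __init__(self):
        self.libs = {"development": {}, "test": {}, "production": {}}
        self.approvals = set()   # (name, version) authorized in advance by the owner
        self.audit = []          # append-only trail of every change and who made it
    def _log(self, action, lib, art, actor):
        self.audit.append((action, lib, art.name, art.version, actor, art.digest()))

    def check_in(self, art: Artifact):
        self.libs["development"][art.name] = art
        self._log("check-in", "development", art, art.author)

    def approve(self, owner: str, art: Artifact):
        if ROLES.get(owner) != "app-owner":
            raise PermissionError(f"{owner} is not the application owner")
        self.approvals.add((art.name, art.version))
        self._log("approve", None, art, owner)

    def promote(self, actor: str, name: str, src: str) -> str:
        dst = NEXT[src]                          # dev -> test -> production only
        art = self.libs[src][name]
        if ROLES.get(actor) != "release-manager":
            raise PermissionError(f"{actor} is not authorized to change {dst}")
        if actor == art.author:                  # segregation of duties
            raise PermissionError("authors may not promote their own changes")
        if (name, art.version) not in self.approvals:
            raise PermissionError("change was not authorized in advance by the owner")
        prev = self.libs[dst].get(name)
        if prev is not None and prev.version >= art.version:
            raise ValueError(f"{name} {art.version} does not supersede {prev.version}")
        self.libs[dst][name] = art
        self._log("promote", dst, art, actor)
        return art.digest()
```

The returned digest is what an auditor would compare against the running production copy to confirm that what was tested is what was deployed.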



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10

 

 10.1.3 Filling the Position -- Screening and Selecting
 
 Once a position's sensitivity has been determined, the position is ready to be staffed. In the federal government, this typically includes publishing a formal vacancy announcement and identifying which applicants meet the position requirements. More sensitive positions typically require preemployment background screening; screening after employment has commenced (post-entry-on-duty) may suffice for less sensitive positions.
 
 Background screening helps determine whether a particular individual is suitable for a given position. For example, in positions with high-level fiduciary responsibility, the screening process will attempt to ascertain the person's trustworthiness and appropriateness for a particular position. In the federal government, the screening process is formalized through a series of background checks conducted through a central investigative office within the organization or through another organization (e.g., the Office of Personnel Management).
 
 Within the Federal Government, the most basic screening technique involves a check for a criminal history, checking FBI fingerprint records, and other federal indices. More extensive background checks examine other factors, such as a person's work and educational history, personal interview, history of possession or use of illegal substances, and interviews with current and former colleagues, neighbors, and friends. The exact type of screening that takes place depends upon the sensitivity of the position and applicable agency implementing regulations. Screening is not conducted by the prospective employee's manager; rather, agency security and personnel officers should be consulted for agency-specific guidance.
  
 Outside of the Federal Government, employee screening is accomplished in many ways. Policies vary considerably among organizations due to the sensitivity of examining an individual's background and qualifications. Organizational policies and procedures normally try to balance fears of invasiveness and slander against the need to develop confidence in the integrity of employees. One technique may be to place the individual in a less sensitive position initially.
 
 For both the Federal Government and private sector, finding something compromising in a person's background does not necessarily mean they are unsuitable for a particular job. A determination should be made based on the type of job, the type of finding or incident, and other relevant factors. In the federal government, this process is referred to as adjudication.
 
 In general, it is more effective to use separation of duties and least privilege to limit the sensitivity of the position, rather than relying on screening to reduce the risk to the organization.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.