R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of June 25, 2017

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.
 




FYI - NYC mayor reveals plan to add 10,000 cybersecurity jobs over the next decade - New York City Mayor Bill de Blasio on Thursday unveiled a ten-year plan to introduce 100,000 jobs with annual salaries of $50,000 or greater by strategically investing in multiple industries, with a strong emphasis on cybersecurity. https://www.scmagazine.com/nyc-mayor-reveals-plan-to-add-10000-cybersecurity-jobs-over-the-next-decade/article/668902/

FIN7 targeting restaurants with fileless malware - FIN7 is back at it again, this time using its infamous fileless malware to target U.S. restaurants with clever phishing emails designed to look like food orders. https://www.scmagazine.com/fileless-malware-seeks-to-place-backdoors-in-restaurant-systems/article/668604/

Report predicts banks to get 4.7bn fines in first 3 years under GDPR - Report urges banks to focus on breach-response readiness to mitigate GDPR risk, as the predicted number and levels of fines are exceedingly high. https://www.scmagazine.com/report-predicts-banks-to-get-47bn-fines-in-first-3-years-under-gdpr/article/669051/

Banks will be forced to reveal cyber security breaches to European Central Bank - Big British banks, such as RBS, Barclays and HSBC, will all have to report major breaches to the ECB. https://www.v3.co.uk/v3-uk/news/3012227/banks-will-be-forced-to-reveal-cyber-security-breaches-to-european-central-bank

How to Know Which NIST Framework to Use - One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion. http://www.nextgov.com/technology-news/tech-insider/2017/06/how-know-which-nist-framework-use/138750/

Why Girl Scouts Make Great Cybersecurity Hackers - Your favorite cookie sellers are in training to become white hat hackers. http://fortune.com/2017/06/16/girl-scouts-cybersecurity/

Bank websites struggle, consumer services sites shine in online trust assessment - An audit of more than 1,000 top websites found that 52 percent have highly trustworthy cybersecurity and privacy practices, the highest percentage ever for this annual evaluation, yet 46 percent failed the assessment altogether, with bank sites surprisingly faring worst of all. https://www.scmagazine.com/bank-websites-struggle-consumer-services-sites-shine-in-online-trust-assessment/article/669740/

Combatting the Security Risks of the IoT - The market for connected devices has exploded in recent years, leading to billions of Internet of Things (IoT) devices being deployed around the globe. https://www.scmagazine.com/combatting-the-security-risks-of-the-iot/article/666773/

One quarter of Australian companies hit by phishing attack this week: Mailguard - The phishing attacks against Australian energy customers grew yesterday, with Mailguard reporting an enormous number of phishing attempts centered on fake Origin Energy bills. https://www.scmagazine.com/one-quarter-of-australian-companies-hit-by-phishing-attack-this-week-mailguard/article/670063/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Georgia special election disruption concerns rise after 6.7M records leaked - Several security vulnerabilities in systems used to manage Georgia's election technology, which exposed the records of 6.7 million voters months before the nation's most expensive House race, slated for June 20, have raised fears that the election could be disrupted. https://www.scmagazine.com/researchers-fear-georgia-special-election-still-vulnerable/article/668925/

Data breach at Oklahoma U impacts 30K students - Lax privacy settings in a campus file-sharing network led to an unintentional exposure of the educational records of thousands of students at Oklahoma University. https://www.scmagazine.com/data-breach-at-oklahoma-u-impacts-30k-students/article/668731/

University College London fights off ransomware infection - One of London's most prestigious universities is fighting off a ransomware infection, according to its information security team. https://www.scmagazine.com/update-university-college-london-fights-off-ransomware-infection/article/668720/

Accounts of 6M CashCrate users exposed - User data on six million subscribers to the cash-for-surveys site CashCrate has been compromised. https://www.scmagazine.com/accounts-of-6m-cashcrate-users-exposed/article/668889/

Brute Force Breach? WSU 85-pound safe theft compromises 1M records - A recent theft at Washington State University is redefining the term "brute force breach" after someone made off with an 85-pound safe containing a hard drive holding the data of a million people. https://www.scmagazine.com/washington-state-university-breach-compromises-1-million-records/article/669068/

Erebus ransomware attack demanded $1.62 million from South Korean firm - South Korean firm NAYANA was hit with a Linux ransomware attack that demanded an unprecedented 550 Bitcoins (BTC) or $1.62 million ransom. https://www.scmagazine.com/erebus-ransomware-attack-demanded-162-million-from-south-korean-firm/article/669604/

No recourse, perhaps, for 200M affected in breach of RNC database, attorney - The 200 million registered voters whose personal details were compromised in a massive data breach face an uphill battle should they choose to petition for a class-action suit or seek recompense for the exposure. https://www.scmagazine.com/no-recourse-perhaps-for-200m-affected-in-breach-of-rnc-database-attorney/article/669610/

POS data breach hits Buckle Inc. stores - Buckle Inc. was hit with point-of-sale (POS) malware on the payment data systems at an undisclosed number of locations. https://www.scmagazine.com/buckle-clothier-stores-hit-with-pos-malware/article/669416/

2,000 Texas HHSC clients health data compromised - The Texas Health and Human Services Commission (HHSC) reported a data breach possibly affecting almost 2,000 people in the Houston area. https://www.scmagazine.com/2000-texas-hhsc-clients-health-data-compromised/article/669400/

Hacktivist hits Minnesota gov databases to protest Philando Castile verdict - A hacktivist on Sunday breached Minnesota government databases and stole 1,400 email credentials, along with other information, to protest the Philando Castile verdict. https://www.scmagazine.com/hacktivist-breaches-minnesota-gov-databases-to-protest-police-brutality/article/669962/

New York Supreme Court Justice fell for $1M phishing attack - New York State Supreme Court Justice Lori Sattler was duped out of more than $1 million while trying to sell her Upper East Side apartment and purchase another. https://www.scmagazine.com/new-york-state-supreme-court-justice-lori-sattler-phished-for-1m/article/670070/

Japanese Honda factory hit with WannaCry ransomware, halts production - A Honda plant in Sayama, Japan was forced to halt domestic production for a day after its network was hit with WannaCry ransomware. https://www.scmagazine.com/wannacry-attacks-halts-honda-production/article/670273/



WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (5 of 12)
 
 
Notification Procedures
 
 An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution's IRP.
 
 Institutions should develop procedures for notifying law enforcement agencies and filing SARs in accordance with their primary Federal regulator's requirements.  Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish procedures for filing SARs in a timely manner because regulations impose relatively quick filing deadlines. The SAR form itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.
 
 Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.


FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.  
  
  
INTRUSION DETECTION AND RESPONSE
  
  A maxim of security is "prevention is ideal, but detection is a must."  Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.
  
  INTRUSION DETECTION
  
  Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.
  
  Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.
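The two paragraphs above describe what preparation for detection looks like in practice: decide which data flow to watch, define the analysis, and preserve the integrity of what is collected so it remains usable later. The following is an added example, not part of the FFIEC booklet or this newsletter, showing the three pieces in working code: a parser for a constructed SSH authentication log (the line format, host name "core-fw01" and RFC 5737 test addresses are all assumptions for the example), a detection rule that flags a successful login preceded by a burst of failures from the same source, and a SHA-256 digest of the exact bytes analysed so a reviewer can later show the log was not altered after collection. Lines the parser does not understand are counted rather than silently dropped, because an unmonitored data flow is exactly the blind spot the booklet warns about.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical host, RFC 5737 test addresses).
# The line format is an assumption for this example, not any product's real format.
SAMPLE_LOG = """\
2017-06-20T02:14:01 core-fw01 sshd: Failed password for admin from 203.0.113.7
2017-06-20T02:14:03 core-fw01 sshd: Failed password for admin from 203.0.113.7
2017-06-20T02:14:05 core-fw01 sshd: Failed password for root from 203.0.113.7
2017-06-20T02:14:08 core-fw01 sshd: Failed password for admin from 203.0.113.7
2017-06-20T02:14:10 core-fw01 sshd: Failed password for admin from 203.0.113.7
2017-06-20T02:14:12 core-fw01 sshd: Accepted password for admin from 203.0.113.7
2017-06-20T02:30:00 core-fw01 sshd: Accepted password for jsmith from 198.51.100.4
2017-06-20T03:00:00 core-fw01 sshd: Failed password for jsmith from 198.51.100.4
2017-06-20T03:00:05 core-fw01 kernel: link up on eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts. Returns (events, unparsed_count);
    the count matters because lines the monitor cannot read are a blind spot."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def detect_bruteforce_success(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when a source IP logs in successfully after at least `threshold`
    failed attempts from the same IP within `window` before the success.
    Events are assumed to be in time order, as a log file normally is."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "host": ev["host"], "ip": ev["ip"], "user": ev["user"],
                "failures": len(recent), "ts": ev["ts"].isoformat(),
            })
    return alerts


def evidence_digest(raw_log):
    """SHA-256 over the exact bytes analysed. Record it with the alert and the
    collection time so later review can show the data was not modified."""
    return hashlib.sha256(raw_log.encode("utf-8")).hexdigest()


def run(raw_log=SAMPLE_LOG):
    events, unparsed = parse(raw_log.splitlines())
    return detect_bruteforce_success(events), evidence_digest(raw_log), unparsed


if __name__ == "__main__":
    alerts, digest, unparsed = run()
    for a in alerts:
        print("ALERT", a)
    print("unparsed lines:", unparsed)
    print("evidence sha256:", digest)
```

On the constructed log this produces one alert (five failures from 203.0.113.7 followed by an accepted login as admin), reports one unparsed line (the kernel message), and prints the digest. The threshold and window are tuning knobs; the point the booklet makes is that they, the sensor placement and the custody record all have to be decided before the incident, not after.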



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.2 Step 2: Identifying the Resources That Support Critical Functions
 
 
11.2.3 Automated Applications and Data
 
 Computer systems run applications that process data. Without current electronic versions of both applications and data, computerized processing may not be possible. If the processing is being performed on alternate hardware, the applications must be compatible with the alternate hardware, operating systems and other software (including version and configuration), and numerous other technical factors. Because of the complexity, it is normally necessary to periodically verify compatibility.
 
 11.2.4 Computer-Based Services
 
 An organization uses many different kinds of computer-based services to perform its functions. The two most important are normally communications services and information services. Communications can be further categorized as data and voice communications; however, in many organizations these are managed by the same service. Information services include any source of information outside of the organization. Many of these sources are becoming automated, including on-line government and private databases, news services, and bulletin boards.
 
 11.2.5 Physical Infrastructure
 
 For people to work effectively, they need a safe working environment and appropriate equipment and utilities. This can include office space, heating, cooling, venting, power, water, sewage, other utilities, desks, telephones, fax machines, personal computers, terminals, courier services, file cabinets, and many other items. In addition, computers also need space and utilities, such as electricity. Electronic and paper media used to store applications and data also have physical requirements.
 
 11.2.6 Documents and Papers
 
 Many functions rely on vital records and various documents, papers, or forms. These records could be important because of a legal need (such as being able to produce a signed copy of a loan) or because they are the only record of the information. Records can be maintained on paper, microfiche, microfilm, magnetic media, or optical disk.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.