R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of October 15, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 




FYI - Kaspersky Labs denies report its software was used to hack NSA - A published report claims that Russian hackers used a Kaspersky Labs antivirus product to steal hacking tools from the National Security Agency (NSA); Kaspersky denies it. https://www.scmagazine.com/kaspersky-labs-denies-report-its-software-was-used-to-hack-nsa/article/698447/

Equifax snags $7.25M no-bid IRS ID verification, fraud prevention contract - The Internal Revenue Service handed breach-beleaguered Equifax a $7.25 million no-bid contract for identity verification and fraud prevention. https://www.scmagazine.com/equifax-snags-725m-no-bid-irs-id-verification-fraud-prevention-contract/article/697825/

Cyberattack to cause power disruption within five years, utility execs fear - Three-quarters of North American utility executives believe there is at least a moderate chance that the electrical grid in their nation will be interrupted by a cyberattack sometime in the next five years. https://www.scmagazine.com/cyberattack-to-cause-power-disruption-within-five-years-utility-execs-fear/article/698063/

Brazilian banking trojan uses legit VMware binary to bypass security - Cybercriminals are using legitimate VMware binary to spread banking trojans in a new phishing campaign targeting the Brazilian financial sector. https://www.scmagazine.com/brazilian-trojan-uses-an-authentic-vmware-binary-to-deceive-security-tools/article/698097/

Sole Equifax security worker at fault for failed patch, says former CEO - Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity - Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team. http://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/

White House wants to end Social Security numbers as a national ID - The US government is examining the use of a "modern cryptographic identifier." Rob Joyce, the White House cybersecurity czar, said on Tuesday that the government should stop using the Social Security number as a national identification method. https://arstechnica.com/tech-policy/2017/10/white-house-wants-to-end-social-security-numbers-as-a-national-id/

Secret Service nixes personal mobile devices in West Wing after Kelly hack - After it came to light that the smartphone of White House Chief of Staff Gen. John Kelly was potentially hacked by foreign operatives, the Secret Service reportedly has put the kibosh on personal devices in the West Wing. https://www.scmagazine.com/secret-service-nixes-personal-mobile-devices-in-west-wing-after-kelly-hack/article/698727/

Yahoo breach underscores importance of heeding risk factors, renews interest in legislation - The 2013 Yahoo breach affected three billion accounts, triple the number previously reported. Information security professionals said in the aftermath of the revelation by Verizon Communications, which acquired Yahoo earlier this year, that this demonstrates the far-reaching and ongoing impact of an undetected hack, underscores the cost of unexamined risk, points to the dangers of neglecting vulnerabilities, and will likely renew calls for federal data breach notification legislation. https://www.scmagazine.com/yahoo-breach-underscores-importance-of-heeding-risk-factors-renews-interest-in-legislation/article/698527/


Using Public Data to Alert Missouri Entities of Vulnerabilities - The State of Missouri Office of Cyber Security’s (OCS) “Using Public Data to Alert Organizations of Vulnerabilities” program identifies vulnerable internet connected systems belonging to organizations from various industries across the State of Missouri. https://cybersecurity.mo.gov/blog/2017/06/using-public-data-to-alert-missouri-entities-of-vulnerabilities/

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold - Versions in use by millions lag behind latest OS, leaving systems vulnerable to attack - Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack. http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - A new report suggests that the FDIC could have been breached numerous times between 2015 and 2016, leading to the leak of PII data. - Over the course of two years, the Federal Deposit Insurance Corporation (FDIC) could have experienced as many as 54 data breaches, according to a recent report from the Office of the Inspector General. The breaches occurred between 2015 and 2016, and could have compromised personally identifiable information (PII) data, the report said. http://www.techrepublic.com/article/fdic-hit-by-50-breaches-in-a-two-year-period/?ftag=TRE684d531&bhid=22680896641396056876729228067471

Russians hacked smartphones of 4,000 NATO troops - NATO troops' smartphones are under attack by Russian hackers bent on obtaining information on and exploiting soldiers as well as getting a handle on NATO military capabilities. https://www.scmagazine.com/russians-hacked-smartphones-of-4000-nato-troops/article/698095/

6,000 Atlanta Public School employees possibly compromised - Federal investigators have warned the Atlanta Public School system that all 6,000 of its employees may have had their personal information compromised due to a phishing scam. https://www.scmagazine.com/6000-atlanta-public-school-employees-possibly-compromised/article/697832/

128,000 Arkansas Oral & Facial Surgery Center patients compromised - In late July the Arkansas Oral & Facial Surgery Center was hit with a ransomware attack that not only locked up patient records, but may have also exposed their personal information. https://www.scmagazine.com/128000-arkansas-oral-facial-surgery-center-patients-compromised/article/698227/

City of Englewood, Colo. hit with ransomware - The city of Englewood, Colo. was hit with a ransomware attack which brought down the city's internal network. https://www.scmagazine.com/the-city-of-englewood-colo-was-hit-with-a-ransomware-attack/article/698236/

NFL player personal data found on open Elasticsearch server - NFL players may not mind having their views on social issues known, but they are probably not happy that a publicly accessible database has been found containing private information on about 1,100 players and their agents. https://www.scmagazine.com/nfl-player-personal-data-found-on-open-elasticsearch-server/article/698541/

Disqus confirmed a 2012 database breach on Friday impacting some data for 17.5 million users and including information dating back to 2007. https://www.cyberscoop.com/disqus-breach-2012-troy-hunt/

Market Research Firm Forrester Says Hackers Stole Sensitive Reports - Forrester, one of the world's leading market research and investment advisory firms, admitted late Friday afternoon to a security breach that took place during the past week. https://www.bleepingcomputer.com/news/security/market-research-firm-forrester-says-hackers-stole-sensitive-reports

Return to the top of the newsletter

WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services (Part 1 of 4)
  
  Purpose and Background
  
  This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. Financial institutions should consider the guidance outlined in this statement and the attached appendix in managing arrangements with their technology service providers. While this guidance covers a broad range of issues that financial institutions should address, each financial institution should apply those elements based on the scope and importance of the outsourced services as well as the risk to the institution from the services.
  
  Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address. This guidance covers four elements of a risk management process: risk assessment, selection of service providers, contract review, and monitoring of service providers.


Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 

 SECURITY TESTING - KEY FACTORS
 

 Management is responsible for considering the following key factors in developing and implementing independent diagnostic tests:
 
 Personnel. Technical testing is frequently only as good as the personnel performing and supervising the test. Management is responsible for reviewing the qualifications of the testing personnel to satisfy themselves that the capabilities of the testing personnel are adequate to support the test objectives.
 
 Scope. The tests and methods utilized should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling security risks.
 
 Notifications. Management is responsible for considering whom to inform within the institution about the timing and nature of the tests. The need for protection of institution systems and the potential for disruptive false alarms must be balanced against the need to test personnel reactions to unexpected activities.
 
 Controls Over Testing. Certain testing can adversely affect data integrity, confidentiality, and availability. Management is expected to limit those risks by appropriately crafting test protocols. Examples of issues to address include the specific systems to be tested, threats to be simulated, testing times, the extent of security compromise allowed, situations in which testing will be suspended, and the logging of test activity. Management is responsible for exercising oversight commensurate with the risk posed by the testing.
 
 Frequency. The frequency of testing should be determined by the institution's risk assessment. High-risk systems should be subject to an independent diagnostic test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly. Factors that may increase the frequency of testing include the extent of changes to network configuration, significant changes in potential attacker profiles and techniques, and the results of other testing.
 (FYI - This is exactly the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)
 
 Proxy Testing. Independent diagnostic testing of a proxy system is generally not effective in validating the effectiveness of a security process. Proxy testing, by its nature, does not test the operational system's policies and procedures, or its integration with other systems. It also does not test the reaction of personnel to unusual events. Proxy testing may be the best choice, however, when management is unable to test the operational system without creating excessive risk.
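The "Frequency" factor above calls for firewall and other perimeter access-control policies to be audited and verified at least quarterly, and the "Controls Over Testing" factor asks that test activity be scoped and logged. What that verification looks like in practice is not spelled out in the booklet, so the following is an added example (not text or code from the FFIEC booklet or from Yennik, Inc.). It compares a live ruleset against the approved baseline and reports drift. The rule syntax is a simplified iptables-save style and both rulesets are constructed sample data; the port allowlist, the field layout and the rule-matching assumptions are this example's own.

```python
"""Quarterly firewall policy verification: diff a live ruleset against the approved baseline.

Added example. Rule format is a simplified iptables-save style (an assumption);
both rulesets below are CONSTRUCTED sample data, not real institution policy.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Approved baseline: SSH from the internal range, HTTPS from anywhere,
# database port only from one partner range, then default deny.
APPROVED_BASELINE = """
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
"""

# Live ruleset pulled during the quarterly review (constructed): someone opened
# RDP to the world (no -s means any source), pointed the database rule at a
# different host, and appended a rule after the terminal DROP.
CURRENT_RULESET = """
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 10.20.0.0/16 -p tcp --dport 8080 -j ACCEPT
"""

RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)"
    r"(?:\s+-s\s+(?P<src>\S+))?"
    r"(?:\s+-p\s+(?P<proto>\S+))?"
    r"(?:\s+--dport\s+(?P<dport>\d+))?"
    r"\s+-j\s+(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class Rule:
    chain: str
    src: str            # normalized CIDR; "0.0.0.0/0" when no -s was given
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]
    target: str


def parse_rules(text: str) -> list[Rule]:
    """Parse rules in order; an unparseable line is an error, never silently skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        # Normalize so "-s 0.0.0.0/0", a missing -s, and host/32 compare equal.
        net = ipaddress.ip_network(m.group("src") or "0.0.0.0/0", strict=False)
        rules.append(Rule(
            chain=m.group("chain"),
            src=str(net),
            proto=m.group("proto") or "any",
            dport=int(m.group("dport")) if m.group("dport") else None,
            target=m.group("target").upper(),
        ))
    return rules


def is_catch_all_deny(r: Rule) -> bool:
    return (r.target in {"DROP", "REJECT"} and r.proto == "any"
            and r.dport is None and ipaddress.ip_network(r.src).prefixlen == 0)


def verify(current_text: str, baseline_text: str, internet_ok_ports: set[int]) -> dict:
    """Return drift findings; 'ok' is True only when every check is clean."""
    current = parse_rules(current_text)
    baseline = parse_rules(baseline_text)
    cur_set, base_set = set(current), set(baseline)
    order = lambda r: (r.chain, r.dport or 0, r.src)

    # ACCEPT from any source on a port not approved for internet exposure.
    exposed = [r for r in current if r.target == "ACCEPT"
               and ipaddress.ip_network(r.src).prefixlen == 0
               and r.dport not in internet_ok_ports]

    # Rules appended after a chain's catch-all deny never match (order matters).
    unreachable, denied_chains = [], set()
    for r in current:
        if r.chain in denied_chains:
            unreachable.append(r)
        elif is_catch_all_deny(r):
            denied_chains.add(r.chain)

    report = {
        "unapproved": sorted(cur_set - base_set, key=order),   # present, not in baseline
        "missing": sorted(base_set - cur_set, key=order),      # in baseline, now absent
        "internet_exposed": exposed,
        "unreachable": unreachable,
    }
    report["ok"] = not any(report.values())
    return report


if __name__ == "__main__":
    for finding, rules in verify(CURRENT_RULESET, APPROVED_BASELINE, {443}).items():
        print(finding, rules)
```

Run against the constructed data, the report flags RDP (3389) as both unapproved and internet-exposed, the changed database source as one unapproved rule plus one missing baseline rule, and the 8080 rule as unreachable because it sits below the terminal DROP. Keeping the approved baseline under change control and running this diff on the quarterly cadence the booklet requires turns "audited and verified" into a repeatable, logged check rather than a manual read-through.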


Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
 
 People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The purpose of computer security awareness, training, and education is to enhance security by:
 
 1) improving awareness of the need to protect system resources;
  
 2) developing skills and knowledge so computer users can perform their jobs more securely; and
 
 3) building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
 
 Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act, which requires training for those involved with the management, use, and operation of federal computer systems.
 This chapter first discusses the two overriding benefits of awareness, training, and education, namely: (1) improving employee behavior and (2) increasing the ability to hold employees accountable for their actions. Next, awareness, training, and education are discussed separately, with techniques used for each. Finally, the chapter presents one approach for developing a computer security awareness and training program.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. There is no charge if you are not satisfied with our service. For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.