R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of December 9, 2018

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 




FFIEC information technology audits - As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.

FYI
- DHS algorithm to assess federal agencies’ cyber posture - Federal agencies are reportedly feeding data into a special algorithm introduced by the Department of Homeland Security (DHS) in order to assess their cyber posture scores. https://www.scmagazine.com/home/security-news/dhs-algorithm-to-assess-federal-agencies-cyber-posture/

US Senate computers will use disk encryption - New security measure is meant to protect sensitive Senate data on stolen Senate laptops and computers. The US Senate will enable disk encryption on all Senate computers as a basic security measure that will make it harder for spies or criminals to extract sensitive data from stolen Senate staff PCs or hard drives. https://www.zdnet.com/article/us-senate-computers-will-use-disk-encryption/

Dell’s belated data breach notification angers cybersecurity industry execs - Dell customers who wondered why they had to reset their passwords earlier this month learned today that action was taken due to a data breach, a fact it took the company several weeks to disclose. https://www.scmagazine.com/home/security-news/dells-belated-data-breach-notification-angers-cybersecurity-industry-exec/

Inspector General’s report documents security flaws at Arizona Medicare MCOs - A recent risk assessment of information systems at two Arizona-based Medicaid managed care organizations turned up 19 vulnerabilities, according to a new report from the Department of Health and Human Services Office of the Inspector General. https://www.scmagazine.com/home/security-news/inspector-generals-report-documents-security-flaws-at-arizona-medicare-mcos/

Half of all Phishing Sites Now Have the Padlock - Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”. https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/

Sky Brasil exposes data of 32M customers on ElasticSearch - As ElasticSearch based leaks become the latest source of massive data exposures, Sky Brasil, one of the biggest subscription television services in Brazil, is the latest to leave its customers exposed after not securing the server with a password. https://www.scmagazine.com/home/security-news/sky-brasil-one-of-the-biggest-subscription-television-services-in-brazil-is-the-latest-elasticsearch-server-user-to-leave-its-customers-exposed-after-not-securing-the-server-with-a-password/

NYS Education Dept. falls short in protecting student data, comptroller says - The New York State Education Department hasn’t incorporated all of the recommendations to protect student data, leaving it vulnerable to attack, the Office of the State Comptroller wrote in a November letter to the Education Commissioner. https://www.scmagazine.com/home/security-news/nys-education-dept-falls-short-in-protecting-student-data-comptroller-says/

Tackling the security complexity in 5G IoT devices - IoT is one of three major use cases driving the development of 5G and it brings untold complexity and inherent risk that threatens to undermine the opportunity even before it gets started. https://www.scmagazine.com/home/opinions/tackling-the-security-complexity-in-5g-iot-devices/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Marriott Starwood reservation system data breach exposes 500 million customer records - Malicious actors spent more than four years inside Marriott’s Starwood reservation system obtaining access to 500 million guest records that included names, payment card information and other PII, the hotel chain reported today. https://www.scmagazine.com/home/security-news/marriott-starwood-reservation-system-data-breach-exposes-500-million-customer-records/

Database breach affects 2.6 million Atrium Health patients - Atrium Health has reported a massive data breach exposing the PII of more than 2.6 million clients after someone gained access to a database belonging to a third-party vendor. https://www.scmagazine.com/home/security-news/database-breach-affects-2-6-million-atrium-health-patients/

Microsoft's multi-factor authentication service flakes out – again - For the second time in nine days, the Multi-Factor Authentication system used by Microsoft for Office 365 logins failed. Just one day after Microsoft came clean with an explanation of a Nov. 19 outage that blocked users of Office 365 from logging into their accounts using Multi-Factor Authentication (MFA), today the service again went on the fritz. https://www.computerworld.com/article/3323382/office-software/microsofts-multi-factor-authentication-service-flakes-out-again.html

Ames, Iowa, parking ticket payment system breached - For 4,600 Ames, Iowa, residents, forgetting to put a quarter into a parking meter may end up costing more than the price of their parking fine. https://www.scmagazine.com/home/security-news/ames-iowa-parking-ticket-payment-system-breached/

Bloom is off the rose: Canadian 1-800-FLOWERS operation discloses four-year breach - The Canadian retail operations of 1-800-FLOWERS has disclosed a four-year data breach affecting customers who purchased goods on its website, warning that payment card data was exposed. https://www.scmagazine.com/home/security-news/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/

Florida marijuana dispensary website leaked customer data - A Florida medical marijuana dispensary took down its website after being notified that customer information was viewable through the site’s search function. https://www.scmagazine.com/home/security-news/marijuana-dispensary-data-breach/

Quora breach compromises 100 million users - A breach at the question and answer website Quora has compromised the data of 100 million users. https://www.scmagazine.com/home/security-news/quora-breach-compromises-100-million-users/



WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Hackers may use "social engineering," a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system, such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war-dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:

Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Then, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out.

Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.

Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced.

Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Shared Secret Systems (Part 2 of 2)
  
Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.

- A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file, and compares the password hashes against hashes of commonly used passwords.

Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromises.
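How much a one-way hash actually slows the dictionary attack described above, as an added example that is not part of the FFIEC booklet. The Python below builds two versions of a constructed password file for the same four accounts, one storing unsalted SHA-256 digests and one storing per-user salted PBKDF2-HMAC-SHA256 digests (the 100,000 iteration count, the account names and the six-word dictionary are assumptions), runs the same dictionary against both, and returns what was recovered together with how many hash computations the attacker needed.

```python
"""Dictionary attack against a stolen password file: fast unsalted hash vs salted PBKDF2.

Added example, not from the FFIEC booklet. Accounts, passwords, the dictionary
and the 100,000 iteration count are constructed/assumed values.
"""
import hashlib
import os

# Constructed accounts; carol's password is not in the dictionary.
CONSTRUCTED_CREDENTIALS = [
    ("alice", "Winter2018"),
    ("bob", "letmein"),
    ("carol", "T7#kq9!vLm2p"),
    ("dave", "password"),
]
CONSTRUCTED_DICTIONARY = ["password", "123456", "letmein", "qwerty", "Winter2018", "welcome1"]
PBKDF2_ITERATIONS = 100_000  # assumed cost factor


def make_legacy_file(credentials):
    """Unsalted fast hash: every user's hash is a function of the password alone."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in credentials}


def make_hardened_file(credentials, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus an iterated one-way function."""
    out = {}
    for user, pw in credentials:
        salt = os.urandom(16)
        out[user] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return out


def attack_legacy(pwfile, wordlist):
    """One hash per dictionary word, then a lookup for every user: work == len(wordlist)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in pwfile.items() if h in table}
    return cracked, len(wordlist)


def attack_hardened(pwfile, wordlist):
    """Salt forces a fresh computation per (user, word); iterations make each one slow.

    Returns (cracked, work) where work counts PBKDF2 calls; the real cost is
    work * iterations hash invocations, against len(wordlist) for the legacy file.
    """
    cracked, work = {}, 0
    for user, (salt, iterations, digest) in pwfile.items():
        for word in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    legacy_cracked, legacy_work = attack_legacy(
        make_legacy_file(CONSTRUCTED_CREDENTIALS), CONSTRUCTED_DICTIONARY)
    hard_cracked, hard_work = attack_hardened(
        make_hardened_file(CONSTRUCTED_CREDENTIALS), CONSTRUCTED_DICTIONARY)
    print("legacy   :", legacy_cracked, "hash computations:", legacy_work)
    print("hardened :", hard_cracked, "PBKDF2 calls:", hard_work,
          "(each", PBKDF2_ITERATIONS, "iterations)")
```

Both files give up the same three accounts, because the underlying secret is a dictionary word either way; what changed is that the attacker needed 15 PBKDF2 runs of 100,000 iterations instead of 6 SHA-256 calls, and that a precomputed table is useless against the salted file. That gap is the time the booklet says the institution must use to detect the compromise and reissue the passwords.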
  
- An additional attack method targets a specific account and submits passwords until the correct password is discovered.

Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.

- A variation of the previous attack uses a popular password, and tries it against a wide range of usernames.

Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.
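The two attacks just described leave different traces in an authentication log, and the controls the booklet lists (lockout after a risk-based number of failures; scanning the IP addresses of requests for submission patterns) map onto two different detections. Added example, not part of the booklet: Python that parses constructed log lines of the form `2018-12-03T08:01:00Z src=... user=... result=...` (the log format, the 5-failures-in-15-minutes lockout rule and the 10-accounts spray threshold are assumptions) and returns the accounts that should be locked and the source addresses that are trying one guess against many accounts without ever tripping the per-account lockout.

```python
"""Targeted guessing vs password spraying in an authentication log.

Added example, not from the FFIEC booklet. The log format, the thresholds and
the events themselves are constructed/assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_TS = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Constructed events: a clumsy legitimate user, a targeted attack, and a spray."""
    base = datetime(2018, 12, 3, 8, 0, 0)
    lines = []

    def event(seconds, src, user, result):
        ts = (base + timedelta(seconds=seconds)).strftime(LOG_TS)
        lines.append(f"{ts} src={src} user={user} result={result}")

    # jdoe mistypes twice, then logs in: must not be locked out
    event(0, "10.0.0.42", "jdoe", "FAIL")
    event(20, "10.0.0.42", "jdoe", "FAIL")
    event(35, "10.0.0.42", "jdoe", "OK")
    # one source hammers a single privileged account
    for i in range(8):
        event(60 + 10 * i, "198.51.100.20", "admin", "FAIL")
    # one source tries one password against many accounts, never twice per account
    for i in range(15):
        event(300 + 5 * i, "203.0.113.9", f"user{i:02d}", "FAIL")
    return "\n".join(lines) + "\n"


def parse_auth_log(text):
    """One dict per line: ts (datetime), src, user, result."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.strptime(ts, LOG_TS), **fields})
    return events


def lockout_candidates(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts whose failures within a sliding window reach the threshold.

    Returns {user: time the threshold was crossed}. Threshold and window are
    the 'risk-based number of failed login attempts' the booklet leaves to the
    institution; the values here are assumptions.
    """
    recent = defaultdict(deque)
    locked = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "FAIL":
            continue
        window_fails = recent[e["user"]]
        window_fails.append(e["ts"])
        while e["ts"] - window_fails[0] > window:
            window_fails.popleft()
        if len(window_fails) >= threshold and e["user"] not in locked:
            locked[e["user"]] = e["ts"]
    return locked


def spray_sources(events, min_accounts=10, max_per_account=2):
    """Sources that failed against many distinct accounts but few times each.

    Per-account lockout never fires on this pattern, so the signal has to be
    built per source address, which is what the booklet's 'scanning the IP
    addresses of authentication requests' control amounts to. Returns {src: [accounts]}.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return {
        src: sorted(users)
        for src, users in per_src.items()
        if len(users) >= min_accounts and max(users.values()) <= max_per_account
    }


if __name__ == "__main__":
    events = parse_auth_log(constructed_log())
    print("lock out :", lockout_candidates(events))
    print("spraying :", spray_sources(events))
```

Note that the sprayer is never a lockout candidate: fifteen accounts see one failure each, which is exactly why the booklet pairs lockout with a per-source view of the requests.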
  
- Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.

Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.

- Some attacks depend on patience, waiting until the logged-in workstation is unattended.

Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.

- Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.

Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.

- Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machine. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.

Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.

- Attacks can also become much more effective or damaging if different network devices share the same or a similar password.

Controls include a policy that forbids the same or similar password on particular network devices.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 18 - AUDIT TRAILS

18.2 Audit Trails and Logs

18.2.2.2 Application-Level Audit Trails

System-level audit trails may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager. In general, application-level audit trails monitor and log user activities, including data files opened and closed, specific actions, such as reading, editing, and deleting records or fields, and printing reports. Some applications may be sensitive enough from a data availability, confidentiality, and/or integrity perspective that a "before" and "after" picture of each modified record (or the data element(s) changed within a record) should be captured by the audit trail.

18.2.2.3 User Audit Trails

User audit trails can usually log:

1) all commands directly initiated by the user;
2) all identification and authentication attempts; and
3) files and resources accessed.

It is most useful if options and parameters are also recorded from commands. It is much more useful to know that a user tried to delete a log file (e.g., to hide unauthorized actions) than to know the user merely issued the delete command, possibly for a personal data file.
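What the "before" and "after" picture and the logged command parameters buy you, as an added example that is not part of the NIST handbook. The Python below is a small application-level audit trail (class and field names are this example's own assumptions) that records, for every change to a record, who made it, which fields changed and both images of the record; user commands are logged with their parameters, so a delete aimed at the audit log itself can be picked out from one aimed at a scratch file. It goes one step beyond the excerpt by hash-chaining the entries, so that a later edit or removal of any entry is detectable by verify().

```python
"""Application-level audit trail with before/after images and logged command parameters.

Added example, not from the NIST handbook. Class and field names are this
example's own; the hash chain is an addition the excerpt does not describe.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(entry):
    """Hash of the entry body (everything except its own hash), in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, user, action, target, before=None, after=None, **params):
        """Append one entry. `params` carries the command's options and arguments."""
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "target": target,
            "params": params,
            "before": before,
            "after": after,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Index of the first entry that was altered, reordered or unlinked, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def entries_touching(self, prefix):
        """Entries whose target starts with `prefix`, e.g. the log directory itself."""
        return [e for e in self.entries if e["target"].startswith(prefix)]


class AccountStore:
    """Toy record store whose every mutation is audited with a before and after image."""

    def __init__(self, audit):
        self.rows = {}
        self.audit = audit

    def update(self, user, account_id, **changes):
        before = dict(self.rows.get(account_id, {}))
        after = {**before, **changes}
        changed = {k: (before.get(k), after[k]) for k in changes if before.get(k) != after[k]}
        self.rows[account_id] = after
        self.audit.record(user, "update", f"account/{account_id}",
                          before=before, after=after, fields=sorted(changed))
        return changed

    def delete(self, user, account_id):
        before = self.rows.pop(account_id, None)
        self.audit.record(user, "delete", f"account/{account_id}", before=before, after=None)
        return before


if __name__ == "__main__":
    trail = AuditTrail()
    store = AccountStore(trail)
    store.update("teller1", 1001, owner="A. Smith", balance=100)
    store.update("teller1", 1001, balance=250)
    # A user-level entry: the parameters say which file the command was aimed at.
    trail.record("ops1", "rm", "/var/log/app/audit.log", flags="-f")
    print("chain intact:", trail.verify() is None)
    print("commands against the log directory:",
          [(e["user"], e["action"], e["params"]) for e in trail.entries_touching("/var/log/")])
    trail.entries[1]["after"]["balance"] = 100   # try to hide the balance change
    print("first altered entry:", trail.verify())
```

The chain only proves that the trail has not been altered since it was written; it does nothing for entries that were never recorded, which is why the trail must be written by the application itself rather than reconstructed afterwards.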


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. For more information, please call R. Kinney Williams at Office 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/

 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.