R. Kinney Williams - Yennik, Inc.®

Internet Banking News
for the week of February 25, 2018

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Study shows which phishing attacks are most successful - People are very predictable when it comes to designing phishing attacks that appeal to potential victims, with people most likely to click on messages concerning money. https://www.scmagazine.com/study-shows-most-clicked-phishing-attempts/article/743513/

Assessment: Security posture of U.S. government contractors inferior to federal agencies using them - An independent risk assessment conducted this month found that the security posture of U.S. government contractors was markedly worse than the federal agencies that use these third-party services, suggesting contractors must raise their game and bridge the gap. https://www.scmagazine.com/assessment-security-posture-of-us-government-contractors-inferior-to-federal-agencies-using-them/article/744832/

Filing Deadline for New Infosec Law Hits NY Finance Firms Thursday - Banks and financial services companies in New York must file by tomorrow to certify they are compliant with the state Department of Financial Services' new cybersecurity regulation, 23 NYCRR 500. http://www.darkreading.com/risk/compliance/filing-deadline-for-new-infosec-law-hits-ny-finance-firms-thursday/d/d-id/1331065

U.S. DOE creates new cybersecurity office - The U.S. Department of Energy has established and funded the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER). https://www.scmagazine.com/us-doe-creates-new-cybersecurity-office/article/745112/

Enterprise needs right architecture to secure public cloud - Over the last few years, enterprises have been experimenting with private, public and hybrid cloud models for their applications and data. https://www.scmagazine.com/enterprise-needs-right-architecture-to-secure-public-cloud/article/742251/

SEC issues cybersecurity guidance disclosure - “Principles-based” guidance issued by the Securities and Exchange Commission (SEC) Wednesday clarifies how the commission views the disclosure responsibility of public companies that have fallen victim to a cyberattack. https://www.scmagazine.com/sec-issues-cybersecurity-guidance-disclosure/article/745806/

Companies still sacrificing security for expediency, study - Companies are sacrificing security for expediency and intentionally putting speed and profits before mobile security. https://www.scmagazine.com/verizons-2018-mobile-security-index-found-that-32-percent-of-its-respondents-admitted-to-having-sacrificed-mobile-security-to-improve-expediency/article/745809/

Savannah still suffering effects from cyberattack - Savannah, Ga., is still in the process of recovering from a malware attack that took place last week that forced the city to shut down part of its computer system in an attempt to limit damage. https://www.scmagazine.com/savannah-still-suffering-effects-from-cyberattack/article/745767/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Open AWS S3 bucket exposes private info on thousands of FedEx customers - In what has become an alarmingly routine occurrence, an unsecured Amazon S3 server – this time affiliated with FedEx – has exposed personal information of tens of thousands of users. https://www.scmagazine.com/open-aws-s3-bucket-exposes-private-info-on-thousands-of-fedex-customers/article/744812/

Hackers pilfered $6M from Russian central bank via SWIFT system - Hackers nicked $6 million from the Russian central bank last year via the SWIFT messaging system, according to a report from the bank. https://www.scmagazine.com/hackers-pilfered-6m-from-russian-central-bank-via-swift-system/article/745195/

Staybridge Suites Lexington Hotel hit with data breach - The Staybridge Suites Lexington was hit with what appears to be a point of sales data breach that occurred when several devices at the Kentucky hotel were hit with malware. https://www.scmagazine.com/staybridge-suites-lexington-hotel-hit-with-data-breach/article/744956/

California Department of Fish and Wildlife says insider exposed employee and vendor records - California's Department of Fish and Wildlife (CDFW) has reportedly issued an internal memo warning that a former employee downloaded worker and vendor records to a personal device without authorization, and stored them on an insecure network. https://www.scmagazine.com/california-department-of-fish-and-wildlife-says-insider-exposed-employee-and-vendor-records/article/745270/

Tesla's AWS servers hijacked by cryptominers - The hijacking of Tesla's Amazon Web Services (AWS) cloud system by rogue cryptominers is proof that no one is immune to a misconfigured AWS server or to cryptomining attacks. https://www.scmagazine.com/teslas-unprotected-kubernetes-console-used-to-hijack-aws-servers/article/745474/



WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.



FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Symmetric and Asymmetric Key Systems

There are two types of cryptographic key systems, symmetric and asymmetric.  With a symmetric key system (also known as secret key or private key systems), all parties have the same key.  The keys can be used to encrypt and decrypt messages, and must be kept secret or the security is compromised.  For the parties to get the same key, there has to be a way to securely distribute the key to each party.  While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet.  Asymmetric key systems can solve this problem.

In an asymmetric key system (also known as a public key system), two keys are used.  One key is kept secret, and therefore is referred to as the "private key."  The other key is made widely available to anyone who wants it, and is referred to as the "public key."  The private and public keys are mathematically related so that information encrypted with the private key can only be decrypted by the corresponding public key.  Similarly, information encrypted with the public key can only be decrypted by the corresponding private key.  The private key, regardless of the key system utilized, is typically specific to a party or computer system.  Therefore, the sender of a message can be authenticated as the private key holder by anyone decrypting the message with a public key.  Importantly, it is mathematically impossible for the holder of any public key to use it to figure out what the private key is.  The keys can be stored either on a computer or on a physically separate medium such as a smart card.

Regardless of the key system utilized, physical controls must exist to protect the confidentiality and access to the key(s).  In addition, the key itself must be strong enough for the intended application.  The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data.  Stronger encryption may also be necessary to protect data that is in an open environment, such as on a Web server, for long time periods.  Because the strength of the key is determined by its length, the longer the key, the harder it is for high-speed computers to break the code.
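The two key systems described above, shown side by side as an added example written for this page (it is not code from the newsletter or from the FDIC paper). The symmetric half uses AES-256-GCM, where the single shared key both seals and opens a message; the asymmetric half uses RSA-OAEP for the "encrypt with the public key, decrypt only with the private key" direction and an Ed25519 signature for the "only the private-key holder could have produced this, anyone with the public key can check it" direction. Everything comes from the Go standard library; the sample message is constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Symmetric (secret-key) system, AES-256-GCM: one shared key both encrypts and
// decrypts, so it has to reach every party over a secure channel.
func newSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricSeal prepends a fresh random nonce to the authenticated ciphertext.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen fails on a wrong key or on any change to the ciphertext.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Asymmetric (public-key) system, confidentiality direction (RSA-OAEP):
// anyone with the public key can encrypt; only the private-key holder decrypts.
func newRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Authentication direction (Ed25519): only the private-key holder can sign,
// and anyone holding the public key can verify who sent the message.
func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func verifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("constructed sample: credit account 0001 with $250.00") // not from the newsletter
	key, _ := newSharedKey()
	sealed, _ := symmetricSeal(key, msg)
	opened, err := symmetricOpen(key, sealed)
	fmt.Printf("symmetric: %q err=%v\n", opened, err)
	rsaKey, _ := newRSAKey()
	ct, _ := asymmetricEncrypt(&rsaKey.PublicKey, msg)
	pt, err := asymmetricDecrypt(rsaKey, ct)
	fmt.Printf("asymmetric: %q err=%v\n", pt, err)
	pub, priv, _ := newSigningKey()
	sig := signMessage(priv, msg)
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 1
	fmt.Println("original verifies:", verifyMessage(pub, msg, sig), "tampered verifies:", verifyMessage(pub, tampered, sig))
}
```

Note the difference in what each party needs to hold: the symmetric receiver needs the same secret the sender used, while the asymmetric receiver needs only the sender's public key to check the signature, and the sender needs only the receiver's public key to encrypt. The 2048-bit RSA and 256-bit AES sizes are this example's choices and illustrate the paper's point that key length, not secrecy of the algorithm, sets the work factor for an attacker.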



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY

The term physical and environmental security, as used in this chapter, refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. Physical and environmental security controls include the following three broad areas:

1)  The physical facility is usually the building, other structure, or vehicle housing the system and network components. Systems can be characterized, based upon their operating location, as static, mobile, or portable. Static systems are installed in structures at fixed locations. Mobile systems are installed in vehicles that perform the function of a structure, but not at a fixed location. Portable systems are not installed in fixed operating locations. They may be operated in a wide variety of locations, including buildings or vehicles, or in the open. The physical characteristics of these structures and vehicles determine the level of such physical threats as fire, roof leaks, or unauthorized access.

2)  The facility's general geographic operating location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions and emanations; and damaging nearby activities, including toxic chemical spills, explosions, fires, and electromagnetic interference from emitters, such as radars.

3)  Supporting facilities are those services (both technical and human) that underpin the operation of the system. The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of the system and may cause physical damage to system hardware or stored data.

Physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.


Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors
 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.