R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of August 13, 2017

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Cybersecurity Pen-test Audits

FYI - Justice Dept. vulnerability disclosure framework aims to formalize programs - As the popularity of vulnerability programs soar in both the public and private sectors, the Cybersecurity Unit of the Justice Department's Criminal Division has created a framework to guide organizations interested in building a formalized program.

Congress to smart device makers: Your security sucks - Four senators propose the "Internet of Things Cybersecurity Improvement Act," calling for minimum security standards for connected devices. https://www.cnet.com/news/congress-senate-iot-device-makers-your-security-sucks/

DOD risks 'rogue' apps under current IoT policy - The Department of Defense must address some key security risks in its policies and guidance for Internet of Things devices, according to a new Government Accountability Office report. https://fcw.com/articles/2017/07/31/gao-iot-rogue-apps.aspx

Most corporate information systems are just two steps away from failure - The level of security of Wi-Fi networks and user awareness regarding information security has fallen significantly; a Positive Technologies security audit says mostly due to common vulnerabilities not needing much skill to implement. https://www.scmagazine.com/most-corporate-information-systems-are-just-two-steps-away-from-failure/article/679886/

Cyberattacks at sea prompt return of radio ship navigation - The threat of possible cyberwarfare attacks against ships sea is prompting the return of navigators using radio navigation technology like Loran, as opposed, to modern GPS (Global Positioning System). https://www.scmagazine.com/cyber-threats-at-sea-prompt-return-to-radio-navigation-technology/article/680290/

Disney sued, accused of violating child data privacy laws - Disney was hit with a class action lawsuit for allegedly violating the Child Online Privacy Protection Act (COPPA) laws by capturing children's data and selling it to third parties. https://www.scmagazine.com/disney-accused-of-collecting-and-selling-childrens-data-violating-coppa-laws/article/680287/

Guidelines issued to ensure vehicle design includes cyber-security - The UK government has issued a range of guidelines designed to ensure vehicle design includes cyber-security at all stages of development. https://www.scmagazine.com/smart-anything-is-hackable--including-cars/article/680139/

The Man Who Wrote Those Password Rules Has a New Tip - Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly - he regrets the error - The man who wrote the book on password management has a confession to make: He blew it. https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

44% of sampled websites fail password protection assessment - An analysis of 48 popular websites determined that 46 percent of consumer services sites and 36 percent of enterprise or business services sites had "dangerously lax" password policies that failed to enforce even some of the most basic security requirements. https://www.scmagazine.com/44-of-sampled-websites-fail-password-protection-assessment/article/680847/


FYI - Hackers post info stolen from Mandiant analyst, threaten similar attacks - After leaking data stolen from an analyst working for Mandiant, a hacking group or individual going by the name "31337" is threatening to victimize other cybersecurity experts in similar fashion. https://www.scmagazine.com/hackers-post-info-stolen-from-mandiant-analyst-threaten-similar-attacks/article/679498/

HBO hackers may have made off with 1.5 TB of data - The hackers who breached HBO and leaked episodes of Ballers, Room 104 along with some written material allegedly from next week's Game of Thrones with threats to leak more may have stolen more than 1.5 Terabytes of data. https://www.scmagazine.com/hbo-breach-may-have-compromised-seven-times-more-than-sony-breach/article/679800/

Chrome web dev plugin with 1m+ users hijacked, crams ads into browsers - Toolmaker phished, Google account pwned, malicious code pushed out – and now fixed - A popular Chrome extension was hijacked earlier today to inject ads into browsers, and potentially run malicious JavaScript, after the plugin's creator was hacked. http://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

Hackers post info stolen from Mandiant analyst, threaten similar attacks - After leaking data stolen from an analyst working for Mandiant, a hacking group or individual going by the name "31337" is threatening to victimize other cybersecurity experts in similar fashion. https://www.scmagazine.com/hackers-post-info-stolen-from-mandiant-analyst-threaten-similar-attacks/article/679498/

Australian Red Cross data breach caused by third-party error - An error by a third-party vendor's employee led to the massive data breach that hit the Australian Red Cross last year. https://www.scmagazine.com/australian-red-cross-data-breach-caused-by-third-party-error/article/680149/

HBO breach accomplished with hard work by hacker, poor security practices by victim - Cybersecurity executives are speculating the HBO hack by “Mr. Smith” was the result of the intruder putting in a tremendous amount of effort to infiltrate the entertainment giant that included many separate attacks, while said giant most likely was slayed by ignoring basic security hygiene. https://www.scmagazine.com/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/article/680568/

IRS: Phishing scam aims to deceive accountants with fake tax software updates - The Internal Revenue Service (IRS) is warning of an email-based phishing scam that impersonates tax software providers in order to trick professional accountants into giving away their log-in credentials for these services. https://www.scmagazine.com/irs-phishing-scam-aims-to-deceive-accountants-with-fake-tax-software-updates/article/680404/

Russian hacker extorts gambling company after cracking poker machines - A Russian mathematician and programmer attempted to extort Aristocrat Leisure, an Australian gambling company, in upwards of $10 million after cracking the spin sequence on several of the firm's poker machines. https://www.scmagazine.com/russian-programmer-attempts-to-extort-millions-after-hacking-poker-machines/article/680830/

Almost 900 Bloomberg terminal chat room users doxxed - More than 800 Wall Street workers using an anonymous Bloomberg business terminal chat room were doxxed earlier this month when an email containing their names and employers was sent to the chat room participants. https://www.scmagazine.com/almost-900-bloomberg-terminal-chat-room-users-doxxed/article/680672/

Return to the top of the newsletter

We conclude the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (12 of 12)

 What the Future Holds

 In addition to meeting regulatory requirements and addressing applicable industry best practices, several characteristics tend to differentiate banks. The most successful banks will find a way to integrate incident response planning into normal operations and business processes. Assimilation efforts may include expanding security awareness and training initiatives to reinforce incident response actions, revising business continuity plans to incorporate security incident responses, and implementing additional security monitoring systems and procedures to provide timely incident notification. Ultimately, the adequacy of a bank's IRP reflects on the condition of the information security program along with management's willingness and ability to manage information technology risks. In essence, incident response planning is a management process, the comprehensiveness and success of which provide insight into the quality and attentiveness of management. In this respect, the condition of a bank's IRP, and the results of examiner review of the incident response planning process, fit well within the objectives of the information technology examination as described in the Information Technology-Risk Management Program. 
 An IRP is a critical component of a well-formed and effective information security program and has the potential to provide tangible value and benefit to a bank. Similar to the importance of a business continuity planning program as it relates to the threat of natural and man-made disasters, sound IRPs will be necessary to combat new and existing data security threats facing the banking community. Given the high value placed on the confidential customer information held within the financial services industry, coupled with the publicized success of known compromises, one can reasonably assume that criminals will continue to probe an organization's defenses in search of weak points. The need for response programs is real and has been recognized as such by not only state and Federal regulatory agencies (through passage of a variety of legal requirements), but by the banking industry itself. The challenges each bank faces are to develop a reasonable IRP providing protections for the bank and the consumer and to incorporate the IRP into a comprehensive, enterprise-wide information security program. The most successful banks will exceed regulatory requirements to leverage the IRP for business advantages and, in turn, improved protection for the banking industry as a whole.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  
  (Part 1 of 2)
 Intrusion detection by itself does not mitigate risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion, and restoration of systems.
 The response primarily involves people rather then technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.
 Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:
 ! How to balance concerns regarding availability, confidentiality, and integrity, for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.
 ! When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
 ! How to control the frequently powerful intrusion identification and response tools.
 ! When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
 ! When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
 ! Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisionswithin the organization.
 ! How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
 ! How to document and maintain the evidence, decisions, and actions taken.
 ! What criteria must be met before compromised services, equipment and software are returned to the network.
 ! How to learn from the intrusion and use those lessons to improve the institution's security.
 ! How and when to prepare and file a Suspicious Activities Report (SAR).

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -  We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Computer systems are subject to a wide range of mishaps -- from corrupted data files, to viruses, to natural disasters. Some of these mishaps can be fixed through standard operating procedures. For example, frequently occurring events (e.g., a mistakenly deleted file) can usually be readily repaired (e.g., by restoration from the backup file). More severe mishaps, such as outages caused by natural disasters, are normally addressed in an organization's contingency plan. Other damaging events result from deliberate malicious technical activity (e.g., the creation of viruses or system hacking).
 A computer security incident can result from a computer virus, other malicious code, or a system intruder, either an insider or an outsider. It is used in this chapter to broadly refer to those incidents resulting from deliberate malicious technical activity. It can more generally refer to those incidents that, without technically expert response, could result in severe damage. This definition of a computer security incident is somewhat flexible and may vary by organization and computing environment.
 Malicious code include viruses as well as Trojan horses and worms. A virus is a code segment that replicates by attaching copies of itself to existing executables. A Trojan horse is a program that performs a desired task, but also includes unexpected functions. A worm is a self-replicating program.
 Although the threats that hackers and malicious code pose to systems and networks are well known, the occurrence of such harmful events remains unpredictable. Security incidents on larger networks (e.g., the Internet), such as break-ins and service disruptions, have harmed various organizations' computing capabilities. When initially confronted with such incidents, most organizations respond in an ad hoc manner. However recurrence of similar incidents often makes it cost-beneficial to develop a standing capability for quick discovery of and response to such events. This is especially true, since incidents can often "spread" when left unchecked thus increasing damage and seriously harming an organization.
 Incident handling is closely related to contingency planning as well as support and operations. An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.
 This chapter describes how organizations can address computer security incidents (in the context of their larger computer security program) by developing a computer security incident handling capability.
 Many organizations handle incidents as part of their user support capability  or as a part of general system support.

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Cybersecurity Pen-test Audits
Our cybersecurity pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  There is no charge if you are not satisfied with our service.  For more information, please call R. Kinney Williams at 806-798-7119, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/.

Professional organizations:
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.