Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience.
Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Credential phishing attack impersonating USPS targets consumers over the holidays - Abnormal Security reported Wednesday that its email security platform blocked a credential phishing attack impersonating the U.S. Postal Service. The lure sought to get victims to give up their credit card details by paying a "special delivery fee" within three days to ensure the package was delivered.
https://www.scmagazine.com/home/security-news/phishing/credential-phishing-attack-impersonating-usps-targets-consumers-over-the-holidays/
The SolarWinds hack, and the danger of arrogance - In an interview I
did with Kevin Mandia, he said this: “If your supply chain is
compromised, so are you, since the networks so often get connected.
Let’s say small company C gets compromised. Does it lead to a
compromise of big company A? It usually does.”
https://www.scmagazine.com/home/editorial/the-solarwinds-hack-and-the-danger-of-arrogance/
Backups are a tool – not a silver bullet – in the fight against
ransomware - One of the best ways for a business to protect itself
from ransomware is by having dedicated backups in place for their
systems and data. It’s one of many reasons that more than 90 percent
of respondents in a 3,000 person survey conducted earlier this year
reported that they back up the systems and data they’re responsible
for protecting.
https://www.scmagazine.com/home/security-news/ransomware/backups-are-a-tool-not-a-silver-bullet-in-the-fight-against-ransomware/
Three ways we can move the industry to passwordless authentication -
Change happens at an uneven pace. Take the latest smartphone. The
camera still has a lovely shutter click, though digital cameras have
long since surpassed shutter cameras.
https://www.scmagazine.com/perspectives/three-ways-we-can-move-the-industry-to-passwordless-authentication/
Can SolarWinds survive? For breached companies it’s a long, painful
road to restoring trust - In several important ways, the SolarWinds
hack is unique: few companies have the same level of software
dominance at the highest levels of government and industry or merit
the kind of targeting from a state sponsored APT group.
https://www.scmagazine.com/home/solarwinds-hack/can-solarwinds-survive-for-breached-companies-its-a-long-painful-road-to-restoring-trust/
Grid regulator warns utilities of risk of SolarWinds backdoor, asks
how exposed they are - The North American electric grid regulator
has asked utilities to report how exposed they are to SolarWinds
software that is at the center of a suspected Russian hacking
operation, and the regulator advised utilities that the
vulnerability “poses a potential threat” to parts of the power
sector.
https://www.cyberscoop.com/nerc-alert-solarwinds-grid-russia/
CISA Warns SolarWinds Incident Response May Be Substantial - 'All
Network Assets' Monitored by Backdoored Orion Software May Need
Rebuilding - Federal, state and local governments are among the many
victims of the supply chain attack that backdoored the SolarWinds
Orion network-monitoring software, and victims "may need to rebuild
all network assets" being monitored by the software, the U.S.
Cybersecurity and Infrastructure Security Agency warns.
https://www.govinfosecurity.com/cisa-warns-solarwinds-incident-response-may-be-substantial-a-15661
The Worst Hacks of 2020, a Surreal Pandemic Year - From ransomware
schemes to supply chain attacks, this year melded classic hacks with
extraordinary circumstances.
https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/
After the worst year ever for ransomware, 2021 will be more of the
same - With 2020 coming to a close, SC Media is delivering through a
series of articles our picks of the most high impact events and
trends of the last year, which we predict will factor into community
strategies in 2021 and beyond.
https://www.scmagazine.com/home/year-in-review/2020-was-the-worst-year-ever-for-ransomware-2021-will-be-more-of-the-same/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - DDoS attacks hit Citrix Application Delivery Controllers, hindering customer performance - Citrix reported Thursday that a DDoS attack was hitting its Citrix Application Delivery Controllers (ADCs), the networking products that let security and network teams manage the delivery speed and quality of applications to end users.
https://www.scmagazine.com/home/security-news/network-security/ddos-attacks-hit-citrix-application-delivery-controllers-hindering-customer-performance/
Law enforcement take down three bulletproof VPN providers - The
three VPN services provided safe haven for cybercriminals to carry
out ransomware attacks, web skimming operations, spearphishing, and
account takeovers.
https://www.zdnet.com/article/law-enforcement-take-down-three-bulletproof-vpn-providers/
Finnish Parliament attackers hack lawmakers’ email accounts - The
email accounts of multiple members of parliament (MPs) were
compromised following a cyberattack as revealed today by the
Parliament of Finland.
https://www.bleepingcomputer.com/news/security/finnish-parliament-attackers-hack-lawmakers-email-accounts/
Home appliance giant Whirlpool hit in Nefilim ransomware attack -
Home appliances giant Whirlpool suffered a ransomware attack by the
Nefilim ransomware gang who stole data before encrypting devices.
https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
Cyber criminals targeting remote work to gain access to enterprise
networks and critical data - Good threat intelligence can sift
through mountains of data collected from sensors across the globe to
provide insights into what is happening and what countermeasures
need to be in place to defend against a dynamic threat environment.
https://www.scmagazine.com/home/sponsor-content/cyber-criminals-targeting-remote-work-to-gain-access-to-enterprise-networks-and-critical-data/
WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and
services on-line must verify that proper advertising disclosures are
made in accordance with all provisions of the regulations.
Institutions should note that the disclosure exemption for
electronic media does not specifically address commercial messages
made through an institution's web site or other on-line banking
system. Accordingly, adherence to all of the advertising disclosure
requirements is required.
Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to the Official Staff Commentary (OSC) to Regulation DD if the institution's deposit rates appear on third-party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers should supplement the electronic disclosures with paper disclosures.
FFIEC IT SECURITY
- We continue
the series from the FDIC "Security Risks Associated with the
Internet."
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alphanumeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can
run through tens of thousands of password variations based on
personal information, such as a user's name or address. It is
preferable to test for such vulnerabilities by running this type of
program as a preventive measure, before an unauthorized party has
the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against
these types of programs. In cases where a potential attacker is
monitoring a network to collect passwords, a system utilizing
one-time passwords would render any data collected useless.
When additional measures are necessary to confirm that passwords
or PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
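A worked example of two of the controls above, added here and not taken from the FDIC document: a password-acceptance check that rejects candidates resembling the user's personal data (the variations a personal-information guessing program tries first), and a per-account delay that doubles after each failed login so that such a program stalls before it reaches the password store. The profile, account name and passwords are constructed sample values. One caveat for today's reader: current guidance (NIST SP 800-63B) favors longer passwords screened against breached-password lists over short alphanumeric rules and forced periodic changes; the length constant here simply takes the FDIC text's upper bound.

```python
"""Added example (not from the FDIC text): a password-acceptance check that
rejects passwords resembling personal data, plus a per-account login delay
that doubles after each failure so that guessing programs stall."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable

MIN_LENGTH = 8  # the FDIC text says six to eight characters; we take the upper bound


def personal_tokens(profile: dict) -> set[str]:
    """Lower-cased words of four or more characters drawn from personal data
    (name, address, date of birth, user ID), plus their reversals, which
    personal-information guessing tools routinely try."""
    tokens: set[str] = set()
    for value in profile.values():
        for word in re.split(r"\W+", str(value).lower()):
            if len(word) >= 4:
                tokens.add(word)
                tokens.add(word[::-1])
    return tokens


def password_is_acceptable(password: str, profile: dict) -> tuple[bool, str]:
    """Apply the FDIC criteria: minimum length, letters and digits, and no
    resemblance to the user's personal data. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        return False, "needs both letters and digits"
    lowered = password.lower()
    for token in personal_tokens(profile):
        if token in lowered:
            return False, "resembles personal data"
    return True, "ok"


@dataclass
class LoginThrottle:
    """Per-account delay after failed logins. The delay doubles with each
    consecutive failure (capped at max_delay) and resets on success, so a
    guessing program's attempts are mostly refused before any check runs."""
    base_delay: float = 1.0
    max_delay: float = 60.0
    failures: dict[str, int] = field(default_factory=dict)
    blocked_until: dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password: str,
                verify: Callable[[str, str], bool], now: float) -> str:
        """Return 'delayed', 'failed' or 'ok'. `now` is the caller's clock so
        the behaviour is deterministic (and testable) without sleeping."""
        if now < self.blocked_until.get(user, 0.0):
            return "delayed"  # refused without consulting the password store
        if verify(user, password):
            self.failures.pop(user, None)
            self.blocked_until.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.blocked_until[user] = now + delay
        return "failed"


def simulate_guessing(attempts: int) -> dict[str, int]:
    """Constructed scenario: `attempts` wrong guesses against one account, one
    per second. Reports how many reached the password store versus how many
    the throttle refused outright."""
    throttle = LoginThrottle()
    checked = 0

    def verify(user: str, password: str) -> bool:
        nonlocal checked
        checked += 1
        return password == "correct-horse-7"  # constructed, never guessed here

    results = [throttle.attempt("jsmith", f"guess{i}", verify, now=float(i))
               for i in range(attempts)]
    return {"checked": checked, "delayed": results.count("delayed")}


if __name__ == "__main__":
    # Constructed sample profile, not real customer data.
    profile = {"name": "John Smith", "address": "42 Maple Street",
               "dob": "1975-03-14", "user_id": "jsmith"}
    for candidate in ("Smith1975", "Short1", "Q7v!xr3Lpz"):
        print(candidate, password_is_acceptable(candidate, profile))
    print(simulate_guessing(60))
```

With a one-second base delay, sixty guesses at one-second intervals reach the password store only six times (at seconds 0, 1, 3, 7, 15 and 31); the other 54 are refused before any check runs, and a correct login once the delay has expired clears the failure count. A real guessing tool sends faster than one guess per second, which only increases the share of attempts that are refused.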
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.3.3 Secure Communications Facilities
Incidents can range from the trivial to those involving national
security. Often when exchanging information about incidents, using
encrypted communications may be advisable. This will help prevent
the unintended distribution of incident-related information.
Encryption technology is available for voice, fax, and e-mail
communications.
12.4 Interdependencies
An incident handling capability generally depends upon other
safeguards presented in this handbook. The most obvious is the
strong link to other components of the contingency plan. The
following paragraphs detail the most important of these
interdependencies.
Contingency Planning.
As discussed in the introduction to this chapter, an incident
handling capability can be viewed as the component of contingency
planning that deals with responding to technical threats, such as
viruses or hackers. Close coordination is necessary with other
contingency planning efforts, particularly when planning for
contingency processing in the event of a serious unavailability of
system resources.
Support and Operations.
Incident handling is also closely linked to support and operations,
especially user support and backups. For example, for purposes of
efficiency and cost savings, the incident handling capability is
often co-operated with a user "help desk." Also, backups of system
resources may need to be used when recovering from an incident.
Training and Awareness.
The training and awareness program can benefit from lessons learned
during incident handling. Incident handling staff will be able to
help assess the level of user awareness about current threats and
vulnerabilities. Staff members may be able to help train system
administrators, system operators, and other users and systems
personnel. Knowledge of security precautions (resulting from such
training) helps reduce future incidents. It is also important that
users are trained what to report and how to report it.
Risk Management.
The risk analysis process will benefit from statistics and logs
showing the numbers and types of incidents that have occurred and
the types of controls that are effective in preventing incidents.
This information can be used to help select appropriate security
controls and practices.
Suggestions from readers have resulted in our new fresh look, which we hope you like.