R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 9, 2022

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.
2022 workforce predictions: Remote workforce to challenge IT teams - As the COVID-19 pandemic extends into a new year, having a remote workforce will continue to challenge IT and security teams, cybersecurity experts predict. https://www.scmagazine.com/analysis/careers/2022-workforce-predictions-remote-workforce-to-challenge-it-teams

Missouri Gov believes reporter will still be prosecuted for disclosing data leak - Mike Parson, the Republican governor of Missouri, said Wednesday he believed prosecutors will press criminal charges on a St. Louis Post-Dispatch reporter for what many security experts believe was a responsible disclosure of a data leak on a state website. https://www.scmagazine.com/news/data-security/missouri-gov-believes-reporter-will-still-be-prosecuted-for-reporting-data-leak

Financial firms struggle with security in storage, backups - The lion's share of financial service institutions (FSIs) are having trouble properly securing their stored data, which could be particularly troubling given the rise in ransomware attacks. https://www.scmagazine.com/analysis/backup-and-recovery/financial-firms-struggle-with-security-in-storage-backups

New guidance tackles role of manufacturers in medical device security, patient safety - The Healthcare Supply Chain Association released two guides that outline key privacy and cybersecurity considerations for medical devices, directed at healthcare delivery organizations and manufacturers. https://www.scmagazine.com/analysis/iot/new-guidance-tackles-role-of-manufacturers-in-medical-device-security-patient-safety

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

University loses 77TB of research data due to backup error - The Kyoto University in Japan has lost about 77TB of research data due to an error in the backup system of its Hewlett-Packard supercomputer. https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/

Government data breach in Rhode Island leads to AG investigation - The transit authority (RIPTA) was hacked. Now the ACLU is questioning why thousands of people with no relationship to RIPTA had their personal information leaked. https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/

Broward Health discloses data breach affecting 1.3 million people - The Broward Health public health system has disclosed a large-scale data breach incident impacting 1,357,879 individuals. https://www.bleepingcomputer.com/news/security/broward-health-discloses-data-breach-affecting-13-million-people/

Cyberattack on payroll vendor Kronos disrupting healthcare workforce paychecks - The ongoing ransomware attack and recovery efforts on HR and payroll vendor Kronos is affecting payroll services at some health systems, which includes reduced paychecks for some healthcare employees, according to local news reports. https://www.scmagazine.com/analysis/incident-response/cyberattack-on-payroll-vendor-kronos-disrupting-healthcare-workforce-paychecks

NY investigation finds more than 1 million accounts compromised through credential stuffing - The New York State Attorney General said an investigation by her office uncovered at least 1.1 million online consumer accounts that were compromised through credential stuffing attacks across the products of at least 17 different companies. https://www.scmagazine.com/analysis/cybercrime/ny-investigation-finds-more-than-1-million-accounts-compromised-through-credential-stuffing

Health tech vendor QRS faces lawsuit after data theft impacting 319K patients - Technology services vendor QRS is facing a class-action lawsuit, following its Health Insurance Portability and Accountability Act (HIPAA) breach notification informing 319,778 patients that their data was possibly stolen during a hack on an electronic patient portal. https://www.scmagazine.com/analysis/incident-response/health-tech-vendor-qrs-faces-lawsuit-after-data-theft-impacting-319k-patients


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
   
 
Board and Management Oversight - Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.
   
   To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with customer expectations. To achieve this, the bank must have the ability to deliver e-banking services to end-users from either primary (e.g. internal bank systems and applications) or secondary sources (e.g. systems and applications of service providers). The maintenance of adequate availability is also dependent upon the ability of contingency back-up systems to mitigate denial of service attacks or other events that may potentially cause business disruption.
   
   The challenge to maintain continued availability of e-banking systems and applications can be considerable given the potential for high transaction demand, especially during peak time periods. In addition, high customer expectations regarding short transaction processing cycle times and constant availability (24 x 7) have also increased the importance of sound capacity, business continuity and contingency planning. To provide customers with the continuity of e-banking services that they expect, banks need to ensure that:
   
   1)  Current e-banking system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of customer acceptance of e-banking products and services.
   
   2)  E-banking transaction processing capacity estimates are established, stress tested and periodically reviewed.
   
   3)  Appropriate business continuity and contingency plans for critical e-banking processing and delivery systems are in place and regularly tested.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewalls
  
  A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, it is ideally situated to inspect and block traffic and to coordinate activities with network IDS systems.
  
  Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type is dependent on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and applications.  Over the next few weeks we will discuss the different types of firewalls.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 17 - LOGICAL ACCESS CONTROL
 
 
17.3.2 External Access Controls
 
 17.3.2.2 Secure Gateways/ Firewalls
 
 Often called firewalls, secure gateways block or filter access between two networks, often between a private network and a larger, more public network such as the Internet, which attracts malicious hackers. Secure gateways allow internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems.
 
 Some secure gateways are set up to allow all traffic to pass through except for specific traffic which has known or suspected vulnerabilities or security problems, such as remote log-in services. Other secure gateways are set up to disallow all traffic except for specific types, such as e-mail. Some secure gateways can make access-control decisions based on the location of the requester. There are several technical approaches and mechanisms used to support secure gateways.
 
 Because gateways provide security by restricting services or traffic, they can affect a system's usage. For this reason, firewall experts always emphasize the need for policy, so that appropriate officials decide how the organization will balance operational needs and security.
 
 In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal system security overhead, since they allow an organization to concentrate security efforts on a limited number of machines. (This is similar to putting a guard on the first floor of a building instead of needing a guard on every floor.)
 
 A second benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication, e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.
 
 Types of Secure Gateways - There are many types of secure gateways. Some of the most common are packet filtering (or screening) routers, proxy hosts, bastion hosts, dual-homed gateways, and screened-host gateways.
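The two gateway postures the NIST text contrasts (pass everything except known-risky services, or block everything except named services), together with a decision keyed on the requester's location, as an added illustration that is not part of the NIST Handbook or the FFIEC booklet: a minimal first-match packet-filter evaluator in Python. The rule sets, port numbers, documentation address ranges and sample packets are constructed for this example, and the same evaluator shows why the choke-point placement described in the FFIEC section matters, since every packet crosses the same decision function.

```python
# Added example (not from the FFIEC or NIST text): a minimal packet-filter policy
# evaluator contrasting the two gateway postures described above, plus a rule
# keyed on the requester's location (source network). Addresses, ports and
# packets below are constructed sample values.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_net: str = "0.0.0.0/0"      # requester location; any address by default
    ports: frozenset = frozenset()  # empty means any destination port
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        port_ok = not self.ports or pkt.dst_port in self.ports
        proto_ok = self.proto in ("any", pkt.proto)
        return in_net and port_ok and proto_ok

def evaluate(rules, default_action, pkt):
    """First matching rule wins; with no match the gateway's default posture applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action

# Posture 1: pass everything except specific risky services (here telnet, rlogin, rsh).
DENY_LIST = [Rule("deny", ports=frozenset({23, 513, 514}), proto="tcp")]

# Posture 2: block everything except named services; HTTPS only from a partner network.
ALLOW_LIST = [
    Rule("allow", ports=frozenset({25}), proto="tcp"),
    Rule("allow", src_net="203.0.113.0/24", ports=frozenset({443}), proto="tcp"),
]

def decide(posture: str, pkt: Packet) -> str:
    """posture is "deny-list" (default allow) or "allow-list" (default deny)."""
    if posture == "deny-list":
        return evaluate(DENY_LIST, "allow", pkt)
    return evaluate(ALLOW_LIST, "deny", pkt)
```

A packet to a service the policy never anticipated (for instance TCP port 3389) is passed under the deny-list posture and dropped under the allow-list posture, which is the practical difference between the two approaches the text describes.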
 
 17.3.2.3 Host-Based Authentication
 
 Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Many network applications in use today use host-based authentication to determine whether access is allowed. Under certain circumstances it is fairly easy to masquerade as the legitimate host, especially if the masquerading host is physically located close to the host being impersonated. Security measures to protect against misuse of some host-based authentication systems are available (e.g., Secure RPC uses DES to provide a more secure identification of the client host).
 
 An example of host-based authentication is the Network File System (NFS), which allows a server to make file systems/directories available to specific machines.
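As an added example that is not from the NIST Handbook: a small Python auditor for an NFS /etc/exports file, the host-based authentication case just named. It parses each export's client list and flags entries whose host-based trust is wider or weaker than the "specific machines" model: wildcard clients, remote root kept as root, and writable exports that rely on the client address alone rather than a Kerberos security flavor. The file content is a constructed sample; the option names are standard NFS export options.

```python
# Added example (not from the NIST Handbook): audit an NFS /etc/exports file, the
# host-based authentication case named above. Each entry is
# "<path> <client>(<options>) ..."; a client is a host, a network or a wildcard.
# The file content below is a constructed sample.
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/research   203.0.113.0/24(rw,sync,root_squash,sec=krb5p)
/srv/public     *(ro,sync)
/srv/backups    *(rw,no_root_squash)
/home           nas-client.example.org(rw,sync)
"""

ENTRY = re.compile(r"^(\S+)\s+(.*)$")
CLIENT = re.compile(r"(\S+?)\((.*?)\)|(\S+)")

def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = ENTRY.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for host, opts, bare in CLIENT.findall(rest):
            client = host or bare
            options = set(o for o in opts.split(",") if o) if host else set()
            entries.append((path, client, options))
    return entries

def audit(text):
    """Flag exports whose host-based trust is wider or weaker than the page's
    'specific machines' model: wildcard clients, remote root kept as root, and
    writable exports authenticated by client address alone (no Kerberos flavor)."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "*" in client or "?" in client:
            findings.append((path, "exported to any host matching a wildcard"))
        if "no_root_squash" in opts:
            findings.append((path, "remote root keeps root privileges"))
        if "rw" in opts and not any(o.startswith("sec=krb5") for o in opts):
            findings.append((path, "writable export trusts client address alone"))
    return findings
```

Run against the sample, only the /srv/research export passes cleanly; the others produce findings because their access decision rests on nothing more than the address a client presents.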


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.