R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 10, 2021

Please stay safe - We will recover.

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - 2021 strategy predictions: Shifts in business models, shifts in security priorities - As companies of all sizes prepare for more challenges tied to the pandemic, as well as an expected transition to a permanent hybrid workforce, security plans will need to adapt. https://www.scmagazine.com/home/year-in-review/2021-strategy-predictions-shifts-in-business-models-shifts-in-security-priorities/

Ticketmaster fined $10 million in corporate espionage scheme - The Department of Justice announced Wednesday Ticketmaster would pay a $10 million fine as part of a deferred prosecution agreement for using an employee’s login credentials to his former employer’s computer systems to garner information on the competitor. https://www.scmagazine.com/home/security-news/data-breach/ticketmaster-fined-10-million-in-corporate-espionage-scheme/

SolarWinds, top executives hit with class action lawsuit over Orion software breach - SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector. https://www.scmagazine.com/home/solarwinds-hack/solarwinds-top-executives-hit-with-class-action-lawsuit-over-orion-software-breach/

SolarWinds: The more we learn, the worse it looks - While you've been distracted by the holidays, coronavirus, and politics, the more we learn about the SolarWinds security fiasco, the worse it looks. https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks/

FBI: Home Surveillance Devices Hacked to Record Swatting Attacks - A warning issued this week by the FBI alerts owners of smart home devices with voice and video capabilities that these types of systems have been targeted by individuals who launch so-called “swatting” attacks. https://www.securityweek.com/fbi-home-surveillance-devices-hacked-record-swatting-attacks

Survey says, women in cyber make 31 percent less than men - A 2020 survey of infosec professionals found that U.S.-based male respondents take home an average annual salary of $91,000, while female participants earn an average of $62,000 per year. https://www.scmagazine.com/women-in-it-security/survey-says-women-in-cyber-make-31-percent-less-than-men/

White House unveils maritime cybersecurity standards for government and industry - The White House unveiled a National Maritime Cybersecurity Plan meant to set standards for the U.S. maritime transportation system (MTS), including guidelines around threat information sharing, creating a cybersecurity workforce and establishing a risk framework for operational technology (OT) in ports. https://www.scmagazine.com/home/government/white-house-unveils-maritime-cybersecurity-standards-for-government-and-industry/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Non-profit founded by Gates Foundation suffers massive exposure of student records - Get Schooled, a New York-based charity, suffered a data exposure that left records related to hundreds of thousands of students in an unsecured AWS bucket that was open and accessible from the internet. https://www.scmagazine.com/home/security-news/student-college-non-profit-founded-by-gates-foundation-suffers-student-records-breach/

Financial services industry hit with tens of millions of attacks per day - In an update of its State of the Internet report, Akamai found that in the past year the financial services industry was hit with millions or tens of millions of attacks per day. https://www.scmagazine.com/home/security-news/financial-services-industry-hit-with-tens-of-millions-of-attacks-per-day/

Fourth breach at T-Mobile puts focus on security post mergers - T-Mobile reported a breach that compromised customer data – the company’s fourth in three years – which raises questions about whether the mobile carrier’s massive merger with Sprint left the combined company more vulnerable. https://www.scmagazine.com/home/security-news/mobile-security/fourth-breach-at-t-mobile-puts-focus-on-security-of-post-mergers/

SOLARWINDS ATTACKERS ACCESSED, BUT DID NOT MODIFY, MICROSOFT SOURCE CODE - As the organizations hit by the SolarWinds attackers have continued to assess the damage to their internal systems, some interesting details have emerged. At the top of that list is the fact that the attackers were able to access some of Microsoft’s source code repositories. https://duo.com/decipher/solarwinds-attackers-accessed-but-did-not-modify-microsoft-source-code

TransLink confirms ransomware data theft, still restoring systems - Metro Vancouver's transportation agency TransLink has confirmed that the Egregor ransomware operators who breached its network at the beginning of December 2020 also accessed and potentially stole employees' banking and social security information. https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/

Japanese Aerospace Firm Kawasaki Warns of Data Breach - The Japanese aerospace manufacturer said that starting in June, overseas unauthorized access to its servers may have compromised customer data. https://threatpost.com/japanese-aerospace-firm-kawasaki-warns-of-data-breach/162642/

Apex Laboratory Says Patient Data Stolen in Ransomware Attack - At-home laboratory services provider Apex Laboratory said hackers stole some patient data during a ransomware attack that took place several months ago. https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack

After widespread hospital attacks, targeting of health care industry continues to rise - A wave of ransomware attacks against hospitals in the United States and United Kingdom late last year shocked the conscience of many cybersecurity professionals. Things have only gotten worse for the health care industry since then. https://www.scmagazine.com/home/security-news/after-widespread-hospital-attacks-targeting-of-health-care-industry-continues-to-rise/


WEB SITE COMPLIANCE -
Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.

FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)

Tokens

Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer such as an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.
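As an added illustration, not part of the FDIC text, the following Python models the time-synchronized token described above: the token and the host share a seed and a clock, the token refuses to emit a password until the PIN is supplied, and the host tolerates one step of clock drift while rejecting any code from a time step it has already accepted. It assumes the HMAC-SHA1 construction of RFC 4226/6238 with a 30-second step and 6 digits; the seed is the RFC test-vector key and the PIN is a constructed value.

```python
import hashlib
import hmac
import struct

# Constructed values for this example: the seed is the RFC 4226/6238 test-vector
# key, the PIN is made up; a 30-second step and 6 digits follow RFC 6238.
SECRET = b"12345678901234567890"
TIME_STEP = 30
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """Time-synchronised password: the counter is the current 30-second step."""
    return hotp(secret, now // TIME_STEP)

class Token:
    """Hand-held device: refuses to emit a password until the PIN is supplied."""
    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def password(self, pin: str, now: int):
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None  # wrong PIN: the token stays inactive
        return totp(self._secret, now)

class Host:
    """Host security software: same seed, tolerates clock drift, rejects replays."""
    def __init__(self, secret: bytes, skew_steps: int = 1):
        self._secret = secret
        self._skew = skew_steps
        self._last_step = -1  # highest time step already accepted for this user

    def verify(self, submitted: str, now: int) -> bool:
        current = now // TIME_STEP
        for step in range(current - self._skew, current + self._skew + 1):
            if step <= self._last_step:
                continue  # a code from this step (or earlier) was already used
            if hmac.compare_digest(hotp(self._secret, step), submitted):
                self._last_step = step
                return True
        return False
```

The replay check matters because a one-time password is only "one-time" if the host remembers which step it last accepted; without it, a code captured within the drift window could be reused.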

Smart Cards

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.

Biometrics

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING

12.3 Technical Support for Incident Handling

Incident handling will be greatly enhanced by technical mechanisms that enable the dissemination of information quickly and conveniently.

12.3.1 Communications for Centralized Reporting of Incidents

The technical ability to report incidents is of primary importance, since without knowledge of an incident, response is precluded. Fortunately, such technical mechanisms are already in place in many organizations.

For rapid response to constituency problems, a simple telephone "hotline" is practical and convenient. Some agencies may already have a number used for emergencies or for obtaining help with other problems; it may be practical (and cost-effective) to also use this number for incident handling. It may be necessary to provide 24-hour coverage for the hotline. This can be done by staffing the answering center, by providing an answering service for non-office hours, or by using a combination of an answering machine and personal pagers.

If additional mechanisms for contacting the incident handling team can be provided, it may increase access and thus benefit incident handling efforts. A centralized e-mail address that forwards mail to staff members would permit the constituency to conveniently exchange information with the team.  Providing a fax number to users may also be helpful.

One way to establish a centralized reporting and incident response capability, while minimizing expenditures, is to use an existing Help Desk. Many agencies already have central Help Desks for fielding calls about commonly used applications, troubleshooting system problems, and providing help in detecting and eradicating computer viruses. By expanding the capabilities of the Help Desk and publicizing its telephone number (or e-mail address), an agency may be able to significantly improve its ability to handle many different types of incidents at minimal cost.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.