R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 15, 2023

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

SolarWinds shareholders ask Delaware Supreme Court to revive Orion breach lawsuit - SolarWinds shareholders have appealed to the Delaware Supreme Court after a lower Chancery Court dismissed their lawsuit against the software company’s directors last year, arguing that the board “did absolutely nothing” for years to address cybersecurity flaws that were exposed in a massive 2020 hack of their flagship Orion IT management software. https://www.scmagazine.com/analysis/application-security/solarwinds-shareholders-appeal-orion-breach-lawsuit-to-delaware-supreme-court

End to Windows 8.1 support will create asset management headaches for specialized industries - Microsoft will stop supporting Windows 8.1 on Jan. 10, at which point the software maker says it will no longer offer technical assistance and software updates for those systems. https://www.scmagazine.com/analysis/asset-management/end-to-windows-8-1-support-will-create-asset-management-headaches-for-specialized-industries

Hackers went after personally identifiable information the most, study says - A recently released study that analyzed the top 100 breaches from July 2021 to July 2022 showed that hackers went after personally identifiable information 42.7% of the time. https://www.scmagazine.com/news/data-security/hackers-went-after-personally-identifiable-information-the-most-study-says

Microsoft: Windows Server 2012 reaches end of support in October - Microsoft has reminded customers that the extended support for all editions of Windows Server 2012 and Windows Server 2012 R2 will end on October 10. https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-2012-reaches-end-of-support-in-october/

Four ways to reduce the risk of third-party breaches - Data breaches and cyberattacks via third parties and supply chain partners are on the rise. Alarmingly, there has been a 300% increase in data breaches via third parties, representing a staggering 25% share of all data breaches. https://www.scmagazine.com/perspective/risk-management/four-ways-to-reduce-the-risk-of-third-party-breaches

FCC proposes stronger data breach rules, faster notifications for telecoms - The Federal Communications Commission on Friday launched a process to update its rules for how quickly telecommunication carriers notify consumers about breaches of sensitive information. https://www.cyberscoop.com/fcc-data-breach-notifications/

John Deere relents, says farmers can fix their own tractors after all - After a lengthy argument, a right to repair comes to agricultural machinery. Farmers now have the right to repair their John Deere tractors themselves or through independent third parties, ending a lengthy battle with the agricultural machinery company. https://arstechnica.com/tech-policy/2023/01/john-deere-relents-says-farmers-can-fix-their-own-tractors-after-all/

What CISOs don’t know about their SOCs - CISOs and security operations teams attempting to protect enterprise networks, data and assets face growing complexity. The constantly increasing attack surface, number of data sources, attack vectors, and correlation rules create the Gordian knot of security. https://www.scmagazine.com/perspective/strategy/what-cisos-dont-know-about-their-socs

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

DevOps platform CircleCI suffers breach, urges immediate user action - CircleCI, a developer tool provider with over one million users, is urging customers to immediately rotate all secrets following a breach of the company’s systems.
https://www.scmagazine.com/analysis/breach/devops-platform-circleci-suffers-breach-urges-immediate-user-action
https://thehackernews.com/2023/01/circleci-urges-customers-to-rotate.html

Rail Tech Giant Wabtec Discloses Global Data Breach - Wabtec Corporation has finally disclosed details of a data security incident last year which led to the compromise of highly sensitive personal information. https://www.infosecurity-magazine.com/news/rail-tech-wabtec-global-data-breach/

The Guardian ransomware attack hits week two as staff told to work from home - Long-standing British newspaper The Guardian has told staff to continue working from home and notified the UK's data privacy watchdog about the security breach following a suspected ransomware attack before Christmas. https://www.theregister.com/2023/01/04/guardian_ransomware_attack/

NJ hospital CentraState diverting patients after cyberattack, IT shutdown - CentraState Medical Center in New Jersey, Hospital for Sick Children (SickKids), and Queen Elizabeth Hospital (QEH) in Barbados are facing continued disruptions due to cybersecurity incidents in the last few weeks. https://www.scmagazine.com/analysis/ransomware/nj-hospital-centrastate-diverting-patients-after-cyberattack-it-shutdown

Cyberattack on Records Vendor Affects Scores of US Counties - Hundreds of U.S. counties continue to work with pen and paper after a cyberattack on their digital records management vendor last week disrupted methods to view, add and edit government records. https://www.govinfosecurity.com/cyberattack-on-records-vendor-affects-scores-us-counties-a-20856

Rackspace confirms Play ransomware was behind recent cyberattack - Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company's hosted Microsoft Exchange environments. https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/

Healthcare’s vendor problem spurs more than data breaches - it’s a patient safety risk - The risk of supply chain partners is well-known in all sectors, thanks, in part, to the massive disruptions caused by the Colonial Pipeline, SolarWinds, and Accellion incidents in 2020. https://www.scmagazine.com/feature/third-party-risk/healthcares-vendor-problem-spurs-more-than-data-breaches-its-a-patient-safety-risk

Car hackers discover vulnerabilities that could let them hijack millions of vehicles - The vulnerabilities could let attackers remotely track, stop or control a car - even an entire fleet of emergency vehicles. https://www.cyberscoop.com/car-hackers-vulnerabilities-research/

Texas County EMS Agency Says Ransomware Breach Hit 612,000 - A municipal ambulance services provider that serves 15 cities in a Texas county has reported to federal regulators a ransomware breach potentially affecting 612,000 individuals, which is equivalent to nearly 30% of the county's 2.1 million population. https://www.govinfosecurity.com/texas-county-ems-agency-says-ransomware-breach-hit-612000-a-20876

Interior’s Cyber Practices Allow for Easily Crackable Passwords, Watchdog Finds - An OIG investigation found that the Interior Department has not fully implemented multifactor authentication and that its “outdated and ineffective” password requirements leave employees’ accounts vulnerable to exploitation. https://www.nextgov.com/cybersecurity/2023/01/interiors-cyber-practices-allow-easily-crackable-passwords-watchdog-finds/381620/

Hive claims stealing Consulate Health data; provider reports vendor incident - The Hive ransomware threat group claims to have stolen 550 GB of data from Consulate Health Care. The actors’ dark web posting appeared around the same time a notice was posted on the Consulate website that warned patients of potential access to their data. https://www.scmagazine.com/analysis/ransomware/hive-claims-stealing-consulate-health-data-provider-reports-vendor-incident

Healthcare disruptions rise due to ransomware attacks, though reporting gaps limit insights - Ransomware attacks on healthcare delivery organizations doubled between 2016 and 2021, from 43 reported attacks to 91. https://www.scmagazine.com/analysis/ransomware/healthcare-disruptions-rise-due-to-ransomware-attacks-though-reporting-gaps-limit-insights


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
(Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1) dissatisfied purchasers of third-party products or services;

2) patent or trademark holders for infringement by the third party; and

3) persons alleging the unauthorized release or compromise of their confidential information, as a result of the third party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations. For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION

Measurement and Interpretation of Test Results. Institutions should design tests to produce results that are logical and objective. Results that are reduced to metrics are potentially more precise and less subject to confusion, as well as being more readily tracked over time. The interpretation and significance of test results are most useful when tied to threat scenarios.

Traceability. Test results that indicate an unacceptable risk in an institution's security should be traceable to actions subsequently taken to reduce the risk to an acceptable level.

Thoroughness. Institutions should perform tests sufficient to provide a high degree of assurance that their security plan, strategy and implementation is effective in meeting the security objectives. Institutions should design their test program to draw conclusions about the operation of all critical controls. The scope of testing should encompass all systems in the institution's production environment and contingency plans and those systems within the institution that provide access to the production environment.

Frequency. Test frequency should be based on the risk that critical controls are no longer functioning. Factors to consider include the nature, extent, and results of prior tests, the value and sensitivity of data and systems, and changes to systems, policies and procedures, personnel, and contractors. For example, network vulnerability scanning on high-risk systems can occur at least as frequently as significant changes are made to the network.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.4 Mitigating Threats of Information Disclosure/Brokering

HGA concurred with the risk assessment's conclusions about its exposure to information-brokering risks, and adopted most of the associated recommendations.

The assessment recommended that HGA improve its security awareness training (e.g., via mandatory refresher courses) and that it institute some form of compliance audits. The training should be sure to stress the penalties for noncompliance. It also suggested installing "screen lock" software on PCs that automatically lock a PC after a specified period of idle time in which no keystrokes have been entered; unlocking the screen requires that the user enter a password or reboot the system.

The assessment recommended that HGA modify its information-handling policies so that employees would be required to store some kinds of disclosure-sensitive information only on PC local hard disks (or floppies), but not on the server. This would eliminate or reduce risks of LAN eavesdropping. It was also recommended that an activity log be installed on the server (and regularly reviewed). Moreover, it would avoid unnecessary reliance on the server's access-control features, which are of uncertain assurance. The assessment noted, however, that this strategy conflicts with the desire to store most information on the server's disks so that it is backed up routinely by COG personnel. (This could be offset by assigning responsibility for someone other than the PC owner to make backup copies.) Since the security habits of HGA's PC users have generally been poor, the assessment also recommended use of hard-disk encryption utilities to protect disclosure-sensitive information on unattended PCs from browsing by unauthorized individuals. Also, ways to encrypt information on the server's disks would be studied.

The assessment recommended that HGA conduct a thorough review of the mainframe's safeguards in these respects, and that it regularly review the mainframe audit log, using a query package, with particular attention to records that describe user accesses to HGA's employee master database.
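The last recommendation above, regular review of the mainframe audit log with a query package focused on accesses to the employee master database, can be shown as a small query script. This is an added example, not code from the NIST Handbook or from HGA; the pipe-delimited log format, the dataset name EMPLOYEE_MASTER and the 07:00-18:59 business-hours window are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (assumed format): timestamp|user|action|resource|outcome
SAMPLE_AUDIT_LOG = """\
2023-01-09T08:12:04|pmartin|READ|EMPLOYEE_MASTER|OK
2023-01-09T08:13:51|pmartin|UPDATE|EMPLOYEE_MASTER|OK
2023-01-09T09:02:17|jlee|READ|TIME_ATTENDANCE|OK
2023-01-09T22:41:33|tgray|READ|EMPLOYEE_MASTER|OK
2023-01-10T03:15:09|tgray|READ|EMPLOYEE_MASTER|DENIED
2023-01-10T10:30:00|jlee|READ|EMPLOYEE_MASTER|OK
"""

MASTER_DB = "EMPLOYEE_MASTER"   # assumed name of HGA's employee master database
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is normal working time


def parse_record(line):
    """Split one pipe-delimited audit record into a dict of its fields."""
    ts, user, action, resource, outcome = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "outcome": outcome}


def review_master_db_access(log_text):
    """Per-user summary of every access to the employee master database.
    Counts reads and updates, denied attempts, and successful after-hours use."""
    summary = defaultdict(lambda: {"reads": 0, "updates": 0,
                                   "denied": 0, "after_hours": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["resource"] != MASTER_DB:
            continue  # other datasets are out of scope for this review
        entry = summary[rec["user"]]
        if rec["outcome"] != "OK":
            entry["denied"] += 1
            continue
        entry["updates" if rec["action"] == "UPDATE" else "reads"] += 1
        if rec["time"].hour not in BUSINESS_HOURS:
            entry["after_hours"] += 1
    return dict(summary)


def users_needing_review(summary):
    """Users with any denied attempt or after-hours access, for follow-up."""
    return sorted(u for u, c in summary.items()
                  if c["denied"] or c["after_hours"])
```

Run over the sample log, the review lists tgray for follow-up (one denied attempt and one successful read at 22:41), while pmartin and jlee show only ordinary daytime activity.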


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.