January 17, 2021
Please stay safe - We will recover.
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - The physical breach of the
Capitol building opens a cybersecurity Pandora’s box - The
insurrection at the U.S. Capitol Wednesday, which saw rioters storm
the building and reportedly steal devices belonging to government
officials, opened what one cybersecurity expert has called a
Pandora’s box of national security and data privacy issues.
https://www.scmagazine.com/home/security-news/data-breach/the-physical-breach-of-the-capitol-building-opens-a-cybersecurity-pandoras-box/
Biden’s pick as White House cyber czar provides critical federal
leadership and diversity - When Joe Biden assumes the presidency 13
days from now, as government grapples with fallout from the
SolarWinds breach and a break-in at the U.S. Capitol, veteran
intelligence expert Anne Neuberger likely will be by his side as
deputy national security advisor for cybersecurity on the National
Security Council (NSC).
https://www.scmagazine.com/women-in-it-security/bidens-pick-as-white-house-cyber-czar-provides-critical-federal-leadership-and-diversity/
Sealed U.S. Court Records Exposed in SolarWinds Breach - The ongoing
breach affecting thousands of organizations that relied on
backdoored products by network software firm SolarWinds may have
jeopardized the privacy of countless sealed court documents on file
with the U.S. federal court system, according to a memo released
Wednesday by the Administrative Office (AO) of the U.S. Courts.
https://krebsonsecurity.com/2021/01/sealed-u-s-court-records-exposed-in-solarwinds-breach/
SolarWinds fallout: DOJ says hackers accessed its Microsoft O365
email server - The US Department of Justice is one of the rare
SolarWinds victims where hackers escalated the hack to a second
phase and moved to access internal email inboxes, the agency said
today.
https://www.zdnet.com/article/solarwinds-fallout-doj-says-hackers-accessed-its-microsoft-o365-email-server/
CISA updates guidance on SolarWinds compromise - Federal agencies
that ran compromised SolarWinds Orion software must conduct a
forensic analysis by the end of the month, according to new
supplemental guidance from the Cybersecurity and Infrastructure
Security Agency released Wednesday.
https://www.fedscoop.com/solarwinds-guidance-update-cisa/
Feds will weigh whether cyber best practices were followed when
assessing HIPAA fines - The Department of Health and Human Services
(HHS) will now consider whether organizations followed best
practices for protecting medical information before assessing fines
for violation of the Health Insurance Portability and Accountability
Act.
https://www.scmagazine.com/home/health-care/feds-will-weigh-whether-cyber-best-practices-were-followed-when-assessing-hipaa-fines/
SolarWinds details stealthy code used to launch hacking campaign -
SolarWinds, the federal contractor at the center of a sweeping
suspected Russian hacking campaign, on Monday identified malicious
code the company says attackers used to manipulate its software, and
remain undetected for months.
https://www.cyberscoop.com/solarwinds-malicious-code-crowdstrike-russia/
Russian man sentenced to 12 years in prison for massive JPMorgan
data heist - A U.S. federal judge on Thursday sentenced Andrei
Tyurin, a 37-year-old Russian man, to 12 years in prison for his
role in a hacking scheme that prosecutors say involved the theft of
personal data from over 100 million customers of big U.S. financial
firms.
https://www.cyberscoop.com/andrei-tyurin-jp-morgan-hack-sentencing/
Thou shalt not hack indiscriminately, High Court of England tells
Britain's spy agencies - A landmark High Court ruling has struck
down Britain's ability to hack millions of people at a time through
so-called "general warrants" in what privacy campaigners are hailing
as a major victory.
https://www.theregister.com/2021/01/11/equipment_interference_privacy_international_judgment/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Months after this 'serious'
cyberattack, stolen data has been leaked online by hackers - The
information that was stolen has been published to the dark web. Data
stolen in a cyberattack against a London council last year has been
leaked online by the hackers responsible for the attack.
https://www.zdnet.com/article/months-after-this-serious-cyber-attack-stolen-data-has-been-leaked-online-by-hackers/
Minnesota’s Lake Region Healthcare Recovering From Ransomware Attack
- A ransomware attack struck Minnesota-based Lake Region Healthcare
just before Christmas, resulting in some system disruptions;
“activist” data leaks and two email hacks complete this week’s
breach roundup.
https://healthitsecurity.com/news/minnesotas-lake-region-healthcare-recovering-from-ransomware-attack
Nissan source code leaked online after Git repo misconfiguration -
Nissan was allegedly running a Bitbucket Git server with the default
credentials of admin/admin.
https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/
Legal recourse? Nissan balances competitive and security fallout
from source code leak - News that source code of Nissan North
America tools leaked online because of a misconfigured Git server
spurs questions not only about potential cyberattacks by bad actors,
but also whether competitors could use the sensitive data against
the automobile giant.
https://www.scmagazine.com/home/security-news/data-breach/legal-recourse-nissan-balances-competitive-and-security-fallout-from-source-code-leak/
Linux machines again targeted by hackers with new memory loader -
Linux-based machines are no longer considered a major deterrent for
cybercriminal groups, who are embracing the operating system as a
target.
https://www.scmagazine.com/home/security-news/malware/linux-machines-again-targeted-by-hackers-with-new-memory-loader/
Reserve Bank of New Zealand investigates illegal access of
third-party system - Compromised data may include some commercially
and personally sensitive information. The Reserve Bank of New
Zealand -- Te Pūtea Matua -- on Monday said it was still responding
"with urgency" to an illegal breach of one of its systems.
https://www.zdnet.com/article/reserve-bank-of-new-zealand-investigates-illegal-access-of-third-party-system/
WEB SITE COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
FFIEC IT SECURITY - This concludes the series from the FDIC "Security Risks Associated with the Internet." Starting next week, we will begin covering the OCC Bulletin about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org.
Many other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of
recent security discussions within the technology industry. While it
is not their only application, these languages allow computer
programs to be attached to Web pages. As such, more appealing and
interactive Web pages can be created, but this function may also
allow unauthorized programs to be automatically downloaded to a
user's computer. To date, few incidents have been reported of harm
caused by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint,
such as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
VI. Viruses
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both non-technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness
and compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration
management process that monitors for vulnerabilities in hardware and
software and establishes a process to install and test security
patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and
vendors to identify and react to new security issues.
! Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.4 Training
The purpose of training is to teach people the skills that will
enable them to perform their jobs more securely. This includes
teaching people what they should do and how they should (or can) do
it. Training can address many levels, from basic security practices
to more advanced or specialized skills. It can be specific to one
computer system or generic enough to address all systems.
Training is most effective when targeted to a specific audience.
This enables the training to focus on the security-related job skills
and knowledge that people need in performing their duties. Two types of
audiences are general users and those who require specialized or
advanced skills.
General Users. Most users need to understand good computer security
practices, such as:
1) protecting the physical area and equipment (e.g., locking
doors, caring for floppy diskettes);
2) protecting passwords (if used) or other authentication data
or tokens (e.g., never divulge PINs); and
3) reporting security violations or incidents (e.g., whom to
call if a virus is suspected).
In addition, general users should be taught the organization's
policies for protecting information and computer systems and the
roles and responsibilities of various organizational units with
which they may have to interact.
In teaching general users, care should be taken not to overburden
them with unneeded details. These people are the target of
multiple training programs, such as those addressing safety, sexual
harassment, and AIDS in the workplace. The training should be made
useful by addressing security issues that directly affect the users.
The goal is to improve basic security practices, not to make
everyone literate in all the jargon or philosophy of security.
Specialized or Advanced Training. Many groups need more
advanced or more specialized training than just basic security
practices. For example, managers may need to understand security
consequences and costs so they can factor security into their
decisions, or system administrators may need to know how to
implement and use specific access control products.
There are many different ways to identify individuals or groups who
need specialized or advanced training. One method is to look at job
categories, such as executives, functional managers, or technology
providers. Another method is to look at job functions, such as
system design, system operation, or system use. A third method is to
look at the specific technology and products used, especially for
advanced training for user groups and training for a new system.
Techniques. A security training program normally includes
training classes, either strictly devoted to security or as added
special sections or modules within existing training classes.
Training may be computer- or lecture-based (or both), and may
include hands-on practice and case studies. Training, like
awareness, also happens on the job.
One group that has been targeted for specialized training is
executives and functional managers. The training for management
personnel is specialized (rather than advanced) because managers do
not (as a general rule) need to understand the technical details of
security. However, they do need to understand how to organize,
direct, and evaluate security measures and programs. They also need
to understand risk acceptance.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.