R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 22, 2023

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

How a CISO collaboration of healthcare’s ‘haves’ plans to address third-party vendor challenges - The last year has seen a broader audience understand the disparities between the ‘haves’ and ‘have-nots’ in healthcare, in part spurred by the growing chasm between the two groups. https://www.scmagazine.com/feature/third-party-risk/how-a-ciso-collaboration-of-healthcares-haves-plans-to-address-third-party-vendor-challenges

A third of companies don’t offer cybersecurity training to remote workers - A report released Thursday found that 33% of companies are not offering any cybersecurity awareness training to users who work remotely. https://www.scmagazine.com/news/security-awareness/a-third-of-companies-dont-offer-cybersecurity-training-to-remote-workers

There’s no such thing as ‘100% security’ - CIOs and CISOs will inevitably have to accurately answer the holy grail question from the C-suite: Are we 100% secure? https://www.scmagazine.com/perspective/strategy/theres-no-such-thing-as-100-security

Cisco Warns of Critical Vulnerability in EoL Small Business Routers - Cisco this week announced that no patches will be released for a critical-severity vulnerability impacting small business RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). https://www.securityweek.com/cisco-warns-critical-vulnerability-eol-small-business-routers

Hackers to Get a Crack at Systems Running the Pentagon in New Bug Bounty - The Defense Department is planning the third iteration of its Hack the Pentagon program with a focus on identifying vulnerabilities in the operational technologies that keep the iconic building and grounds running. https://www.nextgov.com/cybersecurity/2023/01/hackers-get-crack-systems-running-pentagon-new-bug-bounty/381806/

Ransomware attacks persist in healthcare as impacts on patient safety rise - Patient safety has become the driving force behind ongoing healthcare cybersecurity risk framing and as a risk metric for evaluating connected vendors. https://www.scmagazine.com/analysis/ransomware/ransomware-attacks-persist-in-healthcare-as-impacts-on-patient-safety-rise

GAO - Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight. https://www.gao.gov/products/gao-23-106415

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

CircleCI working with AWS to identify, rotate tokens possibly impacted by breach - AWS tokens may have been impacted by a Jan. 4 security breach, according to an update provided by the development platform Thursday. https://www.scmagazine.com/analysis/cloud-security/circleci-working-with-aws-to-identify-rotate-tokens-impacted-by-the-breach

Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day - Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets. https://www.bleepingcomputer.com/news/security/fortinet-govt-networks-targeted-with-now-patched-ssl-vpn-zero-day/

Royal Mail, cops probe 'cyber incident' that's knackered international mail - Royal Mail confirmed a "cyber incident" has disrupted its ability to send letters and packages abroad, and also caused some delays on post coming into the UK. https://www.theregister.com/2023/01/11/royal_mail_uk_cyber_incident/

Cyberattack Cancels Classes for Des Moines Public Schools - The largest public school system in Iowa is slated to resume classes on Thursday, Jan. 12, following the detection of abnormal network activity that prompted the district to pull its systems offline. https://www.darkreading.com/attacks-breaches/cyberattack-cancels-classes-for-des-moines-public-schools

CircleCI Hacked via Malware on Employee Laptop - Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop. https://www.securityweek.com/circleci-hacked-malware-employee-laptop

NortonLifeLock warns that hackers breached Password Manager accounts - Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/

Ransomware Attack Affects 1,000 Vessels Worldwide - A ransomware attack shut down servers hosting software used to manage the crewing and maintenance schedules of about 1,000 vessels across the globe. https://www.govinfosecurity.com/ransomware-attack-affects-1000-vessels-worldwide-a-20939

Third-party administrator hack leads to theft of patient data for over 251K - Austin, Texas-based Bay Bridge Administrators, a third-party administrator of insurance products, recently began notifying more than 251,000 patients that their data was stolen after a network hack in September 2022. https://www.scmagazine.com/analysis/breach/third-party-administrator-hack-leads-to-theft-of-patient-data-for-over-251k


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
(Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop-up" is a screen generated by mobile code, for example Java or Active X, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
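As an added example (not text from the FFIEC statement and not Yennik code), the following shows a server-generated speedbump of the kind the statement recommends: the interstitial is rendered by the institution's own server, so no mobile code runs in the customer's browser, and the destination is checked against an allowlist of registered partner hosts so the interstitial cannot be pointed at arbitrary sites. The partner host names and the disclosure wording are constructed for illustration, and a web framework's request handler is emulated with plain functions so the code runs offline.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist of linked third-party hosts (hypothetical names,
# not real weblinking partners).
ALLOWED_HOSTS = {"insurance.example-partner.com", "www.example-broker.net"}

# Disclosure text written for this example, along the lines the statement describes.
DISCLOSURE = (
    "You are leaving the institution's website. The institution does not "
    "provide, and is not responsible for, the products, services, or content "
    "on the linked site, and its privacy policy does not apply there."
)


def validate_outbound(url: str) -> bool:
    """Accept only https links to pre-registered partner hosts.

    Everything else (http, javascript:, look-alike hosts, embedded
    credentials) is rejected, so the speedbump cannot be abused as an
    open redirect to an arbitrary site.
    """
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_HOSTS
        and parts.username is None
        and parts.password is None
    )


def speedbump(url: str) -> tuple[int, str]:
    """Return (HTTP status, HTML body) for the intermediate page.

    The page is built entirely on the server; the browser receives plain
    HTML with an ordinary link, so nothing here can be blocked the way
    script-generated pop-ups are.
    """
    if not validate_outbound(url):
        return 400, "<p>Unrecognised link.</p>"
    safe_url = escape(url, quote=True)  # neutralise quotes, &, < in attribute and text
    body = (
        "<h1>Notice</h1>"
        f"<p>{escape(DISCLOSURE)}</p>"
        f"<p>Destination: <code>{safe_url}</code></p>"
        f'<p><a href="{safe_url}" rel="noopener noreferrer">Continue</a> | '
        '<a href="/">Return to our site</a></p>'
    )
    return 200, body
```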



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS

(FYI - This is the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)

Penetration tests, audits, and assessments can use the same set of tools in their methodologies.  The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanism's effectiveness. Penetration tests generally are not a comprehensive test of the system's security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.5 Mitigating Network-Related Threats

The assessment recommended that HGA:

  • require stronger I&A for dial-in access or, alternatively, that a restricted version of the mail utility be provided for dial-in, which would prevent a user from including files in outgoing mail messages;
  • replace its current modem pool with encrypting modems, and provide each dial-in user with such a modem; and
  • work with the mainframe agency to install a similar encryption capability for server-to-mainframe communications over the WAN.

As with previous risk assessment recommendations, HGA's management tasked COG to analyze the costs, benefits, and impacts of addressing the vulnerabilities identified in the risk assessment. HGA eventually adopted some of the risk assessment's recommendations, while declining others. In addition, HGA decided that its policy on handling time and attendance information needed to be clarified, strengthened, and elaborated, with the belief that implementing such a policy would help reduce risks of Internet and dial-in eavesdropping. Thus, HGA developed and issued a revised policy, stating that users are individually responsible for ensuring that they do not transmit disclosure-sensitive information outside of HGA's facilities via e-mail.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.