R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 23, 2022

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Statutory restrictions hindered federal response to SolarWinds, Microsoft Exchange - The SolarWinds and Microsoft Exchange incidents improved coordination between the government and private industry, but also exposed worrying gaps in the government’s information sharing, auditors concluded in a new Government Accountability Office report released Thursday. https://www.scmagazine.com/analysis/incident-response/statutory-restrictions-hindered-federal-response-to-solarwinds-microsoft-exchange

Accellion claims no ‘guarantee’ of security in $8.1M breach settlement - Accellion reached an $8.1 million settlement in its class-action data breach lawsuit with the approximately 9.2 million individuals impacted by the months long hack of its file transfer application, which resulted in the theft of both consumer and patient data. https://www.scmagazine.com/analysis/incident-response/accellion-reaches-8-1m-settlement-in-data-breach-lawsuit

10 nations coordinate shutdown of ransomware VPN service - On Monday, law enforcement agencies in 10 nations, including the FBI in the United States, shut down a 15-server VPN service used to anonymize ransomware attacks. https://www.scmagazine.com/analysis/ransomware/10-nations-coordinate-shutdown-of-ransomware-vpn-service

NSA gains new cybersecurity authorities over national security systems - The White House issued a memo today that gives the National Security Agency (NSA) more authority over protecting national security systems and seeks to better position the Department of Defense (DoD) and intelligence agencies to handle a range of digital national security threats targeting cloud systems and outdated encryption standards. https://www.scmagazine.com/analysis/cloud-security/nsa-gains-new-cybersecurity-authorities-over-national-security-systems

Critical vulnerabilities submissions increased 185% for financial sector in 2021 - It was reported that financial services companies experienced a 185% increase in the last 12 months for Priority One (P1) bug submissions, which refer to the most critical vulnerabilities. https://www.scmagazine.com/news/asset-management/critical-vulnerabilities-submissions-increased-185-for-financial-sector-in-2021

Philippines bank will no longer use clickable website links on promo materials - In an interesting move by a foreign bank to protect consumers, UnionBank of the Philippines on Tuesday said it will no longer use clickable website links in promo materials as a way to protect online users from becoming victims of phishing, smishing, and other online fraud. https://www.scmagazine.com/news/cybercrime/philippines-bank-will-no-longer-use-clickable-website-links-on-promo-materials

GAO 1-20-22 - Information Technology: Biannual Scorecards Have Evolved and Served as Effective Oversight Tools. https://www.gao.gov/products/gao-22-105659

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Maryland Department of Health confirms ransomware spurred monthlong outage - Maryland Departments of Health and Information Technology confirmed the ongoing, monthlong network outages were spurred by a ransomware attack. https://www.scmagazine.com/analysis/backup-and-recovery/maryland-department-of-health-confirms-ransomware-spurred-monthlong-outage

Maryland officials confirm ransomware attack shut down Department of Health - Maryland officials confirmed on Wednesday that the state's Department of Health is dealing with a devastating ransomware attack, which has left hospitals struggling amid a surge of COVID-19 cases. https://www.zdnet.com/article/maryland-officials-confirm-ransomware-attack-shut-down-department-of-health/

Cyberattack hits Ukraine as U.S. warns Russia preparing 'pretext for invasion' - The United States said it feared Russia was preparing a pretext to invade Ukraine if diplomacy fails to meet its objectives, after a massive cyberattack splashed Ukrainian government websites with a warning to "be afraid and expect the worst." https://www.cbc.ca/news/world/ukraine-russia-hacking-government-websites-1.6314821

AWS Glue misconfiguration potentially exposes account data to other customers - Researchers on Thursday reported a misconfiguration issue in the AWS Glue data integration service that could potentially let a threat actor escalate privileges within an account and obtain unrestricted access to all resources for the service, including full administrative privileges. https://www.scmagazine.com/news/cloud-security/aws-glue-misconfiguration-potentially-exposes-account-data-to-other-customers


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Security Control Practices for E-Banking

1. Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including all customers, internal bank users and outsourced service providers. Logical access controls should also be designed to support proper segregation of duties.

2. E-banking data and systems should be classified according to their sensitivity and importance and protected accordingly. Appropriate mechanisms, such as encryption, access control and data recovery plans should be used to protect all sensitive and high-risk e-banking systems, servers, databases and applications.

3. Storage of sensitive or high-risk data on the organization's desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans.

4. Sufficient physical controls should be in place to deter unauthorized access to all critical e-banking systems, servers, databases and applications.

5. Appropriate techniques should be employed to mitigate external threats to e-banking systems, including the use of:

a) Virus-scanning software at all critical entry points (e.g. remote access servers, e-mail proxy servers) and on each desktop system.
b) Intrusion detection software and other security assessment tools to periodically probe networks, servers and firewalls for weaknesses and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.

6. A rigorous security review process should be applied to all employees and service providers holding sensitive positions.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that monitor the state of the TCP connection.  Each TCP session starts with an initial handshake communicated through TCP flags in the header information. When a connection is established the firewall adds the connection information to a table. The firewall can then compare future packets to the connection or state table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.
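The state table described above, modelled in a small Python packet filter. This is an added illustration, not code from the FFIEC booklet: it tracks the three-way handshake by TCP flags, creates a table entry when an inside host opens a connection, and drops inbound packets that do not match an entry. The protected network, addresses, ports and flag sequences are all constructed sample data.

```python
"""Toy stateful inspection filter (added example, not the FFIEC booklet's code).
An entry is created when an inside host starts the TCP handshake; inbound
packets are admitted only if they match an existing entry."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed: the protected network
ConnKey = Tuple[str, int, str, int]                 # (inside ip, inside port, outside ip, outside port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # any of "SYN", "ACK", "FIN", "RST"


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE_NET


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # the connection / state table
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        # Both directions of one connection map to the same key.
        if is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> bool:
        key = self._key(p)
        state = self.table.get(key)
        if is_inside(p.src):                                   # outbound packet
            if p.flags == {"SYN"} and state in (None, "SYN_SENT"):
                self.table[key] = "SYN_SENT"                   # handshake step 1 (or a retransmit)
                ok = True
            elif state == "SYN_RECEIVED" and "ACK" in p.flags:
                self.table[key] = "ESTABLISHED"                # handshake step 3
                ok = True
            else:
                ok = state == "ESTABLISHED"
        else:                                                  # inbound packet
            if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"               # handshake step 2
                ok = True
            else:
                ok = state == "ESTABLISHED"                    # no entry -> unsolicited, dropped
        if ok and p.flags & {"FIN", "RST"}:
            # Simplification: the first FIN or RST removes the entry. A real
            # firewall tracks the full close sequence and ages idle entries out.
            self.table.pop(key, None)
        self.log.append(f"{'ALLOW' if ok else 'DROP '} {p.src}:{p.sport} -> "
                        f"{p.dst}:{p.dport} {sorted(p.flags)}")
        return ok


def run_sample() -> List[bool]:
    """Constructed traffic: one legitimate session plus two unsolicited inbound packets."""
    fw = StatefulFirewall()
    inside, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    S, SA, A, RA = (frozenset(x) for x in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST", "ACK"}))
    packets = [
        Packet(inside, 40000, server, 443, S),      # inside host opens a connection -> allow
        Packet(server, 443, inside, 40000, SA),     # server answers the SYN           -> allow
        Packet(inside, 40000, server, 443, A),      # handshake completes              -> allow
        Packet(server, 443, inside, 40000, A),      # response data                    -> allow
        Packet(stranger, 5555, inside, 22, S),      # unsolicited inbound SYN          -> drop
        Packet(stranger, 5555, inside, 40000, A),   # ACK with no matching entry       -> drop
        Packet(server, 443, inside, 40000, RA),     # server resets; entry removed     -> allow
        Packet(server, 443, inside, 40000, A),      # late packet after teardown       -> drop
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    fw_decisions = run_sample()
    print(fw_decisions)   # [True, True, True, True, False, False, True, False]
```

The point the table makes visible is that the same inbound packet (an ACK to port 40000) is allowed or dropped purely on whether the inside host created state for it first; nothing in the packet itself distinguishes the two cases.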

Proxy Server Firewalls

Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network. Essentially, they rewrite packet headers to substitute the IP of the proxy server for the IP of the internal machine and forward packets to and from the internal and external machines. Due to that limited capability, proxy servers are commonly employed behind other firewall devices. The primary firewall receives all traffic, determines which application is being targeted, and hands off the traffic to the appropriate proxy server. Common proxy servers are the domain name server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers frequently cache requests and responses, providing potential performance benefits. Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering. Web and e-mail proxy servers, for example, are capable of filtering for potential malicious code and application-specific commands.
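The header rewriting and application-layer filtering the paragraph attributes to a Web proxy, as an added Python example that is not code from the FFIEC booklet. Outbound requests leave with the proxy's own address and a port that maps back to the internal client; replies are mapped back and checked against a content-type blocklist before they are forwarded. The proxy address, the allowed-method set, the blocked content types and the sample requests are all constructed for the example.

```python
"""Toy HTTP proxy (added example, not the FFIEC booklet's code): rewrites
headers so the outside sees only the proxy, and logs and filters at the
application layer."""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PROXY_IP = "192.0.2.1"                                    # constructed: proxy's external address
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                 # constructed policy
BLOCKED_TYPES = {"application/x-msdownload", "application/x-dosexec"}   # constructed policy


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str        # HTTP request or response text


class WebProxy:
    def __init__(self) -> None:
        self.nat: Dict[int, Tuple[str, int]] = {}   # proxy port -> (internal ip, internal port)
        self.next_port = 50000
        self.log: List[str] = []

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Internal client -> proxy. Returns the packet as forwarded, or None if refused."""
        request_line = p.payload.split("\r\n", 1)[0]
        m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", request_line)
        if not m or m.group(1) not in ALLOWED_METHODS:
            self.log.append(f"DENY  {p.src}:{p.sport} {request_line!r}")
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat[port] = (p.src, p.sport)
        self.log.append(f"ALLOW {p.src}:{p.sport} {m.group(1)} {m.group(2)} as {PROXY_IP}:{port}")
        # Header rewrite: the external server only ever sees the proxy's address.
        return replace(p, src=PROXY_IP, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """External server -> proxy. Maps the reply back to the client that asked for it."""
        client = self.nat.get(p.dport)
        if p.dst != PROXY_IP or client is None:
            self.log.append(f"DROP  unsolicited packet from {p.src}:{p.sport} to port {p.dport}")
            return None
        ctype = re.search(r"^Content-Type:\s*([^\s;]+)", p.payload, re.M | re.I)
        if ctype and ctype.group(1).lower() in BLOCKED_TYPES:
            self.log.append(f"BLOCK {ctype.group(1)} from {p.src} for {client[0]}:{client[1]}")
            return None
        return replace(p, dst=client[0], dport=client[1])


def run_sample() -> List[Optional[Packet]]:
    """Constructed exchange: a normal page fetch, a refused method, an
    unsolicited reply, and a download blocked by content type."""
    proxy = WebProxy()
    page = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    binary = "HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n(binary body)"
    return [
        proxy.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 80,
                              "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")),
        proxy.inbound(Packet("203.0.113.10", 80, PROXY_IP, 50000, page)),
        proxy.outbound(Packet("10.0.0.5", 40001, "203.0.113.10", 80, "TRACE / HTTP/1.1\r\n\r\n")),
        proxy.inbound(Packet("203.0.113.10", 80, PROXY_IP, 60000, page)),
        proxy.outbound(Packet("10.0.0.6", 41000, "203.0.113.10", 80,
                              "GET /download/tool.exe HTTP/1.1\r\n\r\n")),
        proxy.inbound(Packet("203.0.113.10", 80, PROXY_IP, 50001, binary)),
    ]


if __name__ == "__main__":
    proxy_results = run_sample()
    for entry in WebProxy().log:   # fresh instance has no log; print decisions instead
        print(entry)
    print([r is not None for r in proxy_results])   # [True, True, False, False, True, False]
```

Because every external packet has to be addressed to the proxy and to a port the proxy handed out, internal addresses never appear on the wire, and the same choke point is where the method policy and content filter are applied and every decision is logged.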



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.4 Administration of Access Controls

17.4.2 Decentralized Administration

In decentralized administration, access is directly controlled by the owners or creators of the files, often the functional manager. This keeps control in the hands of those most accountable for the information, most familiar with it and its uses, and best able to judge who needs what kind of access. This may lead, however, to a lack of consistency among owners/creators as to procedures and criteria for granting user accesses and capabilities. Also, when requests are not processed centrally, it may be much more difficult to form a systemwide composite view of all user accesses on the system at any given time. Different application or data owners may inadvertently implement combinations of accesses that introduce conflicts of interest or that are in some other way not in the organization's best interest. It may also be difficult to ensure that all accesses are properly terminated when an employee transfers internally or leaves an organization.

17.4.3 Hybrid Approach

A hybrid approach combines centralized and decentralized administration. One typical arrangement is that central administration is responsible for the broadest and most basic accesses, and the owners/creators of files control types of accesses or changes in users' abilities for the files under their control. The main disadvantage to a hybrid approach is adequately defining which accesses should be assignable locally and which should be assignable centrally.

17.5 Coordinating Access Controls

It is vital that access controls protecting a system work together. At a minimum, three basic types of access controls should be considered: physical, operating system, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective they need to be supported by operating system access controls. Otherwise access can be made to application resources without going through the application. Operating system and application access controls need to be supported by physical access controls.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.