Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers - A Proposed Rule by the Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation on 01/12/2021.
https://www.federalregister.gov/documents/2021/01/12/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank
Your return-to-work plan: Forget your perimeter. Embrace security
without borders - You learned a hard lesson over the last year. Your
assets lost most of their defenses once they left your perimeter.
https://www.scmagazine.com/home/sponsor-content/your-return-to-work-plan-forget-your-perimeter-embrace-security-without-borders/
Early-stage cybersecurity investment flowing, despite pandemic -
Most industries saw a significant drop in venture capital investment
at the seed and Series A stages throughout 2020. Cybersecurity
appears to be the exception, according to a new report, with
dealmaking remaining resilient, despite the coronavirus pandemic and
a turbulent economic environment.
https://www.scmagazine.com/home/security-news/early-stage-cybersecurity-investment-flowing-despite-pandemic/
CISA says multiple attacks on cloud services bypassed multifactor
authentication - The Cybersecurity and Infrastructure Security
Agency (CISA) on Wednesday said it discovered several recent
successful cyberattacks against the cloud services of multiple
organizations, offering guidance on how security teams can bolster
associated security.
https://www.scmagazine.com/home/security-news/cloud-security/cisa-says-multiple-attacks-on-cloud-services-bypassed-multifactor-authentication/
NSA advises companies to avoid third party DNS resolvers - The US
National Security Agency (NSA) says that companies should avoid
using third party DNS resolvers to block threat actors' DNS traffic
eavesdropping and manipulation attempts and to block access to
internal network information.
https://www.bleepingcomputer.com/news/security/nsa-advises-companies-to-avoid-third-party-dns-resolvers/
Biden to invest in cyber workforce, but without plan to overcome
lingering staffing hurdles - President-elect Joe Biden announced
funding to modernize secure IT and lure cyber talent to the public
sector as part of his plan to stimulate the economy and rebuild in
the wake of the pandemic. But cybersecurity experts remain skeptical
that the newfound funding focus will be enough to draw the necessary
talent.
https://www.scmagazine.com/home/security-news/biden-to-invest-in-cyber-workforce-but-without-plan-to-overcome-lingering-staffing-hurdles/
Free cyber career training coursework emerges as a perk in tough
times - A pair of cybersecurity firms this month announced a slate
of new career training and education courses that will be made
freely available to the public. These complimentary offerings are
helping current, aspiring and unemployed infosec professionals gain
an upper hand in a down economy, while aiding an industry facing a
growing skills gap.
https://www.scmagazine.com/home/security-news/network-security/free-cyber-career-training-coursework-emerges-as-a-perk-in-tough-times/
Singapore tightens cyber defence guidelines for financial services
sector - Revised guidelines on technology risk management include
instructions for financial institutions to exercise "strong
oversight" of arrangements with third-party service providers to
ensure data confidentiality and details of the responsibility of
senior management.
https://www.zdnet.com/article/singapore-tightens-cyber-defence-guidelines-for-financial-services-sector/
The Dunning-Kruger Effect: Why security training isn’t enough -
Behavioral psychologists call this phenomenon the Dunning-Kruger
effect, when people with a low level of knowledge dangerously
overestimate their skill and make errors as a result. This effect
partly answers one of the most enduring conundrums in cybersecurity:
why do people keep clicking on bad emails, causing email data
breaches?
https://www.scmagazine.com/perspectives/the-dunning-kruger-effect-why-security-training-isnt-enough/
Last-minute Trump order adds new security regulation to cloud
providers - An eleventh-hour executive order from then-president
Donald Trump will require infrastructure-as-a-service providers to
log the identity of foreign clients.
https://www.scmagazine.com/home/security-news/cloud-security/last-minute-trump-order-adds-new-security-regulation-to-cloud-providers/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers have leaked the COVID-19
vaccine data they stole in a cyberattack - European Union medical
agency reveals that information about coronavirus medicine was
leaked in a data breach first disclosed last month.
https://www.zdnet.com/article/hackers-have-leaked-the-covid-19-vaccine-data-they-stole-in-a-cyberattack/
Mimecast breach investigators probe possible SolarWinds connection -
Mimecast, a global email security provider, on Tuesday said that one
of its software security certificates had been breached by a
“sophisticated threat actor” in a targeted operation to access
customer emails.
https://www.cyberscoop.com/mimecast-email-breach-solarwinds-russia/
FIN11 e-crime group shifted to CL0P ransomware and big game hunting - The financially motivated FIN11, which increasingly incorporated CL0P ransomware into its operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.
https://www.scmagazine.com/home/security-news/fin11-e-crime-group-shifted-to-cl0p-ransomware-and-big-game-hunting/
Hackers alter stolen regulatory data to sow mistrust in COVID-19
vaccine - Post titled “Astonishing fraud! Evil Pfffizer! Fake
vaccines!” found on the Dark Web.
https://arstechnica.com/information-technology/2021/01/hackers-alter-stolen-regulatory-data-to-sow-mistrust-in-covid-19-vaccine/
Scottish Environment Protection Agency refuses to pay ransomware
crooks over 1.2GB of stolen data - Scotland's environmental watchdog
has confirmed it is dealing with an "ongoing ransomware attack"
likely masterminded by international "serious and organised"
criminals during the last week of 2020.
https://www.theregister.com/2021/01/18/scottish_environment_protection_agency_refuses_to_pay_ransom/
OpenWRT reports data breach after hacker gained access to forum
admin account - The maintainers of OpenWRT, an open-source project
that provides free and customizable firmware for home routers, have
disclosed a security breach that took place over the weekend.
https://www.zdnet.com/article/openwrt-reports-data-breach-after-hacker-gained-access-to-forum-admin-account/
SolarWinds attack opened up 4 separate paths to a Microsoft 365 cloud breach - The perpetrators behind the SolarWinds supply-chain attack were observed leveraging four separate techniques to bypass identity and access management protections and laterally move from victims' on-premises networks to their cloud-based Microsoft 365 accounts.
https://www.scmagazine.com/home/security-news/cloud-security/solarwinds-attack-opened-up-4-separate-paths-to-a-microsoft-365-cloud-breach/
WEB SITE COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
FFIEC IT SECURITY - Over the next few weeks, we will cover the OCC Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how
to prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as information systems become more connected and interdependent and as banks make greater use of Internet banking services and other remote access devices. Recent e-mail-based computer viruses and the distributed denial of service attacks earlier this year revealed that the security of all Internet-connected networks is increasingly intertwined. The number of reported intrusion incidents nearly tripled from 1998 to 1999, according to Carnegie Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
vulnerabilities.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.5 Cost Considerations
There are a number of start-up costs and funding issues to
consider when planning an incident handling capability. Because the
success of an incident handling capability relies so heavily on
users' perceptions of its worth and whether they use it, it is very
important that the capability be able to meet users' requirements.
Two important funding issues are:
Personnel. An incident handling capability plan might call for at
least one manager and one or more technical staff members (or their
equivalent) to accomplish program objectives. Depending on the scope
of the effort, however, full-time staff members may not be required.
In some situations, some staff may be needed part-time or on an
on-call basis. Staff may be performing incident handling duties as
an adjunct responsibility to their normal assignments.
Education and Training. Incident handling staff will need to keep current with computer system and security developments. Budget allowances need to be made, therefore, for attending conferences, security seminars, and other continuing-education events. If an organization is located in more than one geographic area, funds will probably be needed for travel to other sites for handling incidents.