R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

January 28, 2024

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration test also satisfies the FFIEC Cybersecurity Assessment Tool requirements for resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Bank regulatory FFIEC IT audits - I perform the annual IT audits required by the regulatory agencies for banks and credit unions. I am a former bank examiner with over 30 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Federal agencies release cyber guidance for water sector after watchdog criticism - A trio of federal agencies published a guide of cybersecurity best practices for the water and sanitation sector following criticism from a U.S. government watchdog about the government’s work with the industry. https://therecord.media/federal-agencies-release-cyber-guidance-water

IT consultant fined for daring to expose shoddy security - A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.
https://www.theregister.com/2024/01/19/germany_fine_security/


FTC Order Will Ban InMarket from Selling Precise Consumer Location Data - Proposed settlement is FTC’s second in recent weeks aimed at limiting the collection, use, and sale of consumers’ location data.
https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-will-ban-inmarket-selling-precise-consumer-location-data


LoanDepot ransomware attack exposes data on almost 17M customers - The number of individuals impacted makes it the most widespread compromise of customer data in the spree of attacks targeting the real estate sector. https://www.cybersecuritydive.com/news/loandepot-ransomware-exposes-17M-people/705169/


CISA issues emergency directive for federal agencies to mitigate Ivanti vulnerabilities - Civilian agencies are under threat following a surge in nation-state linked exploitation of Ivanti Connect Secure and Ivanti Policy Secure devices. https://www.cybersecuritydive.com/news/cisa-emergency-federal-agencies-ivanti/705103/


Security pros are being hospitalized by after-effects of ransomware hacks - Psychological, physical, social and financial harm are all results of cyberattack.
https://www.techradar.com/pro/security-pros-are-being-hospitalized-by-after-effects-of-ransomware-hacks


Why FinServ Companies Should Invest in Digital Experience - Financial services companies are going digital - but without offering an experience that meets consumer expectations, they risk losing customers in an industry where competition is tightening. Fintech companies need to offer a digital experience that builds trusted digital relationships and keeps consumers coming back.
https://resources.industrydive.com/why-finserv-companies-should-invest-in-digital-experience


Here’s three questions to ask for better data security posture management - We live in an unprecedented age of data collection to steer business decisions, fuel innovation, and inform critical operations.
https://www.scmagazine.com/perspective/three-questions-to-ask-for-better-data-security-posture-management


Will the movement to ban ransom payments gain steam in 2024? - Policies and regulations around ransomware payments are widely expected to change in 2024, but how and to what effect remains in flux.
https://www.cybersecuritydive.com/news/ransom-payment-ban-outlook/705316/


CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

The number of patient records exposed in data breaches doubled in 2023 - Though the number of data breaches declined slightly from 2022, more than 116 million records were exposed last year, Fortified Health Security found.
https://www.cybersecuritydive.com/news/patient-records-healthcare-data-breaches/704950/


Cyberattack targeting UK councils causes online disruption - Three councils in the United Kingdom have taken some of their public-facing systems offline due to an ongoing cybersecurity issue. https://techcrunch.com/2024/01/19/cyberattack-targeting-uk-councils-causes-online-disruption/


GitHub rotates keys to mitigate impact of credential-exposing flaw - GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables. https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitigate-impact-of-credential-exposing-flaw/

Ransomware Group Targets Foxconn Subsidiary Foxsemicon - Foxsemicon specializes in semiconductor equipment manufacturing. The company’s website was defaced this week with a message claiming that data has been stolen and encrypted.
https://www.securityweek.com/ransomware-group-targets-foxconn-subsidiary-foxsemicon/


Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected - Cloud hosting services provider Tietoevry announced that one of its datacenters in Sweden “was partially subject to a ransomware attack” this weekend, affecting numerous customers and forcing stores to close across the country.
https://therecord.media/tietoevry-ransomware-attack-sweden-cloud-services-datacenter


Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft warned Friday night that some of its corporate email accounts were breached and data stolen by a Russian state-sponsored hacking group known as Midnight Blizzard.
https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/


Cyberattack hits three English councils at once, as outsourcer Civica denies blame - Three councils in England have announced they were affected by a cyberattack which has forced them to take down multiple online services. https://therecord.media/cyberattack-three-english-councils-civica


SEC confirms X account was hacked in SIM swapping attack - The U.S. Securities and Exchange Commission confirmed today that its X account was hacked through a SIM-swapping attack on the cell phone number associated with the account.
https://www.bleepingcomputer.com/news/security/sec-confirms-x-account-was-hacked-in-sim-swapping-attack/


Over 340,000 Jason’s Deli customers potentially impacted in credential-stuffing attack - Hackers have an unending appetite to steal and then slice and dice personally identifiable information (PII).
https://www.scmagazine.com/news/over-340000-jasons-deli-customers-potentially-impacted-in-credential-stuffing-attack



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
    
    
Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 1 of 2)
    
    Vigilant management oversight is essential for the provision of effective internal controls over e-banking activities. In addition to the specific characteristics of the Internet distribution channel discussed in the Introduction, the following aspects of e-banking may pose considerable challenge to traditional risk management processes:
    
    1) Major elements of the delivery channel (the Internet and related technologies) are outside of the bank's direct control.
    
    2) The Internet facilitates delivery of services across multiple national jurisdictions, including those not currently served by the institution through physical locations.
    
    3) The complexity of issues that are associated with e-banking and that involve highly technical language and concepts are in many cases outside the traditional experience of the Board and senior management.
    
    In light of the unique characteristics of e-banking, new e-banking projects that may have a significant impact on the bank's risk profile and strategy should be reviewed by the Board of Directors and senior management and undergo appropriate strategic and cost/reward analysis. Without adequate up-front strategic review and ongoing performance-to-plan assessments, banks are at risk of underestimating the cost and/or overestimating the payback of their e-banking initiatives.
    
    In addition, the Board and senior management should ensure that the bank does not enter into new e-banking businesses or adopt new technologies unless it has the necessary expertise to provide competent risk management oversight. Management and staff expertise should be commensurate with the technical nature and complexity of the bank's e-banking applications and underlying technologies. Adequate expertise is essential regardless of whether the bank's e-banking systems and services are managed in-house or outsourced to third parties. Senior management oversight processes should operate on a dynamic basis in order to effectively intervene and correct any material e-banking systems problems or security breaches that may occur. The increased reputational risk associated with e-banking necessitates vigilant monitoring of systems operability and customer satisfaction as well as appropriate incident reporting to the Board and senior management.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   
INFORMATION SECURITY STRATEGY (2 of 2)
   

   
Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

   
   For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment. Two potential approaches were identified for evaluation. The first approach uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second approach consists of daily access log review. The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment. The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.
   
   Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.
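As an added example (not part of the FFIEC booklet or of this newsletter), the script below shows what the "daily access log review" approach from the intrusion-detection paragraph looks like in practice, and illustrates the layering point: every request in the constructed sample arrived over HTTPS on a port the firewall allows, yet the log still contains password guessing against the login page, a SQL injection probe and a path traversal probe. The log lines, IP addresses, paths, signatures and the five-failure threshold are all constructed for illustration and are not taken from any real institution.

```python
"""Daily access-log review: a minimal detector for attacks carried inside
traffic a port-filtering firewall has already allowed (well-formed HTTPS).
All sample data below is constructed for this example."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" log format. Every request
# here is ordinary HTTPS, so a firewall rule on port 443 passes all of it.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2024:02:14:05 +0000] "GET /online/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:09 +0000] "POST /online/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:11 +0000] "POST /online/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:13 +0000] "POST /online/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:15 +0000] "POST /online/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:17 +0000] "POST /online/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2024:02:14:19 +0000] "POST /online/login HTTP/1.1" 200 7801 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Jan/2024:03:40:02 +0000] "GET /statements?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.23 - - [27/Jan/2024:03:40:05 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.44 - - [27/Jan/2024:09:12:44 +0000] "GET /online/balances HTTP/1.1" 200 2210 "https://bank.example/online" "Mozilla/5.0"
"""

# One regex for the combined format; lines it rejects are skipped, not guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Illustrative payload signatures (hypothetical, deliberately small). They are
# applied to the URL-decoded path so percent-encoding does not hide the payload.
PAYLOAD_SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s+'|union\s+select", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}


def parse(log_text):
    """Yield one dict per well-formed line, with status as int and a decoded path."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            # Decode twice: %252e-style double encoding is a common evasion.
            rec["decoded_path"] = unquote(unquote(rec["path"]))
            yield rec


def review(log_text, failed_login_threshold=5):
    """Return (finding, source_ip, detail) tuples for one day's log."""
    findings = []
    failures = defaultdict(int)  # failed logins per source IP
    for rec in parse(log_text):
        for name, sig in PAYLOAD_SIGNATURES.items():
            if sig.search(rec["decoded_path"]):
                findings.append((name, rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"].startswith("/online/login"):
            if rec["status"] == 401:
                failures[rec["ip"]] += 1
            elif rec["status"] == 200 and failures[rec["ip"]] >= failed_login_threshold:
                # A success right after a run of failures is the case that matters most.
                findings.append(("login_success_after_failures", rec["ip"],
                                 f"{failures[rec['ip']]} failures"))
    for ip, n in failures.items():
        if n >= failed_login_threshold:
            findings.append(("password_guessing", ip, f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review(SAMPLE_LOG):
        print(f"{kind:30} {ip:16} {detail}")
```

Run once a day, this finds all three events, but only hours after the successful login at 02:14:19; that delay is exactly the gap the booklet's first approach (network and host sensors with a staffed monitoring center) is meant to close for an Internet banking environment, while the script-level review may be adequate for an isolated information-only Web site.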
   
   Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:
   
   1)  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
   
   2)  Enforcing policy through security tools and sanctions;
   
   3)  Delineating the areas of responsibility for users, administrators, and managers;
   
   4)  Communicating in a clear, understandable manner to all concerned;
   
   5)  Obtaining employee certification that they have read and understood the policy;
   
   6)  Providing flexibility to address changes in the environment; and
   
   7)  Conducting an annual review and approval by the board of directors.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

 
 
8.3 Overview of the Computer System Life Cycle
 

 There are many models for the computer system life cycle but most contain five basic phases:
 
 1)  Initiation. During the initiation phase, the need for a system is expressed and the purpose of the system is documented.
 
 2)  Development/Acquisition. During this phase the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle.
 
 3)  Implementation. After initial system testing, the system is installed or fielded.
 
 4)  Operation/Maintenance. During this phase the system performs its work. The system is almost always modified by the addition of hardware and software and by numerous other events.
 
 5)  Disposal. The computer system is disposed of once the transition to a new computer system is completed.
 
 Each phase can apply to an entire system, a new component or module, or a system upgrade. As with other aspects of systems management, the level of detail and analysis for each activity described here is determined by many factors including size, complexity, system cost, and sensitivity.
 
 Many people find the concept of a computer system life cycle confusing because many cycles occur within the broad framework of the entire computer system life cycle. For example, an organization could develop a system, using a system development life cycle. During the system's life, the organization might purchase new components, using the acquisition life cycle.
 
 Moreover, the computer system life cycle itself is merely one component of other life cycles. For example, consider the information life cycle. Normally information, such as personnel data, is used much longer than the life of one computer system. If an employee works for an organization for thirty years and collects retirement for another twenty, the employee's automated personnel record will probably pass through many different organizational computer systems owned by the company. In addition, parts of the information will also be used in other computer systems, such as those of the Internal Revenue Service and the Social Security Administration.
 
 Many different "life cycles" are associated with computer systems, including the system development, acquisition, and information life cycles.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.