R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

January 30, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Insurance firms often targeted for customers’ personal information - Insurance companies are expected to offer financial protection to their customers. But when it comes to cyber threats, insurers are increasingly finding themselves the victims of a merciless onslaught from data thieves, ransomware groups, hacktivists and even nation-states. https://www.scmagazine.com/analysis/data-loss-prevention/insurance-firms-often-targeted-for-customers-personal-information

Singapore gives banks two-week deadline to fix SMS security - A widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry. https://www.theregister.com/2022/01/20/singapores_monetary_authority_requires_banks/

More than half of medical devices found to have critical vulnerabilities - A new report reveals what kind of medical devices are at most risk of security threats. More than half of the connected medical devices in hospitals pose security threats due to critical vulnerabilities that could potentially compromise patient care. https://www.zdnet.com/article/more-than-half-of-medical-devices-have-critical-vulnerabilities/

IRS plans for facial recognition draw scrutiny from privacy, cybersecurity advocates - The IRS is pushing taxpayers to start using a login service that leverages facial recognition and requires users to send photos of themselves to a third-party company. https://www.scmagazine.com/analysis/identity-and-access/irs-plans-for-facial-recognition-draw-scrutiny-from-privacy-cybersecurity-advocates

Feds want bulk electric systems to monitor network security - The Federal Energy Regulatory Commission is mulling a new regulation that would mandate owners and operators of bulk electric systems to implement internal network security monitoring. https://www.scmagazine.com/analysis/endpoint-security/feds-want-bulk-electric-systems-to-monitor-network-security

Data compromises increased by 68% in 2021 - The Identity Theft Resource Center (ITRC) on Monday reported that the 1,862 data compromises it recorded in 2021 was up more than 68% compared with 2020 - and for last year, cloud-based supply chain attacks were classified as the fourth most common attack vector. https://www.scmagazine.com/news/cloud/data-compromises-increased-by-68-in-2021-itrc-report-says

What enterprises should learn from Merck’s $1.4 billion insurance lawsuit - Earlier this month, pharma-giant Merck won a $1.4 billion lawsuit over insurance companies' duty to pay for the damages stemming from the 2017 NotPetya cyberattack. https://www.scmagazine.com/analysis/incident-response/what-enterprises-should-learn-from-mercks-1-4-billion-insurance-lawsuit

$4.35M Excellus breach lawsuit settlement requires data retention, security overhaul - A proposed settlement has been reached in a class-action data breach lawsuit against Excellus Health Plan, affiliate companies, and Blue Cross Blue Shield Association, which would result in millions of dollars in injunctive relief and require the insurer to make numerous improvements to its security program. https://www.scmagazine.com/analysis/breach/4-35m-excellus-breach-lawsuit-settlement-requires-data-retention-security-overhaul

Federal Reserve report casts concerns on central bank digital currency - Despite rapidly growing support from the U.S. financial community for stablecoin cryptocurrency, a new report from the Federal Reserve Bank raises questions about the potential risks of instituting a central bank digital currency (CBDC).  https://www.scmagazine.com/analysis/cryptocurrency/federal-reserve-report-casts-concerns-on-central-bank-digital-currency 

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Red Cross breach could happen to any organization, security community warns - The security community on Thursday was aghast to learn of the attack by still unknown hackers on the servers of the International Committee of the Red Cross (ICRC). https://www.scmagazine.com/news/breach/red-cross-breach-could-happen-to-any-organization-security-community-warns

RIPTA under fire: Why would a public transit authority have healthcare data? - The Rhode Island Public Transit Authority is currently being investigated by the state attorney general, following its breach notice to 5,015 health plan beneficiaries informing them their personal and protected health information was stolen during a systems hack in August. https://www.scmagazine.com/feature/compliance/ripta-under-fire-why-would-a-public-transit-authority-have-healthcare-data

FBI warns of malicious QR codes used to steal your money - The Federal Bureau of Investigation (FBI) warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes to steal their credentials and financial info. https://www.bleepingcomputer.com/news/security/fbi-warns-of-malicious-qr-codes-used-to-steal-your-money/

Patient data stolen ahead of Memorial Health ransomware attack, EHR downtime - Memorial Health System in Ohio has confirmed that threat actors accessed or acquired health information tied to about 216,000 patients prior to deploying a ransomware attack in August. https://www.scmagazine.com/analysis/breach/patient-data-stolen-ahead-of-memorial-health-ransomware-attack-ehr-downtime

Pennsylvania man pleads guilty to hacking users at two Philadelphia-area colleges - The U.S. Justice Department announced Monday that a Chester Springs, Pennsylvania, man pleaded guilty to hacking the campus networks of two Philadelphia-area colleges in an attempt to use stolen personal information to submit fraudulent tax returns. https://edscoop.com/pennsylvania-man-hack-two-philadelphia-colleges/

New York fines EyeMed $600K after data breach investigation finds security flaws - EyeMed reached a $600,000 settlement with the state of New York to resolve a number of allegations against its data security program, revealed during the state’s investigation into the healthcare business associate following a 2020 data breach that impacted 2.1 million individuals. https://www.scmagazine.com/analysis/breach/new-york-fines-eyemed-600k-after-data-breach-investigation-finds-security-flaws

Kentucky hospital reports network outage, care delays amid cyberattack - A cyberattack struck Taylor Regional Hospital (TRH) earlier this week, which has led to electronic health record downtime procedures and network outages, according to a notice posted on the Kentucky hospital’s website. https://www.scmagazine.com/analysis/cybercrime/kentucky-hospital-reports-network-outage-care-delays-amid-cyberattack


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 1 of 3)

   1. Banks should adopt appropriate processes for evaluating decisions to outsource e-banking systems or services.

   a)  Bank management should clearly identify the strategic purposes, benefits and costs associated with entering into outsourcing arrangements for e-banking with third parties.
   b)  The decision to outsource a key e-banking function or service should be consistent with the bank's business strategies, be based on a clearly defined business need, and recognize the specific risks that outsourcing entails.
   c)  All affected areas of the bank need to understand how the service provider(s) will support the bank's e-banking strategy and fit into its operating structure.

   2. Banks should conduct appropriate risk analysis and due diligence prior to selecting an e-banking service provider and at appropriate intervals thereafter.

   a)  Banks should consider developing processes for soliciting proposals from several e-banking service providers and criteria for choosing among the various proposals.
   b)  Once a potential service provider has been identified, the bank should conduct an appropriate due diligence review, including a risk analysis of the service provider's financial strength, reputation, risk management policies and controls, and ability to fulfill its obligations.
   c)  Thereafter, banks should regularly monitor and, as appropriate, conduct due diligence reviews of the ability of the service provider to fulfill its service and associated risk management obligations throughout the duration of the contract.
   d)  Banks need to ensure that adequate resources are committed to overseeing outsourcing arrangements supporting e-banking.
   e)  Responsibilities for overseeing e-banking outsourcing arrangements should be clearly assigned.
   f)  An appropriate exit strategy should be in place for the bank to manage risks should it need to terminate the outsourcing relationship.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Application-Level Firewalls

Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.

The primary disadvantages of application-level firewalls are:

- The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.

- Any particular firewall may provide only limited support for new network applications and protocols. It may also simply allow traffic from those applications and protocols to pass through the firewall.
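The contrast the booklet draws, a packet filter deciding once from the connection's addresses and ports versus an application-level firewall that keeps connection state and keeps reading each payload, is easier to see in code. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any firewall product: a toy HTTP screen that checks the command (method), protocol version, request-line length and header validity, next to a stateless packet filter applied to the same flow. The flow tuple, the sample packets and the policy constants are constructed for the example.

```python
"""Toy application-level HTTP screen next to a stateless packet filter.

The packet filter decides from the 5-tuple alone.  The application-level
filter keeps a connection table and inspects every payload it sees for
permitted commands, protocol version, length and header validity.
All flows, packets and policy values below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Packet filter policy: TCP to web ports only.
ALLOWED_DST_PORTS = {80, 443}

# Application-level policy for HTTP (constructed for the example).
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_COUNT = 50
# token ":" optional whitespace printable-value (simplified header grammar)
HEADER_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[\x20-\x7e\t]*$")


def packet_filter_decision(flow):
    """Stateless check on (src, sport, dst, dport, proto) only."""
    _src, _sport, _dst, dport, proto = flow
    return "allow" if proto == "tcp" and dport in ALLOWED_DST_PORTS else "deny"


@dataclass
class ConnectionState:
    established: bool = False
    requests_seen: int = 0


@dataclass
class AppLevelFirewall:
    table: dict = field(default_factory=dict)  # flow -> ConnectionState

    def open_connection(self, flow):
        """Record a completed handshake: state a packet filter does not keep."""
        self.table[flow] = ConnectionState(established=True)

    def inspect(self, flow, payload):
        """Return (decision, reason) for one request payload on a known flow."""
        state = self.table.get(flow)
        if state is None or not state.established:
            return "deny", "no connection state for flow"
        state.requests_seen += 1
        return check_http_request(payload)


def check_http_request(payload):
    """Payload screening: command, protocol version, length, header validity."""
    lines = payload.rstrip(b"\r\n").split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return "deny", "request line exceeds length limit"
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return "deny", "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return "deny", "method not permitted: " + method.decode("ascii", "replace")
    if version not in ALLOWED_VERSIONS:
        return "deny", "unsupported protocol version"
    if not target.startswith(b"/"):
        return "deny", "request target must be an absolute path"
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        return "deny", "too many headers"
    for h in headers:
        if not HEADER_RE.match(h):
            return "deny", "invalid header line"
    return "allow", "passes application-level checks"


# Constructed samples: one flow, three requests sent after the handshake.
SAMPLE_FLOW = ("198.51.100.10", 40000, "203.0.113.5", 80, "tcp")
SAMPLE_PACKETS = [
    b"GET /accounts/summary HTTP/1.1\r\nHost: bank.example\r\nAccept: text/html\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost bank.example\r\n\r\n",
]


def run_demo():
    """Return (packet filter decision, app-level decision) per sample packet."""
    fw = AppLevelFirewall()
    fw.open_connection(SAMPLE_FLOW)
    return [(packet_filter_decision(SAMPLE_FLOW), fw.inspect(SAMPLE_FLOW, pkt))
            for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (pf, (app, why)) in zip(SAMPLE_PACKETS, run_demo()):
        print(pkt.split(b"\r\n")[0].decode(), "| packet filter:", pf,
              "| app-level:", app, "-", why)
```

The packet filter allows all three requests because each arrives on an allowed port; the application-level screen allows only the first, rejecting the unlisted method and the malformed header. The per-payload parsing is also where the booklet's first disadvantage shows up: every request costs a parse, which a packet filter never pays.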



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.4 Administration of Access Controls

17.6 Interdependencies

Logical access controls are closely related to many other controls. Several of them have been discussed in the chapter.

Policy and Personnel. The most fundamental interdependencies of logical access control are with policy and personnel. Logical access controls are the technical implementation of system-specific and organizational policy, which stipulates who should be able to access what kinds of information, applications, and functions. These decisions are normally based on the principles of separation of duties and least privilege.

Audit Trails. As discussed earlier, logical access controls can be difficult to implement correctly. Also, it is sometimes not possible to make logical access control as precise, or fine-grained, as would be ideal for an organization. In such situations, users may either deliberately or inadvertently abuse their access. For example, access controls cannot prevent a user from modifying data the user is authorized to modify, even if the modification is incorrect. Auditing provides a way to identify abuse of access permissions. It also provides a means to review the actions of system or security administrators.

Identification and Authentication. In most logical access control scenarios, the identity of the user must be established before an access control decision can be made. The access control process then associates the permissible forms of accesses with that identity. This means that access control can only be as effective as the I&A process employed for the system.

Physical Access Control. Most systems can be compromised if someone can physically access the machine (i.e., CPU or other major components) by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).
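The three interdependencies the Handbook names for software (policy, audit trails, and I&A) fit together in one small service. The following is an added example written for this newsletter, not code from the NIST Handbook: identity is established with a salted password check before any decision is made, the decision applies least privilege through per-role permissions and a separation-of-duties rule, and every decision is written to an audit trail that a reviewer function then reads for the patterns the Handbook says controls alone cannot prevent. The users, passwords, roles and the session are constructed for the example; the PBKDF2 parameters are illustrative, not a recommendation.

```python
"""Access decisions built on I&A, least privilege, separation of duties
and an audit trail.  Users, roles and the scenario are constructed samples."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy: each role holds only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "teller":   {("account", "read"), ("transfer", "initiate")},
    "manager":  {("account", "read"), ("transfer", "approve")},
    "sysadmin": {("user", "manage"), ("audit_log", "read")},
}
# Separation of duties: one identity may not do both on the same object.
SOD_CONFLICTS = [(("transfer", "initiate"), ("transfer", "approve"))]
PBKDF2_ROUNDS = 100_000  # illustrative value for the example


@dataclass
class User:
    name: str
    roles: set
    salt: bytes
    pw_hash: bytes


def make_user(name, roles, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(name, set(roles), salt, digest)


@dataclass
class AccessControlService:
    users: dict
    audit: list = field(default_factory=list)
    history: dict = field(default_factory=dict)  # (user, obj) -> actions taken

    def _log(self, **event):
        self.audit.append(event)

    def authenticate(self, name, password):
        """I&A step: returns the User only once identity is established."""
        user = self.users.get(name)
        if user is not None:
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, user.pw_hash):
                self._log(event="auth_success", user=name)
                return user
        self._log(event="auth_failure", user=name)
        return None

    def _deny(self, name, resource, action, obj, reason):
        self._log(event="access_denied", user=name, resource=resource,
                  action=action, obj=obj, reason=reason)
        return False

    def authorize(self, user, resource, action, obj):
        """Access decision; only as good as the identity authenticate() gave us."""
        if user is None:
            return self._deny(None, resource, action, obj, "unauthenticated")
        permitted = set()
        for role in user.roles:
            permitted |= ROLE_PERMISSIONS.get(role, set())
        if (resource, action) not in permitted:
            return self._deny(user.name, resource, action, obj, "not permitted by role")
        prior = self.history.setdefault((user.name, obj), set())
        for first, second in SOD_CONFLICTS:
            other = second if (resource, action) == first else first if (resource, action) == second else None
            if other is not None and other in prior:
                return self._deny(user.name, resource, action, obj, "separation of duties")
        prior.add((resource, action))
        self._log(event="access_granted", user=user.name, resource=resource, action=action, obj=obj)
        return True


def review_audit(audit, failure_threshold=3):
    """Audit review: repeated login failures, SoD attempts, administrator actions."""
    findings, failures = [], {}
    for e in audit:
        if e["event"] == "auth_failure":
            failures[e["user"]] = failures.get(e["user"], 0) + 1
        elif e["event"] == "access_denied" and e.get("reason") == "separation of duties":
            findings.append(f"SoD violation attempted by {e['user']} on {e['obj']}")
        elif e["event"] == "access_granted" and e["resource"] == "user":
            findings.append(f"admin action by {e['user']}: {e['action']} {e['obj']}")
    for name, count in failures.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed logins for {name}")
    return findings


def build_demo_service():
    """Constructed users; carol holds both roles, so SoD must stop her self-approving."""
    users = {u.name: u for u in (
        make_user("alice", ["teller"], "alice-pw"),
        make_user("bob", ["manager"], "bob-pw"),
        make_user("carol", ["teller", "manager"], "carol-pw"),
        make_user("dave", ["sysadmin"], "dave-pw"),
    )}
    return AccessControlService(users)


if __name__ == "__main__":
    svc = build_demo_service()
    carol = svc.authenticate("carol", "carol-pw")
    svc.authorize(carol, "transfer", "initiate", "T2")
    svc.authorize(carol, "transfer", "approve", "T2")  # denied: separation of duties
    for _ in range(3):
        svc.authenticate("mallory", "guess")
    for finding in review_audit(svc.audit):
        print(finding)
```

Note what the audit review adds that the decision logic cannot: carol's approval attempt is blocked, but the fact that a role assignment let her get that far is only visible in the trail, and nothing in `authorize()` stops a manager from approving a transfer that is wrong on its merits; that is the "authorized but incorrect modification" case the Handbook describes, and only review of the log surfaces it.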


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.