January 31, 2021
Please stay safe - We will recover.
Does Your Financial Institution need an affordable cybersecurity Internet
security audit? Yennik, Inc. has clients in 42 states that rely on our
cybersecurity audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the FDIC, OCC, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b);
the penetration test also complies with the FFIEC Cybersecurity
Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective, which
will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner with
years of IT auditing experience. Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - Todd Fitzgerald: 'Do not expect trust. It must be earned' - A
conversation with Todd Fitzgerald, chairman of the executive committee
of Cybersecurity Collaborative.
https://www.scmagazine.com/home/from-the-collaborative/todd-fitzgerald-do-not-expect-trust-it-must-be-earned/
How security pros can prepare for a tsunami of new financial
industry regs in 2021 - Banks and financial services organizations
have accelerated their adoption of biometrics, facial recognition
and artificial intelligence (AI) to enable the use of digital
identities and continue operations during the pandemic. However,
these technologies are in need of strict regulations to protect
users.
https://www.scmagazine.com/perspectives/how-security-pros-can-prepare-for-a-tsunami-of-new-financial-industry-regs-in-2021/
CISA launches ransomware education program - The Cybersecurity and
Infrastructure Security Agency at the U.S. Department of Homeland
Security launched a new educational campaign Thursday encouraging
governments, schools and private companies to take steps to protect
their systems and data from ransomware.
https://www.scmagazine.com/home/security-news/ransomware/cisa-launches-ransomware-education-program/
NSA Cybersecurity 2020 Year in Review - The US National Security
Agency’s (NSA) Cybersecurity Directorate has published its first
Cybersecurity Year in Review.
https://media.defense.gov/2021/Jan/08/2002561651/-1/-1/0/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF
Announcing Free Site Cleaning & Site Security Audits for K-12 Public
Schools - Wordfence, the leading provider of WordPress security
software and services, is announcing today that we are, effective
immediately, offering free site cleaning and site security audit
services to K-12 public schools in the United States who use
WordPress as their content management system.
https://www.wordfence.com/blog/2021/01/announcing-free-site-cleaning-site-security-audits-for-k-12-public-schools/
70% of apps for the manufacturing sector spent all of 2020 with at
least one security flaw - According to WhiteHat Security, 70 percent
of individual web, mobile and API-based apps that support the
manufacturing sector spent all of 2020 with at least one critical or
high-risk security flaw.
https://www.scmagazine.com/application-security/70-of-apps-for-the-manufacturing-sector-spent-all-of-2020-with-at-least-one-security-flaw/
Speed of White House cyber appointments should make CISOs ‘a bit
more confident’ - In the weeks leading up to President Joe Biden’s
inauguration through the early days of his term, nominations of
cybersecurity officials filtered out at a remarkable rate.
https://www.scmagazine.com/home/government/speed-of-white-house-cyber-appointments-should-make-cisos-a-bit-more-confident/
Tesla sues ex-employee over alleged 'brazen' theft of confidential
code, files - The court case claims an engineer swiped files and
then tried to delete the evidence.
https://www.zdnet.com/article/tesla-sues-ex-employee-over-alleged-code-file-theft/
Deactivation of Flash may have crippled Chinese railroad for a day -
Railroad officials were blindsided by the long-scheduled
deactivation of Flash. Officials at China Railway Shenyang use
Flash-based software to plan each day's railroad operations. As a
result of the outage, Apple Daily says, "staffers were reportedly
unable to view train operation diagrams, formulate train sequencing
schedules, and arrange shunting plans."
https://arstechnica.com/tech-policy/2021/01/deactivation-of-flash-cripples-chinese-railroad-for-a-day/
The cyber ‘journeymen’: Apprentices may be the solution to the
skills gap - Tony Bryan doesn’t believe in the traditional notion of
a cyber skills gap. In fact, he thinks educational institutions and
vocational training programs have done a pretty solid job of
creating new legions of skilled and talented cyber workers.
https://www.scmagazine.com/home/security-news/network-security/the-cyber-journeymen-apprentices-may-be-the-solution-to-the-skills-gap/
Phishing scheme shows CEOs may be ‘most valuable asset,’ and
‘greatest vulnerability’ - Cybercriminals have been using a phishing
kit featuring fake Office 365 password alerts as a lure to target
the credentials of chief executives, business owners and other
high-level corporate leaders – highlighting the importance of
ensuring that upper management is not excluded from security
awareness training.
https://www.scmagazine.com/home/security-news/phishing/phishing-scheme-shows-ceos-may-be-most-valuable-asset-and-greatest-vulnerability/
Last-minute Trump order adds new security regulation to cloud
providers - An eleventh-hour executive order from then-president
Donald Trump will require infrastructure-as-a-service providers to
log the identity of foreign clients.
https://www.scmagazine.com/home/security-news/cloud-security/last-minute-trump-order-adds-new-security-regulation-to-cloud-providers/
Even dead employees pose a security risk when their accounts are
still active - A recent ransomware attack highlights the dangers of
extraneous accounts sitting on your network - particularly those
belonging to former employees.
https://www.scmagazine.com/home/security-news/ransomware/even-dead-employees-pose-a-security-risk-when-their-accounts-are-still-active/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers hijacked cloud accounts
of high-tech and aviation firms, hid in systems for years - A
sophisticated threat actor gained illegal access into the networks
of high-tech and aviation companies by initially hacking into their
cloud-based services. Attacker dwell time on the secretly
infiltrated networks sometimes lasted as long as three years.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/hackers-hijacked-cloud-accounts-of-high-tech-and-aviation-firms-hid-in-systems-for-years/
Laptops given to British schools came preloaded with remote-access
worm - Department for Education says: 'We believe this is not
widespread' - A shipment of laptops supplied to British schools by
the Department for Education to help kids learn under lockdown came
preloaded with malware.
https://www.theregister.com/2021/01/21/dept_education_school_laptops_malware/
CHwapi hospital hit by Windows BitLocker encryption cyberattack -
The CHwapi hospital in Belgium is suffering from a cyberattack where
threat actors claim to have encrypted 40 servers and 100 TB of data
using Windows Bitlocker.
https://www.bleepingcomputer.com/news/security/chwapi-hospital-hit-by-windows-bitlocker-encryption-cyberattack/
SonicWall network attacked via zero day in its secure access
solution - Cybersecurity firm SonicWall disclosed Friday night that
hackers attacked the company’s internal networks by first exploiting
a zero-day vulnerability in its very own secure remote access
products.
https://www.scmagazine.com/home/security-news/vulnerabilities/sonicwall-network-attacked-via-zero-days-in-its-vpn-and-secure-access-solutions/
SonicWall Probes Attack Using Zero-Days in Own Products - Security
vendor SonicWall has warned its customers that threat actors may
have found zero-day vulnerabilities in some of its remote access
products.
https://www.infosecurity-magazine.com/news/sonicwall-probes-zerodays-in-own/
Hackers publish thousands of files after government agency refuses
to pay ransom - Ransomware gang publishes stolen data after Scottish
Environment Protection Agency (SEPA) refuses to pay ransom - as
agency confirms operations remain disrupted.
https://www.zdnet.com/article/hackers-publish-thousands-of-files-after-government-agency-refuses-to-pay-ransom/
Digital burglars break into the Australian Securities and
Investments Commission - Miscreant fingered server that held docs
related to credit applications down under - The Australian
Securities and Investments Commission (ASIC) has admitted one of its
servers was accessed without sanction and may have been digitally
pawed by miscreants.
https://www.theregister.com/2021/01/25/asic_accellion_breach/
Leading crane maker Palfinger hit in global cyberattack - Leading
crane and lifting manufacturer Palfinger is targeted in an ongoing
cyberattack that has disrupted IT systems and business operations.
https://www.bleepingcomputer.com/news/security/leading-crane-maker-palfinger-hit-in-global-cyberattack/
WEB SITE COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or
notices to consumers. The compliance officer should check the
specific regulations to determine whether the disclosures/notices
can be delivered via electronic means. The delivery of
disclosures via electronic means has raised many issues with respect
to the format of the disclosures, the manner of delivery, and the
ability to ensure receipt by the appropriate person(s). The
following highlights some of those issues and offers guidance and
examples that may be of use to institutions in developing their
electronic services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers"
and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely
of asterisks or other symbols as pointers or hotlinks would not be
as clear as descriptive references that specifically indicate the
content of the linked material.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review security strategies
and plans.
Senior management and the board of directors are responsible for
overseeing the development and implementation of their bank's
security strategy and plan. Key elements to be included in those
strategies and plans are an intrusion risk assessment plan, risk
mitigation controls, intrusion response policies and procedures, and
testing processes. These elements are needed for both internal and
outsourced operations.
The first step in managing the risks of intrusions is to assess
the effects that intrusions could have on the institution. Effects
may include direct dollar loss, damaged reputation, improper
disclosure, lawsuits, or regulatory sanctions. In assessing the
risks, management should gather information from multiple sources,
including (1) the value and sensitivity of the data and processes to
be protected, (2) current and planned protection strategies, (3)
potential threats, and (4) the vulnerabilities present in the
network environment. Once information is collected, management
should identify threats and the likelihood of those threats
materializing, rank critical information assets and operations, and
estimate potential damage.
The analysis should be used to develop an intrusion protection
strategy and risk management plan. The intrusion protection strategy
and risk management plan should be consistent with the bank's
information security objectives. It also should balance the cost of
implementing adequate security controls with the bank's risk
tolerance and profile. The plan should be implemented within a
reasonable time. Management should document this information, its
analysis of the information, and decisions in forming the protection
strategy and risk management plan. By documenting this information,
management can better control the assessment process and facilitate
future risk assessments.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
People, who are all fallible, are usually recognized as one of the
weakest links in securing systems. The purpose of computer security
awareness, training, and education is to enhance security by:
1) improving awareness of the need to protect system resources;
2) developing skills and knowledge so computer users can perform
their jobs more securely; and
3) building in-depth knowledge, as needed, to design, implement,
or operate security programs for organizations and systems.
Making computer system users aware of their security
responsibilities and teaching them correct practices helps users
change their behavior. It also supports individual accountability,
which is one of the most important ways to improve computer
security. Without knowing the necessary security measures (and how
to use them), users cannot be truly accountable for their actions.
The importance of this training is emphasized in the
Computer Security Act, which requires training for those involved
with the management, use, and operation of federal computer systems.
This chapter first discusses the two overriding benefits of
awareness, training, and education, namely: (1) improving employee
behavior and (2) increasing the ability to hold employees
accountable for their actions. Next, awareness, training, and
education are discussed separately, with techniques used for each.
Finally, the chapter presents one approach for developing a computer
security awareness and training program.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.