February 7, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - NIST Shares Risk-Based Guide
to Information Exchange Security - Newly proposed NIST guidance
tackles the use of information exchange channels, providing insights
on risk-based considerations to protect and manage shared
information. NIST released a proposed guide designed to support the
use of information exchange channels, which provides insights on
risk-based considerations to protect data throughout the sharing
process and case studies around the effective management of
exchanged information.
https://healthitsecurity.com/news/nist-shares-risk-based-guide-to-information-exchange-security
Law enforcement strikes back at Emotet, one of the world's most
popular ransomware loaders - Europol announced a takedown of
infrastructure used to run the Emotet botnet in a joint operation
with law enforcement organizations from the U.S., Canada, and Europe.
https://www.scmagazine.com/home/security-news/ransomware/law-enforcement-strikes-back-at-emotet-one-of-the-worlds-most-popular-ransomware-loaders/
How an automated pentesting stick can address multiple security
needs - Used for offensive and defensive purposes, a penetration
testing device can be configured to perform automated checks on
network security and more. Penetration testers and threat actors
(hackers) share a lot in common when it comes to the methods and
tools used to test a network's defenses, identify vulnerabilities,
and compromise systems.
https://www.techrepublic.com/article/how-an-automated-pentesting-stick-can-address-multiple-security-needs/
Can CISOs learn to do more with less? - Even before the coronavirus
pandemic, being a chief information security officer (CISO) was a
tough job. According to one recent survey, nine out of 10 C-level
information security execs are stressed out, leaving half with
mental health issues and one-third with physical health problems.
https://www.scmagazine.com/perspectives/can-cisos-learn-to-do-more-with-less/
Lazarus Affiliate ‘ZINC’ Blamed for Campaign Against Security
Researcher - New details emerge of how North Korean-linked APT won
trust of experts and exploited Visual Studio to infect systems with
‘Comebacker’ malware.
https://threatpost.com/lazarus-affiliate-zinc-blamed-for-campaign-against-security-researcher/163474/
UK ‘open banking’ efforts provide case study in risks, rewards tied
to digital transformation - A quasi-governmental entity in the
United Kingdom is rolling out a new tool designed to boost fraud
protections among open banking partners, offering an interesting
lesson in risk management amid digital transformation.
https://www.scmagazine.com/home/security-news/cybercrime/uk-open-banking-efforts-provide-case-study-in-risks-rewards-tied-to-digital-transformation/
Security spending will top 40% in most 2021 IT budgets - Some 56% of
IT leaders will allocate more than 40% of their IT budgets to
cybersecurity in 2021.
https://www.scmagazine.com/home/security-news/security-spending-will-top-40-in-most-2021-it-budgets/
Think of remote access as a business continuity issue - A little
more than a year ago I had the opportunity to interview 40 CISOs
about their enterprise access challenges. They understood the
limitations of virtual private networks (VPNs), yet not one IT
leader had the appetite or intention of replacing their legacy
access approach.
https://www.scmagazine.com/perspectives/think-of-remote-access-as-a-business-continuity-issue/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Stack Overflow 2019 hack was
guided by advice from none other than... Stack Overflow - Developer
site Stack Overflow has published details of a breach dating back to
May 2019, finding evidence that an intruder in its systems made
extensive use of Stack Overflow itself to determine how to make the
next move.
https://www.theregister.com/2021/01/27/stack_overflow_2019_hack_was/
Ransomware Disrupts Operations at Packaging Giant WestRock -
Incident is another reminder of how vulnerable OT environments are
to attack, security experts say. Operations at $17 billion packaging
firm WestRock were disrupted Saturday by a ransomware attack that
impacted both its IT and operational technology (OT) networks.
https://www.darkreading.com/attacks-breaches/ransomware-disrupts-operations-at-packaging-giant-westrock/d/d-id/1339990
USCellular hit by a data breach after hackers access CRM software -
Mobile network operator USCellular suffered a data breach after
hackers gained access to its CRM and viewed customers' accounts.
https://www.bleepingcomputer.com/news/security/uscellular-hit-by-a-data-breach-after-hackers-access-crm-software/
Data on 3.2 million DriveSure clients exposed on hacking forum -
Hackers published data on 3.2 million users lifted from DriveSure
data on the Raidforums hacking forum late last month.
https://www.scmagazine.com/home/security-news/data-on-3-2-million-drivesure-users-exposed-on-hacking-forum/
UK Research and Innovation suffers ransomware attack - The agency
has suspended some services while an investigation takes place. UK
Research and Innovation (UKRI) has disclosed a ransomware attack
that has disrupted services and may have led to data theft.
https://www.zdnet.com/article/uk-research-and-innovation-suffers-ransomware-attack/
State auditor’s office clashes with file transfer service provider
after breach - Malicious actors last Dec. 25 stole millions of
unemployment applicants’ data from the Washington State Auditor’s
Office (SAO) via a zero-day vulnerability in a 20-year-old file
transfer service from Accellion, Inc.
https://www.scmagazine.com/application-security/state-auditors-office-clashes-with-file-transfer-service-provider-after-breach/
SonicWall issues firmware patch after attackers exploited critical
bugs - SonicWall today made available a critical patch for two
vulnerabilities in its Secure Mobile Access 100 series products
featuring 10.x firmware, which malicious actors exploited in a
cyberattack against the infosec firm last month.
https://www.scmagazine.com/home/security-news/vulnerabilities/sonicwall-issues-firmware-patch-after-attackers-exploited-critical-bugs/
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is
covered by Regulation E when the transaction accesses a consumer's
account (such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear
and readily understandable, in writing, and in a form the consumer
may keep. An Interim rule was issued on March 20, 1998 that
allows depository institutions to satisfy the requirement to deliver
by electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for
a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as a personal computer or a
facsimile machine.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we start a three part review
of controls to prevent and detect intrusions.
Management should determine the controls necessary to deter,
detect, and respond to intrusions, consistent with the best
practices of information system operators. Controls may include the
following:
1) Authentication. Authentication provides identification by
means of some previously agreed upon method, such as passwords and
biometrics (a method of identifying a person by analyzing a unique
physical attribute). The means and strength of authentication should
be commensurate with the risk. For instance, passwords should be of
an appropriate length, character set, and lifespan for the systems
being protected. (The lifespan of a password is the length of time
the password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromises.) Employees should
be trained to recognize and respond to fraudulent attempts to
compromise the integrity of security systems. This may include
"social engineering," whereby intruders pose as authorized users to
gain access to bank systems or customer records.
2) Install and Update Systems. When a bank acquires and installs
new or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels for maintaining "separation
of duties" and "need to know" policies. Once installed, security
flaws in software and hardware should be identified and remediated
through updates or "patches." Continuous monitoring and updating is
essential to protect the bank from vulnerabilities. Information
related to vulnerabilities and patches is typically available from
the vendor, security-related web sites, and the bi-weekly National
Infrastructure Protection Center's CyberNotes.
3) Software Integrity. Copies of software and integrity checkers
(An integrity checker uses logical analysis to identify whether a
file has been changed.) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity
checklist and checking software. Where sufficient risk exists, the
checklist and software should be stored away from the network, in a
location where access is limited. Banks should also protect against
viruses and other malicious software by using automated virus
scanning software and frequently updating the signature file (The
signature file contains the information necessary to identify each
virus.) to enable identification of new viruses.
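The integrity checker described in item 3 is easy to picture in code. The following is an added example, not code from the OCC bulletin or from Yennik: it builds a baseline manifest of SHA-256 digests for every file under a directory, protects that manifest with an HMAC so a tampered "checklist" is itself detected (the bulletin's point about securing the checklist and storing it away from the network), and then reports files that were modified, added, or removed. The directory layout, file names and the MAC key are constructed for the demonstration; in practice the key and manifest would live on offline or access-restricted media.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record digest and size of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):        # links are recorded by their targets, not followed here
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def sign_manifest(baseline, key):
    """Serialize the baseline and append an HMAC so edits to the manifest are detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + mac.encode()


def load_manifest(blob, key):
    """Verify the HMAC before trusting the manifest; raise if the checklist was altered."""
    body, _, mac = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac.decode()):
        raise ValueError("manifest integrity check failed")
    return json.loads(body)


def verify(root, baseline):
    """Compare the live tree against the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then run the check."""
    key = b"constructed-demo-key-keep-offline"  # assumption: key stored off the network
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "teller.exe"), "wb") as fh:
            fh.write(b"ORIGINAL PROGRAM BYTES")
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"debug=0\n")

        manifest = sign_manifest(build_baseline(root), key)   # would be stored offline

        # Simulate unauthorized changes after the baseline was taken.
        with open(os.path.join(root, "bin", "teller.exe"), "wb") as fh:
            fh.write(b"MODIFIED PROGRAM BYTES")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "unexpected.dll"), "wb") as fh:
            fh.write(b"new file not in baseline")

        return verify(root, load_manifest(manifest, key))


def tampered_manifest_is_rejected():
    """Show that flipping one byte of the stored manifest fails the HMAC check."""
    key = b"constructed-demo-key-keep-offline"
    blob = bytearray(sign_manifest({"a.txt": {"sha256": "00", "size": 1}}, key))
    blob[5] ^= 0x01
    try:
        load_manifest(bytes(blob), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three change lists. A scheduled job comparing against a signed manifest is the whole of what a basic integrity checker does; the value of the control comes from keeping the manifest and the checking program somewhere the same intruder cannot reach.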
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.1 Behavior
People are a crucial factor in ensuring the security of computer
systems and valuable information resources. Human actions account
for a far greater degree of computer-related loss than all other
sources combined. Of such losses, the actions of an organization's
insiders normally cause far more harm than the actions of outsiders.
(Chapter 4 discusses the major sources of computer-related loss.)
The major causes of loss due to an organization's own employees
are: errors and omissions, fraud, and actions by disgruntled
employees. One principal purpose of security awareness, training,
and education is to reduce errors and omissions. However, it can
also reduce fraud and unauthorized activity by disgruntled employees
by increasing employees' knowledge of their accountability and the
penalties associated with such actions.
Management sets the example for behavior within an organization.
If employees know that management does not care about security, no
training class teaching the importance of security and imparting
valuable skills can be truly effective. This "tone from the top" has
myriad effects on an organization's security program.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.