R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

February 11, 2024

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Bank regulatory FFIEC IT audits - I perform annual IT audits required by the regulatory agencies for banks and credit unions. I am a former bank examiner with over 30 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

China-linked hackers primed to attack US critical infrastructure, FBI director says - Christopher Wray and other top cybersecurity officials warned state-linked hackers are prepositioning for catastrophic attacks to distract from a potential military action. https://www.cybersecuritydive.com/news/fbi-china-hackers-us-critical-infrastructure/706307/

White House rejects efforts to undo SEC cyber disclosure rule - The Biden administration came out forcefully this week against a congressional effort to undo the U.S. Securities and Exchange Commission’s recently adopted rule requiring public companies to disclose cybersecurity incidents.
https://www.cybersecuritydive.com/news/white-house-sec-rule-change/706237/

GAO: National Cyber Director Needs to Take Additional Actions to Implement an Effective Strategy.
https://www.gao.gov/products/gao-24-106916

Federal agencies have until Feb. 3 to disconnect Ivanti VPNs - The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a supplemental directive on the high-severity flaws discovered over the past several weeks in Ivanti Connect Secure and Policy Secure VPN products, calling for federal civilian executive branch (FCEB) agencies to disconnect all affected devices by early Saturday morning.
https://www.scmagazine.com/news/federal-agencies-have-until-feb-3-to-disconnect-ivanti-vpns

Blackbaud settles FTC data security probe into 2020 ransomware attack - Blackbaud needs to delete any unnecessarily stored data under a proposed settlement with the Federal Trade Commission reached in connection with a 2020 ransomware attack.
https://www.cybersecuritydive.com/news/blackbaud-ftc-data-security-probe/706449/

AI-generated code leads to security issues for most businesses: report - More than three-quarters of developers bypass established protocols to use code completion tools despite potential risks, Snyk’s research found.
https://www.cybersecuritydive.com/news/security-issues-ai-generated-code-snyk/705926/

Interpol's latest cybercrime intervention dismantles ransomware, banking malware servers - Interpol has arrested 31 people following a three-month operation to stamp out various types of cybercrime.
https://www.theregister.com/2024/02/02/interpols_latest_cybercrime_intervention_dismantles/

Stop chasing shadow IT: Tackle the root causes of cloud breaches - The cloud has become an epicenter of cyberattacks and breaches. To prevent these breaches from succeeding, security teams must address the root causes behind these incidents and not confuse them with symptoms.
https://www.scmagazine.com/perspective/stop-chasing-shadow-it-tackle-the-root-causes-of-cloud-breaches

Internal Verizon breach exposed personal data of 63K employees - More than 63,000 Verizon employees - about half the company’s workforce - were victims of a data breach resulting from a staff member gaining unauthorized access to a file containing personnel records.
https://www.scmagazine.com/news/internal-verizon-breach-exposed-personal-data-of-63k-employees

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Hack of PJ&A tops 2023 US healthcare data breaches as tally jumps by 4M - An attack on medical transcription firm Perry Johnson & Associates (PJ&A) belatedly picked up the unwanted distinction of being 2023’s largest U.S. health sector data breach.
https://www.scmagazine.com/news/hack-of-pja-tops-2023-us-healthcare-data-breaches-as-tally-jumps-by-4m

Cloudflare hit by follow-on attack from previous Okta breach - A threat actor that previously intruded Cloudflare’s network through its Okta environment regained access with mistakenly unrotated credentials.
https://www.cybersecuritydive.com/news/cloudflare-follow-on-attack-okta/706450/

Another Chicago hospital announces cyberattack - For the second time this week, a Chicago hospital announced a cyberattack, with officials saying it forced them to take the facility’s entire network offline.
https://therecord.media/lurie-childrens-hospital-chicago-cyberattack

Fulton County Schools cyber security incident involved at least one student, district confirms - Fulton County Schools confirmed Tuesday that one or more students at the FCS Innovation Academy had accessed their Information Technology system without authorization. On Wednesday, the district shared details of how it’s proceeding.
https://www.wsbtv.com/news/local/fulton-county/fulton-county-schools-cyber-security-incident-involved-least-one-student-district-confirms/24PYZLHLJZD37CBYZZEJ4VYU5Q/

Johnson Controls Ransomware Attack: Data Theft Confirmed, Cost Exceeds $27 Million - In an SEC filing detailing its financial results for the last quarter of 2023, the company said the attack was discovered during the weekend of September 23, 2023.
https://www.securityweek.com/johnson-controls-ransomware-attacks-data-theft-confirmed-cost-exceeds-27-million/

Lurie Children's Hospital back to pen and paper after cyberattack - For the second time in one week, cybercriminals have targeted a Chicago children's hospital, this time causing significant operational disruption.
https://www.theregister.com/2024/02/05/lurie_childrens_hospital_cyberattack/

AnyDesk forces password reset for customers as 18k credentials go up for sale online - Remote access firm AnyDesk forced a password reset for all my.anydesk.com customers after 18,000 user credentials were found up for sale in hacker forums for $15K.
https://www.scmagazine.com/news/anydesk-triggers-password-reset-for-all-customers-as-credentials-surface-on-dark-web

Deepfake video conference convinces employee to send $25M to scammers - A deepfake phishing scam cost a multinational company more than $25 million after an employee was fooled by digital imitations of his colleagues on a conference call.
https://www.scmagazine.com/news/deepfake-video-conference-convinces-employee-to-send-25m-to-scammers

Cloudflare’s Atlassian systems breached in nation-state attack - Cloudflare reported Feb. 1 that it was the victim of a nation-state attack on its Atlassian systems following last fall’s Okta breach.
https://www.scmagazine.com/news/cloudflares-atlassian-systems-breached-in-nation-state-attack

Timex breach leaks employee Social Security numbers - Timex Group experienced a data breach that leaked the names and Social Security numbers of more than 3,000 people, the watchmaking company disclosed Monday.
https://www.scmagazine.com/news/timex-breach-leaks-employee-social-security-numbers

2 Chicago Hospitals Are Facing Cyberattack Woes - Two Chicago hospitals are navigating the effects of recent cyberattacks. One, a children's hospital, has taken its IT network offline to respond to an incident that happened this week, and the other, a nonprofit safety-net hospital, is being shaken down by cybercriminals asking for a hefty ransom in return for patient data stolen in December.
https://www.govinfosecurity.com/2-chicago-hospitals-are-facing-cyberattack-woes-a-24259

Pennsylvania Courts’ Website Disrupted by DoS Attack - The Pennsylvania Courts system has been hit by a cyber-attack, taking down parts of its website.
https://www.infosecurity-magazine.com/news/pennsylvania-courts-website-dos/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
   
Board and Management Oversight - Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process. 
   
   
The Board of Directors and senior management should oversee the development and continued maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. This should include establishing appropriate authorization privileges, logical and physical access controls, and adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities.
   
   Safeguarding of bank assets is one of the Board's fiduciary duties and one of senior management's fundamental responsibilities. However, it is a challenging task in a rapidly evolving e-banking environment because of the complex security risks associated with operating over the public Internet network and using innovative technology.
   
   To ensure proper security controls for e-banking activities, the Board and senior management need to ascertain whether the bank has a comprehensive security process, including policies and procedures, that addresses potential internal and external security threats both in terms of incident prevention and response. Key elements of an effective e-banking security process include: 
   
   1) Assignment of explicit management/staff responsibility for overseeing the establishment and maintenance of corporate security policies.
   
   2) Sufficient physical controls to prevent unauthorized physical access to the computing environment.
   
   3) Sufficient logical controls and monitoring processes to prevent unauthorized internal and external access to e-banking applications and databases.
   
   4) Regular review and testing of security measures and controls, including the continuous tracking of current industry security developments and installation of appropriate software upgrades, service packs and other required measures.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   

   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
   
   Access Rights Administration (2 of 5)
   

   System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.  The financial institution's security policy should address access rights to system resources and how those rights are to be administered.
   
   Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.  Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems.  Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.  Formal access rights administration for users consists of four processes:
   
   ! An enrollment process to add new users to the system;
   
   ! An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;
   
   ! An authentication process to identify the user during subsequent activities; and
   
   ! A monitoring process to oversee and manage the access rights granted to each user on the system.
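The four processes above, as an added illustration in Python (not FFIEC's or the newsletter author's code): enrollment starts an account at its role baseline, authorization changes are tied to a named approver, authentication uses a salted hash with a constant-time compare, and the monitoring step reports rights that drift beyond the minimum the role needs. Role baselines, user names and passwords are constructed sample data.

```python
# Added illustration of the four access-rights administration processes
# (enrollment, authorization, authentication, monitoring); not FFIEC code.
import hashlib, hmac, os
from dataclasses import dataclass, field

# Constructed role baselines: the minimum rights each role needs for its work.
ROLE_BASELINE = {
    "teller": {"core:read", "teller-app:use"},
    "loan-officer": {"core:read", "loan-app:use", "docs:write"},
}

@dataclass
class User:
    role: str
    salt: bytes
    pw_hash: bytes
    rights: set = field(default_factory=set)
    active: bool = True

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessAdmin:
    def __init__(self):
        self.users = {}   # uid -> User
        self.audit = []   # trail consumed by the monitoring process

    # 1) Enrollment: the account starts with the role baseline and nothing more.
    def enroll(self, uid, role, password, approver):
        salt = os.urandom(16)
        self.users[uid] = User(role, salt, _hash(password, salt), set(ROLE_BASELINE[role]))
        self.audit.append(("enroll", uid, role, approver))

    # 2) Authorization: every add/remove of a right records a named approver.
    def grant(self, uid, right, approver):
        self.users[uid].rights.add(right)
        self.audit.append(("grant", uid, right, approver))

    def revoke(self, uid, right, approver):
        self.users[uid].rights.discard(right)
        self.audit.append(("revoke", uid, right, approver))

    # 3) Authentication: identify the user on later activity (constant-time compare).
    def authenticate(self, uid, password) -> bool:
        u = self.users.get(uid)
        ok = bool(u and u.active and hmac.compare_digest(u.pw_hash, _hash(password, u.salt)))
        self.audit.append(("auth", uid, ok))
        return ok

    # 4) Monitoring: flag rights that exceed the role baseline (least-privilege drift).
    def excess_rights(self) -> dict:
        return {uid: u.rights - ROLE_BASELINE[u.role]
                for uid, u in self.users.items() if u.rights - ROLE_BASELINE[u.role]}
```

A periodic access review would run `excess_rights()` against the audit trail to confirm every surplus right has a recorded approver and a still-valid business reason.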



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.2 Development/Acquisition
 

 For most systems, the development/acquisition phase is more complicated than the initiation phase. Security activities can be divided into three parts:
 
 !  determining security features, assurances, and operational practices;
 
 !  incorporating these security requirements into design specifications; and
 
 !  actually acquiring them.
 
 These divisions apply to systems that are designed and built in-house, to systems that are purchased, and to systems developed using a hybrid approach.
 
 During the phase, technical staff and system sponsors should actively work together to ensure that the technical designs reflect the system's security needs.  As with development and incorporation of other system requirements, this process requires an open dialogue between technical staff and system sponsors. It is important to address security requirements effectively in synchronization with development of the overall system.
 
 8.4.2.1 Determining Security Requirements
 
 During the first part of the development/acquisition phase, system planners define the requirements of the system. Security requirements should be developed at the same time. These requirements can be expressed as technical features (e.g., access controls), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). System security requirements, like other system requirements, are derived from a number of sources including law, policy, applicable standards and guidelines, functional needs of the system, and cost-benefit tradeoffs.
 
 Law. Besides specific laws that place security requirements on information, such as the Privacy Act of 1974, there are laws, court cases, legal opinions, and other similar legal material that may affect security directly or indirectly.
 
 Policy. As discussed in Chapter 5, management officials issue several different types of policy. System security requirements are often derived from issue-specific policy.
 
 Standards and Guidelines. International, national, and organizational standards and guidelines are another source for determining security features, assurances, and operational practices. Standards and guidelines are often written in an "if…then" manner (e.g., if the system is encrypting data, then a particular cryptographic algorithm should be used). Many organizations specify baseline controls for different types of systems, such as administrative, mission- or business-critical, or proprietary. As required, special care should be given to interoperability standards.
 
 Functional Needs of the System. The purpose of security is to support the function of the system, not to undermine it. Therefore, many aspects of the function of the system will produce related security requirements.
 
 Cost-Benefit Analysis. When considering security, cost-benefit analysis is done through risk assessment, which examines the assets, threats, and vulnerabilities of the system in order to determine the most appropriate, cost-effective safeguards (that comply with applicable laws, policy, standards, and the functional needs of the system). Appropriate safeguards are normally those whose anticipated benefits outweigh their costs. Benefits and costs include monetary and nonmonetary issues, such as prevented losses, maintaining an organization's reputation, decreased user friendliness, or increased system administration.
 
 Risk assessment, like cost-benefit analysis, is used to support decision-making. It helps managers select cost-effective safeguards. The extent of the risk assessment, like that of other cost-benefit analyses, should be commensurate with the complexity and cost (normally an indicator of complexity) of the system and the expected benefits of the assessment.
 
 Risk assessment can be performed during the requirements analysis phase of a procurement or the design phase of a system development cycle. Risk should also normally be assessed during the development/acquisition phase of a system upgrade. The risk assessment may be performed once or multiple times, depending upon the project's methodology.
 
 Care should be taken in differentiating between security risk assessment and project risk analysis. Many system development and acquisition projects analyze the risk of failing to successfully complete the project - a different activity from security risk assessment.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.