February 14, 2021
Please stay safe - We will recover.
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b)
as well as the penetration
test complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - Years overdue, the profile of the
CISO begins to rise as cyber grabs attention in boardrooms -
Cybersecurity garnered far more attention in executive boardrooms
and among regulators and insurance underwriters during the last
couple years, thanks to both an increasing volume of attacks and
growing demand for digital transformation.
https://www.scmagazine.com/home/security-news/network-security/years-overdue-the-profile-of-the-ciso-begins-to-rise-as-cyber-grabs-attention-in-boardrooms/
Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO
Says - Investigators still don’t know how the company was breached
in attack that will cost millions.
https://www.wsj.com/articles/hackers-lurked-in-solarwinds-email-system-for-at-least-9-months-ceo-says-11612317963
Safety first: Will insurance companies stall or accelerate
cybersecurity progress? - Every time a driver buckles up or an
airbag is deployed we see the powerful influence of the insurance
companies who insisted those measures become mandatory. Now, those
insurers are poised to drive cybersecurity investment by insisting
that organizations meet certain criteria to qualify for coverage.
https://www.scmagazine.com/home/security-news/data-breach/safety-first-will-insurance-companies-stall-or-accelerate-cybersecurity-progress/
With thousands of vendors, companies typically have limited grasp
over supply chain security - Cyberattacks against SolarWinds and
other widely implemented software offerings exposed a supply chain
rife with exploitable weaknesses. And still, most enterprises have
little insight into the plethora of suppliers plugged into their
networks.
https://www.scmagazine.com/risk-management/with-thousands-of-vendors-companies-typically-have-limited-grasp-over-supply-chain-security/
Police seize $60 million of bitcoin! Now, where's the password? -
German prosecutors have confiscated more than 50 million euros ($60
million) worth of bitcoin from a fraudster. There’s only one
problem: they can’t unlock the money because he won’t give them the
password.
https://www.reuters.com/article/us-crypto-currency-germany-password/police-seize-60-million-of-bitcoin-now-wheres-the-password-idINKBN2A511T
New guidelines from NIST on how to avoid cyberattacks from a
nation-state - The National Institute for Standards and Technology
has some new advice for contractors that handle sensitive
information desirable to adversarial nation-states.
https://www.fedscoop.com/nist-800-172-cybersecurity-guidelines/
Rampant data sharing suggests website managers lack control,
visibility - Data sharing between websites and third-party
applications is a common practice, but a new research-based report
takes a more focused look into the potential overreach of some of
these apps, particularly as website managers lose sight of their
third-party partners’ default settings and access rights.
https://www.scmagazine.com/home/security-news/privacy-compliance/rampant-data-sharing-suggests-website-managers-lack-control-visibility/
Words of advice for President’s new CISO - News that the President's
team seeks congressional approval for an enormous spending plan that
includes some $9 billion for IT and cybersecurity and also just
named a federal chief information security officer (CISO) offers
some welcome hope.
https://www.scmagazine.com/perspectives/words-of-advice-for-president-bidens-new-ciso/
Penetration tests can help companies avoid future breaches -
Comprehensive penetration testing can contribute to the security
conversation by suggesting organizations prioritize cybersecurity
controls that will offer optimal risk remediation against exploits
hackers will attempt.
https://www.scmagazine.com/perspectives/penetration-tests-can-help-companies-avoid-future-breaches/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - DDoS attacks leverage Plex media
server - Netscout is reporting a spate of distributed
denial-of-service (DDoS) attacks leveraging a problematic
engineering decision in the popular Plex media server.
https://www.scmagazine.com/home/security-news/network-security/ddos-attacks-leverages-plex-media-server/
Security firm Stormshield discloses data breach, theft of source
code - Stormshield is a major provider of network security products
to the French government, some approved to be used on sensitive
networks.
https://www.zdnet.com/article/security-firm-stormshield-discloses-data-breach-theft-of-source-code/
Mortgage loan servicing company discloses ransomware attack to
multiple states - Mortgage loan servicing company SN Servicing
Corporation notified at least two states in recent weeks of a
ransomware attack on its systems.
https://www.scmagazine.com/home/security-news/mortgage-loan-servicing-company-discloses-ransomware-attack-to-multiple-states/
Security gaps in operational tech exposed with hacker attempt to
poison Florida city water - A malicious hacker’s attempted poisoning
of the Oldsmar, Florida water supply serves as a stark reminder of
the potentially devastating consequences that can result from
operating vulnerable and unsecured industrial controls in a critical
infrastructure environment.
https://www.scmagazine.com/home/security-news/network-security/security-gaps-in-operational-tech-exposed-with-hacker-attempt-to-poison-florida-city-water/
https://www.wired.com/story/oldsmar-florida-water-utility-hack/
Conti ransomware gang tied to latest attacks on hospitals in Florida
and Texas - A security researcher on Monday said the recent
ransomware attacks on hospital chains in Florida and Texas are tied
to the Conti ransomware gang.
https://www.scmagazine.com/home/security-news/ransomware/conti-ransomware-gang-tied-to-latest-attacks-on-hospitals-in-florida-and-texas/
Ransomware Attacks Hit Major Utilities - Two state-owned utility
companies in Brazil suffered separate ransomware attacks in the past
week, forcing them to shut down some operations and services
temporarily. In one case, sensitive data was stolen and dumped
online, including network access logins and engineering plans.
https://threatpost.com/ransomware-attacks-major-utilities/163687/
SitePoint hacked: Hashed, salted passwords pinched from web dev
learning site via GitHub tool pwnage - SitePoint, an Australian
learn-to-code publishing website, has been compromised while
promoting the book Hacking for Dummies on its homepage.
https://www.theregister.com/2021/02/05/sitepoint_hack_supply_chain/
Hackers Dump More Health Data, as Feds Share Ransomware Factsheet -
On the heels of a federal joint ransomware fact sheet, the Conti
ransomware hacking group dumped more health-related data onto the
dark web.
https://healthitsecurity.com/news/hackers-dump-more-health-data-as-feds-share-ransomware-factsheet
Ransomware group claims it dumped source code of Cyberpunk 2077 - In
what could have been the dystopian future envisioned by a sci-fi
author or just another bad day for CD Projekt Red, the company was
hit with a 48-hour ransom demand by an undetermined hacking group.
https://www.scmagazine.com/home/security-news/ransomware-group-claims-it-dumped-source-code-of-cyberpunk-2077/
State auditor’s office clashes with file transfer service provider
after breach - Malicious actors last Dec. 25 stole millions of
unemployment applicants’ data from the Washington State Auditor’s
Office (SAO) via a zero-day vulnerability in a 20-year-old file
transfer service from Accellion, Inc.
https://www.scmagazine.com/application-security/state-auditors-office-clashes-with-file-transfer-service-provider-after-breach/
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the Official Staff Commentary (OSC),
an example of a consumer's authorization that is not in the form of
a signed writing but is, instead, "similarly authenticated," is a
consumer's authorization via a home banking system. To satisfy the
regulatory requirements, the institution must have some means to
identify the consumer (such as a security code) and make a paper
copy of the authorization available (automatically or upon
request). The text of the electronic authorization must be
displayed on a computer screen or other visual display that enables
the consumer to read the communication from the institution. Only
the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review part two of three
regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more
available components and services than are required for the
performance of necessary functions. Banks maintaining unused
features may unwittingly enable network penetration by increasing
the potential vulnerabilities. To reduce the risk of intrusion,
institutions should use the minimum number of system components and
services to perform the necessary functions.
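The following is an added example, not part of the OCC bulletin, of how the "minimum number of components and services" principle can be checked on a Linux host: the listening sockets reported by `ss -lntp` are parsed and compared against an allowlist of the services the host is actually required to run. The sample output and the allowlist (ALLOWED_SERVICES) are constructed for illustration; the function names are the example's own.

```python
import re

# Constructed sample in the layout of `ss -lntp` on Linux; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=950,fd=4))
LISTEN  0       50      0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=977,fd=3))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1010,fd=5))
"""

# Assumed allowlist for this host: the (port, process) pairs its business
# function requires. Anything else is an "unused feature" in the bulletin's sense.
ALLOWED_SERVICES = {(22, "sshd"), (443, "nginx"), (5432, "postgres")}

# One `ss -lntp` LISTEN row: state, queues, local addr:port, peer, process name.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return (bind_address, port, process) for every LISTEN row in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return listeners


def find_unneeded(listeners, allowed):
    """Listeners whose (port, process) is not on the allowlist: candidates for
    removal, or for justification and monitoring if they turn out to be needed."""
    return [entry for entry in listeners if (entry[1], entry[2]) not in allowed]


def audit_report(ss_output, allowed):
    """Summarise the comparison so it can be filed with the review evidence."""
    listeners = parse_listeners(ss_output)
    unneeded = find_unneeded(listeners, allowed)
    return {
        "listening": len(listeners),
        "unneeded": unneeded,
        "ok": not unneeded,
    }


if __name__ == "__main__":
    result = audit_report(SAMPLE_SS_OUTPUT, ALLOWED_SERVICES)
    for addr, port, proc in result["unneeded"]:
        print(f"not on allowlist: {proc} listening on {addr}:{port}")
    print("host within approved service set:", result["ok"])
```

On a live system the same functions can be fed `subprocess.run(["ss", "-lntp"], capture_output=True, text=True).stdout`; the allowlist should come from the host's documented build standard so the review compares against what was approved rather than against what happens to be running.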
5) Modem Sweep. While access to a system is typically directed
through a firewall, sometimes modems are attached to the system
directly, perhaps without the knowledge of personnel responsible for
security. Those modems can provide an uncontrolled and unmonitored
area for attack. Modems that present such vulnerabilities should be
identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an
attack is essential to minimize damage. Therefore, management should
consider the use of real-time intrusion detection software.
Generally, this software inspects for patterns or "signatures" that
represent known intrusion techniques or unusual system activities.
It may not be effective against new attack methods or modified
attack patterns. The quality of the software and sophistication of
an attack also may reduce the software's effectiveness. To identify
intrusions that escape software detection, other practices may be
necessary. For example, banks can perform visual examinations and
observations of systems and logs for unexpected or unusual
activities and behaviors as well as manual examinations of hardware.
Since intrusion detection software itself is subject to compromise,
banks should take steps to ensure the integrity of the software
before it is used.
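To make the three points in item 6 concrete (signature matching, its weakness against modified attack patterns, and verifying the integrity of the detection software before use), here is an added example that is not part of the OCC bulletin. It is a minimal log inspector: it refuses to load its rule set unless the rule set's SHA-256 digest matches a known-good value, it matches web server log lines against signatures with and without percent-decoding to show how a trivially modified pattern slips past a naive match, and it adds a threshold rule for repeated failed logins, which is "unusual activity" that no signature describes. The rule file format, rule names, log lines and addresses are all constructed for illustration.

```python
import hashlib
import re
import urllib.parse
from collections import Counter

# Constructed rule set in an assumed "name|regex" format (no vendor's format).
# Inside this non-raw string "\\." becomes "\." in the rule text.
SIGNATURES_TEXT = """\
dir_traversal|\\.\\./
passwd_probe|/etc/passwd
"""

# Constructed web server log lines in combined-log style.
LOGS = [
    '10.0.0.5 - - [11/Feb/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [11/Feb/2021:10:01:05 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 512',
    '10.0.0.7 - - [11/Feb/2021:10:01:06 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 512',
    '10.0.0.5 - - [11/Feb/2021:10:01:30 +0000] "POST /login HTTP/1.1" 401 0',
    '10.0.0.9 - - [11/Feb/2021:10:02:00 +0000] "POST /login HTTP/1.1" 401 0',
    '10.0.0.9 - - [11/Feb/2021:10:02:01 +0000] "POST /login HTTP/1.1" 401 0',
    '10.0.0.9 - - [11/Feb/2021:10:02:02 +0000] "POST /login HTTP/1.1" 401 0',
    '10.0.0.9 - - [11/Feb/2021:10:02:03 +0000] "POST /login HTTP/1.1" 401 0',
]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# In a real deployment the known-good digest is recorded out of band when the
# rules are installed; for this demonstration it is computed from the good copy.
EXPECTED_DIGEST = sha256_hex(SIGNATURES_TEXT)


def load_signatures(text, expected_digest):
    """Parse the rule set only after its digest matches the known-good value,
    so a tampered rule file cannot silently blind the detector."""
    if sha256_hex(text) != expected_digest:
        raise ValueError("signature set failed integrity check; refusing to load")
    sigs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pattern = line.split("|", 1)
        sigs.append((name, re.compile(pattern)))
    return sigs


def match_signatures(lines, sigs, decode=True):
    """Map line index -> sorted names of the signatures that fire on it.
    With decode=True the line is percent-decoded first, so an encoded
    variant of a known pattern is still recognised."""
    hits = {}
    for i, line in enumerate(lines):
        text = urllib.parse.unquote(line) if decode else line
        names = sorted(name for name, rx in sigs if rx.search(text))
        if names:
            hits[i] = names
    return hits


LOGIN_FAIL_RE = re.compile(r'^(\S+) .*"POST /login HTTP/1\.\d" 401 ')


def failed_login_bursts(lines, threshold=3):
    """Threshold rule: source addresses with at least `threshold` failed
    logins. No signature is involved, so it also flags activity that
    uses no known pattern at all."""
    counts = Counter()
    for line in lines:
        m = LOGIN_FAIL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_TEXT, EXPECTED_DIGEST)
    print("raw matching:    ", match_signatures(LOGS, sigs, decode=False))
    print("decoded matching:", match_signatures(LOGS, sigs, decode=True))
    print("login bursts:    ", failed_login_bursts(LOGS))
```

Run as written, the raw pass fires `dir_traversal` only on the plainly written request, while the decoded pass fires it on the percent-encoded one as well; that gap is exactly the "modified attack pattern" limitation the bulletin describes, and normalising input before matching is one standard way to narrow it. The threshold rule and the integrity check are the two complements the bulletin asks for: other practices for what signatures miss, and assurance that the detector itself has not been altered.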
7) Firewalls. Firewalls are an important component of network
security and can be effective in reducing the risk of a successful
attack. The effectiveness of a firewall, however, is dependent on
its design and implementation. Because misconfigurations, operating
flaws, and the means of attack may render firewalls ineffective,
management should consider additional security behind the firewall,
such as intrusion identification and encryption.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 - AWARENESS,
TRAINING, AND EDUCATION
13.3 Awareness
Awareness stimulates and motivates those being trained to care
about security and to remind them of important security practices.
Explaining what happens to an organization, its mission, customers,
and employees if security fails motivates people to take security
seriously.
Awareness can take on different forms for particular audiences.
Appropriate awareness for management officials might stress
management's pivotal role in establishing organizational attitudes
toward security. Appropriate awareness for other groups, such as
system programmers or information analysts, should address the need
for security as it relates to their job. In today's systems
environment, almost everyone in an organization may have access to
system resources -- and therefore may have the potential to cause
harm.
Security awareness programs: (1) set the stage for training by
changing organizational attitudes to realize the importance of
security and the adverse consequences of its failure; and (2) remind
users of the procedures to be followed.
Awareness is used to reinforce the fact that security supports the
mission of the organization by protecting valuable resources. If
employees view security as just bothersome rules and procedures,
they are more likely to ignore them. In addition, they may not make
needed suggestions about improving security nor recognize and report
security threats and vulnerabilities.
Awareness also is used to remind people of basic security
practices, such as logging off a computer system or locking doors.
Techniques. A security awareness program can use many
teaching methods, including video tapes, newsletters, posters,
bulletin boards, flyers, demonstrations, briefings, short reminder
notices at log-on, talks, or lectures. Awareness is often
incorporated into basic security training and can use any method
that can change employees' attitudes.
Effective security awareness programs need to be designed with the
recognition that people tend to practice a tuning out process (also
known as acclimation). For example, after a while, a security
poster, no matter how well designed, will be ignored; it will, in
effect, simply blend into the environment. For this reason,
awareness techniques should be creative and frequently changed.
Employees often regard computer security as an obstacle to
productivity. A common feeling is that they are paid to produce, not
to protect. To help motivate employees, awareness should emphasize
how security, from a broader perspective, contributes to
productivity. The consequences of poor security should be explained,
while avoiding the fear and intimidation that employees often
associate with security.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.