February 21, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - New organization helps blind
workers find dream jobs in cybersecurity - Despite a sterling
academic record, magna cum laude honors, and hearty recommendations
from his professors, Naveen James was unable to land a job after
graduating from California State Polytechnic University Pomona in
2015.
https://www.scmagazine.com/home/security-news/new-organization-helps-blind-workers-find-their-dream-jobs-in-cybersecurity/
NSA/DHS CAE Supplemental Grants and Scholarship Program - Each of
the colleges and universities that are listed at the CAE Designated
Institution website (www.caecommunity.org) may request access to the
practice simulator to allow up to 100 students to prepare for the
National Cyber Scholarship Foundation’s $2 million in college
scholarships to be granted to students who excel in the Scholarship
Round.
https://www.nationalcyberscholarship.org/
Researchers identify 223 vulnerabilities used in recent ransomware
attacks - Ransomware is getting worse. Cybersecurity analysts have
been screaming this sentiment from the rooftops for years, but now
new research examining the expanding landscape of software
vulnerabilities leveraged in ransomware attacks offers up some hard
numbers that put the depth of this problem into context.
https://www.scmagazine.com/home/security-news/ransomware/researchers-identify-223-vulnerabilities-used-in-recent-ransomware-attacks/
Following Oldsmar attack, FBI warns about using TeamViewer and
Windows 7 - An FBI alert sent on Tuesday warns companies about the
use of out-of-date Windows 7 systems, poor account passwords, and
desktop sharing software TeamViewer.
https://www.zdnet.com/article/following-oldsmar-attack-fbi-warns-about-using-teamviewer-and-windows-7/
The Long Hack: How China Exploited a U.S. Tech Supplier - For years,
U.S. investigators found tampering in products made by Super Micro
Computer Inc. The company says it was never told. Neither was the
public. In 2010, the U.S. Department of Defense found thousands of
its computer servers sending military network data to China - the
result of code hidden in chips that handled the machines’ startup
process.
https://www.bloomberg.com/features/2021-supermicro/
Vulnerabilities hit record high in 2020, topping 18,000 - Security
teams were under siege last year, according to research analyzing
2020 NIST data on common vulnerabilities and exposures (CVEs) that
found more security flaws – 18,103 – were disclosed in 2020 than in
any other year to date.
https://www.scmagazine.com/home/security-news/cves-break-record-in-2020-topping-18000/
Org behind .org launches DNS Abuse Institute - Public Interest
Registry (PIR), the non-profit best known for overseeing the .org
top-level domain, launched a centralized resource to help stomp out
domain name system (DNS) abuse Wednesday morning.
https://www.scmagazine.com/home/security-news/org-behind-org-launches-dns-abuse-institute/
Non-profit pledges $1 million to offer free ransomware protection
for private hospitals - Perhaps no part of industry has been stung
more by the scourge of ransomware over the past year than hospitals.
https://www.scmagazine.com/home/security-news/non-profit-pledges-1-million-to-offer-free-ransomware-protection-for-private-hospitals/
Most businesses plan to move away from VPNs, adopt a zero-trust
access model - Growing security risks have prompted companies to
move away from virtual private networks (VPNs) in favor of a
zero-trust model.
https://www.scmagazine.com/home/security-news/most-businesses-plan-to-move-away-from-vpns-adopt-a-zero-trust-access-model/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Web hosting provider shuts down
after cyberattack - Two other UK web hosting providers also suffered
similar hacks over the weekend, although it's unconfirmed if the
attacks are related. A web hosting company named No Support Linux
Hosting announced today it was shutting down after a hacker breached
its internal systems and compromised its entire operation.
https://www.zdnet.com/article/web-hosting-provider-shuts-down-after-cyber-attack/
100+ Financial Services Firms Targeted in Ransom DDoS Attacks in
2020 - Consumer banks, exchanges, payment firms, and card issuing
companies around the globe were among those hit. More than 100
financial services firms across multiple countries were targeted in
a wave of ransom distributed denial-of-service (DDoS) attacks
conducted by the same threat actor in 2020.
https://www.darkreading.com/attacks-breaches/100+-financial-services-firms-targeted-in-ransom-ddos-attacks-in-2020/d/d-id/1340165
Leading Canadian rental car company hit by DarkSide ransomware -
Canadian Discount Car and Truck Rentals has been hit with a DarkSide
ransomware attack where the hackers claim to have stolen 120GB of
data.
https://www.bleepingcomputer.com/news/security/leading-canadian-rental-car-company-hit-by-darkside-ransomware/
Dax-Côte d’Argent hospital in France hit by ransomware attack - A
hospital in southwest France is scrambling to recover from a
ransomware attack that has caused significant operational
disruption.
https://portswigger.net/daily-swig/dax-cote-dargent-hospital-in-france-hit-by-ransomware-attack
Florida Water Plant Hack: Leaked Credentials Found in Breach
Database - Researchers discovered credentials for the Oldsmar water
treatment facility in the massive compilation of data from breaches
posted just days before the attack.
https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/
Prosecutor charges former phone company employee in SIM-swap scheme
- A former phone company worker has been charged with conspiracy to
commit fraud for allegedly using his access to customer account data
to take over the phone numbers of 19 customers, including at least
one cryptocurrency holder.
https://arstechnica.com/information-technology/2021/02/former-phone-carrier-employee-accused-of-accepting-bribes-in-sim-swap-scam/
Cyberattack on Dutch Research Council (NWO) suspends research grants
- Servers belonging to the Dutch Research Council (NWO) have been
compromised, forcing the organization to make its network
unavailable and suspend subsidy allocation for the foreseeable
future.
https://www.bleepingcomputer.com/news/security/cyberattack-on-dutch-research-council-nwo-suspends-research-grants/
Singtel hit by third-party vendor's security breach, customer data
may be leaked - Singapore telco says it has pulled back all use of
Accellion's file-sharing system FTA and is investigating the impact
of a cybersecurity attack, having ascertained on February 9 that
"files were taken" and customer data "may have" been compromised.
https://www.zdnet.com/article/singtel-hit-by-third-party-vendors-security-breach-customer-data-may-be-leaked/
WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify
the definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review the last of a three
part series regarding controls to prevent and detect intrusions.
8) Encryption. Encryption is a means of securing data. Data can
be encrypted when it is transmitted, and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
revealed.
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should revalidate periodically access lists
and logon IDs.
10) Accurate and Complete Records of Users and Activities.
Accurate and complete records of users and activities are essential
for analysis, recovery, and development of additional security
measures, as well as possible legal action. Information of primary
importance includes the methods used to gain access, the extent of
the intruder's access to systems and data, and the intruder's past
and current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
information.
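One way to make such records tamper-evident, as an added example that is not part of the OCC bulletin or this newsletter: every record's hash commits to the previous record, so any edit or deletion breaks the chain, and a keyed seal of the chain head (assumed to be kept on a separate host with its own key, per the separate-location advice above) exposes a wholesale rewrite or truncation that a hash chain alone cannot. The event fields, timestamps and key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample events (not real logs). Fields follow the OCC list of what to
# record: who gained access, the method used, the system touched and the activity.
SAMPLE_EVENTS = [
    {"user": "jdoe", "method": "vpn", "system": "core-db", "activity": "login"},
    {"user": "jdoe", "method": "vpn", "system": "core-db", "activity": "export customers"},
    {"user": "svc-backup", "method": "console", "system": "file-srv", "activity": "copy /exports"},
]
GENESIS = "0" * 64  # "previous hash" value used by the first record


def _digest(ts, event, prev):
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps({"ts": ts, "event": event, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_record(chain, event, ts):
    """Append one record whose hash commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    event = dict(event)  # copy, so later mutation of the input cannot alter the record
    rec = {"ts": ts, "event": event, "prev": prev, "hash": _digest(ts, event, prev)}
    chain.append(rec)
    return rec


def verify_chain(chain):
    """Recompute every hash and link; return (True, None) or (False, first bad index)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or _digest(rec["ts"], rec["event"], rec["prev"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def seal_head(chain, key):
    """HMAC of the latest hash. The key (constructed here) would live on the separate log host,
    so an attacker who rewrites a consistent-looking chain cannot forge a matching seal."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def seal_matches(chain, key, seal):
    return hmac.compare_digest(seal_head(chain, key), seal)


def build_sample_chain():
    chain = []
    for n, event in enumerate(SAMPLE_EVENTS):
        append_record(chain, event, ts=f"2021-02-21T10:0{n}:00Z")
    return chain
```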
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.4 Training
The purpose of training is to teach people the skills that will
enable them to perform their jobs more securely. This includes
teaching people what they should do and how they should (or can) do
it. Training can address many levels, from basic security practices
to more advanced or specialized skills. It can be specific to one
computer system or generic enough to address all systems.
Training is most effective when targeted to a specific audience.
This enables the training to focus on the security-related job skills
and knowledge that people need in performing their duties. Two types of
audiences are general users and those who require specialized or
advanced skills.
General Users. Most users need to understand good computer security
practices, such as:
1) protecting the physical area and equipment (e.g., locking
doors, caring for floppy diskettes);
2) protecting passwords (if used) or other authentication
data or tokens (e.g., never divulge PINs); and
3) reporting security violations or incidents (e.g., whom to
call if a virus is suspected).
In addition, general users should be taught the organization's
policies for protecting information and computer systems and the
roles and responsibilities of various organizational units with
which they may have to interact.
In teaching general users, care should be taken not to
overburden them with unneeded details. These people are the
target of multiple training programs, such as those addressing
safety, sexual harassment, and AIDS in the workplace. The training
should be made useful by addressing security issues that directly
affect the users. The goal is to improve basic security practices,
not to make everyone literate in all the jargon or philosophy of
security.
Specialized or Advanced Training. Many groups need more
advanced or more specialized training than just basic security
practices. For example, managers may need to understand security
consequences and costs so they can factor security into their
decisions, or system administrators may need to know how to
implement and use specific access control products.
There are many different ways to identify individuals or groups who
need specialized or advanced training. One method is to look at job
categories, such as executives, functional managers, or technology
providers. Another method is to look at job functions, such as
system design, system operation, or system use. A third method is to
look at the specific technology and products used, especially for
advanced training for user groups and training for a new system.
Techniques. A security training program normally includes
training classes, either strictly devoted to security or as added
special sections or modules within existing training classes.
Training may be computer- or lecture-based (or both), and may
include hands-on practice and case studies. Training, like
awareness, also happens on the job.
One group that has been targeted for specialized training is
executives and functional managers. The training for management
personnel is specialized (rather than advanced) because managers do
not (as a general rule) need to understand the technical details of
security. However, they do need to understand how to organize,
direct, and evaluate security measures and programs. They also need
to understand risk acceptance.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.