March 7, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - As ransomware inches from
economic burden to national security threat, policies may follow -
On Wednesday – just Wednesday – news stories emerged about an
airplane maker, information technology giant and computer game
company all having operations disrupted by ransomware.
https://www.scmagazine.com/home/security-news/ransomware/as-ransomware-inches-from-economic-burden-to-national-security-threat-policies-may-follow/
So far, ransomware attacks way down at schools, hospitals in 2021 -
Some good news, for once: Health care and government organizations
started 2021 with ransomware incidents at their lowest point in more
than a year.
https://www.scmagazine.com/home/security-news/ransomware/so-far-ransomware-attacks-way-down-at-schools-hospitals-in-2021/
Here’s how security pros can lock down their remote networks -
Workforce migration has posed significant challenges for
organizations, especially since 50 percent had no plan ready last
year to accommodate an overnight transition to fully-remote
employees.
https://www.scmagazine.com/perspectives/heres-how-security-pros-can-lock-down-their-remote-networks/
UK's National Cyber Security Centre sidles in to help firm behind
hacked NurseryCam product secure itself - The UK's National Cyber
Security Centre is now helping IoT gadget firm FootfallCam Ltd
secure product lines following the recent digital burglary of its
nursery webcam operation.
https://www.theregister.com/2021/02/25/ncsc_nurserycam_security/
Why we can expect another SolarWinds attack - Airport security has
been designed (in theory) to detect threats to air travel before a
malicious person or item makes it to the plane. Much of
cybersecurity works the same way.
https://www.scmagazine.com/perspectives/why-we-can-expect-another-solarwinds-attack/
VPNs begin to lose their relevance, even as they remain difficult to
shed - Virtual private networks have been around for decades, but
the past year forced many organizations to expand their use to keep
up with growing telework trends. In response, criminal and
state-backed hacking groups stepped up their own exploitation of the
technology as well.
https://www.scmagazine.com/home/security-news/network-security/vpns-still-dominate-post-covid-but-businesses-are-sniffing-for-alternatives/
Free cybersecurity tool aims to help smaller businesses stay safer
online - NCSC tool aims to help small businesses develop a strategy
to protect themselves from cybercrime. Small businesses can receive
bespoke advice on how to improve their cybersecurity and protect
their networks from malicious hackers and cybercrime via a new tool
from the National Cyber Security Centre (NCSC).
https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-businesses-stay-safer-online/
NSA Releases Guidance on Zero-Trust Architecture - A new document
provides guidance for businesses planning to implement a zero-trust
system management strategy. The National Security Agency (NSA) today
published a document to explain the zero-trust model and its
benefits, challenges involved with implementation, and advice to
navigate the process.
https://www.darkreading.com/nsa-releases-guidance-on-zero-trust-architecture/d/d-id/1340269
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Federal Reserve nationwide outage
impacts US banking system - The US Federal Reserve suffered a
massive IT systems outage today that prevented wire transfers, ACH
transactions, and other services from operating.
https://www.bleepingcomputer.com/news/government/federal-reserve-nationwide-outage-impacts-us-banking-system/
TD Bank suffered systemwide banking outage, services now recovered -
TD Bank has recovered from a major IT systems outage today that
prevented account holders from accessing their online bank accounts,
using ATMs, or checking balances over the phone.
https://www.bleepingcomputer.com/news/technology/td-bank-suffered-systemwide-banking-outage-services-now-recovered/
Plane-maker Bombardier discloses breach after stolen data surfaces -
Hackers have exposed data about employees, customers and suppliers
of Bombardier, a Canadian plane manufacturer, in what appears to be
the latest ripple effect from a larger security incident humming
through the private sector in North America.
https://www.cyberscoop.com/bombardier-breach-accellion-unc2546/
Finnish IT Giant Hit with Ransomware Cyberattack - TietoEVRY was
forced to shut down services and infrastructure as the company
continues to investigate the incident with relevant authorities.
https://threatpost.com/finnish-it-giant-ransomware-cyberattack/164193/
Exclusive: Hackers Break Into ‘Biochemical Systems’ At Oxford
University Lab Studying Covid-19 - One of the world’s top biology
labs - one whose renowned professors have been researching how to
counter the Covid-19 pandemic - has been hacked.
https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/
Universal Health Services reports $67 million in losses after
apparent ransomware attack - Written by Sean Lyngaas - An apparent
ransomware attack last fall caused $67 million in pre-tax losses at
Universal Health Services, the U.S. health care provider has
revealed, illustrating the sharp financial toll that criminal
hackers have caused the sector during the pandemic.
https://www.cyberscoop.com/universal-health-services-ransomware-cost-ryuk/
T-Mobile discloses data breach after SIM swapping attacks - American
telecommunications provider T-Mobile has disclosed a data breach
after an unknown number of customers were apparently affected by SIM
swap attacks.
https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/
Chinese businessman plotted with GE insider to steal transistor
secrets, say Feds - Hong Kong-based suspect wanted to create rival
startup using pilfered silicon carbide MOSFET blueprints - claim - A
Chinese businessman has been accused by the US government of trying
to steal silicon secrets from General Electric (GE).
https://www.theregister.com/2021/03/01/china_mosfet_theft/
Qualys hit with ransomware: Customer invoices leaked on
extortionists' Tor blog - Infosec outfit Qualys, its cloud-based
vuln detection tech, and its SSL server test webpage, have seemingly
fallen victim to a ransomware attack.
https://www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/
Qualys’ Official Response Press Release
https://www.qualys.com/company/newsroom/news-releases/usa/qualys-update-on-accellion-fta-security-incident/
Nine-year Malaysia Airlines breach gave attackers lots of time to
misuse data - Malaysia Airlines faces the daunting task of
investigating over nine years’ worth of compromised data after
learning of a “data security incident” at a third-party IT service
provider that exposed Enrich frequent flyer program member data from
March 2010 through June 2019.
https://www.scmagazine.com/home/security-news/data-breach/nine-year-malaysia-airlines-breach-gave-attackers-lots-of-time-to-misuse-data/
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent
an advertisement. Accordingly, bank web site home pages should
contain the official advertising statement unless the advertisement
is subject to exceptions such as advertisements for loans,
securities, trust services and/or radio or television advertisements
that do not exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
statement.
FFIEC IT SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Information.
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
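The bulletin asks for two things at once: evidence kept in a state that can be proven unaltered, and a record of who held it from collection until hand-off to law enforcement. The following is an added example (not part of the OCC bulletin or of this newsletter) of a minimal custody manifest that does both: each item is fixed by its SHA-256 hash at collection, every hand-off re-verifies the hash and is refused if the bytes or the recorded holder do not match, and a continuity check walks the log looking for gaps. The evidence bytes, custodian names and timestamps are constructed for the example.

```python
"""Chain-of-custody manifest for intrusion evidence (added example).

Assumptions: evidence is handled as byte strings already copied off the
affected system; custodians are identified by constructed account names.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    when: str
    action: str          # collected | transferred | verification_failed
    custodian: str       # who holds the item after this action
    previous: str = ""   # who held it before (filled in for transfers)
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when):
    return when or datetime.now(timezone.utc).isoformat()


def collect(item_id, description, data, custodian, when=None):
    """Record the item at the moment it is taken; the hash fixes its state."""
    item = EvidenceItem(item_id, description, sha256_hex(data), len(data))
    item.custody.append(CustodyEntry(_stamp(when), "collected", custodian))
    return item


def current_custodian(item):
    return item.custody[-1].custodian if item.custody else ""


def transfer(item, data, from_custodian, to_custodian, when=None):
    """Hand-off: re-hash the item and refuse if bytes or holder do not match.
    Refusals are logged too, so the record shows the attempt."""
    when = _stamp(when)
    holder = current_custodian(item)
    if from_custodian != holder:
        item.custody.append(CustodyEntry(
            when, "verification_failed", holder, from_custodian,
            "transfer attempted by someone who is not the recorded holder"))
        return False
    if sha256_hex(data) != item.sha256:
        item.custody.append(CustodyEntry(
            when, "verification_failed", holder, note="hash mismatch at hand-off"))
        return False
    item.custody.append(CustodyEntry(when, "transferred", to_custodian, from_custodian))
    return True


def verify(item, data):
    """True if the bytes held now are exactly what was collected."""
    return len(data) == item.size and sha256_hex(data) == item.sha256


def custody_is_continuous(item):
    """Every transfer must come from the recorded holder; any gap fails."""
    if not item.custody or item.custody[0].action != "collected":
        return False
    holder = item.custody[0].custodian
    for entry in item.custody[1:]:
        if entry.action == "transferred":
            if entry.previous != holder:
                return False
            holder = entry.custodian
        elif entry.custodian != holder:
            return False
    return True


def manifest(items):
    """Canonical JSON of all items plus a digest that seals the manifest itself."""
    body = json.dumps([asdict(i) for i in items], sort_keys=True, separators=(",", ":"))
    return body, sha256_hex(body.encode())


# Constructed sample evidence: one line excerpted from a perimeter firewall log.
SAMPLE_LOG = b"2021-03-01T02:14:07Z DENY TCP 203.0.113.7:51234 -> 10.0.5.12:445\n"


def demo():
    item = collect("EV-0001", "perimeter firewall log excerpt", SAMPLE_LOG,
                   "analyst.a", "2021-03-01T03:00:00+00:00")
    ok_handoff = transfer(item, SAMPLE_LOG, "analyst.a", "evidence.custodian",
                          "2021-03-01T09:00:00+00:00")
    # analyst.a no longer holds the item, so this hand-off is refused
    bad_holder = transfer(item, SAMPLE_LOG, "analyst.a", "law.enforcement",
                          "2021-03-02T10:00:00+00:00")
    # the bytes were altered, so this hand-off is refused as well
    bad_bytes = transfer(item, SAMPLE_LOG + b"x", "evidence.custodian",
                         "law.enforcement", "2021-03-02T10:05:00+00:00")
    return item, ok_handoff, bad_holder, bad_bytes


if __name__ == "__main__":
    item, *_ = demo()
    body, digest = manifest([item])
    print(body)
    print("manifest digest:", digest)
```

The refusals are deliberately written to the log rather than silently dropped: a later reviewer or prosecutor wants to see that an out-of-sequence hand-off or an altered copy was attempted and rejected, not a clean-looking record with the event missing. Sealing the manifest with its own digest lets the bank hand law enforcement one value to compare against.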
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.6.1 Identify Program Scope, Goals, and Objectives
The first step in developing a CSAT program is to determine the
program's scope, goals, and objectives. The scope of the CSAT
program should provide training to all types of people who interact
with computer systems. The scope of the program can be an entire
organization or a subunit. Since users need training that relates
directly to their use of particular systems, a large
organization-wide program may need to be supplemented by more specific programs.
In addition, the organization should specifically address whether
the program applies to employees only or also to other users of
organizational systems.
Generally, the overall goal of a CSAT program is to sustain an
appropriate level of protection for computer resources by increasing
employee awareness of their computer security responsibilities and
the ways to fulfill them. More specific goals may need to be
established. Objectives should be defined to meet the organization's
specific goals.
The Computer Security Act of 1987 requires federal agencies to
"provide for the mandatory periodic training in computer security
awareness and accepted computer practices of all employees who are
involved with the management, use, or operation of each federal
computer system within or under the supervision of that agency." The
scope and goals of federal computer security awareness and training
programs must implement this broad mandate. (Other federal
requirements for computer security training are contained in OMB
Circular A-130, Appendix III, and OPM regulations.)
13.6.2 Identify Training Staff
There are many possible candidates for conducting the training
including internal training departments, computer security staff, or
contract services. Regardless of who is chosen, it is important that
trainers have sufficient knowledge of computer security issues,
principles, and techniques. It is also vital that they know how to
communicate information and ideas effectively.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.