R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

March 12, 2023

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the FFIEC Cybersecurity Assessment Tool requirements for resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Biden’s national cyber strategy wants to redirect responsibility from users to manufacturers - The Biden administration released its long-awaited national cybersecurity strategy, calling on governments, businesses, critical infrastructure and the public to cast aside the status quo and embrace a far more aggressive and collaborative approach to solving collective insecurity in the digital world. https://www.scmagazine.com/analysis/compliance/bidens-national-cyber-strategy-wants-to-redirect-responsibility-from-users-to-manufacturers

Cisco patches critical bugs in multiple series models of its IP Phones - Cisco on Wednesday released updates for two vulnerabilities in the web-based management interface of four series models of its Cisco IP Phones. https://www.scmagazine.com/news/network-security/cisco-patches-critical-bugs-in-multiple-series-models-of-its-ip-phones

BetterHelp to pay FTC $7.8M for privacy failures, unfair practices - BetterHelp must pay the FTC $7.8 million after repeatedly pushing its users into sharing their sensitive health information and violating its own privacy practices. The settlement includes partial refunds for BetterHelp users. https://www.scmagazine.com/news/privacy/betterhelp-pay-ftc-7m-privacy-failures-unfair-practices

EPA issues water cybersecurity mandates, concerning industry and experts - The Environmental Protection Agency's water cybersecurity standards follow the Biden administration's new national cyber strategy. https://cyberscoop.com/epa-water-cyber-regulations/

TSA issues emergency cybersecurity mandates for aviation sector - The Transportation Security Administration used its emergency powers to amend security directives for airport and aircraft operators, citing “persistent cybersecurity threats against U.S. infrastructure, including the aviation sector.” https://www.scmagazine.com/news/critical-infrastructure/tsa-emergency-cybersecurity-mandates-aviation

SSE vs. SASE: What’s the difference? - Many organizations would like to move to converged cloud-security solutions such as secure access service edge (SASE) and security service edge (SSE). Yet according to a recent survey, the adoption rate is low, and the concepts remain unclear to many. https://www.scmagazine.com/resource/cloud-security/sse-vs-sase-whats-the-difference

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Chick-fil-A hack spells indigestion for 71K customers - Risks associated with poor password hygiene are hitting home for 71,000 Chick-fil-A customers who have been notified that their online customer loyalty accounts have been compromised via an automated credential-stuffing attack. https://www.scmagazine.com/news/identity-and-access/chick-fil-a-hack-customers

BidenCash card shop leaks 2 million payment card records - A carding marketplace known as BidenCash leaked over 2 million payment card records on a top-tier dark net forum for free in celebration of its first anniversary. https://www.scmagazine.com/news/cybercrime/bidencash-card-shop-leaks-2-million-payment-card-records

Thousands of Websites Hijacked Using Compromised FTP Credentials - Cloud security startup Wiz warns of a widespread redirection campaign in which thousands of websites targeting East Asian audiences have been compromised using legitimate FTP credentials. https://www.securityweek.com/thousands-of-websites-hijacked-using-compromised-ftp-credentials/

Cyberattack Hits Major Hospital in Spanish City of Barcelona - A ransomware attack on one of Barcelona's main hospitals has crippled the center's computer system and forced the cancellation of non-urgent operations and patient checkups. https://www.securityweek.com/cyberattack-hits-major-hospital-in-spanish-city-of-barcelona/

Two data centers used by major tech firms hacked - Two Asia-based data centers used by major global corporations were targeted in a series of cyberattacks first identified in 2021 and continuing as recently as January 2023. Data exfiltrated over the past three years included the credentials of those managing the data centers and login information used by customers to access cloud services hosted with the two data-center operators. https://www.scmagazine.com/news/cloud-security/datacenters-major-firms-hacked

Dish Network confirms cyberattack - Dish Network confirmed it was hit by a massive cyberattack tied to a multiday outage that downed internal billing systems, broke consumer apps and shut down several consumer-facing websites. https://www.scmagazine.com/news/ransomware/dish-network-confirms-cyberattack

Info stealer targets Facebook business accounts to land sensitive data - Malicious hackers have been using an advanced information stealer to target Facebook business accounts by using Google ads and fake Facebook profiles that promote games, adult content, and cracked software to lure victims into downloading malicious files. https://www.scmagazine.com/news/cybercrime/info-stealer-facebook-business-accounts


WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 5 of 6)
    
    Consumer Education
    

    The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.
    
    In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. Also in 2006, the FDIC sponsored a symposia series entitled Building Confidence in an E-Commerce World. Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.
    
    In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim, to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.



FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
   
   
Risk Mitigation
   
   
Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:
   
   1)  Establishing a minimum set of security requirements for wireless networks and applications;
   
   2)  Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
   
   3)  Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
   
   4)  Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
   
   5)  Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
   
   6)  Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
   
   7)  Performing independent security testing of wireless network and application implementations.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 2 - ELEMENTS OF COMPUTER SECURITY
  
  2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit.
  
  The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit. The assignment of responsibilities may be internal to an organization or may extend across organizational boundaries.
  
  Depending on the size of the organization, the program may be large or small, even a collateral duty of another management official. However, even small organizations can prepare a document that states organization policy and makes explicit computer security responsibilities. This element does not specify that individual accountability must be provided for on all systems. For example, many information dissemination systems do not require user identification and, therefore, cannot hold users accountable.
  
  2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations.
  
  If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure. (This does not imply that all systems must meet any minimum level of security, but does imply that system owners should inform their clients or users about the nature of the security.)
  
  In addition to sharing information about security, organization managers "should act in a timely, coordinated manner to prevent and to respond to breaches of security" to help prevent damage to others. However, taking such action should not jeopardize the security of systems.
  
  2.6 Computer Security Requires a Comprehensive and Integrated Approach.
  

  Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security field. This comprehensive approach extends throughout the entire information life cycle.
  
  2.6.1 Interdependencies of Security Controls
  

  To work effectively, security controls often depend upon the proper functioning of other controls. In fact, many such interdependencies exist. If appropriately chosen, managerial, operational, and technical controls can work together synergistically. On the other hand, without a firm understanding of the interdependencies of security controls, they can actually undermine one another. For example, without proper training on how and when to use a virus-detection package, the user may apply the package incorrectly and, therefore, ineffectively. As a result, the user may mistakenly believe that their system will always be virus-free and may inadvertently spread a virus. In reality, these interdependencies are usually more complicated and difficult to ascertain.
  
  2.6.2 Other Interdependencies
  
  The effectiveness of security controls also depends on such factors as system management, legal issues, quality assurance, and internal and management controls. Computer security needs to work with traditional security disciplines including physical and personnel security. Many other important interdependencies exist that are often unique to the organization or system environment. Managers should recognize how computer security relates to other areas of systems and organizational management.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.