March 14, 2021
Please stay safe - We will recover.
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - NSA, CISA issue guidance on
Protective DNS services - The National Security Agency (NSA) and
Cybersecurity and Infrastructure Security Agency (CISA) released a joint
information sheet Thursday that offers guidance on the benefits of
using a Protective Domain Name System (PDNS).
https://www.scmagazine.com/home/security-news/government-and-defense/nsa-cisa-issue-guidance-on-protective-dns-services/
CISA orders US agencies to address Microsoft flaws exploited by
suspected Chinese hackers - The Department of Homeland Security’s
cybersecurity division on Wednesday ordered federal civilian
agencies to address flaws in a popular email software program at the
center of a suspected Chinese spying campaign.
https://www.cyberscoop.com/dhs-microsoft-exchange-flaws-patch-china/
MITRE Unveils Ransomware Resource for Hospitals, Healthcare
Providers - A new ransomware resource center from MITRE is designed
to help hospitals and other healthcare providers develop and
maintain resilient security processes and policies.
https://healthitsecurity.com/news/mitre-unveils-ransomware-resource-for-hospitals-healthcare-providers
Government briefed on breach of at least 30,000 Microsoft Exchange
Servers - Cybersecurity experts briefed government investigators
that at least 30,000 Microsoft Exchange Servers have been breached
using a chain of vulnerabilities Microsoft patched on Tuesday.
https://www.scmagazine.com/home/security-news/data-breach/government-briefed-on-breach-of-at-least-30000-microsoft-exchange-servers/
When lawyers get hacked: How law firms grapple with risk tied to
supply chain breaches - Large data breaches are typically boom times
for the lawyers, called upon to control the bleeding and manage the
fallout.
https://www.scmagazine.com/home/security-news/data-breach/when-lawyers-get-hacked-how-law-firms-grapple-with-risk-tied-to-supply-chain-breaches/
Public companies may not grasp responsibility to investors in
sharing info on cyber risk - Publicly traded companies must start
disclosing more “actionable” information to shareholders and
regulators around their cyber risks and vulnerabilities.
https://www.scmagazine.com/home/security-news/data-breach/public-companies-may-not-grasp-responsibility-to-investors-in-sharing-info-on-cyber-risk/
For the second time in less than a year, F5 announces critical
vulnerabilities in networking devices - F5 announced March 10 seven
vulnerabilities tied to its BIG-IP and BIG-IQ network devices, the
company's second significant security disclosure in less than a year.
https://www.scmagazine.com/home/security-news/vulnerabilities/for-the-second-time-in-less-than-a-year-f5-announces-critical-vulnerabilities-in-networking-devices/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - CompuCom MSP hit by DarkSide
ransomware cyberattack - US managed service provider CompuCom has
suffered a DarkSide ransomware attack leading to service outages and
customers disconnecting from the MSP's network to prevent the spread
of malware.
https://www.bleepingcomputer.com/news/security/compucom-msp-hit-by-darkside-ransomware-cyberattack/
As Hafnium timeline crystalizes, signs of new Microsoft Exchange
Server attacks emerge - A surge of breaches against Microsoft
Exchange Server appear to have rolled out in phases, with signs also
pointing to other hackers using the same vulnerabilities after
Microsoft announced a patch.
https://www.scmagazine.com/home/security-news/data-breach/as-hafnium-timeline-crystalizes-signs-of-new-microsoft-exchange-server-attacks-emerge/
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims - A
single group appears to have infiltrated tens of thousands of
Microsoft Exchange servers in an ongoing onslaught.
https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/
Airlines warn passengers of data breach after aviation tech supplier
is hit by cyberattack - Sita, which provides IT services to 90%
of the world's airlines, warns of "data security incident" after
falling victim to a "highly sophisticated attack."
https://www.zdnet.com/article/airlines-warn-passengers-of-data-breach-after-aviation-tech-supplier-is-hit-by-cyberattack/
University of the Highlands and Islands shuts down campuses as it
deals with 'ongoing cyber incident' - The University of the
Highlands and Islands (UHI) in Scotland is fending off "an ongoing
cyber incident" that has shut down its campuses.
https://www.theregister.com/2021/03/08/uni_highlands_islands_cyber_incident/
Flagstar Bank hit by data breach exposing customer, employee data -
US bank and mortgage lender Flagstar has disclosed a data breach
after the Clop ransomware gang hacked its Accellion file transfer
server in January.
https://www.bleepingcomputer.com/news/security/flagstar-bank-hit-by-data-breach-exposing-customer-employee-data/
FBI Probing 2 Hospital Ransomware Attacks; Hackers Remove Health
Data - Previously leaked data from New Mexico’s Rehoboth McKinley
Christian Health Care has been removed from the dark web, while the
FBI is investigating the incident and another in North Carolina.
https://healthitsecurity.com/news/fbi-probing-2-hospital-ransomware-attacks-hackers-remove-health-data
Camera tricks: Privacy concerns raised after massive surveillance
cam breach - A hacking collective compromised roughly 150,000
internet-connected surveillance cameras from Verkada, Inc., granting
them access to live and archived video feeds across multiple
organizations, including manufacturing facilities, hospitals,
schools, police departments and prisons.
https://www.scmagazine.com/home/security-news/iot/camera-tricks-privacy-concerns-raised-after-massive-surveillance-cam-breach/
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products
that are subject to the Fair Housing Act must display the Equal
Housing Lender logotype and legend or other permissible disclosure
of its nondiscrimination policy if required by rules of the
institution's regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Suspicious Activity Reporting.
National banks are required to report intrusions and other
computer crimes to the OCC and law enforcement by filing a
Suspicious Activity Report (SAR) form and submitting it to the
Financial Crimes Enforcement Network (FinCEN), in accordance with 12
CFR 21.11. This reporting obligation exists regardless of whether
the institution has reported the intrusion to the
information-sharing organizations discussed below. For purposes of
the regulation and the SAR form instructions, an "intrusion" is
defined as gaining access to the computer system of a financial
institution to remove, steal, procure or otherwise affect
information or funds of the institution or customers. It also
includes actions that damage, disable, or otherwise affect critical
systems of the institution. For example, distributed denial of
service (DDoS) attacks should be reported on a SAR because
they may temporarily disable critical systems of financial
institutions.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 - AWARENESS,
TRAINING, AND EDUCATION
13.6.3 Identify Target Audiences
Not everyone needs the same degree or type of computer security
information to do their jobs. A CSAT program that distinguishes
between groups of people, presents only the information needed by
the particular audience, and omits irrelevant information will have
the best results. Segmenting audiences (e.g., by their function or
familiarity with the system) can also improve the effectiveness of a
CSAT program. For larger organizations, some individuals will fit
into more than one group. For smaller organizations, segmenting may
not be needed. The following methods are some examples of ways to do
this.
Segment according to level of awareness. Individuals may be
separated into groups according to their current level of awareness.
This may require research to determine how well employees follow
computer security procedures or understand how computer security
fits into their jobs.
Segment according to general job task or function. Individuals may
be grouped as data providers, data processors, or data users.
Segment according to specific job category. Many
organizations assign individuals to job categories. Since each job
category generally has different job responsibilities, training for
each will be different. Examples of job categories could be general
management, technology management, applications development, or
security.
Segment according to level of computer knowledge. Computer
experts may be expected to find a program containing highly
technical information more valuable than one covering the management
issues in computer security. Similarly, a computer novice would
benefit more from a training program that presents introductory
fundamentals.
Segment according to types of technology or systems used.
Security techniques used for each off-the-shelf product or
application system will usually vary. The users of major
applications will normally require training specific to that
application.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.