March 21, 2021
Please stay safe - We will recover.
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which provides compliance with the
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing
virtual/remote FFIEC IT audits for banks and credit unions.
I am a former bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - The UK Is Secretly Testing a
Controversial Web Snooping Tool - The country passed its
Investigatory Powers Act in 2016. Now, it's building what could be
the most powerful data collection system used by any democratic
nation.
https://www.wired.com/story/uk-secretly-testing-controversial-web-snooping-tool/
‘Accountability framework’ proposed to promote secure health care
practices - In a newly published strategic analysis report, the
CyberPeace Institute this week conveyed the exacting toll that
cyberattacks are taking on the health care industry, especially the
human impact on health care staffers, patients and society.
https://www.scmagazine.com/featured/accountability-framework-proposed-to-promote-secure-health-care-practices/
Microsoft Exchange server hack: Banking agency on 'heightened alert'
after cyberattack - European Union financial body says it believes
no personal data was accessed in zero-day attack - but additional
security precautions are being taken.
https://www.zdnet.com/article/microsoft-exchange-server-hack-european-banking-authority-on-heightened-alert-after-being-hit-by-cyber-attackers/
As legislators work toward law requiring companies to alert feds to
breaches, key hurdles emerge - After two major hearings on
Solarigate, one domestic policy proposal grabbed the spotlight:
requiring organizations to alert the government to major cyber
incidents in the interest of national security.
https://www.scmagazine.com/home/security-news/data-breach/as-legislators-work-toward-law-requiring-companies-to-alert-feds-to-breaches-key-hurdles-emerge/
School district IT leaders grade their handling of past malware
attacks - The school districts of Rockford, Illinois and Rockingham
County, North Carolina learned some very valuable lessons in
transparency and communication, timely incident response, access
management, data redundancy and disaster recovery after each
experienced a debilitating malware attack years ago.
https://www.scmagazine.com/disaster-recovery/school-district-it-leaders-grade-their-handling-of-past-malware-attacks/
White House forms public-private task force to tackle Microsoft
Exchange hack - A task force composed of representatives from
federal agencies and the private sector convened last week to
discuss a “whole of government” response to the Microsoft Exchange
hack, White House Press Secretary Jen Psaki said in a statement
today.
https://www.scmagazine.com/home/security-news/vulnerabilities/white-house-forms-public-private-task-force-to-tackle-microsoft-exchange-hack/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Trouble is brewing: Cyber
incident takes down Molson Coors operations - Molson Coors reported
a systems outage caused by a cybersecurity incident that delayed and
may continue to disrupt parts of the company’s business, including
its brewery operations, production and shipments.
https://www.scmagazine.com/home/security-news/trouble-is-brewing-as-cyber-incident-takes-down-molson-coors-operations/
Camera tricks: Privacy concerns raised after massive surveillance
cam breach - A hacking collective compromised roughly 150,000
internet-connected surveillance cameras from Verkada, Inc., granting
them access to live and archived video feeds across multiple
organizations, including manufacturing facilities, hospitals,
schools, police departments and prisons.
https://www.scmagazine.com/home/security-news/iot/camera-tricks-privacy-concerns-raised-after-massive-surveillance-cam-breach/
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails,
Hospitals - A group of hackers say they breached a massive trove of
security-camera data collected by Silicon Valley startup Verkada
Inc., gaining access to live feeds of 150,000 surveillance cameras
inside hospitals, companies, police departments, prisons and
schools.
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
OVHcloud data centers engulfed in flames - Customers are being urged
to launch their own disaster recovery plans. On March 10, OVHcloud
founder and chairman Octave Klaba started a Twitter thread updating
customers on the situation, which has claimed at least one data
center.
https://www.zdnet.com/article/ovhcloud-data-centers-engulfed-in-flames/
Buffalo Public Schools cancels classes after cyberattack -
Ransomware attackers appear to have taken a swipe at Buffalo Public
Schools in recent days, screeching the school system’s plans for
remote classes and in-person learning to a halt on Friday.
https://www.cyberscoop.com/buffalo-public-schools-canceled-cyberattack-ransomware/
WEB SITE COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit
investment products on-line should ensure that consumers are
informed of the risks associated with non-deposit investment
products as discussed in the "Interagency Statement on Retail Sales
of Non Deposit Investment Products." On-line systems should comply
with this Interagency Statement, minimizing the possibility of
customer confusion and preventing any inaccurate or misleading
impression about the nature of the non-deposit investment product or
its lack of FDIC insurance.
FFIEC IT SECURITY - We
continue our review of the OCC Bulletin about Infrastructure Threats
and Intrusion Risks. This week we review Testing.
Management should ensure that information system networks are
tested regularly. The nature, extent, and frequency of tests should
be proportionate to the risks of intrusions from external and
internal sources. Management should select qualified and reputable
individuals to perform the tests and ensure that tests do not
inadvertently damage information systems or reveal confidential
information to unauthorized individuals. Management should oversee
the tests, review test results, and respond to deficiencies in a
timely manner. In accordance with OCC's "Technology Risk Management:
PC Banking," management should ensure that an objective, qualified
source conducts a penetration test of Internet banking systems at
least once a year or more frequently when appropriate.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11 Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
telecommunication lines.
Wireless differs from traditional hard-wired networking in that
it provides connectivity to the network by broadcasting radio
signals through the airways. Wireless networks operate using a set
of FCC licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available
is based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is
intended to provide confidentiality and integrity of data and a
degree of access control over the network. By design, WEP encrypts
traffic between an access point and the client. However, this
encryption method has fundamental weaknesses that make it
vulnerable. WEP is vulnerable to the following types of decryption
attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based
on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session.
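The practical response to the weaknesses listed above is to find every access point still configured for WEP (or no encryption) and to understand why even a modest day's traffic is enough for the dictionary-building attack. The following script is an added example, not code from the newsletter or from the FDIC guidance: it audits a constructed CSV access-point inventory (the column names `ssid`, `bssid`, `security` are assumptions for this example) and computes the birthday-bound probability of an initialization-vector (IV) repeat. It relies on one fact not stated on the page: WEP uses a 24-bit IV, so the keystream space is tiny and IV reuse (which is what lets an attacker build a translation table without ever recovering the key) is unavoidable on a busy network.

```python
"""Added example (not from the newsletter or the FDIC guidance): flag WEP/open
access points in an inventory, and quantify how quickly WEP's 24-bit IV
(a known WEP design fact, not stated on the page) leads to keystream reuse."""
import math
import re

# Constructed sample inventory, one line per access point.  The CSV layout
# and column names are assumptions for this example, not a real tool's export.
SAMPLE_INVENTORY = """\
ssid,bssid,security
BRANCH-STAFF,00:11:22:33:44:01,WPA2-PSK
BRANCH-LEGACY,00:11:22:33:44:02,WEP-104
TELLER-SCANNER,00:11:22:33:44:03,WEP
LOBBY-GUEST,00:11:22:33:44:04,OPEN
BRANCH-CORE,00:11:22:33:44:05,WPA3-SAE
"""

# Security settings that fail the audit: any WEP variant, or no encryption.
WEAK_PATTERN = re.compile(r"^(wep|open|none)", re.IGNORECASE)


def parse_inventory(text):
    """Parse the header-led CSV text into a list of dicts (one per AP)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split(",")]
        rows.append(dict(zip(header, fields)))
    return rows


def find_weak_aps(text):
    """Return (ssid, bssid, security, reason) for every AP whose security
    setting is WEP or no encryption at all."""
    findings = []
    for ap in parse_inventory(text):
        sec = ap.get("security", "")
        if WEAK_PATTERN.match(sec):
            if sec.upper() in ("OPEN", "NONE"):
                reason = "no encryption"
            else:
                reason = "WEP is broken; migrate to WPA2/WPA3"
            findings.append((ap["ssid"], ap["bssid"], sec, reason))
    return findings


WEP_IV_BITS = 24  # WEP prepends a 24-bit IV to the key for every frame


def iv_repeat_probability(frames, iv_bits=WEP_IV_BITS):
    """Probability that at least two of `frames` frames share an IV when IVs
    are chosen uniformly at random (standard birthday-bound approximation)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_repeat_probability(p, iv_bits=WEP_IV_BITS):
    """Smallest frame count n such that iv_repeat_probability(n) >= p.
    The probability is monotonic in n, so a binary search is exact."""
    lo, hi = 1, 2 ** iv_bits
    while lo < hi:
        mid = (lo + hi) // 2
        if iv_repeat_probability(mid, iv_bits) >= p:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for ssid, bssid, sec, reason in find_weak_aps(SAMPLE_INVENTORY):
        print(f"{ssid:15} {bssid} {sec:8} -> {reason}")
    n = frames_for_repeat_probability(0.5)
    print(f"50% chance of an IV repeat after {n} random-IV frames; "
          f"a sequential IV counter wraps after {2 ** WEP_IV_BITS} frames")
```

The audit half is what an examiner would actually ask for: a list of SSIDs and BSSIDs that still run WEP or no encryption, each with a remediation reason. The arithmetic half explains the "about a day's worth of traffic" figure in item 4: with random IVs a repeat is more likely than not after only a few thousand frames, and with the sequential counters many cards used, the whole IV space wraps after roughly 16.8 million frames, which a busy access point produces in hours.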
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.