March 28, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Mitigate insider threats by focusing on people, process and technology - The pandemic has challenged CISOs worldwide to adapt their security strategies, often years early, to create a safe work-from-home environment. But this shift has caused a growing risk: the insider threat.
https://www.scmagazine.com/perspectives/mitigate-insider-threats-by-focusing-on-people-process-and-technology/
FBI: Cybercrime skyrocketed in 2020, with email compromise scams accounting for 43% of losses - The FBI's Internet Crime Complaint Center (IC3) released its annual report Wednesday, showing a sharp increase in cybercrime, both in quantity and cost, in 2020.
https://www.scmagazine.com/home/security-news/cybercrime/fbi-cybercrime-skyrocketed-in-2020-with-email-compromise-scams-accounting-for-43-of-losses/
Connecticut to consolidate IT into single agency - Connecticut Gov. Ned Lamont announced Wednesday that the state government will begin consolidating its federated IT operations into a single organization in an effort to improve agencies' performance, upgrade technology assets more efficiently and strengthen cybersecurity.
https://statescoop.com/connecticut-consolidates-technology/
Securing the Super Bowl: Lessons in network lockdown during mega events - Buccaneers vs. Chiefs. Tom Brady vs. Patrick Mahomes. Super Bowl LV featured an enticing matchup between two powerhouse teams and two star quarterbacks. But amidst this exciting sports action, there was a game within a game, a match-up with a lot more riding on the line than a trophy: hackers vs. network defenders.
https://www.scmagazine.com/home/security-news/network-security/securing-the-super-bowl-lessons-in-network-lockdown-during-mega-events/
The Cybersecurity Risks of Smart City Technologies - What Do The Experts Think? University of California, Berkeley
https://cltc.berkeley.edu/wp-content/uploads/2021/03/Smart_City_Cybersecurity.pdf
What 2020 taught us about the need for deception technology - With almost the entire world's focus on the pandemic this past year, hackers had it easy. Unlike in previous years, they didn't really have to create unique malware variants; COVID-19 handed the bad guys options on a platter.
https://www.scmagazine.com/perspectives/what-2020-taught-us-about-the-need-for-counterintelligence/
'The race is on': CISA raises alarm bells about ransomware attacks against Microsoft Exchange servers - The acting executive director of the Cybersecurity and Infrastructure Security Agency issued both a warning and a hopeful message Monday to organizations struggling with the scourge of ransomware.
https://www.scmagazine.com/home/security-news/ransomware/the-race-is-on-cisa-raises-alarm-bells-about-ransomware-attacks-against-microsoft-exchange-servers/
Managing the great return: What CISOs should consider when reopening the office - With the COVID-19 vaccine rollout, employees may soon accomplish what was for a year impossible for many: returning to the office. That return will often include laptops that have been off-network for a year, translating to 365 days of pent-up alerts ready to flood security teams all at once.
https://www.scmagazine.com/home/security-news/network-security/managing-the-great-return-what-cisos-should-consider-when-reopening-the-office/
Avoid these seven sins to stay out of data privacy hell - Data privacy management can feel like an eternal challenge that requires rolling a boulder up a hill only to see it roll back down again. Just when business processes are under control, a new data system or regulation causes complications.
https://www.scmagazine.com/perspectives/avoid-these-seven-sins-to-stay-out-of-data-privacy-hell/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer - Security researchers responded Monday to news of the REvil ransomware attack on computer and electronics manufacturer Acer late last week, mostly expressing shock over the $50 million price tag and advising the computer maker not to pay.
https://www.scmagazine.com/home/security-news/ransomware/microsoft-exchange-exploit-a-possible-factor-in-50m-ransomware-attack-on-acer/
Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10 - As if the mass exploitation of Exchange servers wasn't enough, now there's BIG-IP. In a development security pros feared, attackers are actively targeting yet another set of critical server vulnerabilities that leave corporations and governments open to serious network intrusions.
https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
Energy giant Shell discloses data breach after Accellion hack - Energy giant Shell has disclosed a data breach after attackers compromised the company's secure file-sharing system powered by Accellion's File Transfer Appliance (FTA).
https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/
9,000 employees targeted in phishing attack against California agency - A California state agency was victimized by a phishing incident last week in which an employee clicked on a link that provided access to the employee's account for some 24 hours.
https://www.scmagazine.com/home/security-news/phishing/9000-employees-targeted-in-phishing-attack-against-california-agency/
WEB SITE COMPLIANCE - Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.
FFIEC IT SECURITY -
This completes our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.
The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center Infraguard outreach effort. Since Infraguard supports law enforcement efforts, Infraguard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information, and is distributed to other Infraguard members. Banks can contact the FBI by contacting local FBI field offices or via e-mail at nipc@fbi.gov.
CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or e-mail at cert@cert.org.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.6.5 Administer the Program
There are several important considerations for administering the CSAT program.
Visibility. The visibility of a CSAT program plays a key role in its success. Efforts to achieve high visibility should begin during the early stages of CSAT program development. However, care should be given not to promise what cannot be delivered.
Training Methods. The methods used in the CSAT program should be consistent with the material presented and tailored to the audience's needs. Some training and awareness methods and techniques are listed above (in the Techniques sections). Computer security awareness and training can be added to existing courses and presentations or taught separately. On-the-job training should also be considered.
Training Topics. There are more topics in computer security than can be taught in any one course. Topics should be selected based on the audience's requirements.
Training Materials. In general, higher-quality training materials are more favorably received and are more expensive. Costs, however, can be minimized since training materials can often be obtained from other organizations. The cost of modifying materials is normally less than developing training materials from scratch.
Training Presentation. Consideration should be given to the frequency of training (e.g., annually or as needed), the length of training presentations (e.g., twenty minutes for general presentations, one hour for updates or one week for an off-site class), and the style of training presentation (e.g., formal presentation, informal discussion, computer-based training, humorous).
The Federal Information Systems Security Educators' Association and NIST Computer Security Program Managers' Forum provide two means for federal government computer security program managers and training officers to share training ideas and materials.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.