April 4, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration test also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience
testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner with
40 years of IT auditing experience. Please contact R. Kinney Williams
at examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - This company was hit by
ransomware. Here's what they did next, and why they didn't pay up -
"When it hit, we ran to our server room and data centre and started
pulling plugs out." How one company was hit by ransomware, but
refused to pay up.
https://www.zdnet.com/article/this-company-was-hit-with-ransomware-heres-what-they-did-next-and-why-they-didnt-pay-up/
New certificate program teaches cloud auditing in a multi-tenant
architecture - If you think you can audit your cloud-based IT
infrastructure the exact same way that you assess security and
privacy on a traditional on-premises network, you may be due for a
reality check.
https://www.scmagazine.com/home/security-news/cloud-security/new-certificate-program-teaches-cloud-auditing-in-a-multi-tenant-architecture/
For remote workforces, don’t overlook printer security - As IT gets
more decentralized because of the work-from-home culture caused by
the pandemic, securing connected devices has become critical as
organizations continue their cloud transformation journeys.
https://www.scmagazine.com/perspectives/for-remote-workforces-dont-overlook-printer-security/
Healthcare haunted by account security - The healthcare sector’s
information security could use a check-up. According to a new study
by Varonis that tracked 3 billion files across 58 health care firms,
one in five files was visible to all employees – including one in
eight containing sensitive information.
https://www.scmagazine.com/home/security-news/privacy-compliance/report-healthcare-haunted-by-account-security/
In wake of giant software hacks, application security tactics due
for an overhaul - Collectively racking up a victim count in the tens
of thousands, high-profile attacks targeting users of SolarWinds
Orion and Microsoft Exchange serve as a harsh reminder that threats
to software security remain one of the biggest issues facing the
security landscape today.
https://www.scmagazine.com/application-security/in-wake-of-giant-software-hacks-application-security-tactics-due-for-an-overhaul/
A strong year ahead for recruiting cyber professionals -
Cybersecurity recruitment in 2021 has never been more exciting. If
we go back to the start of the pandemic, it was well-documented that
organizations went into “survival mode” when the pandemic started to
hit. Thousands of live positions were put on hold and there were
some cases of candidates having had offers retracted by certain
companies.
https://www.scmagazine.com/perspectives/a-strong-year-ahead-for-recruiting-cyber-professionals/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Policyholders may be the primary
target in hack of cyber insurance provider CNA - Insurance firm CNA
Financial, a prominent provider of cyber insurance, confirmed a
cyberattack against its systems, which has some concerned that
cybercriminals may target policyholders.
https://www.scmagazine.com/home/security-news/ransomware/policyholders-may-be-the-primary-target-in-hack-of-cyber-insurance-provider-cna/
Alert: Further targeted ransomware attacks on the UK education
sector by cyber criminals - The NCSC is responding to further
targeted ransomware attacks on the education sector by cyber
criminals.
https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
Ransomware Attack Foils IoT Giant Sierra Wireless - A ransomware
attack on leading internet-of-things (IoT) manufacturer Sierra
Wireless this week ground its production activity to a halt and
froze various other internal operations.
https://threatpost.com/ransomware-iot-sierra-wireless/165003/
Spanish labor agency suffers ransomware attack, union says - A
ransomware attack has affected IT systems at a Spanish government
agency that manages unemployment benefits, disrupting “hundreds of
thousands” of appointments at the agency, a Spanish labor union said
Tuesday.
https://www.cyberscoop.com/spain-ransomware-employment-agency-sepe/
Ransomware gang leaks data stolen from Colorado, Miami universities
- Grades and social security numbers for students at the University
of Colorado and University of Miami patient data have been posted
online by the Clop ransomware group.
https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/
Top insurer CNA disconnects systems after cyberattack - CNA, one of
the U.S.’s top providers of cybersecurity insurance, is struggling
with a cyberattack that prompted it to disconnect its systems from
its network.
https://www.cyberscoop.com/cna-cyber-insurance-breach/
Phish Leads to Breach at Calif. State Controller - A phishing attack
last week gave attackers access to email and files at the California
State Controller’s Office (SCO), an agency responsible for handling
more than $100 billion in public funds each year.
https://krebsonsecurity.com/2021/03/phish-leads-to-breach-at-calif-state-controller/
After oil giant Shell hit by Clop ransomware gang, workers' visas
dumped online as part of extortion attempt - Another day, another
data nightmare - Royal Dutch Shell is the latest corporation to be
attacked by the Clop ransomware gang.
https://www.theregister.com/2021/03/29/shell_clop_ransomware_leaks_update/
Ransomware gang leaks data from US military contractor the PDI Group
- A major supplier of military equipment to the US Air Force and
militaries across the globe appears to have fallen victim to a
ransomware attack.
https://therecord.media/ransomware-gang-leaks-data-from-us-military-contractor-the-pdi-group/
Park Hill schools told to pay ransom in malware attack. Here’s what
they did instead - Park Hill officials confirmed Tuesday that a
ransomware attack was the cause of the major system outage that
forced the school district to cancel classes early last week.
https://www.kansascity.com/news/local/education/article250321501.html
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
FFIEC IT SECURITY -
We begin our series on the FFIEC interagency Information Security
Booklet. This booklet is required reading for anyone involved in
information systems security, such as the Network Administrator,
Information Security Officer, members of the IS Steering Committee,
and, most importantly, your outsourced network security consultants.
Your outsourced network security consultants can receive the
"Internet Banking News" by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for the
e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses
the processes, policies, and controls used to ensure authorized
users have prompt access to information. This objective protects
against intentional or accidental attempts to deny legitimate users
access to information and/or systems.
2) Integrity of Data or Systems - System and data integrity
relate to the processes, policies, and controls used to ensure
information has not been altered in an unauthorized manner and that
systems are free from unauthorized manipulation that will compromise
accuracy, completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers
the processes, policies, and controls employed to protect
information of customers and the institution against unauthorized
access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
undesired actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.6.6 Maintain the Program
Computer technology is an ever-changing field. Efforts should be
made to keep abreast of changes in computer technology and security
requirements. A training program that meets an organization's needs
today may become ineffective when the organization starts to use a
new application or changes its environment, such as by connecting to
the Internet. Likewise, an awareness program can become obsolete if
laws or organization policies change. For example, the awareness
program should make employees aware of a new policy on e-mail usage.
Employees may discount the CSAT program, and by association the
importance of computer security, if the program does not provide
current information.
13.6.7 Evaluate the Program
It is often difficult to measure the effectiveness of an awareness
or training program. Nevertheless, an evaluation should attempt to
ascertain how much information is retained, to what extent computer
security procedures are being followed, and general attitudes toward
computer security. The results of such an evaluation should help
identify and correct problems. Some evaluation methods (which can be
used in conjunction with one another) are:
1) Use student evaluations.
2) Observe how well employees follow recommended security
procedures.
3) Test employees on material covered.
4) Monitor the number and kind of computer security incidents
reported before and after the program is implemented.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.