April 11, 2021
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Just like cyber became a C-suite
issue, it’s also now your governor’s concern - It took a while to
catch on, but organizations are starting to understand that
cybersecurity is not just an IT problem but a C-level issue that
concerns an organization’s leading executives and decision-makers.
In the corporate world, this certainly includes the CEO – and in the
public sector, the state-level equivalent of the CEO is the
governor’s office.
https://www.scmagazine.com/featured/just-like-cyber-became-a-c-suite-issue-its-also-now-your-governors-concern/
CISA encourages everyone to follow updated guidance for Microsoft
Exchange fixes - The Cybersecurity and Infrastructure Security
Agency (CISA) on Wednesday issued a supplemental direction to
Emergency Directive (ED) 21-02, which lays out hardening, forensic
triage and reporting requirements designed to mitigate
vulnerabilities found in the wake of the massive Microsoft Exchange
vulnerability hacks that have affected tens of thousands of
organizations.
https://www.scmagazine.com/home/security-news/vulnerabilities/cisa-encourages-everyone-to-follow-updated-guidance-for-microsoft-exchange-fixes/
Health care organizations funnel dollars into security as pandemic,
medical developments drive surge in attacks - The COVID-19 pandemic
highlighted serious vulnerabilities in the handling and processing
of healthcare data, according to a report conducted by CRA Business
Intelligence and underwritten by Infoblox. The full report can be
found here.
https://www.scmagazine.com/home/cra-business-intelligence/health-care-organizations-funnel-dollars-into-security-as-pandemic-medical-developments-drive-surge-in-attacks/
Exchange Server attacks: Run this Microsoft malware scanner now,
CISA tells government agencies - US federal agencies need to
immediately begin more clean-up work on potentially compromised
Exchange servers. The Cybersecurity and Infrastructure Security
Agency (CISA) has instructed US government agencies with on-premise
Exchange systems to run Microsoft malware scanners and report
results by April 5.
https://www.zdnet.com/article/exchange-server-attacks-run-this-microsoft-malware-scanner-now-cisa-tells-government-agencies/
Kansas man indicted in connection with 2019 hack at water utility -
A water tower in Ellsworth, Kansas. A local man has been indicted
for hacking the county's water utility. A U.S. grand jury has
indicted a 22-year-old man for allegedly hacking the computer system
of a rural water utility in Kansas and shutting down processes that
affect procedures for cleaning and disinfecting water.
https://www.cyberscoop.com/kansas-ellsworth-water-district-hack-travnichek/
Encryption debate could have enterprise security implications -
United Kingdom Home Secretary Priti Patel is set to tell a
conference of child protection activists that end-to-end encryption
puts children at risk, according to a draft invitation seen by Wired
UK.
https://www.scmagazine.com/home/security-news/encryption-data-security/encryption-debate-could-have-enterprise-security-implications/
Four in 10 temporary BYOD policies will become permanent - During
coronavirus lockdown, many organizations hurriedly created temporary
bring your own device or bring your own PC policies. The annual
Verizon Mobile Security Report found that around four in 10 will
remain permanent, even after employees return to the office.
https://www.scmagazine.com/home/security-news/mobile-security/four-in-ten-temporary-byod-policies-will-become-permanent/
Probing restrictions may stilt Pentagon’s vulnerability disclosure
program for contractors - The Department of Defense is putting the
systems and networks of defense contractors to the test in a new
pilot vulnerability disclosure program, the latest indicator of the
government’s desire to expand upon its previous ventures
crowdsourcing cybersecurity.
https://www.scmagazine.com/home/security-news/vulnerabilities/probing-restrictions-may-stilt-pentagons-vulnerability-disclosure-program-for-contractors/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Ransomware group targets
universities in Maryland, California in new data leaks - Updated:
This follows similar extortion attempts impacting two other US
universities this month. The Clop ransomware group has posted
financial documents and passport information allegedly belonging to
the University of Maryland and the University of California online.
https://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/
APT Charming Kitten Pounces on Medical Researchers - Security
researchers have linked a late-2020 phishing campaign aimed at
stealing credentials from 25 senior professionals at medical
research organizations in the United States and Israel to an
advanced persistent threat group with links to Iran called Charming
Kitten.
https://threatpost.com/charming-kitten-pounces-on-researchers/165129/
Brown U. cuts off data center after detecting 'cybersecurity threat'
- Brown University is taking “aggressive steps” this week to protect
its networks after detecting a cybersecurity threat, the school’s
chief information officer announced in a campus-wide alert on
Tuesday.
https://edscoop.com/brown-u-cuts-off-data-center-after-detecting-cybersecurity-threat/
And that's yet another UK education body under attack from
ransomware: Servers, email, phones yanked offline - The Harris
Federation, a not-for-profit charity responsible for running 50
primary and secondary academies in London and Essex, has become the
latest UK education body to fall victim to ransomware.
https://www.theregister.com/2021/03/30/harris_federation_ransomware/
Conti ransomware gang hits Broward County Schools with $40M demand -
Coral Glades High School, part of Broward County Public Schools. The
$40 million ransomware attack on the district was one of a wave of
cases targeting educational institutions over the last couple of
weeks.
https://www.scmagazine.com/home/security-news/conti-ransomware-gang-hits-broward-county-schools-with-40m-demand/
Breach limited to 3rd-party vendor, but attackers trying to make
exposure seem worse - Cloud security company Qualys said that follow
up investigations have confirmed that the data breach it suffered in
late 2020 and early 2021 was limited to customer data housed on
third-party service provider Accellion’s file transfer system.
https://www.scmagazine.com/home/security-news/data-breach/qualys-breach-limited-to-3rd-party-vendor-but-attackers-trying-to-make-exposure-seem-worse/
Malware attack is preventing car inspections in eight US states - A
malware cyberattack on emissions testing company Applus Technologies
is preventing vehicle inspections in eight states, including
Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and
Wisconsin.
https://www.bleepingcomputer.com/news/security/malware-attack-is-preventing-car-inspections-in-eight-us-states/
Facebook data on 533 million users posted online - Data posted on a
cybercrime forum includes phone numbers, Facebook IDs, birth dates,
gender and location. Data of 533 million Facebook users including
phone numbers, Facebook IDs, full names, birth dates and other
information have been posted online.
https://www.zdnet.com/article/facebook-data-on-533-million-users-posted-online/
Stolen Stanford data leaked after Accellion breach - The list of
higher education institutions that’ve had student and faculty data
stolen and published online after the compromise of a file-transfer
application made by the software company Accellion now includes
Stanford University, following the appearance this week of school
files on a leak site operated by the hacking group believed to be
responsible for the ongoing breach.
https://edscoop.com/now-stanford-has-had-stolen-data-leaked-after-accellion-breach/
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an
ongoing security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to
implement and achieve its security objectives. The process is
designed to identify, measure, manage and control the risks to
system and data availability, integrity, and confidentiality, and
ensure accountability for system actions. The process includes five
areas that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and
operation of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously
gathering and analyzing information regarding new threats and
vulnerabilities, actual attacks on the institution or others,
combined with the effectiveness of the existing security controls.
This information is used to update the risk assessment, strategy,
and controls. Monitoring and updating makes the process continuous
instead of a one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.7 Interdependencies
Training can, and in most cases should, be used to support every
control in the handbook. All controls are more effective if
designers, implementers, and users are thoroughly trained.
Policy. Training is a critical means of informing employees
of the contents of and reasons for the organization's policies.
Security Program Management. Federal agencies need to
ensure that appropriate computer security awareness and training is
provided, as required under the Computer Security Act of 1987. A
security program should ensure that an organization is meeting all
applicable laws and regulations.
Personnel/User Issues. Awareness, training, and education
are often included with other personnel/user issues. Training is
often required before access is granted to a computer system.
13.8 Cost Considerations
The major cost considerations in awareness, training, and
education programs are:
1) the cost of preparing and updating materials, including the
time of the preparer;
2) the cost of those providing the instruction;
3) employee time attending courses and lectures or watching
videos; and
4) the cost of outside courses and consultants (both of which may
include travel expenses), including course maintenance.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.