R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

April 18, 2021

Please stay safe - We will recover.

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions.  I am a former bank examiner with 40 years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - April 9, 2021 - Federal Disability Discrimination Law Does Not Require Websites Be Accessible, Appeals Court Holds - A website is not a “place of public accommodation” and an inaccessible website is not necessarily equal to the denial of goods or services, a federal appeals court has held in a groundbreaking decision on disability discrimination under Title III of the Americans with Disabilities Act (ADA). https://www.jacksonlewis.com/publication/federal-disability-discrimination-law-does-not-require-websites-be-accessible-appeals-court-holds

‘We have to adapt to new ways of thinking’ - A conversation with the head of cybersecurity and technology controls, and global chief information security officer for JPMorgan Chase. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here. https://www.scmagazine.com/home/from-the-collaborative/the-ascent/jason-witty-we-have-to-adapt-to-new-ways-of-thinking/

61 percent of employees fail basic cybersecurity quiz - Nearly 70% of employees polled in a new survey said they recently received cybersecurity training from their employers, yet 61% nevertheless failed when asked to take a basic quiz on the topic. https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/

Stuxnet sibling theory surges after Iran says nuke facility shut down by electrical fault - Iran has admitted that one of its nuclear facilities went offline over the weekend, and a single report claiming Israeli cyber-weapons were the cause has been widely accepted as a credible explanation for the incident. https://www.theregister.com/2021/04/12/iran_cyber_attack_theory/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers hit nine countries, expose 623,036 payment card records - Researchers on Thursday said in a blog that user data of the Swarmshop card shop – which trades in stolen personal and payment records – was leaked online on March 17 and posted on a different underground forum; the leak contained 12,344 records of the card shop's administrators, sellers and buyers. https://www.scmagazine.com/home/security-news/cybercrime/hackers-hit-nine-countries-expose-623036-payment-card-records/

Major DC insurance provider hacked by 'foreign cybercriminals' - CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC) suffered a data breach carried out by what it described as a “foreign cybercriminal” group in January that potentially impacted sensitive data, the company told customers this week. https://thehill.com/policy/cybersecurity/547250-major-dc-insurance-provider-hacked-by-foreign-cybercriminals

Belden Issues Supplemental Notification of Data Incident - As was first communicated on November 24, 2020, Belden was the victim of a sophisticated cyberattack that may have exposed the personal information of current and former employees and limited company information regarding some business partners. https://www.businesswire.com/news/home/20210407005885/en/Belden-Issues-Supplemental-Notification-of-Data-Incident

LinkedIn confirms leak of 500 million profiles online, maintains incident was not a breach - LinkedIn confirmed Thursday that 500 million LinkedIn profiles were put on sale on a hacker forum. https://www.scmagazine.com/home/security-news/phishing/linkedin-confirms-leak-of-500-million-profiles-online-maintains-incident-was-not-a-breach/

Washington State educational organizations targeted in cryptojacking spree - The lucrative nature of cryptocurrency means no industry is safe. US educational organizations are being targeted by threat actors intent on compromising their networks to covertly mine cryptocurrency. https://www.zdnet.com/article/washington-state-educational-organizations-targeted-in-cryptojacking-spree/ 

Dutch supermarkets run out of cheese after ransomware attack - A ransomware attack against conditioned warehousing and transportation provider Bakker Logistiek has caused a cheese shortage in Dutch supermarkets. https://www.bleepingcomputer.com/news/security/dutch-supermarkets-run-out-of-cheese-after-ransomware-attack/

Kentucky Unemployment Insurance Site Shuttered After Attack - The Kentucky Office of Unemployment Insurance shut down its account operations for four days - starting 12:01 a.m. Friday - while it battles a cyberattack that has forced it to reset more than 300,000 PINs to stop fraudsters from gaining access to accounts and diverting benefit payments. https://www.govinfosecurity.com/kentucky-unemployment-insurance-site-shuttered-after-attack-a-16376


WEB SITE COMPLIANCE -
Over the next few weeks we will cover the FDIC's paper "Risk Assessment Tools and Practices for Information System Security" dated July 7, 1999. This is our first selection for your reading.
   
   Whether financial institutions contract with third-party providers for computer services such as Internet banking, or maintain computer services in-house, bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technologies and computer networks. If a bank is relying on a third-party provider, management must generally understand the provider's information security program to effectively evaluate the security system's ability to protect bank and customer data.
   
   The FDIC has previously issued guidance on information security concerns such as data privacy and confidentiality, data integrity, authentication, non-repudiation, and access control/system design. This paper is designed to supplement Financial Institution Letter 131-97, "Security Risks Associated With the Internet," dated December 18, 1997, and to complement the FDIC's safety and soundness electronic banking examination procedures. Related guidance can be found in the FFIEC Information Systems Examination Handbook.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.
   
   
ROLES AND RESPONSIBILITIES (1 of 2)
   
   
Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:
   
   1)  Central oversight and coordination,
   2)  Areas of responsibility,
   3)  Risk measurement,
   4)  Monitoring and testing,
   5)  Reporting, and
   6)  Acceptable residual risk.
   
   Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
   
   Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
 

 Computer support and operations refers to everything done to run a computer system. This includes both system administration and tasks external to the system that support its operation (e.g., maintaining documentation). It does not include system planning or design. The support and operation of any computer system, from a three-person local area network to a worldwide application serving thousands of users, is critical to maintaining the security of a system. Support and operations are routine activities that enable computer systems to function correctly. These include fixing software or hardware problems, loading and maintaining software, and helping users resolve problems.
 
 System management and administration staff generally perform support and operations tasks although sometimes users do. Larger systems may have full-time operators, system programmers, and support staff performing these tasks. Smaller systems may have a part-time administrator.
 
 The failure to consider security as part of the support and operations of computer systems is, for many organizations, their Achilles heel. Computer security system literature includes many examples of how organizations undermined their often expensive security measures because of poor documentation, old user accounts, conflicting software, or poor control of maintenance accounts. Also, an organization's policies and procedures often fail to address many of these important issues.
 
 The important security considerations within some of the major categories of support and operations are:
 
 1)  user support,
 2)  software support,
 3)  configuration management,
 4)  backups,
 5)  media controls,
 6)  documentation, and
 7)  maintenance.
 
 Some special considerations are noted for larger or smaller systems.
 
 The primary goal of computer support and operations is the continued and correct operation of a computer system. One of the goals of computer security is the availability and integrity of systems. These goals are very closely linked.
 
 This chapter addresses the support and operations activities directly related to security. Every control discussed in this handbook relies, in one way or another, on computer system support and operations. This chapter, however, focuses on areas not covered in other chapters. For example, operations personnel normally create user accounts on the system. This topic is covered in the Identification and Authentication chapter, so it is not discussed here. Similarly, the input from support and operations staff to the security awareness and training program is covered in the Security Awareness, Training, and Education chapter.

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.