R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

April 25, 2021

Please stay safe - We will recover.

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions.  I am a former bank examiner with 40 years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - The Biggest Security Threats to the US Are the Hardest to Define - It's been two years since the heads of the top US intelligence agencies last came to Congress for an update on global threats; they skipped 2020 amid tensions with former president Donald Trump. In the Biden administration, though, the public hearing was back on Wednesday. https://www.wired.com/story/worldwide-threats-briefing-2021/

NSA: Top 5 vulnerabilities actively abused by Russian govt hackers - A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warns that the Russian Foreign Intelligence Service (SVR) is exploiting five vulnerabilities in attacks against U.S. organizations and interests. https://www.bleepingcomputer.com/news/security/nsa-top-5-vulnerabilities-actively-abused-by-russian-govt-hackers/

Cyber nonprofits ask billionaire philanthropists to show them some love - A contingent of leading cybersecurity organizations and nonprofits published an open letter on Friday, calling for large philanthropic foundations and internet billionaires to consider donating to their causes, citing a paucity of available grants and funds. https://www.scmagazine.com/home/security-news/cyber-nonprofits-ask-billionaire-philanthropists-to-show-them-some-love/

‘Every day is game day:’ Sports psychology expert applies his skills to cybersecurity - Baseball can be a game of heart-stopping pressure. One that requires patience, perseverance, stamina and resilience. https://www.scmagazine.com/home/security-news/every-day-is-game-day-sports-psychology-expert-applies-his-skills-to-cybersecurity/

Software Developer Arrested in Computer Sabotage Case - A software developer has been arrested and faces charges for allegedly placing malicious code on his employer's computer servers, the Justice Department reports. https://www.darkreading.com/software-developer-arrested-in-computer-sabotage-case/d/d-id/1340693

With details sparse, vendors scramble to make sense of Biden 100-day grid security plan - The Biden administration launched what it called a “bold” 100-day sprint to improve the cybersecurity of electric utilities on Tuesday. https://www.scmagazine.com/home/government/with-details-sparse-vendors-scramble-to-make-sense-of-biden-100-day-grid-security-plan/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chinese threat actors extract big data and sell it on the dark web - Researchers on Monday reported that cybercriminals are taking advantage of China’s push to become a leader in big data by extracting legitimate big data sources and selling the stolen data on the Chinese-language dark web. https://www.scmagazine.com/home/security-news/database-security/chinese-threat-actors-extract-big-data-and-sell-it-on-the-dark-web/

Understanding Florida’s water treatment hack, and how to stop future attacks - At the onset of the pandemic, organizations rushed to deploy remote access to prevent costly interruptions and adapt their workforces to COVID-19. https://www.scmagazine.com/perspectives/understanding-floridas-water-treatment-hack-and-how-to-stop-future-attacks/

Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months - Codecov, makers of a code coverage tool used by over 29,000 customers, has warned that a compromised script may have stolen credentials over a period of two months, before it was discovered a few weeks ago. https://www.theregister.com/2021/04/19/codecov_warns_of_stolen_credentials/

Major BGP leak disrupts thousands of networks globally - A large BGP routing leak that occurred last night disrupted the connectivity for thousands of major networks and websites around the world. https://www.bleepingcomputer.com/news/security/major-bgp-leak-disrupts-thousands-of-networks-globally/

Someone is using SonicWall’s email security tool to hack customers - SonicWall’s email security solution is supposed to help protect customers from phishing attacks, business email compromise, ransomware and other email related threats. However, it appears some attackers have been using previously unknown cybersecurity vulnerabilities in the very same product to break into victim networks. https://www.scmagazine.com/home/email-security/someone-is-using-sonicwalls-email-security-tool-to-hack-customers/



WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
   
   To ensure the security of information systems and data, financial institutions should have a sound information security program that identifies, measures, monitors, and manages potential risk exposure. Fundamental to an effective information security program is ongoing risk assessment of threats and vulnerabilities surrounding networked and/or Internet systems. Institutions should consider the various measures available to support and enhance information security programs. The appendix to this paper describes certain vulnerability assessment tools and intrusion detection methods that can be useful in preventing and identifying attempted external break-ins or internal misuse of information systems. Institutions should also consider plans for responding to an information security incident.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.
   
   
ROLES AND RESPONSIBILITIES (2 of 2)
   
   Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.
   
   Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should
   
   1)  Ensure the security process is governed by organizational policies and practices that are consistently applied,
   2)  Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
   3)  Enforce compliance with the security program in a balanced and consistent manner across the organization, and
   4)  Coordinate information security with physical security.
   
   Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.
   
   Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.
   
   Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
 

 14.1 User Support
 
 In many organizations, user support takes place through a Help Desk. Help Desks can support an entire organization, a subunit, a specific system, or a combination of these. For smaller systems, the system administrator normally provides direct user support. Experienced users provide informal user support on most systems.
 
 User support should be closely linked to the organization's incident handling capability. In many cases, the same personnel perform these functions.
 
 An important security consideration for user support personnel is being able to recognize which problems (brought to their attention by users) are security-related. For example, users' inability to log onto a computer system may result from the disabling of their accounts due to too many failed access attempts. This could indicate the presence of hackers trying to guess users' passwords.
 
 In general, system support and operations staff need to be able to identify security problems, respond appropriately, and inform appropriate individuals. A wide range of possible security problems exist. Some will be internal to custom applications, while others apply to off-the-shelf products. Additionally, problems can be software- or hardware-based.
 
 The more responsive and knowledgeable system support and operation staff personnel are, the less user support will be provided informally. The support other users provide is important, but they may not be aware of the "whole picture."
 
 Small systems are especially susceptible to viruses, while networks are particularly susceptible to hacker attacks, which can be targeted at multiple systems. System support personnel should be able to recognize attacks and know how to respond.
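The Handbook's example above (a lockout after too many failed access attempts may be a forgotten password, or may be someone guessing passwords) is the kind of distinction support staff have to make quickly. The following is an added example, not from the newsletter or the NIST Handbook, of a small triage helper that a help desk could run over authentication log lines before unlocking an account: it checks whether the failures that preceded a lockout came from a source that was also failing against several other accounts in the same window, which is the pattern worth handing to incident handling rather than clearing as routine. The log format, usernames and addresses are constructed for the example; a real system logs in its own format and would need its own parser.

```python
"""Added example (not from the newsletter or the NIST Handbook): triage
account lockouts by asking whether the preceding failures came from a
source that was also hitting other accounts, which suggests password
guessing rather than a single user's forgotten password."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not from any real system).
# alice: a few failures from one address, then locked -> routine.
# 198.51.100.7: failures against five different accounts, frank locked -> escalate.
SAMPLE_LOG = """\
2021-04-20T08:01:05 auth sshd: Failed password for alice from 10.0.0.5
2021-04-20T08:01:09 auth sshd: Failed password for alice from 10.0.0.5
2021-04-20T08:01:13 auth sshd: Failed password for alice from 10.0.0.5
2021-04-20T08:01:17 auth sshd: Failed password for alice from 10.0.0.5
2021-04-20T08:01:21 auth sshd: Failed password for alice from 10.0.0.5
2021-04-20T08:01:22 auth pam: account alice locked after 5 failed attempts
2021-04-20T08:10:00 auth sshd: Failed password for bob from 198.51.100.7
2021-04-20T08:10:02 auth sshd: Failed password for carol from 198.51.100.7
2021-04-20T08:10:04 auth sshd: Failed password for dave from 198.51.100.7
2021-04-20T08:10:06 auth sshd: Failed password for erin from 198.51.100.7
2021-04-20T08:10:08 auth sshd: Failed password for frank from 198.51.100.7
2021-04-20T08:10:10 auth sshd: Failed password for frank from 198.51.100.7
2021-04-20T08:10:12 auth sshd: Failed password for frank from 198.51.100.7
2021-04-20T08:10:14 auth sshd: Failed password for frank from 198.51.100.7
2021-04-20T08:10:16 auth sshd: Failed password for frank from 198.51.100.7
2021-04-20T08:10:18 auth pam: account frank locked after 5 failed attempts
"""

# Line shapes are assumptions for the constructed format above.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth \S+: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
LOCK_RE = re.compile(r"account (?P<user>\S+) locked")


def parse_events(text):
    """Turn log lines into (timestamp, kind, user, source) tuples;
    kind is "fail" or "lock". Lines that match neither are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        msg = m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            events.append((ts, "fail", f.group("user"), f.group("src")))
            continue
        lk = LOCK_RE.search(msg)
        if lk:
            events.append((ts, "lock", lk.group("user"), None))
    return events


def triage_lockouts(text, window=timedelta(minutes=10), min_accounts=3):
    """For each locked account, find the source that failed against it and
    count how many distinct accounts that source failed against within
    `window` before the lock. A source hitting `min_accounts` or more
    accounts is flagged as suspicious (likely guessing, escalate); a single
    account failing from a single source is treated as routine.

    Returns {user: {"source": str|None, "accounts_hit": int, "suspicious": bool}}.
    """
    events = parse_events(text)
    report = {}
    for ts, kind, user, _ in events:
        if kind != "lock":
            continue
        recent = [e for e in events
                  if e[1] == "fail" and ts - window <= e[0] <= ts]
        sources = {e[3] for e in recent if e[2] == user}
        worst_src, worst_n = None, 0
        for src in sources:
            n = len({e[2] for e in recent if e[3] == src})
            if n > worst_n:
                worst_src, worst_n = src, n
        report[user] = {
            "source": worst_src,
            "accounts_hit": worst_n,
            "suspicious": worst_n >= min_accounts,
        }
    return report


if __name__ == "__main__":
    for user, info in triage_lockouts(SAMPLE_LOG).items():
        flag = "ESCALATE to incident handling" if info["suspicious"] else "routine unlock"
        print(f"{user}: failures from {info['source']} hit "
              f"{info['accounts_hit']} account(s) -> {flag}")
```

The threshold and window are deliberately simple; the point is that the support desk's unlock procedure has a check in it that routes the multi-account pattern to the incident handling staff the Handbook says user support should be closely linked to, instead of treating every lockout the same way.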

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.