May 9, 2021
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our cybersecurity audits to ensure proper Internet
security settings and to meet the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance
with Gramm-Leach-Bliley Act 501(b); the penetration test also
complies with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world
cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner
with 40 years of IT auditing experience. Please contact R. Kinney
Williams at examiner@yennik.com from your bank's email and I will
send you information and fees. All correspondence is confidential.
FYI - Ransomware Task Force releases
long-awaited recommendations - The Ransomware Task Force, a
collaboration of more than 60 stakeholders, released its
long-awaited ransomware framework on Thursday morning, advocating
nearly 50 interlocking government and private sector strategies to
tackle the criminal scourge.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-task-force-releases-long-awaited-recommendations/
Cyber insurance companies need to focus more on risk profiles – and
less on security ratings scores - Security ratings services have
become a popular way for companies to assess their own cybersecurity
posture, as well as that of their partners. And, while they are
useful for establishing a data baseline of competence, they are
often relied on as something more than that.
https://www.scmagazine.com/perspectives/cyber-insurance-companies-need-to-focus-more-on-risk-profiles-and-less-on-security-rating-scores/
Tips on Enhancing Supply Chain Security - NIST, CISA Highlight Key
Steps to Take - The U.S. Cybersecurity and Infrastructure Security
Agency and the National Institute of Standards and Technology have
released a report providing insights on how to enhance supply chain
security in the wake of the SolarWinds attack.
https://www.govinfosecurity.com/tips-on-enhancing-supply-chain-security-a-16479
FCC Supply Chain Security Strategy, Risk Of Fiber Shortage, Digital
Literacy To Close Digital Divide - Risk management and security for
supply chains is an increasingly important factor for small and
mid-sized businesses, according to industry experts at a Federal
Communications Commission event held Monday, and the agency has a
strategy to protect the nation’s networks.
https://broadbandbreakfast.com/2021/04/fcc-supply-chain-security-strategy-risk-of-fiber-shortage-digital-literacy-to-close-digital-divide/
NSA warns defense contractors to double check connections in light
of Russian hacking - The National Security Agency warned defense
contractors in a memo on Thursday to reexamine the security of the
connections between their operational technology and information
technology in light of recent alleged Russian hacking.
https://www.cyberscoop.com/nsa-warns-defense-contractors-operational-technology-connections-russia-solarwinds/
Pulse Secure Ships Belated Fix for VPN Zero-Day - Embattled VPN
technology vendor Pulse Secure on Monday updated an “out-of-cycle”
advisory with patches for four major security vulnerabilities,
including belated cover for an issue that’s already been exploited
by advanced threat actors.
https://www.securityweek.com/pulse-secure-ships-belated-fix-vpn-zero-day
SAP admits to ‘thousands’ of illegal software exports to Iran - SAP
says it accepts “full responsibility for past conduct.” - SAP has
reached a settlement with US investigators to close a prosecution
relating to the violation of economic sanctions and the illegal
export of software to Iran.
https://www.zdnet.com/article/sap-admits-to-thousands-of-illegal-software-exports-to-iran/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Ransomware gang Babuk claims DC’s
Metropolitan Police was last caper – then goes dark - Babuk – the
allegedly Russian-speaking ransomware gang targeting D.C.’s
Metropolitan Police Department – posted on the dark web a message
that it was shutting down, only to reverse course and pull the
message from the site.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-gang-babuk-claims-dcs-metropolitan-police-was-last-caper-then-goes-dark/
Click Studios says stop tweeting: Phishers track breach notification
info to craft new lures - Australian password security company Click
Studios said it believes only a small fraction of its 29,000
customers were affected by a breach caused by a corrupted update
containing malicious code.
https://www.scmagazine.com/home/security-news/phishing/click-studios-says-stop-tweeting-phishers-track-breach-notification-info-to-craft-new-lures/
Washington DC police force confirms data breach after ransomware
upstart Babuk posts trophies to Tor blog - Ransomware criminals have
posted trophy pictures on their Tor blog after attacking the police
force for US capital Washington DC.
https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/
DoppelPaymer Gang Leaks Files from Illinois AG After Ransom
Negotiations Break Down - Information stolen in April 10 ransomware
attack was posted on a dark web portal and includes private
documents not published as part of public records.
https://threatpost.com/doppelpaymer-leaks-illinois-ag/165694/
Whistler resort municipality hit by new ransomware operation - The
Whistler municipality in British Columbia, Canada, has suffered a
cyberattack at the hands of a new ransomware operation.
https://www.bleepingcomputer.com/news/security/whistler-resort-municipality-hit-by-new-ransomware-operation/
More US agencies potentially hacked, this time with Pulse Secure
exploits - At least five US federal agencies may have experienced
cyberattacks that targeted recently discovered security flaws that
give hackers free rein over vulnerable networks, the US
Cybersecurity and Infrastructure Security Agency said on Friday.
https://arstechnica.com/gadgets/2021/04/more-us-agencies-potentially-hacked-this-time-with-pulse-secure-exploits/
Suspected Chinese state hackers target Russian submarine designer -
Hackers suspected to work for the Chinese government have used a new
malware called PortDoor to infiltrate the systems of an engineering
company that designs submarines for the Russian Navy.
https://www.bleepingcomputer.com/news/security/suspected-chinese-state-hackers-target-russian-submarine-designer/
Scripps Health Cyberattack Causes Widespread Hospital Outages - The
San Diego-based hospital system diverted ambulances to other medical
centers after a suspected ransomware attack.
https://threatpost.com/scripps-health-cyberattack-hospital-outages/165817/
Swiss Cloud suffers Ransomware attack - Switzerland based cloud
hosting provider Swiss Cloud suffered a ransomware attack that
brought down the company’s server infrastructure.
https://securereading.com/swiss-cloud-suffers-ransomware-attack/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools
and Practices for Information System Security."
RISK ASSESSMENT/MANAGEMENT
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
OVERVIEW
The quality of security controls can significantly influence
all categories of risk. Traditionally, examiners and bankers
recognize the direct impact on operational/transaction risk from
incidents related to fraud, theft, or accidental damage. Many
security weaknesses, however, can directly increase exposure in
other risk areas. For example, the GLBA introduced additional
legal/compliance risk due to the potential for regulatory
noncompliance in safeguarding customer information. The potential
for legal liability related to customer privacy breaches may present
additional risk in the future. Effective application access controls
can reduce credit and market risk by imposing risk limits on loan
officers or traders. If a trader were to exceed the intended trade
authority, the institution may unknowingly assume additional market
risk exposure.
A strong security program reduces levels of reputation and
strategic risk by limiting the institution's vulnerability to
intrusion attempts and maintaining customer confidence and trust in
the institution. Security concerns can quickly erode customer
confidence and potentially decrease the adoption rate and rate of
return on investment for strategically important products or
services. Examiners and risk managers should incorporate security
issues into their risk assessment process for each risk category.
Financial institutions should ensure that security risk assessments
adequately consider potential risk in all business lines and risk
categories.
Information security risk assessment is the process used to
identify and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
prerequisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
program.
Risk assessments for most industries focus only on the risk to
the business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to "protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
OPERATIONS
14.5 Media Controls
Media controls include a variety of measures to provide physical
and environmental protection and accountability for tapes,
diskettes, printouts, and other media. From a security perspective,
media controls should be designed to prevent the loss of
confidentiality, integrity, or availability of information,
including data or software, when stored outside the system. This can
include storage of information before it is input to the system and
after it is output.
The extent of media control depends upon many factors, including
the type of data, the quantity of media, and the nature of the user
environment. Physical and environmental protection is used to
prevent unauthorized individuals from accessing the media. It also
protects against such factors as heat, cold, or harmful magnetic
fields. When necessary, logging the use of individual media (e.g., a
tape cartridge) provides detailed accountability -- to hold
authorized people responsible for their actions.
14.5.1 Marking
Controlling media may require some form of physical labeling. The
labels can be used to identify media with special handling
instructions, to locate needed information, or to log media (e.g.,
with serial/control numbers or bar codes) to support accountability.
Identification is often by colored labels on diskettes or tapes or
banner pages on printouts.
If labeling is used for special handling instructions, it is
critical that people be appropriately trained. The marking of PC
input and output is generally the responsibility of the user, not
the system support staff. Marking backup diskettes can help prevent
them from being accidentally overwritten.
Typical markings for media could include: Privacy Act Information,
Company Proprietary, or Joe's Backup Tape. In each case, the
individuals handling the media must know the applicable handling
instructions. For example, at the Acme Patent Research Firm,
proprietary information may not leave the building except under the
care of a security officer. Also, Joe's Backup Tape should be easy
to find in case something happens to Joe's system.
14.5.2 Logging
The logging of media is used to support accountability. Logs can
include control numbers (or other tracking data), the times and
dates of transfers, names and signatures of individuals involved,
and other relevant information. Periodic spot checks or audits may
be conducted to determine that no controlled items have been lost
and that all are in the custody of individuals named in control
logs. Automated media tracking systems may be helpful for
maintaining inventories of tape and disk libraries.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article,
so please e-mail us at examiner@yennik.com if we can be of
assistance.