R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

May 14, 2023

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the FFIEC Cybersecurity Assessment Tool's resilience testing expectations.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FFIEC IT audits - I am performing FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Insurers can't use 'act of war' excuse to avoid Merck's $1.4B NotPetya payout - Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection, a court has ruled. https://www.theregister.com/2023/05/03/merck_14bn_insurance_payout_upheld/

Chrome's HTTPS padlock heads to Google Graveyard - Google plans to retire the padlock icon that appears in the Chrome status bar during a secure HTTPS web browsing session because the interface graphic has outlived its usefulness. https://www.theregister.com/2023/05/03/google_chrome_padlock/

Ex-Uber security chief sentenced to three years of probation for data-breach cover-up - Uber's former chief security officer was sentenced on May 4 to a three-year term of probation, ordered to pay a fine of $50,000 and required to perform 200 hours of community service for covering up Uber's 2016 breach. https://www.scmagazine.com/news/leadership/ex-uber-security-chief-sentenced-probation-data-breach-cover-up

Incident response teams list their top methods for measuring readiness - Tabletop exercises tops the list for readiness, with 55% of survey respondents saying they use methods like discussion-based brainstorming to measure readiness for cybersecurity incidents. https://www.scmagazine.com/resource/incident-response/incident-response-teams-list-their-top-methods-for-measuring-readiness

New White House AI Initiatives Include AI Software-Vetting Event at DEF CON - The White House this week announced new actions to promote responsible AI innovation that will have significant implications for cybersecurity. https://www.darkreading.com/attacks-breaches/new-white-house-ai-initiatives-include-def-con-event

Victims’ reluctance to report ransomware stymies efforts to curb cyberattacks, say federal officials - Federal officials say they need more victims to report when they've been hit by ransomware in order to better defend against the problem. https://cyberscoop.com/ransomware-data-task-force-washington/

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Tennessee health system stops all operations amid cyberattack recovery - Murfreesboro Medical Clinic & SurgiCenter was forced offline after a cyberattack was deployed on April 22. In response, the Tennessee provider closed all operations and launched an emergency shutdown of the network to prevent the attack from spreading. https://www.scmagazine.com/news/breach/tennessee-health-system-stops-all-operations-amid-cyberattack-recovery

Ransomware Attack Affects Dallas Police, Court Websites - Dallas was hit with a computer ransomware attack Wednesday that brought down its Police Department and City Hall websites and caused some jury trials to be canceled, officials said. https://www.securityweek.com/ransomware-attack-affects-dallas-police-court-websites/

Western Digital says hackers stole customer data in March cyberattack - Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. https://www.bleepingcomputer.com/news/security/western-digital-says-hackers-stole-customer-data-in-march-cyberattack/

Cloud-Based EHR Vendor Notifying 1 Million of Data Breach - Cloud-based electronic health records vendor NextGen Healthcare is notifying more than 1 million individuals of a data compromise involving stolen credentials. The data breach is at least the second alleged data security incident the company has investigated since January. https://www.govinfosecurity.com/cloud-based-ehr-vendor-notifying-1-million-data-breach-a-22008

$1.1M Paid to Resolve Ransomware Attack on California County - A $1.1 million payment was made to resolve a ransomware attack on a California county’s law enforcement computer network, Southern California News Group reported. https://www.securityweek.com/1-1m-paid-to-resolve-ransomware-attack-on-california-county/

Salesforce Community Cloud data leaks shine light on misconfigurations - Reported misconfigurations in the Salesforce Community Cloud once again show how the industry needs to do a better job explaining the shared responsibility model for cloud apps. https://www.scmagazine.com/news/cloud-security/salesforce-community-cloud-data-leaks-misconfigurations


WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
 
 Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.
 
 Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to the Official Staff Commentary (OSC) to Regulation DD if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.
 
 Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers would supplement electronic disclosures with paper disclosures.



FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." 
  
  
System Architecture and Design
  
  The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts. 
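  The two failure modes in the paragraph above, address-only trust and the chain of hosts that trust each other, can be made concrete. The following is an added example, not part of the FDIC text; the hosts, addresses, trust relationships and keys are constructed for illustration. It contrasts a check that admits a peer on its source address alone with a challenge-response check that requires proof of a shared secret, and it computes which hosts fall once a single trusted address can be forged.

```python
"""Added example (not from the FDIC text): address-only trust versus
proof-of-possession, and how trust chains widen the blast radius of one
spoofed address.  All hosts, addresses and keys below are constructed."""
import hashlib
import hmac
import secrets

# Constructed inventory: which peers each host admits on source address alone.
# "db-server" lets "app-server" in without a password, and so on.
TRUSTS = {
    "db-server":   {"app-server"},
    "app-server":  {"admin-ws", "backup-host"},
    "backup-host": {"admin-ws"},
    "admin-ws":    set(),
}
ADDRESSES = {
    "admin-ws": "10.0.0.5",
    "app-server": "10.0.0.20",
    "backup-host": "10.0.0.30",
    "db-server": "10.0.0.40",
}


def exposed_by_impersonating(trusts, spoofed):
    """Hosts an intruder can reach by impersonating `spoofed` and then hopping
    from each newly reached host to every host that trusts it."""
    reached = {spoofed}
    changed = True
    while changed:
        changed = False
        for host, peers in trusts.items():
            if host not in reached and peers & reached:
                reached.add(host)
                changed = True
    reached.discard(spoofed)
    return reached


def allow_by_address(claimed_src, trusted_addresses):
    """Weak: the only input is a source address the sender chooses."""
    return claimed_src in trusted_addresses


def allow_by_challenge(shared_key, challenge, response):
    """Stronger: the peer must prove it holds a secret the spoofer lacks.
    The response is an HMAC over a fresh challenge, so a replay also fails."""
    expected = hmac.new(shared_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    """Forge admin-ws's address without its key and try both checks."""
    trusted = {ADDRESSES[h] for h in TRUSTS["app-server"]}
    key = secrets.token_bytes(32)        # hypothetical: held by admin-ws and app-server
    challenge = secrets.token_bytes(16)  # fresh per connection

    spoofed_ok = allow_by_address(ADDRESSES["admin-ws"], trusted)
    forged = allow_by_challenge(key, challenge, secrets.token_bytes(32))
    genuine = allow_by_challenge(
        key, challenge, hmac.new(key, challenge, hashlib.sha256).digest())
    return {
        "address_check_passes_spoof": spoofed_ok,
        "challenge_check_passes_spoof": forged,
        "challenge_check_passes_genuine": genuine,
        "hosts_exposed_via_admin_ws": sorted(exposed_by_impersonating(TRUSTS, "admin-ws")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

  Two caveats apply. The challenge-response check only helps if the secret is not itself reachable by the intruder and the challenge is never reused; and if the attacker can predict TCP sequence numbers well enough to hijack the session after authentication, a check at connection time does not protect the traffic that follows, which is why integrity on every message (for example TLS) rather than a one-time handshake is the durable fix. Source-address filtering still has a place as a network-layer control, just not as the sole basis for granting access.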
  
  Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hypertext Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. Telnet protocol actually enables one computer to log in to another. Both FTP and Telnet also carry user names and passwords in clear text. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture. 
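  The practical control behind the paragraph above is an inventory of what a system actually listens for, compared against what it is meant to offer. The following is an added example, not from the FDIC text: it parses a constructed listing in the shape of `ss -H -l -n -t` output (not a real capture) and flags network-reachable listeners that are either clear-text remote-access services or outside a hypothetical approved-port list for a web server.

```python
"""Added example (not from the FDIC text): audit a host's listening TCP
services against a policy naming the protocols the system is meant to speak.
The ss-style inventory and the policy below are constructed, not captured."""
import re

# Constructed output in the shape of `ss -H -l -n -t`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
"""

# Hypothetical policy: the only TCP ports this web server may expose.
ALLOWED_PORTS = {22, 443}

# Services whose presence is a finding regardless of policy: they move files
# or grant a login and send credentials in the clear.
CLEARTEXT_REMOTE_ACCESS = {21: "FTP", 23: "Telnet"}

_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+$")


def parse_listeners(text):
    """Return (local address, port) tuples; malformed lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append((m.group("addr"), int(m.group("port"))))
    return found


def is_loopback(addr):
    """True for listeners bound only to the local host (IPv4 or IPv6)."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit_listeners(listeners, allowed_ports):
    """Flag each listener reachable from the network that is a clear-text
    remote-access service or is not on the approved list.  Loopback-only
    services are skipped: they are not exposed to the Internet."""
    findings = []
    for addr, port in listeners:
        if is_loopback(addr):
            continue
        if port in CLEARTEXT_REMOTE_ACCESS:
            name = CLEARTEXT_REMOTE_ACCESS[port]
            findings.append((port, f"{name} exposed on {addr}; disable or replace with SSH/SFTP"))
        elif port not in allowed_ports:
            findings.append((port, f"listener on {addr} not in approved service list"))
    return findings


if __name__ == "__main__":
    for port, note in audit_listeners(parse_listeners(SAMPLE_LISTENERS), ALLOWED_PORTS):
        print(f"port {port}: {note}")
```

  On a live host the same function can be fed the real output of `ss -H -l -n -t`; the point of keeping the parser separate from the policy is that the approved list is reviewed as a document, while the listing is regenerated each time the check runs.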
  
  The open architecture of the Internet also makes it easy for system attacks to be launched against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit. 

  
  Security Scanning Products 

  
  A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 4.3 Employee Sabotage
 
 Employees are most familiar with their employer's computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in both the public and private sectors has created a group of individuals with organizational knowledge, who may retain potential system access (e.g., if system accounts are not deleted in a timely manner). The number of incidents of employee sabotage is believed to be much smaller than the instances of theft, but the cost of such incidents can be quite high.
 
 Martin Sprouse, author of Sabotage in the American Workplace, reported that the motivation for sabotage can range from altruism to revenge:
 As long as people feel cheated, bored, harassed, endangered, or betrayed at work, sabotage will be used as a direct method of achieving job satisfaction -- the kind that never has to get the bosses' approval.
 
 Common examples of computer-related employee sabotage include:
 1)  destroying hardware or facilities,
 2)  planting logic bombs that destroy programs or data,
 3)  entering data incorrectly,
 4)  "crashing" systems,
 5)  deleting data,
 6)  holding data hostage, and
 7)  changing data.
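 The point above about system accounts not being deleted in a timely manner implies a recurring check: reconcile the accounts on each system against the HR roster. The following is an added example, not from the NIST Handbook; the roster, account export, dates and thresholds are constructed. It flags enabled accounts of departed employees (and ranks higher the ones used after the departure date), accounts with no owner on the roster, and dormant accounts still enabled.

```python
"""Added example (not from the NIST Handbook): reconcile system accounts
against the HR roster so that a departed employee's access does not linger.
All rosters, accounts, dates and thresholds below are constructed."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (username, termination date or None)
HR_ROSTER = {
    "E100": ("jsmith", None),
    "E101": ("mlee", date(2023, 4, 28)),    # left about two weeks ago
    "E102": ("rpatel", date(2023, 5, 12)),  # left two days ago
}

# Constructed account export: username -> (enabled, last login)
ACCOUNTS = {
    "jsmith": (True, date(2023, 5, 13)),
    "mlee": (True, date(2023, 5, 10)),        # used after termination
    "rpatel": (False, date(2023, 5, 11)),     # disabled on time
    "svc_backup": (True, date(2023, 5, 13)),  # approved service account
    "tmp_consultant": (True, date(2023, 1, 3)),
}

# Hypothetical policy: disable within one day of termination; treat an
# enabled account unused for 90 days as dormant.
DISABLE_SLA = timedelta(days=1)
DORMANT_AFTER = timedelta(days=90)
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def reconcile(roster, accounts, today, known_service=KNOWN_SERVICE_ACCOUNTS):
    """Return (severity, username, reason) findings."""
    termination_by_user = {user: term for user, term in roster.values()}
    findings = []
    for user, (enabled, last_login) in accounts.items():
        if user in termination_by_user:
            term = termination_by_user[user]
            if term is not None and enabled and today - term > DISABLE_SLA:
                used_after = last_login > term
                reason = f"still enabled {(today - term).days} days after termination"
                if used_after:
                    reason += "; logged in after leaving"
                findings.append(("HIGH" if used_after else "MEDIUM", user, reason))
        elif user not in known_service:
            findings.append(("MEDIUM", user, "no matching employee or approved service account"))
        if enabled and today - last_login > DORMANT_AFTER:
            findings.append(("LOW", user, f"dormant for {(today - last_login).days} days but enabled"))
    return findings


if __name__ == "__main__":
    for sev, user, reason in reconcile(HR_ROSTER, ACCOUNTS, date(2023, 5, 14)):
        print(f"{sev:6} {user:15} {reason}")
```

 Matching on a stable employee identifier rather than a reusable username is preferable where the account export carries one; and this check finds lingering accounts, not shared passwords or knowledge a former employee retains, which the other items in the list above still cover.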
 
 Chapter 4.4 Loss of Physical and Infrastructure Support
 
 The loss of supporting infrastructure includes power failures (outages, spikes, and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, and strikes. These losses include such dramatic events as the explosion at the World Trade Center and the Chicago tunnel flood, as well as more common events, such as broken water pipes. Many of these issues are covered in Chapter. A loss of infrastructure often results in system downtime, sometimes in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the computer system may be functional.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.