R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

May 15, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the resilience testing requirements of the FFIEC Cybersecurity Assessment Tool.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

New framework aims to secure digital health apps not covered by HIPAA - A new framework developed and released by several healthcare stakeholder groups takes aim at securing digital health technologies and mobile health apps, the vast majority of which fall outside of The Health Insurance Portability and Accountability Act regulation. https://www.scmagazine.com/analysis/privacy/new-framework-aims-to-secure-digital-health-apps-not-covered-by-hipaa

Securities and Exchange Commission doubles enforcement team for crypto markets - Investment company malfeasance has played a key role in cinematic and real-world incidents in recent years. Hence, the U.S. Securities and Exchange Commission is eager to reduce negative appearances. https://www.scmagazine.com/analysis/cybercrime/security-and-exchange-commission-doubles-enforcement-team-for-crypto-markets

Apple, Google and Microsoft promise passwordless authentication - In honor of World Password Day, Apple, Google, and Microsoft on Thursday announced plans to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C).
https://www.scmagazine.com/news/identity-and-access/apple-google-and-microsoft-promise-passwordless-authentication
https://www.zdnet.com/article/google-apple-microsoft-make-a-new-commitment-for-a-passwordless-future/

Cisco makes public its Cloud Controls Framework for security requirements - Cisco on Thursday released its Cloud Controls Framework (CCF), a set of comprehensive international and national security compliance and certification requirements combined into one framework. https://www.scmagazine.com/news/cloud-security/cisco-makes-public-its-cloud-controls-framework-for-security-requirements

Please stop giving bad password advice - Another day, another breach, and another round of advice by “security experts” and government spokespeople about how to make passwords safe. Let’s just cut to the chase. There’s no way to make passwords safe. https://www.scmagazine.com/perspective/identity-and-access/please-stop-giving-bad-password-advice%EF%BF%BC

HSCC Creates Operational Continuity Checklist For Navigating Cyberattacks - HSCC’s latest guide provides tips for maintaining operational continuity amid a serious cyberattack. https://healthitsecurity.com/news/hscc-creates-operational-continuity-checklist-for-navigating-cyberattacks

Tech group pushes back against SEC cyber rules, warns of reporting overload - A prominent tech trade group is asking the Securities and Exchange Commission to hold off implementing a slew of new cybersecurity-related regulations, saying it could confuse industry and step on similar efforts by other agencies. https://www.scmagazine.com/analysis/ransomware/tech-group-pushes-back-against-sec-cyber-rules-warns-of-reporting-overload

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Ransomware groups keep healthcare in sights, selling access on the dark web - Data from the Department of Health and Human Services Cybersecurity Program shows the rate of initial access brokers selling access to healthcare networks to ransomware groups and affiliates has remained constant from the end of 2021 through the first half of the year. https://www.scmagazine.com/analysis/ransomware/ransomware-groups-keep-healthcare-in-sights-selling-access-on-the-dark-web

Pro-Ukrainian hackers boast success in disrupting Russian alcohol industry with DDoS attacks - A volunteer hacker group coordinated by Ukraine successfully disrupted aspects of the Russian alcohol industry by targeting the mandatory government sales tracking service, according to several reports in Russian media outlets. https://www.scmagazine.com/analysis/malware/pro-ukrainian-hackers-boast-success-in-disrupting-russian-alcohol-industry-with-ddos-attacks

Another database compromise reported in GitHub, Heroku, OAuth tokens case - In a Thursday update to the stolen GitHub integration OAuth tokens case reported last month, Salesforce owned Heroku said the company’s investigation found that the same compromised token that was used in April’s attack was used to gain access to a database and exfiltrate the hashed and salted passwords of customer user accounts. https://www.scmagazine.com/news/application-security/another-database-compromise-reported-in-github-heroku-oauth-tokens-case

Business email compromise scams netted $43 billion in losses as new variations emerge, FBI says - Long the bane of the financial industry, business email compromise (BEC) is getting worse, as savvy cybercriminals find sly new avenues to make their fraudulent requests appear believable. https://www.scmagazine.com/analysis/email-security/business-email-compromise-scams-netted-43-billion-in-losses-as-new-variations-emerge-fbi-says

US agricultural machinery maker AGCO hit by ransomware attack - AGCO, a leading US-based agricultural machinery producer, has announced it was hit by a ransomware attack impacting some of its production facilities. https://www.bleepingcomputer.com/news/security/us-agricultural-machinery-maker-agco-hit-by-ransomware-attack/

Costa Rica Declares State of Emergency Under Sustained Conti Cyberattacks - Newly elected Costa Rican president Rodrigo Chaves has declared a state of national cybersecurity emergency after weeks of fallout from a Conti ransomware attack that has crippled the country's government and economy. https://www.darkreading.com/attacks-breaches/costa-rica-declares-state-of-emergency-under-sustained-conti-cyberattacks

Still recovering, Oklahoma clinic confirms ransomware attack, data breach - The ongoing network disruption at Oklahoma City Indian Clinic was brought on by a ransomware attack, a newly released notification confirms. OKCIC also informed 38,239 patients that their protected health information was accessed during the incident. https://www.scmagazine.com/analysis/ransomware/still-recovering-oklahoma-clinic-confirms-ransomware-attack-data-breach

WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (9 of 12)

Organize a public relations program.

Whether a bank is a local, national, or global firm, negative publicity about a security compromise is a distinct possibility. To address potential reputation risks associated with a given incident, some banks have organized public relations programs and designated specific points of contact to oversee the program. A well-defined public relations program can provide a specific avenue for open communications with both the media and the institution's customers.

Recovery

Recovering from an incident essentially involves restoring systems to a known good state or returning processes and procedures to a functional state. Some banks have incorporated the following best practices related to the recovery process in their incident response programs (IRPs).

Determine whether configurations or processes should be changed.

If an institution is the subject of a security compromise, the goals in the recovery process are to eliminate the cause of the incident and ensure that the possibility of a repeat event is minimized. A key component of this process is determining whether system configurations or other processes should be changed. In the case of technical compromises, such as a successful network intrusion, the IRP can prompt management to update or modify system configurations to help prevent further incidents. Part of this process may include implementing an effective, ongoing patch management program, which can reduce exposure to identified technical vulnerabilities. In terms of non-technical compromises, the IRP can direct management to review operational procedures or processes and implement changes designed to prevent a repeat incident.

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

ENCRYPTION - HOW ENCRYPTION WORKS

In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encrypted text is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally indicate more possible keys. More important than key length, however, is the potential limitation of possible keys posed by the key selection criteria. For instance, a 128-bit key has much less than 128 bits of entropy if it is selected from only certain letters or numbers. The full 128 bits of entropy will only be realized if the key is randomly selected across the entire 128-bit range.
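The following script illustrates the key-entropy point above. It is an added example written for this page, not code from the FFIEC booklet: the keystream construction is a stand-in for a real block cipher so that the script runs with only the Python standard library, and the four-digit key and the plaintext are constructed inputs. Every key it handles is 16 bytes (128 bits) long; the difference is how many of the 2**128 values were actually possible when the key was chosen.

```python
"""Key entropy versus key length.

A "128-bit key" assembled from a few decimal digits is still 16 bytes long,
but an attacker only has to try 10**digits candidates, not 2**128.
The keystream cipher below is an illustrative stand-in for a real block
cipher (it is NOT a recommended construction); it keeps the example
dependency-free.
"""
import hashlib
import math
import secrets
import string
from itertools import product
from typing import Optional

KEY_BYTES = 16  # every key below is a "128-bit key"


def key_entropy_bits(alphabet_size: int, symbols_chosen: int) -> float:
    """Entropy (in bits) of a key built from symbols_chosen symbols drawn
    uniformly at random from an alphabet of alphabet_size symbols."""
    return symbols_chosen * math.log2(alphabet_size)


def pad_key(symbols: str) -> bytes:
    """Build a 128-bit key from an ASCII string by zero-padding.
    The result is 16 bytes long no matter how few symbols went into it,
    which is exactly the 'key selection criteria' trap in the booklet."""
    raw = symbols.encode("ascii")
    if len(raw) > KEY_BYTES:
        raise ValueError("too many symbols for a 128-bit key")
    return raw.ljust(KEY_BYTES, b"\x00")


def random_key() -> bytes:
    """Full-entropy 128-bit key: all 2**128 values are equally likely."""
    return secrets.token_bytes(KEY_BYTES)


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 'fixed algorithm': XOR data with a keystream derived
    from SHA-256(key || counter). Decryption is the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(c ^ k for c, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def brute_force_digit_key(ciphertext: bytes, known_plaintext: bytes,
                          digits: int) -> Optional[bytes]:
    """Recover a 128-bit key that was built from `digits` decimal digits by
    enumerating all 10**digits candidates against a known plaintext."""
    for combo in product(string.digits, repeat=digits):
        candidate = pad_key("".join(combo))
        if keystream_encrypt(candidate, known_plaintext) == ciphertext:
            return candidate
    return None


if __name__ == "__main__":
    for name, alphabet, n in [("4 decimal digits", 10, 4),
                              ("16 chars of [a-z0-9]", 36, 16),
                              ("16 random bytes", 256, 16)]:
        print(f"{name:>24}: {key_entropy_bits(alphabet, n):6.1f} bits")

    # Constructed scenario: a "128-bit key" that is really a 4-digit PIN.
    weak_key = pad_key("7319")
    plaintext = b"wire transfer approved"          # constructed sample
    ciphertext = keystream_encrypt(weak_key, plaintext)
    recovered = brute_force_digit_key(ciphertext, plaintext, digits=4)
    print("recovered weak key:", recovered == weak_key)
    print("random key length :", len(random_key()), "bytes")
```

The entropy figures are the whole lesson: 4 digits give about 13.3 bits, 16 characters from a 36-symbol alphabet give about 82.7 bits, and only 16 uniformly random bytes give the full 128 bits, even though all three produce a 16-byte key. The brute-force search over the four-digit key finishes in a fraction of a second; the same search against a random key is infeasible.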

  
The encryption algorithm is also important. Creating a mathematical algorithm that does not limit the entropy of the key and testing the algorithm to ensure its integrity are difficult. Since the strength of an algorithm is related to its ability to maximize entropy instead of its secrecy, algorithms are generally made public and subject to peer review. The more that the algorithm is tested by knowledgeable worldwide experts, the more the algorithm can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, SHA-1, and RSA. (DES and SHA-1 are cited here only as examples of publicly reviewed algorithms; NIST has since withdrawn both, and neither should be used in new systems.)


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

Cryptography is a branch of mathematics based on the transformation of data. It provides an important tool for protecting information and is used in many aspects of computer security. For example, cryptography can help provide data confidentiality, integrity, electronic signatures, and advanced user authentication. Although modern cryptography relies upon advanced mathematics, users can reap its benefits without understanding its mathematical underpinnings.

This chapter describes cryptography as a tool for satisfying a wide spectrum of computer security needs and requirements. It describes fundamental aspects of the basic cryptographic technologies and some specific ways cryptography can be applied to improve security. The chapter also explores some of the important issues that should be considered when incorporating cryptography into computer systems.

Cryptography is traditionally associated only with keeping data secret. However, modern cryptography can be used to provide many security services, such as electronic signatures and ensuring that data has not been modified.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.