May 16, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - White House: Colonial should be its own ‘first line of defense’ against attacks - At a press conference listing all the actions taken thus far by the White House to respond to the ransomware attack on the Colonial Pipeline, officials acknowledged that the primary onus on protecting the country from attacks on critical infrastructure remains outside the White House’s hands.
https://www.scmagazine.com/home/security-news/white-house-colonial-should-be-its-own-first-line-of-defense-against-attacks/

Colonial Pipeline attack: What government can do to deter critical infrastructure cybercriminals - The cyberattack on the Colonial Pipeline spurred a clear message from the White House Monday that the onus lies with critical infrastructure owners and operators to secure their own networks.
https://www.scmagazine.com/home/security-news/ransomware/the-colonial-pipeline-attack-what-government-can-do-to-deter-critical-infrastructure-attacks/

SolarWinds hires CISO from within, enabling a quicker security transformation - SolarWinds this week announced that its vice president of security Tim Brown has taken on the additional title of chief information security officer, as part of the company’s ongoing efforts to institute a secure-by-design posture following the devastating supply chain attack on its Orion IT administration software.
https://www.scmagazine.com/home/security-news/solarwinds-hires-ciso-from-within-enabling-a-quicker-security-transformation/
Here’s the breakdown of cybersecurity stats only law firms usually see - A law firm with a massive data and privacy presence compiles data from its clients’ experiences to offer a rare lawyer’s perspective on cyber statistics.
https://www.scmagazine.com/home/security-news/legal-security-news/heres-the-breakdown-of-cybersecurity-stats-only-law-firms-usually-see/
US spy agencies review software suppliers' ties to Russia following SolarWinds hack - U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors, a top Justice Department official said Thursday.
https://www.cyberscoop.com/russia-solarwinds-supply-chain-fbi/

Cybersecurity and Infrastructure Security Agency (CISA) - Malware Analysis Report (AR21-126B) - MAR-10324784-1.v1: FiveHands Ransomware - This report is provided "as is" for informational purposes only.
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b

NIST Seeks Input on HIPAA Security Rule Guidance Update - The National Institute of Standards and Technology is seeking public comment as it plans to update its 2008 guidance for implementing the HIPAA Security Rule, which went into effect about 20 years ago.
https://www.govinfosecurity.com/nist-seeks-input-on-hipaa-security-rule-guidance-update-a-16519
Small and medium businesses need their own federal cyber policy, say advocates - Small to medium-sized businesses have drastically different cybersecurity preparedness, capacity and overall posture than their king-sized brethren.
https://www.scmagazine.com/home/government/small-and-medium-businesses-need-their-own-federal-cyber-policy-say-advocates/
AXA pledges to stop reimbursing ransom payments for French ransomware victims - One of Europe’s biggest insurers is now suspending policies in France that reimburse victims for ransomware payments. Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cybercriminals.
https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

Russian cyber-spies changed tactics after the UK and US outed their techniques - so here's a list of those changes - Plus: NCSC warns of how hostile powers may exploit smart city infrastructure.
https://www.theregister.com/2021/05/07/ncsc_russia_vulns_smart_cities_china_warning/
Biden signs massive cyber order, using federal buying power to influence broader private sector practices - Microsoft Exchange hacking and the Colonial Pipeline shutdown, the Biden administration has been beset with wall-to-wall cybersecurity crises. Today, President Joe Biden signed an executive order to fight back.
https://www.scmagazine.com/home/government/biden-signs-massive-order-on-cybersecurity/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - AWS configuration issues lead to exposure of 5 million records - Researchers reported on Tuesday that Amazon Web Services System Manager (SSM) misconfigurations led to the potential exposure of more than 5 million documents with personally identifiable information and credit card transactions on more than 3,000 SSM documents.
https://www.scmagazine.com/home/security-news/cloud-security/aws-configuration-issues-lead-to-exposure-of-5-million-records/
Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software - Security researchers have provided insight into how a single student unwittingly became the conduit for a ransomware infection that cost a biomolecular institute a week's worth of vital research.
https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/
Massive DDoS Attack Disrupts Belgium Parliament - A large-scale incident earlier this week against Belnet and other ISPs has sent a wave of internet disruption across numerous Belgian government, scientific and educational institutions.
https://threatpost.com/ddos-disrupts-belgium/165911/

Ransomware attack on healthcare admin company CaptureRx exposes multiple providers across United States - Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care and Thrifty Drug Stores are just a few of the victims.
https://www.zdnet.com/article/ransomware-attack-on-healthcare-admin-company-capturerx-exposes-multiple-providers-across-united-states/
Tulsa Deals With Aftermath of Ransomware Attack - Weekend attack shuts down several city sites and services. The City of Tulsa is dealing with several system and service outages after being hit by a ransomware attack over the weekend.
https://www.darkreading.com/attacks-breaches/tulsa-deals-with-aftermath-of-ransomware-attack/d/d-id/1340967
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Performing the Risk Assessment and Determining Vulnerabilities

Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Banks still should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.

When institutions contract with third-party providers for information system services, they should have a sound oversight program. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider's system.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

KEY STEPS

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

INFORMATION GATHERING

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:

1) Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.

2) Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).

3) Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).

4) Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5) Documenting current controls and security processes, including both information technology and physical security.

6) Identifying security requirements and considerations (e.g., GLBA).

7) Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

14.5.3 Integrity Verification

When electronically stored information is read into a computer system, it may be necessary to determine whether it has been read correctly or subject to any modification. The integrity of electronic information can be verified using error detection and correction or, if intentional modifications are a threat, cryptographic-based technologies.
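The distinction the handbook draws between error detection and cryptographic integrity checking is easy to see in code. The following is an added illustration, not text or code from the NIST Handbook: it checks a constructed record first with a CRC-32 (an error-detection code with no secret) and then with an HMAC-SHA256 tag keyed with a constructed key. The record contents, the key, and all function names are assumptions made for the example. A flipped bit from a bad media read is caught by both; a deliberate change by someone who can also rewrite the checksum is caught only by the keyed tag, which is why the handbook reserves cryptographic methods for the case where intentional modification is a threat.

```python
import binascii
import hashlib
import hmac

# Constructed sample record, standing in for data read back from storage media.
RECORD = b"acct=123456;balance=1000.00;status=active"
# Constructed key (hypothetical); a real key is kept apart from the media it protects.
KEY = b"illustrative-integrity-key"


def crc_tag(data: bytes) -> int:
    """Error-detection code: CRC-32 over the data, no secret involved."""
    return binascii.crc32(data)


def verify_crc(data: bytes, stored_crc: int) -> bool:
    """True when the data still matches the CRC stored alongside it."""
    return crc_tag(data) == stored_crc


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Cryptographic integrity tag: HMAC-SHA256 keyed with a secret."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, stored_tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(hmac_tag(key, data), stored_tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate accidental media corruption by flipping a single bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def accidental_corruption() -> tuple:
    """Bad read from the media: returns (crc_detected, hmac_detected)."""
    stored_crc = crc_tag(RECORD)
    stored_tag = hmac_tag(KEY, RECORD)
    damaged = flip_bit(RECORD, 37)
    return (not verify_crc(damaged, stored_crc),
            not verify_hmac(KEY, damaged, stored_tag))


def intentional_modification() -> tuple:
    """Deliberate change by someone with write access to the media.

    A CRC has no secret, so the modifier can simply recompute it and the
    stored checksum matches the altered data.  The HMAC tag cannot be
    recomputed without KEY, so the original tag remains on the media and
    no longer matches.  Returns (crc_detected, hmac_detected).
    """
    stored_tag = hmac_tag(KEY, RECORD)
    altered = RECORD.replace(b"balance=1000.00", b"balance=9000.00")
    stored_crc = crc_tag(altered)   # refreshed by the modifier along with the data
    return (not verify_crc(altered, stored_crc),
            not verify_hmac(KEY, altered, stored_tag))


if __name__ == "__main__":
    print("accidental corruption    detected (crc, hmac):", accidental_corruption())
    print("intentional modification detected (crc, hmac):", intentional_modification())
```

The CRC is still the right tool for the first case: it is cheap, and a CRC-32 is guaranteed to catch any single-bit error, whereas the HMAC gives only a probabilistic guarantee (an overwhelming one). What the CRC cannot do is distinguish an honest read from a rewrite, because anyone who can write the data can write a matching checksum; the keyed tag ties the check to possession of the key.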
14.5.4 Physical Access Protection

Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls, which can limit these problems, include locked doors, desks, file cabinets, or safes.

If the media requires protection at all times, it may be necessary to actually output data to the media in a secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer in a common area).

Physical protection of media should be extended to backup copies stored offsite. They generally should be accorded an equivalent level of protection to media containing the same information stored onsite. (Equivalent protection does not mean that the security measures need to be exactly the same. The controls at the off-site location are quite likely to be different from the controls at the regular site.)

14.5.5 Environmental Protection

Magnetic media, such as diskettes or magnetic tape, require environmental protection, since they are sensitive to temperature, liquids, magnetism, smoke, and dust. Other media (e.g., paper and optical storage) may have different sensitivities to environmental factors.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.