May 30, 2021
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days - Being slow to patch just means you'll get pwned faster - Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server.
https://www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/
Massachusetts bets on cyber to boost economic recovery, add jobs -
For the Commonwealth of Massachusetts, an ongoing investment in
cybersecurity is also an investment in economic recovery.
https://www.scmagazine.com/home/2021-rsa-conference/massachusetts-bets-on-cyber-to-boost-economic-recovery-add-jobs/
Embracing mainframe pen tests in the new normal - Until recently,
mainframe penetration testing was performed onsite for no other
reason than “it’s a mainframe.” Yet the majority of non-mainframe
pen tests have always been carried out remotely.
https://www.scmagazine.com/perspectives/embracing-mainframe-pen-tests-in-the-new-normal/
79% of observed Microsoft Exchange Server exposures occurred in the
cloud - Researchers this week reported that when studying vulnerable
Microsoft Exchange servers, some 79% of observed exposures took
place in the cloud.
https://www.scmagazine.com/home/security-news/cloud-security/79-of-observed-microsoft-exchange-server-exposures-occurred-in-the-cloud/
As market for cyber insurance booms, watchdog calls for better data
- A federal watchdog agency found that while the cybersecurity
insurance market boomed in recent years, rising premiums and
struggles by some insurers to quantify the costs and losses that
stem from cyber incidents remain some of the biggest obstacles to
further adoption.
https://www.scmagazine.com/home/security-news/data-breach/as-market-for-cyber-insurance-booms-watchdog-calls-for-better-data/
Goodbye Internet Explorer - and Good Riddance - Microsoft will
finally put the venerated, vulnerability-ridden browser out to
pasture, but it's still got a year to cause some trouble.
https://www.wired.com/story/internet-explorer-browser-dead/
Average losses from compromised cloud accounts is more than $500,000
a year - Average total annual financial loss for companies from
compromised cloud accounts is more than $500,000, according to new
research.
https://www.scmagazine.com/home/security-news/cloud-security/average-losses-from-compromised-cloud-accounts-is-more-than-500000-a-year/
DHS issues cyber order to pipeline operators in first move to
regulate critical infrastructure sectors - The Transportation
Security Administration, the Department of Homeland Security agency
tasked with overseeing the security of oil and natural gas
pipelines, put in place new pipeline cybersecurity requirements
Wednesday morning.
https://www.scmagazine.com/home/government/dhs-issues-cybersecurity-order-to-pipeline-operators/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - CNA Financial Paid $40 Million in
Ransom After March Cyberattack - CNA Financial Corp., among the
largest insurance companies in the U.S., paid $40 million in late
March to regain control of its network after a ransomware attack,
according to people with knowledge of the attack.
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
New Zealand hospitals infected by ransomware, cancel some surgeries
- Intrusion believed to have entered through email - New Zealand's
Waikato District Health Board (DHB) has been hit with a strain of
ransomware that took down most IT services Tuesday morning and
drastically reduced services at six of its affiliate hospitals.
https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/
Irish officials warn of ongoing disruptions to health system, long
recovery following ransomware incident - Dublin's Rotunda Hospital,
a maternity hospital, has told pregnant women not to come to
appointments unless they are near their due date or it is an
emergency, after a ransomware incident disrupted IT systems.
https://www.cyberscoop.com/ireland-ransomware-health-conti-recovery/
Irish officials warn of ongoing disruptions to health system, long
recovery following ransomware incident - Irish officials say it will
take “many weeks” to fully restore the IT infrastructure of the
country’s $25 billion public health system following a ransomware
attack last week.
https://www.cyberscoop.com/ireland-ransomware-health-conti-recovery/
Student health insurance carrier Guard.me suffers a data breach -
Student health insurance carrier guard.me has taken their website
offline after a vulnerability allowed a threat actor to access
policyholders' personal information.
https://www.bleepingcomputer.com/news/security/student-health-insurance-carrier-guardme-suffers-a-data-breach/
FBI identifies 16 Conti ransomware attacks on US health care and
first responder networks - The FBI reported that the Conti group
that recently hit the Irish health system was responsible for at
least 16 ransomware attacks during the past year that targeted U.S.
health care and first responder networks, including law enforcement
agencies, emergency medical services, 911 dispatch centers, and
municipalities.
https://www.scmagazine.com/home/security-news/fbi-identifies-16-conti-ransomware-attacks-on-us-health-care-and-first-responder-networks/
Air India discloses data of 4.5m passengers were stolen in SITA
cyber attack - Air India passenger data, across a 10-year period,
was stolen in the February cyber attack suffered by SITA.
https://www.zdnet.com/article/air-india-discloses-data-of-4-5m-passengers-were-stolen-in-sita-cyber-attack/
Doncaster insurance firm One Call hit by not-dead-at-all Darkside
ransomware gang - A Doncaster insurance company has been hit by
ransomware from the Darkside crew – whose "press release" declaring
it was shutting down its operations last week was taken at face
value by some pundits.
https://www.theregister.com/2021/05/21/darkside_ransomware_doncaster/
Toyota rear-ended by twin cyber attacks that left ransomware-shaped
dents - Oh what a feeling, and in the same week as automaker
announced new production pauses - Toyota has admitted to a pair of
cyber-attacks.
https://www.theregister.com/2021/05/21/toyota_cyber_attacks/
E-commerce giant suffers major data breach in Codecov incident -
E-commerce platform Mercari has disclosed a major data breach
incident that occurred due to exposure from the Codecov supply-chain
attack.
https://www.bleepingcomputer.com/news/security/e-commerce-giant-suffers-major-data-breach-in-codecov-incident/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors
or competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
security threat.
Many break-ins or insider misuses of information occur due to
poor security programs. Hackers often exploit well-known weaknesses
and security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
information.
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
transactions.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability
of the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
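The booklet's points above (risk as a function of probability and impact, qualitative probability levels when hard data is missing, extending a scenario by varying attacker knowledge or motivation, and aggregating scenarios by high-value system component) can be made concrete as a small risk-ranking script. The following is an added example, not part of the booklet or this newsletter; the scoring scale, the level thresholds, the component names and every scenario are constructed for illustration, and an institution would substitute its own.

```python
"""Qualitative risk ranking for threat scenarios (added example).

Models the FFIEC booklet's description: risk = f(probability, impact),
with probability given as a qualitative level (frequent, occasional,
remote, improbable) when reliable data is unavailable. Scenarios can be
extended by asking what more an attacker with different knowledge or
motivation could do, and aggregated by high-value system component.
The numeric scales, thresholds and sample scenarios are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed ordinal scales for the booklet's qualitative levels.
PROBABILITY = {"frequent": 4, "occasional": 3, "remote": 2, "improbable": 1}
IMPACT = {"critical": 4, "high": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Scenario:
    name: str
    component: str    # high-value system component the scenario targets
    vector: str       # "logical", "physical", "social", or a combination
    probability: str  # key of PROBABILITY
    impact: str       # key of IMPACT


def risk_score(s: Scenario) -> int:
    """Risk as a function of probability and impact (constructed: product)."""
    return PROBABILITY[s.probability] * IMPACT[s.impact]


def risk_level(score: int) -> str:
    """Map a score onto a reporting band (constructed thresholds)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def extend_scenario(base: Scenario, variants) -> list:
    """Booklet technique 1: from one specific scenario, derive further
    scenarios in which the attacker has different knowledge or motivation.
    `variants` holds (suffix, probability, impact) tuples."""
    return [
        replace(base, name=f"{base.name} / {suffix}", probability=p, impact=i)
        for suffix, p, i in variants
    ]


def aggregate_by_component(scenarios) -> dict:
    """Booklet technique 2: aggregate scenarios by high-value component,
    keeping the worst score seen and the number of contributing scenarios."""
    agg = defaultdict(lambda: {"max_score": 0, "scenarios": 0})
    for s in scenarios:
        entry = agg[s.component]
        entry["max_score"] = max(entry["max_score"], risk_score(s))
        entry["scenarios"] += 1
    return dict(agg)


def rank(scenarios) -> list:
    """Scenarios ordered from highest to lowest risk."""
    return sorted(scenarios, key=risk_score, reverse=True)


# Constructed sample scenarios for a hypothetical institution.
BASE = Scenario("phished teller credentials", "core banking", "social",
                "occasional", "moderate")
SCENARIOS = [
    BASE,
    *extend_scenario(BASE, [
        ("attacker knows the wire-transfer workflow", "remote", "critical"),
        ("insider already holding admin rights", "remote", "critical"),
    ]),
    Scenario("unpatched internet-facing mail server", "email", "logical",
             "frequent", "high"),
    Scenario("tailgating into the server room", "core banking", "physical",
             "remote", "high"),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        score = risk_score(s)
        print(f"{risk_level(score):6} {score:2}  {s.vector:8} {s.name}")
    for component, summary in aggregate_by_component(SCENARIOS).items():
        print(component, summary)
```

The product of two ordinal scales is a common convention rather than anything the booklet prescribes; what matters for an exam-ready risk assessment is that the scale, the thresholds and the rationale for each qualitative probability are written down and applied consistently.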
Frequently, TSPs perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
OPERATIONS
14.5.6 Transmittal
Media control may be transferred both within the organization and
to outside elements. Possibilities for securing such transmittal
include sealed and marked envelopes, authorized messenger or
courier, or U.S. certified or registered mail.
14.5.7 Disposition
When media is disposed of, it may be important to ensure that
information is not improperly disclosed. This applies both to media
that is external to a computer system (such as a diskette) and to
media inside a computer system, such as a hard disk. The process of
removing information from media is called sanitization.
Three techniques are commonly used for media sanitization:
overwriting, degaussing, and destruction. Overwriting is an
effective method for clearing data from magnetic media. As the name
implies, overwriting uses a program to write (1s, 0s, or a
combination) onto the media. Common practice is to overwrite the
media three times. Overwriting should not be confused with merely
deleting the pointer to a file (which typically happens when a
delete command is used). Overwriting requires that the media be in
working order. Degaussing is a method to magnetically erase data
from magnetic media. Two types of degausser exist: strong permanent
magnets and electric degaussers. The final method of sanitization is
destruction of the media by shredding or burning.
Many people throw away old diskettes, believing that erasing the
files on the diskette has made the data un-retrievable. In reality,
however, erasing a file simply removes the pointer to that file. The
pointer tells the computer where the file is physically stored.
Without this pointer, the files will not appear on a directory
listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve information that is
presumed deleted.
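The handbook's distinction between deleting a file (removing its pointer) and overwriting it can be seen in a toy model of a volume. The script below is an added example and not from the NIST Handbook or this newsletter: it keeps a raw byte array as the "media" and a directory of (offset, length) pointers, shows that an ordinary delete leaves the bytes recoverable by a raw scan, and then performs the three-pass overwrite the handbook describes, verifying each pass by reading it back. The sector size, the pass patterns and the sample account record are all constructed.

```python
"""Delete versus overwrite on a toy disk (added example).

Illustrates the NIST Handbook's point that deleting a file only removes the
pointer to it, while overwriting writes 1s, 0s or a pattern over the
media itself. The volume, sector size and sample data are constructed.
"""
import math

SECTOR = 16  # bytes per sector in the toy model (constructed value)


class ToyDisk:
    """A volume: raw media bytes plus a directory of (offset, length) pointers."""

    def __init__(self, sectors: int = 8):
        self.media = bytearray(sectors * SECTOR)
        self.directory = {}      # file name -> (offset, length)
        self._next_sector = 0

    def write(self, name: str, data: bytes) -> int:
        """Store data in whole sectors and record a directory pointer."""
        needed = math.ceil(len(data) / SECTOR)
        if (self._next_sector + needed) * SECTOR > len(self.media):
            raise OSError("no space left on toy disk")
        offset = self._next_sector * SECTOR
        self.media[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self._next_sector += needed
        return offset

    def list_files(self) -> list:
        """What a directory listing shows: names with pointers only."""
        return sorted(self.directory)

    def delete(self, name: str) -> None:
        """Ordinary delete: drops the pointer and leaves every byte in place."""
        del self.directory[name]

    def raw_scan(self, needle: bytes) -> bool:
        """What a recovery utility does: search the media, ignoring the directory."""
        return self.media.find(needle) != -1

    def sanitize(self, name: str, patterns=(b"\x00", b"\xff", b"\xaa")) -> int:
        """Overwrite the file's sectors once per pattern (three passes by
        default, covering slack space in the last sector), read each pass
        back to verify it, then drop the pointer. Returns the pass count."""
        offset, length = self.directory[name]
        span = math.ceil(length / SECTOR) * SECTOR
        for pattern in patterns:
            fill = pattern * span
            self.media[offset:offset + span] = fill
            # Overwriting requires media in working order; a mismatch here
            # means the pass did not land and the medium needs destruction.
            if bytes(self.media[offset:offset + span]) != fill:
                raise RuntimeError("overwrite verification failed")
        del self.directory[name]
        return len(patterns)


def demo() -> tuple:
    """Returns (data survives delete, data gone after sanitize)."""
    secret = b"ACCT 1234-5678 balance 42"   # constructed sample record
    plain = ToyDisk()
    plain.write("acct.txt", secret)
    plain.delete("acct.txt")
    survives_delete = plain.raw_scan(b"1234-5678")

    clean = ToyDisk()
    clean.write("acct.txt", secret)
    clean.sanitize("acct.txt")
    gone_after_overwrite = not clean.raw_scan(b"1234-5678")
    return survives_delete, gone_after_overwrite


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Real file systems add complications the toy omits (journals, copy-on-write, wear levelling on flash, remapped bad sectors), which is why the handbook lists degaussing and physical destruction alongside overwriting, and why an institution's disposal procedure should state which method applies to which media type.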
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.