June 6, 2021
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Is the attack on Fujitsu’s
ProjectWEB SaaS platform the next SolarWinds? - While still early,
some researchers view the reported hacking into Fujitsu’s ProjectWEB
software-as-a-service (SaaS) platform as a nation-state attack with
similarities to the SolarWinds hack that infiltrated government
agencies.
https://www.scmagazine.com/home/security-news/data-breach/is-the-attack-on-fujitsus-projectweb-saas-platform-the-next-big-supply-chain-attack/
Federal Agencies Struggling With Supply Chain Security - After
SolarWinds Attack, Agencies Are Not Making Security Upgrades, GAO
Reports - More than five months after the SolarWinds supply chain
attack came to light, federal agencies continue to struggle with
supply chain security, according to a Government Accountability
Office official who testified at a congressional hearing Tuesday.
https://www.govinfosecurity.com/federal-agencies-struggling-supply-chain-security-a-16746
GAO-21-466PR, May 24 - This report outlines 1 priority open
recommendation for the Federal Deposit Insurance Corporation, as of
April 2021. FDIC should work with other banking regulators to
communicate appropriate uses of alternative data in credit
underwriting.
https://www.gao.gov/products/gao-21-466pr
Three takeaways from the
Colonial Pipeline attack - Three weeks ago, the shutdown of
operations of Colonial Pipeline captured the attention of the
security community, government and consumers that suddenly couldn’t
fill their gas tanks. Interestingly, interpretation of the incident
– and the significance of the incident – varied.
https://www.scmagazine.com/home/security-news/ransomware/myths-versus-reality-three-takeaways-from-the-colonial-pipeline-attack/
Have I Been Pwned teams with FBI, gives open-source access to code -
The breach aggregator Have I Been Pwned, one of the most popular
tools to test the real-world strength of passwords, made two
significant announcements on Friday: A collaboration with the FBI to
obtain new, hacked passwords, and contributing some of its code-base
to the open-source community.
https://www.scmagazine.com/password-management/have-i-been-pwned-teams-with-fbi-gives-open-source-access-to-code/
Army wants teleworkers to switch off smart IoT devices - The days of
reminders of packages on the porch from a smartwatch or Netflix
running as white noise from a smart TV in the background have come
to an end -- at least for Army personnel working remotely.
https://fcw.com/articles/2021/05/27/army-iot-crackdown-telework.aspx
SolarWinds lawsuit claims private equity owners ‘sacrificed
cybersecurity to boost short-term profits’ - A class action lawsuit
brought by SolarWinds shareholders following last year’s supply
chain compromise of the company’s Orion management software added
two new defendants: the private equity firms who owned the company
and sold hundreds of millions of dollars in stock just days before
the hack was publicly disclosed.
https://www.scmagazine.com/home/solarwinds-hack/solarwinds-lawsuit-claims-private-equity-owners-sacrificed-cybersecurity-to-boost-short-term-profits/
House bill would require federal contractors to put in place
vulnerability disclosure programs - Rep. Ted Lieu, D-Calif., will
announce Tuesday a bill that would require all federal contractors
to have a vulnerability disclosure program.
https://www.scmagazine.com/home/government/bill-would-require-contractors-to-have-vulnerability-disclosure-programs/
Only 17% of organizations encrypt at least half of their sensitive
cloud data - New research by Thales on security trends one year into
the pandemic found that about 50% of businesses say that they store
more than 40% of their data in external cloud environments, but only
17% have encrypted at least half of their sensitive data in the
cloud.
https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Various Japanese government
entities had data stolen in cyber attack - Japanese government data
stored in Fujitsu software has reportedly been accessed and stolen
by hackers. Data from various Japanese government entities has
reportedly been stolen by hackers that gained access to Fujitsu's
ProjectWEB platform.
https://www.zdnet.com/article/various-japanese-government-entities-had-data-stolen-in-cyber-attack-report/
Global meat processor JBS shuts part of operation to blunt
cyberattack fallout - The North American and Australian IT systems
of JBS, the largest meat processing company in the world, were the
target of “an organized cybersecurity attack,” the company said in a
statement Monday, confirming that its customers and supply chain
could be impacted.
https://www.scmagazine.com/home/security-news/data-breach/jbs-hit-by-cyberattack-warns-suppliers-and-customers-of-potential-impact/
US nuclear weapon bunker security secrets spill from online
flashcards since 2013 - Details of some US nuclear missile bunkers
in Europe, which contain live warheads, along with secret codewords
used by guards to signal that they’re being threatened by enemies,
were exposed for nearly a decade through online flashcards used for
education, but which were left publicly available.
https://www.theregister.com/2021/05/28/flashcards_military_nuclear/
Swedish Health Agency shuts down SmiNet after hacking attempts - The
Swedish Public Health Agency (Folkhälsomyndigheten) has shut down
SmiNet, the country's infectious diseases database, on Thursday
after it was targeted in several hacking attempts.
https://www.bleepingcomputer.com/news/security/swedish-health-agency-shuts-down-sminet-after-hacking-attempts/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Hackers may use "social engineering," a scheme that uses social techniques to obtain the technical information required to access a system. A hacker may claim to be someone authorized to access the system, such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even to set up new computer accounts. Another threat involves the practice of "war-dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Legitimate users of the system being attacked are then not able to connect until the open connections are closed or time out.
Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.
Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.
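The SYN flood described above shows up on the victim as a pile of half-open connections. The following monitor is an added example (not part of the FDIC paper): it scans constructed, netstat-style connection-table lines and raises an alert when the SYN_RECV count for one local socket exceeds an assumed backlog size; the line format and threshold values are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of a netstat-style connection table, one connection
# per line: "proto local_address remote_address state".
SAMPLE_TABLE = """\
tcp 10.1.1.5:443 203.0.113.9:51000 SYN_RECV
tcp 10.1.1.5:443 203.0.113.9:51001 SYN_RECV
tcp 10.1.1.5:443 203.0.113.9:51002 SYN_RECV
tcp 10.1.1.5:443 203.0.113.9:51003 SYN_RECV
tcp 10.1.1.5:443 203.0.113.9:51004 SYN_RECV
tcp 10.1.1.5:443 198.51.100.7:40210 SYN_RECV
tcp 10.1.1.5:443 192.0.2.44:33012 ESTABLISHED
tcp 10.1.1.5:22 192.0.2.10:50100 SYN_RECV
tcp 10.1.1.5:22 192.0.2.11:50101 SYN_RECV
"""

def parse_connections(text):
    """Yield (proto, local, source_ip, state); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        yield proto, local, remote.rsplit(":", 1)[0], state

def detect_syn_flood(text, backlog=4, single_source_share=0.8):
    """One alert per local socket whose half-open (SYN_RECV) count exceeds
    `backlog` (assumed to mirror the listener's accept-queue size). Flood
    sources are often spoofed, so the per-socket total is the primary signal;
    top_share only tells the analyst whether a single source dominates."""
    half_open = defaultdict(Counter)  # local socket -> Counter(source ip)
    for proto, local, src_ip, state in parse_connections(text):
        if proto == "tcp" and state == "SYN_RECV":
            half_open[local][src_ip] += 1
    alerts = []
    for local, sources in half_open.items():
        total = sum(sources.values())
        if total <= backlog:
            continue
        top_ip, top_n = sources.most_common(1)[0]
        alerts.append({
            "local": local,
            "half_open": total,
            "top_source": top_ip,
            "top_share": round(top_n / total, 2),
            "single_source": top_n / total >= single_source_share,
        })
    return alerts
```

On the sample table only the 443 listener is flagged (six half-open connections, five from one source); the two SYN_RECV entries on port 22 stay under the backlog and are ignored.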
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities)
presented by various scenarios produced in the analysis phase to
prioritize management's response. Management may decide that since
some risks do not meet the threshold set in their security
requirement, they will accept those risks and not proceed with a
mitigation strategy. Other risks may require immediate corrective
action. Still others may require mitigation, either fully or
partially, over time. Risks that warrant action are addressed in the
information security strategy.
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
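A worked version of the ranking decision described in this phase, added here as an example and not taken from the FFIEC booklet: each scenario from the analysis phase is scored as outcome times probability, compared with the threshold from the security requirement, assigned the response the text names, and flagged for board review when planned controls cannot bring residual risk under the threshold. The 1-5 rating scales, the cut-off values and the scenarios themselves are constructed assumptions.

```python
# Constructed scenarios from a hypothetical analysis phase. "outcome" and
# "probability" are 1-5 ratings (assumed scales); "planned" holds the same
# two ratings as management expects them after the planned controls.
SCENARIOS = [
    {"name": "phishing of online-banking credentials", "outcome": 4,
     "probability": 4, "planned": {"outcome": 4, "probability": 2}},
    {"name": "SYN flood against online banking", "outcome": 4,
     "probability": 3, "planned": {"outcome": 4, "probability": 1}},
    {"name": "war-dialing finds an unfirewalled modem", "outcome": 3,
     "probability": 2, "planned": {"outcome": 3, "probability": 1}},
    {"name": "loss of an encrypted backup tape", "outcome": 2,
     "probability": 2},
]

def risk_score(rating):
    """Rank risk as outcome x probability, the two factors the phase weighs."""
    return rating["outcome"] * rating["probability"]

def prioritize(scenarios, threshold=6, immediate=15):
    """Rank scenarios and assign the response described in the booklet:
    below the security-requirement threshold -> accept; at or above the
    `immediate` cut-off -> immediate corrective action; otherwise mitigate
    over time. When planned controls leave residual risk at or above the
    threshold, the item is flagged for board (or committee) review."""
    ranked = sorted(scenarios, key=risk_score, reverse=True)
    decisions = []
    for s in ranked:
        inherent = risk_score(s)
        # A scenario with no planned control keeps its inherent risk.
        residual = risk_score(s["planned"]) if "planned" in s else inherent
        if inherent < threshold:
            response = "accept"
        elif inherent >= immediate:
            response = "immediate corrective action"
        else:
            response = "mitigate over time"
        decisions.append({
            "name": s["name"],
            "inherent": inherent,
            "residual": residual,
            "response": response,
            "board_review": response != "accept" and residual >= threshold,
        })
    return decisions
```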
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 14 -
SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.8 Interdependencies
There are support and operations components in most of the controls
discussed in this handbook.
Personnel. Most support and operations staff have special
access to the system. Some organizations conduct background checks
on individuals filling these positions to screen out possibly
untrustworthy individuals.
Incident Handling. Support and operations may include an
organization's incident handling staff. Even if they are separate
organizations, they need to work together to recognize and respond
to incidents.
Contingency Planning. Support and operations normally
provides technical input to contingency planning and carries out the
activities of making backups, updating documentation, and practicing
responding to contingencies.
Security Awareness, Training, and Education. Support and
operations staff should be trained in security procedures and should
be aware of the importance of security. In addition, they provide
technical expertise needed to teach users how to secure their
systems.
Physical and Environmental. Support and operations staff
often controls the immediate physical area around the computer
system.
Technical Controls. The technical controls are installed,
maintained, and used by support and operations staff. They create
the user accounts, add users to access control lists, review audit
logs for unusual activity, control bulk encryption over
telecommunications links, and perform the countless operational
tasks needed to use technical controls effectively. In addition,
support and operations staff provides needed input to the selection
of controls based on their knowledge of system capabilities and
operational constraints.
Assurance. Support and operations staff ensures that changes
to a system do not introduce security vulnerabilities by using
assurance methods to evaluate or test the changes and their effect
on the system. Operational assurance is normally performed by
support and operations staff.
14.9 Cost Considerations
The cost of ensuring adequate security in day-to-day support and
operations is largely dependent upon the size and characteristics of
the operating environment and the nature of the processing being
performed. If sufficient support personnel are already available, it
is important that they be trained in the security aspects of their
assigned jobs; it is usually not necessary to hire additional
support and operations security specialists. Training, both initial
and ongoing, is a cost of successfully incorporating security
measures into support and operations activities.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.