MISCELLANEOUS CYBERSECURITY NEWS:
Researchers tell owners to “assume compromise” of unpatched Zyxel
firewalls - Firewalls made by Zyxel are being wrangled into a
destructive botnet, which is taking control of them by exploiting a
recently patched vulnerability with a severity rating of 9.8 out of
a possible 10.
https://arstechnica.com/information-technology/2023/05/researchers-tell-owners-to-assume-compromise-of-unpatched-zyxel-firewalls/
Amazon to pay $30.8M for Alexa and Ring privacy violations - Amazon
will pay $30.8 million and implement new privacy and security
programs to settle dual privacy breach claims made against its Alexa
and Ring services.
https://www.scmagazine.com/news/privacy/amazon-30-8m-alexa-ring-privacy-violations
https://www.govinfosecurity.com/ring-settles-ftc-allegations-poor-cybersecurity-privacy-a-22202
Data leaks top SaaS security incidents, IT pros say - Over 55% of
security executives said they experienced a security incident in
their software-as-a-service (SaaS) environment over the last two
years, a 12% increase from the previous year, according to a Cloud
Security Alliance survey.
https://www.scmagazine.com/news/cloud-security/data-leaks-saas-security
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Toyota finds more misconfigured servers leaking customer info -
Toyota Motor Corporation has discovered two additional misconfigured
cloud services that leaked car owners' personal information for over
seven years.
https://www.bleepingcomputer.com/news/security/toyota-finds-more-misconfigured-servers-leaking-customer-info/
Criminals spent 10 days in US dental insurer's systems extracting
data of 9 million - The criminals who hit one of the biggest
government-backed dental care and insurance providers in the US
earlier this year hung about for 10 days while they extracted info
on nearly 9 million people, including kids from poverty-stricken
homes.
https://www.theregister.com/2023/05/31/mcna_breach/
Idaho Falls Community Hospital Managing IT Issue - Idaho Falls
Community Hospital and our partner clinics recently identified a
cybersecurity incident on our IT systems.
https://www.idahofallscommunityhospital.com/blog/posts/2023/may/idaho-falls-community-hospital-managing-it-issue/
Enzo Biochem Hit by Ransomware, 2.5 Million Patients' Data
Compromised - Enzo Biochem, a biotechnology company renowned for
producing and distributing DNA-based tests designed to identify
viral and bacterial diseases, has recently confirmed in a filing
with the Securities and Exchange Commission (SEC) that it fell
victim to a ransomware attack.
https://www.infosecurity-magazine.com/news/enzo-biochem-hit-ransomware/
KeePass v2.54 fixes bug that leaked cleartext master password -
KeePass has released version 2.54, fixing the CVE-2023-32784
vulnerability that allows the extraction of the cleartext master
password from the application's memory.
https://www.bleepingcomputer.com/news/security/keepass-v254-fixes-bug-that-leaked-cleartext-master-password/
MOVEit victims emerge: British Airways, BBC and Nova Scotia - The
first of what is expected to become a long list of organizations
have confirmed they had data stolen through an attack on MOVEit file
transfer solutions, attributed to advanced persistent threat group
Lace Tempest.
https://www.scmagazine.com/news/malware/moveit-victims-british-airways-bbc-nova-scotia
Systems hack enables data theft, access for 8.9M MCNA Dental
patients - The health information tied to 8.9 million patients
enrolled in Florida Healthy Kids Corporation (FHKC) and the Florida
Agency for Health Care Administration's Medicaid insurance programs
was stolen after a systems hack on MCNA, their dental benefits and
services provider.
https://www.scmagazine.com/news/ransomware/systems-hack-data-theft-8-9m-mcna-dental-patients
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed but is similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an example of
a consumer's authorization that is not in the form of a signed
writing but is instead "similarly authenticated" is a consumer's
authorization via a home banking system. To satisfy the regulatory
requirements, the institution must have some means to identify the
consumer (such as a security code) and must make a paper copy of the
authorization available (automatically or upon request). The text of
the electronic authorization must be displayed on a computer screen
or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer, not, for example, a third-party merchant acting on
behalf of the consumer.
Under the regulation, how quickly a consumer reports an unauthorized
transaction or the loss or theft of an access device determines the
consumer's liability. A financial institution may receive such a
report through an electronic medium (for example, a secure message
from the home banking system). The institution should therefore
ensure that controls are in place to review these notifications
promptly, to record when each was received, and to initiate an
investigation as required.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with
the Internet."
SECURITY MEASURES
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. In a symmetric key system (also called a secret key
system, or in older texts a private key system), all parties share
the same key. That key is used both to encrypt and to decrypt
messages, and it must be kept secret or the security is lost. For
the parties to share a key, there has to be a way to distribute it
securely to each of them. While this can be done, the controls
needed to do so make a purely symmetric system impractical for
widespread commercial use on an open network like the Internet.
Asymmetric key systems solve this distribution problem.
In an asymmetric key system (also known as a public key system),
two keys are used. One key is kept secret and is therefore referred
to as the "private key." The other is made widely available to
anyone who wants it and is referred to as the "public key." The two
keys are mathematically related: information encrypted with the
public key can be decrypted only with the corresponding private key,
and a message signed with the private key can be verified only with
the corresponding public key. Because a private key is typically
specific to one party or computer system, a message whose signature
verifies under a given public key authenticates the sender as the
holder of the matching private key, and anyone holding the public
key can perform that check. Importantly, deriving the private key
from the public key is computationally infeasible for a properly
chosen algorithm and key size; it is not mathematically impossible,
which is why recommended key sizes grow as computing power grows.
The keys can be stored either on a computer or on a physically
separate medium such as a smart card.
Regardless of the key system used, physical and logical controls
must exist to protect the confidentiality of, and access to, the
key(s). In addition, the key itself must be strong enough for the
intended application. The appropriate key strength may vary with
how sensitive the transmitted or stored data is, with stronger keys
used for highly confidential or sensitive data. Stronger encryption
may also be necessary to protect data that sits in an open
environment, such as on a Web server, for long periods. Key strength
depends on both the algorithm and the key length: within a given
algorithm, a longer key makes exhaustive search harder for
high-speed computers, but lengths are not comparable across
algorithms (a 128-bit symmetric key is far stronger than a 128-bit
RSA modulus), and a long key gives no protection if it is poorly
generated or weakly protected.
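The two models above, and the way they are combined in practice, as an added Go example that is not part of the FDIC text or of this newsletter: a random symmetric session key protects the message (AES-256-GCM), the recipient's public key carries that key to them (RSA-OAEP), and the sender's private key signs the envelope so the recipient can authenticate the sender (RSA-PSS). The Envelope format, the party names and the message are constructed for illustration and are assumptions of this example; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a format constructed for this example (not a standard): the per-message
// AES key wrapped under the recipient's RSA public key, the sealed message, and the sender's RSA signature over both.
type Envelope struct{ WrappedKey, Sealed, Signature []byte }

// must panics on error; used only where failure means a broken RNG or a wrong key
// length (a programming error), never for data received from the other party.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// symmetricSeal: both parties hold the same key (AES-256-GCM here); a fresh random
// nonce is prepended so symmetricOpen can find it.
func symmetricSeal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// symmetricOpen fails on a wrong key or any modified byte: GCM authenticates the
// ciphertext as well as encrypting it.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// digest binds the wrapped key and the sealed message together under one signature.
func digest(env *Envelope) []byte {
	d := sha256.Sum256(append(append([]byte{}, env.WrappedKey...), env.Sealed...))
	return d[:]
}

// send is the key-distribution step the text describes: a random session key travels
// under the recipient's public key (RSA-OAEP); the sender signs with its private key (RSA-PSS).
func send(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Sealed: symmetricSeal(sessionKey, plaintext)}
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest(env), nil)
	return env, err
}

// receive verifies the sender first (anyone holding the sender's public key can), then
// unwraps the session key, which only the recipient's private key can do.
func receive(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest(env), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender not authenticated: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	return symmetricOpen(sessionKey, env.Sealed)
}

// runDemo plays Alice -> Bob with Mallory as impostor (constructed sample data) and reports
// Bob's recovered plaintext and whether a tampered envelope and Mallory's were rejected.
func runDemo() (recovered string, tamperRejected, impostorRejected bool, err error) {
	gen := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	alice, bob, mallory := gen(), gen(), gen()
	msg := []byte("transfer 1,200.00 to account 4471")
	env := must(send(alice, &bob.PublicKey, msg))
	pt, err := receive(bob, &alice.PublicKey, env)
	if err != nil {
		return
	}
	env.Sealed[0] ^= 0x01 // one bit flipped in transit: the signature no longer verifies
	_, tErr := receive(bob, &alice.PublicKey, env)
	// Mallory can wrap a key for Bob, but cannot sign as Alice.
	_, iErr := receive(bob, &alice.PublicKey, must(send(mallory, &bob.PublicKey, msg)))
	return string(pt), tErr != nil, iErr != nil, nil
}

func main() { fmt.Println(runDemo()) }
```

Running it prints Bob's recovered message followed by two true values: a flipped bit in the sealed message and an envelope built by Mallory are both rejected before any decryption takes place, because the signature check comes first. The symmetric layer alone already rejects a modified or wrong-keyed ciphertext through the GCM tag; what the asymmetric layer adds is exactly what the FDIC text describes, delivery of the shared key over an open network and authentication of the sender.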
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.9 Threats to Personal Privacy
The accumulation of vast amounts of electronic information about
individuals by governments, credit bureaus, and private companies,
combined with the ability of computers to monitor, process, and
aggregate large amounts of information about individuals, has
created a threat to individual privacy. The possibility that all of
this information and technology may be linked together has arisen
as a specter of the modern information age, often referred to as
"Big Brother." To guard against such intrusion, Congress has over
the years enacted legislation such as the Privacy Act of 1974 and
the Computer Matching and Privacy Protection Act of 1988, which
define the boundaries of the legitimate uses of personal
information collected by the government.
The threat to personal privacy arises from many sources. In
several cases federal and state employees have sold personal
information to private investigators or other "information brokers."
One such case was uncovered in 1992 when the Justice Department
announced the arrest of over two dozen individuals engaged in buying
and selling information from Social Security Administration (SSA)
computer files. During the investigation, auditors learned that
SSA employees had unrestricted access to over 130 million employment
records. Another investigation found that 5 percent of the employees
in one region of the IRS had browsed through tax records of friends,
relatives, and celebrities. Some of the employees used the
information to create fraudulent tax refunds, but many were acting
simply out of curiosity.
As more of these cases come to light, many individuals are
becoming increasingly concerned about threats to their personal
privacy. A July 1993 special report in MacWorld cited polling data
taken by Louis Harris and Associates showing that in 1970 only 33
percent of respondents were concerned about personal privacy. By
1990, that number had jumped to 79 percent.
While the magnitude and cost to society of the personal privacy
threat are difficult to gauge, it is apparent that information
technology is becoming powerful enough to warrant fears of both
government and corporate "Big Brothers." Increased awareness of the
problem is needed.