June 13, 2021
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
to
meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit is performed from
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - White House sends out memo to
private sector on cyberattack protections - The White House has sent
out recommendations to the private sector over how to protect
themselves from cyber intrusions after a series of attacks left
companies and government agencies vulnerable.
https://thehill.com/policy/cybersecurity/556625-white-house-sends-out-recommendations-to-private-sector-on-protections
NIST Unveils Guide to Mobile Device Authentication for First
Responders - An increasing number of organizations are employing
mobile devices to give first responders immediate access to data.
NIST insights shed light on the role of biometrics for
authentication.
https://healthitsecurity.com/news/nist-unveils-guide-to-mobile-device-authentication-for-first-responders
Feds recover $2.3 million from Colonial Pipeline ransom - The
Department of Justice announced Monday it had recovered $2.3 million
in ransom paid by Colonial Pipeline.
https://www.scmagazine.com/home/security-news/ransomware/feds-recover-2-3-million-from-colonial-pipeline-ransom/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Chinese threat actors hacked NYC
MTA using Pulse Secure zero-day - Chinese-backed threat actors
breached New York City's Metropolitan Transportation Authority (MTA)
network in April using a Pulse Secure zero-day.
https://www.bleepingcomputer.com/news/security/chinese-threat-actors-hacked-nyc-mta-using-pulse-secure-zero-day/
NYC’s Subway Operator and Martha’s Vineyard Ferry Latest to Report
Cyberattacks - Revelations of cyberattacks on transportation systems
in New York and Massachusetts heightened concerns about the threat
to U.S. businesses and essential services Wednesday, after hackers
held hostage the world’s largest meat processor this week.
https://www.wsj.com/articles/ransomware-scourge-continues-as-essential-services-are-hit-11622672685
Fujifilm becomes latest ransomware victim as White House urges
business leaders to take action - The National Security Council's
top cyber official, Anne Neuberger, released an open letter warning
businesses that every organization is at risk.
https://www.zdnet.com/article/fujifilm-becomes-latest-ransomware-victim-as-white-house-urges-business-leaders-to-take-action/
Sensitive medical, financial data exposed in extortion of
Massachusetts hospital - A hospital in Massachusetts quietly paid
off a ransomware gang after a February hack that exposed patients’
sensitive medical and financial data, the hospital said in a May 28
statement.
https://www.cyberscoop.com/hospital-ransomare-payment-sturdy-memorial/
Ransomware Struck Another Pipeline Firm - and 70GB of Data Leaked -
LineStar Integrity Services was hacked around the same time as
Colonial Pipeline, but radical transparency activists have brought
the attack to light.
https://www.wired.com/story/linestar-pipeline-ransomware-leak/
UF Health Florida hospitals back to pen and paper after cyberattack
- UF Health Central Florida has suffered a reported ransomware
attack that forced two hospitals to shut down portions of their IT
network.
https://www.bleepingcomputer.com/news/security/uf-health-florida-hospitals-back-to-pen-and-paper-after-cyberattack/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning
tools, assess the security of network or host systems and report
system vulnerabilities. These tools can scan networks, servers,
firewalls, routers, and applications for vulnerabilities. Generally,
the tools can detect known security flaws or bugs in software and
hardware, determine if the systems are susceptible to known attacks
and exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in
real-time, but they are commonly run on a periodic basis. When using
the tools, it is important to ensure that the results from the scan
are secure and only provided to authorized parties. The tools can
generate both technical and management reports, including text,
charts, and graphs. The vulnerability assessment reports can tell a
user what weaknesses exist and how to fix them. Some tools can
automatically fix vulnerabilities after detection.
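The points above (matching installed software against a feed of known flaws, flagging settings contrary to policy, distinguishing a weakness that already has a patch from one that still needs a mitigating control, and keeping the results restricted to authorised parties) are easier to see in code. The following Python script is an added example; it is not part of the FDIC paper and is not the code of any scanning product. The host inventory, the flaw signatures and their identifiers (`EX-0001`, `EX-0002`), and the policy baseline are all constructed for illustration.

```python
import json
import os
import re
import tempfile


def parse_version(text):
    """'8.2p1' -> (8, 2, 1); comparing tuples orders versions numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


# Constructed signature feed: the "known security flaws or bugs" the scanner has
# been updated to recognise. IDs, products, versions and titles are hypothetical.
KNOWN_FLAWS = [
    {"id": "EX-0001", "service": "openssh", "affected_below": "8.5",
     "patched_in": "8.5", "severity": "high",
     "title": "hypothetical remote code execution"},
    {"id": "EX-0002", "service": "httpd", "affected_below": "2.4.50",
     "patched_in": None, "severity": "medium",
     "title": "hypothetical request smuggling, no vendor patch yet",
     "mitigation": "front the server with a filtering reverse proxy"},
]

# Constructed policy baseline: the "settings contrary to established security
# policies" the tool checks for. Each entry is (human-readable requirement, check).
POLICY = {
    "telnet_enabled": ("disabled", lambda v: v is False),
    "ssh_password_auth": ("disabled", lambda v: v is False),
    "tls_min": ("1.2 or later", lambda v: parse_version(v) >= (1, 2)),
}

# Constructed inventory standing in for the output of a network/host scan.
HOSTS = [
    {"name": "core-app-01",
     "services": {"openssh": "8.2p1", "httpd": "2.4.49"},
     "settings": {"telnet_enabled": False, "ssh_password_auth": True, "tls_min": "1.2"}},
    {"name": "branch-fw-03",
     "services": {"openssh": "9.3"},
     "settings": {"telnet_enabled": True, "ssh_password_auth": False, "tls_min": "1.0"}},
]


def assess(hosts, flaws=KNOWN_FLAWS, policy=POLICY):
    """Return one finding per known flaw or policy deviation found on each host."""
    findings = []
    for host in hosts:
        for flaw in flaws:
            running = host["services"].get(flaw["service"])
            if running is None or parse_version(running) >= parse_version(flaw["affected_below"]):
                continue
            patched = flaw["patched_in"] is not None
            findings.append({
                "host": host["name"], "type": "known_flaw", "id": flaw["id"],
                "severity": flaw["severity"], "title": flaw["title"],
                "fix_available": patched,
                # The paper's point: when no patch exists yet, the report must
                # still name the mitigating control to apply in the meantime.
                "action": (f"upgrade {flaw['service']} to {flaw['patched_in']}" if patched
                           else f"apply mitigating control until patched: {flaw['mitigation']}"),
            })
        for key, (requirement, ok) in policy.items():
            actual = host["settings"].get(key)
            if actual is not None and ok(actual):
                continue
            findings.append({
                "host": host["name"], "type": "policy_violation", "id": key,
                "severity": "medium",
                "title": f"{key} is {actual!r}; policy requires {requirement}",
                "fix_available": True, "action": f"set {key} to {requirement}",
            })
    return findings


def write_report(findings, path):
    """Write the JSON report readable by its owner only. A scan report is a map of
    what to attack, so the results themselves are restricted to authorised parties."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"summary": {"total": len(findings),
                               "awaiting_patch": sum(1 for f in findings if not f["fix_available"])},
                   "findings": findings}, fh, indent=2)
    os.chmod(path, 0o600)  # in case the file pre-existed with a wider mode
    return oct(os.stat(path).st_mode & 0o777)


def run_scan(hosts=HOSTS):
    """One periodic run: assess the inventory and store the report.
    Returns (findings, report file mode, report path)."""
    path = os.path.join(tempfile.mkdtemp(), "scan-report.json")
    findings = assess(hosts)
    return findings, write_report(findings, path), path


if __name__ == "__main__":
    findings, mode, path = run_scan()
    for f in findings:
        print(f"{f['severity']:6} {f['host']:14} {f['id']:18} {f['action']}")
    print(f"{len(findings)} findings written to {path} (mode {mode})")
```

On the constructed inventory the run reports five findings: two known flaws on core-app-01 (one with an upgrade path, one marked as awaiting a patch with its interim mitigating control) and three policy deviations across the two hosts. The report file is created with mode 0600 from the start rather than chmod'ed afterwards, so there is no window in which another local user can read it; distributing it further is a decision for whoever owns the assessment process, not something the tool does on its own.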
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
practices:
1) Multidisciplinary and Knowledge-based Approach - A
consensus evaluation of the risks and risk mitigation practices
followed by the institution requires the involvement of a broad
range of users, with a range of expertise and business knowledge.
Not all users may have the same opinion of the severity of various
attacks, the importance of various controls, and the importance of
various data elements and information system components. Management
should apply a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and
central control and coordination help to ensure standardization,
consistency, and completeness of risk assessment policies and
procedures, as well as coordination in planning and performance.
Central control and coordination will also facilitate an
organizational view of risks and lessons learned from the risk
assessment process.
3) Integrated Process - A risk assessment provides a foundation
for the remainder of the security process by guiding the selection
and implementation of security controls and the timing and nature of
testing those controls. Testing results, in turn, provide evidence
to the risk assessment process that the controls selected and
implemented are achieving their intended purpose. Testing can also
validate the basis for accepting risks.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
The term physical and
environmental security, as used in this chapter, refers to
measures taken to protect systems, buildings, and related supporting
infrastructure against threats associated with their physical
environment. Physical and environmental security controls include
the following three broad areas:
1) The physical facility is usually the building, other structure,
or vehicle housing the system and network components. Systems can be
characterized, based upon their operating location, as static,
mobile, or portable. Static systems are installed in structures at
fixed locations. Mobile systems are installed in vehicles that
perform the function of a structure, but not at a fixed location.
Portable systems are not installed in fixed operating locations.
They may be operated in a wide variety of locations, including
buildings or vehicles, or in the open. The physical characteristics
of these structures and vehicles determine the level of such
physical threats as fire, roof leaks, or unauthorized access.
2) The facility's general geographic operating location determines
the characteristics of natural threats, which include earthquakes
and flooding; man-made threats such as burglary, civil disorders, or
interception of transmissions and emanations; and damaging nearby
activities, including toxic chemical spills, explosions, fires, and
electromagnetic interference from emitters, such as radars.
3) Supporting facilities are those services (both technical and
human) that underpin the operation of the system. The system's
operation usually depends on supporting facilities such as electric
power, heating and air conditioning, and telecommunications. The
failure or substandard performance of these facilities may interrupt
operation of the system and may cause physical damage to system
hardware or stored data.
Physical and environmental security controls are implemented to
protect the facility housing system resources, the system resources
themselves, and the facilities used to support their operation.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.