R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

June 14, 2020

Please stay safe - We will recover.

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual IT audits - As a result of the crisis and to help protect your staff, I am performing virtual FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Phishing campaign targets remote workers with fake voicemail notifications - Looking for new angles to socially engineer employees working from home under COVID-19 conditions, attackers have devised a new phishing campaign that distributes emails that look as if they were generated by Private Branch Exchange (PBX), a legacy technology that integrates with employees’ email clients so they can receive their voicemail recordings. https://www.scmagazine.com/home/security-news/news-archive/coronavirus/phishing-campaign-targets-remote-workers-with-fake-voicemail-notifications/

Achieving an audacious goal by treating cybersecurity like a science - When humans discovered and learned to ‘obey’ the laws of physics and chemistry, we began to thrive in our world. It enabled us to make fire, build machines much stronger than ourselves, to cure diseases, to fly. https://www.scmagazine.com/home/opinion/achieving-an-audacious-goal-by-treating-cybersecurity-like-a-science-2/

Many Exchange Servers Are Still Vulnerable to Remote Exploit - A privilege-escalation vulnerability patched in February by Microsoft continues to affect Exchange servers, with more than 80% of Internet-connected servers remaining vulnerable, one firm reports. https://www.darkreading.com/attacks-breaches/many-exchange-servers-are-still-vulnerable-to-remote-exploit/d/d-id/1337986

House police reform bill includes face recognition provisions - Tucked into the police reform bill introduced by the House today are provisions for using body cameras along with a cursory rebuff of facial recognition, prompting privacy advocates to call for legislators to clarify that the technology should only be used for accountability, not surveillance. https://www.scmagazine.com/home/security-news/house-police-reform-bill-includes-face-recognition-provisions/

5 IoT Security Tips for Stay-At-Home Workers - As millions of employees across the world work from home because of the COVID-19 pandemic, IoT security has become more critical than ever as cybercriminals look to exploit the situation. https://www.scmagazine.com/home/opinion/5-iot-security-tips-for-stay-at-home-workers/

FBI warns hackers targeting mobile banking app users during pandemic - Hackers are increasingly taking aim at mobile banking app users in an effort to steal credentials and commandeer bank accounts, the FBI warned today. https://www.scmagazine.com/home/security-news/fbi-warns-hackers-targeting-mobile-banking-app-users-during-pandemic/

Honeypot study: Unsecured database simulation attacked 18x per day on average - Now there’s proof that every random minute counts when a database is left unsecured on the web. In fact, a recent Comparitech experiment led by researcher Bob Diachenko found that hackers attacked a simulation of an unsecured database an average of 18 times per day. https://www.scmagazine.com/home/security-news/honeypot-study-unsecured-database-simulation-attacked-18x-per-day-on-average/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - San Francisco benefits program breach exposes PII on 74,000 - A breach of the San Francisco Employees’ Retirement System (SFERS) may have exposed the information of 74,000 members, including names, addresses, birth dates, banking and IRS data as well as details on beneficiaries. https://www.scmagazine.com/home/security-news/data-breach/san-francisco-benefits-program-breach-exposes-pii-on-74000/

U.S. Nuclear Contractor Hit with Maze Ransomware, Data Leaked - Westech International provides maintenance for the Minuteman III nuclear-missile program and runs programs for multiple branches of the military. https://threatpost.com/nuclear-contractor-maze-ransomware-data-leaked/156289/

Attack targeted database credentials on 1.3 million WordPress sites - A massive attack at the end of May targeted the database credentials of some 1.3 million WordPress sites. https://www.scmagazine.com/home/security-news/attack-targeted-database-credentials-on-1-3-million-wordpress-sites/

German phishing scheme preyed on high-level execs needing PPE - One hundred German companies in need of personal protective equipment (PPE) such as facemasks and medical gear were targeted in a COVID-19 phishing scheme designed to steal and exfiltrate user credentials. https://www.scmagazine.com/home/security-news/german-phishing-scheme-preyed-on-high-level-execs-needing-ppe/

CPA Canada breach put 329,000 accounting pros at risk - A breach at Charter Professional Accountants of Canada (CPA Canada) by an unauthorized third party exposed the personal information of 329,000 individuals. https://www.scmagazine.com/home/security-news/data-breach/cpa-canada-breach-put-329000-accounting-pros-at-risk/

Phishing Attack Hits German Coronavirus Task Force - More than 100 executives at a multinational company that’s part of a German task force for creating coronavirus protective gear were targeted in an ongoing phishing attack. https://threatpost.com/phishing-attack-german-coronavirus-task-force/156377/

Honda investigates possible ransomware attack, networks impacted - Computer networks in Europe and Japan from car manufacturer giant Honda have been affected by issues that are reportedly related to a SNAKE Ransomware cyber-attack. https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/

US aerospace services provider breached by Maze Ransomware - The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices in April 2020. https://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/

Fitness Depot hit by data breach after ISP fails to 'activate the antivirus' - Canadian retailer Fitness Depot notified customers that their personal and financial information was stolen following a breach that affected the company's e-commerce platform last month. https://www.bleepingcomputer.com/news/security/fitness-depot-hit-by-data-breach-after-isp-fails-to-activate-the-antivirus/

Ransomware crooks attack Conduent, another large IT provider - A ransomware attack disrupted IT services company Conduent’s work with its clients last week, another example of digital extortionists targeting key technology suppliers. https://www.cyberscoop.com/conduent-maze-ransomware/

Magecart skimmer strikes Fitness Depot at checkout - A Magecart credit card skimmer scheme used on Canadian fitness equipment retailer Fitness Depot’s e-commerce system Feb. 18 affected an undisclosed number of customers requesting either at-home delivery or in-store pickup at one of the company’s 40 stores. https://www.scmagazine.com/home/security-news/ransomware/magecart-strikes-strikes-fitness-depot-at-checkout/



WEB SITE COMPLIANCE -
We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 1 of 10)

A. RISK DISCUSSION

Introduction


A significant number of financial institutions regulated by the financial institution regulatory agencies (Agencies) maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purpose of this guidance is to discuss the most significant risks of weblinking and how financial institutions can mitigate these risks.

When financial institutions use weblinks to connect to third-party websites, the resulting association is called a "weblinking relationship." Financial institutions with weblinking relationships are exposed to several risks associated with the use of this technology. The most significant risks are reputation risk and compliance risk.

Generally, reputation risk arises when a linked third party adversely affects the financial institution's customer and, in turn, the financial institution, because the customer blames the financial institution for problems experienced. The customer may be under a misimpression that the institution is providing the product or service, or that the institution recommends or endorses the third-party provider. More specifically, reputation risk could arise in any of the following ways:

  • customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
  • customer dissatisfaction with the quality of products or services obtained from a third party; and
  • customer confusion as to whether certain regulatory protections apply to third-party products or services.


FFIEC IT SECURITY - Over the next few weeks, we will cover the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
  
  Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
  
  Wireless Technology and the Risks of Implementation
  
  
Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.
  
  Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.
  
  Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:
  
  1)  Compromise of customer information and transactions over the wireless network;
  
  2)  Disruption of wireless service from radio transmissions of other wireless devices;
  
  3)  Intrusion into the institution's network through wireless network connections; and
  
  4)  Obsolescence of current systems due to rapidly changing standards.
  
  These risks could ultimately compromise the bank's computer system, potentially causing:
  
  1)  Financial loss due to the execution of unauthorized transactions;
  
  2)  Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);
  
  3)  Negative media attention, resulting in harm to the institution's reputation; and
  
  4)  Loss of customer confidence.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
  
  
6.3 Elements of an Effective Central Computer Security Program
  

  For a central computer security program to be effective, it should be an established part of organization management. If system managers and applications owners do not need to consistently interact with the security program, then it can become an empty token of upper management's "commitment to security."
  
  Stable Program Management Function. A well-established program will have a program manager recognized within the organization as the central computer security program manager. In addition, the program will be staffed with able personnel, and links will be established between the program management function and computer security personnel in other parts of the organization. A computer security program is a complex function that needs a stable base from which to direct the management of such security resources as information and money. The benefits of an oversight function cannot be achieved if the computer security program is not recognized within an organization as having expertise and authority.
  
  Stable Resource Base. A well-established program will have a stable resource base in terms of personnel, funds, and other support. Without a stable resource base, it is impossible to plan and execute programs and projects effectively.
  
  Existence of Policy. Policy provides the foundation for the central computer security program and is the means for documenting and promulgating important decisions about computer security. A central computer security program should also publish standards, regulations, and guidelines that implement and expand on policy.
  
  Published Mission and Functions Statement. A published mission statement grounds the central computer security program into the unique operating environment of the organization. The statement clearly establishes the function of the computer security program and defines responsibilities for both the computer security program and other related programs and entities. Without such a statement, it is impossible to develop criteria for evaluating the effectiveness of the program.
  
  Long-Term Computer Security Strategy. A well-established program explores and develops long-term strategies to incorporate computer security into the next generation of information technology. Since the computer and telecommunications field moves rapidly, it is essential to plan for future operating environments.
  
  Compliance Program. A central computer security program needs to address compliance with national policies and requirements, as well as organization-specific requirements. National requirements include those prescribed under the Computer Security Act of 1987, OMB Circular A-130, the FIRMR, and Federal Information Processing Standards.
  
  Intraorganizational Liaison. Many offices within an organization can affect computer security. The Information Resources Management organization and physical security office are two obvious examples. However, computer security often overlaps with other offices, such as safety, reliability and quality assurance, internal control, or the Office of the Inspector General. An effective program should have established relationships with these groups in order to integrate computer security into the organization's management. The relationships should encompass more than just the sharing of information; the offices should influence each other.
   
  Liaison with External Groups. There are many sources of computer security information, such as NIST's Computer Security Program Managers' Forum, computer security clearinghouse, and the Forum of Incident Response and Security Teams (FIRST). An established program will be knowledgeable of and will take advantage of external sources of information. It will also be a provider of information.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.