June 27, 2021
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Ryuk ransomware recovery cost us $8.1m and counting, says Baltimore school authority - An organisation whose network was infected by Ryuk ransomware has spent $8.1m over seven months recovering from it – and that’s still not the end of it, according to US news reports.
https://www.theregister.com/2021/06/16/baltimore_ryuk_ransomware_dollars_8_1m_recovery_cost/
HHS unveils patient matching standards, guidance to boost patient
privacy - The Department of Health and Human Services unveiled the
first draft of its Project USA technical specification guidance for
public comment, designed to develop a unified standard for patient
matching across the health sector to bolster data security and
patient safety and privacy.
https://www.scmagazine.com/home/security-news/privacy-compliance/hhs-unveils-patient-matching-standards-guidance-to-boost-patient-privacy/
Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet - Three weeks after the company disclosed two critical vulnerabilities in the workload management utility, many organizations have not patched the technology yet, security vendor says.
https://www.darkreading.com/vulnerabilities---threats/thousands-of-vmware-vcenter-servers-remain-open-to-attack-over-the-internet/d/d-id/1341310
A practitioner’s guide to managing and measuring compliance risk -
How do top security managers respond when the CEO asks: “Are we
compliant?” Will the response change if a regulator asks the
question during an examination? Or an attorney at a deposition?
https://www.scmagazine.com/perspectives/a-practitioners-guide-to-managing-and-measuring-compliance-risk/
Would companies even abide by a ransomware payments ban? - One of
the most common suggestions to deal with the ransomware scourge –
also one of the most controversial – is to ban the payment of
ransoms.
https://www.scmagazine.com/featured/would-companies-even-abide-by-a-ransomware-payments-ban/
50,000 security disasters waiting to happen: The problem of
America's water supplies - The hacker had the username and password
for a former employee's TeamViewer account, a popular program that
lets users remotely control their computers, according to a private
report.
https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Carnival discloses new data breach on email accounts - Carnival Corporation – which has been plagued by cyberattacks over the past few years – issued a breach disclosure on Thursday confirming hackers attacked email accounts and gained access to data about its customers and employees.
https://www.scmagazine.com/home/email-security/carnival-discloses-new-data-breach-on-email-accounts/
Alina Lodge notifies patients of data breach tied to 2020 Blackbaud
incident - The Blackbaud data breach was the largest health
care-related incident of 2020, impacting an estimated two dozen
providers and well over 10 million patients. Now, 2,565 patients of
addiction treatment center Alina Lodge are being notified that their
data was compromised during the massive vendor incident more than a
year ago.
https://www.scmagazine.com/featured/alina-lodge-notifies-patients-of-data-breach-tied-to-2020-blackbaud-incident/
ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack -
The Ragnar Locker ransomware gang have published download links for
more than 700GB of archived data stolen from Taiwanese memory and
storage chip maker ADATA.
https://www.bleepingcomputer.com/news/security/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack/
Georgia fertility clinic discloses breach of patient SSNs and
medical info after ransomware attack - A fertility clinic in Georgia
has notified about 38,000 patients that their medical information
and other data like social security numbers had been accessed by
cybercriminals during a ransomware attack in April.
https://www.zdnet.com/article/georgia-fertility-clinic-discloses-breach-of-patient-ssns-and-medical-info-after-ransomware-attack/
US supermarket chain Wegmans notifies customers of data breach -
Wegmans Food Markets notified customers that some of their
information was exposed after the company became aware that two of
its databases were publicly accessible on the Internet because of a
configuration issue.
https://www.bleepingcomputer.com/news/security/us-supermarket-chain-wegmans-notifies-customers-of-data-breach/
Lawsuits filed against Scripps Health following ransomware attack,
data theft - Two class action lawsuits were filed against Scripps
Health following a ransomware attack and data exfiltration in May,
which impacted the protected health information (PHI) of 150,000
patients.
https://www.scmagazine.com/home/health-care/lawsuits-filed-against-scripps-health-following-ransomware-attack-data-theft/
Georgia St. Joseph’s/Candler health system shifts to downtime
procedures amid ransomware attack - A ransomware attack against
Georgia-based St. Joseph’s/Candler on June 17 spurred network
outages and forced clinicians into EHR downtime procedures. Five
days later, the workforce is continuing to use paper records for
patient appointments.
https://www.scmagazine.com/home/security-news/ransomware/georgia-st-josephs-candler-health-system-shifts-to-downtime-procedures-amid-ransomware-attack/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may determine that a penetration analysis (test) should be conducted. For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information system's security to a review of multiple information security processes in an institution.
A penetration analysis usually involves a team of experts who identify an information system's vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities. Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point
in time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches
appropriate to the institution's environment and complexity,
2) Layered controls that establish multiple control points
between threats and organization assets, and
3) Policies that guide officers and employees in implementing
the security program.
An information security strategy is a plan to mitigate risks
while complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the perceived gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
Physical access controls restrict the entry and exit of personnel
(and often equipment and media) from an area, such as an office
building, suite, data center, or room containing a LAN server.
The control over physical access to the elements of a system can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff members who work in a restricted area serve an important role in providing physical security, as they can be trained to challenge people they do not recognize.
Physical access controls should address not only the area containing system hardware, but also locations of wiring used to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.
There are many types of physical access controls, including badges,
memory cards, guards, keys, true-floor-to-true-ceiling wall
construction, fences, and locks.
It is also important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied.
Effectiveness depends on both the characteristics of the control
devices used (e.g., keycard-controlled doors) and the implementation
and operation. Statements to the effect that "only authorized
persons may enter this area" are not particularly effective.
Organizations should determine whether intruders can easily defeat
the controls, the extent to which strangers are challenged, and the
effectiveness of other control procedures. Factors like these modify
the effectiveness of physical controls.
The feasibility of surreptitious entry also needs to be considered.
For example, it may be possible to go over the top of a partition
that stops at the underside of a suspended ceiling or to cut a hole
in a plasterboard partition in a location hidden by furniture. If a
door is controlled by a combination lock, it may be possible to
observe an authorized person entering the lock combination. If
keycards are not carefully controlled, an intruder may be able to
steal a card left on a desk or use a card passed back by an
accomplice.
Corrective actions can address any of the factors listed above.
Adding an additional barrier reduces the risk to the areas behind
the barrier. Enhancing the screening at an entry point can reduce
the number of penetrations. For example, a guard may provide a
higher level of screening than a keycard-controlled door, or an
anti-passback feature can be added. Reorganizing traffic patterns,
work flow, and work areas may reduce the number of people who need
access to a restricted area. Physical modifications to barriers can
reduce the vulnerability to surreptitious entry. Intrusion
detectors, such as closed-circuit television cameras, motion
detectors, and other devices, can detect intruders in unoccupied
spaces.
Life Safety
It is important to understand that the objectives of physical
access controls may be in conflict with those of life safety. Simply
stated, life safety focuses on providing easy exit from a facility,
particularly in an emergency, while physical security strives to
control entry. In general, life safety must be given first
consideration, but it is usually possible to achieve an effective
balance between the two goals.
For example, it is often possible to equip emergency exit doors
with a time delay. When one pushes on the panic bar, a loud alarm
sounds, and the door is released after a brief delay. The
expectation is that people will be deterred from using such exits
improperly, but will not be significantly endangered during an
emergency evacuation.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.