R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

June 28, 2020

Please stay safe - We will recover.

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

Virtual IT audits - As a result of the crisis and to help protect your staff, I am performing virtual FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Virtually no mobile phone app is safe from data theft: report - That more than three-fourths (76 percent) of mobile banking vulnerabilities can be exploited without physical access to the device is just one of numerous sobering findings from Positive Technologies in a report released today. https://www.scmagazine.com/home/security-news/virtually-no-mobile-phone-app-is-safe-from-data-theft-report/

When Security Takes a Backseat to Productivity - So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. https://krebsonsecurity.com/2020/06/when-security-takes-a-backseat-to-productivity/

NSA Pilot Providing Secure DNS Services to DIB - The National Security Agency (NSA) is conducting a pilot program through a commercial managed service provider that provides secure domain-name system (DNS) services to a group of defense industrial base (DIB) companies. https://www.meritalk.com/articles/nsa-pilot-providing-secure-dns-services-to-dib/

A Legion of Bugs Puts Hundreds of Millions of IoT Devices at Risk - The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more. https://www.wired.com/story/ripple20-iot-vulnerabilities/

How spies used LinkedIn to hack European defense companies - For LinkedIn users, receiving unsolicited messages from pushy job recruiters comes with the territory. It’s an annoyance for some, a welcome path toward a new gig for others. https://www.cyberscoop.com/defense-companies-hacked-linkedin-eset-lazarus-group/

Risk assessments reveal businesses remain deficient in security compliance, training - An analysis of more than 100 risk self-assessments conducted by business organizations across a cross-section of industries revealed that over 65 percent admitted to achieving zero-to-minimal compliance of U.S. state data privacy and security regulations, including myriad breach laws and the California Consumer Privacy Act. https://www.scmagazine.com/infosec-world-2020/risk-assessments-reveal-businesses-remain-deficient-in-security-compliance-training/

Cyberattackers raising stakes in financial sector, security experts tell House subcommittee - Cyberattacks on the U.S. financial sector amid COVID-19 rose 238 percent over the first five months of 2020, VMware/Carbon Black told Congress during a House Subcommittee on National Security, International Development and Monetary Policy virtual hearing Tuesday. https://www.scmagazine.com/home/finance/cyberattackers-raising-stakes-in-financial-sector-security-experts-tell-house-subcommittee/

Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited' - Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.” https://www.theregister.com/2020/06/19/australia_state_cyberattack/

Cracking the cyber liability code leads to better insurance coverage - The cyber insurance market continues to evolve and mature with coverage enhancements, along with an abundance of carriers. With so many carriers entering the market, it’s more important than ever for companies to take their time and read the fine print. https://www.scmagazine.com/infosec-world-2020/cracking-the-cyber-liability-code-leads-to-better-insurance-coverage/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - T-Mobile’s outage yesterday was so big that even Ajit Pai is mad - But Pai's FCC has a history of letting carriers off easy. T-Mobile's network suffered an outage across the US yesterday, and the Federal Communications Commission is investigating. https://arstechnica.com/tech-policy/2020/06/t-mobiles-outage-yesterday-was-so-big-that-even-ajit-pai-is-mad/

Attackers launched a massive distributed denial-of-service against a specific website hosted by a hosting provider in early June. Not only was the 1.44 terabit-per-second DDoS attack the largest Akamai has seen to date, it was also one of the most complex to resolve, according to Akamai. https://duo.com/decipher/unnamed-web-host-hit-with-ddos-attack

BlueLeaks files expose data from law enforcement, fusion centers - As protesters continue to take to the streets to demand racial justice and police reform in the wake of George Floyd’s death, the activist group DDoSecrets published data on a searchable portal that it says was nicked from more than 200 law enforcement agencies and fusion centers in the U.S. https://www.scmagazine.com/home/security-news/blueleaks-files-expose-data-from-law-enforcement-fusion-centers/

Web-skimming scam infected e-commerce sites on three continents - About two dozen e-commerce websites in North America, South America and Europe were recently “web-skimmed” through a ruse pretending to be Google Analytics. https://www.scmagazine.com/home/security-news/web-skimming-scam-infected-e-commerce-sites-on-three-continents/

Arkansas, Illinois COVID-19 unemployment websites leak data - Arkansas and Illinois both reportedly exposed sensitive citizen data after failing to adequately secure web services that the states urgently propped up in order to process applications for the federal Pandemic Unemployment Assistance program. https://www.scmagazine.com/website-web-server-security/arkansas-illinois-covid-19-unemployment-websites-leak-data/

British airline easyJet breached, data of 9 million customers compromised - An attack against British airline easyJet by “a highly sophisticated source” accessed the email addresses and travel details of approximately nine million customers, including credit card details of 2,208 customers. https://www.scmagazine.com/home/security-news/british-airline-easyjet-breached-data-of-9-million-customers-compromised/

Australia's Lion brewery hit by second cyber attack as nation staggers under suspected Chinese digital assault - As Australia reels under sustained cyber attacks following increased Chinese diplomatic hostility, the country's Lion brewery and dairy conglomerate has been hit for the second time. https://www.theregister.com/2020/06/19/lion_brewery_second_cyber_attack_australia/



WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.


FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
  
  PART I. Risks Associated with Wireless Internal Networks
  
  
Financial institutions are evaluating wireless networks as an alternative to the traditional cable to the desktop network. Currently, wireless networks can provide speeds of up to 11 Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.
  
  Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the airways. Wireless networks operate using a set of FCC licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.
  
  The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:
  
  1)  Decrypting information based on statistical analysis;
  
  2)  Injecting new traffic from unauthorized mobile stations based on known plain text;
  
  3)  Decrypting traffic based on tricking the access point;
  
  4)  Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and
  
  5)  Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
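The guidance lists statistical and known-plaintext decryption among WEP's weaknesses without saying why they work. The following added example (written for this newsletter, not part of the FDIC guidance) shows the root cause: WEP builds each packet's RC4 key from a 24-bit initialization vector (IV) sent in the clear plus the shared secret, and RC4 is a stream cipher, so two packets that reuse an IV share a keystream. XORing their ciphertexts cancels that keystream, and if one packet's content is predictable (a protocol header, for instance) the other packet's content is exposed with no key at all. The birthday-bound function shows how few packets a busy network needs before an IV repeats, which is why the guidance speaks of "a day's worth of traffic." The RC4 routine, the WEP-style framing, the secret key, the IV and both packet payloads are constructed for illustration; the 24-bit IV size and the IV-plus-secret key construction are WEP's actual design.

```python
"""Why WEP leaks plaintext: per-packet RC4 keys built from a short, cleartext IV.

Added example for the Internet Banking News WEP discussion; not FDIC or Yennik code.
Facts used: WEP per-packet key = 24-bit IV || shared secret, IV sent in the clear,
RC4 is a stream cipher (ciphertext = plaintext XOR keystream).
Everything else (keys, IVs, payloads) is constructed sample data.
"""
import math

IV_BITS = 24  # WEP's initialization vector size


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key-scheduling + output generation); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: 3-byte IV in the clear, then RC4(IV || secret) XOR payload."""
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV share a keystream: c1 XOR c2 == p1 XOR p2."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("IVs differ; keystreams are independent, nothing cancels")
    return xor(frame1[3:], frame2[3:])


def recover_other_plaintext(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Known-plaintext case: if p1 is predictable, p2 = (p1 XOR p2) XOR p1."""
    return xor(plaintext_xor_from_iv_reuse(frame1, frame2), known_plaintext1)


def iv_collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * n))


def demo() -> bytes:
    """Constructed scenario: a station reuses IV 0x000001 for two frames."""
    secret = b"\x01\x02\x03\x04\x05"           # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                       # constructed IV, reused for both frames
    p1 = b"GET /index.html HTTP/1.0\r\n"       # predictable request line
    p2 = b"Account balance: 1234.56\r\n"       # constructed sensitive payload, same length
    f1 = wep_style_encrypt(secret, iv, p1)
    f2 = wep_style_encrypt(secret, iv, p2)
    # The observer never learns `secret`; the reused IV alone is enough.
    return recover_other_plaintext(f1, f2, p1)


if __name__ == "__main__":
    print("recovered without the key:", demo())
    for count in (100, 5000, 10000):
        print(f"{count:6d} packets -> P(IV repeat) = {iv_collision_probability(count):.3f}")
```

With only a 24-bit IV space, the birthday bound passes 50 percent at roughly 5,000 packets, which a single busy workstation produces in minutes; that is the mathematical reason the guidance treats WEP as fundamentally weak rather than merely misconfigured, and why the remedy is a different protocol rather than a longer key.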


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
  
  6.5 Elements of Effective System-Level Programs
  

  Like the central computer security program, many factors influence how successful a system-level computer security program is. Many of these are similar to the central program. This section addresses some additional considerations.
  
  Security Plans. The Computer Security Act mandates that agencies develop computer security and privacy plans for sensitive systems. These plans ensure that each federal and federal interest system has appropriate and cost-effective security. System-level security personnel should be in a position to develop and implement security plans. Chapter 8 discusses the plans in more detail.
  
  System-Specific Security Policy. Many computer security policy issues need to be addressed on a system-specific basis. The issues can vary for each system, although access control and the designation of personnel with security responsibility are likely to be needed for all systems. A cohesive and comprehensive set of security policies can be developed by using a process that derives security rules from security goals, as discussed in Chapter 5.
  
  Life Cycle Management. As discussed in Chapter 8, security must be managed throughout a system's life cycle. This specifically includes ensuring that changes to the system are made with attention to security and that accreditation is accomplished.
  
  Integration With System Operations. The system-level computer security program should consist of people who understand the system, its mission, its technology, and its operating environment. Effective security management usually needs to be integrated into the management of the system. Effective integration will ensure that system managers and application owners consider security in the planning and operation of the system. The system security manager/officer should be able to participate in the selection and implementation of appropriate technical controls and security procedures and should understand system vulnerabilities. Also, the system-level computer security program should be capable of responding to security problems in a timely manner.
  
  For large systems, such as a mainframe data center, the security program will often include a manager and several staff positions in such areas as access control, user administration, and contingency and disaster planning. For small systems, such as an officewide local-area-network (LAN), the LAN administrator may have adjunct security responsibilities.
  
  Separation From Operations. A natural tension often exists between computer security and operational elements. In many instances, operational components -- which tend to be far larger and therefore more influential -- seek to resolve this tension by embedding the computer security program in computer operations. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources. As early as 1978, GAO identified this organizational mode as one of the principal basic weaknesses in federal agency computer security programs. System-level programs face this problem most often.
  
  This conflict between the need to be a part of system management and the need for independence has several solutions. The basis of many of the solutions is a link between the computer security program and upper management, often through the central computer security program. A key requirement of this setup is the existence of a reporting structure that does not include system management. Another possibility is for the computer security program to be completely independent of system management and to report directly to higher management. There are many hybrids and permutations, such as co-location of computer security and systems management staff but separate reporting (and supervisory) structures. Figure 6.4 presents one example of placement of the computer security program within a typical Federal agency.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.