July 12, 2020
Please stay safe - We will recover.
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - As a result of the crisis and to help protect your staff, I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience.
Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - USB a prevalent industrial vector vulnerability for OT systems - While the ubiquitous USB remains an integral tool to facilitate transferable computing, such removable media is the second most prevalent industrial vector vulnerability for operational technology (OT) systems, according to a Honeywell report.
https://www.scmagazine.com/home/security-news/vulnerabilities/usb-prevalent-industrial-vector-vulnerability-for-ot-systems/
FDIC Names Bob De Luca Deputy Chief
Information Officer - In his new role, Mr. De Luca will oversee the
day-to-day administrative functions of the FDIC’s Chief Information
Officer Organization and will lead the agency’s efforts to improve
application and infrastructure security.
www.fdic.gov/news/press-releases/2020/pr20082.html
5 Ways vCISOs Move the Security Needle - Data has become more
valuable than ever and organizations must make protecting it a top
priority. According to IBM and the Ponemon Institute, the average
data breach now costs American companies $8.19 million.
https://www.scmagazine.com/home/opinion/executive-insight/5-ways-vcisos-move-the-security-needle/
Frequency, size of fines for failing to secure data will grow by
2025, report - A little over two years since GDPR took effect and a
few days after California began to enforce the CCPA, a study found
more than one-third – 37 percent – of U.K. cybersecurity
professionals expect the number and monetary amount of fines their
employers face for not adequately safeguarding data will increase by
2025 even though more than three-fourths (76 percent) believe their
companies’ processes for storing data safely are “good” or
“excellent.”
https://www.scmagazine.com/home/security-news/frequency-size-of-fines-for-failing-to-secure-data-will-grow-by-2025-report/
Mounting IIoT cyber risks must be addressed now to prevent
catastrophe: report - Critical infrastructure globally across
sectors are at a particularly vulnerable state due to the continued
heightened pace of cyberattacks on the Industrial Internet of Things
(IIoT), according to a report from Lloyd’s Register Foundation, the
U.K.-based global safety charity.
https://www.scmagazine.com/home/security-news/mounting-iiot-cyber-risks-must-be-addressed-now-to-prevent-catastrophe-report/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - LeBron James among the 1st stars to have their stolen law firm files put up for auction - The Sodinokibi/REvil ransomware gang has apparently made good on its threat to auction off files it lifted from celebrity law firm Grubman Shire Meiselas & Sacks.
https://www.scmagazine.com/home/security-news/cybercrime/lebron-james-among-the-1st-stars-to-have-their-stolen-law-firm-files-put-up-for-auction/
NetWalker ransomware group claims attack on Fort Worth
transportation agency - Another Texas-based government institution
may have fallen victim to ransomware actors. According to a reliable
source, the cybercriminals behind the malicious encryptor NetWalker
have published online evidence of an attack on Trinity Metro, a
transit agency that operates bus and commuter rail transportation
services in Fort Worth and its nearby Tarrant County suburbs.
https://www.scmagazine.com/home/security-news/ransomware/netwalker-ransomware-group-claims-attack-on-fort-worth-transportation-agency/
BMW customer database for sale on dark web - A database of 384,319
BMW car owners in the U.K. is being offered for sale on an
underground forum by the KelvinSecurity Team hacking group,
according to KELA, a darknet threat intelligence firm, based in Tel
Aviv.
https://www.scmagazine.com/home/security-news/bmw-customer-database-for-sale-on-dark-web/
Ransomware attack on insurance MSP Xchanging affects clients -
Global IT services and solutions provider DXC Technology announced
over the weekend a ransomware attack on systems from its Xchanging
subsidiary.
https://www.bleepingcomputer.com/news/security/ransomware-attack-on-insurance-msp-xchanging-affects-clients/
Exposed dating service databases leak sensitive info on
romance-seekers - A series of database misconfigurations publicly
exposed the personal information and private messages of more than
100 million dating website and mobile app account holders.
https://www.scmagazine.com/home/security-news/database-security/exposed-dating-service-databases-leak-sensitive-info-on-romance-seekers/
EDP Renewables says PII compromised in Ragnar Locker attack - An
apparent Ragnar Locker ransomware attack on the parent company of
EDP Renewables put information of some of its customers at risk
although the firm said it has no evidence PII was accessed.
https://www.scmagazine.com/home/security-news/edp-renewables-says-pii-compromised-in-ragnar-locker-attack/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of
weblinks should review the types of products or services and the
overall website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through
the use of the Wireless Application Protocol (WAP). WAP is designed
to bring Internet application capabilities to some of the simplest
user interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
robustness of the encryption applied to network transmissions. Effective
encryption is, by nature, processing-intensive and often requires
complex calculations. The time required to complete the encryption
calculations on a device with limited processing capabilities may
result in unreasonable delays for the device's user. Therefore,
simpler encryption algorithms and smaller keys may be used to speed
the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP
(WAP 2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption between the WAP client and a WAP
gateway (owned by the Wireless Provider). The WAP gateway then must
re-encrypt the information before it is sent across the Internet to
the financial institution. Therefore, sensitive information is
available at the wireless provider in an unencrypted form. This
limits the financial institution's ability to provide appropriate
security over customer information.
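To make the trust-boundary difference concrete, here is an added Python simulation (not part of the FDIC guidance or this newsletter) of the two architectures described above: in the WAP 1.x path the carrier's gateway must decrypt and re-encrypt, so customer data exists in the clear at a third party, while in the WAP 2.0 path the gateway only relays ciphertext. The hop names, keys and the toy keystream cipher are constructed stand-ins for WTLS/TLS.

```python
"""WAP 1.x vs. WAP 2.0 encryption paths (constructed demo, standard library only).
The HMAC-SHA256 keystream XOR below is a toy stand-in for WTLS/TLS, not a real
cipher; party names and keys are constructed."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

# Constructed session keys, one per encrypted hop.
K_CLIENT_GATEWAY = os.urandom(32)  # WTLS-style hop: handset <-> carrier's WAP gateway
K_GATEWAY_BANK = os.urandom(32)    # TLS-style hop: WAP gateway <-> institution's server
K_END_TO_END = os.urandom(32)      # WAP 2.0: handset <-> institution, one session

def wap1_path(message: bytes) -> dict:
    """WAP 1.x: the gateway decrypts and re-encrypts, so it handles plaintext."""
    seen = {"client": message}
    hop1 = encrypt(K_CLIENT_GATEWAY, message)
    at_gateway = decrypt(K_CLIENT_GATEWAY, hop1)  # customer data in the clear here
    seen["gateway"] = at_gateway
    seen["institution"] = decrypt(K_GATEWAY_BANK, encrypt(K_GATEWAY_BANK, at_gateway))
    return seen

def wap2_path(message: bytes) -> dict:
    """WAP 2.0: a single session to the institution; the gateway only relays bytes."""
    seen = {"client": message}
    wire = encrypt(K_END_TO_END, message)
    seen["gateway"] = wire  # ciphertext only; the gateway holds no key for this session
    seen["institution"] = decrypt(K_END_TO_END, wire)
    return seen

def parties_with_plaintext(seen: dict, message: bytes) -> set:
    """Which parties along the path ever hold the customer's message in the clear."""
    return {party for party, data in seen.items() if data == message}
```

Running `parties_with_plaintext` over both paths shows the gateway appearing only in the WAP 1.x result, which is exactly the exposure the guidance describes.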
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the potential to
disrupt computer operations, thereby disrupting critical mission and
business functions. Such an event could be a power outage, hardware
failure, fire, or storm. If the event is very destructive, it is
often called a disaster.
To avert potential contingencies and disasters or minimize the
damage they cause, organizations can take steps early to control the
event. Generally called contingency planning, this activity is
closely related to incident handling, which primarily addresses
malicious technical threats such as hackers and viruses.
Contingency planning involves more than planning for a move
offsite after a disaster destroys a data center. It also addresses
how to keep an organization's critical functions operating in the
event of disruptions, both large and small. This broader perspective
on contingency planning is based on the distribution of computer
support throughout an organization.
This chapter presents the contingency planning process in six
steps:
1) Identifying the mission- or business-critical functions.
2) Identifying the resources that support the critical functions.
3) Anticipating potential contingencies or disasters.
4) Selecting contingency planning strategies.
5) Implementing the contingency strategies.
6) Testing and revising the strategy.
Contingency planning directly supports an organization's goal of
continued operations. Organizations practice contingency planning
because it makes good business sense.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.