July 18, 2021
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with 40 years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - Two cyber insurance industry
initiatives grapple with rise of ransomware - Twice in the past few
weeks, insurers have joined together in response to the spiraling
ransomware attacks that have rocked their industry.
https://www.cyberscoop.com/cyberacuview-apcia-cyber-insurance-ransomware/
Proposed law seeks to boost federal cyber workforce through
apprenticeships, training - Infosec training and apprenticeship
experts are applauding recently proposed bipartisan legislation
that, if signed into law, would bolster the federal cyber workforce
through an apprenticeship program at the Department of Homeland
Security’s Cybersecurity and Infrastructure Security Agency (CISA)
and a pilot training program administered by the Department of
Veterans Affairs.
https://www.scmagazine.com/home/government/proposed-law-seeks-to-boost-federal-cyber-workforce-through-apprenticeships-training/
Kaseya ransomware attack: What we know now - Here is everything we
know so far. ZDNet will update this primer as we learn more. Kaseya,
an IT solutions developer for MSPs and enterprise clients, announced
that it had become the victim of a cyberattack on July 2, over the
American Independence Day weekend.
https://www.zdnet.com/article/kaseya-ransomware-attack-what-we-know-now/
Colorado’s new law ups need for privacy awareness training -
Following in the footsteps of California and Virginia, Colorado last
week became the third U.S. state to officially pass a comprehensive
consumer privacy law.
https://www.scmagazine.com/home/security-news/privacy-compliance/colorados-new-law-ups-need-for-privacy-awareness-training/
Could allowlisting reduce the impact of ransomware, cyberattacks on
health care? - A recent IDC report confirmed the health care sector
is more vulnerable to the consequences of cyberattacks than other
industries and the most likely to suffer application downtime, with
53% of covered entities reporting downtime after an attack.
https://www.scmagazine.com/home/health-care/could-allowlisting-reduce-the-impact-of-ransomware-cyberattacks-on-health-care/
Everyday IT Tools Can Offer ‘God Mode’ for Hackers - Attackers are
increasingly attuned to the power and potential of remote management
software.
https://www.wired.com/story/it-management-tools-hacking-jamf-kaseya/
Cyberattacks drive 185% spike in health care data breaches in 2021 -
More than 22.8 million patients have been impacted by a health care
data breach so far in 2021, a whopping 185% increase from the same
time period last year, when just 7.9 million individuals were
affected according to a new report from Fortified Health Security.
https://www.scmagazine.com/home/health-care/report-cyberattacks-drive-185-spike-in-health-care-data-breaches-in-2021/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Kroger reaches $5M settlement
with breach victims, as Supreme Court defines ‘actual harm’ - Kroger
reached a $5 million lawsuit settlement with individuals impacted by
a breach reported in February. The settlement was the third legal
action tied to a health care data breach this week, shedding light
on the rise in breach-related lawsuit trends in the sector in the
last few years.
https://www.scmagazine.com/home/security-news/data-breach/kroger-reaches-5m-settlement-with-breach-victims-as-supreme-court-defines-actual-harm/
Online course provider Coursera hit with API issues, with cloud
driving additional exposure - Researchers on Thursday disclosed that
over the past year they found and later fixed a broken object level
authorization (BOLA) vulnerability and many other API issues on the
platform used by online course provider Coursera.
https://www.scmagazine.com/home/security-news/cloud-security/online-course-provider-coursera-hit-with-api-issues-with-cloud-driving-additional-exposure/
Website of Mongolian certificate authority served backdoored client
installer - Researchers say the domain was breached eight times in a
short window. The Mongolian certification authority's (CA) official
website was harboring malware and facilitated downloads of a
backdoored client to users.
https://www.zdnet.com/article/website-of-mongolian-certificate-authority-backdoored-served-malware/
Joplin, Mo., City Government Suffers Ransomware Attack - The Joplin
Police Department notified the local newspaper on Wednesday morning
that the city’s computers were down, and as such, the newspaper
would not be able to access the local crime reports.
https://www.govtech.com/security/joplin-mo-city-government-suffers-ransomware-attack
Data of 1.2M patients stolen prior to third-party vendor ransomware
attack - Practicefirst Medical Management Solutions and PBS Medcode
recently notified 1.2 million patients that their data was accessed
and stolen from its network, ahead of a ransomware attack deployed
on Dec. 25, 2020.
https://www.scmagazine.com/home/health-care/data-of-1-2m-patients-stolen-prior-to-third-party-vendor-ransomware-attack/
WEB SITE COMPLIANCE -
We conclude our review of the FDIC paper "Risk Assessment
Tools and Practices of Information System Security." We hope you
have found this series useful.
INCIDENT RESPONSE - Discusses implementing an incident
response strategy for the response component of an institution's
information security program. After implementing a defense strategy
and monitoring for new attacks, hacker activities, and unauthorized
insider access, management should develop a response strategy. The
sophistication of an incident response plan will vary depending on
the risks inherent in each system deployed and the resources
available to an institution. In developing a response strategy or
plan, management should consider the following:
1) The plan should provide a platform from which an institution
can prepare for, address, and respond to intrusions or unauthorized
activity. The beginning point is to assess the systems at risk, as
identified in the overall risk assessment, and consider the
potential types of security incidents.
2) The plan should identify what constitutes a break-in or system
misuse, and incidents should be prioritized by the seriousness of
the attack or system misuse.
3) Individuals should be appointed and empowered with the
latitude and authority to respond to an incident. The plan should
include what the appropriate responses may be for potential
intrusions or system misuse.
4) A recovery plan should be established, and in some cases, an
incident response team should be identified.
5) The plan should include procedures to officially report the
incidents to senior management, the board of directors, legal
counsel, and law enforcement agents as appropriate.
FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.
FFIEC IT SECURITY -
We continue
our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each
system resource may need to be accessed by other system resources
and individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The financial
institution's security policy should address access rights to system
resources and how those rights are to be administered.
Management and information system administrators should
critically evaluate information system access privileges and
establish access controls to prevent unwarranted access. Access
rights should be based upon the needs of the applicable user or
system resource to carry out legitimate and approved activities on
the financial institution's information systems. Policies,
procedures, and criteria need to be established for both the
granting of appropriate access rights and for the purpose of
establishing those legitimate activities. Formal access rights
administration for users consists of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized
user access to operating systems, applications, directories, files,
and specific types of information;
! An authentication process to identify the user during
subsequent activities; and
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.5 Plumbing Leaks
While plumbing leaks do not occur every day, they can be seriously
disruptive. The building's plumbing drawings can help locate
plumbing lines that might endanger system hardware. These lines
include hot and cold water, chilled water supply and return lines,
steam lines, automatic sprinkler lines, fire hose standpipes, and
drains. If a building includes a laboratory or manufacturing spaces,
there may be other lines that conduct water, corrosive or toxic
chemicals, or gases.
As a rule, analysis often shows that the cost to relocate
threatening lines is difficult to justify. However, the location of
shutoff valves and procedures that should be followed in the event
of a failure must be specified. Operating and security personnel
should have this information immediately available for use in an
emergency. In some cases, it may be possible to relocate system
hardware, particularly distributed LAN hardware.
15.6 Interception of Data
Depending on the type of data a system processes, there may be a
significant risk if the data is intercepted. There are three routes
of data interception: direct observation, interception of data
transmission, and electromagnetic interception.
Direct Observation. System terminal and workstation display
screens may be observed by unauthorized persons. In most cases, it
is relatively easy to relocate the display to eliminate the
exposure.
Interception of Data Transmissions. If an interceptor can
gain access to data transmission lines, it may be feasible to tap
into the lines and read the data being transmitted. Network
monitoring tools can be used to capture data packets. Of course, the
interceptor cannot control what is transmitted, and so may not be
able to immediately observe data of interest. However, over a period
of time there may be a serious level of disclosure. Local area
networks typically broadcast messages. Consequently, all traffic,
including passwords, could be retrieved. Interceptors could also
transmit spurious data on tapped lines, either for purposes of
disruption or for fraud.
Electromagnetic Interception. Systems routinely radiate
electromagnetic energy that can be detected with special-purpose
radio receivers. Successful interception will depend on the signal
strength at the receiver location; the greater the separation
between the system and the receiver, the lower the success rate.
TEMPEST shielding, of either equipment or rooms, can be used to
minimize the spread of electromagnetic signals. The signal-to-noise
ratio at the receiver, determined in part by the number of competing
emitters, will also affect the success rate. The more workstations of
the same type in the same location performing "random" activity, the
more difficult it is to intercept a given workstation's radiation.
On the other hand, the trend toward wireless (i.e., deliberate
radiation) LAN connections may increase the likelihood of successful
interception.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.