July 19, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - As a result of the crisis and to help protect your staff, I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Are your fleet's vehicles leaking your data secrets? - Enterprise
CISOs are used to worrying about corporate data leaks via typical
mobile, remote locations, IoT and Shadow IT.
https://www.scmagazine.com/home/security-news/privacy-compliance/are-your-fleets-vehicles-leaking-your-data-secrets/
Hundreds of forgotten corners of mega-corp websites fall into the
hands of spammers and malware slingers - DNS entries left pointing
to Azure-hosted server names snatched by miscreants for mischief -
Exclusive: More than 240 website subdomains belonging to
organizations large and small, including household names, were
hijacked to redirect netizens to malware, X-rated material, online
gambling, and other unexpected content.
https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/
Digicert will shovel some 50,000 EV HTTPS certificates into the
furnace this Saturday after audit bungle - DigiCert says, come
Saturday, July 11, it will revoke tens of thousands of encryption
certificates issued by intermediaries that were not properly
audited.
https://www.theregister.com/2020/07/10/digicert_pulls_certs/
German authorities seize 'BlueLeaks' server that hosted data on US
cops - BlueLeaks portal is now down. The website hosted 269 GB of
files stolen from more than 200 US police departments and fusion
training centers.
https://www.zdnet.com/article/german-authorities-seize-blueleaks-server-that-hosted-data-on-us-cops/
5 Ways to Create a Security-First Mindset - Now that millions of
people are suddenly working from home because of the COVID-19
pandemic, companies need ways to create a connected and protected
remote business and workforce.
https://www.scmagazine.com/home/opinion/executive-insight/5-ways-to-create-a-security-first-mindset/
A game of 'cat and mouse': Hacking attacks on hospitals for patient
data increase during coronavirus pandemic - On the day before the
July 4 holiday weekend, Mount Auburn Hospital's information
technology team identified some unusual activity. Alarmed, they
quickly took steps to disconnect the Cambridge hospital's computer
system from the internet. They switched to backup manual procedures
instead of automatic ones.
https://www.usatoday.com/story/news/health/2020/07/12/hospitals-see-rise-patient-data-hacking-attacks-during-covid-19/5403402002/
Amazon Says It Didn't Mean to Ban Employees From Using TikTok -
Around midday Friday, some employees at Amazon began posting on
Twitter about another beloved, but increasingly embattled, online
platform: TikTok. They griped that they would soon be unable to use
it on their phones.
https://www.wired.com/story/amazon-bans-tiktok-employees-phones/
Secret Service merging electronic and financial crime task forces to
combat cybercrime - The Secret Service is combining its Electronic
Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs)
into one unified network, the agency announced Thursday.
https://www.cyberscoop.com/secret-service-reorganization-task-force-cybercrime-financial-crime/
U.S. top in significant cyberattacks on CSIS list - The U.S. by far
has been hit harder than any other country in the world with 156
“significant” cyberattacks since 2006, according to new data from
the U.S.-based think tank Center for Strategic and International
Studies (CSIS) that chronicles major hacks up until last month.
https://www.scmagazine.com/home/security-news/u-s-top-in-significant-cyberattacks-on-csis-list/
Huawei ban driven by security, trade considerations - The recent
U.K. ban on the use of Huawei technology in its 5G wireless network
is likely as much about salvaging the deteriorating U.S.-U.K. Sino
relationship and restoring trade normalcy as it is about security.
https://www.scmagazine.com/home/security-news/huawei-ban-driven-by-security-trade-considerations/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Argenta shuts down 143 cash machines after new cyber-attack - The
Antwerp-based savings bank Argenta has shut down 143 cash machines
after suffering two new cyber-attacks at the weekend. The bank
suffered its first cyber-attack at the end of June, when thieves
attempted to take over control of cash machines in Ranst and
Borsbeek, both in Antwerp province, using a technique known as
'jackpotting'.
https://www.brusselstimes.com/all-news/business/121291/argenta-shuts-down-143-cash-machines-after-new-cyber-attack/
Critical SAP flaw puts 40,000 users at risk - More than 40,000 SAP
users of an estimated 2,500 internet facing systems should move
quickly to patch a Remotely Exploitable Code On NetWeaver (RECON)
vulnerability that scored a 10 out of 10 on the bug-severity CVSS
scale and which could give an attacker full enterprise control.
https://www.scmagazine.com/home/security-news/critical-sap-flaw-puts-40000-users-at-risk/
Twitter hacked in cryptocurrency scam - Verified Twitter accounts
belonging to high-profile individuals and companies like Joe Biden,
Bill Gates, Apple and Elon Musk promised followers a large payout
if they'd just send bitcoin to a blockchain address - ostensibly to
donate to Covid-19 community aid - after the social media platform
was breached.
https://www.scmagazine.com/home/security-news/biden-gates-twitter-hacked-in-cryptocurrency-scam/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Due Diligence
A financial institution should conduct sufficient due
diligence to determine whether it wishes to be associated with the
quality of products, services, and overall content provided by
third-party sites. A financial institution should consider more
product-focused due diligence if the third parties are providing
financial products, services, or other financial website content. In
this case, customers may be more likely to assume the institution
reviewed and approved such products and services. In addition to
reviewing the linked third-party's financial statements and its
customer service performance levels, a financial institution should
consider a review of the privacy and security policies and
procedures of the third party. Also, the financial institution
should assess the character of the linked party by considering its
past compliance with laws and regulations and whether the linked
advertisements might be viewed as deceptive advertising in violation
of Section 5 of the Federal Trade Commission Act.
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
transactions.
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular
independent security testing performed on its wireless customer
access application. Specific testing goals would include the
verification of appropriate security settings, the effectiveness of
the wireless application security implementation and conformity to
the institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
behavior.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or business
is very difficult if it is not clearly identified. Managers need to
understand the organization from a point of view that usually
extends beyond the area they control. The definition of an
organization's critical mission or business functions is often
called a business plan.
Since the development of a business plan will be used to support
contingency planning, it is necessary not only to identify critical
missions and businesses, but also to set priorities for them. A
fully redundant capability for each function is prohibitively
expensive for most organizations. In the event of a disaster,
certain functions will not be performed. If appropriate priorities
have been set (and approved by senior management), they could make the
difference in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical Functions
After identifying critical missions and business functions, it is
necessary to identify the supporting resources, the time frames in
which each resource is used (e.g., is the resource needed constantly
or only at the end of the month?), and the effect on the mission or
business of the unavailability of the resource. In identifying
resources, a traditional problem has been that different managers
oversee different resources. They may not realize how resources
interact to support the organization's mission or business. Many of
these resources are not computer resources. Contingency planning
should address all the resources needed to perform a function,
regardless of whether they directly relate to a computer.
The analysis of needed resources should be conducted by those who
understand how the function is performed and the dependencies of
various resources on other resources and other critical
relationships. This will allow an organization to assign priorities
to resources since not all elements of all resources are crucial to
the critical functions.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.