R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

July 21, 2024

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Bank regulatory FFIEC IT audits - I perform annual IT audits required by the regulatory agencies for banks and credit unions. I am a former bank examiner with over 30 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Internet Explorer still used as a malware vehicle by threat actors - Microsoft’s notorious Internet Explorer has been brought out of retirement by threat actors using its security holes to serve malware. https://www.scmagazine.com/news/internet-explorer-still-used-as-a-malware-vehicle-by-threat-actors

After some lost battles, privacy laws continue their steady march across the states - Data privacy advocates took a couple of losses recently in the United States. A proposed data privacy law in Vermont, which would have been one of the strongest in the country, was vetoed in June by Republican Gov. Phil Scott. https://www.scmagazine.com/perspective/after-some-lost-battles-privacy-laws-continue-their-steady-march-across-the-us

Australia instructs government entities to check for tech exposed to foreign control - Australia has instructed all of its government entities to take stock of their entire technology estates and identify any assets that could be controlled or manipulated by foreign states. https://therecord.media/australia-government-agencies-check-technology-foreign-control

You had a year to patch this Veeam flaw – and now it's going to hurt some more - Yet another new ransomware gang, this one dubbed EstateRansomware, is now exploiting a Veeam vulnerability that was patched more than a year ago to deploy file-encrypting malware, a LockBit variant, and extort payments from victims. https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/

5 questions to ask about the latest news surrounding the AT&T breach - A search of the internet for news on the recent AT&T breach and the mind can only boggle at what’s going on with this story. https://www.scmagazine.com/news/5-questions-to-ask-about-the-latest-news-surrounding-the-att-breach

Singapore's banks to ditch texted one-time passwords - After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist log ins to bank accounts in Singapore, the city-state will abandon the authentication technique. https://www.theregister.com/2024/07/12/singapore_banks_fight_phishing/

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Massive Snowflake-linked attack exposes data on nearly 110M AT&T customers - Attackers breached AT&T’s Snowflake environment for 11 days in April, and stole customers’ call and text message records spanning a six-month period from 2022. https://www.cybersecuritydive.com/news/att-cyberattack-snowflake-environment/721235/

Snowflake-linked attack on Advance Auto Parts exposes 2.3 million people - One of the few customers to publicly link Snowflake to a third-party intrusion said its database was breached for 40 days. https://www.cybersecuritydive.com/news/advance-auto-parts-snowflake-data-breach/721353/

AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack - Data breach exposed records of call and text interactions for nearly all AT&T’s wireless customers and has been linked to the recent attacks targeting Snowflake customers. https://www.securityweek.com/att-data-breach-nearly-all-wireless-customers-exposed-in-massive-hack/

AT&T reportedly paid ransom for deletion of stolen call logs after culprit allegedly detained - The scale of AT&T’s data breach continued to widen over the weekend, with reports emerging that AT&T paid a $370,000 ransom to a hacker who obtained the logs of calls and texts to more than 100 million customers. https://therecord.media/att-ransom-data-breach

Car dealer software slinger CDK Global said to have paid $25M ransom after cyberattack - CDK Global reportedly paid a $25 million ransom in Bitcoin after its servers were knocked offline by crippling ransomware. https://www.theregister.com/2024/07/12/cdk_ransom_payout/

Medical Appointments Still Affected Due to Synnovis Attack - NHS England report a reduction of postponements. Around 8,000 procedures and appointments have been affected due to the early June ransomware attack on Synnovis. https://insight.scmagazineuk.com/medical-appointments-still-affected-due-to-synnovis-attack

Millions Impacted by Breach at Advance Auto Parts Linked to Snowflake Incident - American automotive aftermarket parts provider Advance Auto Parts is notifying over 2.3 million individuals that their personal information was compromised in the Snowflake incident earlier this year. https://www.securityweek.com/millions-impacted-by-breach-at-advance-auto-parts-linked-to-snowflake-incident/


WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs.  (2 of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 1 of 2)

Packets are moved through networks using routers, switches, and hubs. The unique IP address is commonly used in routing. Since users typically use text names instead of IP addresses for their addressing, the user's software must obtain the numeric IP address before sending the message. The IP addresses are obtained from the Domain Name System (DNS), a distributed database of text names (e.g., anybank.com) and their associated IP addresses. For example, financial institution customers might enter the URL of the Web site in their Web browser. The user's browser queries the domain name server for the IP address associated with anybank.com. Once the IP address is obtained, the message is sent. Although the example depicts an external address, DNS can also function on internal addresses.

A router directs where data packets will go based on a table that links the destination IP address with the IP address of the next machine that should receive the packet. Packets are forwarded from router to router in that manner until they arrive at their destination.  Since the router reads the packet header and uses a table for routing, logic can be included that provides an initial means of access control by filtering the IP address and port information contained in the message header. Simply put, the router can refuse to forward, or forward to a quarantine or other restricted area, any packets that contain IP addresses or ports that the institution deems undesirable. Security policies should define the filtering required by the router, including the type of access permitted between sensitive source and destination IP addresses. Network administrators implement these policies by configuring an access configuration table, which creates a filtering router or a basic firewall.

A switch directs the path a message will take within the network. Switching works faster than IP routing because the switch only looks at the network address for each message and directs the message to the appropriate computer. Unlike routers, switches do not support packet filtering. Switches, however, are designed to send messages only to the device for which they were intended. The security benefits from that design can be defeated and traffic through a switch can be sniffed.
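As an added illustration of the filtering-router logic described above (this is not FFIEC text and not any vendor's product), the following Python simulates an access configuration table applied to packet headers: the first matching rule wins, unmatched traffic is dropped by default, and a suspect source range is diverted to quarantine rather than forwarded. The rule format, the address ranges and the sample packets are constructed for the example.

```python
"""Filtering-router simulation: an access configuration table applied to
packet headers, as the FFIEC booklet describes. Added illustration, not
FFIEC text; rule format, addresses and packets are constructed."""
from ipaddress import ip_address, ip_network

# Constructed policy table: first matching rule wins; no match means DROP.
# Fields: action, protocol ("any" = all), source net, destination net,
# destination port ("*" = all). 10.1.0.0/16 plays the institution's network.
RULES = [
    ("DROP",       "tcp", "0.0.0.0/0",      "10.1.0.0/16",  23),   # block telnet
    ("QUARANTINE", "any", "203.0.113.0/24", "10.1.0.0/16",  "*"),  # suspect net
    ("ALLOW",      "tcp", "0.0.0.0/0",      "10.1.5.10/32", 443),  # public web
    ("ALLOW",      "udp", "10.1.0.0/16",    "10.1.1.53/32", 53),   # internal DNS
    ("ALLOW",      "tcp", "10.1.0.0/16",    "10.1.0.0/16",  "*"),  # inside only
]

def matches(rule, packet):
    """True when the packet header satisfies every field of the rule."""
    _action, proto, src_net, dst_net, dport = rule
    if proto != "any" and proto != packet["proto"]:
        return False
    if ip_address(packet["src"]) not in ip_network(src_net):
        return False
    if ip_address(packet["dst"]) not in ip_network(dst_net):
        return False
    return dport == "*" or dport == packet["dport"]

def filter_packet(packet, rules=RULES):
    """Return (action, rule_index); index is None when the default deny applies."""
    for i, rule in enumerate(rules):
        if matches(rule, packet):
            return rule[0], i
    return "DROP", None

# Constructed packet headers: src, dst, protocol, destination port.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "10.1.5.10", "proto": "tcp", "dport": 443},
    {"src": "198.51.100.7", "dst": "10.1.5.10", "proto": "tcp", "dport": 23},
    {"src": "203.0.113.9",  "dst": "10.1.5.10", "proto": "tcp", "dport": 443},
    {"src": "10.1.7.20",    "dst": "10.1.1.53", "proto": "udp", "dport": 53},
    {"src": "198.51.100.7", "dst": "10.1.7.20", "proto": "tcp", "dport": 3389},
]

def run_demo(packets=SAMPLE_PACKETS):
    return [filter_packet(p)[0] for p in packets]

if __name__ == "__main__":
    for p, decision in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{p['src']:>14} -> {p['dst']}:{p['dport']}/{p['proto']}  {decision}")
```

Note that rule order is the policy: the quarantine rule for 203.0.113.0/24 sits above the public web-server allow, so a connection from that range to port 443 is quarantined instead of forwarded.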



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Section III. Operational Controls - Chapter 10 - PERSONNEL/USERS ISSUES

 

 Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relate to how these individuals interact with computers and the access and authorities they need to do their job. No computer system can be secured without properly addressing these security issues.
 
 This chapter examines issues concerning the staffing of positions that interact with computer systems; the administration of users on a system, including considerations for terminating employee access; and special considerations that may arise when contractors or the public have access to systems. Personnel issues are closely linked to logical access controls.
 
 10.1 Staffing
 

 The staffing process generally involves at least four steps and can apply equally to general users as well as to application managers, system management personnel, and security personnel. These four steps are: (1) defining the job, normally involving the development of a position description; (2) determining the sensitivity of the position; (3) filling the position, which involves screening applicants and selecting an individual; and (4) training.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.