R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

July 23, 2023

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FFIEC IT audits - I am performing FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

Email hack prompts call for Microsoft to make security logs free - Microsoft has been criticized for charging its cloud services customers extra to access security logs after a China-based threat group hacked email accounts from more than two dozen organizations, including U.S. government agencies. https://www.scmagazine.com/analysis/security-awareness/email-hack-prompts-call-for-microsoft-to-make-security-logs-free

The 5 Riskiest Connected Devices in 2023: IT, IoT, OT, IoMT - Since 2020, Forescout Research – Vedere Labs has been tracking the riskiest devices on organizations’ networks. In 2020, we released the first Enterprise of Things Security Report, followed in 2022 with the Riskiest Connected Devices in Enterprise Networks report. https://www.forescout.com/blog/riskiest-connected-devices-it-iot-ot-iomt/

CISA shares free tools to help secure data in the cloud - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shared a factsheet providing details on free tools and guidance for securing digital assets after switching to the cloud from on-premises environments. https://www.bleepingcomputer.com/news/security/cisa-shares-free-tools-to-help-secure-data-in-the-cloud/

USB drive malware attacks spiking again in first half of 2023 - What's old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023. https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/

FCC launches ‘U.S. Cyber Trust Mark’ labeling for IoT devices - The White House and the Federal Communications Commission introduced a "U.S. Cyber Trust Mark" labeling program on Tuesday that aims to push IoT device makers to better secure their gadgets and give consumers reassurance that a product is secure before buying it. https://www.scmagazine.com/news/device-security/biden-fcc-u-s-cyber-trust-mark-labeling

Why company executives should not post their home addresses online - Most businesses employ extensive processes and technology to prevent online attacks on their team members and IT systems – anti-virus, anti-spam and phishing prevention tools have become ubiquitous, and ongoing cybersecurity training for staff has become standard. https://www.scmagazine.com/perspective/privacy/why-company-executives-should-not-post-their-home-addresses-online

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Dating app spills 340GB of steamy data and 260,000 user profiles - Over 260,000 dating app account records and 340 gigabytes of images and private chat logs were left open to the public on an Amazon Web Services S3 storage bucket. Impacted was the dating service 419 Dating - Chat & Flirt, developed by Siling App based in Hong Kong. https://www.scmagazine.com/news/privacy/dating-app-spills-340gb-of-steamy-data-and-260000-user-profiles

Lessons to learn from last week’s email breach on federal agencies by a Chinese APT group - We learned early last week that a group of Chinese hackers exploited a vulnerability in Microsoft’s cloud email service to gain access to the cloud-based email accounts at 25 organizations. https://www.scmagazine.com/perspective/cloud-security/lessons-to-learn-from-last-weeks-email-breach-on-federal-agencies-by-a-chinese-apt-group

Chinese hacking operation puts Microsoft in the crosshairs over security failures - Revelations that hackers in China used a Microsoft security flaw to execute a highly targeted, sophisticated operation targeting some two dozen entities, including the U.S. commerce secretary, have officials and researchers alike exasperated that the company’s products have once again been used to pull off an intelligence coup. https://cyberscoop.com/microsoft-china-hacking-state/

JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state - JumpCloud, a cloud-based IT management service that lists Cars.com, GoFundMe, and Foursquare among its 5,000 paying customers, experienced a security breach carried out by hackers working for a nation-state, the company said last week. https://arstechnica.com/security/2023/07/jumpcloud-says-nation-state-hacker-breach-targeted-some-of-its-customers/


WEB SITE COMPLIANCE - Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.


FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Product Certification and Security Scanning Products

Several organizations exist which independently assess and certify the adequacy of firewalls and other computer system related products. Typically, certified products have been tested for their ability to permit and sustain business functions while protecting against both common and evolving attacks.

Security scanning tools should be run frequently by system administrators to identify any new vulnerabilities or changes in the system. Ideally, the scan should be run both with and without the firewall in place so the firewall's protective capabilities can be fully evaluated. Identifying the susceptibility of the system without the firewall is useful for determining contingency procedures should the firewall ever go down. Some scanning tools have different versions with varying degrees of intrusion/attack attempts.
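The "with and without the firewall" comparison the FDIC guidance recommends is easiest to act on when the two scan results are diffed mechanically. The following is an added example written for this newsletter, not code from the FDIC or any scanner vendor: it parses two scan listings in a simplified, hypothetical "host port/proto service severity" format (the listings are constructed sample data), splits the findings into what the firewall is blocking, what is exposed regardless, and what appears only through the firewall, and then produces the contingency list of findings that only the firewall is protecting.

```python
"""Differential review of security-scan results taken with and without the firewall.

Added example, not from the FDIC guidance or this newsletter. The two scan
listings below are constructed sample data in a simplified, hypothetical
format ("host port/proto service severity"), not output of any real scanner.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: str


# Constructed sample: what the scanner saw when pointed at the hosts directly,
# bypassing the firewall (the "without firewall" run).
SCAN_WITHOUT_FIREWALL = """
# host        port/proto  service  severity
10.0.0.5      22/tcp      ssh      medium
10.0.0.5      80/tcp      http     low
10.0.0.5      445/tcp     smb      critical
10.0.0.5      3389/tcp    rdp      high
10.0.0.7      443/tcp     https    low
10.0.0.7      1433/tcp    mssql    critical
"""

# Constructed sample: the same hosts scanned through the firewall.
SCAN_WITH_FIREWALL = """
10.0.0.5      22/tcp      ssh      medium
10.0.0.5      80/tcp      http     low
10.0.0.7      443/tcp     https    low
"""


def parse_scan(text):
    """Parse the simplified listing into a set of Finding records."""
    findings = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, service, severity = line.split()
        port, proto = port_proto.split("/")
        findings.add(Finding(host, int(port), proto, service, severity.lower()))
    return findings


def compare_scans(without_fw, with_fw):
    """Split findings by whether the firewall is what is hiding them."""
    return {
        # Reachable only when the firewall is bypassed: the firewall is the
        # sole control, so these matter most if it ever goes down.
        "blocked_by_firewall": without_fw - with_fw,
        # Reachable either way: the firewall adds no protection here.
        "exposed_through_firewall": without_fw & with_fw,
        # Seen only through the firewall: usually a proxy or NAT artefact
        # worth a closer look, since the firewall itself is exposing it.
        "only_with_firewall": with_fw - without_fw,
    }


def firewall_dependent(diff, min_severity="high"):
    """Findings at or above min_severity that only the firewall is blocking.

    This is the contingency list the guidance refers to: what needs host-level
    remediation so that a firewall outage does not expose it. Sorted worst first.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = [f for f in diff["blocked_by_firewall"] if SEVERITY_RANK[f.severity] >= threshold]
    return sorted(hits, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))


if __name__ == "__main__":
    diff = compare_scans(parse_scan(SCAN_WITHOUT_FIREWALL), parse_scan(SCAN_WITH_FIREWALL))
    for bucket, findings in diff.items():
        print(f"{bucket}: {sorted((f.host, f.port) for f in findings)}")
    print("fix on the host before relying on the firewall:")
    for f in firewall_dependent(diff):
        print(f"  {f.host}:{f.port}/{f.proto} {f.service} ({f.severity})")
```

Run against the constructed data, the "blocked_by_firewall" bucket holds SMB, RDP and MSSQL, which is exactly the set an administrator would want closed or hardened on the hosts themselves so that a firewall failure does not turn into an incident; the "exposed_through_firewall" bucket (SSH, HTTP, HTTPS) is what the firewall cannot help with and must be kept patched regardless.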


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY

5.3 System-Specific Policy

Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. It is much more focused, since it addresses only one system.

Many security policy decisions may apply only at the system level and may vary from system to system within the same organization. While these decisions may appear to be too detailed to be policy, they can be extremely important, with significant impacts on system usage and security. These types of decisions can be made by a management official, not by a technical system administrator. (The impacts of these decisions, however, are often analyzed by technical system administrators.)

To develop a cohesive and comprehensive set of security policies, officials may use a management process that derives security rules from security goals. It is helpful to consider a two-level model for system security policy: security objectives and operational security rules, which together comprise the system-specific policy. Closely linked and often difficult to distinguish, however, is the implementation of the policy in technology.

System-specific security policy includes two components: security objectives and operational security rules. It is often accompanied by implementing procedures and guidelines.

5.3.1 Security Objectives

The first step in the management process is to define security objectives for the specific system. Although this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable organization policies.

Security objectives consist of a series of statements that describe meaningful actions about explicit resources. These objectives should be based on system functional or mission requirements, but should state the security actions that support the requirements.

Development of system-specific policy will require management to make trade-offs, since it is unlikely that all desired security objectives will be able to be fully met. Management will face cost, operational, technical, and other constraints.

Sample Security Objective:  Only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.
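The handbook's two-level model (security objectives, then operational security rules, then implementation in technology) is easier to see when the sample objective above is carried through all three levels. The following is an added example written for this newsletter, not code from NIST or the handbook: it records the sample objective, derives one operational rule from it, builds the access control list that section 5.3 says broader policy cannot support, and enforces the rule with a default-deny check. The resource name "payroll", the action names "provide" and "modify", the department names and the users are all assumptions chosen to match the objective's wording.

```python
"""From a security objective to operational rules to an enforced access check.

Added example, not from the NIST Handbook or this newsletter. The resource,
action and department names below are assumptions chosen to match the
handbook's sample objective; the users are constructed.
"""
from dataclasses import dataclass

# The handbook's sample objective, quoted as the starting point.
OBJECTIVE = ("Only individuals in the accounting and personnel departments are "
             "authorized to provide or modify information used in payroll processing.")


@dataclass(frozen=True)
class Rule:
    """One operational security rule: which departments may do which actions on a resource."""
    resource: str
    actions: frozenset
    departments: frozenset


# Operational rule derived from the objective. Note what the objective does NOT
# say: it is silent on who may read payroll data. Under default deny that means
# nobody can, until management makes that decision and adds a rule.
RULES = (
    Rule("payroll", frozenset({"provide", "modify"}), frozenset({"accounting", "personnel"})),
)


@dataclass(frozen=True)
class User:
    name: str
    department: str


def build_acl(rules):
    """Derive an access control list (resource -> action -> departments) from the rules.

    This is the step the handbook says program and issue-specific policy alone
    cannot support: the operational rules are concrete enough to become an ACL.
    """
    acl = {}
    for rule in rules:
        for action in rule.actions:
            acl.setdefault(rule.resource, {}).setdefault(action, set()).update(rule.departments)
    return acl


def is_permitted(user, action, resource, rules=RULES):
    """Default-deny check: permitted only if some rule explicitly allows it."""
    for rule in rules:
        if rule.resource == resource and action in rule.actions and user.department in rule.departments:
            return True, f"{user.name} ({user.department}) may {action} {resource}"
    return False, f"{user.name} ({user.department}) may not {action} {resource}: no rule permits it"


def audit(requests, rules=RULES):
    """Evaluate a batch of (user, action, resource) requests and return decision records."""
    return [(u.name, a, r, *is_permitted(u, a, r, rules)) for u, a, r in requests]


if __name__ == "__main__":
    alice = User("alice", "accounting")   # constructed user
    bob = User("bob", "it")               # constructed user
    print(OBJECTIVE)
    print("derived ACL:", build_acl(RULES))
    for rec in audit([(alice, "modify", "payroll"), (bob, "modify", "payroll"), (alice, "read", "payroll")]):
        print(rec)
```

The third request in the usage block is the instructive one: the objective authorizes providing and modifying payroll information but says nothing about reading it, so a default-deny implementation refuses even an accounting user's read. That gap is a management decision, not an administrator's, which is the point section 5.3 makes about who owns system-level policy choices.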


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.