July 26, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - As a result of the crisis and to help protect your staff, I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - EU court kills Privacy Shield, wreaks havoc on digital economy -
The EU court decision in the Schrems II case that effectively kills
the Privacy Shield pact hammered out four years ago between the U.S.
and EU could cripple multinational companies’ ability to operate as
they scramble to scrutinize their data transfer mechanisms.
https://www.scmagazine.com/home/security-news/eu-court-kills-privacy-shield-wreaks-havoc-on-digital-economy/
Credit union's lawsuit against Fiserv is a test for cybersecurity
liability - After more than a year of legal wrangling and
bureaucratic delays, a major lawsuit is moving forward against a
fintech giant for its allegedly lax cybersecurity practices.
https://www.cyberscoop.com/fiserv-bessemer-credit-union-lawsuit-cyber-consequences/
How Do CCPA and GDPR Differ? CCPA Requires More Effective Data
Management - The enforcement deadline for the California Consumer
Privacy Act (CCPA) passed a couple of weeks ago, so for all intents
and purposes it’s now in effect. The CCPA was modeled after the
European Union’s General Data Protection Regulation (GDPR) that
requires companies to share how personal data gets collected and
gives consumers the option to have their data deleted.
https://www.scmagazine.com/home/opinion/executive-insight/how-do-ccpa-and-gdpr-differ-ccpa-requires-more-effective-data-management/
Twitter hack is a reminder of the dangers of unfettered employee
access - Twitter’s acknowledgement that a “coordinated social
engineering campaign” involving multiple employees was behind a hack
of prominent verified accounts raises significant questions as to
whether business organizations are implementing effective security
controls that limit potential insider threats’ access to back-end
administrative tools.
https://www.scmagazine.com/home/security-news/insider-threats/twitter-hack-is-a-reminder-of-the-dangers-of-unfettered-employee-access/
IDENTITY THEFT RESOURCE CENTER SEES A DATA BREACH DECREASE IN FIRST
QUARTER OF 2020 - Since 2005, the Identity Theft Resource Center has
compiled publicly-reported U.S. data breaches as part of our data
breach tracking efforts.
https://www.idtheftcenter.org/identity-theft-resource-center-sees-a-data-breach-decrease-in-first-quarter-of-2020/
Here's what that Capital One court decision means for corporate
cybersecurity - When a judge ruled last month that Capital One must
provide outsiders with a third-party incident response report
detailing the circumstances around the bank’s massive data breach,
the cybersecurity world took notice.
https://www.cyberscoop.com/capital-one-incident-response-mandiant-decision/
COVID-19 accounts for most 2020 cyberattacks - The pandemic has
served as a catalyst for much of the hacking increases during the
first half of 2020, with weekly COVID-19-related phishing attacks
growing from under 5,000 in February to more than 200,000 in late
April.
https://www.scmagazine.com/home/security-news/covid-19-accounts-for-most-2020-cyberattacks/
Fast-charging hacks can melt phones, compromise firmware -
Fast-charging technology might let users charge their mobile phones
within minutes instead of hours – that is, if a hacker doesn’t cause
them to catch on fire.
https://www.scmagazine.com/home/mobile-end-point-security/fast-charging-hacks-can-melt-phones-compromise-firmware/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Russia is totally hacking the West's labs in search of
COVID-19 vaccine files, say UK, US, Canada cyber-spies - Russian
hackers at the state's FSB spy agency have been caught breaking into
Western institutions working on potential vaccines for the COVID-19
coronavirus in hope of stealing said research.
https://www.theregister.com/2020/07/16/russia_coronavirus_hacking/
The Fake Cisco - Producing counterfeit products is, and always was,
a great business if you don't mind being on the wrong side of
things. No need to invest in a costly R&D process, no need to select
the best performing and looking materials; the only criterion is the
cost of manufacture.
https://labs.f-secure.com/publications/the-fake-cisco/
Phishing attack hid in Google Cloud Services - Details of a phishing
attack concealed in Google Cloud Services point to a fast-growing
trend that has hackers disguising malicious activities in cloud
service providers.
https://www.scmagazine.com/home/security-news/cloud-security/phishing-attack-hid-in-google-cloud-services/
Lorien Health Services discloses ransomware attack affecting nearly
50,000 - Lorien Health Services in Maryland announced that it was
the victim of a ransomware incident in early June. Data was stolen
and then encrypted during the incident.
https://www.bleepingcomputer.com/news/security/lorien-health-services-discloses-ransomware-attack-affecting-nearly-50-000/
Two more cyber-attacks hit Israel's water system - First attack hit
in April when hackers tried to modify water chlorine levels,
officials said. Two more cyber-attacks have hit Israel's water
management facilities, officials from the Water Authority said last
week.
https://www.zdnet.com/article/two-more-cyber-attacks-hit-israels-water-system/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or services;
2) patent or trademark holders for infringement by the third party; and
3) persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for
terminating the link. Third parties, whether they provide services
directly to customers or are merely intermediaries, may enter into
bankruptcy, liquidation, or reorganization during the period of the
agreement. The quality of their products or services may decline, as
may the effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
FFIEC IT SECURITY - This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for security patches and upgrades?
3) How does the vendor distribute security information and patches?
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.3 Step 3: Anticipating Potential Contingencies or Disasters
Although it is impossible to think of all the things that can go
wrong, the next step is to identify a likely range of problems. The
development of scenarios will help an organization develop a plan to
address the wide range of things that can go wrong.
Scenarios should include small and large contingencies. While some
general classes of contingency scenarios are obvious, imagination
and creativity, as well as research, can point to other possible,
but less obvious, contingencies. The contingency scenarios should
address each of the resources described above. The following are
examples of some of the types of questions that contingency
scenarios may address:
Human Resources: Can people get to work? Are key personnel willing to cross a picket line? Are there critical skills and knowledge possessed by one person? Can people easily get to an alternative site?
Processing Capability: Are the computers harmed? What happens if some of the computers are inoperable, but not all?
Automated Applications and Data: Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?
Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?
Infrastructure: Do people have a place to sit? Do they have equipment to do their jobs? Can they occupy the building?
Documents/Paper: Can needed records be found? Are they readable?
Examples of Some Less Obvious Contingencies
1. A computer center in the basement of a building had a minor
problem with rats. Exterminators killed the rats, but the bodies
were not retrieved because they were hidden under the raised
flooring and in the pipe conduits. Employees could only enter the
data center with gas masks because of the decomposing rats.
2. After the World Trade Center explosion when people reentered
the building, they turned on their computer systems to check for
problems. Dust and smoke damaged many systems when they were turned
on. If the systems had been cleaned first, there would not have been
significant damage.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.