August 1, 2021
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with 40 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Two cyber insurance industry
initiatives grapple with rise of ransomware - Twice in the past few
weeks, insurers have joined together in response to the spiraling
ransomware attacks that have rocked their industry.
https://www.cyberscoop.com/cyberacuview-apcia-cyber-insurance-ransomware/
FYI - Big ransomware attacks could
bring hidden credit implications for targeted industries - A major
credit rating agency is warning that ransomware attacks can not only
lead to outages and downstream infection of a victim’s customers, it
can also have a material impact on the credit of entire industries.
https://www.scmagazine.com/analysis/ransomware/the-bottom-line-big-ransomware-attacks-could-bring-hidden-credit-implications-for-targeted-industries
EU moves to deanonymize cryptocurrency - The European Commission
proposed a package of laws this week to combat money laundering and
financial crime, including a move to expand money-laundering rules
to cryptocurrency. Bringing anti-money-laundering (AML) rules into
the digital currency domain is often mentioned as a key component of
mitigating ransomware.
https://www.scmagazine.com/analysis/cryptocurrency/eu-moves-to-deanonymize-cryptocurrency
Exposed: In wake of COVID-19 tech buying surge, medical device
security in need of overhaul - In the rush to respond to COVID-19,
many health care providers swiftly onboarded technologies to support
the nation’s response and enable the rapid adoption of remote
digital health platforms, such as connected medical devices and
telemedicine tools.
https://www.scmagazine.com/feature/asset-management/in-wake-of-covid-19-tech-buying-surge-medical-device-security-requires-overhaul
CISA issues malware analysis reports from ongoing Pulse row -
Building on its ongoing guidance involving actively exploited
vulnerabilities in Ivanti's Pulse Secure products, the Cybersecurity
and Infrastructure Security Agency released 13 malware analysis
reports Wednesday.
https://www.scmagazine.com/news/malware/cisa-issues-malware-analysis-reports-from-ongoing-pulse-row
Kaseya delivers third-party decryption key to unlock files of
ransomware victims - Kaseya, the IT company hit by ransomware in
early July, confirmed in a statement that it has obtained a
decryption key from a third party.
https://www.scmagazine.com/news/ransomware/kaseya-delivers-third-party-decryption-key-to-unlock-files-of-ransomware-victims
TSA pushes more cybersecurity mandates on critical pipeline owners,
emphasizing ransomware - The Transportation Security Administration
on Tuesday handed down additional cybersecurity requirements for
owners of major pipelines, this time focused on ransomware.
https://www.cyberscoop.com/tsa-pipeline-ransomware-directive/
Law enforcement, CISA lobby for breach reporting requirement - At a
Senate Judiciary hearing covering a diverse array of ransomware
policy options, witnesses from the Department of Justice, FBI, CISA
and the Secret Service backed widely discussed proposals to require
enterprises to report breaches to the federal government.
https://www.scmagazine.com/analysis/legislation/law-enforcement-cisa-lobby-for-breach-reporting-requirement
Cloud mishaps will worsen in the year ahead, say majority of
security pros - A survey of cloud security professionals by Fugue
has found that 36% of organizations suffered a serious cloud
security leak or breach in the past 12 months – and 64% say the
problem will get worse or remain unchanged in the year ahead.
https://www.scmagazine.com/news/cloud-security/cloud-mishaps-will-worsen-in-the-year-ahead-say-majority-of-security-pros
Health care sees largest data breach costs at $9.23M, while 76% fail
to secure supply chain - The average cost of a data breach in the
health care sector tops $9.23 million, the highest of all 17 sectors
analyzed for the IBM Security 2021 Cost of a Data Breach Report.
Meanwhile, a new CynergisTek report shows 76% of providers are
failing to secure their supply chains, one of the sector's biggest
blind spots.
https://www.scmagazine.com/feature/breach/health-care-sees-largest-data-breach-costs-at-9-23m-while-76-fail-to-secure-supply-chain
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Akamai has trouble and the
internet hiccups again - If your internet's acting up today, it's
not you. It's the internet. Specifically, major content delivery
network Akamai is having DNS trouble. You've heard it before, you'll
hear it again. Once more with feeling, the internet is having real
trouble as we move into July 22's early afternoon on the US East
coast.
https://www.zdnet.com/article/akamai-has-trouble-and-the-internet-hiccups-up-again/
Saudi Aramco confirms data leak after $50 million cyber ransom
demand - Saudi Aramco, the world’s largest oil producer, confirmed
on Wednesday that some of its company files had been leaked via a
contractor, after a cyber extortionist claimed to have seized troves
of its data last month and demanded a $50 million ransom from the
company.
https://arstechnica.com/information-technology/2021/07/saudi-aramco-confirms-data-leak-after-50-million-cyber-ransom-demand/
Florida DEO Discloses Data Breach Affecting 58,000 Accounts -
Florida's Department of Economic Opportunity (DEO) has disclosed a
data breach that affected its unemployment benefits system and
targeted 57,920 claimant accounts.
https://www.darkreading.com/attacks-breaches/florida-deo-discloses-data-breach-affecting-58-000-accounts
Brazil creates cyberattack response network - Federal government
bodies unite to share information and better respond to major
incidents. Brazil has created a cyberattack response network aimed
at promoting faster response to cyber threats and vulnerabilities
through coordination between federal government bodies.
https://www.zdnet.com/article/brazil-creates-cyberattack-response-network/
WEB SITE COMPLIANCE -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to
allow the users only the access rights they were granted. Since
access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual's business needs for system
use changes. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution's systems.
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning, and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
with risk.
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are installed with default
users, with at least one default user having full access rights.
Easily obtainable lists of popular software exist that identify the
default users and passwords, enabling anyone with access to the
system to obtain the default user's access. Default user accounts
should either be disabled, or the authentication to the account
should be changed. Additionally, access to these default accounts
should be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
anonymous access.
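The periodic review described above (accounts reconciled against current job status, remote-access and administrator accounts handled first, vendor default accounts disabled or re-credentialed) can be run as a simple reconciliation. This is an added example, not text or code from the FFIEC booklet; the account fields, roster statuses, default-account list and sample data are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed list of vendor default account names; real lists are product-specific.
DEFAULT_ACCOUNTS = {"admin", "guest", "anonymous"}

@dataclass
class Account:
    user: str
    enabled: bool
    remote_access: bool = False
    admin: bool = False

@dataclass
class Person:
    user: str
    status: str  # "active", "transferred", "resigned" or "terminated"

def review_access(accounts, roster):
    """Reconcile system accounts against the HR roster.

    Returns (severity, user, reason) tuples sorted highest severity first, so
    remote-access and administrative accounts are dealt with before the rest.
    """
    people = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        # Default accounts must be disabled or re-credentialed; an enabled one
        # is a finding regardless of who is thought to own it.
        if acct.user in DEFAULT_ACCOUNTS:
            if acct.enabled:
                findings.append(("high", acct.user, "default account still enabled"))
            continue
        person = people.get(acct.user)
        if person is None or person.status in ("resigned", "terminated"):
            if not acct.enabled:
                findings.append(("low", acct.user, "disabled but not removed"))
            elif acct.remote_access or acct.admin:
                findings.append(("high", acct.user, "remote/admin rights, no active employee"))
            else:
                findings.append(("medium", acct.user, "no active employee; remove"))
        elif person.status == "transferred" and acct.enabled:
            findings.append(("medium", acct.user, "job change; re-validate access rights"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    return findings

# Constructed sample data for a stand-alone run.
SAMPLE_ACCOUNTS = [
    Account("admin", enabled=True, admin=True), Account("guest", enabled=False),
    Account("jdoe", enabled=True, remote_access=True), Account("asmith", enabled=True),
    Account("bjones", enabled=True, admin=True), Account("contractor7", enabled=True, remote_access=True),
    Account("oldtemp", enabled=False),
]
SAMPLE_ROSTER = [Person("jdoe", "terminated"), Person("asmith", "transferred"), Person("bjones", "active")]

if __name__ == "__main__":
    for sev, user, reason in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print(f"{sev:6} {user:12} {reason}")
```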
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.9 Interdependencies
Physical and environmental security measures rely on and support
the proper functioning of many of the other areas discussed in this
handbook. Among the most important are the following:
Logical Access Controls. Physical security controls augment
technical means for controlling access to information and
processing. Even if the most advanced and best-implemented logical
access controls are in place, if physical security measures are
inadequate, logical access controls may be circumvented by directly
accessing the hardware and storage media. For example, a computer
system may be rebooted using different software.
Contingency Planning. A large portion of the contingency
planning process involves the failure of physical and environmental
controls. Having sound controls, therefore, can help minimize losses
from such contingencies.
Identification and Authentication (I&A). Many physical
access control systems require that people be identified and
authenticated. Automated physical security access controls can use
the same types of I&A as other computer systems. In addition, it is
possible to use the same tokens (e.g., badges) as those used for
other computer-based I&A.
Other. Physical and environmental controls are also closely
linked to the activities of the local guard force, fire house, life
safety office, and medical office. These organizations should be
consulted for their expertise in planning controls for the systems
environment.
15.10 Cost Considerations
Costs associated with physical security measures range greatly.
Useful generalizations about costs, therefore, are difficult to make.
Some measures, such as keeping a door locked, may be a trivial
expense. Other features, such as fire-detection and -suppression
systems, can be far more costly. Cost considerations should include
operation. For example, adding controlled-entry doors requires
persons using the door to stop and unlock it. Locks also require
physical key management and accounting (and rekeying when keys are
lost or stolen). Often these effects will be inconsequential, but
they should be fully considered. As with other security measures,
the objective is to select those that are cost-beneficial.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.