August 2, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - As a result of the crisis and to help protect your staff, I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - 5 traits all the best CISOs have - As someone regularly hired to
lead red-team engagements that hack into Fortune 500 organizations,
I’ve had the opportunity to work with - and go up against - many
different types of security leaders.
https://www.scmagazine.com/perspectives/5-things-the-best-cisos-do/
Federal agencies warn foreign hackers are targeting critical
infrastructure - The National Security Agency (NSA) and the
Department of Homeland Security’s Cybersecurity and Infrastructure
Security Agency (CISA) on Thursday warned that foreign hackers are
attempting to target U.S. critical infrastructure.
https://thehill.com/policy/cybersecurity/508748-federal-agencies-warn-foreign-hackers-are-targeting-critical
Chinese-made drone app may be spying on Americans - An Android
application that controls a drone manufactured by China-based Da
Jiang Innovations (DJI) contains a self-update feature that bypasses
the Google Play Store, thus creating the ability for the app to
transmit sensitive personal information to DJI’s servers or possibly
the Chinese government.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/chinese-made-drone-app-may-be-spying-on-americans/
Broadened CIA cyberattack powers put businesses on alert - The
greater business community should be on higher alert for
cyberattacks by nation-state actors after the report last week that
President Trump signed a “presidential finding” around cyberwarfare
that gives the CIA broader powers to launch cyberattacks against
U.S. adversaries.
https://www.scmagazine.com/home/security-news/broadened-cia-cyberattack-powers-put-businesses-on-alert/
Thinking of a Cybersecurity Career? Read This - Thousands of people
graduate from colleges and universities each year with cybersecurity
or computer science degrees only to find employers are less than
thrilled about their hands-on, foundational skills.
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
Critical VPN vulnerabilities pose danger to OT networks - The VPN
approach for remote security may not be as secure as previously
believed, new research has found.
https://www.scmagazine.com/home/security-news/critical-vpn-vulnerabilities-pose-danger-to-ot-networks/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Dave ShinyHunters hack exposes 7.5 million user records -
Overdraft protection and cash advance service Dave suffered a data
breach that appeared to involve the practices of a former
third-party vendor, resulting in its database containing 7.5 million
user records being sold at auction and then released later for free
on hacker forums.
https://www.scmagazine.com/home/security-news/dave-shinyhunters-hack-exposes-7-5-million-user-records/
Twitter hackers accessed direct messages for 36 accounts - The
hackers who ran a cryptocurrency scam using high-profile, verified
Twitter accounts, including those belonging to Joe Biden, Apple,
Bill Gates, Uber and Barack Obama, accessed the direct messages
(DMs) of 36 accounts and downloaded account data from eight accounts
via “Your Twitter Data.”
https://www.scmagazine.com/home/security-news/twitter-hackers-accessed-direct-messages-for-36-accounts/
Instacart customer accounts for sale on dark web - Instacart may
have offered Americans a way to stay safe during the pandemic by
doing their grocery shopping online but now the grocery app may have
put customers at risk after 278,531 accounts were found on sale in
two dark web stores.
https://www.scmagazine.com/home/security-news/instacart-customer-accounts-for-sale-on-dark-web/
Misconfigured S3 exposes Twilio users to Magecart attack - A
misconfiguration in an S3 bucket that was hosting a Twilio
JavaScript library allowed a threat actor to inject code that
made Twilio users' browsers load an extraneous URL that has
been associated with the Magecart group of attacks.
https://www.scmagazine.com/home/security-news/misconfigured-s3-exposes-twilio-users-to-magecart-attack/
Congrats, First American Title Insurance, you've made technology
history. For all the wrong reasons - A California-based insurer that
inadvertently left tens of millions of private customer records open
to the internet has become the first company to be charged by New
York's Department of Financial Services (DFS) for cybersecurity rule
violations.
https://www.theregister.com/2020/07/23/american_title_insurance_ny/
Garmin services and production go down after ransomware attack -
Smartwatch and wearables maker Garmin has shut down several of its
services on July 23 to deal with a ransomware attack that has
encrypted its internal network and some production systems, ZDNet
has learned.
https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
GEDmatch confirms data breach after users’ DNA profile data made
available to police - GEDmatch, the DNA analysis site that police
used to catch the so-called Golden State Killer, was pulled briefly
offline on Sunday while its parent company investigated how its
users’ DNA profile data apparently became available to law
enforcement searches.
https://techcrunch.com/2020/07/22/gedmatch-investigating-dna-profile-law-enforcement/
https://www.scmagazine.com/home/security-news/cybercrime/dna-companies-vulnerable-to-phishing-privacy-violations-after-attacks/
SEI Investments customer data exposed in ransomware attack on vendor
- A May ransomware attack on M.J. Brunner Inc. exposed data
pertaining to clients of SEI Investments Co., among them money
managers like Pacific Investment Management Co. (Pimco), Fortress
Investment Group LLC and Centerbridge Partners.
https://www.scmagazine.com/home/security-news/ransomware/sei-investments-customer-data-exposed-in-ransomware-attack-on-vendor/
Avon attackers may have exploited unprotected web server - An openly
accessible web server has emerged as a possible attack vector used
by cybercriminals in a reported ransomware incident that affected
personal care and beauty marketer Avon Products last June.
https://www.scmagazine.com/website-web-server-security/did-avon-attackers-exploit-an-unprotected-web-server-as-a-path-of-least-resistance/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous
webpage disclosures to explain their limited role and responsibility
with respect to products and services offered through linked
third-party websites. The level of detail of the disclosure and its
prominence should be appropriate to the harm that may ensue from
customer confusion inherent in a particular link. The institution
might post a disclosure stating it does not provide, and is not
responsible for, the product, service, or overall website content
available at a third-party site. It might also advise the customer
that its privacy policies do not apply to linked websites and that a
viewer should consult the privacy disclosures on that site for
further information. The conspicuous display of the disclosure,
including its placement on the appropriate webpage, by effective use
of size, color, and graphic treatment, will help ensure that the
information is noticeable to customers. For example, if a financial
institution places an otherwise conspicuous disclosure at the bottom
of its webpage (requiring a customer to scroll down to read it),
prominent visual cues that emphasize the information's importance
should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java
or ActiveX, when the customer clicks on a particular hyperlink.
Mobile code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile code.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
customer.
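The following is an added example, not part of the FFIEC statement, showing the two techniques the statement describes in one place: the disclosure text from "Disclaimers and Disclosures" and the server-side "speedbump" exit page. The statement's phrase "created within the institution's operating system" means the warning page is rendered by the institution's own web application rather than by browser-side mobile code, which is what this code does. The route (/exit), the parameter name (to), the institution name and the link registry are assumptions made for illustration. It also adds the check a practitioner wants on any exit page: the destination is matched against an allowlist, because an exit page that forwards any URL it is given becomes an open redirect that phishers use to put the bank's domain in front of their own links.

```python
"""Server-side "speedbump" (exit interstitial) for third-party weblinks.

Added example; not from the FFIEC statement. The route (/exit), the query
parameter (to), the institution name and the approved-link registry are
assumptions for illustration.
"""
from html import escape
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

INSTITUTION = "Example Bank"  # assumed name

# Registry of reviewed third-party destinations (constructed sample data).
# The exit page only ever forwards to one of these exact URLs.
APPROVED_LINKS = {
    "https://www.example-insurance.test/quote",
    "https://cards.example-partner.test/apply",
}


def exit_link(target: str) -> str:
    """Link the institution's own pages use instead of linking out directly."""
    return "/exit?" + urlencode({"to": target})


def is_approved(target: str) -> bool:
    """Exact allowlist match after conservative normalization.

    Rejects the usual open-redirect tricks: userinfo '@', backslashes,
    control characters, protocol-relative '//host', javascript: and http:.
    """
    if len(target) > 2048 or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    if not parts.hostname:
        return False
    netloc = parts.hostname.lower() + (f":{port}" if port else "")
    canonical = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return canonical in APPROVED_LINKS


def speedbump(query_target: Optional[str]) -> Tuple[int, str]:
    """Handle GET /exit?to=<url>: return (HTTP status, HTML body).

    The response is a 200 with a link the customer must click, never a 3xx
    redirect, so the disclosure is always shown and cannot be suppressed
    the way a client-side pop-up can.
    """
    if query_target is None or not is_approved(query_target):
        return 400, "<p>That link is not an approved destination.</p>"
    safe = escape(query_target, quote=True)
    bank = escape(INSTITUTION)
    body = (
        f"<h1>You are leaving {bank}</h1>"
        f"<p>{bank} does not provide, and is not responsible for, the products, "
        "services or content of the site you are about to visit. Our privacy "
        "policy does not apply there; review that site's own privacy disclosures.</p>"
        f'<p><a href="{safe}" rel="noopener noreferrer">Continue to {safe}</a> '
        '| <a href="/">Return to our site</a></p>'
    )
    return 200, body


if __name__ == "__main__":
    for t in ["https://cards.example-partner.test/apply", "https://evil.test/", "//evil.test/apply"]:
        status, _ = speedbump(t)
        print(t, "->", status)
```

The institution's pages link to exit_link(url) rather than to the third-party URL itself, so every outbound click passes through speedbump(); a destination that is not in the registry gets a 400 rather than a forward.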
FFIEC IT SECURITY - We begin a new series from the FDIC "Security Risks Associated with the Internet." While this Financial Institution Letter was published in December 1997, the issues are still relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
compromise.
Security Risks
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including
electronic mail, travel openly over the Internet and can be
monitored or read by others. Given the volume of transmissions and
the numerous paths available for data travel, it is unlikely that a
particular transmission would be monitored at random. However,
programs, such as "sniffer" programs, can be set up at opportune
locations on a network, like Web servers (i.e., computers that
provide services to other computers on the Internet), to simply look
for and collect certain types of data. Data collected from such
programs can include account numbers (e.g., credit cards, deposits,
or loans) or passwords.
Due to the design of the Internet, data privacy and
confidentiality issues extend beyond data transfer and include any
connected data storage systems, including network drives. Any data
stored on a Web server may be susceptible to compromise if proper
security precautions are not taken.
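The sniffer scenario above, as an added example that is not part of the FDIC letter: the four captured requests are constructed sample data (a made-up host, users, password and the standard 4111... test card number), and the extraction logic is the kind of pattern matching a sniffer runs over cleartext. The same extractor run by a defender over traffic captured on the institution's own network is a way to find credentials travelling unprotected before an attacker does. The fourth capture is the start of a TLS handshake, from which nothing is recoverable, which is the point of encrypting in transit.

```python
"""What a passive "sniffer" recovers from unprotected traffic.

Added example; not from the FDIC letter. All captures below are constructed.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

CAPTURED_REQUESTS = [
    # 1. Basic authentication in the clear (base64 is encoding, not encryption).
    b"GET /accounts HTTP/1.1\r\nHost: bank.example.test\r\n"
    b"Authorization: Basic amRvZTpTdW1tZXIyMDIw\r\n\r\n",
    # 2. Login form posted over plain HTTP, card number included.
    b"POST /login HTTP/1.1\r\nHost: bank.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 53\r\n\r\n"
    b"user=asmith&password=Hunter2%21&card=4111111111111111",
    # 3. A 16-digit reference number that is not a card (fails the Luhn check).
    b"GET /pay?ref=4111111111111112 HTTP/1.1\r\nHost: bank.example.test\r\n\r\n",
    # 4. First bytes of a TLS ClientHello: opaque to a sniffer.
    b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32,
]


def parse_http(raw: bytes) -> Optional[Tuple[Dict[str, str], bytes]]:
    """Split a cleartext HTTP/1.x request into (lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep random digit runs out of the card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_secrets(raw: bytes) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs a sniffer can lift from one captured request."""
    found: List[Tuple[str, str]] = []
    parsed = parse_http(raw)
    if parsed is None:
        return found  # not cleartext HTTP (e.g. a TLS record): nothing recoverable
    headers, body = parsed
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            found.append(("basic-auth", base64.b64decode(auth[6:], validate=True).decode("utf-8")))
        except (ValueError, UnicodeDecodeError):
            pass
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("latin-1")).items():
            if re.search(r"pass|pwd|pin|secret", key, re.I):
                found.extend(("form:" + key, v) for v in values)
    for m in re.finditer(rb"(?<!\d)(\d{13,19})(?!\d)", raw):
        number = m.group(1).decode()
        if luhn_ok(number):
            found.append(("card", number))
    return found


if __name__ == "__main__":
    for i, req in enumerate(CAPTURED_REQUESTS, 1):
        print(i, extract_secrets(req))
```

As the FDIC letter says of stored data, the same exposure exists at rest: everything the extractor pulls from capture 1 and 2 is equally readable in an unencrypted request log on the Web server.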
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical Functions
Resources That Support Critical Functions:
- Human Resources
- Processing Capability
- Computer-Based Services
- Data and Applications
- Physical Infrastructure
- Documents and Papers
11.2.1 Human Resources
People are perhaps an organization's most obvious resource. Some
functions require the effort of specific individuals, some require
specialized expertise, and some only require individuals who can be
trained to perform a specific task. Within the information
technology field, human resources include both operators (such as
technicians or system programmers) and users (such as data entry
clerks or information analysts).
Contingency Planning Teams - To understand what resources
are needed from each of the six resource categories and to
understand how the resources support critical functions, it is often
necessary to establish a contingency planning team. A typical team
contains representatives from various organizational elements, and
is often headed by a contingency planning coordinator. It has
representatives from the following three groups:
1) business-oriented groups, such as representatives from
functional areas;
2) facilities management; and
3) technology management.
Various other groups are called on as needed including financial
management, personnel, training, safety, computer security, physical
security, and public affairs.
11.2.2 Processing Capability
Traditionally contingency planning has focused on processing power
(i.e., if the data center is down, how can applications dependent on
it continue to be processed?). Although the need for data center
backup remains vital, today's other processing alternatives are also
important. Local area networks (LANs), minicomputers, workstations,
and personal computers in all forms of centralized and distributed
processing may be performing critical tasks.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.