R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

August 6, 2023

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FFIEC IT audits - I am performing FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

2023 SANS Security Awareness Report - Complimentary copy of the 2023 SANS Secu

What the industry must do to attract more women into cybersecurity - The excitement and fulfillment derived from working in cybersecurity and the SOC are often powerful motivators to draw more women into this fun and rewarding field. https://www.scmagazine.com/perspective/what-the-industry-must-do-to-attract-more-women-into-cybersecurity

Crooks pwned your servers? You've got four days to tell us, SEC tells public companies - Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission. https://www.theregister.com/2023/07/26/sec_reporting_security/

GOVERNMENT:

TSA Updates Pipeline Cybersecurity Requirements - The TSA has released updated cybersecurity requirements for pipeline owners and operators, instructing them to test assessment and incident response plans. The Transportation Security Administration (TSA) announced on Wednesday an update to its cybersecurity requirements for oil and natural gas pipeline owners and operators. https://www.securityweek.com/tsa-updates-pipeline-cybersecurity-requirements/

Biden Administration Unveils National Cyber Workforce and Education Strategy - The National Cyber Workforce and Education Strategy (NCWES) aims to fill cyber workforce vacancies across the country and improve diversity and inclusion in the field. https://healthitsecurity.com/news/biden-administration-unveils-national-cyber-workforce-and-education-strategy

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

MOVEit bug tied to breach of up to 11M records via government contractor - The number of organizations hit by the MOVEit file transfer application bug now includes government contractor Maximus. Impacted in the attack are up to 11 million Maximus customers. https://www.scmagazine.com/news/moveit-bug-tied-to-breach-of-up-to-11m-records-via-govt-contractor

Ivanti Zero-Day Exploit Disrupts Norway's Government Services - A zero-day authentication bypass vulnerability in Ivanti software was exploited to carry out an attack on the Norwegian Ministries Security and Service Organization. https://www.darkreading.com/dr-global/ivanti-zero-day-exploit-disrupts-norway-government-services

China-backed hackers suspected in NetScaler RCE attacks - An unidentified espionage-focused hacking group believed to be aligned to the Chinese government is being blamed for recent attacks against Citrix NetScaler application delivery controller (ADC) appliances exploiting a now-patched zero-day bug. https://www.scmagazine.com/news/china-backed-hackers-suspected-netscaler-rce-attacks

Israel's largest oil refinery website offline after DDoS attack - Website of Israel's largest oil refinery operator, BAZAN Group is inaccessible from most parts of the world as threat actors claim to have hacked the Group's cyber systems. https://www.bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-after-ddos-attack/

Exclusive: Pentagon Investigates ‘Critical Compromise’ Of Air Force Communications Systems - The Pentagon is investigating what it has called a “critical compromise” of communications across 17 Air Force facilities by one of its engineers, according to a search warrant obtained by Forbes. https://www.forbes.com/sites/thomasbrewster/2023/07/29/exclusive-pentagon-suffers-critical-compromise-of-air-force-communications


WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.


FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)

Tokens

Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer, such as an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.
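As an added illustration, not part of the FDIC text, the time-synchronized token scheme described above in Python: token and host share a seed and each derives the one-time password from the current 30-second time step, so no password ever travels from host to token. The HMAC-SHA1 construction of RFC 4226/6238 is an assumption (the FDIC text names no algorithm), as are the PIN gating, the one-step clock-drift window and the one-use rule on the host side.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # length of the time slot that token and host both count
DIGITS = 6          # length of the displayed one-time password


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def time_step(unix_time: int) -> int:
    """The 'internal clock' both sides are synchronized on, quantized to steps."""
    return unix_time // STEP_SECONDS


class Token:
    """Hand-held device: holds the seed and a PIN; emits a code only when unlocked."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def generate(self, pin: str, unix_time: int) -> Optional[str]:
        # The separate PIN activates the token; a wrong PIN yields no code at all.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        return hotp(self._seed, time_step(unix_time))


class Host:
    """Host-side verifier: same seed, tolerates +/-drift_steps of clock skew."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self._seed = seed
        self._drift = drift_steps
        self._last_step_used = -1   # highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = time_step(unix_time)
        for step in range(now_step - self._drift, now_step + self._drift + 1):
            if step <= self._last_step_used:
                continue   # a step is accepted once: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self._seed, step), code):
                self._last_step_used = step
                return True
        return False
```

The seed below is the RFC 4226 test secret, so the first two assertions can be checked against the published vectors.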

     
     Smart Cards

     
     Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.
     
     
Biometrics 
     
     Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY

5.3.3 System-Specific Policy Implementation

Technology plays an important - but not sole - role in enforcing system-specific policies. When technology is used to enforce policy, it is important not to neglect nontechnology-based methods. For example, technical system-based controls could be used to limit the printing of confidential reports to a particular printer. However, corresponding physical security measures would also have to be in place to limit access to the printer output or the desired security objective would not be achieved.

Technical methods frequently used to implement system-security policy are likely to include the use of logical access controls. However, there are other automated means of enforcing or supporting security policy that typically supplement logical access controls. For example, technology can be used to block telephone users from calling certain numbers. Intrusion-detection software can alert system administrators to suspicious activity or can take action to stop the activity. Personal computers can be configured to prevent booting from a floppy disk.

Technology-based enforcement of system-security policy has both advantages and disadvantages. A computer system, properly designed, programmed, installed, configured, and maintained, consistently enforces policy within the computer system, although no computer can force users to follow all procedures. Management controls also play an important role - and should not be neglected. In addition, deviations from the policy may sometimes be necessary and appropriate; such deviations may be difficult to implement easily with some technical controls. This situation occurs frequently if implementation of the security policy is too rigid (which can occur when the system analysts fail to anticipate contingencies and prepare for them).


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.