August 9, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI
- ‘We want to have more protection’: Arrested pen testers push for
Good Samaritan law - Prosecutors dropped felony criminal charges
against a pair of ethical pen testers arrested while assessing the
security of an Iowa courthouse. But the two men are not ready to
move on just yet.
https://www.scmagazine.com/home/security-news/legal-security-news/arrested-coalfire-pen-testers-push-for-good-samaritan-law/
New York, Siemens to develop cyber Center of Excellence for
utilities - Recognizing that the electric utility industry needs an
industry-specific response to its cybersecurity challenges, the New
York Power Authority (NYPA) and Siemens Energy plan to develop a
Cybersecurity Center of Excellence that will focus on building
practical security tools for small- and mid-sized utilities.
https://www.scmagazine.com/home/security-news/new-york-power-authority-siemens-energy-to-build-cybersecurity-center-of-excellence/
How to make security simple for IT users - Companies could make
corporate IT environments a lot safer from external threats if those
pesky humans would stop clicking on so many sketchy links. Or
sharing passwords. Or using bad passwords. Or finding loopholes in
the corporate security policy.
https://www.scmagazine.com/perspectives/how-to-make-security-simple-for-it-users/
Ransomware: How clicking on one email left a whole business in big
trouble - A food and drink manufacturer fell victim to a ransomware
attack and crucially didn't give in to the extortion demand - but it
could've been much worse.
https://www.zdnet.com/article/ransomware-how-clicking-on-one-phishing-email-left-a-whole-business-in-big-trouble/
GAO - The federal government has spent billions on information
technology projects that have failed or performed poorly. Some
agencies have had massive cybersecurity failures. These IT efforts
often suffered from ineffective management.
https://www.gao.gov/products/GAO-20-691T?utm_campaign=usgao_email&utm_content=topic_it&utm_medium=email&utm_source=govdelivery
Financial institutions likely to double down on security spending -
Prior to the pandemic, financial institutions spent an average
$2,700 on cybersecurity per full-time employee, up from $2,300 the
previous year. COVID-19 now drives the need for companies to
double down on cybersecurity going forward, according to a study from
Deloitte’s cyber risk and strategic risk services group in
conjunction with the Financial Services Information Sharing and
Analysis Center (FS-ISAC).
https://www.scmagazine.com/home/security-news/pandemic-accelerating-security-at-financial-institutions/
Emerging Products: Breach and attack simulation technologies -
Organizations have no way of knowing the efficacy of controls
configurations or the performance of existing security investments
without data from frequent assessments. Additionally, most
compliance standards today mandate regular security testing as part
of their frameworks.
https://www.scmagazine.com/home/reviews/emerging-products-breach-and-attack-simulation-technologies-2/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Ransomware gang publishes tens of GBs of internal data from LG and
Xerox - Maze gang publishes internal data from LG and Xerox after
failed extortion attempt. The operators of the Maze ransomware have
published today tens of GB of internal data from the networks of
enterprise business giants LG and Xerox following two failed
extortion attempts.
https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/
Confirmed: Garmin received decryptor for WastedLocker ransomware -
BleepingComputer can confirm that Garmin has received the decryption
key to recover their files encrypted in the WastedLocker Ransomware
attack.
https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/
First rule of Ransomware Club is do not pay the ransom, but it looks
like Carlson Wagonlit Travel didn't get the memo - $4.5m may have
gone into crims' pockets after bookings biz hit by Ragnar Locker
nasty - Exclusive US corporate travel management firm Carlson
Wagonlit Travel has suffered an intrusion and it is believed the
company paid a $4.5m ransom to get its data back.
https://www.theregister.com/2020/07/31/carlson_wagonlit_travel_ragnarlocker_ransom_paid/
Texas School District Forks Over $50K in Ransomware Attack - Athens
School District will pay hackers $50,000 in cryptocurrency after
district servers and data were encrypted. The cyberattack delayed
the start of the school year by at least another week.
https://www.govtech.com/security/Texas-School-District-to-Fork-Over-50K-in-Ransomware-Attack.html
Misconfigured servers contributed to more than 200 cloud breaches -
Misconfigured storage services in 93 percent of cloud deployments
have contributed to more than 200 breaches over the past two years,
exposing more than 30 billion records, according to a report from
Accurics, which predicted that cloud breaches are likely to increase
in both velocity and scale.
https://www.scmagazine.com/home/security-news/cloud-misconfigurations-contributed-to-more-than-200-breaches/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to
customer complaints, including those regarding the appropriateness
or quality of content, services, or products provided or the privacy
and security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
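The periodic link testing and content review described above can be partly automated. The following is an added example, not code from the FFIEC statement or from Yennik: each approved third-party link is re-fetched and compared against the fingerprint recorded when its content was reviewed, flagging links that are broken, that now redirect to a different host, or whose content has changed and needs re-review. The partner URLs, page bodies and the `fetch` stand-in are constructed so the check runs offline.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class LinkResult:
    url: str
    status: str   # "ok", "broken", "changed" or "redirected"
    detail: str

def fingerprint(body: bytes) -> str:
    """SHA-256 of the page body, recorded when the link content was approved."""
    return hashlib.sha256(body).hexdigest()

def check_links(baseline, fetch):
    """Re-test every approved link. baseline maps URL -> approved fingerprint;
    fetch(url) returns (http_status, final_url, body_bytes). In production fetch
    would wrap an HTTP client; here a fake is injected so the check runs offline."""
    results = []
    for url, approved in baseline.items():
        try:
            code, final_url, body = fetch(url)
        except Exception as exc:
            results.append(LinkResult(url, "broken", f"fetch failed: {exc}"))
            continue
        if code != 200:
            results.append(LinkResult(url, "broken", f"HTTP {code}"))
        elif urlparse(final_url).hostname != urlparse(url).hostname:
            results.append(LinkResult(url, "redirected", f"now served by {urlparse(final_url).hostname}"))
        elif fingerprint(body) != approved:
            results.append(LinkResult(url, "changed", "content differs from approved version; re-review"))
        else:
            results.append(LinkResult(url, "ok", ""))
    return results

# Constructed sample: hypothetical partner URLs and page bodies, not real sites.
A, B, C, D = ("https://partner-a.example/insurance", "https://partner-b.example/calculator",
              "https://partner-c.example/news", "https://partner-d.example/forms")
APPROVED = {A: b"<html>Approved insurance page</html>", B: b"<html>Mortgage calculator v1</html>",
            C: b"<html>Partner news</html>", D: b"<html>Forms</html>"}
BASELINE = {url: fingerprint(body) for url, body in APPROVED.items()}
LIVE = {  # what the current fetch returns: unchanged, content changed, gone, redirected off-host
    A: (200, A, APPROVED[A]),
    B: (200, B, b"<html>Mortgage calculator v2 - now with ads</html>"),
    C: (404, C, b""),
    D: (200, "https://unrelated-host.example/forms", APPROVED[D]),
}

def run_review():
    """Return {url: status} for the constructed sample; anything not 'ok' needs follow-up."""
    return {r.url: r.status for r in check_links(BASELINE, LIVE.__getitem__)}
```

Recording a new fingerprint after a content change should only happen once a person has re-reviewed the page, so the baseline keeps reflecting what was actually approved.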
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended
form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
communication.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.2.3 Automated Applications and Data
Computer systems run applications that process data. Without
current electronic versions of both applications and data,
computerized processing may not be possible. If the processing is
being performed on alternate hardware, the applications must be
compatible with the alternate hardware, operating systems and other
software (including version and configuration), and numerous other
technical factors. Because of the complexity, it is normally
necessary to periodically verify compatibility.
11.2.4 Computer-Based Services
An organization uses many different kinds of computer-based
services to perform its functions. The two most important are
normally communications services and information services.
Communications can be further categorized as data and voice
communications; however, in many organizations these are managed by
the same service. Information services include any source of
information outside of the organization. Many of these sources are
becoming automated, including on-line government and private
databases, news services, and bulletin boards.
11.2.5 Physical Infrastructure
For people to work effectively, they need a safe working
environment and appropriate equipment and utilities. This can
include office space, heating, cooling, venting, power, water,
sewage, other utilities, desks, telephones, fax machines, personal
computers, terminals, courier services, file cabinets, and many
other items. In addition, computers also need space and utilities,
such as electricity. Electronic and paper media used to store
applications and data also have physical requirements.
11.2.6 Documents and Papers
Many functions rely on vital records and various documents,
papers, or forms. These records could be important because of a
legal need (such as being able to produce a signed copy of a loan)
or because they are the only record of the information. Records can
be maintained on paper, microfiche, microfilm, magnetic media, or
optical disk.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.