August 15, 2021
Does your financial institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - August 11, 2021 - The OCC, FDIC,
and NCUA issued new guidance on risk management principles and
practices that support a financial institution's authentication of
(1) users accessing financial institution information systems,
including employees, board members, third parties, and other
systems, and (2) consumer and business customers accessing digital
banking services.
https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-36.html
https://www.fdic.gov/news/news/financial/2011/fil11050.html
https://www.ncua.gov/Resources/Documents/LCU2011-09.pdf
‘Do something!’ Action bias
causes risky, knee-jerk reactions to breaches - When a data security
incident happens, never say “Never again!” according to Josiah
Dykstra, technical fellow at the National Security Agency’s
Cybersecurity Collaboration Center.
https://www.scmagazine.com/analysis/black-hat/do-something-action-bias-causes-risky-knee-jerk-reactions-to-breaches
Will feds start to assess company risk of ransomware attacks?
They’re at least asking questions - The federal government appears
to be exploring options for assessing individual organizations or
entire vertical sectors for vulnerability to potential ransomware
attacks.
https://www.scmagazine.com/analysis/black-hat/will-feds-start-to-assess-company-risk-of-ransomware-attacks-theyre-at-least-asking-questions
As Attackers Circle, Federal Agencies Fail to Improve Cybersecurity
- Despite being the frequent target of nation-state and criminal
actors, nearly every US government agency gets a "C" or "D" for data
security, according to a new Senate report.
https://www.darkreading.com/security-monitoring/as-attackers-circle-federal-agencies-fail-to-improve-cybersecurity
Protecting Water Infrastructure Against Cyberattacks - Like many
critical infrastructure verticals, the water industry faces
increased cybersecurity risks. Water is managed locally or privately
depending on where you live, making it incredibly difficult to
regulate and manage.
https://www.threatlocker.com/blog/protecting-water-infrastructure-against-cyberattacks
Hackers netting average of nearly $10,000 for stolen network access
- The single most expensive offering seen by researchers was being
offered for about $95,000. A new report from a cybersecurity company
has spotlighted the thriving market on the dark web for network
access that nets cybercriminals thousands of dollars.
https://www.zdnet.com/article/hackers-netting-average-of-nearly-10000-for-stolen-network-access/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Audit finds some former WA
government staff still have systems access after termination - An
audit of three state government entities found none were
consistently meeting all the criteria of an effective and efficient
staff exit management process, with access to premises and IT
systems not cancelled within 24 hours of staff leaving or, in some
cases, at all.
https://www.zdnet.com/article/audit-finds-some-former-wa-government-staff-still-have-systems-access-after-termination/
Every company in new survey had at least one security incident in a
public cloud environment - The expansion of AWS services has led to
increased complexity, leading to 100% of companies surveyed for a
report released Wednesday by Vectra having experienced at least one
security incident in their public cloud environment.
https://www.scmagazine.com/news/cloud-security/every-company-in-new-survey-had-at-least-one-security-incident-in-a-public-cloud-environment
Misconfigured Salesforce Communities expose sensitive data in the
cloud - Researchers on Tuesday said they have discovered publicly
accessible Salesforce Communities that are misconfigured and
potentially expose sensitive information about companies, their
operations, clients, and partners.
https://www.scmagazine.com/news/cloud-security/misconfigured-salesforce-communities-expose-sensitive-data-in-the-cloud
Joplin: City Computer Shutdown Was Ransomware Attack - The insurer
for Joplin paid $320,00 to an unknown person after a ransomware
attack shut down the city government's computer system last month,
Joplin City Manager Nick Edwards said Thursday.
https://www.securityweek.com/joplin-city-computer-shutdown-was-ransomware-attack
Saudi Aramco confirms data leak after $50 million cyber ransom
demand - Saudi Aramco, the world’s largest oil producer, confirmed
on Wednesday that some of its company files had been leaked via a
contractor, after a cyber extortionist claimed to have seized troves
of its data last month and demanded a $50 million ransom from the
company.
https://arstechnica.com/information-technology/2021/07/saudi-aramco-confirms-data-leak-after-50-million-cyber-ransom-demand/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include
1) Selecting authentication mechanisms based on the risk
associated with the particular application or services;
2) Considering whether multi-factor authentication is
appropriate for each application, taking into account that
multi-factor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi-factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the
USA PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
For most applications, trade-offs will have to be made among
security, ease of use, and ease of administration, especially in
modern networked environments.
While it may appear that any of these means could provide strong
authentication, there are problems associated with each. If people
want to pretend to be someone else on a computer system, they can
guess or learn that individual's password; they can also steal or
fabricate tokens. Each method also has drawbacks for legitimate
users and system administrators: users forget passwords and may lose
tokens, and administrative overhead for keeping track of I&A data
and tokens can be substantial. Biometric systems have significant
technical, user acceptance, and cost problems as well.
This section explains current I&A technologies and their benefits
and drawbacks as they relate to the three means of authentication.
Although some of the technologies make use of cryptography because
it can significantly strengthen authentication, the explanations of
cryptography appear in Chapter 19, rather than in this chapter.
16.1 I&A Based on Something the User Knows
The most common form of I&A is a user ID coupled with a password.
This technique is based solely on something the user knows. There
are other techniques besides conventional passwords that are based
on knowledge, such as knowledge of a cryptographic key.
16.1.1 Passwords
In general, password systems work by requiring the user to enter a
user ID and password (or pass phrase or personal identification
number). The system compares the password to a previously stored
password for that user ID. If there is a match, the user is
authenticated and granted access.
Benefits of Passwords. Passwords have been successfully
providing security for computer systems for a long time. They are
integrated into many operating systems, and users and system
administrators are familiar with them. When properly managed in a
controlled environment, they can provide effective security.
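The password system described in 16.1.1 (user ID plus password compared against a stored value) and the FFIEC booklet's step 3 (protect stored authenticators) can be shown together. The following is an added example, not code from the NIST Handbook or the FFIEC booklet; the user IDs, passwords and the in-memory store are constructed for illustration, and the "stored password" is kept as a salted PBKDF2 verifier rather than the password itself.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory "password file": user ID -> (salt, verifier).
# The password is never stored; only a salted, iterated hash of it is,
# so a copy of this store does not hand an attacker the authenticators.
ITERATIONS = 200_000
SALT_LEN = 16
_store: Dict[str, Tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte verifier from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(user_id: str, password: str) -> None:
    """Record a verifier for user_id. A fresh random salt per user means
    two users who pick the same password get different stored values."""
    salt = os.urandom(SALT_LEN)
    _store[user_id] = (salt, _derive(password, salt))


def authenticate(user_id: str, password: str) -> bool:
    """Verify the presented password against the stored verifier for the ID.
    Unknown IDs are put through the same derivation as known ones so the
    response time does not reveal which user IDs exist."""
    salt, expected = _store.get(user_id, (b"\x00" * SALT_LEN, b"\x00" * 32))
    presented = _derive(password, salt)
    # Constant-time comparison; the dummy verifier above never matches,
    # and the membership check makes the intent explicit.
    return hmac.compare_digest(presented, expected) and user_id in _store


def stored_verifier(user_id: str) -> bytes:
    """Expose the stored verifier (not the password) for inspection."""
    return _store[user_id][1]
```

Because the salt is random, enrolling the same password twice yields two different verifiers, which is the property that stops a precomputed lookup against the stored file.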
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.