August 16, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Garmin Risks Repeat Attack If It Paid $10 Million Ransom - A security expert has warned that Garmin is now an even bigger target if it paid the alleged $10 million ransom to free its systems of malware.
https://www.forbes.com/sites/barrycollins/2020/07/28/garmin-risks-repeat-attack-if-it-paid-10-million-ransom/#1d86c8044a6e
Regulators levy $80 million fine, hammer Capital One for massive breach - Bank regulators dropped the hammer on Capital One, with the Office of the Comptroller of the Currency (OCC) levying an $80 million fine and the Federal Reserve filing a cease and desist order that specified the steps the bank needed to take to redeem itself after a massive data breach in 2019 that compromised the personal data of more than 100 million of its customers.
https://www.scmagazine.com/home/security-news/regulators-levy-80-million-fine-hammer-capital-one-for-massive-breach/
Stricken electronics firms weigh reward, cost of paying ransom -
Garmin reportedly paid cyber extortionists millions of dollars for
access to a decryptor so that the company could restore its services
to customers following a July 23 WastedLocker ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/stricken-electronics-firms-weigh-reward-cost-of-paying-ransom/
Lesson learned: Failure to patch led to password leak of 900 VPN
enterprise servers - Applying a security update to a CVE released
more than a year ago could have prevented a hacker from publishing
plaintext usernames and passwords, as well as IP addresses, for more
than 900 Pulse Secure VPN enterprise servers.
https://www.scmagazine.com/home/security-news/patch-fail-led-to-password-leak-of-900-vpn-enterprise-servers/
Whatever the cause, Intel leak still stings - Depending on whose
version of the story is correct, a 20 GB data leak affecting Intel
presents an important lesson on either the perils of default
credentials and insecure server misconfigurations, or the risks of
sharing proprietary secrets with third-party business partners and
customers.
https://www.scmagazine.com/home/security-news/data-breach/whatever-the-cause-intel-leak-still-stings/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Garmin Reportedly Paid a Ransom - Garmin, a fitness tracker and navigation device firm, apparently paid a ransom to recover from a July 23 security incident that encrypted several of its systems, according to two news reports as well as expert analysis.
https://www.bankinfosecurity.com/garmin-reportedly-paid-ransom-a-14773
Canon confirms ransomware attack in internal memo - Canon has suffered a ransomware attack that impacts numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications. In an internal alert sent to employees, Canon has disclosed the ransomware attack and is working to address the issue.
https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/
Colorado City Pays $45,000 Ransom After Cyber-Attack - Lafayette, Colorado, officials announced Tuesday the city's computer systems were hacked and they were forced to pay a ransom to regain access.
https://www.securityweek.com/colorado-city-pays-45000-ransom-after-cyber-attack
Travelex driven into financial straits by ransomware attack - The double-whammy of getting hit with a ransomware attack last New Year's Eve that sidelined its global operations for two-and-a-half weeks, coupled with COVID-19's toll on air travel, put currency exchange provider Travelex into administration, the U.K. equivalent of bankruptcy, late last week, serving, if internal assessments are correct, as an example of the economic impact of ransomware and other cyberattacks.
https://www.scmagazine.com/home/security-news/travelex-driven-into-financial-straits-by-ransomware-attack/
WEB SITE COMPLIANCE - We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
in which the institution claims in its published privacy policy that
it maintains certain minimum information security standards at all
times.
When a financial institution subcontracts weblinking arrangements
to a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
regulations.
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
vendors.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery
of data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
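The FDIC text defines non-repudiation but does not say how proof of origin or delivery is produced. The usual mechanism is a digital signature under a key that only one party holds, which is what the following added example shows. It is example code written for this page, not part of the FDIC statement or of any bank's system; it assumes Ed25519 from Go's standard library as the signature scheme, a constructed sample transaction, and hypothetical helper names (Party, Send, Acknowledge, Verify, ReceiptMatches).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party models one side of a transaction. Each party holds its own
// long-term Ed25519 key pair: the private key never leaves the party,
// the public key is known to everyone (for example via a certificate).
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for a named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Pub: pub, priv: priv}, nil
}

// SignedMessage is a payload together with the signer's signature over it.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// Send produces proof of origin: only the holder of p.priv can create a
// signature that verifies under p.Pub, so p cannot later deny sending it.
func (p *Party) Send(payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(p.priv, payload)}
}

// Acknowledge produces proof of delivery: the recipient signs a receipt
// bound to the exact bytes (payload and sender signature) it received,
// so it cannot later deny having received that message.
func (p *Party) Acknowledge(m SignedMessage) SignedMessage {
	receipt := append([]byte("RECEIVED:"), m.Payload...)
	receipt = append(receipt, m.Signature...)
	return SignedMessage{Payload: receipt, Signature: ed25519.Sign(p.priv, receipt)}
}

// Verify checks that m was signed by the holder of the private key
// matching pub. A third party (auditor, court) can run this check
// with nothing but the public key.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Payload, m.Signature)
}

// ReceiptMatches confirms that a receipt acknowledges exactly the
// message that was sent, not a different or altered one.
func ReceiptMatches(receipt SignedMessage, sent SignedMessage) bool {
	expected := append([]byte("RECEIVED:"), sent.Payload...)
	expected = append(expected, sent.Signature...)
	return string(receipt.Payload) == string(expected)
}

func main() {
	bank, _ := NewParty("bank")
	customer, _ := NewParty("customer")

	// Constructed sample transaction (not real data).
	order := []byte(`{"from":"customer","to":"bank","amount":"1500.00","ref":"TX-0001"}`)
	msg := customer.Send(order)
	fmt.Println("origin verifies under customer key:", Verify(customer.Pub, msg)) // true
	fmt.Println("origin verifies under bank key:", Verify(bank.Pub, msg))         // false

	// Changing the amount after signing invalidates the signature.
	altered := SignedMessage{
		Payload:   []byte(`{"from":"customer","to":"bank","amount":"15000.00","ref":"TX-0001"}`),
		Signature: msg.Signature,
	}
	fmt.Println("altered payload verifies:", Verify(customer.Pub, altered)) // false

	// The bank's signed receipt is the proof of delivery.
	rcpt := bank.Acknowledge(msg)
	fmt.Println("receipt verifies and matches:", Verify(bank.Pub, rcpt), ReceiptMatches(rcpt, msg)) // true true
}
```

The design point is that a shared-secret MAC (for example HMAC) would not do here: both parties hold the same key, so either could have produced the tag and neither is bound by it. Non-repudiation needs an asymmetric signature whose private key is held by exactly one party, plus a receipt that is bound to the exact signed bytes so the delivery proof cannot be reused for a different transaction.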
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.3 Step 3: Anticipating Potential Contingencies or Disasters
Although it is impossible to think of all the things that can go
wrong, the next step is to identify a likely range of problems. The
development of scenarios will help an organization develop a plan to
address the wide range of things that can go wrong.
Scenarios should include small and large contingencies. While some
general classes of contingency scenarios are obvious, imagination
and creativity, as well as research, can point to other possible,
but less obvious, contingencies. The contingency scenarios should
address each of the resources described above. The following are
examples of some of the types of questions that contingency
scenarios may address:
Human Resources: Can people get to work? Are key personnel
willing to cross a picket line? Are there critical skills and
knowledge possessed by one person? Can people easily get to an
alternative site?
Processing Capability: Are the computers harmed? What
happens if some of the computers are inoperable, but not all?
Automated Applications and Data: Has data integrity been
affected? Is an application sabotaged? Can an application run on a
different processing platform?
Computer-Based Services: Can the computers communicate? To
where? Can people communicate? Are information services down? For
how long?
Infrastructure: Do people have a place to sit? Do they have
equipment to do their jobs? Can they occupy the building?
Documents/Paper: Can needed records be found? Are they
readable?
Examples of Some Less Obvious Contingencies
1. A computer center in the basement of a building had a minor
problem with rats. Exterminators killed the rats, but the bodies
were not retrieved because they were hidden under the raised
flooring and in the pipe conduits. Employees could only enter the
data center with gas masks because of the decomposing rats.
2. After the World Trade Center explosion when people reentered the building, they turned on their computer systems to check for problems. Dust and smoke damaged many systems when they were turned on. If the systems had been cleaned first, there would not have been significant damage.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.