August 22, 2021
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration test also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience
testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - Reality of health care threats
disconnected from cybersecurity investments - Despite the health
care sector remaining a prime target for threat actors, many
provider organizations don’t see cybersecurity investment as a
priority and few name cyber as a high priority spend, according to a
new report from CyberMDX in collaboration with Philips.
https://www.scmagazine.com/analysis/asset-management/reality-of-health-care-threats-disconnected-from-cybersecurity-investments
GitHub deprecates account passwords for authenticating Git
operations - GitHub has announced today that account passwords will
no longer be accepted for authenticating Git operations starting
tomorrow.
https://www.bleepingcomputer.com/news/security/github-deprecates-account-passwords-for-authenticating-git-operations/
Hacker is returning $600M in crypto, claiming theft was just “for
fun” - The hacker who breached the Poly Network crypto platform says
the theft was just "for fun :)" and that the hacker is now returning
the stolen coins. The hacker also claimed that the tokens had been
transferred to the hacker's own wallets to "keep it safe."
https://arstechnica.com/tech-policy/2021/08/hacker-is-returning-600m-in-crypto-claiming-theft-was-just-for-fun/
A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance - You
may not have the full story about what network you're on - and how
well you're protected. Even if your phone says it's connected to the
next-generation wireless standard, you may not actually be getting
all of the features 5G promises—including defense against so-called
stingray surveillance devices.
https://www.wired.com/story/5g-network-stingray-surveillance-non-standalone/
OMB gives agencies 60 days to identify critical software and begin
securing it - The Office of Management and Budget has given federal
agencies 60 days to identify all their critical software in use or
being acquired and a year to secure it, according to a memo issued
Tuesday.
https://www.fedscoop.com/white-house-gives-agencies-60-days-to-identify-critical-software-and-begin-securing-it/
‘The new normal is that nothing is normal’: Risk management,
collaboration key tools for COVID-19 health system success -
COVID-19 was a shock to the health care sector that required
provider organizations to quickly support the influx and sudden
shift to remote work, as well as swift adoption of remote care
technologies.
https://www.scmagazine.com/feature/backup-and-recovery/risk-management-collaboration-key-tools-for-covid-19-health-system-success
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Scripps Health cyberattack, EHR
downtime caused $112.7M in lost revenue, recovery - The ransomware
attack against Scripps Health that led to more than four weeks of
electronic health record (EHR) downtime procedures and the theft of
some patient data, resulted in $112.7 million in estimated revenue
loss and incremental expenses, according to an Aug. 10 financial
report from the San Diego-based health system.
https://www.scmagazine.com/analysis/backup-and-recovery/scripps-health-cyberattack-ehr-downtime-caused-112-7m-in-lost-revenue-recovery
S3 misconfiguration exposes sensitive data on more than 3 million
senior citizens - Researchers reported earlier this week that a
misconfigured Amazon S3 bucket exposed the surnames, emails, and
phone numbers of more than 3 million senior citizens.
https://www.scmagazine.com/news/cloud-security/s3-misconfiguration-exposes-sensitive-data-on-more-than-3-million-senior-citizens
T-Mobile Investigating Claims of Data Breach on Online Forum -
T-Mobile USA Inc. is investigating the validity of claims of a data
breach that is said to involve personal data from more than 100
million people, some of which is up for sale in exchange for bitcoin.
https://www.msn.com/en-us/money/companies/t-mobile-investigating-claims-of-data-breach-on-online-forum/ar-AANlDJU
https://www.scmagazine.com/news/cybercrime/t-mobile-investigating-claims-that-100-million-of-its-customers-were-hacked
Surgeries canceled, care diverted as Memorial Health responds to
cyberattack - Memorial Health System in Ohio is currently operating
under electronic health record (EHR) downtime procedures and
diverting emergency care patients, after a cyberattack struck its
network during the early hours of Sunday, Aug. 15. All radiology
exams and urgent surgical cases scheduled for Aug. 16 have also been
canceled as a result.
https://www.scmagazine.com/analysis/backup-and-recovery/surgeries-canceled-care-diverted-as-memorial-health-responds-to-cyberattack
Dallas cops lost 8TB of criminal case data during bungled migration,
says the DA... four months later - A bungled data migration of a
network drive caused the deletion of 22 terabytes of information
from a US police force's systems – including case files in a murder
trial, according to local reports.
https://www.theregister.com/2021/08/16/dallas_data_migration_8tb_deletion/
637K UNM Health patients impacted by two-month network hack, data
theft - An EMT worker cleans a gurney after transporting a suspected
Covid patient outside of a Brooklyn hospital on March, 29 2021, in
New York City. Incidents at several hospitals nationwide have led to
breaches of patient data.
https://www.scmagazine.com/analysis/breach/637k-unm-health-patients-impacted-by-two-month-network-hack-data-theft
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Introduction
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among
existing banking organizations and new market entrants has allowed
for a much wider array of electronic banking products and services
for retail and wholesale banking customers. These include
traditional activities such as accessing financial information,
obtaining loans and opening deposit accounts, as well as relatively
new products and services such as electronic bill payment services,
personalized financial "portals," account aggregation and
business-to-business marketplaces and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increases and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
FFIEC IT SECURITY -
We
continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
- Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the
system in the generation of the shared secret. In the case of
passwords and pass phrases, the user should select them without any
assistance from any other user, such as the help desk. One exception
is in the creation of new accounts, where a temporary shared secret
could be given to the user for the first login, after which the
system prompts the user to create a different password. Controls
should prevent any user from re-using shared secrets that may have
been compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard-to-guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new shared
secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
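As an added illustration of the seed-plus-algorithm scheme just described (this is example code, not text or code from the FFIEC booklet), the following Python shows a dynamic-password token and the server-side verifier that accepts each password for exactly one access. The algorithm chosen here is the HOTP construction of RFC 4226; the seed is the RFC's published test-vector secret rather than a real key, and the look-ahead window of 5 is an assumed operational setting.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Compute one dynamic password from a shared seed and a counter
    (the HOTP construction of RFC 4226: HMAC-SHA1 plus dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of a token login: the seed is the shared secret and the
    counter advances on every accepted password, so a password that has
    been used once (or skipped over) is never accepted again."""

    def __init__(self, seed: bytes, look_ahead: int = 5) -> None:
        self.seed = seed
        self.next_counter = 0         # first counter value still unused
        self.look_ahead = look_ahead  # tolerate a few token presses never sent

    def verify(self, candidate: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead)
        for c in window:
            # constant-time compare so response timing does not leak digits
            if hmac.compare_digest(hotp(self.seed, c), candidate):
                self.next_counter = c + 1  # c and everything before it is burned
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed: the RFC 4226 test-vector secret, not a real key.
    server = TokenVerifier(b"12345678901234567890")
    first = hotp(server.seed, 0)              # what the token would display
    # accepted once, rejected on replay
    print(first, server.verify(first), server.verify(first))
```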
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
16.1.1 Passwords
Problems With Passwords. The security of a password system
is dependent upon keeping passwords secret. Unfortunately, there are
many ways that the secret may be divulged. All of the problems
discussed below can be significantly mitigated by improving password
security, as discussed in the sidebar. However, there is no fix for
the problem of electronic monitoring, except to use more advanced
authentication (e.g., based on cryptographic techniques or tokens).
Guessing or finding passwords. If users select their own
passwords, they tend to make them easy to remember. That often makes
them easy to guess. The names of people's children, pets, or
favorite sports teams are common examples. On the other hand,
assigned passwords may be difficult to remember, so users are more
likely to write them down. Many computer systems are shipped with
administrative accounts that have preset passwords. Because these
passwords are standard, they are easily "guessed." Although security
practitioners have been warning about this problem for years, many
system administrators still do not change default passwords. Another
method of learning passwords is to observe someone entering a
password or PIN. The observation can be done by someone in the same
room or by someone some distance away using binoculars. This is
often referred to as shoulder surfing.
Giving passwords away. Users may share their passwords. They
may give their password to a co-worker in order to share files. In
addition, people can be tricked into divulging their passwords. This
process is referred to as social engineering.
Electronic monitoring. When passwords are transmitted to a
computer system, they can be electronically monitored. This can
happen on the network used to transmit the password or on the
computer system itself. Simple encryption of a password that will be
used again does not solve this problem because encrypting the same
password will create the same ciphertext; the ciphertext becomes the
password.
Accessing the password file. If the password file is not
protected by strong access controls, the file can be downloaded.
Password files are often protected with one-way encryption so that
plain-text passwords are not available to system administrators or
hackers (if they successfully bypass access controls). Even if the
file is encrypted, brute force can be used to learn passwords if the
file is downloaded (e.g., by encrypting English words and comparing
them to the file).
Passwords Used as Access Control. Some mainframe operating
systems and many PC applications use passwords as a means of
restricting access to specific resources within a system. Instead of
using mechanisms such as access control lists, access is granted by
entering a password. The result is a proliferation of passwords that
can reduce the overall security of a system. While the use of
passwords as a means of access control is common, it is an approach
that is often less than optimal and not cost-effective.
Improving Password Security
Password generators. If users are not allowed to generate their
own passwords, they cannot pick easy-to-guess passwords. Some
generators create only pronounceable nonwords to help users remember
them. However, users tend to write down hard-to-remember passwords.
Limits on log-in attempts. Many operating systems can be configured
to lock a user ID after a set number of failed log-in attempts. This
helps to prevent guessing of passwords.
Password attributes. Users can be instructed, or the system
can force them, to select passwords (1) with a certain minimum
length, (2) with special characters, (3) that are unrelated to their
user ID, or (4) that are not in an on-line
dictionary. This makes passwords more difficult to guess (but more
likely to be written down).
Changing passwords. Periodic changing of passwords can
reduce the damage done by stolen passwords and can make brute-force
attempts to break into systems more difficult. Too frequent changes,
however, can be irritating to users.
Technical protection of the password file. Access control
and one-way encryption can be used to protect the password file
itself.
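The sidebar's controls carried into code, as an added example that is not from the NIST Handbook: a policy check for password attributes (1) to (4), a password file that keeps only a per-user salt and a one-way digest, and a lock-out after a set number of failed log-in attempts. The word list, the special-character set, the 12-character minimum and the 3-attempt limit are constructed placeholders, and PBKDF2 is the one-way function chosen here (the Handbook names none); the per-user salt is what stops the "encrypt English words and compare them to the file" approach from covering every account with a single pass.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the "on-line dictionary" and special-character set.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def check_policy(password: str, user_id: str, min_length: int = 12) -> list:
    """Return the Handbook attributes (1)-(4) that the password fails."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if not any(ch in SPECIALS for ch in password):
        failures.append("no special character")
    if user_id.lower() in password.lower():
        failures.append("contains user ID")
    letters = "".join(ch for ch in password.lower() if ch.isalpha())
    if letters in DICTIONARY:        # "Summer2021!" still reduces to "summer"
        failures.append("dictionary word")
    return failures

class PasswordFile:
    """Salted one-way (PBKDF2) storage plus a limit on log-in attempts."""

    def __init__(self, max_attempts: int = 3, iterations: int = 100_000) -> None:
        self.entries = {}            # user_id -> [salt, digest, failed_attempts]
        self.max_attempts = max_attempts
        self.iterations = iterations

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def set_password(self, user_id: str, password: str) -> None:
        failures = check_policy(password, user_id)
        if failures:
            raise ValueError("policy violation: " + ", ".join(failures))
        salt = os.urandom(16)        # per-user salt: same word, different digest
        self.entries[user_id] = [salt, self._digest(password, salt), 0]

    def login(self, user_id: str, password: str) -> bool:
        entry = self.entries.get(user_id)
        if entry is None or entry[2] >= self.max_attempts:
            return False             # unknown ID, or ID locked after repeated failures
        if hmac.compare_digest(self._digest(password, entry[0]), entry[1]):
            entry[2] = 0             # a success resets the failure count
            return True
        entry[2] += 1
        return False
```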
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.