August 23, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Five security points CISOs must communicate to the corporate board - The responsibilities of top security executives are evolving constantly as most employees now work remotely, creating new opportunities for cyberattacks and disruption.
https://www.scmagazine.com/perspectives/five-security-points-cisos-must-communicate-to-the-corporate-board/
SANS Institute breach proves anyone can fall victim to a ‘consent phishing’ scam - The SANS Institute is attributing a data breach that exposed roughly 28,000 records containing personally identifiable information to a malicious Office 365 add-on, which caused an employee’s email account to automatically forward emails to an attacker’s address.
https://www.scmagazine.com/home/security-news/data-breach/sans-institute-breach-proves-anyone-can-fall-victim-to-a-consent-phishing-scam/
Maze delivers on threat to publish data stolen from Canon - Canon apparently didn’t pay up as previously believed after it fell victim to a Maze ransomware attack, because the company’s stolen data has cropped up online.
https://www.scmagazine.com/home/security-news/ransomware/maze-delivers-on-threat-to-publish-data-stolen-from-canon/
Australian government wants power to run cyber-response for businesses under attack - Australia’s government has proposed giving itself the power to take over private enterprises’ response to cyber-attacks on critical infrastructure.
https://www.theregister.com/2020/08/14/australian_critical_infrastructure_defence_plan/
Six steps for securing smart cities - What do organizations do when faced with declining revenues and increased costs? Some of them cut to the bone, stressing their chances at future growth. Smart ones invest heavily in technology, looking for ways to automate, become more efficient and use data to drive insight and innovation.
https://www.scmagazine.com/perspectives/six-steps-for-securing-smart-cities/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - ‘Malicious’ cyber actor spoofing SBA’s coronavirus loan relief webpage - The Cybersecurity and Infrastructure Security Agency is tracking an “unknown, malicious” cyber actor spoofing the Small Business Administration’s coronavirus loan relief webpage via phishing emails, it warned in an alert issued Wednesday.
https://www.fedscoop.com/cisa-spoofing-sba-loan-relief/
Pennsylvania Transit Agency Disrupted by Malware Attack - Technical disruptions over the weekend were the result of a malware attack against Southeastern Pennsylvania Transportation Authority servers, officials say. The FBI and outside experts have been asked to assist.
https://www.govtech.com/security/Pennsylvania-Transit-Agency-Disrupted-by-Malware-Attack.html
Targeted BEC attacks steal business data in six countries, posing as HR - A targeted business email compromise (BEC) orchestrated by the Russian-speaking RedCurl group has successfully stolen information in 14 successful attacks on a variety of businesses – mostly construction companies, financial and consulting firms, retailers, insurance businesses, law firms and travel – in six countries.
https://www.scmagazine.com/home/email-security/targeted-bec-attacks-steal-business-data-in-six-countries/
Cyberattacks targeting CRA, Canadians' COVID-19 benefits have been brought under control - Total of 11,200 Canada Revenue Agency and GCKey accounts affected by series of attacks.
https://www.cbc.ca/news/politics/cra-gckey-cyberattack-1.5689106
World's largest cruise line operator Carnival hit by ransomware - Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend.
https://www.bleepingcomputer.com/news/security/worlds-largest-cruise-line-operator-carnival-hit-by-ransomware/
Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack - Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide.
https://krebsonsecurity.com/2020/08/medical-debt-collection-firm-r1-rcm-hit-in-ransomware-attack/
U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen - Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data; they plan on selling to the highest bidder the most important info and leak the rest.
https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/
Ritz London suspects data breach, fraudsters pose as staff in credit card data scam - Scammers phoned guests to “confirm” their credit card details for reservations. The Ritz Hotel in London has launched an investigation into a data breach in which scammers may have posed as staff members to steal credit card data.
https://www.zdnet.com/article/ritz-london-struck-by-data-breach-fraudsters-pose-as-staff-in-credit-card-data-scam/
WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft. (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly. This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
System Architecture and Design
The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts.
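To make the IP-spoofing point above concrete, here is an added Python example (not from the FDIC text or this newsletter) that applies perimeter ingress/egress filtering to a few constructed packets and contrasts an address-only allowlist with one that also requires a credential; the internal address ranges, sample packets and tokens are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address ranges for this illustration (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "external" or "internal"
    src: str     # source address the packet claims
    dst: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(pkt: Packet) -> str:
    """Perimeter ingress/egress filtering: a packet arriving from the Internet
    cannot legitimately claim an internal source, and a packet leaving the
    internal network cannot legitimately claim an external one."""
    if pkt.iface == "external" and is_internal(pkt.src):
        return "drop: spoofed internal source on external interface"
    if pkt.iface == "internal" and not is_internal(pkt.src):
        return "drop: spoofed external source leaving internal network"
    return "pass"


def ip_only_allow(src: str, allowlist: set) -> bool:
    """The weak scheme the FDIC text warns about: the address alone decides."""
    return src in allowlist


def ip_plus_credential_allow(src: str, token: str, allowlist: set, valid_tokens: set) -> bool:
    """Hardened: the address narrows who may try; a credential decides who gets in."""
    return src in allowlist and token in valid_tokens


# Constructed sample traffic as seen by the perimeter device.
SAMPLE = [
    Packet("external", "203.0.113.7", "192.168.1.10"),
    Packet("external", "192.168.1.5", "192.168.1.10"),   # claims to be internal
    Packet("internal", "192.168.1.5", "198.51.100.9"),
    Packet("internal", "203.0.113.7", "198.51.100.9"),   # internal host spoofing outward
]


def filter_report(packets=SAMPLE):
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, filter_report()):
        print(f"{p.iface:8} {p.src:>15} -> {p.dst:<15} {verdict}")
```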
Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hypertext Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. The Telnet protocol enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture.
The open architecture of the Internet also makes it easy for system attacks to be launched against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit.
Security Scanning Products
A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4: Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In evaluating alternatives, it is necessary to consider what controls are in place to prevent and minimize contingencies. Since no set of controls can cost-effectively prevent all contingencies, it is necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption. Emergency response encompasses the initial actions taken to protect lives and limit damage. Recovery refers to the steps that are taken to continue support for critical functions. Resumption is the return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical considerations, including feasibility and cost. The different categories of resources should each be considered. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for various lengths of time? Are the consequences of a loss of computer-related resources sufficiently high to warrant the cost of various recovery strategies? The risk assessment should focus on areas where it is not clear which strategy is the best.
In developing contingency planning strategies, there are many factors to consider in addressing each of the resources that support critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of the office for a long time (due to illness or an accident), arrangements are made for the system administrator of another LAN to perform the duties. Anticipating this, the absent administrator should have taken steps beforehand to keep documentation current. This strategy is inexpensive, but service will probably be significantly reduced on both LANs, which may prompt the manager of the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information service provided by a commercial vendor. The organization is no longer able to obtain the information manually (e.g., from a reference book) within acceptable time limits and there are no other comparable services. In this case, the organization relies on the contingency plan of the service provider. The organization pays a premium to obtain priority service in case the service provider has to operate at reduced capacity.
Example 3: A large mainframe data center has a contract with a hot site vendor, has a contract with the telecommunications carrier to reroute communications to the hot site, has plans to move people, and stores up-to-date copies of data, applications and needed paper records off-site. The contingency plan is expensive, but management has decided that the expense is fully justified.
Example 4: An organization distributes its processing between two major sites, each of which includes small to medium processors (personal computers and minicomputers). If one site is lost, the other can carry the critical load until more equipment is purchased. Routing of data and voice communications can be performed transparently to redirect traffic. Backup copies are stored at the other site. This plan requires tight control over the architectures used and types of applications that are developed to ensure compatibility. In addition, personnel at both sites must be cross-trained to perform all functions.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.