R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

August 29, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FYI - Yes to patching, but companies need to finally embrace zero-trust - We may be two months away from Halloween, but the slew of cyberattacks that we’ve seen over the past six months are as bad as any horror story we’ve ever seen. https://www.scmagazine.com/perspective/critical-infrastructure/yes-to-patching-but-companies-need-to-finally-embrace-zero-trust

Critical Cisco Bug in Small Business Routers to Remain Unpatched - The issue affects a range of Cisco Wireless-N and Wireless-AC VPN routers that have reached end-of-life. https://threatpost.com/critical-cisco-bug-routers-unpatched/168831/

Patch management in the age of work-from-home - Organizations face a number of difficulties regarding patch management of endpoint devices, especially as employees use their own devices from home during the pandemic. https://www.scmagazine.com/video/endpoint-security/patch-management-in-the-age-of-work-from-home

New assessment tool helps convey ransomware resiliency status to board of directors - A consortium of cybersecurity vendors on Tuesday officially launched “R-Score,” a free cyber resilience assessment tool that’s exclusively focused on scoring a company's ability to recover from ransomware attacks. https://www.scmagazine.com/analysis/cloud/new-assessment-tool-helps-convey-ransomware-resiliency-status-to-board-of-directors

How to bridge communication gap between CISOs and the executive board - A new book seeks to act as a translation guide between chief information security officers and the board of directors – with helpful suggestions for how both sides of the equation can see eye to eye. https://www.scmagazine.com/analysis/leadership/book-explores-how-to-bridge-communication-gap-between-cisos-and-the-executive-board

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - T-Mobile says information of more than 48 million customers leaked in breach - T-Mobile has released an update on the recent claims that a hacker gained access to the names, addresses, PIN numbers, social security numbers and more of millions of T-Mobile customers. https://www.zdnet.com/article/t-mobile-said-information-of-more-than-8-million-customers-leaked-in-breach/

US Census Bureau stopped 2020 cyberattack but faces criticism for security lapses - An OIG report said the Bureau routinely used end-of-life systems and wasted time in responding to the attack before it was stopped. The Office of Inspector General (OIG) has released a report this week saying the US Census Bureau dealt with a cyberattack on January 11, 2020.  https://www.zdnet.com/article/us-census-bureau-stopped-202-cyberattack-but-faces-criticism-for-security-lapses/

38 million records exposed by misconfigured Microsoft Power Apps. Redmond's advice? RTFM - Forty-seven government entities and private companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant's Power Apps, a low-code service that promises an easy way to build professional applications. https://www.theregister.com/2021/08/23/power_shell_records/

Nokia subsidiary discloses data breach after Conti ransomware attack - SAC Wireless, a US-based Nokia subsidiary, has disclosed a data breach following a ransomware attack where Conti operators were able to successfully breach its network, steal data, and encrypt systems. https://www.bleepingcomputer.com/news/security/nokia-subsidiary-discloses-data-breach-after-conti-ransomware-attack/

U.S. State Department recently hit by a cyber attack - Fox News - The U.S. State Department was recently hit by a cyber attack, and notifications of a possible serious breach were made by the Department of Defense Cyber Command, a Fox News reporter tweeted on Saturday. https://www.reuters.com/world/us/us-state-department-recently-hit-by-cyber-attack-fox-news-2021-08-21/

Eskenazi Health confirms patient data stolen prior to ransomware, EHR downtime - Eskenazi Health confirmed the threat actors behind the ransomware attack launched on Aug. 4 exfiltrated patient data prior to the deployment and leaked the stolen information online in the days following the attack and subsequent network outage. https://www.scmagazine.com/analysis/breach/eskenazi-health-confirms-patient-data-stolen-prior-to-ransomware-ehr-downtime


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
   
   Risk management challenges
   
   The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:
   
   1. The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.
   
   2. Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.
   
   3. E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.
   
   4. The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   

   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
   
   AUTHENTICATION -
Shared Secret Systems (Part 2 of 2)
   
   Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.
   
   - A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.
   
   Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromise.
   
   - An additional attack method targets a specific account and submits passwords until the correct password is discovered.
   
   Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.
   
   - A variation of the previous attack uses a popular password and tries it against a wide range of usernames.
   
   Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.
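As an added example covering both attacks above (it is not from the booklet), the detection logic below runs over constructed authentication log lines. Per-account lockout catches the single-account attack, but the one-password/many-usernames variant leaves only one failure per account, so it is found by grouping failures by source IP or by client cookie and counting distinct usernames in a window, as the booklet's "submission patterns" control describes. The log format, field names, thresholds and addresses (RFC 5737 documentation ranges) are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical); real authentication logs differ, so adapt LINE_RE.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) cookie=(?P<cookie>\S+)$"
)

# Constructed sample: a targeted attack on jsmith from 203.0.113.7, a spray from
# 203.0.113.9 (one password against six accounts, the last of which succeeds),
# and ordinary activity from 198.51.100.20.
SAMPLE_LOG = """\
2021-08-23T09:00:01Z auth: result=OK user=mjones src=198.51.100.20 cookie=s7a1
2021-08-23T09:00:05Z auth: result=FAIL user=jsmith src=203.0.113.7 cookie=k9q2
2021-08-23T09:00:06Z auth: result=FAIL user=jsmith src=203.0.113.7 cookie=k9q2
2021-08-23T09:00:07Z auth: result=FAIL user=jsmith src=203.0.113.7 cookie=k9q2
2021-08-23T09:00:08Z auth: result=FAIL user=jsmith src=203.0.113.7 cookie=k9q2
2021-08-23T09:00:09Z auth: result=FAIL user=jsmith src=203.0.113.7 cookie=k9q2
2021-08-23T09:10:00Z auth: result=FAIL user=alee src=203.0.113.9 cookie=z4m8
2021-08-23T09:10:02Z auth: result=FAIL user=bkim src=203.0.113.9 cookie=z4m8
2021-08-23T09:10:04Z auth: result=FAIL user=cpatel src=203.0.113.9 cookie=z4m8
2021-08-23T09:10:06Z auth: result=FAIL user=dnguyen src=203.0.113.9 cookie=z4m8
2021-08-23T09:10:08Z auth: result=FAIL user=eortiz src=203.0.113.9 cookie=z4m8
2021-08-23T09:10:10Z auth: result=OK user=fwang src=203.0.113.9 cookie=z4m8
2021-08-23T09:30:00Z auth: result=FAIL user=mjones src=198.51.100.20 cookie=s7a1
2021-08-23T09:30:20Z auth: result=OK user=mjones src=198.51.100.20 cookie=s7a1
"""


def parse(log_text):
    """Turn log lines into event dicts (ts as datetime), oldest first; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _failures_by(events, key):
    """Group FAIL events by one field ("user", "src" or "cookie"), keeping time order."""
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            groups[e[key]].append(e)
    return groups


def targeted_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """One account, many failures: the lockout trigger. Returns accounts that
    accumulate `threshold` failures inside any `window`."""
    hits = set()
    for user, fails in _failures_by(events, "user").items():
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window:
                hits.add(user)
                break
    return hits


def spraying_sources(events, key="src", min_users=5, window=timedelta(minutes=15)):
    """One source, many accounts: per-account lockout never fires, so count the
    distinct usernames failing from one source IP (key="src") or one client
    cookie (key="cookie") inside `window`. Returns {source: sorted usernames}."""
    hits = {}
    for src, fails in _failures_by(events, key).items():
        for i in range(len(fails)):
            users = set()
            for e in fails[i:]:
                if e["ts"] - fails[i]["ts"] > window:
                    break
                users.add(e["user"])
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def spray_successes(events, sprayers, key="src"):
    """Successful logins from a flagged spraying source: the accounts to reset first."""
    return {(e["user"], e[key]) for e in events if e["result"] == "OK" and e[key] in sprayers}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("lockout candidates:", targeted_accounts(ev))
    by_ip = spraying_sources(ev)
    print("spraying IPs:", by_ip)
    print("spraying cookies:", spraying_sources(ev, key="cookie"))
    print("accounts the spray got into:", spray_successes(ev, by_ip))
```

Keying the spray check on the cookie as well as the IP is what lets the same logic survive an attacker who rotates source addresses but reuses a session; the thresholds are the "risk-based" numbers the booklet leaves to the institution.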
   
   - Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.
   
   Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.
   
   - Some attacks depend on patience, waiting until the logged-in workstation is unattended.
   
   Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.
   
   - Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.
   
   Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.
   
   - Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machine. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.
   
   Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.
   
   - Attacks can also become much more effective or damaging if different network devices share the same or a similar password.
   
   Controls include a policy that forbids the same or similar password on particular network devices.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
  
  
16.1.2 Cryptographic Keys
  
  Although the authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows, it is necessary for the user to also possess (or have access to) something that can perform the cryptographic computations, such as a PC or a smart card. For this reason, the protocols used are discussed in the Smart Tokens section of this chapter. However, it is possible to implement these types of protocols without using a smart token. Additional discussion is also provided under the Single Log-in section.
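To make the point above concrete, here is an added example (not from the NIST Handbook) of the basic shape of a key-based authentication protocol: a challenge-response in which the server sends a fresh nonce and the device the user possesses answers with an HMAC of it under a shared key. The key itself never crosses the network, a captured response is useless because the nonce is consumed on first use, and the comparison is constant-time. The classes, usernames and key provisioning are assumptions for the illustration; the smart-token section of the Handbook covers the real protocols.

```python
import hashlib
import hmac
import secrets


def new_key():
    """Key provisioned to one token and registered with the server out of band (assumed)."""
    return secrets.token_bytes(32)


class Server:
    """Verifier: holds each user's token key and the one challenge currently outstanding per user."""

    def __init__(self, keys):
        self.keys = dict(keys)      # username -> key bytes
        self.outstanding = {}       # username -> nonce awaiting a response

    def challenge(self, username):
        """Message 1 (server -> claimant): a fresh, unpredictable nonce."""
        nonce = secrets.token_bytes(16)
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username, nonce, response):
        """Check of message 2: recompute the MAC with the stored key. The nonce is
        consumed on first use, so a captured response cannot be replayed."""
        expected_nonce = self.outstanding.pop(username, None)
        key = self.keys.get(username)
        if key is None or expected_nonce is None:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):
            return False
        expected = hmac.new(key, nonce + username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Token:
    """Claimant: the device (smart card, app, PC) that holds the key and computes the response.
    Only the MAC of the challenge leaves the token, never the key."""

    def __init__(self, username, key):
        self.username, self.key = username, key

    def respond(self, nonce):
        """Message 2 (claimant -> server): HMAC over the nonce, bound to the claimed identity."""
        return hmac.new(self.key, nonce + self.username.encode(), hashlib.sha256).digest()


def login(server, token):
    """One full exchange; returns True only if the server accepts the response."""
    nonce = server.challenge(token.username)
    return server.verify(token.username, nonce, token.respond(nonce))


if __name__ == "__main__":
    k = new_key()
    srv, tok = Server({"alice": k}), Token("alice", k)
    print("genuine token:", login(srv, tok))
    n = srv.challenge("alice")
    r = tok.respond(n)
    print("first use:", srv.verify("alice", n, r), "replay:", srv.verify("alice", n, r))
    print("wrong key:", login(srv, Token("alice", new_key())))
```

Binding the username into the MAC input stops a response obtained for one account from being presented for another; in a deployment the key would additionally be unlocked on the token by something the user knows, which is the combination the next section describes.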
  
  16.2 I&A Based on Something the User Possesses
  
  Although some techniques are based solely on something the user possesses, most of the techniques described in this section are combined with something the user knows. This combination can provide significantly stronger security than either something the user knows or possesses alone.
  
  Objects that a user possesses for the purpose of I&A are called tokens. This section divides tokens into two categories: memory tokens and smart tokens, which we will cover in the next two issues.

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.