August 30, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks - ATMs from the two companies had bugs that could have allowed card fraudsters to modify the amount of money they deposited on their card, and then abuse the new account balance for illegal cash withdrawals.
https://www.zdnet.com/article/atm-makers-diebold-and-ncr-deploy-fixes-for-deposit-forgery-attacks/
Australia the latest to push digital sovereignty, shake up cyber
world order - On Wednesday, former Australian Prime Minister Malcolm
Turnbull expressed regrets he had not done a better job encouraging
Australian governments and businesses to purchase Australian
cybersecurity products.
https://www.scmagazine.com/home/security-news/australia-the-latest-to-push-digital-sovereignty-shake-up-cyber-world-order/
Former Uber chief security officer charged for hacker ‘hush money’ -
Federal prosecutors charged the former chief security officer for
Uber, with crimes related to an alleged cover-up of the company’s
massive 2016 hack.
https://www.scmagazine.com/home/security-news/former-uber-chief-security-officer-charged-for-hacker-hush-money/
Lessons from 15 years of bug bounties - It is increasingly hard to
remember a time when bug bounty programs, let alone disclosure
programs, weren’t so universally accepted. These days, you’ll find
bounties for everything from branches of the military to your
toaster.
https://www.scmagazine.com/home/security-news/lessons-from-15-years-of-bug-bounties/
Federal cyber agency releases strategy to secure 5G networks - The
Department of Homeland Security’s Cybersecurity and Infrastructure
Security Agency (CISA) released a strategy Monday to defend U.S. 5G
networks against threats.
https://thehill.com/policy/cybersecurity/513449-federal-cyber-agency-releases-strategy-to-secure-us-5g-networks
https://www.cisa.gov/sites/default/files/publications/cisa_5g_strategy_508.pdf
FBI, CISA Echo Warnings on ‘Vishing’ Threat - The Federal Bureau of
Investigation (FBI) and the Cybersecurity and Infrastructure
Security Agency (CISA) on Thursday issued a joint alert to warn
about the growing threat from voice phishing or “vishing” attacks
targeting companies.
https://krebsonsecurity.com/2020/08/fbi-cisa-echo-warnings-on-vishing-threat/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - University of Utah pays $457,000 to ransomware gang - University officials restored from backups, but they had to pay the ransomware gang to prevent them from leaking student data.
https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/
https://attheu.utah.edu/facultystaff/university-of-utah-update-on-data-security-incident/
WannaRen ransomware author contacts security firm to share
decryption key - A major ransomware outbreak hit Chinese internet
users earlier this year in April. For about a week, a ransomware
strain known as WannaRen made tens of thousands of victims among
both home consumers and local Chinese and Taiwanese companies.
https://www.zdnet.com/article/wannaren-ransomware-author-contacts-security-firm-to-share-decryption-key/
Weeks after malware disruption, New York hospital is getting back
online - For three weeks, a 290-bed medical facility in upstate New
York has been grappling with a cybersecurity incident that prevented
doctors from accessing patients’ electronic medical records (EMRs).
https://www.cyberscoop.com/samaritan-medical-center-new-york-malware-recovery/
Carnival left to right the ship after breaches threaten travelers’
trust - After falling victim to two confirmed cyberattacks, and a
possible third, since 2019, Carnival Corporation & plc has experts
suggesting that the cruise operator – already imperiled by COVID-19’s
impact on the travel industry – may need to institute major reforms
to its security program and policies before suffering further damage
to its reputation.
https://www.scmagazine.com/home/security-news/data-breach/carnival-must-right-the-ship-after-breaches-threaten-travelers-trust/
Files from TFI’s Canpar leak after ransomware attack - Files
purportedly stolen from TFI International’s Canpar Express leaked
onto the dark web on Monday after a ransomware attack targeted the
Canadian trucking and logistics company’s parcel and courier
subsidiaries last week.
https://www.freightwaves.com/news/files-from-tfis-canpar-leak-after-ransomware-attack
Free photos, graphics site Freepik discloses data breach impacting
8.3M users - Freepik is one of the most popular websites on the
internet, currently ranked No. 97 on the Alexa Top 100 sites list.
https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/
WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft. (Part 2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
electronically.
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
record.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Logical Access Controls
A primary concern in controlling system access is the safeguarding of user IDs and passwords. The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism.
The unauthorized or unsuspected acquisition of data such as
passwords, user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a
system intruder.
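One practical control that follows from the paragraph above is to reject, at password-change time, any password that is built from the customer's own profile data (user ID, name, e-mail local part, phone digits, birth year), since those are exactly the fragments a password-generating program would try first. The following is an added illustration written for this newsletter, not FDIC guidance or code from any product; the profile field names and the sample customer record are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Fold the usual digit/symbol substitutions so "Sm1th" still matches "smith".
# Both the profile fragments and the candidate password go through the same
# folding, so the comparison stays consistent even where a digit is folded.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_TOKEN_LEN = 4  # ignore fragments so short they would match by chance


def _normalize(text: str) -> str:
    """Lower-case, fold substitutions, and drop anything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def profile_tokens(profile: Dict[str, str]) -> Dict[str, List[str]]:
    """Break each profile attribute into the fragments a guesser would try.

    Field names (user_id, name, email, phone, birthdate) are an assumption
    for this example; map your own customer record onto them.
    """
    tokens: Dict[str, List[str]] = {}
    for attr, value in profile.items():
        if not value:
            continue
        parts: List[str] = []
        if attr == "email":
            local = value.split("@", 1)[0]          # domain is not personal data
            parts.extend(re.split(r"[\s._\-]+", local))
            parts.append(local)
        elif attr == "phone":
            digits = re.sub(r"\D", "", value)
            parts.append(digits)
            parts.append(digits[-4:])               # last four digits are a common suffix
        else:
            parts.extend(re.split(r"[\s._\-]+", value))  # "John Smith" -> john, smith
            parts.append(value)                          # ... and johnsmith
        if attr == "birthdate":
            year = re.search(r"(19|20)\d{2}", value)
            if year:
                parts.append(year.group(0))
        normalized = {_normalize(p) for p in parts}
        tokens[attr] = sorted(t for t in normalized if len(t) >= MIN_TOKEN_LEN)
    return tokens


def derived_from_profile(password: str, profile: Dict[str, str]) -> List[str]:
    """Return the profile attributes found inside the password (empty list = acceptable).

    The password is checked both forwards and reversed, since reversing a
    name or user ID is a common way of "disguising" it.
    """
    norm_pw = _normalize(password)
    rev_pw = norm_pw[::-1]
    hits: List[str] = []
    for attr, toks in profile_tokens(profile).items():
        if any(t in norm_pw or t in rev_pw for t in toks):
            hits.append(attr)
    return hits


# Constructed sample record for the demonstration; not a real customer.
SAMPLE_PROFILE = {
    "user_id": "jsmith",
    "name": "John Smith",
    "email": "john.smith@example.com",
    "phone": "(806) 555-0199",
    "birthdate": "1985-04-12",
}

if __name__ == "__main__":
    for candidate in ("Sm1th!1985", "htimsj2020!", "Tr0ub4dor&3"):
        problems = derived_from_profile(candidate, SAMPLE_PROFILE)
        verdict = "REJECT (uses %s)" % ", ".join(problems) if problems else "ok"
        print("%-14s %s" % (candidate, verdict))
```

This check belongs alongside, not instead of, the usual length and breach-list rules; it only closes the specific gap the FDIC text describes, where a password is a thin disguise of information the institution already holds about the customer.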
Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an area of concern.
Security problems are often identified after the release of a new
product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely
publicized, and the identification of new bugs is constant. These
bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar
security concerns, especially when dealing with network software or
active content languages which allow computer programs to be
attached to Web pages (e.g., Java, ActiveX). Security flaws
identified in Web browsers (i.e., application software used to
navigate the Internet) have included bugs which, theoretically, may
allow the installation of programs on a Web server, which could then
be used to back into the bank's system. Even if new technologies are
regarded as secure, they must be managed properly. For example, if
controls over active content languages are inadequate, potentially
hostile and malicious programs could be automatically downloaded
from the Internet and executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into
five categories: hot site; cold site; redundancy; reciprocal
agreements; and hybrids. These terms originated with recovery
strategies for data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
change.)
5. Hybrids -- Any combination of the above, such as having a
hot site as a backup in case a redundant or reciprocal agreement
site is damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace
equipment.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.