September 5, 2021
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - Size doesn’t matter: All health
care providers are targets - Between ransomware and vendor-related
security incidents, the health care sector has already reported some
of the largest data breaches seen in recent history: the majority of
the 10 largest breaches affected over 1 million patients each.
https://www.scmagazine.com/analysis/breach/size-doesnt-matter-report-shows-all-health-care-providers-are-targets
Why DHS needs a Cyber Talent Management System to lure job
candidates - Even as the federal government has increasingly
prioritized cybersecurity issues internally and with outside
stakeholders like private industry, it still faces the same shortage
of qualified human talent to meet the demand.
https://www.scmagazine.com/analysis/careers/why-dhs-needs-a-cyber-talent-management-system-to-lure-job-candidates
Risk management strategies for cyber resilience in the cloud -
Organizations have become somewhat complacent in their thinking
about risk. They often think of risk as concerning a narrow
definition of security. However, the past two years have shown that
risk management needs to consider a broad set of threats and issues.
https://www.scmagazine.com/perspective/cloud-security/risk-management-strategies-for-cyber-resilience-in-the-cloud
Disrupt lateral movement by eliminating the utility of a stolen
password - Many data breaches are the result of successful lateral
movement. It’s a tactic many adversaries use to get closer to their
objective, and it’s a concern for many organizations.
https://www.scmagazine.com/perspective/identity-and-access/disrupt-lateral-movement-by-eliminating-the-utility-of-a-stolen-password
As decentralized finance and smart contracts catch on, crypto
security must adapt - ns and their use of smart contracts are
examples of where innovation and economic growth in the e-payment
space may be outpacing security capabilities and investments,
according to crypto experts in the aftermath of the massive hack of
Poly Network.
https://www.scmagazine.com/analysis/cryptocurrency/as-decentralized-finance-and-smart-contracts-catch-on-crypto-security-must-adapt
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Boston Public Library discloses
cyberattack, system-wide technical outage - The Boston Public
Library (BPL) has disclosed today that its network was hit by a
cyberattack on Wednesday, leading to a system-wide technical outage.
https://www.bleepingcomputer.com/news/security/boston-public-library-discloses-cyberattack-system-wide-technical-outage/
Exploitation of Flaws in Delta Energy Management System Could Have
'Dire Consequences' - An industrial energy management system made by
Delta Electronics is affected by several vulnerabilities whose
exploitation could have serious consequences in a real world
environment, according to the researcher who discovered the flaws.
https://www.securityweek.com/exploitation-flaws-delta-energy-management-system-could-have-dire-consequences
After a lucrative year, what will ransomware groups do with newfound
capital? - Larger ransomware groups operate more like small- to
medium-sized businesses than drug dealers. They place help wanted
ads. They have web design teams. They hold conferences.
https://www.scmagazine.com/analysis/cybercrime/after-a-lucrative-year-what-will-ransomware-groups-do-with-newfound-capital
Microsoft Azure breach of customer accounts spotlights DevOps
failures - Microsoft on Thursday confirmed that security researchers
gained access to the accounts and databases of several thousand
Microsoft Azure customers, including many Fortune 500 companies,
such as ExxonMobil and Coca Cola.
https://www.scmagazine.com/analysis/breach/microsoft-azure-breach-of-customer-accounts-spotlights-devops-failures
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG),
the Committee concluded that, while traditional banking risk
management principles are applicable to e-banking activities, the
complex characteristics of the Internet delivery channel dictate
that the application of these principles must be tailored to fit
many online banking activities and their attendant risk management
challenges. To this end, the Committee believes that it is incumbent
upon the Boards of Directors and banks' senior management to take
steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and
processes to cover their current or planned e-banking activities.
Further, as the Committee believes that banks should adopt an
integrated risk management approach for all banking activities, it
is critical that the risk management oversight afforded e-banking
activities becomes an integral part of the banking institution's
overall risk management framework.
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
services.
These Risk Management Principles for Electronic Banking, which
are identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (1 of 2)
Token systems typically authenticate the token and assume that
the user who was issued the token is the one requesting access. One
example is a token that generates dynamic passwords every X seconds.
When prompted for a password, the user enters the password generated
by the token. The token's password-generating system is identical
and synchronized to that in the system, allowing the system to
recognize the password as valid. The strength of this system of
authentication rests in the frequent changing of the password and
the inability of an attacker to guess the seed and password at any
point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to the
system, and the system returns a code to enter into the
password-generating token. The token and the system use identical logic and
initial starting points to separately calculate a new password. The
user enters that password into the system. If the system's
calculated password matches that entered by the user, the user is
authenticated. The strengths of this system are the frequency of
password change and the difficulty in guessing the challenge, seed,
and password.
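The two token schemes described above (a time-synchronized dynamic password and a challenge/response password), worked through as an added Python example that is not part of the FFIEC booklet or of this newsletter. The shared seed, the 30-second step, the one-step drift window and the HMAC-based generating logic are assumptions chosen for illustration; the system side compares in constant time and issues unpredictable challenges.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed, shared by the token and the system at issuance.
# A real deployment would generate it with secrets.token_bytes(20) and never log it.
SEED = b"demo-seed-shared-at-token-issuance"
STEP_SECONDS = 30  # the "every X seconds" interval after which the dynamic password changes


def derive_password(seed: bytes, counter: int, digits: int = 6) -> str:
    """Shared generating logic: HMAC the counter, truncate to a short numeric password."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def token_time_password(seed: bytes, now: float) -> str:
    """Token side: the password for the current time step."""
    return derive_password(seed, int(now // STEP_SECONDS))


def system_verify_time_password(seed: bytes, entered: str, now: float, drift: int = 1) -> bool:
    """System side: recompute for the current step and +/- drift steps to absorb clock skew,
    comparing in constant time so response timing leaks nothing about the expected value."""
    step = int(now // STEP_SECONDS)
    return any(hmac.compare_digest(derive_password(seed, step + d), entered)
               for d in range(-drift, drift + 1))


def system_new_challenge() -> int:
    """Challenge/response: the system issues an unpredictable code for the user to key in."""
    return secrets.randbelow(10 ** 8)


def token_response(seed: bytes, challenge: int) -> str:
    """Token side: identical logic and starting point, applied to the challenge."""
    return derive_password(seed, challenge)


def system_verify_response(seed: bytes, challenge: int, entered: str) -> bool:
    """System side: recompute the response from its own copy of the seed and compare."""
    return hmac.compare_digest(token_response(seed, challenge), entered)


if __name__ == "__main__":
    import time
    now = time.time()
    pw = token_time_password(SEED, now)
    print("time-based password accepted:", system_verify_time_password(SEED, pw, now + 10))
    chal = system_new_challenge()
    print("challenge/response accepted:", system_verify_response(SEED, chal, token_response(SEED, chal)))
```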
Other token methods involve multi-factor authentication, or the
use of more than one authentication method. For instance, an ATM
card is a token. The magnetic strip on the back of the card contains
a code that is recognized in the authentication process. However,
the user is not authenticated until he or she also provides a PIN,
or shared secret. This method is two-factor, using both something
the user has and something the user knows. Two-factor
authentication is generally stronger than single-factor
authentication. This method can allow the institution to
authenticate the user as well as the token.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.2.1 Memory Tokens
Memory tokens store, but do not process, information. Special
reader/writer devices control the writing and reading of data to and
from the tokens. The most common type of memory token is a magnetic
striped card, in which a thin stripe of magnetic material is affixed
to the surface of a card (e.g., as on the back of credit cards). A
common application of memory tokens for authentication to computer
systems is the automatic teller machine (ATM) card. This uses a
combination of something the user possesses (the card) with
something the user knows (the PIN).
Some computer systems authentication technologies are based solely
on possession of a token, but they are less common. Token-only
systems are more likely to be used in other applications, such as
for physical access.
Benefits of Memory Token Systems. Memory tokens when used
with PINs provide significantly more security than passwords. In
addition, memory cards are inexpensive to produce. For a hacker or
other would-be masquerader to pretend to be someone else, the hacker
must have both a valid token and the corresponding PIN. This is much
more difficult than obtaining a valid password and user ID
combination (especially since most user IDs are common knowledge).
Another benefit of tokens is that they can be used in support of
log generation without the need for the employee to key in a user ID
for each transaction or other logged event since the token can be
scanned repeatedly. If the token is required for physical entry and
exit, then people will be forced to remove the token when they leave
the computer. This can help maintain authentication.
Problems With Memory Token Systems. Although sophisticated
technical attacks are possible against memory token systems, most of
the problems associated with them relate to their cost,
administration, token loss, user dissatisfaction, and the compromise
of PINs. Most of the techniques for increasing the security of
memory token systems relate to the protection of PINs. Many of the
techniques discussed in the sidebar on Improving Password Security
apply to PINs.
1) Requires special reader. The need for a special reader
increases the cost of using memory tokens. The readers used for
memory tokens must include both the physical unit that reads the
card and a processor that determines whether the card and/or the PIN
entered with the card is valid. If the PIN or token is validated by
a processor that is not physically located with the reader, then the
authentication data is vulnerable to electronic monitoring (although
cryptography can be used to solve this problem).
2) Token loss. A lost token may prevent the user from being
able to log in until a replacement is provided. This can increase
administrative overhead costs.
The lost token could be found by someone who wants to break into
the system, or could be stolen or forged. If the token is also used
with a PIN, any of the methods described above in password problems
can be used to obtain the PIN. Common methods are finding the PIN
taped to the card or observing the PIN being entered by the
legitimate user. In addition, any information stored on the magnetic
stripe that has not been encrypted can be read.
3) User Dissatisfaction. In general, users want computers
to be easy to use. Many users find it inconvenient to carry and
present a token. However, their dissatisfaction may be reduced if
they see the need for increased security.
Attacks on memory-card systems have sometimes been quite creative.
One group stole an ATM machine that they installed at a local
shopping mall. The machine collected valid account numbers and
corresponding PINs, which the thieves used to forge cards. The
forged cards were then used to withdraw money from legitimate ATMs.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.