September 6, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Nasty code execution vulnerability discovered in Pulse Secure VPN - Security researchers have discovered a code execution vulnerability in Pulse Secure VPN which could be used by attackers to take control of an organization's entire network if left unpatched.
https://www.techradar.com/news/nasty-code-execution-vulnerability-discovered-in-pulse-secure-vpn
CISA, TREASURY, FBI AND USCYBERCOM RELEASE CYBER ALERT ON LATEST NORTH KOREA BANK ROBBING SCHEME - The Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) are issuing a joint technical alert about an ongoing automated teller machine (ATM) cash-out scheme by North Korean government cyber actors, referred to by the U.S. government as “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.”
https://www.cisa.gov/news/2020/08/26/cisa-treasury-fbi-and-uscybercom-release-cyber-alert-latest-north-korea-bank
https://www.bleepingcomputer.com/news/security/us-govt-warns-of-north-korean-hackers-targeting-banks-worldwide/
Adapt remote security practices to today’s digital reality at home -
The coronavirus pandemic has changed the way we work. It’s a new
remote reality that will likely have a lasting impact, well beyond
when quarantines are lifted.
https://www.scmagazine.com/perspectives/adapt-remote-security-practices-to-todays-digital-reality-at-home/
Tesla employee rejected a $1 million bribe to install malware - An
indictment released earlier this week detailed a Russian national
offering a worker, later confirmed to be a Tesla employee, $1
million to install malware on the corporate machines.
https://www.scmagazine.com/home/security-news/tesla-employee-rejected-a-1-million-to-install-malware/
What security pros can learn from space travel - Humans have always
been fascinated with space travel, and that’s why more than 10
million people tuned in earlier this year via livestream to watch
NASA and SpaceX launch astronauts Robert Behnken and Douglas Hurley
to the International Space Station (ISS).
https://www.scmagazine.com/perspectives/what-security-pros-can-learn-from-space-travel/
Free program blocks 10 million malicious domains from state and
local governments - Akamai announced Wednesday early results of a
partnership with the Center for Internet Security and the Department
of Homeland Security to offer free malicious domain blocking and
reporting services to state, local, tribal and territorial
governments.
https://www.scmagazine.com/home/security-news/free-program-blocks-10-million-malicious-domains-from-state-and-local-governments/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - NCR confirms malware in lab environment, says clients not at risk - NCR Corporation has confirmed to SC Media that it found malware-infected computers in an isolated non-production lab environment outside of the U.S., but claims its clients were never at risk of a secondary infection.
https://www.scmagazine.com/home/security-news/malware/exclusive-trojan-apparently-infects-ncr-posing-possible-supply-chain-risk/
New Zealand stock exchange halted trading after DDoS attacks - New
Zealand’s stock exchange (NZX) has been impacted by distributed
denial-of-service (DDoS) attacks during the last two days, forcing
it to shut down trading until the connectivity issues were resolved.
https://www.bleepingcomputer.com/news/security/new-zealand-stock-exchange-halted-trading-after-ddos-attacks/
Medical Data Leaked on GitHub Due to Developer Errors - Developer
error caused the leak of 150,000 to 200,000 patient health records
stored in productivity apps from Microsoft and Google that were
recently found on GitHub.
https://threatpost.com/medical-data-leaked-on-github-due-to-developer-errors/158653/
New Zealand bourse website hit by fresh cyberattack, but keeps
trading - The New Zealand stock market was hit by a fifth day of
cyber attacks on Monday, crashing its website, but maintained
trading after switching to a contingency plan for the release of
market announcements.
https://www.reuters.com/article/us-nzx-cyber/new-zealand-bourse-website-hit-by-fresh-cyberattack-but-keeps-trading-idUSKBN25R004
WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Utilization of the Internet presents numerous issues and risks
which must be addressed. While many aspects of system performance
will present additional challenges to the bank, some will be beyond
the bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve,
security controls will improve; however, so will the tools and
methods used by others to compromise data and systems. Comprehensive
security controls must not only be implemented, but also updated to
guard against current and emerging threats. Security controls that
address the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
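The FDIC paper groups data integrity under encryption, but in practice encryption alone gives confidentiality only: an attacker on the wire can flip bits of a ciphertext without any key, and a receiver using a plain cipher mode decrypts the altered message without noticing. Integrity comes from an authentication tag (authenticated encryption such as AES-GCM) or from a digital signature, and the signature is also what delivers authentication and non-repudiation, since only the holder of the private key can produce it. The following Go program is an added example, not part of the FDIC paper or this newsletter, written with the Go standard library's crypto packages; the payment instruction, key, IV and nonce are constructed demo values, and the hypothetical function names are mine. It encrypts the same message three ways and shows which ones detect a one-bit change to the amount.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Instruction is a constructed sample message (not from the FDIC paper):
// a payment order of the kind a bank might send over the Internet.
var Instruction = []byte("PAY 1000.00 FROM 1234567 TO 7654321")

// XORByte returns a copy of buf with mask XORed into byte i. This is all an
// attacker on the wire needs to do; no key is involved.
func XORByte(buf []byte, i int, mask byte) []byte {
	out := append([]byte(nil), buf...)
	out[i] ^= mask
	return out
}

// EncryptOnly is AES-256 in CTR mode: confidentiality, but no integrity.
// key is 32 bytes, iv is 16 bytes. Decryption is the same operation, and a
// bit flipped in the ciphertext flips the same bit in the plaintext.
func EncryptOnly(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// SealAuthenticated is AES-256-GCM: confidentiality plus an authentication
// tag over the ciphertext. nonce is 12 bytes and must never repeat for a key.
func SealAuthenticated(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, data, nil), nil
}

// OpenAuthenticated checks the tag before releasing any plaintext; a
// modified ciphertext yields an error rather than altered data.
func OpenAuthenticated(key, nonce, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, nil)
}

// SignedVerifies signs msg with a fresh Ed25519 key pair and checks the
// signature against the original and against a tampered copy. Only the
// private-key holder can produce a valid signature, which is what gives
// authentication and non-repudiation: the signer cannot later deny it.
func SignedVerifies(msg, tampered []byte) (origOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := ed25519.Sign(priv, msg)
	return ed25519.Verify(pub, msg, sig), ed25519.Verify(pub, tampered, sig), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32)   // constructed demo key
	iv := bytes.Repeat([]byte{0x22}, 16)    // constructed demo CTR IV
	nonce := bytes.Repeat([]byte{0x33}, 12) // constructed demo GCM nonce

	// 1. Encryption only: XOR 0x08 into ciphertext byte 4 turns '1' into '9',
	//    so the receiver decrypts "PAY 9000.00 ..." and cannot tell.
	ct, _ := EncryptOnly(key, iv, Instruction)
	pt, _ := EncryptOnly(key, iv, XORByte(ct, 4, 0x08))
	fmt.Printf("CTR, tampered:  %q\n", pt)

	// 2. Authenticated encryption: the same change is rejected outright.
	sealed, _ := SealAuthenticated(key, nonce, Instruction)
	_, err := OpenAuthenticated(key, nonce, XORByte(sealed, 4, 0x08))
	fmt.Printf("GCM, tampered:  rejected=%v\n", err != nil)

	// 3. Digital signature: verifies the original, fails on the tampered copy.
	ok, bad, _ := SignedVerifies(Instruction, XORByte(Instruction, 4, 0x08))
	fmt.Printf("Ed25519: original=%v tampered=%v\n", ok, bad)
}
```

The CTR result is the point an auditor should take from the paper's wording: "encrypted" is not the same as "tamper-evident", and a reviewer of a bank's Internet-facing system should ask which cipher mode or MAC protects the integrity of each message, not only whether it is encrypted. The certificate-authority side of the paper's discussion (binding a public key to an identity so that a verifier knows whose signature it is checking) is handled in Go by the standard crypto/x509 package and is not shown here.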
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.3 Automated Applications and Data
Normally, the primary contingency strategy for applications and
data is regular backup and secure offsite storage. Important
decisions to be addressed include how often the backup is performed,
how often it is stored off-site, and how it is transported (to
storage, to an alternate processing site, or to support the
resumption of normal operations).
The need for computer security does not go away when an
organization is processing in a contingency mode. In some cases, the
need may increase due to sharing processing facilities,
concentrating resources in fewer sites, or using additional
contractors and consultants. Security should be an important
consideration when selecting contingency strategies.
11.4.4 Computer-Based Services
Service providers may offer contingency services. Voice
communications carriers often can reroute calls (transparently to
the user) to a new location. Data communications carriers can also
reroute traffic. Hot sites are usually capable of receiving data and
voice communications. If one service provider is down, it may be
possible to use another. However, the type of communications carrier
lost, either local or long distance, is important. Local voice
service may be carried on cellular. Local data communications,
especially for large volumes, is normally more difficult. In
addition, resuming normal operations may require another rerouting
of communications services.
11.4.5 Physical Infrastructure
Hot sites and cold sites may also offer office space in addition
to processing capability support. Other types of contractual
arrangements can be made for office space, security services,
furniture, and more in the event of a contingency. If the
contingency plan calls for moving offsite, procedures need to be
developed to ensure a smooth transition back to the primary
operating facility or to a new facility. Protection of the physical
infrastructure is normally an important part of the emergency
response plan, such as use of fire extinguishers or protecting
equipment from water damage.
11.4.6 Documents and Papers
The primary contingency strategy is usually backup onto magnetic,
optical, microfiche, paper, or other medium and offsite storage.
Paper documents are generally harder to back up than electronic ones.
A supply of forms and other needed papers can be stored offsite.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.