R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

September 11, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool requirements for resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

How financial institutions can mitigate business email compromise risks - As financial institutions have become a greater target for cybercriminals, business email compromise (BEC) has become a more significant issue for banks, investment firms and other financial firms. https://www.scmagazine.com/analysis/email-security/how-financial-institutions-can-mitigate-business-email-compromise-risks

Phishing-as-a-service platform ‘Robin Banks’ targets financial firms - Financial institutions have recently been targeted by the so-called “Robin Banks” phishing-as-a-service attack platform (PhaaS), which has aimed its payload at text and emails. https://www.scmagazine.com/analysis/email-security/phishing-as-a-service-platform-robin-banks-targets-financial-firms

For security awareness, give workers the tools they need to change their behavior - The awareness challenges faced by modern organizations are similar to humanity's job of saving our own planet: a seemingly enormous and impossible task which requires the support of nearly every individual and will get done on a shoestring budget. https://www.scmagazine.com/perspective/security-awareness/for-security-awareness-give-workers-the-tools-they-need-to-change-their-behavior%ef%bf%bc

White House to give aviation executives classified cyberthreat briefing, latest in series of industry meetings - The White House has been conducting classified cybersecurity briefings with executives from select critical infrastructure sectors as part of an ongoing effort to compel industry leaders to invest more in their digital defenses. https://www.cyberscoop.com/white-house-classified-threat-briefings-critical-infrastructure/

NSA and CISA share tips to secure the software supply chain - The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released tips today on securing the software supply chain. https://www.bleepingcomputer.com/news/security/nsa-and-cisa-share-tips-to-secure-the-software-supply-chain/

Japan Declares 'War' on the Humble Floppy Disk in New Digitization Push - Japan’s digital minister, who’s vowed to rid the bureaucracy of outdated tools from the hanko stamp to the fax machine, has now declared “war” on a technology many haven’t seen for decades -- the floppy disk. https://www.bloomberg.com/news/articles/2022-08-31/japan-s-digital-chief-vows-to-purge-floppy-disks-from-government

Many companies lack full confidence in their backup solutions - Backup-as-a-service company HYCU on Wednesday released a report that said some 65% of companies surveyed lack full confidence in their backup solutions, leaving them vulnerable to ransomware attacks that occur on average every 11 seconds. https://www.scmagazine.com/news/cloud-security/many-companies-lack-full-confidence-in-their-backup-solutions

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Credential phishing attack targeted 16,000 emails at nonprofit agency - Researchers detailed a sophisticated phishing attack that targeted employees at a large international nonprofit involving the American Express credit card brand. https://www.scmagazine.com/analysis/email-security/credential-phishing-attack-targeted-16000-emails-at-nonprofit-agency

New ransomware hits Windows, Linux servers of Chile govt agency - Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/

Los Angeles school district to remain open despite ransomware attack - The Los Angeles Unified School District, the second largest school district in the country, is reporting it has been victimized in a ransomware attack. https://www.scmagazine.com/analysis/ransomware/los-angeles-school-district-to-remain-open-despite-ransomware-attack

Credential phishing attack targeted 16,000 emails at nonprofit agency - Researchers have uncovered an effective recent phishing attack where the fraudster claims to be the prominent charge card brand American Express, and demands that cardholders open an attachment and contact the card company immediately regarding the cardholder’s account. https://www.scmagazine.com/analysis/email-security/credential-phishing-attack-targeted-16000-emails-at-nonprofit-agency


WEB SITE COMPLIANCE -

Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Technical and Industry Expertise

• Assess the service provider’s experience and ability to provide the necessary services and supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or partners that would be used to support the outsourced operations.
• Evaluate the experience of the service provider in providing services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and work are necessary.
• Evaluate the service provider’s ability to respond to service disruptions.
• Contact references and user groups to learn about the service provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned to support the institution.
• Perform on-site visits, where necessary, to better understand how the service provider operates and supports its services.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

LOGGING AND DATA COLLECTION (Part 1 of 2)

Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:

• Inbound and outbound Internet traffic,
• Internal network traffic,
• Firewall events,
• Intrusion detection system events,
• Network and host performance,
• Operating system access (especially high-level administrative or root access),
• Application access (especially users and objects with write and execute privileges), and
• Remote access.
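The booklet asks for two things here: that the right data be collected, and that someone actually review it for unauthorized access attempts. The script below is an added example, not part of the FFIEC booklet or this newsletter, of both steps run over a handful of constructed log lines (firewall, sshd remote access, sudo-to-root, and a hypothetical core-banking application audit format). It reports which of the booklet's categories have no records at all, and then flags root access, grants of write/execute privilege, repeated failed remote logins from one source, and a successful login from a source that had just failed repeatedly. The log formats, hostnames, addresses and the `ids01 ... alert` pattern are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system). They mix several
# of the sources the booklet lists: firewall events, remote access (sshd),
# operating system administrative access (sudo to root) and application access.
SAMPLE_LOGS = [
    "2022-09-11T02:14:01Z fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=3389 proto=tcp",
    "2022-09-11T02:14:03Z fw01 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2022-09-11T02:15:10Z vpn01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "2022-09-11T02:15:12Z vpn01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2",
    "2022-09-11T02:15:15Z vpn01 sshd[1201]: Failed password for root from 203.0.113.9 port 51024 ssh2",
    "2022-09-11T02:15:40Z vpn01 sshd[1209]: Accepted password for svc_backup from 203.0.113.9 port 51025 ssh2",
    "2022-09-11T02:16:02Z host07 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config",
    "2022-09-11T02:17:30Z app01 core-banking audit user=bob action=grant priv=write,execute object=/ledger/journal",
    "2022-09-11T02:17:45Z app01 core-banking audit user=carol action=read priv=read object=/ledger/journal",
    "2022-09-11T02:18:00Z vpn01 sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2",
]

# Patterns for the (assumed) record formats above.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")
FIREWALL = re.compile(r"\b(ALLOW|DENY)\b src=(\S+) dst=(\S+) dport=(\d+)")
APP_ACCESS = re.compile(r"audit user=(\S+) action=(\S+) priv=(\S+) object=(\S+)")

# Booklet categories this script can recognise, each paired with a pattern
# that evidences at least one record of that kind. The IDS format is a
# hypothetical placeholder; no sample line matches it on purpose.
CATEGORY_PATTERNS = {
    "firewall events": FIREWALL,
    "remote access": re.compile(r"sshd\[\d+\]:"),
    "operating system access": re.compile(r"sudo:"),
    "application access": APP_ACCESS,
    "intrusion detection system events": re.compile(r"\bids\d+ .*alert\b"),
}


def missing_categories(lines):
    """Adequacy check: booklet categories for which nothing was collected."""
    return {name for name, pat in CATEGORY_PATTERNS.items()
            if not any(pat.search(line) for line in lines)}


def review(lines, failed_threshold=3):
    """Review step: return (kind, subject, detail) findings worth an analyst's eyes."""
    findings = []
    failures = Counter()   # failed remote logins per source address
    accepted = []          # (user, source) of successful remote logins
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_LOGIN.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
            continue
        m = SUDO_ROOT.search(line)
        if m:  # high-level administrative access: always record who ran what
            findings.append(("root_access", m.group(1), m.group(2)))
            continue
        m = APP_ACCESS.search(line)
        if m and m.group(2) == "grant" and {"write", "execute"} & set(m.group(3).split(",")):
            findings.append(("privileged_grant", m.group(1), m.group(4)))
    for src, count in failures.items():
        if count >= failed_threshold:
            findings.append(("repeated_failed_login", src, count))
            # A success from a source that just failed repeatedly is the
            # case most worth correlating across the remote-access log.
            for user, accepted_src in accepted:
                if accepted_src == src:
                    findings.append(("success_after_failures", src, user))
    return findings


if __name__ == "__main__":
    print("Not collected:", sorted(missing_categories(SAMPLE_LOGS)))
    for finding in review(SAMPLE_LOGS):
        print(*finding)
```

The threshold and the category table are the risk-based decisions the booklet refers to; in practice they come from the institution's security policy, and the "not collected" output is the input to the adequacy review, not an alert in itself.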



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.3.1 Payroll Fraud

As for most large organizations that control financial assets, attempts at fraud and embezzlement are likely to occur. Historically, attempts at payroll fraud have almost always come from within HGA or the other agencies that operate systems on which HGA depends. Although HGA has thwarted many of these attempts, and some have involved relatively small sums of money, it considers preventing financial fraud to be a critical computer security priority, particularly in light of the potential financial losses and the risks of damage to its reputation with Congress, the public, and other federal agencies.

Attempts to defraud HGA have included the following:

  • Submitting fraudulent time sheets for hours or days not worked, or for pay periods following termination or transfer of employment. The former may take the form of overreporting compensatory or overtime hours worked, or underreporting vacation or sick leave taken. Alternatively, attempts have been made to modify time sheet data after being entered and approved for submission to payroll.
  • Falsifying or modifying dates or data on which one's "years of service" computations are based, thereby becoming eligible for retirement earlier than allowed, or increasing one's pension amount.
  • Creating employee records and time sheets for fictitious personnel, and attempting to obtain their paychecks, particularly after arranging for direct deposit.
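Two of the attempts above (modifying a time sheet after it has been approved, and paying fictitious or already-terminated personnel) can be caught at payroll time by a pre-payment check. The script below is an added example, not part of the NIST handbook's HGA narrative: the approval step seals each time sheet with an HMAC under a key held only by the approval system, and the payroll check then verifies every seal, rejects records whose employee is not in the HR master, and rejects pay periods that end after the employee's termination date. The record layout, the `EMPLOYEES` table and `DEMO_KEY` are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed HR master: employee id -> termination date (None if active).
EMPLOYEES = {"E1001": None, "E1002": date(2022, 8, 31)}

# Constructed demo key. In a real deployment only the approval service
# holds this key; time-entry users and payroll clerks do not.
DEMO_KEY = b"constructed-demo-key"


def canonical(record):
    """Stable byte encoding of every field except the seal itself."""
    fields = {k: v for k, v in record.items() if k != "approval"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def approve(record, key):
    """Return a copy of the time sheet carrying an HMAC-SHA256 approval seal."""
    sealed = dict(record)
    sealed["approval"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def check_for_payroll(records, key, employees=EMPLOYEES):
    """Return (issue, employee, period_end) for every record payroll must not pay."""
    issues = []
    for rec in records:
        expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        seal = rec.get("approval", "")
        if not hmac.compare_digest(seal, expected):
            # Any field changed after approval (or never approved) breaks the seal.
            issues.append(("modified_after_approval", rec["employee"], rec["period_end"]))
        if rec["employee"] not in employees:
            # Time sheet for personnel unknown to HR: the fictitious-employee case.
            issues.append(("unknown_employee", rec["employee"], rec["period_end"]))
        else:
            terminated = employees[rec["employee"]]
            if terminated is not None and date.fromisoformat(rec["period_end"]) > terminated:
                # Pay period after termination should not reach payroll at all.
                issues.append(("after_termination", rec["employee"], rec["period_end"]))
    return issues


def build_sample(key):
    """Constructed time sheets: one clean, one tampered, one post-termination, one fictitious."""
    clean = approve({"employee": "E1001", "period_end": "2022-09-10",
                     "regular_hours": 80, "overtime_hours": 4}, key)
    tampered = approve({"employee": "E1001", "period_end": "2022-08-27",
                        "regular_hours": 80, "overtime_hours": 0}, key)
    tampered["overtime_hours"] = 20  # edited after approval; seal no longer matches
    post_term = approve({"employee": "E1002", "period_end": "2022-09-10",
                         "regular_hours": 80, "overtime_hours": 0}, key)
    fictitious = approve({"employee": "E9999", "period_end": "2022-09-10",
                          "regular_hours": 80, "overtime_hours": 0}, key)
    return [clean, tampered, post_term, fictitious]


if __name__ == "__main__":
    for issue in check_for_payroll(build_sample(DEMO_KEY), DEMO_KEY):
        print(*issue)
```

The seal only helps if the key is out of reach of the people who enter or edit time sheets; that separation, not the HMAC arithmetic, is what makes post-approval modification detectable.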

20.3.2 Payroll Errors

Of greater likelihood, but of perhaps lesser potential impact on HGA, are errors in the entry of time and attendance data; failure to enter information describing new employees, terminations, and transfers in a timely manner; accidental corruption or loss of time and attendance data; or errors in interagency coordination and processing of personnel transfers.

Errors of these kinds can cause financial difficulties for employees and accounting problems for HGA. If an employee's vacation or sick leave balance became negative erroneously during the last pay period of the year, the employee's last paycheck would be automatically reduced. An individual who transfers between HGA and another agency may risk receiving duplicate paychecks or no paychecks for the pay periods immediately following the transfer. Errors of this sort that occur near the end of the year can lead to errors in W-2 forms and subsequent difficulties with the tax collection agencies,


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.