September 12, 2021
Does your financial institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
to meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b). The penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - CISA urges hospitals to remediate
flaws in Philips patient monitoring devices - A number of
vulnerabilities found in certain Philips patient monitoring devices
could enable an attacker with either access to the medical device
network or physical access to perform a number of malicious
activities, including accessing patient data, according to a
Department of Homeland Security Cybersecurity and Infrastructure
Security Agency alert.
https://www.scmagazine.com/analysis/asset-management/cisa-urges-hospitals-to-remediate-flaws-in-philips-patient-monitoring-devices
ISAC group unveils pragmatic, attainable cyber standards for school
districts - With the understanding that many school districts lack
the resources to realistically meet every single cybersecurity best
practice, the ISAC group K12 SIX has released its own set of
pragmatic infosec standards for the education sector - with each
security measure divided into four distinct levels of
implementation.
https://www.scmagazine.com/analysis/leadership/isac-group-unveils-pragmatic-attainable-cyber-standards-for-school-districts
Rethinking the approach to health care’s reliance on IT as security
leaders - A chief information security officer bears the
responsibility of driving a culture of security across the
enterprise from gaining board and financial support for key
initiatives, to implementing tech and processes that will keep the
network safe or online after a cyberattack.
https://www.scmagazine.com/feature/strategy/rethinking-the-approach-to-health-cares-reliance-on-it-as-security-leaders
House bill would create new cyber training and apprentice programs
at DHS - A bill introduced in the House this week would create a
program within the Cybersecurity and Infrastructure Security Agency
to retrain military veterans and members of the armed forces.
https://www.scmagazine.com/analysis/careers/house-bill-would-create-new-cyber-training-and-apprentice-programs-at-dhs
Why companies need to practice due diligence for cybersecurity - For
years, cybersecurity was considered the business of the IT
department. In the corporate structure, it made sense. IT was in
charge of the computers and the network, cybersecurity was a
computer issue, thus cybersecurity was an IT issue.
https://www.scmagazine.com/perspective/strategy/why-companies-need-to-practice-due-diligence-for-cybersecurity
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - UK VoIP telco receives 'colossal
ransom demand', reveals REvil cybercrooks suspected of 'organised'
DDoS attacks on UK VoIP companies - Two UK VoIP operators have had
their services disrupted over the last couple of days by ongoing,
aggressive DDoS attacks.
https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/
Fired NY credit union employee nukes 21GB of data in revenge - A
former employee of a New York credit union pleaded guilty to
accessing the financial institution's computer systems without
authorization and destroying over 21 gigabytes of data in revenge
after being fired.
https://www.bleepingcomputer.com/news/security/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/
Dallas Terminates Worker Who Deleted 22.5 TB of Police Data - The
Dallas Police Department employee responsible for deleting 22.5
terabytes of police data was fired by city officials Friday. The
worker had been employed for nine years and showed a history of
errors.
https://www.govtech.com/security/dallas-terminates-worker-who-deleted-22-5-tb-of-police-data
Dallas school district admits SSNs and more of all employees and
students since 2010 accessed during security incident - The Dallas
Independent School District said if you were a student, employee or
contractor between 2010 and the present, your personal data was
likely downloaded by an "unauthorized third party."
https://www.zdnet.com/article/dallas-school-district-admits-ssns-and-more-of-all-employees-and-students-since-2010-accessed-during-security-incident/
New Zealand internet outage blamed on DDoS attack on nation's third
largest internet provider - Here in the UK, Sky broadband users back
online - Parts of New Zealand were cut off from the digital world
today after a major local ISP was hit by an aggressive DDoS attack.
https://www.theregister.com/2021/09/03/nz_outage/
French government visa website hit by cyber-attack that exposed
applicants' personal data - The personal data of visa applicants
hoping to visit or emigrate to France has been exposed in a
cyber-attack targeting the French government’s ‘France-Visas’
website.
https://portswigger.net/daily-swig/french-government-visa-website-hit-by-cyber-attack-that-exposed-applicants-personal-data
Howard University takes a ‘cyber day’ after ransomware attack -
Prominent Washington, D.C.- area higher education institution Howard
University was forced to cancel classes on Tuesday, after a Sept. 3
ransomware attack forced the HBCU’s Enterprise Technology Services
team to shut down its network.
https://www.scmagazine.com/analysis/ransomware/howard-university-takes-a-cyber-day-after-ransomware-attack
Dupage Medical, Sturdy Memorial patients file lawsuits after PHI,
data breaches - In the last week, the patients impacted by the data
breaches reported by Dupage Medical Group and Massachusetts-based
Sturdy Memorial Hospital have filed two separate lawsuits, alleging
a range of complaints and insecure data practices.
https://www.scmagazine.com/analysis/breach/dupage-medical-sturdy-memorial-patients-file-lawsuits-after-phi-data-breaches
Hackers install crypto miner on Jenkins project server via
Confluence exploit - The Jenkins project reported Friday that one of
its servers was successfully attacked by hackers using a recently
warned about Confluence vulnerability to install a cryptocurrency
miner.
https://www.scmagazine.com/news/breach/hackers-install-crypto-miner-on-jenkins-project-server-via-confluence-exploit
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical
solutions to address particular risks or set technical standards
relating to e-banking. Technical issues will need to be addressed on
an on-going basis by both banking institutions and various
standards-setting bodies as technology evolves. Further, as the
industry continues to address e-banking technical issues, including
security challenges, a variety of innovative and cost efficient risk
management solutions are likely to emerge. These solutions are also
likely to address issues related to the fact that banks differ in
size, complexity and risk management culture and that jurisdictions
differ in their legal and regulatory frameworks.
For these reasons, the Committee does not believe that a "one
size fits all" approach to e-banking risk management is appropriate,
and it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is
different and requires a risk mitigation approach appropriate for
the scale of the e-banking operations, the materiality of the risks
present, and the willingness and ability of the institution to
manage these risks. These differences imply that the risk management
principles presented in this Report are intended to be flexible
enough to be implemented by all relevant institutions across
jurisdictions. National supervisors will assess the materiality of
the risks related to e-banking activities present at a given bank
and whether, and to what extent, the risk management principles for
e-banking have been adequately met by the bank's risk management
framework.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
- Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password-generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
biometrics.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
16.2.2 Smart Tokens (1 of 2)
A smart token expands the functionality of a memory token by
incorporating one or more integrated circuits into the token itself.
When used for authentication, a smart token is another example of
authentication based on something a user possesses (i.e., the token
itself). A smart token typically requires a user also to provide
something the user knows (i.e., a PIN or password) in order to
"unlock" the smart token for use.
There are many different types of smart tokens. In general, smart
tokens can be divided three different ways based on physical
characteristics, interface, and protocols used. These three
divisions are not mutually exclusive.
Physical Characteristics. Smart tokens can be divided into
two groups: smart cards and other types of tokens. A smart card
looks like a credit card, but incorporates an embedded
microprocessor. Smart cards are defined by an International
Organization for Standardization (ISO) standard. Smart tokens that
are not smart cards can look like calculators, keys, or other small
portable objects.
Interface. Smart tokens have either a manual or an
electronic interface. Manual or human interface tokens have displays
and/or keypads to allow humans to communicate with the card. Smart
tokens with electronic interfaces must be read by special
reader/writers. Smart cards, described above, have an electronic
interface. Smart tokens that look like calculators usually have a
manual interface.
Protocol. There are many possible protocols a smart token
can use for authentication. In general, they can be divided into
three categories: static password exchange, dynamic password
generators, and challenge-response.
1) Static tokens work similarly to memory tokens, except that the
users authenticate themselves to the token and then the token
authenticates the user to the computer.
2) A token that uses a dynamic password generator protocol
creates a unique value, for example, an eight-digit number, that
changes periodically (e.g., every minute). If the token has a manual
interface, the user simply reads the current value and then types it
into the computer system for authentication. If the token has an
electronic interface, the transfer is done automatically. If the
correct value is provided, the log-in is permitted, and the user is
granted access to the system.
3) Tokens that use a challenge-response protocol work by having
the computer generate a challenge, such as a random string of
numbers. The smart token then generates a response based on the
challenge. This is sent back to the computer, which authenticates
the user based on the response. The challenge-response protocol is
based on cryptography. Challenge-response tokens can use either
electronic or manual interfaces.
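The dynamic password generator and challenge-response protocols described above, together with the FFIEC points on pairing the token value with a user-known password and cancelling a reported-stolen token, are illustrated by the following Python example. It is added here and is not code from the NIST Handbook or the FFIEC booklet. The time-based code follows the HOTP/TOTP construction (RFC 4226/6238); the challenge-response is an HMAC over a server-chosen random challenge. The seed, PIN, challenge bytes and timestamps are constructed for illustration.

```python
"""Added example (not from the FFIEC booklet or NIST handbook): a
dynamic-password (time-based) token and a challenge-response token,
each paired with a user PIN, plus the server-side checks that blunt
token theft and replay. Seed, PIN and timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the counter, dynamic truncation, `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 8) -> str:
    """Dynamic password generator: the HOTP counter is the current time step,
    so the displayed value changes every `step` seconds (every minute here)."""
    return hotp(secret, unix_time // step, digits)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Challenge-response token: keyed MAC over the server's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class Verifier:
    """Server side. Both protocols also require the PIN ("something you
    know") in addition to the token output ("something you have")."""

    def __init__(self, secret: bytes, pin: str, step: int = 60, digits: int = 8):
        self.secret, self.pin = secret, pin
        self.step, self.digits = step, digits
        self.last_counter = -1   # highest time step already consumed (replay guard)
        self.pending = set()     # outstanding challenges; each is single use
        self.revoked = False     # set when the token is reported stolen

    def revoke(self) -> None:
        """Policy control from the FFIEC text: a reported token stops working."""
        self.revoked = True

    def _pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(pin.encode(), self.pin.encode())

    def verify_totp(self, pin: str, code: str, now: int, skew: int = 1) -> bool:
        """Accept a code for the current step or `skew` steps either side,
        but never a step at or below one already used (a replayed value)."""
        if self.revoked or not self._pin_ok(pin):
            return False
        centre = now // self.step
        for counter in range(centre - skew, centre + skew + 1):
            if counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def new_challenge(self) -> bytes:
        """Fresh random challenge; unpredictable so responses cannot be precomputed."""
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify_response(self, pin: str, challenge: bytes, response: str) -> bool:
        if self.revoked or challenge not in self.pending or not self._pin_ok(pin):
            return False
        self.pending.discard(challenge)          # one response per challenge
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 4226/6238 test-vector secret
    v = Verifier(seed, pin="4711")
    now = 1_000_000                              # constructed timestamp
    code = totp(seed, now)
    assert v.verify_totp("4711", code, now)      # first use accepted
    assert not v.verify_totp("4711", code, now)  # same code replayed: rejected
    assert not v.verify_totp("0000", totp(seed, now + 60), now + 60)  # wrong PIN
    c = v.new_challenge()
    assert v.verify_response("4711", c, token_response(seed, c))
    assert not v.verify_response("4711", c, token_response(seed, c))  # reused
    v.revoke()
    assert not v.verify_totp("4711", totp(seed, now + 120), now + 120)
    print("all checks passed")
```

The `hotp` function reproduces the RFC 4226 test vectors (counter 0 gives 755224 at six digits), so the dynamic-password half can be checked against a published reference. The `skew` window is what absorbs the clock drift a one-minute token will show in practice; the `last_counter` guard is what stops a code captured in that window from being used twice.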
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.