September 13, 2020
Please stay safe - We will recover.
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - GAO - To Prevent Examiners From Treating Banks Lightly In Hopes Of Better Paying Jobs, Says GAO - The Federal Deposit Insurance Corporation (FDIC) should do more to prevent examiners from treating the banks they oversee lightly in hopes of getting better paying jobs at them, the Government Accountability Office urged today.
https://www.forbes.com/sites/tedknutson/2020/09/04/fdic-should-do-more-to-prevent-examiners-from-treating-banks-lightly-in-hopes-of-better-paying-jobs-says-gao/#ec81d78502ff
https://www.gao.gov/products/GAO-20-519
Whether a police officer "exceeds authorized access" under the Computer Fraud &
Abuse Act when they use their authorization to access personal information in a
government database for an improper purpose. EPIC to Supreme Court: Government
Insiders Who Improperly Access Personal Data Violate Computer Crime Statute.
https://epic.org/amicus/cfaa/van-buren/
CISA orders agencies to set up vulnerability disclosure programs - Out of scores
of federal civilian agencies, only a handful of them have official programs to
work with outside security researchers to find and fix software bugs - a process
that is commonplace in the private sector.
https://www.cyberscoop.com/cisa-vulnerability-disclosure-directive-omb/
National Guard plans all-virtual cyber exercise - The National Guard is moving
its massive annual cyber exercise, Cyber Shield 2020, completely online for the
first time due to the ongoing COVID-19 pandemic with a renewed focus on
information operations.
https://fcw.com/articles/2020/09/03/williams-guard-cyber-shield-virtual.aspx
Combat data breaches by using training and technology - Corporate data breaches
are a big deal, and as data grows more valuable and regulations become stricter,
it’s increasingly important to have the right mechanisms in place to prevent
them.
https://www.scmagazine.com/perspectives/combat-data-breaches-by-using-training-and-technology-2/
Visa: New Baka Skimmer Designed to Avoid Detection - Visa has issued a warning
about new digital skimming malware with a sophisticated design intended to
circumvent detection by security tools.
https://www.infosecurity-magazine.com/news/visa-new-baka-skimmer-designed/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - European ISPs report mysterious wave of DDoS attacks - Over the past week, multiple ISPs in Belgium, France, and the Netherlands reported DDoS attacks that targeted their DNS infrastructure. More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.
https://www.zdnet.com/article/european-isps-report-mysterious-wave-of-ddos-attacks/
Norway is investigating a cyberattack on its parliament - Hackers have struck at
the Norwegian parliament, compromising a limited number of email accounts of
lawmakers and employees, the parliament’s administrator said Tuesday.
https://www.cyberscoop.com/norway-parliament-cyberattack/
SunCrypt Ransomware shuts down North Carolina school district - A school
district in North Carolina has suffered a data breach after having unencrypted
files stolen during an attack by the SunCrypt Ransomware operators,
BleepingComputer has discovered.
https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-shuts-down-north-carolina-school-district/
Northumbria Uni Campus Closed After Serious Cyber-Attack - Northumbria
University is still reeling from a cyber-attack which forced it to reschedule
exams and close its entire campus in Newcastle-Upon-Tyne.
https://www.infosecurity-magazine.com/news/northumbria-uni-campus-closed/
Chilean bank shuts down all branches following ransomware attack - All
BancoEstado branches will remain closed on Monday, September 7, and possibly
more days. BancoEstado, one of Chile's three biggest banks, was forced to shut
down all branches on Monday following a ransomware attack that took place over
the weekend.
https://www.zdnet.com/article/chilean-bank-shuts-down-all-branches-following-ransomware-attack/
Israel's Tower Semi halts some operations after cyber attack - Israeli chip
manufacturer Tower Semiconductor (TSEM.TA) said on Sunday some of its systems
were hit by a cyber attack and as a result it was putting on hold some servers
and manufacturing operations.
https://www.reuters.com/article/us-towerjazz-cyber/israels-tower-semi-halts-some-operations-after-cyber-attack-idUSKBN25X07T
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on Identity Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines). The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
identity theft.
Risk management examiners trained in information technology (IT)
and the requirements of the Bank Secrecy Act (BSA) evaluate a number
of aspects of a bank's operations that raise identity theft issues.
IT examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the
Fair Credit Reporting Act (FCRA), through the auspices of the
Federal Financial Institutions Examination Council's (FFIEC)
Consumer Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC
and other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Encryption
Encryption, or cryptography, is a method of converting information
to an unintelligible code. The process can then be reversed,
returning the information to an understandable form. The information
is encrypted (encoded) and decrypted (decoded) by what are commonly
referred to as "cryptographic keys." These "keys" are actually
values, used by a mathematical algorithm to transform the data. The
effectiveness of encryption technology is determined by the strength
of the algorithm, the length of the key, and the appropriateness of
the encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide
assurance of data integrity as some algorithms offer protection
against forgery and tampering. The ability of the technology to
protect the information requires that the encryption and decryption
keys be properly managed by authorized parties.
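As an added illustration of the three properties the passage describes (the ciphertext is unintelligible without the key, some constructions also detect forgery and tampering, and everything rests on who holds the key), here is a small Python example written for this page; it is not from the FDIC text. It uses a hand-built encrypt-then-MAC construction from the standard library (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag), assumed here only for demonstration; production systems should use a vetted authenticated cipher from a maintained library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative encrypt-then-MAC built only from the standard library (HMAC-SHA256 keystream
# plus HMAC-SHA256 tag). Assumed for demonstration; production code should use a vetted
# authenticated cipher such as AES-GCM from a maintained library.
NONCE_LEN = 16
TAG_LEN = 32

def new_key() -> bytes:
    return secrets.token_bytes(32)  # the 256-bit value that key management must protect

def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, both derived from one master key.
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from the key and nonce (counter mode over HMAC)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag: unreadable, and unalterable without detection, to anyone without the key."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the data was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time integrity check before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def flip_one_bit(blob: bytes) -> bytes:
    """Constructed in-transit corruption: flip one bit of the first ciphertext byte."""
    return blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
```

Decrypting with a different key, or after a single flipped bit, yields None rather than garbage, which is the "protection against forgery and tampering" the passage refers to.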
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5 Step 5: Implementing the Contingency Strategies
Once the contingency planning strategies have been selected, it is
necessary to make appropriate preparations, document the strategies,
and train employees. Many of these tasks are ongoing.
11.5.1 Implementation
Much preparation is needed to implement the strategies for
protecting critical functions and their supporting resources. For
example, one common preparation is to establish procedures for
backing up files and applications. Another is to establish contracts
and agreements, if the contingency strategy calls for them. Existing
service contracts may need to be renegotiated to add contingency
services. Another preparation may be to purchase equipment,
especially to support a redundant capability.
It is important to keep preparations, including documentation,
up-to-date. Computer systems change rapidly and so should backup
services and redundant equipment. Contracts and agreements may also
need to reflect the changes. If additional equipment is needed, it
must be maintained and periodically replaced when it is no longer
dependable or no longer fits the organization's architecture.
Preparation should also include formally designating people who
are responsible for various tasks in the event of a contingency.
These people are often referred to as the contingency response team.
This team is often composed of people who were a part of the
contingency planning team.
There are many important implementation issues for an
organization. Two of the most important are 1) how many plans should
be developed? and 2) who prepares each plan? Both of these questions
revolve around the organization's overall strategy for contingency
planning. The answers should be documented in organization policy
and procedures.
Backing up data files and applications is a critical part of
virtually every contingency plan. Backups are used, for example, to
restore files after a personal computer virus corrupts the files or
after a hurricane destroys a data processing center.
How many plans?
Some organizations have just one plan for the entire organization,
and others have a plan for every distinct computer system,
application, or other resource. Other approaches recommend a plan
for each business or mission function, with separate plans, as
needed, for critical resources.
The answer to the question, therefore, depends upon the unique
circumstances for each organization. But it is critical to
coordinate between resource managers and functional managers who are
responsible for the mission or business.
Who Prepares the Plan?
If an organization decides on a centralized approach to
contingency planning, it may be best to name a contingency planning
coordinator. The coordinator prepares the plans in cooperation with
various functional and resource managers. Some organizations place
responsibility directly with the functional and resource managers.
Relationship Between Contingency Plans and Computer Security Plans
For small or less complex systems, the contingency plan may be a
part of the computer security plan. For larger or more complex
systems, the computer security plan could contain a brief synopsis
of the contingency plan, which would be a separate document.
11.5.2 Documenting
The contingency plan needs to be written, kept up-to-date as the
system and other factors change, and stored in a safe place. A
written plan is critical during a contingency, especially if the
person who developed the plan is unavailable. It should clearly
state in simple language the sequence of tasks to be performed in
the event of a contingency so that someone with minimal knowledge
could immediately begin to execute the plan. It is generally helpful
to store up-to-date copies of the contingency plan in several
locations, including any off-site locations, such as alternate
processing sites or backup data storage facilities.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.