September 19, 2021
Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FYI - Younger remote workers see
security as a hindrance - The hybrid workplace model that many
organizations undertook during the COVID-19 pandemic isn’t going
away anytime soon.
https://www.scmagazine.com/news/training/younger-remote-workers-see-security-as-a-hindrance
SEC sanctions financial firms for cybersecurity failures - The U.S.
Securities and Exchange Commission charged three financial services
companies for failing to uphold cybersecurity procedures, which
resulted in the exposure of thousands of customers' personal
information.
https://searchsecurity.techtarget.com/news/252506068/SEC-sanctions-financial-firms-for-cybersecurity-failures
ProtonMail CEO says services must comply with laws unless based 15
miles offshore - After ProtonMail gave a climate activist's IP
address to French authorities under court order, the individual was
identified and arrested shortly after.
https://www.zdnet.com/article/protonmail-ceo-says-services-must-comply-with-laws-unless-based-15-miles-offshore/
How the Biden administration is structured to respond to threats in
cyberspace - The onset of the Biden administration has brought big
changes to the way cybersecurity roles and authorities are dispersed
and coordinated throughout the federal government, and not just
because of the usual turnover that happens when the White House
switches parties.
https://www.scmagazine.com/analysis/policy/how-the-biden-administration-is-structured-to-respond-to-threats-in-cyberspace
Nebraska pediatric provider to pay OCR $80K for HIPAA Right of
Access failure - The Department of Health and Human Services Office
for Civil Rights announced it reached a settlement with Children's
Hospital & Medical Center to resolve potential violations of The
Health Insurance Portability and Accountability Act Privacy Rule’s
Right of Access standard.
https://www.scmagazine.com/analysis/privacy/nebraska-pediatric-provider-to-pay-ocr-80k-for-hipaa-right-of-access-failure
Why ransomware attacks in healthcare remain a problem – and how to
stop them - If data has value, then electronic health records are a
treasure trove. Today’s emboldened and ever-more-sophisticated cyber
criminals know this.
https://www.scmagazine.com/perspective/phishing/why-ransomware-attacks-in-healthcare-remains-a-problem-and-how-to-stop-them
University of Minnesota launches Center for Medical Device
Cybersecurity - The University of Minnesota is proud to announce its
new Center for Medical Device Cybersecurity (CMDC). The center will
foster university-industry-government collaborations to ensure that
medical devices are both safe and secure from the growing number of
cybersecurity threats.
https://twin-cities.umn.edu/news-events/university-minnesota-launches-center-medical-device-cybersecurity
New online marketplace helps companies improve their eligibility for
cyber insurance - Cyber insurance firm Cowbell Cyber today launched
what it is billing as the first-ever cyber risk exchange
marketplace, designed to help companies find solutions that reduce
their risk and thus make them more easily insurable.
https://www.scmagazine.com/analysis/network-security/new-online-marketplace-helps-companies-improve-their-eligibility-for-cyber-insurance
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Malicious Actor Discloses
FortiGate SSL-VPN Credentials - Fortinet has become aware that a
malicious actor has recently disclosed SSL-VPN access information to
87,000 FortiGate SSL-VPN devices. While they may have since been
patched, if the passwords were not reset, they remain vulnerable.
https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials
ANZ New Zealand back online after outage from DDoS attack - ANZ New
Zealand's website is still facing an outage while other affected
websites have slowly come back online.
https://www.zdnet.com/article/anz-new-zealand-back-online-after-outage-from-ddos-attack/
UN Computer Networks Breached by Hackers Earlier This Year - Hackers
breached the United Nations’ computer networks earlier this year and
made off with a trove of data that could be used to target agencies
within the intergovernmental organization.
https://www.bloomberg.com/news/articles/2021-09-09/united-nations-computers-breached-by-hackers-earlier-this-year
LifeLong Medical informs 115K patients of Netgain data breach 6
months later - Approximately 115,448 patients of LifeLong Medical
are just now being notified that their data was accessed and stolen
during a series of ransomware-related intrusions at one of its
third-party vendors, Netgain. However, the Netgain incident occurred
in September 2020 and providers were notified in February, more than
six months ago.
https://www.scmagazine.com/analysis/breach/lifelong-medical-informs-115k-patients-of-netgain-data-breach-6-months-later
Olympus investigating reported ransomware attack with BlackMatter
hallmarks - A Japanese technology manufacturer confirmed it is
investigating a reported ransomware attack affecting business units
in Europe, the Middle East and Africa dating back to Sept. 8.
https://www.cyberscoop.com/olympus-ransomware-blackmatter-attack-camera/
KrebsOnSecurity Hit By Huge New IoT Botnet “Meris” - On Thursday
evening, KrebsOnSecurity was the subject of a rather massive (and
mercifully brief) distributed denial-of-service (DDoS) attack.
https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/
Unsecured fitness app database leaks 61M records, highlights health
app privacy risks - An unsecured database containing IoT health and
fitness tracking device data was found exposing more than 61 million
records tied to fitness app users from across the globe.
https://www.scmagazine.com/analysis/application-security/unsecured-fitness-app-database-leaks-61m-records-highlights-health-app-privacy-risks
Lubbock lawyers warned sealed records revealed - Lubbock County
defense attorneys are saying hundreds of criminal records that were
supposed to be sealed have been made public after the county
switched to a new electronic records system last month.
https://www.lubbockonline.com/story/news/2021/09/14/lubbock-defense-lawyers-say-countys-new-court-records-system-revealing-sealed-records/8338261002/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process
for outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking
transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems,
databases and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking
transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to 14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to
ensure availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks, as they relate to e-banking and the underlying risk management principles that banks should consider to address these issues.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.2.2 Smart Tokens (2 of 2)
There are other types
of protocols, some more sophisticated and some less so. The three
types described above are the most common.
Benefits of Smart Tokens
Smart tokens offer great flexibility and can be used to solve many
authentication problems. The benefits of smart tokens vary,
depending on the type used. In general, they provide greater
security than memory cards. Smart tokens can solve the problem of
electronic monitoring even if the authentication is done across an
open network by using one-time passwords.
1) One-time passwords. Smart tokens that use either
dynamic password generation or challenge-response protocols can
create one-time passwords. Electronic monitoring is not a problem
with one-time passwords because each time the user is authenticated
to the computer, a different "password" is used. (A hacker could
learn the one-time password through electronic monitoring, but it
would be of no value.)
2) Reduced risk of forgery. Generally, the memory on a
smart token is not readable unless the PIN is entered. In addition,
the tokens are more complex and, therefore, more difficult to forge.
3) Multi-application. Smart tokens with electronic
interfaces, such as smart cards, provide a way for users to access
many computers using many networks with only one log-in. This is
further discussed in the Single Log-in section of this chapter. In
addition, a single smart card can be used for multiple functions,
such as physical access or as a debit card.
Problems with Smart Tokens
Like memory tokens, most of the problems associated with smart
tokens relate to their cost, the administration of the system, and
user dissatisfaction. Smart tokens are generally less vulnerable to
the compromise of PINs because authentication usually takes place on
the card. (It is possible, of course, for someone to watch a PIN
being entered and steal that card.) Smart tokens cost more than
memory cards because they are more complex, particularly
challenge-response calculators.
Need reader/writers or human intervention. Smart tokens can
use either an electronic or a human interface. An electronic
interface requires a reader, which creates additional expense. Human
interfaces require more actions from the user. This is especially
true for challenge-response tokens with a manual interface, which
require the user to type the challenge into the smart token and the
response into the computer. This can increase user dissatisfaction.
Substantial Administration. Smart tokens, like passwords
and memory tokens, require strong administration. For tokens that
use cryptography, this includes key management.
Electronic reader/writers can take many forms, such as a slot in a
PC or a separate external device. Most human interfaces consist of a
keypad and display.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.