September 20, 2020
Please stay safe - We will recover.
Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
to meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which provides compliance with the
Gramm-Leach-Bliley Act 501(b); the penetration
test also complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT
audits
-
I am performing
virtual/remote FFIEC IT audits
for banks and credit unions. I am a
former bank examiner with years
of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you information
and fees. All correspondence is
confidential.
FYI
- What’s really changed three years after Equifax breach? - Are
organizations better off today than they were three years ago when a
devastating breach at Equifax exposed sensitive customer data and
poor security practices in equal measure?
https://www.scmagazine.com/home/security-news/whats-really-changed-three-years-after-equifax-breach/
12 checklist items for defeating Magecart attacks - Magecart groups
have made many successful attacks on high-profile companies over the
past two years. In a Magecart attack, attackers covertly inject
credit card skimming code into the checkout pages of e-commerce
websites to exfiltrate data on thousands of customers.
https://www.scmagazine.com/perspectives/12-checklist-items-for-defeating-magecart-attacks/
Privacy concerns prompt Irish regulators to ask Facebook to stop
sending EU user data to the US - Facebook says that Irish regulators
believe current user data exchange methods between the US and EU
"cannot in practice be used," leading to an inquiry into the data
transfer practices employed by the company.
https://www.zdnet.com/article/irish-regulators-demand-facebook-stops-sending-european-user-data-to-the-us/
History shows, transparency can ease the fallout from a cyberattack
- Cybersecurity firms have a responsibility to keep their clients
safe from digital attacks. But when they end up the victims, they
potentially risk losing credibility with these customers, especially
if their operations are disrupted.
https://www.scmagazine.com/home/security-news/ransomware/attacks-on-cyber-firms-are-embarrassing-but-transparency-can-ease-the-fallout/
Five tips for controlling insider threats during the work-from-home
era - The internet was rocked by a very public breach on Twitter
during July in which dozens of celebrity accounts were compromised.
https://www.scmagazine.com/perspectives/five-tips-for-controlling-insider-threats-during-the-work-from-home-era/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Ransomware Attacks Disrupt School Reopenings - A flurry of recent
attacks is complicating attempts to deliver classes online at some
schools in different parts of the country. School reopenings -
already bogged down by concerns over the COVID-19 pandemic - are
being further complicated by targeted ransomware and
denial-of-service attacks.
https://www.darkreading.com/attacks-breaches/ransomware-attacks-disrupt-school-reopenings/d/d-id/1338877
Netwalker ransomware hits Pakistan's largest private power utility -
K-Electric, the sole electricity provider for Karachi, Pakistan, has
suffered a Netwalker ransomware attack that led to the disruption of
billing and online services.
https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/
Phishing attack targeted top financial pro at large company -
Attackers using a novel credential phishing attack that leverages
Active Directory to verify a victim’s password and gain access to an
Office 365 account targeted a top financial person in a division of
a large American corporation.
https://www.scmagazine.com/home/security-news/phishing-attack-targeted-top-financial-pro-at-large-company/
Magecart Attack Impacts More Than 10K Online Shoppers - Close to
2,000 e-commerce sites were infected over the weekend with a
payment-card skimmer, maybe the result of a zero-day exploit.
https://threatpost.com/magecart-campaign-10k-online-shoppers/159216/
Postal Service left vulnerable IT applications unaddressed for
years, inspector general finds - Officials at the U.S. Postal
Service let multiple vulnerable applications languish on the
agency’s IT network for years - flaws that could have been exploited
by hackers to steal sensitive data, an inspector general audit has
found.
https://www.cyberscoop.com/postal-service-inspector-general-cyber-vulnerabilities/
VA hit by data breach impacting 46,000 veterans - The Department of
Veterans Affairs (VA) announced Monday that the personal information
of around 46,000 veterans was accessed in a recent data breach.
https://thehill.com/policy/cybersecurity/516331-veterans-affairs-hit-by-data-breach-impacting-46000-veterans
Virginia's Largest School System Hit With Ransomware - Fairfax
County Public Schools (FCPS), the largest school system in Virginia,
is investigating a cyberattack on its technology systems. Ransomware
group Maze has claimed responsibility.
https://www.darkreading.com/attacks-breaches/virginias-largest-school-system-hit-with-ransomware/d/d-id/1338906
US staffing firm Artech discloses ransomware attack, data breach -
Artech Information Systems, one of the largest US IT staffing
companies, has disclosed a data breach caused by a ransomware attack
that affected some of its systems during early January 2020.
https://www.bleepingcomputer.com/news/security/us-staffing-firm-artech-discloses-ransomware-attack-data-breach/
Sorry we shut you out, says Tutanota: Encrypted email service
weathers latest of ongoing DDoS storms - Encrypted email biz
Tutanota has apologised for accidentally shutting its own users out
while fending off the latest of a series of distributed
denial-of-service (DDoS) attacks.
https://www.theregister.com/2020/09/14/tutanota_ddos_storms_ongoing/
WEB SITE COMPLIANCE - This week continues our series on the
FDIC's Supervisory Policy on Identity Theft. (Part 5 of 6)
Consumer Education
The FDIC believes that consumers have an important role to play
in protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposium series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't
Be an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
FFIEC IT SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
SECURITY MEASURES
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric key system (also known as a secret key
system, or in older texts a private key system; that older term is
not to be confused with the private key of a key pair described
below), all parties share the same key. That key is used both to
encrypt and to decrypt messages, and must be kept secret or the
security is compromised. For the parties to get the same key, there
has to be a way to securely distribute the key to each party. While
this can be done, the controls needed to hand a secret key to every
correspondent in advance make a purely symmetric system impractical
for widespread and commercial use on an open network like the
Internet. Asymmetric key systems solve this key-distribution problem.
In practice the two are combined: the asymmetric system is used to
transport or agree on a symmetric session key, and the symmetric
system, which is far faster, then protects the bulk of the data.
In an asymmetric key system (also known as a public key system),
two mathematically related keys are used. One key is kept secret,
and therefore is referred to as the "private key." The other key is
made widely available to anyone who wants it, and is referred to as
the "public key." Information encrypted with the public key can be
decrypted only with the corresponding private key, so anyone can
send a confidential message to the key holder without first sharing
a secret. Conversely, a value transformed with the private key can
be checked by anyone holding the public key; this is the basis of a
digital signature, in which the sender applies the private key to a
hash of the message and the recipient verifies the result with the
sender's public key. Because the private key is specific to one
party or computer system, a message whose signature verifies under
that party's public key is authenticated as coming from the private
key holder, provided the private key has not been compromised. The
security of the system rests on it being computationally
infeasible, not mathematically impossible, for the holder of a
public key to derive the private key from it; the work required
grows with the key size, which is why key length matters. The keys
can be stored either on a computer or on a physically separate
medium such as a smart card or other hardware token.
Regardless of the key system utilized, physical and logical
controls must exist to protect the confidentiality of, and access
to, the key(s). In addition, the key itself must be strong enough
for the intended application. The appropriate key strength may vary
depending on how sensitive the transmitted or stored data is, with
stronger keys utilized for highly confidential or sensitive data.
Stronger encryption may also be necessary to protect data that sits
in an open environment, such as on a Web server, for long periods,
since an attacker has that much longer to work on it. Within a
given algorithm, key length sets the strength: the longer the key,
the more work it takes for high-speed computers to break the code.
Lengths are not comparable across algorithms, however; NIST rates a
128-bit AES key as roughly equivalent to a 3072-bit RSA key, and no
key length rescues a weak or broken algorithm.
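The relationships the FDIC text describes (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key; distribute a symmetric session key under a public key; and why key size matters) can be seen in running code. The following is an added example written for this newsletter, not FDIC or Yennik material. It uses textbook RSA with the classic toy parameters p=61, q=53, e=17 and a SHA-256-based stream cipher so that it runs on the Python standard library alone; the function names, the sample message and the hash-mod-n signature scheme are this example's own simplifications. The modulus is deliberately tiny so that the last function can recover the private key by trial division, which is exactly what a real key size must make infeasible.

```python
"""Toy symmetric/asymmetric key demo (added example, not FDIC material).

Textbook RSA with deliberately breakable primes plus a SHA-256 keystream.
Nothing here is fit for real data: the modulus factors instantly and
textbook RSA without padding is insecure in practice.
"""
import hashlib
import math
import secrets


def make_keypair(p=61, q=53, e=17):
    """Return (public, private) as (n, exponent) tuples. Toy primes assumed."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, x):
    """Raise x to the key's exponent mod n; works for either half of the pair."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(x, exp, n)


# --- Symmetric side: a hash-based stream cipher keyed by a shared secret ---
def keystream(key_bytes, length):
    """Derive `length` bytes of keystream as SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key_bytes, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key_bytes, len(data))))


# --- Hybrid: public key transports the session key, symmetric key carries data ---
def encrypt_for(recipient_pub, plaintext):
    n, _ = recipient_pub
    session_key = secrets.randbelow(n - 2) + 2      # random integer in 2..n-1
    wrapped_key = rsa_apply(recipient_pub, session_key)   # only the private key opens this
    ciphertext = sym_crypt(session_key.to_bytes(4, "big"), plaintext)
    return wrapped_key, ciphertext


def decrypt_with(recipient_priv, wrapped_key, ciphertext):
    session_key = rsa_apply(recipient_priv, wrapped_key)
    return sym_crypt(session_key.to_bytes(4, "big"), ciphertext)


# --- Signature: private key applied to a hash, public key checks it ---
def _digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message):
    return rsa_apply(priv, _digest_mod_n(message, priv[0]))


def verify(pub, message, signature):
    return rsa_apply(pub, signature) == _digest_mod_n(message, pub[0])


# --- Why key size matters: recover the private key from a tiny public key ---
def break_private_key(pub):
    """Factor n by trial division and rebuild d. Instant here, infeasible for 2048-bit n."""
    n, e = pub
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return n, pow(e, -1, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"wire transfer 12345 approved"        # constructed sample message
    wrapped, ct = encrypt_for(pub, msg)
    print("decrypts:", decrypt_with(priv, wrapped, ct) == msg)
    sig = sign(priv, msg)
    print("signature verifies:", verify(pub, msg, sig))
    print("private key recovered from public key:", break_private_key(pub) == priv)
```

Run as a script it prints three True values. The last one is the point of the FDIC's key-strength paragraph: with n=3233 the "private" key is public in all but name, and only a modulus far too large to factor turns the same mathematics into a secure system.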
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.5.3 Training
All personnel should be trained in their contingency-related
duties. New personnel should be trained as they join the
organization, refresher training may be needed, and personnel will
need to practice their skills.
Training is particularly important for effective employee response
during emergencies. There is no time to check a manual to determine
correct procedures if there is a fire. Depending on the nature of
the emergency, there may or may not be time to protect equipment and
other assets. Practice is necessary in order to react correctly,
especially when human safety is involved.
11.6 Step 6: Testing and Revising
A contingency plan should be tested periodically because there
will undoubtedly be flaws in the plan and in its implementation. The
plan will become dated as time passes and as the resources used to
support critical functions change. Responsibility for keeping the
contingency plan current should be specifically assigned. The extent
and frequency of testing will vary between organizations and among
systems. There are several types of testing, including reviews,
analyses, and simulations of disasters.
Contingency plan maintenance can be incorporated into procedures
for change management so that upgrades to hardware and software are
reflected in the plan.
A review can be a simple test to check the accuracy of contingency
plan documentation. For instance, a reviewer could check if
individuals listed are still in the organization and still have the
responsibilities that caused them to be included in the plan. This
test can check home and work telephone numbers, organizational
codes, and building and room numbers. The review can determine if
files can be restored from backup tapes or if employees know
emergency procedures.
An analysis may be performed on the entire plan or portions of it,
such as emergency response procedures. It is beneficial if the
analysis is performed by someone who did not help develop the
contingency plan but has a good working knowledge of the critical
function and supporting resources. The analyst(s) may mentally
follow the strategies in the contingency plan, looking for flaws in
the logic or process used by the plan's developers. The analyst may
also interview functional managers, resource managers, and their
staff to uncover missing or unworkable pieces of the plan.
Organizations may also arrange disaster simulations. These tests
provide valuable information about flaws in the contingency plan and
provide practice for a real emergency. While they can be expensive,
these tests can also provide critical information that can be used
to ensure the continuity of important functions. In general, the
more critical the functions and the resources addressed in the
contingency plan, the more cost-beneficial it is to perform a
disaster simulation.
The results of a "test" often imply a grade assigned for a
specific level of performance, or simply pass or fail. However, in
the case of contingency planning, a test should be used to improve
the plan. If organizations do not use this approach, flaws in the
plan may remain hidden and uncorrected.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.