R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

September 26, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

FYI - OCC Issues Cease and Desist Order Against MUFG Union Bank for Deficiencies Relating to Technology and Operational Risk Governance - The OCC took this action based on the bank’s unsafe or unsound practices regarding technology and operational risk management and the bank’s noncompliance with the Interagency Guidelines Establishing Information Security Standards contained in Appendix B to 12 CFR Part 30. https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-100.html

Health app developers be warned: FTC ready to hand down fines for failure to report breaches - The Federal Trade Commission is reminding developers and vendors of health apps and connected devices that collect consumer health data of its Health Breach Notification Rule, which requires those entities to report any breaches of consumer health information to the FTC. https://www.scmagazine.com/analysis/application-security/health-app-developers-be-warned-ftc-ready-to-hand-down-fines-for-failure-to-report-breaches 

You Can Now Ditch the Password on Your Microsoft Account - THOUGH A COMPLETELY passwordless future is still a ways off, you'll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone. https://www.wired.com/story/passwordless-microsoft-account/

Researchers compile list of vulnerabilities abused by ransomware gangs - Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks. https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - DOJ fines NSA hackers who assisted UAE in attacks on dissidents - Three former US intelligence operatives will pay a total of $1,685,000 after creating multiple smartphone exploits that were used to target opponents of the UAE government. The Justice Department announced a controversial deal with three former US intelligence operatives that allows them to pay a fine after breaking multiple laws through their offensive hacking for the repressive government of the United Arab Emirates. https://www.zdnet.com/article/doj-fines-nsa-hackers-who-assisted-uae-in-attacks-on-dissidents/

Ransomware encrypts South Africa's entire Dept of Justice network - The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public. https://www.bleepingcomputer.com/news/security/ransomware-encrypts-south-africas-entire-dept-of-justice-network/

180K patients affected by USV Optical systems hack, health data theft - USV Optical notified 180,000 patients and employees that their health information was accessed and potentially stolen during a near monthlong systems hack in April and May 2021. https://www.scmagazine.com/analysis/breach/180k-patients-affected-by-usv-optical-systems-hack-health-data-theft

Thousands of sensitive event records potentially leaked via misconfigured EventBuilder app - Researchers on Monday reported that a misconfiguration caused thousands of personal records to leak of people who registered for events on Microsoft Teams via the EventBuilder event management application. https://www.scmagazine.com/news/application-security/thousands-of-sensitive-event-records-potentially-leaked-via-misconfigured-eventbuilder-app

Ransomware gang strikes Iowa agriculture business New Cooperative, the latest hack on food supply chain - The BlackMatter ransomware gang has struck an Iowa agricultural business, New Cooperative, and is demanding a $5.9 million ransom. https://www.cyberscoop.com/blackmatter-new-cooperative-ransomware-iowa/

Customer Care Giant TTEC Hit By Ransomware - TTEC, a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack, KrebsOnSecurity has learned. https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/



WEB SITE COMPLIANCE - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
   
   Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.
   
   Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.
   
   Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.
   
   Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
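The gateway strategy described above, as an added example in Go (this is illustrative code written for this newsletter, not a product or a FFIEC artifact). It applies the coarse rule first (a constructed deny list of executable extensions) and then the refined rule the paragraph mentions: it looks at the leading bytes of the content, so an executable renamed to look like a PDF is still blocked. The extension list and the sample attachments are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions the gateway refuses outright (constructed deny list; a real
// policy is tuned to what the institution's users legitimately exchange).
var blockedExtensions = map[string]bool{
	".exe": true, ".com": true, ".scr": true, ".pif": true, ".bat": true, ".cmd": true,
	".vbs": true, ".js": true, ".jar": true, ".class": true, ".msi": true, ".dll": true,
}

// Leading bytes that identify executable formats regardless of file name.
var executableMagic = []struct {
	name  string
	magic []byte
}{
	{"Windows PE executable", []byte("MZ")},
	{"ELF executable", []byte{0x7f, 'E', 'L', 'F'}},
	{"Java class file", []byte{0xCA, 0xFE, 0xBA, 0xBE}},
}

// blockAttachment reports whether the attachment should be dropped and why.
// The extension check is the general strategy; the content check is the refined
// one, catching executables that were renamed to slip past the first rule.
func blockAttachment(filename string, content []byte) (bool, string) {
	ext := strings.ToLower(path.Ext(filename))
	if blockedExtensions[ext] {
		return true, fmt.Sprintf("extension %q is not allowed", ext)
	}
	for _, m := range executableMagic {
		if bytes.HasPrefix(content, m.magic) {
			return true, fmt.Sprintf("content is a %s despite the name %q", m.name, filename)
		}
	}
	return false, ""
}

func main() {
	// Constructed sample attachments (only the first bytes matter here).
	samples := []struct {
		name    string
		content []byte
	}{
		{"report.exe", []byte("MZ\x90\x00...")},
		{"invoice.pdf", []byte("MZ\x90\x00...")}, // executable renamed to .pdf
		{"statement.pdf", []byte("%PDF-1.4 ...")},
	}
	for _, s := range samples {
		blocked, why := blockAttachment(s.name, s.content)
		fmt.Printf("%-14s blocked=%-5v %s\n", s.name, blocked, why)
	}
}
```

Magic-byte checks only cover the formats listed; archives and macro-enabled documents need their own rules, which is why the text treats gateway blocking as one layer rather than a complete control.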
   
   Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
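The filtering the paragraph describes, as an added Go example (written for this newsletter, not code from the FFIEC booklet). Each field of a constructed funds-transfer form has an allow-list pattern for the shape the application expects; anything else is rejected rather than cleaned up, so stray characters never reach a query or command built from the form. The field names and patterns are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allow-list patterns for a constructed transfer form: each field accepts only
// the exact shape the application expects, nothing more.
var (
	accountRe = regexp.MustCompile(`^[0-9]{8,12}$`)
	amountRe  = regexp.MustCompile(`^[0-9]{1,7}(\.[0-9]{2})?$`)
	memoRe    = regexp.MustCompile(`^[A-Za-z0-9 .,-]{0,40}$`)
)

// validateTransferForm returns one message per field that fails its allow-list.
// An empty result means every field matched and the request may proceed.
func validateTransferForm(form map[string]string) []string {
	var problems []string
	check := func(field string, re *regexp.Regexp, required bool) {
		v, present := form[field]
		if !present || v == "" {
			if required {
				problems = append(problems, fmt.Sprintf("%s: required", field))
			}
			return
		}
		if !re.MatchString(v) {
			problems = append(problems, fmt.Sprintf("%s: unexpected characters or length", field))
		}
	}
	check("from_account", accountRe, true)
	check("to_account", accountRe, true)
	check("amount", amountRe, true)
	check("memo", memoRe, false)
	return problems
}

func main() {
	// Constructed submissions: one well-formed, one carrying a quote character,
	// a non-decimal amount and markup in the memo.
	good := map[string]string{"from_account": "1234567890", "to_account": "0987654321", "amount": "100.00", "memo": "Rent, Sept."}
	bad := map[string]string{"from_account": "1234567890", "to_account": "09876'54321", "amount": "1e9", "memo": "<script>"}
	fmt.Println("good:", validateTransferForm(good)) // []
	fmt.Println("bad:", validateTransferForm(bad))   // three problems
}
```

The point of allow-listing is that the validator never has to know what an attack looks like; it only has to know what a legitimate account number, amount and memo look like.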
   
   Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."
   
   Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.
   
   An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when it recognizes abnormal system behavior, the presence of unexpected files, and changes to other files.
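The file-oriented part of host intrusion detection (unexpected files and changes to existing files), as an added Go example written for this newsletter rather than taken from any product. A baseline of SHA-256 hashes is taken from a known-good set of files and later compared against a fresh snapshot; the paths and contents are constructed in-memory so the example runs offline, where a real monitor would walk the disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// IntegrityReport is what a host-based detector would raise as alerts.
type IntegrityReport struct {
	Modified []string // content changed since the baseline
	Added    []string // files that were not in the baseline
	Missing  []string // baseline files that disappeared
}

func (r IntegrityReport) Alerts() bool {
	return len(r.Modified)+len(r.Added)+len(r.Missing) > 0
}

func (r IntegrityReport) String() string {
	return fmt.Sprintf("modified=%v added=%v missing=%v", r.Modified, r.Added, r.Missing)
}

// snapshot maps each path to the SHA-256 of its content.
func snapshot(files map[string][]byte) map[string]string {
	out := make(map[string]string, len(files))
	for p, content := range files {
		sum := sha256.Sum256(content)
		out[p] = hex.EncodeToString(sum[:])
	}
	return out
}

// compare diffs a fresh snapshot against the stored baseline.
func compare(baseline, current map[string]string) IntegrityReport {
	var r IntegrityReport
	for p, h := range baseline {
		cur, ok := current[p]
		switch {
		case !ok:
			r.Missing = append(r.Missing, p)
		case cur != h:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Missing)
	return r
}

// Constructed file sets: the known-good state and a later state in which one
// file was altered, one unexpected file appeared and one file was removed.
func sampleBaseline() map[string][]byte {
	return map[string][]byte{
		"/usr/bin/ls":      []byte("original ls binary"),
		"/etc/passwd":      []byte("root:x:0:0:root:/root:/bin/sh\n"),
		"/var/www/app.cgi": []byte("#!/bin/sh\necho ok\n"),
	}
}

func sampleLater() map[string][]byte {
	return map[string][]byte{
		"/usr/bin/ls":     []byte("original ls binary"),
		"/etc/passwd":     []byte("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n"), // modified
		"/tmp/.hidden.so": []byte("unexpected file"),                                         // added
		// /var/www/app.cgi is gone
	}
}

func main() {
	report := compare(snapshot(sampleBaseline()), snapshot(sampleLater()))
	fmt.Println("alert:", report.Alerts(), report)
}
```

The baseline itself must be stored where the monitored host cannot rewrite it; otherwise whatever altered the files can also alter the hashes it is compared against.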



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   
   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
   
   AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
   
   The certificate authority (CA), which may be the financial institution or its service provider, plays a key role by attesting with a digital certificate that a particular public key and the corresponding private key belong to a specific user or system. It is important when issuing a digital certificate that the registration process for initially verifying the identity of users is adequately controlled. The CA attests to the individual user's identity by signing the digital certificate with its own private key, known as the root key. Each time the user establishes a communication link with the financial institution's systems, a digital signature is transmitted with a digital certificate. These electronic credentials enable the institution to determine that the digital certificate is valid, identify the individual as a user, and confirm that transactions entered into the institution's computer system were performed by that user.
   
   The user's private key exists electronically and is susceptible to being copied over a network as easily as any other electronic file. If it is lost or compromised, the user can no longer be assured that messages will remain private or that fraudulent or erroneous transactions would not be performed. User AUPs and training should emphasize the importance of safeguarding a private key and promptly reporting its compromise.
   
   PKI minimizes many of the vulnerabilities associated with passwords because it does not rely on shared secrets to authenticate customers, its electronic credentials are difficult to compromise, and user credentials cannot be stolen from a central server. The primary drawback of a PKI authentication system is that it is more complicated and costly to implement than user names and passwords. Whether the financial institution acts as its own CA or relies on a third party, the institution should ensure its certificate issuance and revocation policies and other controls discussed below are followed.
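The exchange the three paragraphs above describe, as an added Go example using only the standard library (written for this newsletter; not code from the FFIEC booklet or any institution). The institution's root key signs a certificate binding a user's public key to an identity; the user signs each transaction with the private key and sends the signature with the certificate; the institution checks that the certificate chains to its root and that the signature verifies under the certificate's key. Names, the sample transaction and the one-day validity periods are constructed for the example, and revocation checking (the next part of the series) is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a P-256 key pair. The user's private key is the file the
// text warns about: it must stay on the user's device.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// makeCert signs a template with the signer's private key and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA creates the institution's self-signed root certificate; its private
// key is the "root key" the text refers to.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return makeCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issueUserCert is the CA attesting, by signing with the root key, that userPub
// belongs to userID. Verifying that identity (registration) happens before this
// call and is the step the text says must be adequately controlled.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, userID string, userPub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: userID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return makeCert(tmpl, ca, userPub, caKey)
}

// signTransaction is the user's side of each exchange: sign the transaction
// with the private key; the signature travels together with the certificate.
func signTransaction(userKey *ecdsa.PrivateKey, tx []byte) []byte {
	h := sha256.Sum256(tx)
	sig, err := ecdsa.SignASN1(rand.Reader, userKey, h[:])
	must(err)
	return sig
}

// verifyTransaction is the institution's side: the certificate must chain to
// the trusted root (so the CA vouched for this key), and the signature must
// verify under the certificate's public key. It returns the attested identity.
func verifyTransaction(root, cert *x509.Certificate, tx, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type")
	}
	h := sha256.Sum256(tx)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("signature does not verify for this transaction")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	root, rootKey := newCA("Example Bank Root CA") // constructed name
	alice := newKey()
	cert := issueUserCert(root, rootKey, "alice", &alice.PublicKey)
	tx := []byte("transfer 100.00 from 1234567890 to 0987654321") // constructed
	sig := signTransaction(alice, tx)
	fmt.Println(verifyTransaction(root, cert, tx, sig))                        // alice <nil>
	fmt.Println(verifyTransaction(root, cert, []byte("transfer 900.00"), sig)) // "" and an error
}
```

Note that the institution never stores anything that would let it impersonate the user: it holds only the root certificate and the user's public certificate, which is why the text can say credentials cannot be stolen from a central server.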



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
  
  16.3 I&A Based on Something the User Is
   
  Biometric authentication technologies use the unique characteristics (or attributes) of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) or behavioral attributes (such as voice patterns and hand-written signatures). Biometric authentication technologies based upon these attributes have been developed for computer log-in applications.
  
  Biometric authentication is technically complex and expensive, and user acceptance can be difficult. However, advances continue to be made to make the technology more reliable, less costly, and more user-friendly.
  
  Biometric systems can provide an increased level of security for computer systems, but the technology is still less mature than that of memory tokens or smart tokens. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the somewhat variable nature of physical attributes. These may change, depending on various conditions. For example, a person's speech pattern may change under stressful conditions or when suffering from a sore throat or cold.
  
  Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security.
  
  Biometric authentication generally operates in the following manner:
  
  Before any authentication attempts, a user is "enrolled" by creating a reference profile (or template) based on the desired physical attribute. The resulting template is associated with the identity of the user and stored for later use.
  
  When attempting authentication, the user's biometric attribute is measured. The previously stored reference profile of the biometric attribute is compared with the measured profile of the attribute taken from the user. The result of the comparison is then used to either accept or reject the user.
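The enroll-then-compare procedure just described, as an added Go example written for this newsletter (not from the NIST Handbook). Feature vectors stand in for a measured attribute; the template is the mean of several enrollment measurements, a fresh measurement is scored by its distance from the template, and an acceptance threshold decides the outcome. The numbers are constructed; the point they illustrate is the variability the text mentions: the same user measured on a bad day falls outside a tight threshold but inside a looser one, while a looser threshold is what lets an impostor closer.

```go
package main

import (
	"fmt"
	"math"
)

// Template is the stored reference profile: the mean of several enrollment
// measurements of one attribute (constructed numbers here; a real system
// extracts them from a fingerprint, hand geometry or voice sample).
type Template struct {
	UserID   string
	Features []float64
}

// enroll builds the template from repeated measurements of the same user.
func enroll(userID string, samples [][]float64) Template {
	mean := make([]float64, len(samples[0]))
	for _, s := range samples {
		for i, v := range s {
			mean[i] += v / float64(len(samples))
		}
	}
	return Template{UserID: userID, Features: mean}
}

// distance is the Euclidean distance between a fresh measurement and the template.
func distance(t Template, measured []float64) float64 {
	sum := 0.0
	for i, f := range t.Features {
		d := f - measured[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// authenticate accepts when the measurement lies within threshold of the
// template. The threshold is the tuning knob: tight, and a genuine user with a
// cold is rejected (false reject); loose, and an impostor may get in (false accept).
func authenticate(t Template, measured []float64, threshold float64) (bool, float64) {
	d := distance(t, measured)
	return d <= threshold, d
}

func describe(t Template, measured []float64, threshold float64) string {
	ok, d := authenticate(t, measured, threshold)
	return fmt.Sprintf("user=%s distance=%.3f threshold=%.2f accepted=%v", t.UserID, d, threshold, ok)
}

func main() {
	// Constructed enrollment: three measurements of the same attribute.
	alice := enroll("alice", [][]float64{{1.0, 2.0, 3.0}, {1.2, 1.8, 3.1}, {0.8, 2.2, 2.9}})
	fmt.Println(describe(alice, []float64{1.1, 2.1, 2.9}, 0.5)) // normal day: accepted
	fmt.Println(describe(alice, []float64{1.5, 2.6, 3.4}, 0.5)) // sore throat: rejected
	fmt.Println(describe(alice, []float64{1.5, 2.6, 3.4}, 1.0)) // looser threshold: accepted
	fmt.Println(describe(alice, []float64{3.0, 1.0, 5.0}, 1.0)) // impostor: rejected
}
```

Because the template is the reference the whole scheme depends on, it needs the same protection as a password database: a copied template can be replayed, and unlike a password the underlying attribute cannot be changed.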


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.