September 27, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - The Interior Department OIG clearly had some fun hacking the agency's Wi-Fi networks - While multibillion-dollar companies hire expensive outside experts to conduct elaborate mock-raids on their networks, federal agencies tend to rely on their inspectors general for that.
https://www.cyberscoop.com/interior-department-inspector-general-wireless-hacking/
Policy compliance: one size does not fit all - How do we get our brains around the arcane topic of policy compliance? Security pros define compliance as adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct.
https://www.scmagazine.com/perspectives/policy-compliance-one-size-does-not-fit-all/
Security teams strain to complete compliance audits under COVID -
COVID-19 may have slowed down business, but it hasn’t slowed down
time. Meeting the deadlines to demonstrate compliance with
cybersecurity regulations and certification standards under pandemic
conditions is proving to be a challenge for some companies.
https://www.scmagazine.com/home/security-news/privacy-compliance/security-teams-strain-to-complete-compliance-audits-under-covid/
FERC, NERC Conduct Study on Cyber Incident Response at Electric
Utilities - The U.S. Federal Energy Regulatory Commission (FERC) and
the North American Electricity Reliability Corporation (NERC) last
week released a report outlining cyber incident response and
recovery best practices for electric utilities.
https://www.securityweek.com/ferc-nerc-conduct-study-cyber-incident-response-electric-utilities
US govt orders federal agencies to patch dangerous Zerologon bug by
Monday - DHS CISA tells government agencies to patch Zerologon bug
by Monday, citing "unacceptable risk" posed to federal networks. The
Department of Homeland Security's cybersecurity division has ordered
federal civilian agencies to install a security patch for Windows
Servers, citing "unacceptable risk" posed by the vulnerability to
federal networks.
https://www.zdnet.com/article/us-govt-orders-federal-agencies-to-patch-dangerous-zerologon-bug-by-monday/
NSA Issues Cybersecurity Guidance for Remote Workers, System Admins
- The National Security Agency (NSA) has published two cybersecurity
information sheets (CSIs) with recommendations for National Security
System (NSS) and Department of Defense (DoD) workers and system
administrators on securing networks and responding to incidents
during the work-from-home period.
https://www.securityweek.com/nsa-issues-cybersecurity-guidance-remote-workers-system-admins
Lessons from the ransomware death: Prioritize cyber emergency preparedness - The death of a woman at least in part because of a ransomware attack has placed security teams on high alert: put in place adequate training for the workforce and ensure network redundancy, or else risk similar tragedy and even potential liability.
https://www.scmagazine.com/home/security-news/ransomware/lessons-from-the-ransomware-death-cyber-emergency-preparedness-critical/
Three strategies to defend remote workers from cyberattacks - The
COVID-19 pandemic has accelerated digital transformation with remote
workers going from 20 percent to more than 80 percent of the
employed population.
https://www.scmagazine.com/perspectives/three-strategies-to-defend-remote-work-from-cyberattacks/
Supply chain weak security link for 92 percent of U.S. companies -
The devastating Target breach – the result of an earlier attack on
the retail giant’s HVAC vendor – wasn’t an anomaly. New research
from BlueVoyant found that 92 percent of U.S. organizations suffered
a breach in the past 12 months as a result of weakness in their
supply chain.
https://www.scmagazine.com/home/security-news/supply-chain-weak-security-link-for-92-percent-of-u-s-companies/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - First death reported following a ransomware attack on a German hospital - Death occurred after a patient was diverted to a nearby hospital after the Duesseldorf University Hospital suffered a ransomware attack.
https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/
GCHQ agency 'strongly urges' Brit universities, colleges to protect
themselves after spike in ransomware infections - GCHQ offshoot the
National Cyber Security Centre has warned Further and Higher
Education institutions in the UK to be on their guard against
ransomware attacks as the new academic year (sort of) gets under
way.
https://www.theregister.com/2020/09/17/ncsc_education_ransomware_warning/
California Elementary Kids Kicked Off Online Learning by Ransomware
- The attack on the Newhall District in Valencia is part of a wave
of ransomware attacks on the education sector, which shows no sign
of dissipating.
https://threatpost.com/california-elementary-kids-online-learning-ransomware/159319/
Jekyll Island Authority Targeted by Ransomware Attack - The Georgia
entity in charge of the stewardship of Jekyll Island was targeted by
a ransomware attack last week. Officials reported that the
cyberattack was isolated and systems were restored.
https://www.govtech.com/security/Jekyll-Island-Authority-Targeted-by-Ransomware-Attack.html
Details of 540,000 sports referees taken in failed ransomware attack
- A company that provides software for sports leagues to manage
referees and game officials has disclosed a security incident that
impacted around 540,000 of its registered members — consisting of
referees, league officials, and school representatives.
https://www.zdnet.com/article/details-of-540000-sports-referees-taken-in-failed-ransomware-attack/
Shopify breach: Help center employees are a unique breed of insider
threat - A data breach at Shopify perpetrated by two “rogue
employees” who worked on the e-commerce platform’s support team
illustrates how certain roles within an organization may require
more stringent monitoring.
https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/
Leaked FinCEN files expose poor data security - Leaked documents,
dubbed the “FinCEN Files,” describe global money laundering of $2
trillion processed by many of the world’s biggest banks between 2000
and 2017. The reveal illuminates the struggle for the financial
industry and government to provide ironclad data protection.
https://www.scmagazine.com/home/security-news/leaked-fincen-files-expose-poor-data-security/
WEB SITE COMPLIANCE - This week concludes our series on the FDIC's Supervisory Policy on Identity Theft. (Part 6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing
obligation to protect the privacy of customers' nonpublic personal
information. Despite generally strong controls and practices by
financial institutions, methods for stealing personal data and
committing fraud with that data are continuously evolving. The FDIC
treats the theft of personal financial information as a significant
risk area due to its potential to impact the safety and soundness of
an institution, harm consumers, and undermine confidence in the
banking system and economy. The FDIC believes that its collaborative
efforts with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Digital Signatures
Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
cryptographic keys.
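The hash-then-sign flow described above, worked through in Go as an added illustration (this is not part of the FDIC text). It assumes SHA-256 as the hash and RSA PKCS#1 v1.5 as the step the text calls "encrypting the message digest with a private key"; the key pairs and messages are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateSigningKey creates a sender key pair. The private key is the asset
// to protect: as the text notes, the strength of the system rests on its
// implementation and on key management, not on the algorithm alone.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignMessage runs the message through SHA-256 (the "hash" step) and signs the
// resulting digest with the private key. Only the digest is signed; the
// signature travels alongside the still-readable message.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest over the received message and checks it
// against the signed digest using the sender's public key. It returns true
// only if the message is unaltered and was signed by the matching private key.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	sender, _ := GenerateSigningKey()
	impostor, _ := GenerateSigningKey()
	// Constructed sample messages; the second differs by a single character.
	msg := []byte("Wire 10,000 USD to account 1234")
	altered := []byte("Wire 90,000 USD to account 1234")
	sig, _ := SignMessage(sender, msg)

	fmt.Println("genuine message, sender key:", VerifyMessage(&sender.PublicKey, msg, sig))
	fmt.Println("altered message, sender key:", VerifyMessage(&sender.PublicKey, altered, sig))
	fmt.Println("genuine message, wrong key: ", VerifyMessage(&impostor.PublicKey, msg, sig))
}
```

The three checks correspond to the three properties in the text: integrity (an altered message fails), sender binding (a signature does not verify under another party's key), and non-reuse (the same signature cannot be attached to a different message).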
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
11.7 Interdependencies
Since all controls help to prevent contingencies, there is an
interdependency with all of the controls in the handbook.
Risk Management provides a tool for analyzing the security
costs and benefits of various contingency planning options. In
addition, a risk management effort can be used to help identify
critical resources needed to support the organization and the likely
threat to those resources. It is not necessary, however, to perform
a risk assessment prior to contingency planning, since the
identification of critical resources can be performed during the
contingency planning process itself.
Physical and Environmental Controls help prevent
contingencies. Although many of the other controls, such as logical
access controls, also prevent contingencies, the major threats that
a contingency plan addresses are physical and environmental threats,
such as fires, loss of power, plumbing breaks, or natural disasters.
Incident Handling can be viewed as a subset of contingency
planning. It is the emergency response capability for various
technical threats. Incident handling can also help an organization
prevent future incidents.
Support and Operations in most organizations includes the
periodic backing up of files. It also includes the prevention and
recovery from more common contingencies, such as a disk failure or
corrupted data files.
Policy is needed to create and document the organization's
approach to contingency planning. The policy should explicitly
assign responsibilities.
11.8 Cost Considerations
The cost of developing and implementing contingency planning
strategies can be significant, especially if the strategy includes
contracts for backup services or duplicate equipment. There are too
many options to discuss cost considerations for each type.
One contingency cost that is often overlooked is the cost of
testing a plan. Testing provides many benefits and should be
performed, although some of the less expensive methods (such as a
review) may be sufficient for less critical resources.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.