R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

September 29, 2024

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Bank regulatory FFIEC IT audits - I perform annual IT audits required by the regulatory agencies for banks and credit unions. I am a former bank examiner with over 30 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.

MISCELLANEOUS CYBERSECURITY NEWS:

Only 1/3 of businesses have 24/7 security coverage, survey finds - Nearly two-thirds of organizations lack 24/7 cybersecurity coverage throughout the year due to staffing shortages. https://www.scmagazine.com/news/only-1-3-of-businesses-have-24-7-security-coverage-survey-finds

Five question confidence test for CISOs - For most organizations, cyberthreats are too imposing to get bogged down in low-impact exercises. Mandiant’s founder advises executives to look for a security mindset above all else. https://www.cybersecuritydive.com/news/kevin-mandia-ciso-confidence-test/727599/

New NIST program focuses on AI cybersecurity and privacy - The U.S. National Institute of Standards and Technology (NIST) has launched a new program to address the role of AI in cybersecurity and privacy. https://www.scworld.com/news/new-nist-program-focuses-on-ai-cybersecurity-and-privacy

GAO - Challenges in supply chain risk management, testing, contingency planning, and cyber information sharing make it more difficult to mitigate cybersecurity risks to IT systems. GAO’s work in these areas highlights the need to mitigate them. https://www.gao.gov/products/gao-24-107733

Major companies keep hiring North Korean IT workers - Dozens of Fortune 100 organizations have inadvertently hired workers from North Korea applying for remote jobs, Mandiant said. https://www.cybersecuritydive.com/news/north-korea-it-workers-insider-threat/727892/

Kaspersky automatically installs UltraAV, deletes itself on US machines - Kaspersky security software has begun automatically installing UltraAV on nearly 1 million machines in the United States and deleting itself after U.S. officials banned sales of software from the Russia-based company in June. https://www.scworld.com/news/kaspersky-automatically-installs-ultraav-deletes-itself-on-us-machines

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Attackers exploit second Ivanti Cloud Service Appliance flaw for more access - Hackers are exploiting the vulnerability in tandem with a previously disclosed CVE, to bypass authentication measures and take control of an affected system. https://www.cybersecuritydive.com/news/ivanti-critical-cves-exploits/727632/

Hackers breaching construction firms via specialized accounting software - Firms in the construction industry are getting breached by hackers via internet-exposed servers running Foundation accounting software, Huntress researchers are warning. https://www.helpnetsecurity.com/2024/09/18/hackers-breaching-construction-firms/

AT&T settles a 2023 data breach for $13M. Recent incidents are much worse. - Telecom cybersecurity remains a challenge with widespread impacts. AT&T is not alone in experiencing a pattern of extensive breaches exposing customer data. https://www.cybersecuritydive.com/news/att-telecom-cybersecurity-breach-fcc/727355/

Suffolk County ransomware attack linked to lack of planning, ignored warnings - A special report blames county officials for ignoring FBI warnings during the 2022 attack and an overall failure of IT and security leadership. https://www.cybersecuritydive.com/news/suffolk-county-ignored-threat-warnings/727352/

Port of Seattle officials pin attack, data theft to Rhysida ransomware group - The port restored most of the systems impacted by the ransomware attack as officials warn their refusal to pay extortion demand could result in data leaks. https://www.cybersecuritydive.com/news/seattle-port-ransomware-attack/727098/

Cyberattack on Kansas water treatment facility investigated by feds - Officials from the FBI and Department of Homeland Security are reportedly investigating a cyberattack on the water treatment facility in the city of Arkansas City, Kansas, roughly an hour drive south of Wichita. https://www.scworld.com/news/cyberattack-on-kansas-water-treatment-facility-investigated-by-feds


WEB SITE COMPLIANCE - We conclude the series on FDIC Supervisory Insights regarding Incident Response Programs.  (12 of 12)

What the Future Holds

In addition to meeting regulatory requirements and addressing applicable industry best practices, several characteristics tend to differentiate banks. The most successful banks will find a way to integrate incident response planning into normal operations and business processes. Assimilation efforts may include expanding security awareness and training initiatives to reinforce incident response actions, revising business continuity plans to incorporate security incident responses, and implementing additional security monitoring systems and procedures to provide timely incident notification. Ultimately, the adequacy of a bank's IRP reflects on the condition of the information security program along with management's willingness and ability to manage information technology risks. In essence, incident response planning is a management process, the comprehensiveness and success of which provide insight into the quality and attentiveness of management. In this respect, the condition of a bank's IRP, and the results of examiner review of the incident response planning process, fit well within the objectives of the information technology examination as described in the Information Technology-Risk Management Program.

An IRP is a critical component of a well-formed and effective information security program and has the potential to provide tangible value and benefit to a bank. Similar to the importance of a business continuity planning program as it relates to the threat of natural and man-made disasters, sound IRPs will be necessary to combat new and existing data security threats facing the banking community. Given the high value placed on the confidential customer information held within the financial services industry, coupled with the publicized success of known compromises, one can reasonably assume that criminals will continue to probe an organization's defenses in search of weak points. The need for response programs is real and has been recognized as such by not only state and Federal regulatory agencies (through passage of a variety of legal requirements), but by the banking industry itself. The challenges each bank faces are to develop a reasonable IRP providing protections for the bank and the consumer and to incorporate the IRP into a comprehensive, enterprise-wide information security program. The most successful banks will exceed regulatory requirements to leverage the IRP for business advantages and, in turn, improved protection for the banking industry as a whole.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)

Financial institutions must control access to system software within the various network clients and servers as well as stand-alone systems. System software includes the operating system and system utilities. The computer operating system manages all of the other applications running on the computer. Common operating systems include IBM OS/400 and AIX, LINUX, various versions of Microsoft Windows, and Sun Solaris. Security administrators and IT auditors need to understand the common vulnerabilities and appropriate mitigation strategies for their operating systems. Application programs and data files interface through the operating system. System utilities are programs that perform repetitive functions such as creating, deleting, changing, or copying files. System utilities also could include numerous types of system management software that can supplement operating system functionality by supporting common system tasks such as security, system monitoring, or transaction processing.

System software can provide high-level access to data and data processing. Unauthorized access could result in significant financial and operational losses. Financial institutions must restrict privileged access to sensitive operating systems. While many operating systems have integrated access control software, third-party security software is available for most operating systems. In the case of many mainframe systems, these programs are essential to ensure effective access control and can often integrate the security management of both the operating system and the applications. Network security software can allow institutions to improve the effectiveness of the administration and security policy compliance for a large number of servers often spanning multiple operating system environments. The critical aspects for access control software, whether included in the operating system or additional security software, are that management has the capability to:

! Restrict access to sensitive or critical system resources or processes and have the capability, depending on the sensitivity, to extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters; and
! Filter logs for potential security events and provide adequate reporting and alerting capabilities.
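As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python sketch shows the three capabilities above working together: a field-level policy check that restricts access, a log of every access to a sensitive resource whether allowed or denied, and a filter that turns that log into reportable events. The policy table, resource names and the denial threshold are constructed assumptions, not values from any real product.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed policy (assumption): each principal maps to the (resource, field)
# pairs it may access; the field "*" grants every field of that resource.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "teller1": {("accounts.dat", "balance"), ("accounts.dat", "name")},
    "sysadmin": {("accounts.dat", "*"), ("/etc/shadow", "*")},
}
# Resources whose access is always logged, allowed or not (constructed list).
SENSITIVE: Set[str] = {"accounts.dat", "/etc/shadow", "/etc/sysctl.conf"}
DENIAL_THRESHOLD = 3  # repeated denials by one user are escalated (assumption)


class AccessMonitor:
    """Reference-monitor style check with logging and log filtering."""

    def __init__(self) -> None:
        # Each entry: (user, resource, field, "ALLOW" | "DENY")
        self.log: List[Tuple[str, str, str, str]] = []

    def request(self, user: str, resource: str, fld: str) -> bool:
        """Restrict: decide at field granularity. Log: record sensitive accesses."""
        grants = POLICY.get(user, set())
        allowed = (resource, fld) in grants or (resource, "*") in grants
        if resource in SENSITIVE:
            self.log.append((user, resource, fld, "ALLOW" if allowed else "DENY"))
        return allowed

    def alerts(self) -> List[str]:
        """Filter: reduce the raw log to security events worth reporting."""
        events: List[str] = []
        for user, resource, fld, result in self.log:
            if result == "DENY":
                events.append(f"denied: {user} -> {resource}:{fld}")
        denials = Counter(u for u, _, _, r in self.log if r == "DENY")
        for user, count in denials.items():
            if count >= DENIAL_THRESHOLD:
                events.append(f"escalate: {user} denied {count} times")
        return events


if __name__ == "__main__":
    m = AccessMonitor()
    m.request("teller1", "accounts.dat", "balance")   # allowed, logged
    m.request("teller1", "accounts.dat", "ssn")       # denied, logged
    m.request("teller1", "/etc/shadow", "*")          # denied, logged
    m.request("teller1", "/etc/shadow", "root")       # denied, logged
    m.request("sysadmin", "/etc/shadow", "*")         # allowed, logged
    m.request("nobody", "readme.txt", "*")            # denied, not sensitive
    print("\n".join(m.alerts()))
```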


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section III. Operational Controls - Chapter 10

10.5 Interdependencies

User issues are tied to topics throughout this handbook.

Training and Awareness is a critical part of addressing the user issues of computer security.

Identification and Authentication and Access Controls in a computer system can only prevent people from doing what the computer is instructed they are not allowed to do, as stipulated by Policy. The recognition by computer security experts that much more harm comes from people doing what they are allowed to do, but should not do, points to the importance of considering user issues in the computer security picture, and the importance of Auditing.

Policy, particularly its compliance component, is closely linked to personnel issues. A deterrent effect arises among users when they are aware that their misconduct, intentional or unintentional, will be detected.
 
These controls also depend on managers (1) selecting the right type and level of access for their employees, (2) informing system managers of which employees need accounts and what type and level of access they require, and (3) promptly informing system managers of changes to access requirements. Otherwise, accounts and accesses can be granted to or maintained for people who should not have them.

PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.