R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

October 3, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

FYI
- Senators aim to bolster CISA’s role in FISMA update - Leaders on the Senate Homeland Security and Governmental Affairs committee said they are developing legislation that would update federal laws on internal cybersecurity to better account for today’s threats and further clarify the quarterbacking role that the Cybersecurity and Infrastructure Security Agency should play in helping agencies raise their internal security. https://www.scmagazine.com/analysis/critical-infrastructure/senators-aim-to-bolster-cisas-role-in-fisma-update

GAO - Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls - Telework is essential to the continuity of federal operations in emergencies - but it also brings added cybersecurity risks. We examined federal agencies' preparedness to support expanded telework during the COVID-19 pandemic. https://www.gao.gov/products/gao-21-583 

Suex to be you: Feds sanction cryptocurrency exchange for handling payments from 8+ ransomware variants - The US Treasury on Tuesday sanctioned virtual cryptocurrency exchange Suex OTC for handling financial transactions for ransomware operators, an intervention that's part of a broad US government effort to disrupt online extortion and related cyber-crime. https://www.theregister.com/2021/09/21/feds_sanction_suex/

Wisconsin Law Imposes Cybersecurity Rules for Insurance Industry - Starting Nov. 1, a Wisconsin bill will go into effect requiring insurance companies to meet specific requirements to protect residents' private information, including social security numbers and health information. https://www.govtech.com/security/wisconsin-law-imposes-cybersecurity-rules-for-insurance-industry

Why security matters when testing and validating microprocessors - Security teams continue to focus on supply chain incidents as attacks get more complex and varied. In fact, the Identity Theft Resource Center has found that supply chain attacks impacted 694 entities in 2020, which ultimately affected more than 42 million individuals. https://www.scmagazine.com/perspective/hardware-security/why-security-when-testing-and-validating-microprocessors-matters-to-enterprises

Food and agriculture industry needs more threat intel as ransomware attacks crop up - Ransomware attacks launched this month against farm co-ops NEW Cooperative and Crystal Valley highlighted the need among organizations within the food and agriculture industry for additional representation among the threat-sharing community. https://www.scmagazine.com/analysis/ransomware/food-and-agriculture-industry-needs-more-threat-intel-as-ransomware-attacks-crop-up

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Major US port target of attempted cyber attack - The Port of Houston, a major U.S. port, was targeted in an attempted cyber attack last month, the Port shared in a statement on Thursday. https://thehill.com/homenews/state-watch/573749-major-us-port-target-of-attempted-cyber-attack

Second farming cooperative shut down by ransomware this week - Minnesota farming supply cooperative Crystal Valley has suffered a ransomware attack, making it the second farming cooperative attacked this weekend. https://www.bleepingcomputer.com/news/security/second-farming-cooperative-shut-down-by-ransomware-this-week/

UCSD Health sued by breach victims after undetected email hack - The University of California San Diego Health is facing two breach lawsuits filed in the U.S. District Court of Southern California by two patients impacted by an undetected email hack. The suit makes a number of allegations around UCSD Health's security failings, including negligence. https://www.scmagazine.com/analysis/breach/ucsd-health-sued-by-breach-victims-after-undetected-email-hack


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
   
Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 1 of 2)
   
   Vigilant management oversight is essential for the provision of effective internal controls over e-banking activities. In addition to the specific characteristics of the Internet distribution channel discussed in the Introduction, the following aspects of e-banking may pose considerable challenge to traditional risk management processes:
   
   1) Major elements of the delivery channel (the Internet and related technologies) are outside of the bank's direct control.
   
   2) The Internet facilitates delivery of services across multiple national jurisdictions, including those not currently served by the institution through physical locations.
   
   3) The complexity of issues that are associated with e-banking and that involve highly technical language and concepts are in many cases outside the traditional experience of the Board and senior management.
   
   In light of the unique characteristics of e-banking, new e-banking projects that may have a significant impact on the bank's risk profile and strategy should be reviewed by the Board of Directors and senior management and undergo appropriate strategic and cost/reward analysis. Without adequate up-front strategic review and ongoing performance to plan assessments, banks are at risk of underestimating the cost and/or overestimating the payback of their e-banking initiatives.
   
   In addition, the Board and senior management should ensure that the bank does not enter into new e-banking businesses or adopt new technologies unless it has the necessary expertise to provide competent risk management oversight. Management and staff expertise should be commensurate with the technical nature and complexity of the bank's e-banking applications and underlying technologies. Adequate expertise is essential regardless of whether the bank's e-banking systems and services are managed in-house or outsourced to third parties. Senior management oversight processes should operate on a dynamic basis in order to effectively intervene and correct any material e-banking systems problems or security breaches that may occur. The increased reputational risk associated with e-banking necessitates vigilant monitoring of systems operability and customer satisfaction as well as appropriate incident reporting to the Board and senior management.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   
   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
   
   AUTHENTICATION -
   Public Key Infrastructure (Part 3 of 3)
   
   When utilizing PKI policies and controls, financial institutions need to consider the following:
   
   - Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;
   
   - Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;
   
   - Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;
   
   - Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;
   
   - Updating the database of revoked certificates frequently, ideally in real-time mode;
   
   - Employing stringent measures to protect the root key including limited physical access to CA facilities, tamper-resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and back-up keys on computers that do not connect with outside networks;
   
   - Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;
   
   - Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;
   
   - Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and
   
   - Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.
   
   The encryption components of PKI are addressed more fully under "Encryption."
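   The validity-period and revocation controls listed above (a short certificate lifetime, a CA-signed revocation list consulted before a transaction is accepted, and a stale list treated as unknown status), worked through as an added Ruby example that is not part of the FFIEC booklet or this newsletter. The CA name, customer serial number, issuance date and validity windows are constructed for illustration.

```ruby
require "openssl"
ISSUED = Time.utc(2021, 10, 3) # constructed issuance date of the sample PKI; validity windows count from it

# Signs an X.509v3 certificate; with issuer_cert nil it is self-signed (the root CA).
def sign_cert(cn, key, serial:, days:, ca: false, issuer_cert: nil, issuer_key: key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = ISSUED
  cert.not_after = ISSUED + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Sample PKI (made-up names): a 10-year root CA and a customer certificate with a deliberately
# short one-year validity, so key length and algorithm are re-evaluated at each renewal.
def build_sample_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = sign_cert("Sample Bank Root CA", ca_key, serial: 1, days: 3650, ca: true)
  leaf = sign_cert("customer-1001", OpenSSL::PKey::RSA.new(2048), serial: 1001, days: 365,
                   issuer_cert: ca, issuer_key: ca_key)
  [ca, ca_key, leaf]
end

# CA-signed CRL, current for 24 hours, listing the given serials as revoked one hour after issuance.
def issue_crl(ca, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = ca.subject
  crl.last_update = ISSUED
  crl.next_update = ISSUED + 86_400
  revoked_serials.each do |serial|
    crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial = serial; r.time = ISSUED + 3600 })
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

# Relying-party check before a transaction is accepted: chain to the institution's CA, inside the
# validity period at `now`, and absent from a CA-signed CRL that is still current. V_FLAG_CRL_CHECK
# fails closed, so an expired CRL also rejects. Returns "ok" or OpenSSL's reason for rejection.
def check_cert(leaf, ca, crl, now)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.time = now
  store.verify(leaf) ? "ok" : store.error_string
end
```

   Run against the sample PKI, the same certificate is accepted with a clean, current CRL, and rejected once its serial appears on the CRL, once the CRL has passed its next-update time, or once its own one-year validity has lapsed.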



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
  
  16.4 Implementing I&A Systems
  
  Some of the important implementation issues for I&A systems include administration, maintaining authentication, and single log-in.
  
  16.4.1 Administration
  
  Administration of authentication data is a critical element for all types of authentication systems. The administrative overhead associated with I&A can be significant. I&A systems need to create, distribute, and store authentication data. For passwords, this includes creating passwords, issuing them to users, and maintaining a password file. Token systems involve the creation and distribution of tokens/PINs and data that tell the computer how to recognize valid tokens/PINs. For biometric systems, this includes creating and storing profiles.
  
  The administrative tasks of creating and distributing authentication data and tokens can be substantial. Identification data has to be kept current by adding new users and deleting former users. If the distribution of passwords or tokens is not controlled, system administrators will not know if they have been given to someone other than the legitimate user. It is critical that the distribution system ensure that authentication data is firmly linked with a given individual.
  
  In addition, I&A administrative tasks should address lost or stolen passwords or tokens. It is often necessary to monitor systems to look for stolen or shared accounts.
  
  Authentication data needs to be stored securely, as discussed with regard to accessing password files. The value of authentication data lies in the data's confidentiality, integrity, and availability. If confidentiality is compromised, someone may be able to use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators. If integrity is compromised, authentication data can be added or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work.
  
  One method of looking for improperly used accounts is for the computer to inform users when they last logged on. This allows users to check if someone else used their account.

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.