October 4, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration test also complies with
the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is
an affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective, which
will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner with
years of IT auditing experience. Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - ‘Insensitive’ phishing test stirs debate over ethics of security
training - A simulated phishing email that used the false promise of
company bonuses as a lure to trick employees has ignited a debate
over the ethics of security awareness testing that potentially
engenders distrust and hard feelings.
https://www.scmagazine.com/home/security-news/phishing/insensitive-phishing-test-stirs-debate-over-ethics-of-security-training/
Build security by expanding cyber awareness - Governments and
intelligence agencies are engaged in cyberwarfare on an epic scale.
As issues discussed on the internet are frequently amplified in the
media by organizations with vested interests, it’s become daunting
for security pros to unravel the complex and constantly changing web
of online allegiances.
https://www.scmagazine.com/perspectives/build-security-by-expanding-cyber-awareness/
What one company’s deal with the feds tells us about the long tail
of data breaches - It’s no secret that recovering from a data breach
can get very expensive, very fast. In addition to lawsuits and legal
costs, companies often end up hiring crisis PR firms, setting up
call centers to notify affected victims, dealing with insurance
costs and taking a big hit to their reputation.
https://www.scmagazine.com/home/security-news/what-one-companys-deal-with-the-feds-tells-us-about-the-long-tail-of-data-breaches/
It’s finally time to go passwordless - The death of passwords has
been predicted time and again. Not without good reason: passwords
are a weak link and a headache from both a security and operational
perspective.
https://www.scmagazine.com/perspectives/its-finally-time-to-go-passwordless/
Nevada school district refuses to submit to ransomware blackmail,
hacker publishes student data - A cybercriminal has published
private data belonging to thousands of students following a failed
attempt to extort a ransomware payment from a Nevada school
district.
https://www.zdnet.com/article/nevada-school-district-refuses-to-submit-to-ransomware-blackmail-hacker-responds-by-publishing-student-data/
OCR Imposes $6.85m Penalty Over Data Breach - A health insurance
company in Washington state has been slapped with the second-largest
ever HIPAA violation penalty.
https://www.infosecurity-magazine.com/news/ocr-imposes-685m-penalty-over-data/
IT guy whose job was to stop ex-staff running amok on the network is
jailed for running amok on the network - After he was demoted and
fired, idiot logged into office PC from home and wiped storage
systems - An IT guy, who was tasked with locking out ex-employees
from the company network, has been jailed after he logged in after
being fired and wiped an office's computer storage drives.
https://www.theregister.com/2020/09/25/it_support_jailed_storage/
Anthem to pay $39.5 million to states in latest settlement over 2015
hack - Anthem has agreed to pay $39.5 million in penalties and fees
resulting from a sweeping 2015 cyberattack on the health insurer as
part of a multi-state settlement, the company announced Wednesday.
https://www.cyberscoop.com/anthem-2015-hack-millions-settlement/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Shopify breach: Help center employees are a unique breed of
insider threat - A data breach at Shopify perpetrated by two “rogue
employees” who worked on the e-commerce platform’s support team
illustrates how certain roles within an organization may require
more stringent monitoring.
https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/
The Twitter hack exposed the need for more effective PAM security -
The 2020 Verizon Data Breach Investigations report found that 80
percent of breaches are caused by compromised or weak credentials.
This makes privileged access management (PAM) strategies a must
have.
https://www.scmagazine.com/perspectives/the-the-twitter-hack-exposed-the-need-for-more-effective-pam-security/
CISA says a hacker breached a federal agency - CISA didn't name the
attacker but it published an in-depth incident report detailing the
hacker's every step.
https://www.zdnet.com/article/cisa-says-a-hacker-breached-a-federal-agency/
Cybercriminals Strike Schools Amid Pandemic - Cybercriminals have
launched ransomware attacks on school districts across the country,
forcing some to cancel classes.
https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2020/09/22/cybercriminals-strike-schools-amid-pandemic
Foreign Hackers Cripple Texas County’s Email System, Raising
Election Security Concerns - The malware attack, which sent fake
email replies to voters and businesses, spotlights an overlooked
vulnerability in counties that don’t follow best practices for
computer security.
https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns
Tyler Technologies confirms cyberattack was ransomware -
Local-government IT services provider Tyler Technologies confirmed
Thursday that a cyberattack it reported experiencing Wednesday was
the result of a ransomware infection.
https://statescoop.com/tyler-technologies-confirms-cyberattack-ransomware/
UHS confirms hospitals hit by cyberattack, some systems down -
Universal Health Services (UHS) confirmed that some of its hospitals
are dealing with an ongoing, unspecified cyberattack, though it did
not specify which.
https://www.scmagazine.com/home/security-news/uhs-confirms-hospitals-hit-by-cyber-attack-some-systems-down/
Student Arrested Over Cyber-attacks on Indiana Schools - A
13-year-old boy has been arrested in the United States after
allegedly hacking into an Indiana school district's computer system.
https://www.infosecurity-magazine.com/news/student-arrested-over-school/
WEB SITE COMPLIANCE - This week begins our series on the Federal
Financial Institutions Examination Council Guidance on Electronic
Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear
and readily understandable, in writing, and in a form the consumer
may keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for
a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
FFIEC IT SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA, the
represented party, and could even include the represented party's
public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs.
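As an added example (not part of the FDIC text or this newsletter), the following Go program models what the passage describes: a CA that the relying party has agreed to trust beforehand signs a certificate binding a party's name to its public key, and the relying party accepts that certificate while rejecting one for the same key signed by a CA it never agreed to trust. All names ("trusted-ca.example", "bank.example") and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template describes the represented party: its name (also used as host name) and whether it is a CA.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// sign has the holder of signer (the CA) attach its signature to a certificate binding
// the template's name to pub; with parent == tmpl the result is a self-signed CA certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// must turns an issuance failure into a panic; acceptable in a demonstration, not in production code.
func must(c *x509.Certificate, err error) *x509.Certificate { if err != nil { panic(err) }; return c }

// Trusted reports whether cert was signed by a CA in roots (the CAs this relying party agreed
// to trust beforehand) and actually names host; anything else is rejected.
func Trusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo certifies the same bank key twice, once by the trusted CA and once by an unknown CA,
// and returns whether the relying party accepts each certificate.
func Demo() (fromTrusted, fromUnknown bool) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, otherKey, bankKey := newKey(), newKey(), newKey() // constructed keys for the demo
	caTmpl, otherTmpl := template("trusted-ca.example", 1, true), template("unknown-ca.example", 2, true)
	ca := must(sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)) // self-signed root certificates
	other := must(sign(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only CA this relying party has agreed to trust
	good := must(sign(template("bank.example", 3, false), ca, &bankKey.PublicKey, caKey))
	bad := must(sign(template("bank.example", 4, false), other, &bankKey.PublicKey, otherKey))
	return Trusted(good, roots, "bank.example"), Trusted(bad, roots, "bank.example")
}
```

Note that the rejected certificate carries the same public key and the same name as the accepted one; the only difference is whose signature vouches for the binding.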
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
Computer systems are subject to a wide range of mishaps -- from
corrupted data files, to viruses, to natural disasters. Some of
these mishaps can be fixed through standard operating procedures.
For example, frequently occurring events (e.g., a mistakenly deleted
file) can usually be readily repaired (e.g., by restoration from the
backup file). More severe mishaps, such as outages caused by natural
disasters, are normally addressed in an organization's contingency
plan. Other damaging events result from deliberate malicious
technical activity (e.g., the creation of viruses or system
hacking).
A computer security incident can result from a computer virus,
other malicious code, or a system intruder, either an insider or an
outsider. It is used in this chapter to broadly refer to those
incidents resulting from deliberate malicious technical activity. It
can more generally refer to those incidents that, without
technically expert response, could result in severe damage. This
definition of a computer security incident is somewhat flexible and
may vary by organization and computing environment.
Malicious code includes viruses as well as Trojan horses and worms.
A virus is a code segment that replicates by attaching copies of
itself to existing executables. A Trojan horse is a program that
performs a desired task, but also includes unexpected functions. A
worm is a self-replicating program.
Although the threats that hackers and malicious code pose to
systems and networks are well known, the occurrence of such harmful
events remains unpredictable. Security incidents on larger networks
(e.g., the Internet), such as break-ins and service disruptions,
have harmed various organizations' computing capabilities. When
initially confronted with such incidents, most organizations respond
in an ad hoc manner. However, recurrence of similar incidents often
makes it cost-beneficial to develop a standing capability for quick
discovery of and response to such events. This is especially true,
since incidents can often "spread" when left unchecked thus
increasing damage and seriously harming an organization.
Incident handling is closely related to contingency planning as
well as support and operations. An incident handling capability may
be viewed as a component of contingency planning, because it
provides the ability to react quickly and efficiently to disruptions
in normal processing. Broadly speaking, contingency planning
addresses events with the potential to interrupt system operations.
Incident handling can be considered that portion of contingency
planning that responds to malicious technical threats.
This chapter describes how organizations can address computer
security incidents (in the context of their larger computer security
program) by developing a computer security incident handling
capability.
Many organizations handle incidents as part of their user support
capability or as a part of general system support.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.