R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

October 10, 2021

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

FYI - Wireless device users under attack, using ‘SSID Stripping’ phishing techniques - Special text characters can be weaponized by malicious attackers, allowing them to set up malicious WiFi networks with names that appear to perfectly match the Service Set Identifiers (SSIDs) of legitimate networks, but are actually different. https://www.scmagazine.com/analysis/phishing/wireless-network-communications-are-under-attack-using-ssid-stripping

The simple, yet complex nature of social engineering - Cyberattacks and data breaches are increasing, highlighting and exploiting the most crucial corporate vulnerabilities. Hackers often make use of major world events, and the pandemic has become a case in point. https://www.scmagazine.com/perspective/phishing/the-simple-yet-complex-nature-of-social-engineering

NSA, CISA partner for guide on safe VPNs amid widespread exploitation by nation-states - The US agencies released the guides as threats targeting VPNs continue to grow. The NSA and CISA have released a detailed guide on how people and organizations should choose virtual private networks (VPN) as both nation-states and cybercriminals ramp up their exploitation of the tools amid a global shift to remote work and schooling. https://www.zdnet.com/article/nsa-cisa-partner-for-guide-on-safe-vpns-amid-widespread-exploitation-by-nation-states/

CISA releases tool to help orgs fend off insider threat risks - The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool that allows public and private sector organizations to assess their vulnerability to insider threats and devise their own defense plans against such risks. https://www.bleepingcomputer.com/news/security/cisa-releases-tool-to-help-orgs-fend-off-insider-threat-risks/

Cybersecurity is No. 2 global threat in new survey – ahead of pandemics - Cybersecurity risks ranked only behind climate change in a survey released this week on challenges facing the world. https://www.scmagazine.com/news/security-awareness/cybersecurity-is-no-2-global-threat-in-new-survey-ahead-of-pandemics

Eight ways to boost the results of cybersecurity training - The value of cybersecurity training has been universally recognized by most organizations, in much the same way baseball and apple pie exemplify American culture. https://www.scmagazine.com/perspective/leadership/eight-ways-to-boost-the-results-of-cybersecurity-training

Vulnerability scanners: Overview | Security Weekly Labs - In the beginning, there were network vulnerability scanners. These early security tools would scan the network for active hosts, would then scan for listening services, and would finally check for vulnerabilities. https://www.scmagazine.com/product-test/vulnerability-management/sw-labs-overview-vulnerability-scanners

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Indiana hospital suspends IT systems in response to ongoing cyberattack - Late Wednesday night, Schneck Medical Center in Indiana was hit with a cyberattack that impacted operations, leading the security team to suspend access to all IT applications across the hospital network, according to a posting on the hospital’s website. https://www.scmagazine.com/analysis/incident-response/indiana-hospital-suspends-it-systems-in-response-to-ongoing-cyberattack

Baby’s Death Alleged to Be Linked to Ransomware - Access to heart monitors disabled by the attack allegedly kept staff from spotting blood & oxygen deprivation that led to the baby’s death. https://threatpost.com/babys-death-linked-ransomware/175232/

Cyberattack drives Johnson Memorial into EHR downtime procedures - Johnson Memorial Health is currently operating under electronic health record downtime procedures, after a cyberattack struck its computer network on Oct. 2. https://www.scmagazine.com/news/incident-response/cyberattack-drives-johnson-memorial-into-ehr-downtime-procedures

Misconfigured Apache Airflow instances expose credentials on AWS, PayPal and Slack - Researchers on Monday reported that misconfigured instances of the open-source workflow management platform Apache Airflow exposed credentials for popular platforms and services such as Amazon Web Services, PayPal, and Slack. https://www.scmagazine.com/news/application-security/misconfigured-apache-airflow-instances-expose-credentials-on-aws-paypal-and-slack

Facebook has finally given a reason for the six-hour outage Monday - Facebook said in a blog post Monday night that the six-hour outage that took it offline, along with Instagram, Messenger, Whatsapp, and OculusVR, was the result of a configuration change to its routers — not of a hack or attempt to get at user data. https://www.theverge.com/2021/10/4/22709806/facebook-says-the-six-hour-outage

WEB SITE COMPLIANCE - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 2 of 2)

Routers and switches are sometimes difficult to locate. Users may install their own devices and create their own unauthorized subnets. Any unrecognized or unauthorized network devices pose security risks. Financial institutions should periodically audit network equipment to ensure that only authorized and maintained equipment resides on their network.

DNS hosts, routers and switches are computers with their own operating system. If successfully attacked, they can allow traffic to be monitored or redirected. Financial institutions must restrict, log, and monitor administrative access to these devices. Remote administration typically warrants an encrypted session, strong authentication, and a secure client. The devices should also be appropriately patched and hardened.

Packets are sent and received by devices using a network interface card (NIC) for each network to which they connect. Internal computers would typically have one NIC card for the corporate network or a subnet. Firewalls, proxy servers, and gateway servers are typically dual-homed with two NIC cards that allow them to communicate securely both internally and externally while limiting access to the internal network.
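The two controls above, periodic reconciliation of network equipment against the authorized inventory and restricted, logged, encrypted administrative access with current patches, as an added Python example. This is not text or tooling from the FFIEC booklet or any vendor; the inventory, the discovery-sweep results, the MgmtConfig fields and the 90-day patch limit are all constructed assumptions.

```python
"""Periodic network-equipment audit (constructed example, not FFIEC or vendor code).

Reconciles the devices observed on the network with the authorized inventory,
then checks each inventoried device's management plane against the controls
the booklet calls for: restricted, logged and monitored administrative access
over an encrypted session with strong authentication, and a current patch level.
"""
from dataclasses import dataclass
from datetime import date


def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-11-22-AA-BB-01 and 00:11:22:aa:bb:01 compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(authorized, discovered):
    """Return (unauthorized, missing).

    unauthorized: (mac, ip) pairs seen on the wire but absent from the inventory,
                  e.g. a user-installed switch or an unauthorized subnet.
    missing:      (mac, name) pairs in the inventory that the sweep did not see,
                  which may mean the device was moved, replaced or is down.
    """
    seen = {normalize_mac(mac): ip for mac, ip in discovered}
    known = {normalize_mac(mac): name for mac, name in authorized.items()}
    unauthorized = sorted((mac, ip) for mac, ip in seen.items() if mac not in known)
    missing = sorted((mac, name) for mac, name in known.items() if mac not in seen)
    return unauthorized, missing


@dataclass
class MgmtConfig:
    """Management-plane settings collected from a device (constructed fields, not vendor syntax)."""
    name: str
    telnet_enabled: bool       # cleartext remote administration
    ssh_enabled: bool          # encrypted remote administration
    admin_acl: tuple           # source networks allowed to reach the management interface; () = any
    mfa_required: bool         # strong authentication for administrators
    syslog_servers: tuple      # remote collectors receiving admin logins and config changes
    last_patched: date


def audit_management(cfg, today, max_patch_age_days=90):
    """Return a list of findings; an empty list means the device meets every check."""
    findings = []
    if cfg.telnet_enabled:
        findings.append("cleartext remote administration (telnet) is enabled")
    if not cfg.ssh_enabled:
        findings.append("no encrypted remote administration (ssh) is available")
    if not cfg.admin_acl:
        findings.append("management interface reachable from any source address")
    if not cfg.mfa_required:
        findings.append("administrative logins do not require strong (multi-factor) authentication")
    if not cfg.syslog_servers:
        findings.append("administrative access is not logged to a remote collector")
    age = (today - cfg.last_patched).days
    if age > max_patch_age_days:
        findings.append(f"last patched {age} days ago, beyond the {max_patch_age_days}-day limit")
    return findings


# Constructed data: the authorized inventory, a discovery sweep (e.g. ARP/LLDP tables),
# and the management settings pulled from two of the inventoried devices.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "core-rtr-1",
    "00:11:22:aa:bb:02": "dist-sw-1",
    "00:11:22:aa:bb:03": "dns-1",
}
DISCOVERED = [
    ("00:11:22:AA:BB:01", "10.0.0.1"),
    ("00-11-22-aa-bb-02", "10.0.0.2"),
    ("de:ad:be:ef:00:01", "10.0.7.250"),   # not in the inventory
]
CONFIGS = [
    MgmtConfig("core-rtr-1", telnet_enabled=True, ssh_enabled=True, admin_acl=(),
               mfa_required=False, syslog_servers=("10.0.0.50",), last_patched=date(2021, 5, 1)),
    MgmtConfig("dist-sw-1", telnet_enabled=False, ssh_enabled=True, admin_acl=("10.0.100.0/24",),
               mfa_required=True, syslog_servers=("10.0.0.50",), last_patched=date(2021, 9, 20)),
]


def run_audit(today=date(2021, 10, 10)):
    """Produce the audit report as a dict so it can be checked or rendered."""
    unauthorized, missing = reconcile(AUTHORIZED, DISCOVERED)
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "findings": {cfg.name: audit_management(cfg, today) for cfg in CONFIGS},
    }


if __name__ == "__main__":
    for section, value in run_audit().items():
        print(section, value)
```

Both halves of the report matter: a device that is missing from the sweep is as worth a follow-up as an unknown one, since an inventoried router that has silently been replaced is exactly the "unrecognized equipment" case the booklet describes.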

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Biometrics (Part 1 of 2)

Biometrics can be implemented in many forms, including tokens. Biometrics verifies the identity of the user by reference to unique physical or behavioral characteristics. A physical characteristic can be a thumbprint or iris pattern. A behavioral characteristic is the unique pattern of key depression strength and pauses made on a keyboard when a user types a phrase. The strength of biometrics is related to the uniqueness of the physical characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user's memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.

Enrollment is a critical process for the use of biometric authentication. The user's physical characteristics must be reliably recorded. Reliability may require several samples of the characteristic and a recording device free of lint, dirt, or other interference. The enrollment device must be physically secure from tampering and unauthorized use.

When enrolled, the user's biometric is stored as a template. Subsequent authentication is accomplished by comparing a submitted biometric against the template, with results based on probability and statistical confidence levels. Practical usage of biometric solutions requires consideration of how precise systems must be for positive identification and authentication. More precise solutions increase the chances a person is falsely rejected. Conversely, less precise solutions can result in the wrong person being identified or authenticated as a valid user (i.e., false acceptance rate). The equal error rate (EER) is a composite rating that considers the false rejection and false acceptance rates. Lower EERs mean more consistent operations. However, EER is typically based upon laboratory testing and may not be indicative of actual results due to factors that can include the consistency of biometric readers to capture data over time, variations in how a user presents their biometric sample (e.g., occasionally pressing harder on a finger scanner), and environmental factors.
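The false rejection, false acceptance and equal error rate trade-off described above, worked in Python as an added example that is not from the booklet or any vendor. The genuine and impostor similarity scores are constructed; a second "field" set of genuine scores models the less consistent sample presentation the text warns about, so the same matcher shows a higher EER than its laboratory figure.

```python
"""False rejection, false acceptance and equal error rate for a biometric matcher
(constructed example, not FFIEC or vendor code).

Scores are similarity values in [0, 1] between a submitted sample and the
enrolled template; the matcher accepts when score >= threshold.  Genuine
scores come from the enrolled user, impostor scores from other people.
"""


def rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at one threshold.

    FRR: fraction of genuine attempts rejected (score below threshold).
    FAR: fraction of impostor attempts accepted (score at or above threshold).
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (eer, threshold) where FRR and FAR are closest; EER is their mean there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, eer = best
    return eer, threshold


# Constructed scores.  LAB_GENUINE mimics clean, enrollment-quality samples;
# FIELD_GENUINE mimics the same users presenting less consistently (dirty
# sensor, different finger pressure), which pushes genuine scores down
# towards the impostor range.
LAB_GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.75, 0.70, 0.60]
FIELD_GENUINE = [0.90, 0.85, 0.80, 0.72, 0.66, 0.62, 0.58, 0.52, 0.47, 0.40]
IMPOSTOR = [0.65, 0.55, 0.50, 0.48, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20]


def compare_conditions():
    """EER under laboratory and field conditions, plus the FRR/FAR trade-off at a
    strict and a lax threshold, to show why a single EER figure is not enough."""
    lab_eer, lab_t = equal_error_rate(LAB_GENUINE, IMPOSTOR)
    field_eer, field_t = equal_error_rate(FIELD_GENUINE, IMPOSTOR)
    return {
        "lab": (lab_eer, lab_t),
        "field": (field_eer, field_t),
        "field_strict_0.80": rates(FIELD_GENUINE, IMPOSTOR, 0.80),
        "field_lax_0.45": rates(FIELD_GENUINE, IMPOSTOR, 0.45),
    }


if __name__ == "__main__":
    for condition, value in compare_conditions().items():
        print(f"{condition:18s} {value}")
```

Raising the threshold drives FAR towards zero at the cost of FRR, and lowering it does the reverse; the EER only names the one threshold where the two meet, and with the constructed field data that point moves and the rate doubles, which is the laboratory-versus-production caveat the booklet makes.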

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION

16.4.2 Maintaining Authentication

So far, this chapter has discussed initial authentication only. It is also possible for someone to use a legitimate user's account after log-in. Many computer systems handle this problem by logging a user out or locking their display or session after a certain period of inactivity. However, these methods can affect productivity and can make the computer less user-friendly.

16.4.3 Single Log-in

From an efficiency viewpoint, it is desirable for users to authenticate themselves only once and then to be able to access a wide variety of applications and data available on local and remote systems, even if those systems require users to authenticate themselves. This is known as single log-in. If the access is within the same host computer, then the use of a modern access control system (such as an access control list) should allow for a single log-in. If the access is across multiple platforms, then the issue is more complicated, as discussed below. There are three main techniques that can provide single log-in across multiple computers: host-to-host authentication, authentication servers, and user-to-host authentication.

Host-to-Host Authentication. Under a host-to-host authentication approach, users authenticate themselves once to a host computer. That computer then authenticates itself to other computers and vouches for the specific user. Host-to-host authentication can be done by passing an identification, a password, or by a challenge-response mechanism or other one-time password scheme. Under this approach, it is necessary for the computers to recognize each other and to trust each other.

Authentication Servers. When using an authentication server, the users authenticate themselves to a special host computer (the authentication server). This computer then authenticates the user to other host computers the user wants to access. Under this approach, it is necessary for the computers to trust the authentication server. (The authentication server need not be a separate computer, although in some environments this may be a cost-effective way to increase the security of the server.) Authentication servers can be distributed geographically or logically, as needed, to reduce workload.

User-to-Host. A user-to-host authentication approach requires the user to log in to each host computer. However, a smart token (such as a smart card) can contain all authentication data and perform that service for the user. To users, it looks as though they were only authenticated once.

Kerberos and SPX are examples of network authentication server protocols. They both use cryptography to authenticate users to computers on networks.
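The authentication-server approach above, as an added Python example that is not Kerberos, SPX or the handbook's own code: a toy ticket scheme in which the user authenticates once to the server, the server vouches for the user to a host with a ticket sealed under a key it shares with that host, and the host checks the seal, the intended host name, the validity window and replay before trusting the user name inside. The host names, the shared keys, the user "alice", the ticket format and the five-minute lifetime are all constructed assumptions.

```python
"""Toy authentication-server single log-in (constructed example; not Kerberos,
SPX or any product's protocol).

The user authenticates once to the authentication server.  The server then
vouches for the user to a host by issuing a ticket sealed with a secret it
shares with that host.  Hosts trust the server's key, never the user's
password, so the password is never sent to the hosts at all.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each ticket


def make_password(password):
    """Salted PBKDF2 record stored by the authentication server."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


class AuthServer:
    def __init__(self, users, host_keys):
        self._users = users          # user name -> (salt, digest)
        self._host_keys = host_keys  # host name -> secret shared with that host

    def login(self, user, password, host, now=None, lifetime=300):
        """Authenticate once; on success return a ticket the named host will accept."""
        record = self._users.get(user)
        if record is None or not verify_password(password, *record):
            return None
        key = self._host_keys.get(host)
        if key is None:
            return None
        now = time.time() if now is None else now
        payload = {"user": user, "host": host, "iat": now, "exp": now + lifetime,
                   "nonce": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()


class Host:
    def __init__(self, name, key):
        self.name = name
        self._key = key
        self._seen_nonces = set()  # replay protection within the ticket lifetime

    def accept(self, ticket, now=None):
        """Return the user name if the ticket is valid for this host, else None."""
        try:
            raw = base64.urlsafe_b64decode(ticket)
        except (ValueError, binascii.Error):
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged, tampered, or sealed under another host's key
        payload = json.loads(body)
        now = time.time() if now is None else now
        if payload["host"] != self.name or not payload["iat"] <= now < payload["exp"]:
            return None
        if payload["nonce"] in self._seen_nonces:
            return None
        self._seen_nonces.add(payload["nonce"])
        return payload["user"]


def demo(now=1_700_000_000.0):
    """Run the exchange and the checks a host must make; returns each outcome by name."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    server = AuthServer({"alice": make_password("correct horse")},
                        {"host-a": key_a, "host-b": key_b})
    host_a, host_b = Host("host-a", key_a), Host("host-b", key_b)

    ticket = server.login("alice", "correct horse", "host-a", now)
    # A ticket whose body was edited after sealing: the seal no longer matches.
    raw = base64.urlsafe_b64decode(ticket)
    forged = base64.urlsafe_b64encode(
        raw[:-TAG_LEN].replace(b'"alice"', b'"mallory"') + raw[-TAG_LEN:]).decode()

    return {
        "bad_password_refused": server.login("alice", "wrong", "host-a", now) is None,
        "ticket_accepted": host_a.accept(ticket, now) == "alice",
        "replay_rejected": host_a.accept(ticket, now + 1) is None,
        "wrong_host_rejected": host_b.accept(ticket, now) is None,
        "expired_rejected": Host("host-a", key_a).accept(ticket, now + 301) is None,
        "tampered_rejected": Host("host-a", key_a).accept(forged, now) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {'ok' if ok else 'FAIL'}")
```

The trust relationship the handbook describes is visible in the code: each host holds only its own shared key, so it can verify tickets the server issued for it and nothing else, and the server is the single place that ever sees a password. Anything that handles real sessions would also need clock agreement between server and hosts, since the validity window depends on it.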

PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.