October 11, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Thanks to all community bankers - On October 6, 2020, the Independent Bankers Association of Texas awarded me (R. Kinney Williams) the 2020 President's Award for 57 years of dedicated service to the banking industry as a bank examiner, banker, and independent bank auditor. I want to express my sincere gratitude to IBAT and community bankers for this outstanding recognition.
Paying ransomware groups might violate US sanctions - Companies hit by ransomware could find themselves in the crosshairs of the federal government if the group behind the attack is subject to economic sanctions, the Department of the Treasury warned in a new advisory.
https://www.scmagazine.com/home/security-news/ransomware/paying-ransomware-groups-might-violate-us-sanctions/
https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/
Five ways to reduce ransomware risk in OT environments - Ransomware attacks are trendy, and so far have mostly targeted corporate IT environments, but operational technology (OT) has become collateral damage in many recent cases, including Honda, Garmin, and Maersk.
https://www.scmagazine.com/perspectives/five-ways-to-reduce-ransomware-risk-in-ot-environments/
Microsoft Exchange Servers Still Open to Actively Exploited Flaw - Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges, even eight months after Microsoft issued a fix.
https://threatpost.com/microsoft-exchange-exploited-flaw/159669/
Attacks on authentication turn ransomware from disruption to disaster - Ransomware has become an endemic problem in both the public and private sectors globally. And, let's be honest: it has been for years.
https://www.scmagazine.com/perspectives/attacks-on-authentication-turn-ransomware-from-disruption-to-disaster/
Ransomware victims aren't reporting attacks to police. That's causing a big problem - Europol's annual cybercrime report says ransomware is under-reported by victims, and some casualties appear to be simply hoping that nobody finds out they were a target.
https://www.zdnet.com/article/ransomware-victims-arent-reporting-attacks-to-police-thats-causing-a-big-problem/
Visa Warns of Attack Involving Mix of POS Malware - A North American merchant's point-of-sale (POS) terminals were infected with a mix of POS malware earlier this year, Visa reports.
https://www.securityweek.com/visa-warns-attack-involving-mix-pos-malware
NIST launches privacy tech challenge with a $276,000 payout - The National Institute of Standards and Technology launched a quarter-million dollar privacy technology competition this month aimed at making it more difficult to trace large data sets back to individual users.
https://www.scmagazine.com/home/security-news/nist-launches-privacy-tech-challenge-with-a-276000-payout/
Common bugs make anti-virus solutions vulnerable to exploitation - The very anti-malware solutions meant to protect organizations from things like privilege escalation can be exploited to do just that.
https://www.scmagazine.com/home/security-news/common-bugs-make-anti-virus-solutions-vulnerable-to-exploitation/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Massachusetts Hospital Investigates 'Data Security Incident' - Lawrence General Hospital officials are working through the details of exactly what happened during a disruptive cybersecurity incident earlier this month. The 36-hour disruptions forced ambulances to be diverted.
https://www.govtech.com/security/Massachusetts-Hospital-Investigates-Data-Security-Incident.html
Hackers leak files stolen in Pakistan's K-Electric ransomware attack - The Netwalker ransomware operators have published the stolen data for K-Electric, Pakistan's largest private power company, after a ransom was not paid.
https://www.bleepingcomputer.com/news/security/hackers-leak-files-stolen-in-pakistans-k-electric-ransomware-attack/
Swiss watchmaker Swatch shuts down IT systems to stop cyberattack - Swiss watchmaker Swatch Group shut down its IT systems over the weekend after identifying a cyberattack targeting its organization.
https://www.bleepingcomputer.com/news/security/swiss-watchmaker-swatch-shuts-down-it-systems-to-stop-cyberattack/
Cloud biz Blackbaud admits ransomware crims may have captured folks' bank info, months after saying that everything's fine - Comment: Blackbaud, the cloud CRM provider whose execs bought off ransomware crooks in exchange for a pinky promise that stolen data would not be misused, has now confessed that customers' bank account information may have been taken from its servers by the criminals.
https://www.theregister.com/2020/10/01/blackbaud_ransomeware_data/
New Jersey hospital paid ransomware gang $670K to prevent data leak - University Hospital New Jersey in Newark, New Jersey, paid a $670,000 ransomware demand this month to prevent the publishing of 240 GB of stolen data, including patient info.
https://www.bleepingcomputer.com/news/security/new-jersey-hospital-paid-ransomware-gang-670k-to-prevent-data-leak/
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.
Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.
Only the consumer may authorize the transfer, not, for example, a third-party merchant on behalf of the consumer.
Pursuant to the regulations, the timing of a consumer's report of an unauthorized transaction, or of the loss or theft of an access device, determines the consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and to ensure that an investigation is initiated as required.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start with the appropriate system architecture. Ideally, if an Internet connection is to be provided from within the institution, or a Web site established, the connection should be entirely separate from the core processing system. If the Web site is placed on its own server, there is no direct connection to the internal computer system. However, appropriate firewall technology may be necessary to protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers provides an added measure of protection, because requests could be segregated and routed to a particular server (such as a financial information server or a public information server). However, some systems may be considered so critical that they should be completely isolated from all other systems or networks. Security can also be enhanced by sending electronic transmissions from external sources to a machine that is not connected to the main operating system.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.1 Benefits of an Incident Handling Capability
The primary benefits of an incident handling capability are containing and repairing damage from incidents, and preventing future damage. In addition, there are less obvious side benefits related to establishing an incident handling capability.
12.1.1 Containing and Repairing Damage from Incidents
When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. An incident handling capability provides a way for users to report incidents and for the appropriate response and assistance to be provided to aid in recovery. Technical capabilities (e.g., trained personnel and virus identification software) are prepositioned, ready to be used as necessary. Moreover, the organization will have already made important contacts with other supportive sources (e.g., legal, technical, and managerial) to aid in containment and recovery efforts.
Without an incident handling capability, certain responses -- although well intentioned -- can actually make matters worse. In some cases, individuals have unknowingly infected anti-virus software with viruses and then spread them to other systems. When viruses spread to local area networks (LANs), most or all of the connected computers can be infected within hours. Moreover, uncoordinated efforts to rid LANs of viruses can prevent their eradication.
Many organizations use large LANs internally and also connect to public networks, such as the Internet. By doing so, organizations increase their exposure to threats from intruder activity, especially if the organization has a high profile (e.g., perhaps it is involved in a controversial program). An incident handling capability can provide enormous benefits by responding quickly to suspicious activity and coordinating incident handling with responsible offices and individuals, as necessary. Intruder activity, whether hackers or malicious code, can often affect many systems located at many different network sites; thus, handling the incidents can be logistically complex and can require information from outside the organization. By planning ahead, such contacts can be preestablished and the speed of response improved, thereby containing and minimizing damage. Other organizations may have already dealt with similar situations and may have very useful guidance to offer in speeding recovery and minimizing damage.
Some organizations suffer repeated outbreaks of viruses because the viruses are never completely eradicated. For example, suppose two LANs, Personnel and Budget, are connected, and a virus has spread within each. The administrators of each LAN detect the virus and decide to eliminate it on their LAN. The Personnel LAN administrator first eradicates the virus, but since the Budget LAN is not yet virus-free, the Personnel LAN is reinfected. Somewhat later, the Budget LAN administrator eradicates the virus. However, the virus reinfects the Budget LAN from the Personnel LAN. Both administrators may think all is well, but both are reinfected. An incident handling capability allows organizations to address recovery and containment of such incidents in a skilled, coordinated manner.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.