October 17, 2021
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration test also complies with
the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is
an affordable, sophisticated process that goes far beyond simple port
scanning. The audit is conducted from a hacker's perspective, which
will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - DHS to impose new cyber
requirements on railway, subway and aviation operators - The
Transportation Security Administration is developing a security
directive that would impose a series of new cybersecurity
requirements on “high risk” rail and subway entities as well as the
aviation sector.
https://www.scmagazine.com/analysis/critical-infrastructure/dhs-to-impose-new-cyber-requirements-on-railway-subway-and-aviation-operators
NIST seeks industry help to smooth transition to quantum-resistant
encryption - Government agencies and the private sector have been
patiently waiting for the National Institute of Standards and
Technology to approve its new “post-quantum” cryptographic
algorithms so they can begin the long, arduous process of switching
out their classical encryption for new protocols that can better
protect against future quantum codebreaking.
https://www.scmagazine.com/analysis/encryption/nist-seeks-industry-help-to-smooth-transition-to-quantum-resistant-encryption
Lawsuits allege death, morbidity from cyberattacks: Is this the next
phase of medical malpractice? - Last week, a headline caught
mainstream media's attention: a lawsuit filed by a mother claimed a
ransomware attack led to the death of her newborn. A lawsuit filed in
the same timeframe alleged a patient's care was diminished due to
network outages at a hospital's vendor.
https://www.scmagazine.com/feature/incident-response/lawsuits-allege-death-morbidity-from-cyberattacks-is-this-the-next-phase-of-medical-malpractice
DoJ announces new efforts to shore up cryptocurrency, contractor
security - New initiatives from the Department of Justice will focus
on cryptocurrency enforcement and federal contractor cybersecurity,
Deputy Attorney General Lisa Monaco announced at the Aspen
Cybersecurity Summit Wednesday.
https://www.scmagazine.com/analysis/cryptocurrency/doj-announces-new-efforts-to-shore-up-cryptocurrency-contractor-security
Five practical tips for preventing insider threats - Most security
teams focus on threats that come from the outside: Hackers, malware
and nation-states. Organizations don’t always realize that much of
their potential security risk stems from insiders.
https://www.scmagazine.com/perspective/insider-threat/five-practical-tips-for-preventing-insider-threats
Fertility clinic reaches $495K settlement over lax cybersecurity,
2017 data breach - Diamond Institute for Infertility and Menopause
reached a settlement with the New Jersey acting attorney general and
the state’s Division of Consumer Affairs for $495,000 to resolve an
investigation into the fertility clinic’s cybersecurity practices
following a health care data breach reported in 2017.
https://www.scmagazine.com/analysis/breach/fertility-clinic-reaches-495k-settlement-over-lax-cybersecurity-2017-data-breach
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Apache leak spotlights dangers of
misconfigured workflow management platforms - The recent disclosure
of misconfigurations in Apache Airflow instances that exposed
thousands of credentials for Slack, PayPal and AWS and other
services underscored the potential dangers associated with
misconfigured cloud-based workflow management platforms.
https://www.scmagazine.com/analysis/cloud-security/apache-leak-spotlights-dangers-of-misconfigured-workflow-management-platforms
Medtronic urgently recalls insulin pump controllers over hacking
concerns - Medtronic is urgently recalling remote controllers for
insulin pumps belonging to the ‘MiniMed Paradigm’ family of
products, due to severe cybersecurity risks.
https://www.bleepingcomputer.com/news/security/medtronic-urgently-recalls-insulin-pump-controllers-over-hacking-concerns/
US gov’t will slap contractors with civil lawsuits for hiding
breaches - In a groundbreaking initiative announced by the
Department of Justice this week, federal contractors will be sued if
they fail to report a cyber attack or data breaches.
https://arstechnica.com/information-technology/2021/10/us-govt-will-slap-contractors-with-civil-lawsuits-for-hiding-breaches/
Company that routes SMS for all major US carriers was hacked for
five years - Syniverse, a company that routes hundreds of billions
of text messages every year for hundreds of carriers including
Verizon, T-Mobile, and AT&T, revealed to government regulators that
a hacker gained unauthorized access to its databases for five years.
https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/
Quest-owned fertility clinic announces data breach after August
ransomware attack - 350,000 patients of ReproSource had their
medical data leaked, and some even had SSNs and credit card numbers
exposed as well.
https://www.zdnet.com/article/quest-owned-fertility-clinic-announces-data-breach-after-august-ransomware-attack/
Ransomware attack on Quest’s ReproSource impacts data of 350K
patients - Approximately 350,000 patients were recently notified
that their data was potentially accessed or acquired during a
ransomware attack on ReproSource Fertility Diagnostics, a clinical
laboratory for fertility specialists and a subsidiary of Quest
Diagnostics.
https://www.scmagazine.com/analysis/breach/ransomware-attack-on-quests-reprosource-impacts-data-of-350k-patients
Microsoft Azure customer hit by record DDoS attack in August -
Microsoft on Monday reported an Azure customer in Europe was hit
with a 2.4 terabits-per-second (Tbps) distributed denial of service
(DDoS) attack in early August, making the summer attack even larger
than the one detected by Amazon Web Services in Q1 2020.
https://www.scmagazine.com/news/ddos/microsoft-azure-customer-hit-by-record-ddos-attack-in-august
Iran-sponsored campaign infiltrated aerospace firms and telecoms
using RAT, DropBox - Researchers on Wednesday reported on a highly
targeted cyber espionage campaign sponsored by the Iranians that has
targeted global aerospace and telecommunications companies in the
Middle East, Russia, Europe, and the United States.
https://www.scmagazine.com/news/cloud-security/iran-sponsored-campaign-infiltrated-aerospace-firms-and-telecoms-using-rat-dropbox
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
process.
The Board of Directors and senior management should
oversee the development and continued maintenance of a security
control infrastructure that properly safeguards e-banking systems
and data from both internal and external threats. This should
include establishing appropriate authorization privileges, logical
and physical access controls, and adequate infrastructure security
to maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary
duties and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
technology.
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
policies.
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to
prevent unauthorized internal and external access to e-banking
applications and databases.
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
- Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an
attacker to submit false physical characteristics, or to take
advantage of system flaws to make the system erroneously report a
match between the characteristic submitted and the one stored in the
system. In the first situation, an attacker might submit to a
thumbprint recognition system a copy of a valid user's thumbprint.
The control against this attack involves ensuring a live thumb was
used for the submission. That can be done by physically controlling
the thumb reader, for instance having a guard at the reader to make
sure no tampering or fake thumbs are used. In remote entry
situations, logical liveness tests can be performed to verify that
the submitted data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find, and it is even more difficult to use one to fool a system
into improperly authenticating.
Attacks against system tuning also exist. Any biometric system
has rates at which it will falsely accept a reading and falsely
reject a reading. The two rates are inseparable; for any given
system improving one worsens the other. Systems that are tuned to
maximize user convenience typically have low rates of false
rejection and high rates of false acceptance. Those systems may be
more open to successful attack.
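The false-accept/false-reject trade-off described above can be made concrete by sweeping the decision threshold of a matcher over genuine and impostor match scores. The following is an added example, not text or code from the FFIEC booklet; the score distributions are constructed (roughly Gaussian, genuine scores clustering high, impostor scores clustering low) and do not describe any real biometric product. It shows that for a fixed matcher, raising the threshold can only lower FAR while raising FRR, and it locates the equal-error operating point.

```python
"""Threshold tuning in a biometric matcher: false accept vs. false reject.

Added example with constructed data. A matcher returns a similarity
score in [0, 1]; the system accepts when score >= threshold.
"""
import random


def simulate_scores(n_genuine=2000, n_impostor=2000, seed=7):
    """Constructed score samples (assumption: roughly Gaussian).
    Genuine comparisons (same person) cluster high; impostor comparisons
    (different people) cluster low, with overlap in the middle."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.75, 0.10)) for _ in range(n_genuine)]
    impostor = [clamp(rng.gauss(0.40, 0.12)) for _ in range(n_impostor)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at a given decision threshold.
    FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=101):
    """Rows of (threshold, FAR, FRR) for thresholds 0.0 .. 1.0."""
    rows = []
    for i in range(steps):
        t = i / (steps - 1)
        far, frr = error_rates(genuine, impostor, t)
        rows.append((t, far, frr))
    return rows


def tradeoff_holds(table):
    """The booklet's claim for a fixed matcher: raising the threshold never
    increases FAR and never decreases FRR. True if both hold across the sweep."""
    for (_, far_a, frr_a), (_, far_b, frr_b) in zip(table, table[1:]):
        if far_b > far_a or frr_b < frr_a:
            return False
    return True


def equal_error_threshold(table):
    """Row (threshold, FAR, FRR) where FAR and FRR are closest: the EER point."""
    return min(table, key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    g, i = simulate_scores()
    table = sweep(g, i)
    # A convenience-tuned (low) threshold versus a security-tuned (high) one.
    for t in (0.40, 0.50, 0.60, 0.70):
        far, frr = error_rates(g, i, t)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    t_eer, far, frr = equal_error_threshold(table)
    print(f"EER point: threshold={t_eer:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("tradeoff holds across sweep:", tradeoff_holds(table))
```

A system tuned for convenience sits at the low end of the sweep (FAR around one half on this data, FRR near zero); one tuned for security sits at the high end. Lowering both rates at once requires a better matcher or a characteristic with more degrees of freedom, not a different threshold.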
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
16.4.2 Maintaining Authentication
16.5 Interdependencies
There are many interdependencies among I&A and other controls.
Several of them have been discussed in the chapter.
Logical Access Controls. Access controls are needed to
protect the authentication database. I&A is often the basis for
access controls. Dial-back modems and firewalls, discussed in
Chapter 17, can help prevent hackers from trying to log in.
Audit. I&A is necessary if an audit log is going to be used
for individual accountability.
Cryptography. Cryptography provides two basic services to
I&A: it protects the confidentiality of authentication data, and it
provides protocols for proving knowledge and/or possession of a
token without having to transmit data that could be replayed to gain
access to a computer system.
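The second service named above, proving possession of a secret without transmitting anything replayable, is what a challenge-response protocol provides. The following is an added example, not code or text from the NIST Handbook; it assumes a symmetric shared key (the constructed value SHARED_KEY) and uses HMAC-SHA256 over a fresh random nonce as the proof. It shows a legitimate login, a replay of a captured response against a new challenge, and a login with the wrong key, with the server side consuming each challenge exactly once.

```python
"""Challenge-response authentication: possession of a key without replay.

Added example. Both parties hold a shared key; the server issues a fresh
random challenge per attempt and the client returns HMAC-SHA256(key,
challenge). The key never crosses the wire, and a response recorded by an
eavesdropper is bound to a nonce that is never issued again.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo; in practice provisioned per user or token.
SHARED_KEY = b"demo-shared-key-not-for-production"
WRONG_KEY = b"attacker-guess"


class Server:
    """Holds the shared key and at most one outstanding challenge per session."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = {}  # session id -> nonce awaiting a response

    def issue_challenge(self, session: str) -> bytes:
        nonce = secrets.token_bytes(32)  # unpredictable, never reused
        self._outstanding[session] = nonce
        return nonce

    def verify(self, session: str, response: bytes) -> bool:
        nonce = self._outstanding.pop(session, None)  # single use, even on failure
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Client proves it holds `key` for this specific challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def legitimate_login(server: Server, session: str = "alice") -> bool:
    challenge = server.issue_challenge(session)
    return server.verify(session, client_respond(SHARED_KEY, challenge))


def wrong_key_login(server: Server, session: str = "mallory") -> bool:
    challenge = server.issue_challenge(session)
    return server.verify(session, client_respond(WRONG_KEY, challenge))


def replay_attack(server: Server) -> bool:
    """Eavesdropper records one full exchange, then replays the response.
    Returns True only if the replay is accepted (it must not be)."""
    challenge = server.issue_challenge("victim")
    captured = client_respond(SHARED_KEY, challenge)
    if not server.verify("victim", captured):
        raise RuntimeError("the genuine exchange itself should succeed")
    # Later: the attacker opens a session and is issued a different nonce.
    server.issue_challenge("attacker")
    return server.verify("attacker", captured)


def second_use_of_challenge(server: Server) -> bool:
    """A valid response may not be submitted twice for the same session."""
    challenge = server.issue_challenge("bob")
    response = client_respond(SHARED_KEY, challenge)
    first = server.verify("bob", response)
    second = server.verify("bob", response)  # nonce already consumed
    return first and not second


if __name__ == "__main__":
    srv = Server(SHARED_KEY)
    print("legitimate login accepted:", legitimate_login(srv))
    print("wrong-key login accepted:", wrong_key_login(srv))
    print("replayed response accepted:", replay_attack(srv))
    print("challenge is single-use:", second_use_of_challenge(srv))
```

Contrast this with a static password sent over the wire: the captured bytes are the credential, so a sniffer can present them unchanged. Here the captured bytes are only valid for one nonce the server will never issue again, which is the property the Handbook refers to.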
16.6 Cost Considerations
In general, passwords are the least expensive authentication
technique and generally the least secure. They are already embedded
in many systems. Memory tokens are less expensive than smart tokens,
but have less functionality. Smart tokens with a human interface do
not require readers, but are more inconvenient to use. Biometrics
tends to be the most expensive.
For I&A systems, the cost of administration is often
underestimated. Just because a system comes with a password system
does not mean that using it is free. For example, there is
significant overhead to administering the I&A system
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.