October 18, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b); the penetration test also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience
testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner with
years of IT auditing experience. Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI
- Thanks to all community bankers - On October 6, 2020, the
Independent Bankers Association of Texas awarded me (R. Kinney
Williams) the 2020 President's Award for 57 years of dedicated
service to the banking industry as a bank examiner, banker, and
independent bank auditor. I want to express my sincere gratitude to
IBAT and community bankers for this outstanding recognition.
FYI
- Negligent data center shutdowns bring $60 million fine for Morgan
Stanley - Investment bank Morgan Stanley is paying a $60 million
fine to the U.S. government for mishandling the decommissioning of
two data centers in 2016, and potentially exposing customer
information.
https://www.cyberscoop.com/morgan-stanley-data-center-fine/
Companies opting out of DHS threat-sharing platform call for better
data - Since its inception in 2016, the Department of Homeland
Security’s threat-sharing platform has been plagued by a lack of
participation from public and private organizations alike.
https://www.scmagazine.com/home/security-news/companies-that-opt-out-of-dhs-threat-sharing-platform-call-for-better-data/
H&M not alone: Companies often fall short in privacy protections for
employees - German regulators fined Swedish apparel retailer H&M
Group roughly $41.5 million for gratuitously collecting personal
data on its employees at a company service center in Nuremberg –
sending a clear message to all businesses that privacy guidelines
extend to their own workforce.
https://www.scmagazine.com/home/security-news/hm-not-alone-companies-often-fall-short-in-privacy-protections-to-employees/
Maryland to Bridge Cybersecurity Workforce Gap with Groundbreaking
Bachelor's Degree Program - The Maryland Higher Education Commission
has approved a groundbreaking professional cybersecurity bachelor's
degree – the Bachelor of Professional Studies in Applied
Cybersecurity (BACS) to be granted by the SANS Technology Institute
(SANS.edu), a regionally accredited college in Maryland.
https://www.prnewswire.com/news-releases/maryland-to-bridge-cybersecurity-workforce-gap-with-groundbreaking-bachelors-degree-program-301143792.html
Here are the questions Congress asks after a ransomware attack -
Such is the case for Universal Health Services. In a letter today,
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va.,
wrote to UHS Chairman and CEO Alan B. Miller to express “grave
concerns” about a ransomware attack late last month and request more
information on the company’s cybersecurity posture prior to the
breach.
https://www.scmagazine.com/home/security-news/here-are-the-questions-congress-asks-after-a-ransomware-attack/
Security Automation: when, why, and how - IT automation started out
with administrators making simple tools that would help them
accomplish the same task again and again. Today, IT automation has
grown into its own industry, as there has been an increasing need to
meet the growth of IT itself.
https://www.scmagazine.com/perspectives/security-automation-when-why-and-how/
APT Actors Chaining Vulnerabilities Against SLTT, Critical
Infrastructure, and Elections Organizations - CISA has recently
observed advanced persistent threat (APT) actors exploiting multiple
legacy vulnerabilities in combination with a newer privilege
escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The
commonly used tactic, known as vulnerability chaining, exploits
multiple vulnerabilities in the course of a single intrusion to
compromise a network or application.
https://us-cert.cisa.gov/ncas/alerts/aa20-283a
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Massachusetts school district shut down by ransomware attack - The
Springfield Public Schools district in Massachusetts has become the
victim of a ransomware attack that has caused the closure of schools
while they investigate the cyberattack.
https://www.bleepingcomputer.com/news/security/massachusetts-school-district-shut-down-by-ransomware-attack/
Wisepay 'outage' is actually the school meal payments biz trying to
stop an intruder from stealing customer card details - We pulled
entire website to halt attack, says spokesman - UK cashless school
payments firm Wisepay has pulled its website offline after spotting
a miscreant trying to spoof its card payment page.
https://www.theregister.com/2020/10/07/wisepay_outage_was_cyber_attack/
UHS RECOVERING FROM MALWARE INFECTION - A week after a malware
infection hit the networks of Universal Health Services, which
operates more than 400 facilities in the U.S., the company has
restored much of its network operations and is in the process of
reconnecting many of its applications.
https://duo.com/decipher/uhs-recovering-from-malware-infection
Largest cruise line operator Carnival confirms ransomware data theft
- Carnival Corporation, the world's largest cruise line operator,
has confirmed that the personal information of customers, employees,
and ship crews was stolen during an August ransomware attack.
https://www.bleepingcomputer.com/news/security/largest-cruise-line-operator-carnival-confirms-ransomware-data-theft/
Hackers post stolen information from Fairfax school district -
Hackers who launched a ransomware attack on the Fairfax County
Public Schools computer system last month obtained personal
information about students and employees and posted it on the
Internet, school district officials acknowledged Friday in a letter
emailed to parents and employees and posted on the district’s
website.
https://www.washingtonpost.com/local/education/hackers-post-stolen-information-from-fairfax-school-district/2020/10/10/edf5f050-0b1a-11eb-859b-f9c27abe638d_story.html
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of
credit applications by specifying that application information
entered directly into and retained by a computerized system
qualifies as a written application under this section. If an
institution makes credit application forms available through its
on-line system, it must ensure that the forms satisfy the
requirements.
The regulations also clarify the regulatory requirements that
apply when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed
between two networks which all traffic, regardless of the direction,
must pass through. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
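As an added illustration of the FDIC guidance above (not part of the
FDIC text or this newsletter), the following nftables ruleset for a
Linux firewall host applies deny-by-default, the anti-spoofing rule,
the FTP direction example and logging of denied traffic; the interface
names and the internal address range are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not from the FDIC text. Assumed layout: "eth0" faces
# the Internet, "eth1" the internal network 192.168.10.0/24; this host is the firewall.
flush ruleset

define WAN     = "eth0"
define LAN     = "eth1"
define LAN_NET = 192.168.10.0/24
# Private ranges that must never arrive from the Internet as a source
# address; a packet that does is the IP spoofing case in the text.
define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    chain input {
        # Deny everything unless a rule below expressly permits it.
        type filter hook input priority 0; policy drop;
        # Anti-spoofing first: record and drop outside packets that
        # claim an internal origin.
        iifname $WAN ip saddr $PRIVATE log prefix "FW-SPOOF " drop
        iifname "lo" accept
        ct state established,related accept
        # The text's example: inbound FTP control connections permitted
        # (FTP data channels additionally need the ftp conntrack helper).
        iifname $WAN tcp dport 21 ct state new accept
        # Everything else is logged so attempted intrusions are recorded.
        log prefix "FW-DENY-IN " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $WAN ip saddr $PRIVATE log prefix "FW-SPOOF " drop
        ct state established,related accept
        # The text's example: outgoing FTP denied, and logged.
        iifname $LAN oifname $WAN tcp dport 21 log prefix "FW-FTP-OUT " drop
        # Internal hosts may reach the Internet for web traffic only.
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept
        log prefix "FW-DENY-FWD " drop
    }

    chain output {
        # The firewall host itself: replies, DNS and NTP, nothing else.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        udp dport { 53, 123 } accept
        log prefix "FW-DENY-OUT " drop
    }
}
```

Loaded with nft -f, the file is applied as one transaction, so a
malformed update leaves the previous ruleset in force rather than an
open firewall, matching the text's requirement that failure defaults
to denying access.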
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 12 -
COMPUTER SECURITY INCIDENT HANDLING
12.1.2 Preventing Future Damage
An incident handling capability also assists an organization in
preventing (or at least minimizing) damage from future incidents.
Incidents can be studied internally to gain a better understanding
of the organization's threats and vulnerabilities so more effective
safeguards can be implemented. Additionally, through outside
contacts (established by the incident handling capability) early
warnings of threats and vulnerabilities can be provided. Mechanisms
will already be in place to warn users of these risks.
The incident handling capability allows an organization to learn
from the incidents that it has experienced. Data about past
incidents (and the corrective measures taken) can be collected. The
data can be analyzed for patterns -- for example, which viruses are
most prevalent, which corrective actions are most successful, and
which systems and information are being targeted by hackers.
Vulnerabilities can also be identified in this process -- for
example, whether damage is occurring to systems when a new software
package or patch is used. Knowledge about the types of threats that
are occurring and the presence of vulnerabilities can aid in
identifying security solutions. This information will also prove
useful in creating a more effective training and awareness program
-- and thus help reduce the potential for losses. The incident
handling capability assists the training and awareness program by
providing information to users as to (1) measures that can help
avoid incidents (e.g., virus scanning) and (2) what should be done
in case an incident does occur.
Of course, the organization's attempts to prevent future losses
do not occur in a vacuum. With a sound incident handling
capability, contacts will have been established with counterparts
outside the organization. This allows for early warning of threats
and vulnerabilities that the organization may have not yet
experienced. Early preventative measures (generally more
cost-effective than repairing damage) can then be taken to reduce
future losses. Data is also shared outside the organization to allow
others to learn from the organization's experiences.
The sharing of incident data among organizations can help at both
the national and the international levels to prevent and respond to
breaches of security in a timely, coordinated manner.
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.