October 24, 2021
Does your financial institution need an affordable cybersecurity
Internet security audit? Yennik, Inc. has clients in 42 states that
rely on our cybersecurity audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b). The penetration test also satisfies
the FFIEC Cybersecurity Assessment Tool with regard to resilience
testing.
The cybersecurity penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit is conducted from a hacker's
perspective, which will help you identify real-world cybersecurity
weaknesses.
For more information, give R. Kinney Williams a call today at
Office/Cell 806-535-8300 or visit
http://www.internetbankingaudits.com/.
FYI - Ransomware warranties offer user
community another form of cyber insurance - Cyber insurance has
become a key risk management service for organizations bedeviled by
the constant prospect of a crippling ransomware attack. And in a
similar vein, some businesses may also now be able to further cover
themselves by engaging in a warranty agreement with cybersecurity
vendors.
https://www.scmagazine.com/analysis/cloud-security/ransomware-warranties-offer-user-community-another-form-of-cyber-insurance
Supply chain breaches negatively affect 97% of study respondents -
Nearly every company in a new survey said they were negatively
impacted by a breach in their supply chain or suffered a direct
breach as a result of supply chain weaknesses.
https://www.scmagazine.com/news/breach/supply-chain-breaches-negatively-affect-97-of-study-respondents
Ongoing Cyber Threats to U.S. Water and Wastewater Systems - This
advisory uses the MITRE Adversarial Tactics, Techniques, and Common
Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for
Enterprise for all referenced threat actor tactics and techniques.
https://us-cert.cisa.gov/ncas/alerts/aa21-287a
Thirty nations, including US, agree on principles to fight
ransomware - The 30 nations participating in a two-day White House
virtual summit on ransomware wrapped up on Thursday, producing a
joint statement on cooperation moving forward. While many of the
ideas are not new, the growing international consensus is.
https://www.scmagazine.com/analysis/policy/thirty-nations-including-us-agree-on-principles-to-fight-ransomware
Legal, procurement experts question DoJ plan to sue contractors for
cyber reporting failures - Among the flurry of cybersecurity news to
come out last week was an announcement by the Department of Justice
that it would start using the False Claims Act to go after
contractors and recipients of federal grant money who fail to report
breaches in a timely manner or knowingly misrepresent their
cybersecurity protections.
https://www.scmagazine.com/feature/breach/legal-procurement-experts-punch-holes-in-doj-plan-to-sue-contractors-for-cyber-reporting-failures
Ransomware Attack on Israeli Medical Center Raises Alarm -
Government authorities in Israel are warning healthcare sector
entities in the country of potential cyberattacks after a ransomware
attack this week on Hillel Yaffe Medical Center in the city of
Hadera.
https://www.govinfosecurity.com/ransomware-attack-on-israeli-medical-center-raises-alarm-a-17740
Sinclair Broadcast Group suffers ransomware attack, the latest
affecting media - Sinclair Broadcast Group, a major television news
and media provider, confirmed Monday that it was the victim of a
ransomware attack that “disrupted” some office and operational
networks.
https://www.cyberscoop.com/sinclair-broadcast-group-suffers-ransomware-attack-the-latest-affecting-media/
Acer hit with second cyberattack in less than a week, Taiwanese
authorities notified - The same hacker group claimed responsibility
for an attack on the company's offices in Taiwan. Acer has confirmed
yet another cyberattack on its servers in Taiwan after their offices
in India were hit less than a week ago by the same group.
https://www.zdnet.com/article/acer-hit-with-second-cyberattack-in-less-than-a-week-this-time-in-taiwan-offices/
Most health providers suffered a security incident in last year,
surveyed CISOs say - The majority of healthcare entities faced a
security incident in the last year, driven by successful phishing
attacks, malware, ransomware, hacking, and insider threats,
according to a survey of chief information security officers who are
members of The College of Healthcare Information Management
Executives and Association for Executives in Healthcare Information
Security.
https://www.scmagazine.com/analysis/critical-infrastructure/most-health-providers-suffered-a-security-incident-in-last-year-surveyed-cisos-say
Banks cautiously consider expanding automation’s role in incident
response - Banks and other financial institutions are leaning on
automation for the ingesting of voluminous data and identification
of potential threat activity, but many are still shying away from
automating actual network responses to these events - instead
relying on analysts to make those key decisions.
https://www.scmagazine.com/analysis/network-security/banks-cautiously-consider-expanding-automations-role-in-incident-response
Online financial customers slowly moving beyond passwords, report
says - The passage from passwords to other alternative or additional
forms of identity verification, especially in financial services,
has been a slow one.
https://www.scmagazine.com/analysis/data-security/online-financial-customers-slowly-moving-beyond-passwords-report-says
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Woman Allegedly Hacked Flight
School, Cleared Planes With Maintenance Issues to Fly - A
26-year-old allegedly hacked into an app used by a flight school to
manage airplanes in an attempt to get back at her former employer.
https://www.vice.com/en/article/bvzwv5/woman-allegedly-hacked-flight-school-cleared-planes-with-maintenance-issues-to-fly
The inside job: financial institution struggle to address bad actors
inside their ranks - Earlier this month, a federal grand jury
indicted three men for their alleged role in a business email
compromise scam. One of these men, charged with money laundering and
“aggravated identity theft” committed between January 2018 and March
2020 was a former employee of both TD Bank and Bank of America.
https://www.scmagazine.com/analysis/cybercrime/the-inside-job-financial-institution-struggle-to-address-bad-actors-inside-their-ranks
Passengers couldn’t fly after NHS vaccine passport went offline -
England's COVID Pass system went offline for hours on Wednesday,
causing British travelers to remain stranded at airports.
https://arstechnica.com/information-technology/2021/10/passengers-couldnt-fly-after-nhs-vaccine-passport-went-offline/
OVH hosting provider goes down during planned maintenance - OVH, the
largest hosting provider in Europe and the third-largest in the
world, went down earlier today following what looks like routing
configuration issues during planned maintenance.
https://www.bleepingcomputer.com/news/technology/ovh-hosting-provider-goes-down-during-planned-maintenance/
Trump website reportedly defaced by Turkish hacker - Multiple news
outlets reported Monday that former President Donald Trump's website
was defaced by a Turkish hacker.
https://www.scmagazine.com/news/breach/trump-website-reportedly-defaced-by-turkish-hacker
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service
providers to perform critical e-banking functions lessens bank
management's direct control. Accordingly, a comprehensive process
for managing the risks associated with outsourcing and other
third-party dependencies is necessary. This process should encompass
the third-party activities of partners and service providers,
including the sub-contracting of outsourced activities that may have
a material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive
and ongoing evaluation of outsourcing relationships and other
external dependencies, including the associated implications for the
bank's risk profile and risk management oversight abilities. Board
and senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
services.
3) The contractual accountability of all parties to the
outsourcing or partnership relationship is clearly defined. For
instance, responsibilities for providing information to and
receiving information from the service provider should be clearly
defined.
4) All outsourced e-banking systems and operations are subject
to risk management, security and privacy policies that meet the
bank's own standards.
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and
Management Oversight. Next week we will begin the series on the
principles of security controls, which include Authentication,
Non-repudiation, Data and transaction integrity, Segregation of
duties, Authorization controls, Maintenance of audit trails, and
Confidentiality of key bank information.
FFIEC IT SECURITY -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
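The detection measures described above can be illustrated with a small piece of alerting logic run over authentication logs. The following is an added example, not code from the FDIC paper or from Yennik: the SSH/syslog-style log lines are constructed for the example, and the thresholds (five failures from one source within five minutes, 07:00-19:59 as business hours, the year 2021 for lines that carry none) are assumptions chosen for illustration. It flags a password-guessing burst, a successful login that follows such a burst (the "break-in" case), and any successful login outside business hours (the "internal misuse" case an IDS would also raise for an analyst to review).

```python
"""Added example: burglar-alarm style detection over constructed SSH log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style; not real data.
SAMPLE_LOG = """\
Oct 24 03:14:01 bank-gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 24 03:14:03 bank-gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 24 03:14:05 bank-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 24 03:14:07 bank-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 24 03:14:09 bank-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 24 03:14:11 bank-gw sshd[2311]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 24 08:02:44 bank-gw sshd[4120]: Failed password for jsmith from 192.0.2.15 port 40100 ssh2
Oct 24 08:02:50 bank-gw sshd[4120]: Accepted publickey for jsmith from 192.0.2.15 port 40101 ssh2
Oct 24 23:41:10 bank-gw sshd[5001]: Accepted publickey for jsmith from 198.51.100.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = 2021                 # assumed: syslog lines carry no year
FAIL_THRESHOLD = 5              # assumed: failures from one IP inside WINDOW
WINDOW = timedelta(minutes=5)   # assumed sliding window
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 is normal working time


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect(events):
    """Return (alert_type, user, ip, timestamp) tuples, in log order."""
    alerts = []
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside WINDOW
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        window = [t for t in recent_failures[ip] if ts - t <= WINDOW]
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:        # fire once per burst
                alerts.append(("brute_force", ev["user"], ip, ts))
        else:
            # A success right after a burst of failures is the classic break-in sign.
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", ev["user"], ip, ts))
            # Valid credentials used at an odd hour may indicate misuse of an account.
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", ev["user"], ip, ts))
        recent_failures[ip] = window
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, ip, ts in run_sample():
        print(f"{ts:%H:%M:%S} {kind:<24} user={user} src={ip}")
```

On the constructed input this raises four alerts: the brute-force burst from 203.0.113.7, the root login that follows it (also off-hours), and jsmith's late-night login from a third address. The second jsmith event (one failure, then a key-based login during business hours) is correctly left alone, which is the kind of tuning that keeps an IDS from becoming noise the analysts ignore.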
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
On many multiuser systems, requirements for using (and prohibitions
against the use of) various computer resources vary considerably.
Typically, for example, some information must be accessible to all
users, some may be needed by several groups or departments, and some
should be accessed by only a few individuals. While it is obvious
that users must have access to the information they need to do their
jobs, it may also be required to deny access to non-job-related
information. It may also be important to control the kind of access
that is afforded (e.g., the ability for the average user to execute,
but not change, system programs). These types of access restrictions
enforce policy and help ensure that unauthorized actions are not
taken.
Logical access controls provide a technical means of controlling
what information users can utilize, the programs they can run, and
the modifications they can make.
Access is the ability to do something with a computer resource
(e.g., use, change, or view). Access control is the means by which
the ability is explicitly enabled or restricted in some way (usually
through physical and system-based controls). Computer-based access
controls are called logical access controls. Logical access controls
can prescribe not only who or what (e.g., in the case of a process)
is to have access to a specific system resource but also the type of
access that is permitted. These controls may be built into the
operating system, may be incorporated into applications programs or
major utilities (e.g., database management systems or communications
systems), or may be implemented through add-on security packages.
Logical access controls may be implemented internally to the
computer system being protected or may be implemented in external
devices.
The term access is often confused with authorization and
authentication.
! Access is the ability to do something with a computer resource.
This usually refers to a technical ability (e.g., read, create,
modify, or delete a file, execute a program, or use an external
connection).
! Authorization is the permission to use a computer resource.
Permission is granted, directly or indirectly, by the application or
system owner.
! Authentication is proving (to some reasonable degree) that users
are who they claim to be.
Logical access controls can help protect:
! operating systems and other system software from unauthorized
modification or manipulation (and thereby help ensure the system's
integrity and availability);
! the integrity and availability of information by restricting the
number of users and processes with access; and
! confidential information from being disclosed to unauthorized
individuals.
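The three terms the Handbook separates (access, authorization, authentication) are easiest to keep apart in working code. The following is an added example, not code from the NIST Handbook or from the newsletter: it models a directory that authenticates users, resources whose owners grant rights, and a default-deny check that decides what access a user actually gets. The users, groups, file names and passwords are constructed for the example, and the hashing parameters are illustrative choices, not a recommendation from the page. It reproduces the Handbook's own case of an average user who may execute, but not change, a system program.

```python
"""Added example: authentication vs. authorization vs. access, default deny."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# ---- Authentication: proving (to a reasonable degree) who the user is --------

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Credentials and group membership (stand-in for an OS user database)."""

    def __init__(self):
        self._creds = {}   # user -> (salt, derived key)
        self.groups = {}   # user -> set of group names

    def add_user(self, user, password, groups=()):
        salt = os.urandom(16)
        self._creds[user] = (salt, _derive(password, salt))
        self.groups[user] = set(groups)

    def authenticate(self, user, password):
        """Return the user name if the password verifies, else None."""
        if user not in self._creds:
            _derive(password, b"\x00" * 16)   # same work for unknown users
            return None
        salt, stored = self._creds[user]
        return user if hmac.compare_digest(stored, _derive(password, salt)) else None


# ---- Authorization: permission granted by the resource owner -----------------

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # "user:x" / "group:y" -> set of rights


class AccessControl:
    RIGHTS = {"read", "write", "execute"}

    def __init__(self, directory):
        self.dir = directory
        self.resources = {}

    def register(self, name, owner):
        self.resources[name] = Resource(name, owner)

    def grant(self, granter, name, principal, rights):
        """Only the owner may widen an ACL."""
        res = self.resources[name]
        if granter != res.owner:
            raise PermissionError(f"{granter} does not own {name}")
        if not set(rights) <= self.RIGHTS:
            raise ValueError(f"unknown right in {rights}")
        res.acl.setdefault(principal, set()).update(rights)

    # ---- Access: the technical ability actually afforded, default deny -------
    def check(self, user, name, right):
        res = self.resources.get(name)
        if res is None or user is None:
            return False
        if user == res.owner:
            return True
        principals = {f"user:{user}"} | {f"group:{g}" for g in self.dir.groups.get(user, ())}
        return any(right in res.acl.get(p, ()) for p in principals)


def demo():
    """Constructed bank-style setup; returns the access decisions made."""
    d = Directory()
    d.add_user("sysadmin", "correct horse battery staple")
    d.add_user("jsmith", "teller-pass-1", groups={"tellers"})
    d.add_user("aperez", "audit-pass-1", groups={"auditors"})
    ac = AccessControl(d)
    ac.register("/opt/bank/bin/ledger", owner="sysadmin")      # a system program
    ac.register("/opt/bank/data/ledger.db", owner="sysadmin")  # the data it manages
    ac.grant("sysadmin", "/opt/bank/bin/ledger", "group:tellers", {"execute"})
    ac.grant("sysadmin", "/opt/bank/bin/ledger", "group:auditors", {"execute"})
    ac.grant("sysadmin", "/opt/bank/data/ledger.db", "group:tellers", {"read", "write"})
    ac.grant("sysadmin", "/opt/bank/data/ledger.db", "group:auditors", {"read"})

    r = {}
    r["bad_password"] = d.authenticate("jsmith", "wrong")       # no principal at all
    who = d.authenticate("jsmith", "teller-pass-1")
    r["teller_execute_ledger"] = ac.check(who, "/opt/bank/bin/ledger", "execute")
    r["teller_write_ledger_binary"] = ac.check(who, "/opt/bank/bin/ledger", "write")
    r["teller_write_db"] = ac.check(who, "/opt/bank/data/ledger.db", "write")
    who = d.authenticate("aperez", "audit-pass-1")
    r["auditor_read_db"] = ac.check(who, "/opt/bank/data/ledger.db", "read")
    r["auditor_write_db"] = ac.check(who, "/opt/bank/data/ledger.db", "write")
    r["unknown_resource"] = ac.check(who, "/etc/shadow", "read")
    try:   # a non-owner cannot grant themselves more access
        ac.grant("aperez", "/opt/bank/data/ledger.db", "group:auditors", {"write"})
        r["auditor_self_grant"] = "allowed"
    except PermissionError:
        r["auditor_self_grant"] = "denied"
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<28} {v}")
```

Note the order of operations: a user who fails authentication never reaches the authorization step, and a user who authenticates still gets nothing that no owner granted. Keeping the two decisions in separate components is what makes it possible to audit "who can do what" without wading through password handling, which is the segregation the next section of the Handbook builds on.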
PLEASE NOTE: Some of the above links may have expired,
especially those from news organizations. We may have a copy of the
article, so please e-mail us at
examiner@yennik.com if we can be of assistance.