October 25, 2020
Please stay safe - We will recover.
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - Thanks to all community bankers - On October 6, 2020, the Independent Bankers Association of Texas awarded me (R. Kinney Williams) the 2020 President's Award for 57 years of dedicated service to the banking industry as a bank examiner, banker, and independent bank auditor. I want to express my sincere gratitude to IBAT and community bankers for this outstanding recognition.
FYI - Phishing fears cause workers to reject genuine business communications - COVID-19 contact tracers are reportedly having difficulties alerting individuals who have been exposed to the coronavirus, because some of the people they are calling refuse to answer out of concern they are being scammed.
https://www.scmagazine.com/home/email-security/phishing-fears-cause-workers-to-reject-genuine-business-communications/
State CIOs face same cyber issues as corporate peers, with budget constraints - States must focus more on digital modernization and improve the role of CISOs, and the cyber issues they face mirror those of a broad array of industries.
https://www.scmagazine.com/home/government/state-cios-face-same-cyber-issues-as-corporate-peers-with-budget-constraints/
Why it's time to prioritize communications security - Every once in a while, something happens where you throw your hands up and say: "That's what I've been saying!" No, it wasn't when NFL analysts predicted that my Dallas Cowboys will play well this year. Instead, it was when I read a story about how over the summer, hackers took control of various Twitter accounts and went on an embarrassing joyride.
https://www.scmagazine.com/perspectives/why-its-time-to-prioritize-communications-security/
How to use psychology to prevent employee mistakes that lead to breaches - We can all admit that 2020 has been a stressful year. But how have these increased levels of stress impacted cybersecurity at businesses across the country?
https://www.scmagazine.com/perspectives/how-companies-can-use-psychology-to-prevent-employee-mistakes-that-lead-to-breaches/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Barnes & Noble confirms cyberattack, suspected customer data breach - The bookseller's security incident also impacted Nook services. The US bookseller stocks over one million titles at any one time for distribution worldwide. As ebooks emerged as an alternative to traditional literature, in 2009, the company launched the Nook service, an ebook reader and storage platform.
https://www.zdnet.com/article/barnes-noble-confirms-cyberattack-customer-data-breach/
Cyber-Attack on Mississippi Schools Costs $300,000 - A Mississippi school district has voted to pay $300,000 to recover files that were encrypted during a suspected ransomware attack.
https://www.infosecurity-magazine.com/news/cyberattack-on-mississippi-schools/
B&N cyberattack calls into question the retailer's business segmentation practices - An apparent ransomware infection at Barnes & Noble, which spread from the retailer's corporate systems to its stores, has led to speculation over whether a lack of business segmentation could have assisted the malware's propagation.
https://www.scmagazine.com/home/security-news/bn-cyberattack-calls-into-question-the-retailers-business-segmentation-practices/
WEB SITE COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various
levels of security. For instance, packet filters, sometimes
implemented as screening routers, permit or deny access based solely
on the stated source and/or destination IP address and the
application (e.g., FTP). However, addresses and applications can be
easily falsified, allowing attackers to enter systems. Other types
of firewalls, such as circuit-level gateways and application
gateways, actually have separate interfaces with the internal and
external (Internet) networks, meaning no direct connection is
established between the two networks. A relay program copies all
data from one interface to another, in each direction. An even
stronger firewall, a stateful inspection gateway, not only examines
data packets for IP addresses, applications, and specific commands,
but also provides security logging and alarm capabilities, in
addition to historical comparisons with previous transmissions for
deviations from normal context.
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
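The two firewall designs described above (a packet filter that trusts the stated addresses and application, versus a stateful inspection gateway with separate inside and outside interfaces that hides inside addresses behind the firewall's own address and logs what it denies) can be seen side by side in the following simulation. This is an added example, not code from the newsletter or the FDIC paper; every address, port, rule and packet in it is constructed (the 10.0.0.0/24, 203.0.113.x and 198.51.100.x ranges are documentation ranges), and the class and function names are the author's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges); not from the newsletter.
INTERNAL_NET = ip_network("10.0.0.0/24")   # the institution's inside network
FIREWALL_IP = "203.0.113.1"                # the firewall's own public address


@dataclass(frozen=True)
class Packet:
    """The header fields a firewall reads: where the packet is from, where it is
    going, and which application (port) it carries."""
    iface: str          # interface it arrived on: "int" (inside) or "ext" (Internet)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN: the packet opens a new connection


# Screening-router rules: (src_net, dst_net, proto, dport, action), first match wins.
STATELESS_RULES = [
    (INTERNAL_NET, ip_network("0.0.0.0/0"), "tcp", 443, "allow"),  # inside hosts may reach HTTPS
]


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: decides solely on the stated addresses and application.
    It has no notion of which interface the packet came from or of prior traffic,
    so a forged inside source address is taken at face value."""
    for src_net, dst_net, proto, dport, action in STATELESS_RULES:
        if (ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net
                and pkt.proto == proto and pkt.dport == dport):
            return action
    return "deny"


class StatefulGateway:
    """Stateful inspection gateway with two interfaces: remembers connections opened
    from inside, admits only their replies, rejects packets that claim an inside
    source on the outside interface, rewrites outbound sources to FIREWALL_IP so
    no inside address is passed to the outside, and logs every denial."""

    def __init__(self):
        self.state = set()   # (src, sport, dst, dport, proto) as seen on the Internet side
        self.nat = {}        # (sport, dst, dport, proto) -> original inside address
        self.log = []

    def process(self, pkt: Packet):
        """Return (verdict, packet as forwarded or None)."""
        if pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL_NET:
            self.log.append(f"ALARM: inside address {pkt.src} arrived on external interface")
            return "deny", None
        if pkt.iface == "int":
            if stateless_filter(pkt) != "allow":
                self.log.append(f"deny outbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return "deny", None
            if pkt.syn or pkt.proto == "udp":
                self.state.add((FIREWALL_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                self.nat[(pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = pkt.src
            return "allow", replace(pkt, src=FIREWALL_IP)   # inside address hidden
        # External interface: admit only replies to connections opened from inside.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            inside = self.nat[(pkt.dport, pkt.src, pkt.sport, pkt.proto)]
            return "allow", replace(pkt, dst=inside)          # translate back
        self.log.append(f"deny unsolicited inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "deny", None


def demo():
    """Run constructed packets through both designs and return the decisions."""
    gw = StatefulGateway()
    client_syn = Packet("int", "10.0.0.5", "198.51.100.7", "tcp", 51000, 443, syn=True)
    reply = Packet("ext", "198.51.100.7", FIREWALL_IP, "tcp", 443, 51000)
    spoofed = Packet("ext", "10.0.0.5", "10.0.0.9", "tcp", 40000, 443, syn=True)
    unsolicited = Packet("ext", "198.51.100.9", FIREWALL_IP, "tcp", 443, 51000)

    out = {}
    out["stateless_spoofed"] = stateless_filter(spoofed)      # trusts the forged address
    out["stateless_reply"] = stateless_filter(reply)          # cannot recognise a reply
    out["stateful_spoofed"] = gw.process(spoofed)[0]
    verdict, fwd = gw.process(client_syn)
    out["stateful_syn"] = (verdict, fwd.src)
    verdict, fwd = gw.process(reply)
    out["stateful_reply"] = (verdict, fwd.dst)
    out["stateful_unsolicited"] = gw.process(unsolicited)[0]
    out["alarms"] = sum(entry.startswith("ALARM") for entry in gw.log)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} {decision}")
```

Running `demo()` shows the contrast the FDIC text draws: the address-only filter admits the packet with a forged inside source and at the same time cannot admit a legitimate reply without a broad inbound rule, whereas the stateful gateway raises an alarm on the forged address, forwards the outbound connection with the firewall's own address as source, translates the matching reply back to the inside host, and denies and logs the unsolicited inbound packet.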
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.1.3 Side Benefits
Finally, establishing an incident handling capability helps an
organization in perhaps unanticipated ways. Three are discussed
here.
Uses of Threat and Vulnerability Data. Incident handling
can greatly enhance the risk assessment process. An incident
handling capability will allow organizations to collect threat data
that may be useful in their risk assessment and safeguard selection
processes (e.g., in designing new systems). Incidents can be logged
and analyzed to determine whether there is a recurring problem (or
if other patterns are present, as are sometimes seen in hacker
attacks), which would not be noticed if each incident were only
viewed in isolation. Statistics on the numbers and types of
incidents in the organization can be used in the risk assessment
process as an indication of vulnerabilities and threats.
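The analysis the Handbook describes, logging incidents and looking for recurring problems and for statistics on the numbers and types of incidents, is easy to do once reports are captured in a structured form. The following is an added example, not from the Handbook or the newsletter: the incident records, the categories and the 90-day/three-incident threshold are all constructed, and the function names are the author's own.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed incident log, as it might be collected through the reporting channel.
# Fields: date reported, category, affected system, outcome. Not real data.
INCIDENTS = [
    {"date": "2020-07-02", "category": "phishing", "system": "email", "outcome": "reported by user"},
    {"date": "2020-07-19", "category": "malware", "system": "ws-finance-03", "outcome": "contained"},
    {"date": "2020-08-05", "category": "phishing", "system": "email", "outcome": "credentials entered"},
    {"date": "2020-08-21", "category": "phishing", "system": "email", "outcome": "reported by user"},
    {"date": "2020-09-10", "category": "malware", "system": "ws-finance-03", "outcome": "contained"},
    {"date": "2020-09-28", "category": "unauthorized access", "system": "vpn", "outcome": "blocked"},
    {"date": "2020-10-14", "category": "malware", "system": "ws-finance-03", "outcome": "reimaged"},
]


def parse(records):
    """Convert the ISO date strings into date objects; everything else is kept."""
    return [dict(r, date=date.fromisoformat(r["date"])) for r in records]


def category_stats(incidents):
    """Numbers and types of incidents: the statistic the Handbook says feeds the
    risk assessment as an indication of vulnerabilities and threats."""
    return dict(Counter(i["category"] for i in incidents))


def recurring(incidents, window_days=90, threshold=3):
    """Flag (category, system) pairs with at least `threshold` incidents inside
    any `window_days` span. Each of these incidents looks routine on its own;
    the pattern only appears when they are analysed together."""
    by_key = defaultdict(list)
    for i in incidents:
        by_key[(i["category"], i["system"])].append(i["date"])
    flagged = {}
    for key, dates in by_key.items():
        dates.sort()
        for start in range(len(dates)):          # slide a window over the sorted dates
            end = start
            while end + 1 < len(dates) and (dates[end + 1] - dates[start]).days <= window_days:
                end += 1
            if end - start + 1 >= threshold:
                flagged[key] = end - start + 1
                break
    return flagged


def training_signals(incidents):
    """Phishing outcomes split by whether the user reported or fell for the lure,
    which is the kind of evidence trainers can use to target awareness material."""
    phishing = [i for i in incidents if i["category"] == "phishing"]
    reported = sum(i["outcome"] == "reported by user" for i in phishing)
    return {"phishing_total": len(phishing), "reported_by_user": reported}


if __name__ == "__main__":
    data = parse(INCIDENTS)
    print("by category:", category_stats(data))
    print("recurring:", recurring(data))
    print("training:", training_signals(data))
```

On the constructed log, `recurring()` flags the repeated malware on one finance workstation and the run of phishing against the mail system, both of which a ticket-by-ticket view would treat as three unrelated closed cases; the threshold and window are parameters so an organization can set them to its own incident volume.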
Enhancing Internal Communications and Organization Preparedness.
Organizations often find that an incident handling capability
enhances internal communications and the readiness of the
organization to respond to any type of incident, not just computer
security incidents. Internal communications will be improved;
management will be better organized to receive communications; and
contacts within public affairs, legal staff, law enforcement, and
other groups will have been preestablished. The structure set up for
reporting incidents can also be used for other purposes.
Enhancing the Training and Awareness Program. The
organization's training process can also benefit from incident
handling experiences. Based on incidents reported, training
personnel will have a better understanding of users' knowledge of
security issues. Trainers can use actual incidents to vividly
illustrate the importance of computer security. Training that is
based on current threats and controls recommended by incident
handling staff provides users with information more specifically
directed to their current needs -- thereby reducing the risks to the
organization from incidents.
12.2 Characteristics of a Successful Incident Handling
Capability
A successful incident handling capability has several core
characteristics:
1) an understanding of the constituency it will serve;
2) an educated constituency;
3) a means for centralized communications;
4) expertise in the requisite technologies; and
5) links to other groups to assist in incident handling (as needed).
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.