R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

November 7, 2021

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Roger Grimes says ‘quintuple extortion’ is the new ransomware reality. And it’s getting worse - In early 2020, the cybersecurity community began warning the public of the latest ransomware trend: double extortion. Extortionists would not only encrypt your data, but also steal it and threaten to publish it online. https://www.scmagazine.com/analysis/leadership/roger-grimes-says-quintuple-extortion-is-the-new-ransomware-reality-and-its-getting-worse

How can healthcare securely employ telehealth without a uniform standard? - A recent Department of Health and Human Services’ Office of the Inspector General audit revealed a number of challenges providers are facing when attempting to employ telehealth for behavioral health services, which directly impacted the providers’ ability to effectively use the platform to support patient care. https://www.scmagazine.com/feature/critical-infrastructure/how-can-healthcare-securely-employ-telehealth-without-a-uniform-standard

Launching a collaborative minimum security baseline - According to an institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties. https://security.googleblog.com/2021/10/launching-collaborative-minimum.html

Were you duped into working for a cybercriminal gang? Here’s how to tell. - It seems the actors behind the FIN7 cybercriminal group are up to their old tricks, creating the fraudulent pentesting company Bastion Secure as a front to conceal their malicious operations. https://www.scmagazine.com/analysis/cybercrime/were-you-duped-into-working-for-a-cybercriminal-gang-heres-how-to-tell

CISA starts identifying targets most necessary to protect from hacking - The Cybersecurity and Infrastructure Security Agency has begun working to map out the U.S. critical infrastructure that, if hacked, could result in serious consequences for national security and economic interests, CISA Director Jen Easterly said Friday. https://www.cyberscoop.com/sici-easterly-katko-psies-csis-cisa/

CISA warns malware could be injected into emergency comms - As state and local law enforcement agencies and public safety organizations continue to implement FirstNet, a dedicated nationwide wireless broadband network for first responders, federal agencies like the Cybersecurity and Infrastructure Security Agency are warning about the possibility of malware being injected into the information sharing process. https://www.scmagazine.com/analysis/malware/cisa-warns-15-states-that-malware-could-be-injected-into-their-emergency-comms

Mental health patients using telehealth share security, HIPAA concerns - Patients who accessed mental health services in the last year are concerned about the security of those sessions and the safety of their sensitive personal information, according to a recent survey by healthcare technology vendor DrFirst. https://www.scmagazine.com/analysis/application-security/mental-health-patients-using-telehealth-share-security-hipaa-concerns


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 'Cyber event' knocks dairy giant Schreiber Foods offline amid industry ransomware outbreak - A “cyber event” knocked plants and distribution centers offline at Schreiber Foods, a multibillion-dollar dairy company, a spokesperson told CyberScoop Wednesday. https://www.cyberscoop.com/schreiber-foods-cyber-event-ransomware-agriculture-food/

Iran Struggles to Relaunch Petrol Stations After Cyberattack - Iran struggled Wednesday to restart its petrol distribution system after it was hit by an unprecedented cyber-attack which security officials said was launched from abroad. https://www.securityweek.com/iran-struggles-relaunch-petrol-stations-after-cyberattack

UMass Memorial notifies 209K patients 8 months after data breach discovery - Nearly eight months after discovering the hack of multiple employee email accounts, UMass Memorial Health is notifying about 209,000 patients that their personal and health information was potentially compromised. https://www.scmagazine.com/analysis/breach/umass-memorial-notifies-209k-patients-8-months-after-data-breach-discovery

Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide - 12 people have been detained as part of an international law enforcement operation for orchestrating ransomware attacks on critical infrastructure and large organizations that hit over 1,800 victims across 71 countries since 2019, marking the latest action against cybercrime groups. https://thehackernews.com/2021/10/police-arrest-suspected-ransomware.html

Ransomware strikes Toronto transit system, disrupting some services - A ransomware attack on Toronto’s transit agency knocked some systems offline over the weekend, an incident that occurred days after another hack disrupted a Michigan transportation agency. https://www.cyberscoop.com/toronto-transit-commission-ann-arbor-theride-ransomware/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
    
   
Board and Management Oversight - Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)
    
    The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.
    
    Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.
    
    As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:
    
    1)  Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.
    
    2)  Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.
    
    3)  Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.
    
    4)  Authenticated e-banking sessions remain secure throughout the full duration of the session or in the event of a security lapse the session should require re-authentication.
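    The first two practices above (a tamper-evident authentication database with an audit trail, and changes accepted only from an authenticated source) can be demonstrated in code. The following is an added example written for this newsletter, not code from the Basel Committee paper; it assumes an integrity key held outside the database, PBKDF2 for password hashing, and an in-memory dictionary standing in for the database table. The names AuthDB, IntegrityError and the sample users are illustrative.

```python
"""Tamper-evident authentication database with an audit trail.

Added example, not from the Basel Committee paper or the newsletter.
Assumptions: a separate integrity key held outside the database store,
PBKDF2-HMAC-SHA256 for password hashing, and an in-memory dict as the
'table'. Class and function names are illustrative.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its seal."""


class AuthDB:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key        # held outside the database store
        self.records = {}                # username -> record dict
        self.audit_log = []              # append-only list of events

    def _seal(self, username, salt, pw_hash):
        """MAC over all record fields: a change to any one of them breaks it."""
        msg = b"|".join([username.encode(), salt, pw_hash])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _log(self, actor, action, subject, ok):
        self.audit_log.append({"ts": time.time(), "actor": actor,
                               "action": action, "subject": subject, "ok": ok})

    def add_user(self, actor, actor_authenticated, username, password):
        """Additions are accepted only from an authenticated source; refusals
        are logged as well as successes."""
        if not actor_authenticated:
            self._log(actor, "add_user", username, False)
            raise PermissionError("unauthenticated change refused")
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.records[username] = {"salt": salt, "hash": pw_hash,
                                  "seal": self._seal(username, salt, pw_hash)}
        self._log(actor, "add_user", username, True)

    def verify_integrity(self):
        """Return the usernames whose stored record has been tampered with."""
        bad = []
        for name, rec in self.records.items():
            expected = self._seal(name, rec["salt"], rec["hash"])
            if not hmac.compare_digest(expected, rec["seal"]):
                bad.append(name)
        return bad

    def check_password(self, username, password):
        rec = self.records.get(username)
        if rec is None:
            return False
        # Never authenticate against a record whose seal does not verify:
        # an attacker who can write the table could otherwise swap in a hash.
        expected = self._seal(username, rec["salt"], rec["hash"])
        if not hmac.compare_digest(expected, rec["seal"]):
            self._log(username, "login", username, False)
            raise IntegrityError(f"record for {username} has been tampered with")
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(cand, rec["hash"])
        self._log(username, "login", username, ok)
        return ok


def demo():
    """Constructed scenario: an attacker with write access to the table
    replaces alice's hash with one for a password they know."""
    db = AuthDB(integrity_key=secrets.token_bytes(32))
    db.add_user("admin", True, "alice", "correct horse battery")
    salt = db.records["alice"]["salt"]
    db.records["alice"]["hash"] = hashlib.pbkdf2_hmac("sha256", b"attacker", salt, PBKDF2_ROUNDS)
    return db


if __name__ == "__main__":
    tampered = demo()
    print("tampered records:", tampered.verify_integrity())
```

    The seal key must not live in the same store as the records, otherwise whoever can rewrite a hash can also recompute its seal; in practice it belongs in an HSM or a secrets manager the database account cannot read.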


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   

   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
   
   
Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)
   
   Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.
   
   Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware- or software-based keystroke capture mechanisms. PKI private keys could be captured or reverse-engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.
   
   Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.
   
   Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

 Chapter 17 - LOGICAL ACCESS CONTROL
 
 17.1.1 Identity
 

 It is probably fair to say that the majority of access controls are based upon the identity of the user (either human or process), which is usually obtained through identification and authentication (I&A). The identity is usually unique, to support individual accountability, but can be a group identification or can even be anonymous. For example, public information dissemination systems may serve a large group called "researchers" in which the individual researchers are not known.
 
 17.1.2 Roles
 
 Access to information may also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access. Examples of roles include data entry clerk, purchase officer, project leader, programmer, and technical editor. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. An individual may be authorized for more than one role, but may be required to act in only a single role at a time. Changing roles may require logging out and then in again, or entering a role-changing command. Note that use of roles is not the same as shared-use accounts. An individual may be assigned a standard set of rights of a shipping department data entry clerk, for example, but the account would still be tied to that individual's identity to allow for auditing.
 
 The use of roles can be a very effective way of providing access control. The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
 
 Many systems already support a small number of special-purpose roles, such as System Administrator or Operator. For example, an individual who is logged on in the role of a System Administrator can perform operations that would be denied to the same individual acting in the role of an ordinary user.
 
 Recently, the use of roles has been expanded beyond system tasks to application-oriented activities. For example, a user in a company could have an Order Taking role, and would be able to collect and enter customer-billing information, check on availability of particular items, request shipment of items, and issue invoices. In addition, there could be an Accounts Receivable role, which would receive payments and credit them to particular invoices. A Shipping role could then be responsible for shipping products and updating the inventory. To provide additional security, constraints could be imposed so a single user would never be simultaneously authorized to assume all three roles. Constraints of this kind are sometimes referred to as separation of duty constraints.
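 The role mechanics in 17.1.2 (rights grouped by role, a user authorized for several roles but acting in one at a time, an explicit role-changing command, decisions logged against the individual identity, and a separation-of-duty constraint over the Order Taking, Accounts Receivable and Shipping roles) can be demonstrated in a small policy engine. The following is an added example written for this newsletter, not code from the NIST Handbook. It assumes an in-memory policy, permissions named as "resource:action" strings, and a separation-of-duty rule expressed as a set of roles of which a user may hold at most a given number (it generalizes the handbook's "never all three" to "at most N of these"); the RBAC class and the sample users are illustrative.

```python
"""Role-based access control with one active role at a time and
separation-of-duty constraints, after NIST Handbook section 17.1.2.

Added example, not code from the NIST Handbook or the newsletter.
Assumptions: in-memory policy, permissions as 'resource:action' strings,
separation of duty as 'at most N of these roles per user'. Names are
illustrative.
"""


class RBAC:
    def __init__(self):
        self.role_perms = {}      # role -> set of permissions
        self.user_roles = {}      # user -> set of roles the user may assume
        self.active = {}          # user -> the single role currently active
        self.sod_rules = []       # (frozenset of roles, max a user may hold)
        self.audit = []           # (user, active role, permission, decision)

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_sod_rule(self, roles, max_held=None):
        """Static separation of duty. Default: a user may hold all but one of
        the listed roles (the handbook's 'never all three'); max_held=1 makes
        the roles mutually exclusive."""
        roles = frozenset(roles)
        if max_held is None:
            max_held = len(roles) - 1
        self.sod_rules.append((roles, max_held))

    def authorize_role(self, user, role):
        """Grant the right to assume a role, refusing grants that would breach
        a separation-of-duty rule."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set()) | {role}
        for roles, max_held in self.sod_rules:
            if len(held & roles) > max_held:
                raise ValueError(f"separation of duty: {user} may hold at most "
                                 f"{max_held} of {sorted(roles)}")
        self.user_roles[user] = held

    def activate(self, user, role):
        """The explicit role-changing command: only one role is active at a
        time, and only roles the user was authorized for can be activated."""
        if role not in self.user_roles.get(user, ()):
            raise PermissionError(f"{user} is not authorized for role {role}")
        self.active[user] = role

    def check(self, user, permission):
        """Decide on the active role, but log against the individual identity,
        which is what distinguishes roles from a shared-use account."""
        role = self.active.get(user)
        allowed = role is not None and permission in self.role_perms[role]
        self.audit.append((user, role, permission, allowed))
        return allowed


def demo():
    """Constructed policy for the handbook's order/receivables/shipping example."""
    p = RBAC()
    p.define_role("OrderTaking", {"customer:enter_billing", "inventory:check",
                                  "shipment:request", "invoice:issue"})
    p.define_role("AccountsReceivable", {"payment:receive", "invoice:credit"})
    p.define_role("Shipping", {"shipment:ship", "inventory:update"})
    p.add_sod_rule({"OrderTaking", "AccountsReceivable", "Shipping"})
    p.authorize_role("carol", "OrderTaking")
    p.authorize_role("carol", "AccountsReceivable")
    try:
        p.authorize_role("carol", "Shipping")     # would give carol all three
        blocked = False
    except ValueError:
        blocked = True
    p.activate("carol", "OrderTaking")
    return {"sod_blocked": blocked,
            "issue_invoice": p.check("carol", "invoice:issue"),
            "receive_payment": p.check("carol", "payment:receive"),
            "audit_actor": p.audit[-1][0],
            "policy": p}


if __name__ == "__main__":
    r = demo()
    print({k: v for k, v in r.items() if k != "policy"})
```

 With the pairwise form (max_held=1) the same engine enforces the stricter rule many institutions apply to payment initiation and approval; the grant is refused at authorization time, so there is no window in which a user quietly holds both halves of a transaction.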


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.