R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 10, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the FFIEC Cybersecurity Assessment Tool requirements regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI - At least 13 managed service providers were used to push ransomware this year - Once hackers compromise an MSP's network, they can use its remote access tools to deploy ransomware to hundreds of companies and thousands of computers. https://www.zdnet.com/article/at-least-13-managed-service-providers-were-used-to-push-ransomware-this-year/

Ransomware attack on TrialWorks is one of 13 on MSPs and cloud-service providers in 2019 - Law firms using case management software from TrialWorks found themselves unable to access their legal documents after the third-party service provider was hit with a ransomware attack earlier this month. https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-on-trialworks-is-one-of-13-on-msps-and-cloud-service-providers-in-2019/

This woman who delivered flowers to your office was a hacker. Did you let her in? - She may have cheerfully strolled into your company’s reception area holding a gift basket and a USB drive with a special message from the sender. https://www.scmagazine.com/home/security-news/podcasts/this-woman-who-delivered-flowers-to-your-office-was-a-hacker-did-you-let-her-in/

Selecting a managed security service - Increasingly complex IT infrastructures, higher cloud adoption rates, and a myriad of endpoints resulting from an onslaught of connected devices and sensors are driving the need for managed security services. https://www.scmagazine.com/home/opinion/executive-insight/selecting-a-managed-security-service/

NCR blocked Mint, Quickbooks after attackers take over, drain accounts - For a short while starting late last month NCR Corp. blocked Mint and QuickBooks from its Digital Insight banking platform after cybercriminals used the financial data aggregators' sites to take over and tap consumer bank accounts. https://www.scmagazine.com/home/security-news/ncr-blocked-mint-quickbooks-after-attackers-take-over-drain-accounts/

Canadian Public-Private Partnership Launches National Cyber Manpower Program - The Accelerated Cybersecurity Training Program - Our Program is a 20-week intensive cybersecurity training and certification program designed to give promising learners from diverse backgrounds the skills they need to launch careers in the cybersecurity sector. https://www.ryerson.ca/cybersecure-catalyst/training-program/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Web.com discloses breach affecting customer account info - Domain name registration and web development services provider Web.com has disclosed a recent data breach that impacts users’ account information, and apparently also affects customers of its Network Solutions and Register.com brands. https://www.scmagazine.com/home/security-news/data-breach/web-com-discloses-breach-affecting-customer-account-info/

Ontario Science Centre’s marketing firm hit with breach, 174K affected - A third-party email vendor for the Ontario Science Centre suffered a data breach exposing some PII of 174,000 of the Centre’s members, donors and customers. https://www.scmagazine.com/home/security-news/data-breach/ontario-science-centres-marking-firm-hit-with-breach-174k-affected/

Bed Bath & Beyond declares data incident - Home goods retailer Bed Bath & Beyond yesterday disclosed in a Securities & Exchange Commission 8-K filing that an unauthorized third party illegally accessed one percent of its online customers’ accounts. https://www.scmagazine.com/home/security-news/cybercrime/bed-bath-beyond-declares-data-incident/

Indian nuclear power plant’s network was hacked, officials confirm - The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware attributed by others to North Korean state actors had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP). https://arstechnica.com/information-technology/2019/10/indian-nuclear-power-company-confirms-north-korean-malware-attack/

Cyber-attack hits Utah wind and solar energy provider - First-of-its-kind attack to hit a renewable energy provider. Also the first cyber-attack to disconnect a US power grid operator from its power generation station. https://www.zdnet.com/article/cyber-attack-hits-utah-wind-and-solar-energy-provider/

Energy company hit with DoS attack last spring identified as sPower - Utah-based wind and solar energy developer sPower has been identified as the utilities company that suffered a previously reported denial of service attack that disrupted its normal business activity last March 5. https://www.scmagazine.com/home/network-security/energy-company-hit-with-dos-attack-last-spring-identified-as-spower/

Every Desjardins customer impacted by June data incident - The Canadian financial services company Desjardins now believes all 4.2 million of its members were affected by a data incident that took place earlier this year. https://www.scmagazine.com/home/security-news/insider-threats/every-desjardins-customer-impacted-by-june-data-incident/

Global Registrar Web.com Suffers Major Breach - A global internet registrar with millions of customers has admitted suffering a data breach in August which exposed user account information. https://www.infosecurity-magazine.com/news/global-registrar-webcom-suffers/

Ransomware attack delays government services in Nunavut, Canada - A ransomware attack last weekend struck the network of the Canadian territory Nunavut, severely impeding a bevy of government services that rely on access to systems and electronic files. https://www.scmagazine.com/home/government/ransomware-attack-delays-government-services-in-nunavut-canada/

Ransomware hits Spanish companies sparking WannaCry panic - Two victims reported so far: IT consultancy firm Everis and leading radio network Cadena SER. https://www.zdnet.com/article/ransomware-hits-spanish-companies-sparking-wannacry-panic/

Trend Micro hit with insider attack - Trend Micro was the target of an insider threat that saw about 100,000 of its consumer customers have their account information stolen, sold and used to make scam phone calls. https://www.scmagazine.com/home/security-news/insider-threats/trend-micro-hit-with-insider-attack/

California DMV exposed drivers’ SSN details to federal gov’t officials - For at least the last four years, the California Department of Motor Vehicles had mistakenly given seven government entities access to Social Security number information pertaining to roughly 3,200 drivers and license applicants, the state agency has admitted in a data breach notification. https://www.scmagazine.com/home/security-news/privacy-compliance/california-dmv-exposed-drivers-ssn-details-to-federal-govt-officials/


WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs.  (8 of 12)

Containment

During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.

Establish notification escalation procedures.

If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff and senior department managers with information about how containment actions will affect business operations or systems and including these individuals in the decision-making process can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.

Document details, conversations, and actions.

Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

Hardening Systems

Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and the software is installed, through a process that is referred to as hardening a system.

When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

! Determining the purpose of the system and minimum software and hardware requirements;
! Documenting the minimum hardware, software and services to be included on the system;
! Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of applications;
! Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
! Changing all default passwords; and
! Testing the resulting systems.

After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.
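Three of the hardening steps above (hashing key files, archiving the configuration and checksums in secure storage before deployment, and periodically auditing the deployed system so that only authorized, properly configured software is present) can be exercised end to end in a small tool. The following is an added example written for this newsletter; it is not taken from the FFIEC booklet and is not Yennik's audit tooling. The file names, the sample configuration contents and the HMAC key are constructed for the demonstration; in practice the key and the sealed baseline would be held off the audited host.

```python
"""Baseline-and-audit tool for a hardened host (added example, not from the FFIEC booklet)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

HASH_ALGO = "sha256"


def hash_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _abs(root, rel):
    # Baseline entries use "/" separators regardless of the host OS.
    return os.path.join(root, *rel.split("/"))


def build_baseline(root, key_files):
    """Hash each key file under root. Returns {relative_path: digest}."""
    return {rel: hash_file(_abs(root, rel)) for rel in key_files}


def seal_baseline(baseline, key):
    """Serialize the baseline and attach an HMAC so that a tampered archive is detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, HASH_ALGO).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def open_baseline(sealed, key):
    """Verify the HMAC before trusting the archived baseline; raise if it fails."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, HASH_ALGO).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline archive failed integrity check")
    return doc["baseline"]


def audit(root, baseline, allowed_extra=()):
    """Compare the live tree under root with the baseline.

    Returns modified (hash changed), missing (key file gone) and unexpected
    (file present that is neither in the baseline nor explicitly allowed)."""
    modified, missing, unexpected = [], [], []
    for rel, digest in sorted(baseline.items()):
        path = _abs(root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif hash_file(path) != digest:
            modified.append(rel)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in baseline and rel not in allowed_extra:
                unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def demo():
    """Constructed scenario: seal a baseline, then detect drift on the host and tampering of the archive."""
    key = b"demo-hmac-key-kept-in-secure-storage"  # assumption: real key lives off the audited host
    root = tempfile.mkdtemp()
    try:
        key_files = ["etc/ssh/sshd_config", "etc/named.conf", "usr/sbin/named"]
        sample = {  # constructed contents for a DNS-only server
            "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/named.conf": b"options { recursion no; };\n",
            "usr/sbin/named": b"\x7fELF-constructed-binary\n",
        }
        for rel, content in sample.items():
            path = _abs(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        sealed = seal_baseline(build_baseline(root, key_files), key)  # archived before deployment

        # Drift after deployment: a setting is weakened and an unauthorized service binary appears.
        with open(_abs(root, "etc/ssh/sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        with open(_abs(root, "usr/sbin/httpd"), "wb") as f:
            f.write(b"unexpected web server\n")
        report = audit(root, open_baseline(sealed, key))

        # Tampering with the archived baseline itself (swapping a digest) is also caught.
        doc = json.loads(sealed)
        doc["baseline"]["etc/named.conf"] = "0" * 64
        try:
            open_baseline(json.dumps(doc), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"report": report, "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC over the archive is the part that turns "archiving checksums in secure storage" into something an auditor can verify: an attacker who alters a key file and then edits the stored hash to match is caught because the tag no longer verifies. In production the key-file list would be generated from the documented minimum software inventory, and the audit scheduled as the periodic check the booklet calls for.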



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section I. Introduction & Overview
Chapter 1

INTRODUCTION - 1.4 Important Terminology

To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity. "Data integrity is a requirement that information and programs are changed only in a specified and authorized manner." System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system." The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.

Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

1.5 Legal Foundation for Federal Computer Security Programs

The executive principles discussed in the next chapter explain the need for computer security. In addition, within the federal government, a number of laws and regulations mandate that agencies protect their computers, the information they process, and related technology resources (e.g., telecommunications). The most important are listed below.

! The Computer Security Act of 1987 requires agencies to identify sensitive systems, conduct computer security training, and develop computer security plans.

! The Federal Information Resources Management Regulation (FIRMR) is the primary regulation for the use, management, and acquisition of computer resources in the federal government.

! OMB Circular A-130 (specifically Appendix III) requires that federal agencies establish security programs containing specified elements.

Note that many more specific requirements, many of which are agency specific, also exist.

Federal managers are responsible for familiarity and compliance with applicable legal requirements. However, laws and regulations do not normally provide detailed instructions for protecting computer-related assets. Instead, they specify requirements -- such as restricting the availability of personal data to authorized users. This handbook aids the reader in developing an effective, overall security approach and in selecting cost-effective controls to meet such requirements.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.