R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and onsite FFIEC IT Security Audits

November 12, 2023

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool requirements for resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Bank regulatory FFIEC IT audits - I perform the annual IT audits required by the regulatory agencies for banks and credit unions. I am a former bank examiner with over 30 years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

North Korea-linked BlueNoroff’s macOS malware variant targets financial firms - A new macOS malware variant attributed to BlueNoroff, a subgroup of the North Korean-backed Lazarus Group, has been observed targeting cryptocurrency exchanges, venture capital firms and banks. https://www.scmagazine.com/news/north-korea-linked-bluenoroffs-macos-malware-variant-targets-financial-firms

How cars have become the biggest threat to privacy - As industries navigate the evolving threat landscape, the need for comprehensive cybersecurity strategies has grown substantial, especially in the transportation industry. https://www.scmagazine.com/perspective/how-cars-have-become-the-biggest-threat-to-privacy

Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO - The lawsuit alleges that SolarWinds CISO Timothy Brown failed to disclose critical information regarding the massive cyberattack on the company’s software supply chain that occurred in late 2020. https://www.securityweek.com/cisos-spooked-by-sec-lawsuit-against-solarwinds-ciso/

ICE faces heat after agents install thousands of personal apps, VPNs on official phones - America's immigration cops have pushed back against an official probe that concluded their lax mobile device security potentially put sensitive government information at risk of being stolen by foreign snoops. https://www.theregister.com/2023/11/06/ice_device_security/

Cloud security still a challenge as 1 in 4 companies cite skills gap - Just about every industry today depends on the cloud to get work done, and because most companies depend on Amazon, Google and Microsoft’s cloud services, any disruption of even one of them would have a major economic impact on business and government. https://www.scmagazine.com/research-article/cloud-security-still-a-challenge-as-1-in-4-companies-cite-skills-gap

A $75M glimmer of hope for struggling cybersecurity startups - At any time, a $75 million investment fund earmarked exclusively for cybersecurity startups is impressive. https://www.scmagazine.com/news/a-75m-glimmer-of-hope-for-struggling-cybersecurity-startups

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Okta tells 5,000 of its own staff that their data was accessed in third-party breach - Okta has sent out breach notifications to almost 5,000 current and former employees, warning them that miscreants breached one of its third-party vendors and stole a file containing staff names, social security numbers, and health or medical insurance plan numbers. https://www.theregister.com/2023/11/02/okta_staff_personal_data/

Boeing confirms cyberattack amid LockBit ransomware claims - Aerospace giant Boeing is investigating a cyberattack that impacted its parts and distribution business after the LockBit ransomware gang claimed that they breached the company's network and stole data. https://www.bleepingcomputer.com/news/security/boeing-confirms-cyberattack-amid-lockbit-ransomware-claims/

ServiceNow misconfiguration went unexploited, but still cause for concern - News of a misconfiguration in ServiceNow caused great concern over the past several days because it’s estimated that 80% of Fortune 500 companies deploy ServiceNow. https://www.scmagazine.com/news/servicenow-misconfiguration-went-unexploited-but-still-cause-for-concern

Atlassian warns of exploit for Confluence data wiping bug, get patching - Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances. https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/

5 Ontario Hospitals Still Reeling From Ransomware Attack - Five regional hospitals in Ontario, Canada are operating under "Code Gray," meaning they still have no access to patients' electronic health records and other critical data nearly two weeks after an attack on their shared IT services provider. https://www.govinfosecurity.com/5-ontario-hospitals-still-reeling-from-ransomware-attack-a-23480

British, Toronto Libraries Struggle After Cyber Incidents - As the national library of the UK, the British Library has a collection of more than 150 million items, including books, films, and manuscripts. https://www.darkreading.com/attacks-breaches/british-toronto-libraries-struggle-after-cyber-incidents

Ace holed: Hardware store empire felled by cyberattack - Ace Hardware appears to have been the latest organization to succumb to a cyberattack, judging by its website and a message from CEO. https://www.theregister.com/2023/10/31/ace_hardware_cyberattack/

Okta breach linked to employee’s personal Google account - Okta said a previously disclosed breach of its backend support case management system allowed attackers to access files relating to 134 of the identity and access management (IAM) provider’s customers. https://www.scmagazine.com/news/okta-breach-linked-to-workers-personal-google-account

DDoS attack revealed as cause of online service outage at public healthcare institutions - A distributed denial-of-service (DDoS) attack has been identified as the cause of an online service outage that affected several public healthcare institutions in Singapore. https://www.zdnet.com/article/ddos-attack-revealed-as-cause-of-online-service-outage-at-public-healthcare-institutions/

American Airlines Pilot Union Recovering After Ransomware Attack - The incident, the American Airlines pilot union says, occurred on October 30 and resulted in certain systems being encrypted. https://www.securityweek.com/american-airlines-pilot-union-recovering-after-ransomware-attack


WEB SITE COMPLIANCE - We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.

INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:
    
1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.

2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.

3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.

4) A recovery plan should be established, and in some cases, an incident response team should be identified.

5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

ROLES AND RESPONSIBILITIES (1 of 2)
    
    
Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:

1)  Central oversight and coordination,
2)  Areas of responsibility,
3)  Risk measurement,
4)  Monitoring and testing,
5)  Reporting, and
6)  Acceptable residual risk.

Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.

Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment; development of policies, standards, and procedures; testing; and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS

11.2 Step 2: Identifying the Resources That Support Critical Functions

Resources That Support Critical Functions:
- Human Resources
- Processing Capability
- Computer-Based Services
- Data and Applications
- Physical Infrastructure
- Documents and Papers

11.2.1 Human Resources
 
People are perhaps an organization's most obvious resource. Some functions require the effort of specific individuals, some require specialized expertise, and some only require individuals who can be trained to perform a specific task. Within the information technology field, human resources include both operators (such as technicians or system programmers) and users (such as data entry clerks or information analysts).

11.2.2 Processing Capability

Contingency Planning Teams - To understand what resources are needed from each of the six resource categories and to understand how the resources support critical functions, it is often necessary to establish a contingency planning team. A typical team contains representatives from various organizational elements, and is often headed by a contingency planning coordinator. It has representatives from the following three groups:

1)  business-oriented groups, such as representatives from functional areas;

2)  facilities management; and

3)  technology management.

Various other groups are called on as needed, including financial management, personnel, training, safety, computer security, physical security, and public affairs.

Traditionally, contingency planning has focused on processing power (i.e., if the data center is down, how can applications dependent on it continue to be processed?). Although the need for data center backup remains vital, today's other processing alternatives are also important. Local area networks (LANs), minicomputers, workstations, and personal computers in all forms of centralized and distributed processing may be performing critical tasks.


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.