R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

November 14, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Mobile banking boom presents new risk, security concerns - Already on the rise, mobile-based financial services have spiked in the past 18 months due to the COVID-19-related lockdowns and service limitations. https://www.scmagazine.com/analysis/mobile/mobile-banking-boom-presents-new-risk-security-concerns

CMMC overhaul to change cybersecurity requirements for defense contractors - A pair of new federal regulations that were posted — and then withdrawn — from the Federal Register Thursday could bring significant changes to the Department of Defense’s Cybersecurity Maturity Model Certification program. https://www.scmagazine.com/analysis/policy/cmmc-overhaul-to-change-cybersecurity-requirements-for-defense-contractors

Qualys CEO explains how infrastructure-as-code may be the key to tackling cloud misconfigurations - Looking to make it easier for security teams to detect and remediate misconfigurations early in the development cycle, Qualys this week announced that it would add infrastructure as code (IaC) scanning to its CloudView app. https://www.scmagazine.com/analysis/cloud-security/qualys-ceo-explains-how-infrastructure-as-code-may-be-the-key-to-tackling-cloud-misconfigurations

CSA Medical Device Incident Response Playbook - This document presents a best-practices medical device incident response playbook that incorporates clinical aspects of medical device IR. https://cloudsecurityalliance.org/artifacts/csa-medical-device-incident-response-playbook/

Should companies subject employees to ransomware-specific security training? - A ransomware attack represents one of the most serious cyberthreat scenarios an organization can face, with its own unique set of prevention and response challenges. And yet, a new survey suggests that ransomware-specific security awareness training programs remain relatively uncommon. https://www.scmagazine.com/analysis/ransomware/should-companies-subject-employees-to-ransomware-specific-security-training

The fight against ransomware calls for a new backup strategy - When ransomware shut down Colonial Pipeline in May, after a week of deliberating the company finally gave in and paid the ransom. https://www.scmagazine.com/perspective/backup-and-recovery/the-fight-against-ransomware-calls-for-a-new-backup-strategy

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Popular 'coa' NPM library hijacked to steal user passwords - Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

US defense contractor Electronic Warfare hit by data breach - US defense contractor Electronic Warfare Associates (EWA) has disclosed a data breach after threat actors hacked their email system and stole files containing personal information. https://www.bleepingcomputer.com/news/security/us-defense-contractor-electronic-warfare-hit-by-data-breach/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 5: Banks should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.

Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Risk of transaction repudiation is already an issue with conventional transactions such as credit cards or securities transactions. However, e-banking heightens this risk because of the difficulties of positively authenticating the identities and authority of parties initiating transactions, the potential for altering or hijacking electronic transactions, and the potential for e-banking users to claim that transactions were fraudulently altered.

To address these heightened concerns, banks need to make reasonable efforts, commensurate with the materiality and type of the e-banking transaction, to ensure that:

1)  E-banking systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that customers fully understand the risks associated with any transactions they initiate.
2)  All parties to the transaction are positively authenticated and control is maintained over the authenticated channel.
3)  Financial transaction data are protected from alteration and any alteration is detectable.

Banking organizations have begun to employ various techniques that help establish non-repudiation and ensure confidentiality and integrity of e-banking transactions, such as digital certificates using public key infrastructure (PKI).  A bank may issue a digital certificate to a customer or counterparty to allow for their unique identification/authentication and reduce the risk of transaction repudiation. Although in some countries customers' rights to disclaim transactions are provided for in specific legal provisions, legislation has been passed in certain national jurisdictions making digital signatures legally enforceable. Wider global legal acceptance of such techniques is likely as technology continues to evolve.
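The techniques Principle 5 points to can be made concrete with a signed transaction record. The Go program below is an added example written for this newsletter, not code from the Basel Committee paper or from Yennik, Inc.; the transaction fields, account numbers and the use of Ed25519 from Go's standard library in place of a full PKI certificate are assumptions. It shows the three properties the principle lists: the customer signs a canonical encoding of the order with a key only they hold (accountability), the bank verifies it against the public key it recorded when the key was issued (authentication), and any change to the amount or the transaction id makes the stored signature fail (alteration is detectable). The retained audit entry is the bank's evidence if the customer later disputes the order.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Transaction is a constructed e-banking transfer record; the fields and
// values used below are example data, not taken from the Basel paper.
type Transaction struct {
	ID          string // unique per transaction; a reused ID is a replay
	FromAccount string
	ToAccount   string
	AmountCents int64
	Timestamp   string // RFC 3339, assigned by the bank when the order is created
}

// canonical returns one fixed byte encoding of the record. The signature
// must cover exactly these fields in exactly this order; otherwise two
// renderings of the same order could verify differently and the
// "any alteration is detectable" property would not hold.
func (t Transaction) canonical() []byte {
	return []byte(strings.Join([]string{
		"id=" + t.ID,
		"from=" + t.FromAccount,
		"to=" + t.ToAccount,
		fmt.Sprintf("amount_cents=%d", t.AmountCents),
		"ts=" + t.Timestamp,
	}, "\n"))
}

// IssueCustomerKey stands in for the bank issuing a certificate: the
// customer keeps the private key, the bank records only the public key.
func IssueCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTransaction runs on the customer's side with the key only they hold.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// VerifyTransaction is the bank's check at receipt and again in a dispute:
// it succeeds only if the record is byte-for-byte what the holder of the
// matching private key signed.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, t.canonical(), sig)
}

// AuditEntry is what the bank keeps with the order so the evidence outlives
// the transaction: the canonical bytes, the signature and the public key.
func AuditEntry(pub ed25519.PublicKey, t Transaction, sig []byte) string {
	return fmt.Sprintf("%s\npubkey=%s\nsig=%s", t.canonical(),
		hex.EncodeToString(pub), hex.EncodeToString(sig))
}

func main() {
	pub, priv, err := IssueCustomerKey()
	if err != nil {
		panic(err)
	}
	order := Transaction{ID: "TX-0001", FromAccount: "ACCT-1001",
		ToAccount: "ACCT-2002", AmountCents: 12500, Timestamp: "2021-11-14T10:00:00Z"}
	sig := SignTransaction(priv, order)
	fmt.Println("genuine order verifies:", VerifyTransaction(pub, order, sig))

	altered := order
	altered.AmountCents = 1250000 // amount changed after signing
	fmt.Println("altered order verifies:", VerifyTransaction(pub, altered, sig))
	fmt.Println(AuditEntry(pub, order, sig))
}
```

One point worth keeping in mind: a keyed hash (HMAC) shared between bank and customer would detect alteration just as well, but it gives no non-repudiation, because either side could have produced it. Only a signature made with a key the customer alone holds lets the bank show a third party who signed.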


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.1.3 Location

Access to particular system resources may also be based upon physical or logical location. For example, in a prison, all users in areas to which prisoners are physically permitted may be limited to read-only access. Changing or deleting is limited to areas to which prisoners are denied physical access. The same authorized users (e.g., prison guards) would operate under significantly different logical access controls, depending upon their physical location. Similarly, users can be restricted based upon network addresses (e.g., users from sites within a given organization may be permitted greater access than those from outside).

17.1.4 Time

Time-of-day or day-of-week restrictions are common limitations on access. For example, use of confidential personnel files may be allowed only during normal working hours -- and may be denied before 8:00 a.m. and after 6:00 p.m. and all day during weekends and holidays.

17.1.5 Transaction

Another approach to access control can be used by organizations handling transactions (e.g., account inquiries). Phone calls may first be answered by a computer that requests that callers key in their account number and perhaps a PIN. Some routine transactions can then be made directly, but more complex ones may require human intervention. In such cases, the computer, which already knows the account number, can grant a clerk, for example, access to a particular account for the duration of the transaction. When completed, the access authorization is terminated. This means that users have no choice in which accounts they have access to, and can reduce the potential for mischief. It also eliminates employee browsing of accounts (e.g., those of celebrities or their neighbors) and can thereby heighten privacy.

17.1.6 Service Constraints

Service constraints refer to those restrictions that depend upon the parameters that may arise during use of the application or that are preestablished by the resource owner/manager. For example, a particular software package may only be licensed by the organization for five users at a time. Access would be denied for a sixth user, even if the user were otherwise authorized to use the application. Another type of service constraint is based upon application content or numerical thresholds. For example, an ATM may restrict transfers of money between accounts to certain dollar limits or may limit maximum ATM withdrawals to $500 per day. Access may also be selectively permitted based on the type of service requested. For example, users of computers on a network may be permitted to exchange electronic mail but may not be allowed to log in to each other's computers.
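Sections 17.1.3 through 17.1.6 describe four ways of narrowing access beyond who the user is. The Go program below is an added example written for this newsletter, not code from the NIST handbook; the service names, the 10.0.0.0/8 internal range, the 8:00 to 18:00 window, the five-seat licence and the $500 daily limit are constructed values modelled on the handbook's own illustrations. Each case in Decide implements one section: for the personnel files the time window is checked first and then location decides whether changes are accepted from outside the organization's network; a clerk can reach only the account the system opened for the current transaction, and that grant ends with the transaction; the licence seat count, the per-day withdrawal threshold and the permitted service types are the service constraints.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Request is one access attempt; names and values are constructed for this example.
type Request struct {
	User        string
	SourceIP    string
	At          time.Time
	Service     string // personnel-files, account, licensed-app, atm-withdrawal, mail
	Action      string // "read" or "write" (personnel-files only)
	Account     string // account being opened (account only)
	AmountCents int64  // requested amount (atm-withdrawal only)
}

type Policy struct {
	InternalNets       []*net.IPNet      // 17.1.3: addresses treated as "inside"
	WorkStart, WorkEnd int               // 17.1.4: allowed hours, [WorkStart, WorkEnd)
	LicenseSeats       int               // 17.1.6: concurrent users of the licensed app
	MaxWithdrawalCents int64             // 17.1.6: per-user daily ATM limit
	seats              map[string]bool   // users currently holding a licence seat
	grants             map[string]string // user -> account opened for the current transaction
	withdrawn          map[string]int64  // "user|YYYY-MM-DD" -> cents already withdrawn that day
}

func NewPolicy(internalCIDRs []string) (*Policy, error) {
	p := &Policy{WorkStart: 8, WorkEnd: 18, LicenseSeats: 5, MaxWithdrawalCents: 50000,
		seats: map[string]bool{}, grants: map[string]string{}, withdrawn: map[string]int64{}}
	for _, c := range internalCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		p.InternalNets = append(p.InternalNets, n)
	}
	return p, nil
}

func (p *Policy) isInternal(addr string) bool {
	ip := net.ParseIP(addr) // nil (unparseable) is never treated as inside
	for _, n := range p.InternalNets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// BeginTransaction is the 17.1.5 step: the system, which already took the caller's
// account number, opens that one account for the clerk; EndTransaction closes it.
func (p *Policy) BeginTransaction(user, account string) { p.grants[user] = account }
func (p *Policy) EndTransaction(user string)            { delete(p.grants, user) }

// Decide returns the decision and the rule that produced it, for the audit log.
func (p *Policy) Decide(r Request) (bool, string) {
	switch r.Service {
	case "personnel-files": // 17.1.4 time window, then 17.1.3 location
		if wd := r.At.Weekday(); wd == time.Saturday || wd == time.Sunday || r.At.Hour() < p.WorkStart || r.At.Hour() >= p.WorkEnd {
			return false, "time: outside working hours"
		}
		if r.Action == "write" && !p.isInternal(r.SourceIP) {
			return false, "location: changes only from inside the organization's network"
		}
		return true, "allowed"
	case "account": // 17.1.5 access only to the account opened for this transaction
		if r.Account == "" || p.grants[r.User] != r.Account {
			return false, "transaction: account not opened for this user"
		}
		return true, "allowed"
	case "licensed-app": // 17.1.6 concurrent-user licence
		if !p.seats[r.User] && len(p.seats) >= p.LicenseSeats {
			return false, "service: all licence seats in use"
		}
		p.seats[r.User] = true
		return true, "allowed"
	case "atm-withdrawal": // 17.1.6 numerical threshold per user per day
		key := r.User + "|" + r.At.Format("2006-01-02")
		if r.AmountCents <= 0 || p.withdrawn[key]+r.AmountCents > p.MaxWithdrawalCents {
			return false, "service: daily withdrawal limit"
		}
		p.withdrawn[key] += r.AmountCents
		return true, "allowed"
	case "mail": // 17.1.6 a permitted service type
		return true, "allowed"
	}
	return false, "service: not a permitted service type" // e.g. remote login to peer workstations
}

func main() {
	p, _ := NewPolicy([]string{"10.0.0.0/8"}) // constructed internal range
	monday := time.Date(2021, time.November, 15, 10, 0, 0, 0, time.UTC)
	p.BeginTransaction("clerk1", "ACCT-7")
	fmt.Println(p.Decide(Request{User: "hr1", SourceIP: "203.0.113.5", At: monday, Service: "personnel-files", Action: "write"}))
	fmt.Println(p.Decide(Request{User: "clerk1", Service: "account", Account: "ACCT-8"}))
	fmt.Println(p.Decide(Request{User: "cust1", At: monday, Service: "atm-withdrawal", AmountCents: 60000}))
}
```

Two design choices matter for auditability: every denial names the rule that produced it, and rules are checked in a fixed order (time before location), so the reason recorded for a given request is reproducible. An unparseable source address is treated as external rather than internal, so a malformed header fails closed.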


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.