R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 24, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI - The FFIEC members revised and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks and the increased focus on ongoing, enterprise-wide business continuity and resilience. The new Handbook can be found at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx

PHONE NUMBER CHANGE - Because of the ever-increasing fees, I am going to stop using my AT&T business landline in January 2020.  If you have not already done so, please change our phone number to my cell phone 806-535-8300.

FYI - Arkansas AG reiterates need to report medical data breaches - Arkansas Attorney General (AG) Leslie Rutledge has advised the state's medical practitioners of their responsibilities regarding when to report a data breach under the state's Personal Information Protection Act (PIPA). https://www.scmagazine.com/home/security-news/data-breach/arkansas-ag-reiterates-need-to-report-medical-data-breaches/

Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded - The claim made by the Mexican state-owned petroleum corporation Pemex that it had recovered from a Nov. 10 cyberattack was met with some skepticism, as published reports indicate the attack may be still affecting the company. https://www.scmagazine.com/home/security-news/cyberattack/pemex-claims-victory-over-cyberattack-4-9-million-ransom-reportedly-demanded/

Louisiana spurns attempted ransomware attack, governor says - Louisiana activated its cybersecurity team after the state was targeted in an attempted ransomware attack similar to those aimed at government organizations and local school districts during the summer, newly re-elected Governor John Bel Edwards tweeted Monday. https://www.scmagazine.com/home/security-news/ransomware/louisiana-spurns-attempted-ransomware-attack-governor-says/

Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones - Bluetooth scanners are readily available and easy to use - which means that smash-and-grab car break-in might not have been pure chance. https://www.wired.com/story/bluetooth-scanner-car-thefts/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Open database exposes 93M files on patients of substance abuse facilities - A misconfigured AWS S3 storage bucket reportedly exposed roughly 93 million billing files that contain information on patients of three drug and alcohol addiction facilities operated by San Juan Capistrano, California-based Sunshine Behavioral Health, LLC. https://www.scmagazine.com/home/health-care/open-database-exposes-93m-files-on-patients-of-substance-abuse-facilities/

Indiana School District Restoring Computers After Ransomware - The Penn-Harris-Madison School Corp. is continuing to work this week to bring its computer network servers back online after a hack that knocked out “all internal network systems” district wide. https://www.govtech.com/security/Indiana-School-District-Restoring-Computers-After-Ransomware.html

Extensive personal health information exposed in Solara Medical data breach - Solara Medical Supplies reported on November 13 that its system was exposed for several months earlier this year after several employees fell for a phishing scam giving access to their Office 365 accounts to an unauthorized person. https://www.scmagazine.com/home/security-news/data-breach/extensive-personal-health-information-exposed-in-solara-medical-data-breach/

Disney+ not the happiest place on Earth, accounts stolen found on sale - The huge marketing campaign behind the launch of Disney’s new streaming service and the massive response it elicited from consumers was too much of a temptation for cybercriminals as they flocked to decipher and then resell the user accounts. https://www.scmagazine.com/home/network-security/disney-not-the-happiest-place-on-earth-accounts-stolen-found-on-sale/

Data breach potentially endangers Fairfax, Va. police officers - About 1,800 people, including 500 Fairfax, Va., county police department employees, had their PII possibly exposed when a USB drive carrying the information went missing. https://www.scmagazine.com/home/security-news/data-breach-potentially-endangers-fairfax-va-police-officers/

PayMyTab database leaked PII on diners - An exposed database belonging to PayMyTab leaked PII on customers who dined at restaurants using the mobile payment system. https://www.scmagazine.com/home/security-news/paymytab-database-leaked-pii-on-diners/

Leave.EU chairman’s Twitter account hacked, private messages leaked - A hacker hijacked the Twitter account of Arron Banks, chairman of the pro-Brexit UK political campaign organization Leave.EU, and leaked his private message history online earlier this week. https://www.scmagazine.com/home/security-news/cybercrime/leave-eu-chairmans-twitter-account-hacked-private-messages-leaked/



WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs.  (9 of 12)
  
  
Organize a public relations program.
  
  
Whether a bank is a local, national, or global firm, negative publicity about a security compromise is a distinct possibility. To address potential reputation risks associated with a given incident, some banks have organized public relations programs and designated specific points of contact to oversee the program. A well-defined public relations program can provide a specific avenue for open communications with both the media and the institution's customers.

  
Recovery

  
  Recovering from an incident essentially involves restoring systems to a known good state or returning processes and procedures to a functional state. Some banks have incorporated the following best practices related to the recovery process in their IRPs.
  
  Determine whether configurations or processes should be changed.
  
  
If an institution is the subject of a security compromise, the goals in the recovery process are to eliminate the cause of the incident and ensure that the possibility of a repeat event is minimized. A key component of this process is determining whether system configurations or other processes should be changed. In the case of technical compromises, such as a successful network intrusion, the IRP can prompt management to update or modify system configurations to help prevent further incidents. Part of this process may include implementing an effective, ongoing patch management program, which can reduce exposure to identified technical vulnerabilities. In terms of non-technical compromises, the IRP can direct management to review operational procedures or processes and implement changes designed to prevent a repeat incident.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   
PERSONNEL SECURITY
   
   
Personnel security controls allow legitimate users to have the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:
   
   - Altering data,
   - Deleting production and backup data,
   - Crashing systems,
   - Destroying systems,
   - Misusing systems for personal gain or to damage the institution,
   - Holding data hostage, and
   - Stealing strategic or customer data for corporate espionage or fraud schemes.
   
   BACKGROUND CHECKS AND SCREENING
   
   Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:
   
   - Character references;
   - Confirmation of prior experience, academic record, and professional qualifications; and
   - Confirmation of identity from government-issued identification.
   
   After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 2 - ELEMENTS OF COMPUTER SECURITY
 
 2.2 Computer Security is an Integral Element of Sound Management.
 
 Information and computer systems are often critical assets that support the mission of an organization. Protecting them can be as critical as protecting other organizational resources, such as money, physical assets, or employees.
 
 However, including security considerations in the management of information and computers does not completely eliminate the possibility that these assets will be harmed. Ultimately, organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls.
 
 As with many other resources, the management of information and computers may transcend organizational boundaries. When an organization's information and computer systems are linked with external systems, management's responsibilities also extend beyond the organization. This may require that management (1) know what general level or type of security is employed on the external system(s) or (2) seek assurance that the external system provides adequate security for the using organization's needs.
 
 2.3 Computer Security Should Be Cost-Effective.
 

 The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the computer systems and to the severity, probability and extent of potential harm. Requirements for security vary, depending upon the particular computer system.
 
 In general, security is a smart business practice. By investing in security measures, an organization can reduce the frequency and severity of computer security-related losses. For example, an organization may estimate that it is experiencing significant losses per year in inventory through fraudulent manipulation of its computer system. Security measures, such as an improved access control system, may significantly reduce the loss.
 
 Moreover, a sound security program can thwart hackers and can reduce the frequency of viruses. Elimination of these kinds of threats can reduce unfavorable publicity as well as increase morale and productivity.
 
 Security benefits, however, do have both direct and indirect costs. Direct costs include purchasing, installing, and administering security measures, such as access control software or fire-suppression systems. Additionally, security measures can sometimes affect system performance, employee morale, or retraining requirements. All of these have to be considered in addition to the basic cost of the control itself. In many cases, these additional costs may well exceed the initial cost of the control (as is often seen, for example, in the costs of administering an access control package). Solutions to security problems should not be chosen if they cost more, directly or indirectly, than simply tolerating the problem.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.