R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

November 28, 2021

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - November 23, 2021 - Computer-Security Incident Notification: Final Rule - The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers. https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-55.html

New rule says banks now have 36 hours to report a security incident to the FDIC - Banks regulated by the Federal Deposit Insurance Corporation will have 36 hours to report a computer security incident to the FDIC, according to a joint final ruling issued Thursday. https://www.scmagazine.com/news/breach/new-rule-says-banks-now-have-36-hours-to-report-a-security-incident-to-the-fdic

UK government publishes guidance on security rules for tech takeovers - The UK government has published guidance describing what technologies may be caught within the National Security and Investment Act 2021, which is set to give ministers the power to halt mergers and acquisitions. https://www.theregister.com/2021/11/17/uk_government_publishes_guidance_national/

Financial firms falling further behind in breach battle - In the past two years, the pandemic-related branch closures and lockdowns as well as a general focus on doing virtually everything remotely, has boosted digital banking, even among tech laggards. But it’s also increased the target size for bad actors - and banks can’t keep up. https://www.scmagazine.com/analysis/mobile/financial-firms-falling-further-behind-in-breach-battle

CISA releases cybersecurity response plans for federal agencies - The Cybersecurity and Infrastructure Security Agency (CISA) has released new cybersecurity response plans (known as playbooks) for federal civilian executive branch (FCEB) agencies. https://www.bleepingcomputer.com/news/security/cisa-releases-cybersecurity-response-plans-for-federal-agencies/

40% of healthcare lack designated CISO - Forty percent of healthcare organizations still don’t have a dedicated chief information security officer, down 12% from last year, according to the College of Healthcare Information Management Executives (CHIME) Digital Health Most Wired Survey. https://www.scmagazine.com/analysis/leadership/chime-40-of-healthcare-lack-designated-ciso


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Oversight finds 'small lapses' in security led to Colonial Pipeline, JBS hacks - A series of “small lapses” in cybersecurity led to several recent successful ransomware attacks, the House Oversight and Reform Committee concluded in a staff memo released Tuesday. https://thehill.com/policy/cybersecurity/581800-house-oversight-panel-finds-that-small-lapses-in-security-led-to-recent

Strategic web compromises in the Middle East with a pinch of Candiru - Back in 2018, ESET researchers developed a custom in-house system to uncover watering hole attacks (aka strategic web compromises) on high-profile websites. https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

Over 1 million GoDaddy WordPress accounts breached - GoDaddy on Monday disclosed that its Managed WordPress hosting environment was breached by an unauthorized third-party using a compromised password. https://www.scmagazine.com/news/breach/over-1-million-godaddy-wordpress-accounts-breached

Months-long hack, theft of Sea Mar healthcare data impacts 688K patients - All covered entities and relevant business associates are required to inform patients of breaches to their protected health information within 60 days and without delay to comply with The Health Insurance Portability and Accountability Act, regardless of whether an investigation into a hack, data theft, or other security incident is ongoing. https://www.scmagazine.com/analysis/breach/months-long-hack-theft-of-sea-mar-healthcare-data-impacts-688k-patients

Wind turbine giant Vestas' data compromised in cyberattack - Vestas Wind Systems, a leader in wind turbine manufacturing, has shut down its IT systems after suffering a cyberattack. https://www.bleepingcomputer.com/news/security/wind-turbine-giant-vestas-data-compromised-in-cyberattack/

Utah medical center hit by data breach affecting 582k patients - Utah Imaging Associates (UIA), a Utah-based radiology center, has announced a data breach affecting 582,170 people after their personal information was exposed. https://www.bleepingcomputer.com/news/security/utah-medical-center-hit-by-data-breach-affecting-582k-patients/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight Principle 7: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications.

In order to maintain segregation of duties, banks need to strictly control authorization and access privileges. Failure to provide adequate authorization control could allow individuals to alter their authority, circumvent segregation and gain access to e-banking systems, databases or applications to which they are not privileged.

In e-banking systems, the authorizations and access rights can be established in either a centralized or distributed manner within a bank and are generally stored in databases. The protection of those databases from tampering or corruption is therefore essential for effective authorization control.
 


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 1 of 3)

Network communications rely on software protocols to ensure the proper flow of information. A protocol is a set of rules that allows communication between two points in a telecommunications connection. Different types of networks use different protocols. The Internet and most intranets and extranets, however, are based on the TCP/IP layered model of protocols. That model has four layers, and different protocols within each layer. The layers, from bottom to top, are the network access layer, the Internet layer, the host-to-host layer, and the application layer. Vulnerabilities and corresponding attack strategies exist at each layer. This becomes an important consideration in evaluating the necessary controls. Hardware and software can use the protocols to restrict network access. Likewise, attackers can use weaknesses in the protocols to attack networks.

The primary TCP/IP protocols are the Internet protocol (IP) and the transmission control protocol (TCP). IP is used to route messages between devices on a network, and operates at the Internet layer. TCP operates at the host-to-host layer, and provides a connection-oriented, full-duplex, virtual circuit between hosts. Different protocols support different services for the network. The different services often introduce additional vulnerabilities. For example, a third protocol, the user datagram protocol (UDP) is also used at the host-to-host layer. Unlike TCP, UDP is not connection-oriented, which makes it faster and a better protocol for supporting broadcast and streaming services. Since UDP is not connection-oriented, however, firewalls often do not effectively filter it. To provide additional safeguards, it is often blocked entirely from inbound traffic or additional controls are added to verify and authenticate inbound UDP packets as coming
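The following Python model is an added illustration and is not part of the FFIEC booklet. It shows, with a simplified stateful packet filter, why the booklet singles out UDP: a TCP connection announces itself with a SYN handshake that a firewall can key its state table on, while a UDP datagram carries no such signal, so the only way to admit an inbound UDP reply safely is to remember the outbound request it answers and expire that memory quickly. The filter, the flow-table logic, and all addresses, ports and timings in the trace are constructed sample values chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    direction: str        # "in" (from the Internet) or "out" (toward the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags; always empty for UDP


# Flow key is normalised to (proto, internal host, internal port, external host, external port)
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Toy border filter: TCP state is created by the handshake, UDP state can
    only be inferred from outbound datagrams and must time out on its own."""

    def __init__(self, published_tcp_ports: Set[int], udp_timeout: float = 30.0):
        self.published_tcp_ports = published_tcp_ports
        self.udp_timeout = udp_timeout
        self.flows: Dict[FlowKey, float] = {}   # key -> expiry time (inf for open TCP)

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        key = self._key(pkt)
        if pkt.proto == "tcp":
            return self._tcp(pkt, key)
        if pkt.proto == "udp":
            return self._udp(pkt, key, now)
        return "drop"

    def _tcp(self, pkt: Packet, key: FlowKey) -> str:
        syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if syn_only:
            # A new connection: outbound is permitted, inbound only to published services.
            if pkt.direction == "in" and pkt.dport not in self.published_tcp_ports:
                return "drop"
            self.flows[key] = float("inf")
            return "allow"
        if key not in self.flows:
            return "drop"   # mid-stream segment for which no handshake was seen
        if pkt.flags & {"FIN", "RST"}:
            del self.flows[key]   # connection is closing; forget its state
        return "allow"

    def _udp(self, pkt: Packet, key: FlowKey, now: float) -> str:
        if pkt.direction == "out":
            # An outbound datagram opens a short-lived pseudo-flow so its reply can return.
            self.flows[key] = now + self.udp_timeout
            return "allow"
        # Inbound UDP has no handshake to check, so it is accepted only when it
        # matches a recent outbound request (same 5-tuple, reversed); otherwise dropped.
        if key in self.flows:
            self.flows[key] = now + self.udp_timeout
            return "allow"
        return "drop"

    def _expire(self, now: float) -> None:
        for k in [k for k, exp in self.flows.items() if exp <= now]:
            del self.flows[k]


def run_filter_demo() -> List[str]:
    """Run a constructed packet trace through the filter; returns one verdict per packet."""
    fw = StatefulFilter(published_tcp_ports={443})
    trace = [
        (0.0, Packet("udp", "out", "10.0.0.5", 53001, "198.51.100.53", 53)),   # DNS query out
        (0.2, Packet("udp", "in", "198.51.100.53", 53, "10.0.0.5", 53001)),    # matching reply
        (0.5, Packet("udp", "in", "203.0.113.9", 40000, "10.0.0.5", 161)),     # unsolicited inbound UDP
        (45.0, Packet("udp", "in", "198.51.100.53", 53, "10.0.0.5", 53001)),   # "reply" after timeout
        (46.0, Packet("tcp", "in", "203.0.113.9", 50000, "10.0.0.8", 443, frozenset({"SYN"}))),  # published port
        (46.1, Packet("tcp", "in", "203.0.113.9", 50001, "10.0.0.8", 22, frozenset({"SYN"}))),   # not published
        (46.2, Packet("tcp", "in", "203.0.113.9", 50000, "10.0.0.8", 443, frozenset({"ACK"}))),  # established
        (46.3, Packet("tcp", "in", "203.0.113.9", 50002, "10.0.0.8", 443, frozenset({"ACK"}))),  # no handshake
    ]
    return [fw.process(pkt, t) for t, pkt in trace]


if __name__ == "__main__":
    for verdict in run_filter_demo():
        print(verdict)
```

The trace makes the booklet's point concrete: the DNS reply at 0.2 s is admitted only because the filter remembers the query sent at 0 s, the same datagram arriving after the pseudo-flow has expired is dropped, and an inbound TCP segment without a preceding handshake is dropped regardless of port. Real firewalls add address-spoofing checks and per-service rules on top of this, which is what the booklet means by "additional controls" on inbound UDP.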



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.2 Policy: The Impetus for Access Controls

Logical access controls are a technical means of implementing policy decisions. Policy is made by a management official responsible for a particular system, application, subsystem, or group of systems. The development of an access control policy may not be an easy endeavor. It requires balancing the often-competing interests of security, operational requirements, and user-friendliness. In addition, technical constraints have to be considered.

This chapter discusses issues relating to the technical implementation of logical access controls - not the actual policy decisions as to who should have what type of access. These decisions are typically included in system-specific policy.

Once these policy decisions have been made, they will be implemented (or enforced) through logical access controls. In doing so, it is important to realize that the capabilities of various types of technical mechanisms (for logical access control) vary greatly.

A few simple examples of specific policy issues are provided below; it is important to recognize, however, that comprehensive system-specific policy is significantly more complex.

1. The director of an organization's personnel office could decide that all clerks can update all files, to increase the efficiency of the office. Or the director could decide that clerks can only view and update specific files, to help prevent information browsing.

2. In a disbursing office, a single individual is usually prohibited from both requesting and authorizing that a particular payment be made. This is a policy decision taken to reduce the likelihood of embezzlement and fraud.

3. Decisions may also be made regarding access to the system itself. In the government, for example, the senior information resources management official may decide that agency systems that process information protected by the Privacy Act may not be used to process public-access database applications.

17.3 Technical Implementation Mechanisms

Many mechanisms have been developed to provide internal and external access controls, and they vary significantly in terms of precision, sophistication, and cost. These methods are not mutually exclusive and are often employed in combination. Managers need to analyze their organization's protection requirements to select the most appropriate, cost-effective logical access controls.
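As an added example (not drawn from the NIST Handbook or the Basel paper), the following Python program turns two of the points above into enforced code: the disbursing-office rule from example 2, that the person who requests a payment may not also authorize it, and Basel Principle 7's requirement, from the Web Site Compliance section of this issue, that the database holding authorizations be protected from tampering. The authorization store keeps an HMAC tag on every row, so a privilege that is edited directly in the backing store (bypassing the grant procedure) is rejected the next time it is read. The key, user names, right names and payment records are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical integrity key for the authorization store; a real deployment
# would hold it in an HSM or secrets manager, never in source code.
STORE_KEY = b"constructed-demo-key-not-for-production"


class IntegrityError(Exception):
    """Raised when an authorization row no longer matches its integrity tag."""


class AuthorizationStore:
    """Maps each user to a set of rights. Every row carries an HMAC over its
    content, so edits made directly to the backing store are detected on read."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows: Dict[str, dict] = {}

    def _tag(self, user: str, rights: List[str]) -> str:
        msg = json.dumps({"user": user, "rights": sorted(rights)}, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def grant(self, user: str, rights: List[str]) -> None:
        # The only sanctioned way to change privileges: the tag is recomputed here.
        rights = sorted(set(rights))
        self._rows[user] = {"rights": rights, "tag": self._tag(user, rights)}

    def rights_of(self, user: str) -> Set[str]:
        row = self._rows.get(user)
        if row is None:
            return set()
        if not hmac.compare_digest(row["tag"], self._tag(user, row["rights"])):
            raise IntegrityError(f"authorization row for {user!r} failed its integrity check")
        return set(row["rights"])

    def raw_rows(self) -> Dict[str, dict]:
        # Exposed only so the demo can simulate a direct edit of the backing store.
        return self._rows


@dataclass
class Payment:
    payment_id: str
    amount: int
    requested_by: Optional[str] = None
    authorized_by: Optional[str] = None


class PaymentService:
    """Two-step payment workflow: the requester may never be the authorizer."""

    def __init__(self, store: AuthorizationStore):
        self.store = store

    def request(self, user: str, payment: Payment) -> None:
        if "payment.request" not in self.store.rights_of(user):
            raise PermissionError(f"{user} may not request payments")
        payment.requested_by = user

    def authorize(self, user: str, payment: Payment) -> None:
        if "payment.authorize" not in self.store.rights_of(user):
            raise PermissionError(f"{user} may not authorize payments")
        if payment.requested_by is None:
            raise ValueError("payment has not been requested")
        if payment.requested_by == user:
            raise PermissionError("segregation of duties: requester cannot authorize own payment")
        payment.authorized_by = user


def run_payment_demo() -> Dict[str, str]:
    """Exercise the three cases; returns an outcome label for each."""
    store = AuthorizationStore(STORE_KEY)
    store.grant("alice", ["payment.request"])
    store.grant("bob", ["payment.authorize"])
    store.grant("carol", ["payment.request", "payment.authorize"])
    svc = PaymentService(store)
    outcome: Dict[str, str] = {}

    p1 = Payment("P-1001", 500)          # separate requester and approver: permitted
    svc.request("alice", p1)
    svc.authorize("bob", p1)
    outcome["separate_requester_and_approver"] = "authorized by " + str(p1.authorized_by)

    p2 = Payment("P-1002", 900)          # carol holds both rights but may not use both on one payment
    svc.request("carol", p2)
    try:
        svc.authorize("carol", p2)
        outcome["self_approval"] = "allowed"
    except PermissionError:
        outcome["self_approval"] = "blocked"

    # Simulate a direct edit of the privilege table that bypasses grant(); the
    # stored tag no longer matches, so the row is rejected rather than trusted.
    store.raw_rows()["alice"]["rights"].append("payment.authorize")
    try:
        store.rights_of("alice")
        outcome["tampered_row"] = "accepted"
    except IntegrityError:
        outcome["tampered_row"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(run_payment_demo())
```

Note that Carol legitimately holds both rights; the segregation check is applied per payment, not per user, which is how the disbursing-office rule is usually stated. The HMAC tag detects tampering but does not prevent it, so in practice it complements, rather than replaces, database access controls and audit logging on the authorization store.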


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.