R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

December 5, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Cyberattacks often come after working hours. Here’s how to prepare. CISA on Monday issued a warning to businesses and especially critical infrastructure organizations, reminding them that cybercriminals often like to launch attacks over weekends and holidays like Thanksgiving because the employees who must respond are out of the office and not immediately available. https://www.scmagazine.com/analysis/incident-response/cyberattacks-often-come-after-working-hours-heres-how-to-prepare

Auditors want to know if CISA programs for the communications sector work - The Cybersecurity and Infrastructure Security Agency lacks the ability to assess whether cybersecurity programs for the communications sector are effective and should update its plans to account for threats to the supply chain and GPS network, according to government auditors. https://www.scmagazine.com/analysis/critical-infrastructure/auditors-want-to-know-if-cisa-programs-for-the-communications-sector-work

GAO - DOD Should Take Additional Actions to Improve How It Approaches Intellectual Property - The Department of Defense uses intellectual property (IP) to operate and maintain its weapons systems. https://www.gao.gov/products/gao-22-104752

CISA Releases Guidance on Securing Enterprise Mobile Devices - The United States Cybersecurity and Infrastructure Security Agency (CISA) last week published a Capacity Enhancement Guide (CEG) to help organizations secure mobile devices and their access to enterprise resources. https://www.securityweek.com/cisa-releases-guidance-securing-enterprise-mobile-devices

New 36-hour reporting rule for cyber incidents puts more pressure on banks - The U.S. banking industry has long been concerned with the seemingly unstoppable growing spike in online intrusions. https://www.scmagazine.com/analysis/cybercrime/new-36-hour-reporting-rule-for-cyber-incidents-puts-more-pressure-on-banks

Meet the 23 cyber experts just named to CISA’s new advisory committee - The Cybersecurity and Infrastructure Security Agency announced 23 individuals who will serve on its newly established Cybersecurity Advisory Committee, pulling in experts on cyber policy from government, industry, academia and the media. https://www.scmagazine.com/analysis/policy/meet-the-23-cyber-experts-just-named-to-cisas-new-advisory-committee

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wind turbine maker Vestas confirms recent security incident was ransomware - Wind turbine maker Vestas says "almost all" of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware. https://www.theregister.com/2021/11/29/wind_turbine_maker_vestas_confirms/

DBS Bank blames 'access control servers' for two-day service disruption - Singapore bank says a problem with its access control servers caused the glitch that left customers unable to log into their accounts and access its digital services for two days, adding that it has worked with its "third-party engineering providers" on a resolution. https://www.zdnet.com/article/dbs-bank-blames-access-control-servers-for-two-day-service-disruption/

Marine services provider Swire Pacific Offshore hit by ransomware - Marine services giant Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that allowed threat actors to steal company data. https://www.bleepingcomputer.com/news/security/marine-services-provider-swire-pacific-offshore-hit-by-ransomware/

Quest’s ReproSource faces patient lawsuit over data breach impacting 350K patients - One month after notifying 350,000 patients of a potential theft of their protected health information, ReproSource Fertility Diagnostics has been sued by a patient over alleged security failings. ReproSource is a clinical laboratory for fertility specialists and a subsidiary of Quest Diagnostics. https://www.scmagazine.com/analysis/breach/quests-reprosource-faces-patient-lawsuit-over-data-breach-impacting-350k-patients


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Board and Management Oversight - Principle 8: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.

Data integrity refers to the assurance that information that is in transit or in storage is not altered without authorization. Failure to maintain the data integrity of transactions, records and information can expose banks to financial losses as well as to substantial legal and reputational risk.

The inherent nature of straight-through processes for e-banking may make programming errors or fraudulent activities more difficult to detect at an early stage. Therefore, it is important that banks implement straight-through processing in a manner that ensures safety and soundness and data integrity.

As e-banking is transacted over public networks, transactions are exposed to the added threat of data corruption, fraud and the tampering of records. Accordingly, banks should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-banking transactions, records and information that is either transmitted over the Internet, resident on internal bank databases, or transmitted/stored by third-party service providers on behalf of the bank. Common practices used to maintain data integrity within an e-banking environment include the following:

1)  E-banking transactions should be conducted in a manner that makes them highly resistant to tampering throughout the entire process.

2)  E-banking records should be stored, accessed and modified in a manner that makes them highly resistant to tampering.

3)  E-banking transaction and record-keeping processes should be designed in a manner as to make it virtually impossible to circumvent detection of unauthorized changes.

4)  Adequate change control policies, including monitoring and testing procedures, should be in place to protect against any e-banking system changes that may erroneously or unintentionally compromise controls or data reliability.

5)  Any tampering with e-banking transactions or records should be detected by transaction processing, monitoring and record keeping functions.
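One way to put practices 2, 3 and 5 into working code is a keyed, hash-chained transaction ledger: each stored record carries an HMAC over its own content and the previous record's tag, so an edit, a deleted record or a reordered record is detected at the first affected entry. This is an added illustration, not text or code from the Basel Committee paper; the key, the account numbers and the transactions are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed example key; a real key lives in an HSM or key vault, never beside the records.
INTEGRITY_KEY = b"constructed-example-key-do-not-use"
GENESIS = "0" * 64

def canonical(record: dict) -> bytes:
    # Deterministic serialization so identical records always hash identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(records, key=INTEGRITY_KEY):
    # Each entry's HMAC covers its own content plus the previous entry's tag,
    # so edits, deletions and reordering all break the chain.
    ledger, prev_tag = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev_tag.encode() + canonical(rec), hashlib.sha256).hexdigest()
        ledger.append({"record": rec, "prev": prev_tag, "tag": tag})
        prev_tag = tag
    return ledger

def verify(ledger, key=INTEGRITY_KEY):
    # Returns (True, None) if intact, else (False, index of first bad entry).
    prev_tag = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev_tag:
            return False, i  # a record was removed, inserted or reordered
        expected = hmac.new(key, prev_tag.encode() + canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i  # record content or its tag was altered
        prev_tag = entry["tag"]
    return True, None

# Constructed sample transactions.
SAMPLE_TXNS = [
    {"id": 1, "from": "ACCT-100", "to": "ACCT-200", "amount": "250.00"},
    {"id": 2, "from": "ACCT-200", "to": "ACCT-300", "amount": "75.50"},
    {"id": 3, "from": "ACCT-100", "to": "ACCT-400", "amount": "1200.00"},
]

def demo():
    ledger = seal(SAMPLE_TXNS)
    edited = copy.deepcopy(ledger)
    edited[1]["record"]["amount"] = "7500.50"  # unauthorized change to a stored record
    deleted = ledger[:1] + ledger[2:]           # record 2 removed from the store
    return verify(ledger), verify(edited), verify(deleted)
```

The chain alone does not stop a party who holds the integrity key from re-sealing the whole ledger, which is why the key must be kept separate from the systems and people who write the records.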


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 2 of 3)

Other common protocols in a TCP/IP network include the following types.

- Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems route messages by the MAC address, requiring a router to obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.

- Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.

- File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions, can improve security.

- Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.

- Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.

- Post office protocol (POP) - Commonly used to receive e-mail.

- Hypertext transport protocol (HTTP) - Used for Web browsing.

- Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.

- Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions, sometimes used to secure e-mail transfers and FTP sessions.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 17 - LOGICAL ACCESS CONTROL

17.3.1 Internal Access Controls

Internal access controls are a logical means of separating what defined users (or user groups) can or cannot do with system resources. Five methods of internal access control are discussed in this section: passwords, encryption, access control lists, constrained user interfaces, and labels.

17.3.1.1 Passwords

Passwords are most often associated with user authentication. However, they are also used to protect data and applications on many systems, including PCs. For instance, an accounting application may require a password to access certain financial data or to invoke a restricted application (or function of an application).

Password-based access control is often inexpensive because it is already included in a large variety of applications. However, users may find it difficult to remember additional application passwords, which, if written down or poorly chosen, can lead to their compromise. Password-based access controls for PC applications are often easy to circumvent if the user has access to the operating system (and knowledge of what to do). There are other disadvantages to using passwords.

The use of passwords as a means of access control can result in a proliferation of passwords that can reduce overall security.

17.3.1.2 Encryption

Another mechanism that can be used for logical access control is encryption. Encrypted information can only be decrypted by those possessing the appropriate cryptographic key. This is especially useful if strong physical access controls cannot be provided, such as for laptops or floppy diskettes. Thus, for example, if information is encrypted on a laptop computer, and the laptop is stolen, the information cannot be accessed. While encryption can provide strong access control, it is accompanied by the need for strong key management. Use of encryption may also affect availability. For example, lost or stolen keys or read/write errors may prevent the decryption of the information.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.