R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

December 12, 2021

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - TSA issues security rules for passenger and high-risk freight rail sectors - The TSA issued security directives Thursday that implement new cybersecurity requirements on the passenger rail and high-risk freight rail sectors. https://www.scmagazine.com/analysis/policy/tsa-expected-to-issue-security-rules-for-passenger-and-high-risk-freight-rail-sectors

VA’s IT office used 9 SaaS apps that did not meet federal cloud requirements - The Office of Inspector General (OIG) for the Department of Veterans Affairs last week issued a report that claimed that a division in the VA’s Office of Information Technology (OIT) used SaaS applications and application programming interfaces (APIs) that did not meet federal security requirements. https://www.scmagazine.com/news/application-security/vas-it-office-used-9-saas-apps-that-did-not-meet-federal-cloud-requirements

HHS Launches New Website to Align Healthcare Cybersecurity - HHS launched a website for the 405(d) Program, which is comprised of a task force focused on aligning healthcare cybersecurity approaches across the sector. https://healthitsecurity.com/news/hhs-launches-new-website-to-align-healthcare-cybersecurity


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Thousands of AT&T customers in the US infected by new data-stealing malware - Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday. https://arstechnica.com/information-technology/2021/12/thousands-of-att-customers-in-the-us-infected-by-new-data-stealing-malware/

Panasonic admits intruders were inside its servers for months - Spotted the crack after it ended – still not sure what was lost - Japanese industrial giant Panasonic has admitted it's been popped, and badly. https://www.theregister.com/2021/11/30/panasonic_breach/

Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach” - In January 2021, technology vendor Ubiquiti Inc. disclosed that a breach at a third party cloud provider had exposed customer account credentials. https://krebsonsecurity.com/2021/12/ubiquiti-developer-charged-with-extortion-causing-2020-breach/

Ransomware actors steal data of 400K patients from LA Planned Parenthood - Planned Parenthood Los Angeles filed a breach notice with the California Attorney General, notifying 400,000 patients that their data was exfiltrated during a weeklong hack launched by ransomware threat actors. https://www.scmagazine.com/analysis/breach/ransomware-actors-steal-data-of-400k-patients-from-la-planned-parenthood

NSO Group Spyware Hits at Least 9 US State Department Phones - The incident lays bare how hollow the surveillance company’s reassurances about the limits of its hacking tools have always been. https://www.wired.com/story/nso-group-spyware-pegasus-state-department/

Hundreds of SPAR stores shut down, switch to cash after cyberattack - Approximately 330 SPAR shops in northern England face severe operational problems following a weekend cyberattack, forcing many stores to close or switch to cash-only payments. https://www.bleepingcomputer.com/news/security/hundreds-of-spar-stores-shut-down-switch-to-cash-after-cyberattack/

Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack - A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest. https://www.theregister.com/2021/12/03/dmea_colorado_cyber_attack_billing_systems/

Cyberattack freezes Maryland health department - A cyberattack took Maryland’s health department offline this weekend, as officials worked to assess the extent of the intrusion. https://www.washingtonpost.com/dc-md-va/2021/12/05/maryland-health-department-cyberattack/



WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.

Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are not only challenged to ensure that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications.

A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. In making a determination as to where clear audit trails should be maintained, the following types of e-banking transactions should be considered:

1)  The opening, modification or closing of a customer's account.

2)  Any transaction with financial consequences.

3)  Any authorization granted to a customer to exceed a limit.

4)  Any granting, modification or revocation of systems access rights or privileges.
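As an added illustration of what a "clear audit trail" for those four event types can look like in code (this is example code written for this newsletter, not part of the Basel paper), the Python below keeps an append-only log whose records are chained by SHA-256, so that editing, deleting or reordering an earlier record is detectable on review. The event-type names, the record fields and the hash-chaining scheme are this example's own choices, not anything the Basel principle prescribes.

```python
"""Append-only, hash-chained audit trail for the four e-banking event types
named in Basel Principle 9.  Constructed example; the event names, record
layout and chaining scheme are assumptions of this example."""
import hashlib
import json
from datetime import datetime, timezone

# The four transaction categories the text says warrant an audit trail.
AUDITED_EVENTS = {
    "ACCOUNT_LIFECYCLE",   # opening, modification or closing of an account
    "FINANCIAL_TXN",       # any transaction with financial consequences
    "LIMIT_OVERRIDE",      # authorization granted to exceed a limit
    "ACCESS_CHANGE",       # grant, modification or revocation of access rights
}

GENESIS = "0" * 64  # 'previous hash' of the very first record


class AuditTrail:
    """Each record stores the SHA-256 of the record before it, so any change to
    an earlier record, or any gap or reordering, breaks the chain."""

    def __init__(self):
        self.records = []

    def append(self, event_type, actor, subject, details, when=None):
        """Record one auditable event and return its hash."""
        if event_type not in AUDITED_EVENTS:
            raise ValueError(f"unrecognised event type: {event_type}")
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "event": event_type,
            "actor": actor,      # who performed the action: user, process or system
            "subject": subject,  # the account or principal acted upon
            "details": details,  # before/after values, amounts, approvals
            "prev": prev_hash,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the same content always hashes the same.
        canonical = json.dumps({k: v for k, v in body.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad record)."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None


def demo():
    """Build a small constructed trail, verify it, tamper with one record,
    and verify again.  Returns both verification results."""
    trail = AuditTrail()
    trail.append("ACCOUNT_LIFECYCLE", "teller01", "acct-1001", {"action": "open"})
    trail.append("FINANCIAL_TXN", "cust-77", "acct-1001", {"type": "transfer", "amount": "250.00"})
    trail.append("LIMIT_OVERRIDE", "mgr02", "acct-1001", {"limit": "5000", "approved": "7500"})
    trail.append("ACCESS_CHANGE", "sysadmin", "teller01", {"right": "approve-wires", "change": "revoke"})
    clean = trail.verify()
    # Someone edits the stored amount after the fact: the digest no longer matches.
    trail.records[1]["details"]["amount"] = "2500.00"
    tampered = trail.verify()
    return clean, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

The chain catches alteration, deletion or reordering of any record except silent truncation at the tail, since removing the newest records leaves a chain that still verifies. To cover that case, the latest record hash should be written periodically to a place the e-banking application cannot modify (a separate log host, a write-once volume or a signed checkpoint), which is also what makes the trail independently auditable.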


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 3 of 3)

Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of accessing the services, the services are assigned to standard host ports. Ports are logical, not physical, locations that are either assigned or available for specific network services. Under TCP/IP, 65536 ports are available, and the first 1024 ports are commercially accepted as being assigned to certain services. For instance, Web servers listen for requests on port 80, and Secure Sockets Layer (SSL) Web servers listen on port 443. A complete list of the commercially accepted port assignments is available at www.iana.org. Ports above 1024 are known as high ports and are user-assignable. However, users and administrators have the freedom to assign any port to any service, and to use one port for more than one service. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystroke information to port 80 of an attacker's machine. In that case, monitoring of the packet headers from the compromised machine would only show a Web request to port 80 of a certain IP address.
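The booklet's closing point, that header-based monitoring only shows "a Web request to port 80", is worth seeing in code. The Python below is an added example, not from the booklet: it labels constructed flow records by destination port the way a packet-header monitor would (using a handful of IANA assignments rather than the full registry), and then shows what two extra signals add for review: which program on the host opened the connection, and how much it sent compared with what it received. The flow records, process names, addresses and the review heuristic are all constructed for illustration.

```python
"""Port-based service labelling versus what it cannot tell you.
Constructed example; the flows, process names and heuristic are assumptions."""

# A few well-known assignments from the IANA registry the booklet points to.
# A real tool would load the full registry instead of this short table.
IANA_WELL_KNOWN = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Programs expected to talk to web ports on this (constructed) workstation fleet.
EXPECTED_WEB_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def port_class(port):
    """Classify a port using the booklet's split: the first 1024 ports (0-1023)
    are the assigned ones, everything above is a user-assignable 'high' port."""
    if not 0 <= port <= 65535:
        raise ValueError("TCP/UDP ports are 0-65535")
    return "assigned" if port < 1024 else "high"


def label_by_header(flow):
    """All a packet-header-only monitor can say: a service guessed from the port."""
    dport = flow["dport"]
    return IANA_WELL_KNOWN.get(dport, f"unknown/{port_class(dport)}")


# Constructed flow records.  'process' comes from host telemetry (EDR, auditd,
# sysmon); a network-only monitor never sees it.  Addresses are from the
# RFC 5737 documentation ranges.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "process": "firefox.exe", "bytes_out": 900, "bytes_in": 48000},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80,
     "process": "updater_helper.exe", "bytes_out": 120000, "bytes_in": 600},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 443,
     "process": "chrome.exe", "bytes_out": 2000, "bytes_in": 90000},
]


def flows_for_review(flows, upload_ratio=10.0):
    """Illustrative review heuristic (this example's assumption, not the
    booklet's): a flow to a web port deserves a look when the sending program is
    not an expected web client, or when it uploads far more than it downloads.
    Returns (src, dst, dport, reasons) for each flagged flow."""
    findings = []
    for f in flows:
        if label_by_header(f) not in ("http", "https"):
            continue
        reasons = []
        if f["process"] not in EXPECTED_WEB_CLIENTS:
            reasons.append("non-browser process")
        if f["bytes_out"] > upload_ratio * max(f["bytes_in"], 1):
            reasons.append("upload-heavy")
        if reasons:
            findings.append((f["src"], f["dst"], f["dport"], reasons))
    return findings


if __name__ == "__main__":
    for f in FLOWS:
        print(f["src"], "->", f["dst"], label_by_header(f))  # all three look like web
    print(flows_for_review(FLOWS))  # only the second flow is flagged
```

Both of the first two flows are labelled "http" by the header view, exactly as the booklet says. Only the host-side process name and the volume imbalance separate them, which is why port filtering on its own is a weak control and why network monitoring is best paired with host telemetry.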



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 17 - LOGICAL ACCESS CONTROL

  17.3.1.3 Access Control Lists
  
  Access Control Lists (ACLs) refer to a register of: (1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and (2) the types of access they have been permitted.
  
  ACLs vary considerably in their capability and flexibility. Some only allow specifications for certain pre-set groups (e.g., owner, group, and world) while more advanced ACLs allow much more flexibility, such as user-defined groups. Also, more advanced ACLs can be used to explicitly deny access to a particular individual or group. With more advanced ACLs, access can be at the discretion of the policymaker (and implemented by the security administrator) or individual user, depending upon how the controls are technically implemented.
  
  Elementary ACLs. Elementary ACLs (e.g., "permission bits") are a widely available means of providing access control on multiuser systems. In this scheme, a short, predefined list of the access rights to files or other system resources is maintained.
  
  Elementary ACLs are typically based on the concepts of owner, group, and world. For each of these, a set of access modes (typically chosen from read, write, execute, and delete) is specified by the owner (or custodian) of the resource. The owner is usually its creator, though in some cases, ownership of resources may be automatically assigned to project administrators, regardless of the identity of the creator. File owners often have all privileges for their resources.
  
  In addition to the privileges assigned to the owner, each resource is associated with a named group of users. Users who are members of the group can be granted modes of access distinct from nonmembers, who belong to the rest of the "world" that includes all of the system's users. User groups may be arranged according to departments, projects, or other ways appropriate for the particular organization. For example, groups may be established for members of the Personnel and Accounting departments. The system administrator is normally responsible for technically maintaining and changing the membership of a group, based upon input from the owners/custodians of the particular resources to which the groups may be granted access.
  
  As the name implies, however, the technology is not particularly flexible. It may not be possible to explicitly deny access to an individual who is a member of the file's group. Also, it may not be possible for two groups to easily share information (without exposing it to the "world"), since the list is predefined to only include one group. If two groups wish to share information, an owner may make the file available to be read by "world." This may disclose information that should be restricted. Unfortunately, elementary ACLs have no mechanism to easily permit such sharing.
  
  Example of Elementary ACL for the file "payroll":

    Owner:  PAYMANAGER           Access: Read, Write, Execute, Delete
    Group:  COMPENSATION-OFFICE  Access: Read, Write, Execute, Delete
    "World"                      Access: None
  
  Advanced ACLs. Like elementary ACLs, advanced ACLs provide a form of access control based upon a logical registry. They do, however, provide finer precision in control.
  
  Advanced ACLs can be very useful in many complex information sharing situations. They provide a great deal of flexibility in implementing system-specific policy and allow for customization to meet the security requirements of functional managers. Their flexibility also makes them more of a challenge to manage. The rules for determining access in the face of apparently conflicting ACL entries are not uniform across all implementations and can be confusing to security administrators. When such systems are introduced, they should be coupled with training to ensure their correct use.
  
  Since one would presume that no one would have access without being granted access, why would it be desirable to explicitly deny access? Consider a situation in which a group name has already been established for 50 employees. If it were desired to exclude 5 of the individuals from that group, it would be easier for the access control administrator to simply grant access to that group and take it away from the 5 rather than grant access to 45 people. Or, consider the case of a complex application in which many groups of users are defined. It may be desired, for some reason, to prohibit Ms. X from generating a particular report (perhaps she is under investigation). In a situation in which group names are used (and perhaps modified by others), this explicit denial may be a safety check to restrict Ms. X's access -- in case someone were to redefine a group (with access to the report generation function) to include Ms. X. She would still be denied access.
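To make the elementary/advanced distinction concrete, the Python below (an added example, not from the NIST Handbook) implements both schemes and walks through the three situations the text describes: the "payroll" file with its owner, group and world modes; granting a 50-member group and then taking access away from 5 of them; and the explicit deny that keeps Ms. X out even after someone redefines the group to include her. The group directory, user names and the "an explicit deny wins over any allow" conflict rule are this example's assumptions; as the text notes, real implementations resolve conflicting entries in different ways.

```python
"""Elementary (owner/group/world) and advanced (per-principal allow/deny) ACLs.
Constructed example; the directory, names and deny-wins rule are assumptions."""
from dataclasses import dataclass, field

MODES = frozenset({"read", "write", "execute", "delete"})

# Constructed directory of group memberships.  Mutable on purpose, so the
# 'someone redefines a group' case can be shown.
GROUPS = {
    "COMPENSATION-OFFICE": {"alice", "bob"},
    "REPORT-USERS": {f"user{i:02d}" for i in range(50)},
}


def groups_of(user):
    return [g for g, members in GROUPS.items() if user in members]


@dataclass
class ElementaryACL:
    """Permission-bit style: one owner, one named group, and everyone else."""
    owner: str
    owner_modes: frozenset
    group: str
    group_modes: frozenset
    world_modes: frozenset = frozenset()

    def allows(self, user, mode, groups_of):
        if user == self.owner:
            return mode in self.owner_modes
        if self.group in groups_of(user):
            return mode in self.group_modes
        return mode in self.world_modes   # no way to single out one member


@dataclass
class AdvancedACL:
    """Entries of (principal, allow|deny, modes); a principal is a user or a
    group name.  Conflict rule (this example's choice): any matching deny wins."""
    entries: list = field(default_factory=list)

    def allow(self, principal, *modes):
        self.entries.append((principal, "allow", frozenset(modes)))
        return self

    def deny(self, principal, *modes):
        self.entries.append((principal, "deny", frozenset(modes)))
        return self

    def allows(self, user, mode, groups_of):
        principals = {user, *groups_of(user)}
        granted = False
        for principal, effect, modes in self.entries:
            if principal not in principals or mode not in modes:
                continue
            if effect == "deny":
                return False          # explicit deny short-circuits
            granted = True
        return granted


def payroll_acl():
    """The Handbook's elementary ACL for the file 'payroll'."""
    return ElementaryACL("PAYMANAGER", MODES, "COMPENSATION-OFFICE", MODES)


def report_acl_excluding(excluded):
    """Grant the whole group, then take access away from a few people:
    six entries instead of forty-five."""
    acl = AdvancedACL().allow("REPORT-USERS", "read")
    for user in excluded:
        acl.deny(user, "read")
    return acl


def ms_x_still_denied():
    """Explicit deny as a safety check.  Returns Ms. X's access before and after
    someone redefines REPORT-USERS to include her."""
    acl = AdvancedACL().allow("REPORT-USERS", "execute").deny("ms_x", "execute")
    before = acl.allows("ms_x", "execute", groups_of)
    GROUPS["REPORT-USERS"].add("ms_x")        # group redefined by someone else
    after = acl.allows("ms_x", "execute", groups_of)
    GROUPS["REPORT-USERS"].discard("ms_x")    # restore the constructed directory
    return before, after


if __name__ == "__main__":
    p = payroll_acl()
    print(p.allows("PAYMANAGER", "delete", groups_of), p.allows("carol", "read", groups_of))
    acl = report_acl_excluding({f"user{i:02d}" for i in range(5)})
    print(sum(acl.allows(u, "read", groups_of) for u in GROUPS["REPORT-USERS"]))  # 45
    print(ms_x_still_denied())  # (False, False)
```

The elementary class has no place to put an exception for one group member, which is the limitation the text describes; the only lever is widening access to "world". The advanced class expresses the exception directly, and because the deny is attached to the user rather than to the group definition, it survives later edits to the group.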


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.