Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI - As New York bank begins minting stablecoins, security concerns ensue - A regional bank based in New York announced earlier this month that it would begin issuing stablecoins, raising the issue of how the traditional banking industry might deal with the security and regulatory concerns of dealing in cryptocurrencies.
https://www.scmagazine.com/analysis/cryptocurrency/as-new-york-bank-begins-minting-stablecoins-security-concerns-ensue
Bad actors are following bank customers to mobile - Well before the
pandemic, mobile financial services were on their way up. But, in
the wake of the digital banking boom, cyber-criminals are upping
their own game to take advantage of all the financial customers who
are new to the mobile platform or accessing it more frequently.
https://www.scmagazine.com/analysis/application-security/bad-actors-are-following-bank-customers-to-mobile
The government is close to picking quantum-resistant encryption standards. Now it must plan for what to do if they fail. - Over the next few months, the National Institute of Standards and Technology will finalize a short list of new encryption algorithms and standards that are designed to withstand the threat of quantum computers, which are expected to one day mature to the point where they are capable of breaking many classical forms of encryption.
https://www.scmagazine.com/analysis/encryption/the-government-is-close-to-picking-quantum-resistant-encryption-standards-now-it-must-plan-for-what-to-do-if-they-fail
Medical device security can’t be solved in healthcare: What’s
‘acceptable risk?’ - Healthcare provider organizations face a highly
unique challenge: operating patient-connected devices with known
vulnerabilities and outdated technology.
https://www.scmagazine.com/feature/asset-management/medical-device-security-cant-be-solved-in-healthcare-whats-acceptable-risk
Ransomware groups don’t abide by promises not to target healthcare -
That is one implication of a new CyberPeace Institute blog
researching ransomware groups whose wares have been used in attacks
on healthcare facilities since May 2020.
https://www.scmagazine.com/analysis/cybercrime/ransomware-groups-dont-abide-by-promises-not-to-target-healthcare
HHS: Majority of health systems faced cyberattack in last 18 months
- Software supply chain attacks increased by 650% in the last year,
with 82% of healthcare systems reporting a cyberattack in the last
18 months, according to a recent Department of Health and Human
Services Cybersecurity Coordination Center and Healthcare & Public
Health Sector Coordinating Council webinar.
https://www.scmagazine.com/analysis/incident-response/hhs-majority-of-health-systems-faced-cyberattack-in-last-18-months
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Log4j vulnerability cleanup expected to take months or years - As the reality sets in over implications of the Log4j vulnerability, security staff have hunkered down to quickly remediate the problem. The question now is whether that sprint will be followed by a marathon.
https://www.scmagazine.com/analysis/application-security/log4j-vulnerability-cleanup-expected-to-take-months-or-years
https://www.scmagazine.com/analysis/policy/cisa-adds-log4j-to-critical-vulnerabilities-list-warns-industry-to-follow-similar-guidelines
https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
Planned Parenthood LA sued over data theft, ransomware attack
affecting 409K - A patient has filed a lawsuit against Planned
Parenthood Los Angeles, one week after the disclosure of a
ransomware attack that led to the theft of health data tied to
409,759 patients.
https://www.scmagazine.com/analysis/breach/planned-parenthood-la-sued-over-data-theft-ransomware-attack-affecting-409k
Ransomware attack takes down Kronos Private Cloud for several weeks
- The Kronos Private Cloud (KPC), a popular HR platform used by
Tesla and many other companies, was hit with a ransomware attack
over the weekend, prompting parent company UKG to tell its customers
that the service may take several weeks to restore - a grim prospect
with so many companies short-staffed because of the holidays.
https://www.scmagazine.com/news/cybercrime/ransomware-attack-takes-down-kronos-private-cloud-for-several-weeks
Log4j flaw: Attackers are making thousands of attempts to exploit
this severe vulnerability - Cyber attackers are making over a
hundred attempts to exploit a critical security vulnerability in
Java logging library Apache Log4j every minute, security researchers
have warned.
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
Timekeeping biz Kronos hit by ransomware and warns customers to
engage biz continuity plans - Kronos Private Cloud has been hit by a
ransomware attack. The company, also known as Ultimate Kronos Group
(UKG), provides timekeeping services to companies employing millions
of people across the world.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
Irish Health Service ransomware attack happened after one staffer
opened malware-ridden email - Ireland's Health Service Executive
(HSE) was almost paralysed by ransomware after a single user opened
a malicious file attached to a phishing email, a consultancy's
damning report has revealed.
https://www.theregister.com/2021/12/10/ireland_health_conti_ransomware_attack_report/
German logistics giant Hellmann reports cyberattack - Billion-dollar
logistics firm Hellmann Worldwide Logistics reported a cyberattack
this week that forced them to temporarily remove all connections to
their central data center. The company said the shut down was having
a "material impact" on their business operations.
https://www.zdnet.com/article/german-logistics-giant-hellmann-reports-cyberattack/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 10:
Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
that:
1) All confidential bank data and records are only accessible
by duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and
protection must be met when third parties have access to the data
through outsourcing relationships.
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
tampering.
FFIEC IT SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point
in time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.3.1.4 Constrained User Interfaces
Often used in conjunction with ACLs are constrained user
interfaces, which restrict users' access to specific functions by
never allowing them to request the use of information, functions, or
other specific system resources for which they do not have access.
Three major types exist: (1) menus, (2) database views, and (3)
physically constrained user interfaces.
Constrained user interfaces can provide a form of access control
that closely models how an organization operates. Many systems allow
administrators to restrict users' ability to use the operating
system or application system directly. Users can only execute
commands that are provided by the administrator, typically in the
form of a menu. Another means of restricting users is through
restricted shells, which limit the system commands the user can
invoke. The use of menus and shells can often make the system easier
to use and can help reduce errors.
Menu-driven systems are a common constrained user interface, where
different users are provided different menus on the same system.
Database views are a mechanism for restricting user access
to data contained in a database. It may be necessary to allow a user
to access a database, but that user may not need access to all the
data in the database (e.g., not all fields of a record nor all
records in the database). Views can be used to enforce complex
access requirements that are often needed in database situations,
such as those based on the content of a field. For example, consider
the situation where clerks maintain personnel records in a database.
Clerks are assigned a range of clients based upon last name (e.g.,
A-C, D-G). Instead of granting a user access to all records, the
view can grant the user access to the record based upon the first
letter of the last name field.
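As an added illustration of the last-name-range views just described (example code, not from the newsletter or the NIST Handbook), the following builds one view per clerk range in SQLite from constructed sample records; it also drops the SSN and salary fields so the view restricts both rows and columns. SQLite has no privilege system, so the GRANT step a server DBMS would add is shown only in a comment.

```python
import sqlite3

# Constructed sample personnel records (not from the page). The ssn and
# salary fields are ones the clerks should never see.
SAMPLE_PERSONNEL = [
    ("Adams",  "Jane", "Lending",    "111-22-3333", 61000),
    ("Baker",  "Omar", "Operations", "222-33-4444", 58000),
    ("Cruz",   "Lin",  "Lending",    "333-44-5555", 64000),
    ("Davis",  "Ann",  "Audit",      "444-55-6666", 70000),
    ("Garcia", "Raj",  "Operations", "555-66-7777", 59000),
    ("Hill",   "Sue",  "Audit",      "666-77-8888", 72000),
]

# Clerk groups and the last-name ranges assigned to them (A-C, D-G as in the text).
CLERK_RANGES = {"a_to_c": ("A", "C"), "d_to_g": ("D", "G")}

# The view, not the clerk, encodes the assignment: rows are filtered on the
# first letter of last_name and only the needed columns are exposed.
VIEW_DDL = """
CREATE VIEW personnel_{name} AS
    SELECT last_name, first_name, department
    FROM personnel
    WHERE upper(substr(last_name, 1, 1)) BETWEEN '{lo}' AND '{hi}';
"""


def build_db():
    """Create an in-memory database with the base table and one view per range."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personnel (last_name TEXT, first_name TEXT, "
                 "department TEXT, ssn TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?, ?)", SAMPLE_PERSONNEL)
    for name, (lo, hi) in CLERK_RANGES.items():
        conn.execute(VIEW_DDL.format(name=name, lo=lo, hi=hi))
    # On a server DBMS (e.g. PostgreSQL) the last step would be
    #   GRANT SELECT ON personnel_a_to_c TO clerk_ac;
    # with NO grant on the base table, so the view is the clerk's only path.
    return conn


def visible_rows(conn, clerk_range):
    """Rows a clerk in the given range can see; the name is checked against the fixed dict."""
    if clerk_range not in CLERK_RANGES:
        raise ValueError(f"unknown clerk range: {clerk_range}")
    return conn.execute(f"SELECT * FROM personnel_{clerk_range} ORDER BY last_name").fetchall()


def visible_columns(conn, clerk_range):
    """Column names the view exposes (ssn and salary must be absent)."""
    if clerk_range not in CLERK_RANGES:
        raise ValueError(f"unknown clerk range: {clerk_range}")
    cur = conn.execute(f"SELECT * FROM personnel_{clerk_range} LIMIT 0")
    return [d[0] for d in cur.description]
```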
Physically constrained user interfaces can also limit a
user's abilities. A common example is an ATM, which provides
only a limited number of physical buttons to select options; no
alphabetic keyboard is usually present.