R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

December 25, 2022

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
Remote bank regulatory FFIEC IT audits - I am performing virtual/remote bank regulatory FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

NSA shares tips on mitigating 5G network slicing threats - The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), have published a joint report that highlights the most likely risks and potential threats in 5G network slicing implementations. https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-mitigating-5g-network-slicing-threats/

Cybersecurity market for connected cars to grow to $4.14B by 2026 - ResearchAndMarkets.com on Friday estimated that the global external cloud automotive cybersecurity services market will grow from $1.74 billion in 2021 to $2.12 billion in 2022 at a compound annual growth rate (CAGR) of 21.8% - and by 2026, this market will grow to $4.14 billion with a CAGR of 18.3%. https://www.scmagazine.com/analysis/cloud-security/cybersecurity-market-for-connected-cars-to-grow-to-4-14b-by-2026

Average cost of a data breach expected to hit $5 million in 2023 - Acronis on Monday reported that threats from phishing and malicious emails have increased by 60% and the average cost of a data breach could reach $5 million by next year. https://www.scmagazine.com/news/email-security/average-cost-of-a-data-breach-expected-to-hit-5-million-in-2023

NIST Finally Retires SHA-1, Kind Of - It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices. https://www.darkreading.com/dr-tech/nist-finally-retires-sha-1

FTC Fines Fortnite Maker Epic Games $275 Million for Violating Children's Privacy Law - Epic Games has reached a $520 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that the Fortnite creator violated online privacy laws for children and tricked users into making unintended purchases in the video game. https://thehackernews.com/2022/12/ftc-fines-fortnite-maker-epic-games-275.html

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

HHS reports third-party vendor incident compromised health data of 254K - The Department of Health and Human Services Centers for Medicare and Medicaid Services is currently notifying 254,000 out of its 64 million Medicare beneficiaries that their data was compromised after a ransomware attack on one of its third-party vendors. https://www.scmagazine.com/analysis/third-party-risk/hhs-reports-third-party-vendor-incident-compromised-health-data-of-254k

HIPAA right of access failure costs Florida provider $20K in settlement with feds - For the second time this week, the Office for Civil Rights announced it reached a settlement with a healthcare entity to resolve a potential violation of the Health Insurance Portability and Accountability Act. https://www.scmagazine.com/analysis/privacy/hipaa-right-of-access-failure-costs-florida-provider-20k-in-settlement-with-feds

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked - InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

Colombian energy supplier EPM hit by BlackCat ransomware attack - Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company's operations and taking down online services. https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
(Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.
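As an added example (not from the FFIEC statement or this newsletter), a small Python check that flags third-party content a page renders inside its own frame, plus external links that open in the same window so the reviewer can confirm an exit notice is used. The host names and sample HTML are constructed placeholders, and the check assumes the site's convention is to open third-party links in a new window behind an exit notice.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class WeblinkAuditor(HTMLParser):
    """Collect framed third-party content and external anchors on one page."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.framed = []   # third-party URLs that render inside our own page
        self.links = []    # (url, opens_in_new_window) for external anchors

    def _is_external(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs (no host) and our own subdomains are not third parties.
        return bool(host) and host != self.own_host and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src") and self._is_external(a["src"]):
            self.framed.append(a["src"])
        elif tag == "a" and a.get("href") and self._is_external(a["href"]):
            self.links.append((a["href"], a.get("target") == "_blank"))


def audit_page(html, own_host):
    """Return (finding, url) pairs. Framed third-party content is the reputation
    risk the FFIEC statement describes (the bank's logo wraps someone else's
    product); same-window external links are flagged for exit-notice review."""
    p = WeblinkAuditor(own_host)
    p.feed(html)
    p.close()
    findings = [("FRAMED_THIRD_PARTY", u) for u in p.framed]
    findings += [("EXTERNAL_LINK_SAME_WINDOW", u) for u, new_win in p.links if not new_win]
    return findings


# Constructed sample page; examplebank.test and broker.test are placeholders.
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" alt="Example Bank">
<iframe src="https://broker.test/trade"></iframe>
<a href="https://online.examplebank.test/login">Online banking</a>
<a href="https://broker.test/open" target="_blank" rel="noopener">Open a brokerage account</a>
<a href="https://insurer.test/quote">Get an insurance quote</a>
</body></html>
"""

if __name__ == "__main__":
    for finding, url in audit_page(SAMPLE_HTML, "examplebank.test"):
        print(finding, url)
```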

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customer's information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third-party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Insurance coverage is rapidly evolving to meet the growing number of security-related threats. Coverage varies by insurance company, but currently available insurance products may include coverage for the following risks:

- Vandalism of financial institution Web sites,
- Denial-of-service attacks,
- Loss of income,
- Computer extortion associated with threats of attack or disclosure of data,
- Theft of confidential information,
- Privacy violations,
- Litigation (breach of contract),
- Destruction or manipulation of data (including viruses),
- Fraudulent electronic signatures on loan agreements,
- Fraudulent instructions through e-mail,
- Third-party risk from companies responsible for security of financial institution systems or information,
- Insiders who exceed system authorization, and
- Incident response costs related to the use of negotiators, public relations consultants, security and computer forensic consultants, programmers, replacement systems, etc.

Financial institutions can attempt to insure against these risks through existing blanket bond insurance coverage added on to address specific threats. It is important that financial institutions understand the extent of coverage and the requirements governing the reimbursement of claims. For example, financial institutions should understand the extent of coverage available in the event of security breaches at a third-party service provider. In such a case, the institution may want to consider contractual requirements that require service providers to maintain adequate insurance to cover security incidents.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.5.5 Network-Related Vulnerabilities

The risk assessment concurred with the general approach taken by HGA, but identified several vulnerabilities. It reiterated previous concerns about the lack of assurance associated with the server's access controls and pointed out that these play a critical role in HGA's approach. The assessment noted that the e-mail utility allows a user to include a copy of any otherwise accessible file in an outgoing mail message. If an attacker dialed in to the server and succeeded in logging in as an HGA employee, the attacker could use the mail utility to export copies of all the files accessible to that employee. In fact, copies could be mailed to any host on the Internet.

The assessment also noted that the WAN service provider may rely on microwave stations or satellites as relay points, thereby exposing HGA's information to eavesdropping. Similarly, any information, including passwords and mail messages, transmitted during a dial-in session is subject to eavesdropping.

20.6 Recommendations for Mitigating the Identified Vulnerabilities

The discussions in the following subsections were chosen to illustrate a broad sampling of handbook topics. Risk management and security program management themes are integral throughout, with particular emphasis given to the selection of risk-driven safeguards.


PLEASE NOTE:
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.