R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

December 26, 2021

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


Virtual/remote IT audits - I am performing virtual/remote FFIEC IT/AIO audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.

FYI - Japan draws a LINE: web giants must reveal where they store user data - Looks a lot like a response to messaging services passing data through China - Social media and search engine operators in Japan will be required to specify the countries in which users' data is physically stored, under a planned tweak to local laws. https://www.theregister.com/2021/12/16/japan_data_location_requirement/

Industrial cybersecurity requires unique skills. A new apprenticeship program aims to hone them. - For all the effort that's been put into developing new generations of IT security experts to help fill the cyber skills gap, there is still much work to be done when it comes to exposing up-and-coming infosec pros to the kind of hybrid IT, OT and IoT environments that one would find in an industrial or critical infrastructure setting. https://www.scmagazine.com/analysis/careers/industrial-cybersecurity-requires-unique-skills-a-new-apprenticeship-program-aims-to-hone-them

CISA warns critical infrastructure to stay vigilant for ongoing threats - The Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure organizations today to strengthen their cybersecurity defenses against potential and ongoing threats. https://www.bleepingcomputer.com/news/security/cisa-warns-critical-infrastructure-to-stay-vigilant-for-ongoing-threats/

How to address the risks of removable devices for remote workers - A removable media policy dictates the acceptable use of USB flash drives and other portable storage devices. When used in tandem with USB restriction tools, these policies serve as a critical administrative safeguard for mitigating the data security risks of portable storage. https://www.scmagazine.com/perspective/hardware-security/how-to-address-the-risks-of-removable-devices-for-remote-workers

Amid a digital banking boom, banks struggle to identify compliance risks - Financial services institutions are beholden to a wide array of regulatory rules. But in recent months, with an unprecedented number of customers embracing digital access in the face of closed or limited-access branches, there are new threats and risks to consider for customers. https://www.scmagazine.com/analysis/compliance/amid-a-digital-banking-boom-banks-struggle-to-identify-compliance-risks

10 biggest healthcare data breaches of 2021 impact over 22.6M patients - The biggest healthcare data breaches reported in 2021 each impacted more than 1 million patients, with more than 22.64 million patients affected overall. https://www.scmagazine.com/feature/breach/10-biggest-healthcare-data-breaches-of-2021-impact-over-22-6m-patients


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Regional Cancer Care to pay $425K to New Jersey over 2019 data breach, HIPAA violations - The New Jersey Division of Consumer Affairs reached a settlement with Regional Cancer Care Associates over a 2019 data breach that impacted 105,200 patients. https://www.scmagazine.com/analysis/breach/regional-cancer-care-to-pay-425k-to-new-jersey-over-2019-data-breach-hipaa-violations

Billion-dollar natural gas supplier Superior Plus hit with ransomware - Superior Plus becomes the latest oil & gas company to suffer from a ransomware attack after Colonial Pipeline - Major natural gas supplier Superior Plus announced on Tuesday that it is suffering from a ransomware attack. https://www.zdnet.com/article/billion-dollar-natural-gas-supplier-superior-plus-hit-with-ransomware/

Western Digital tells its customers to update their My Cloud OS 5 NAS devices - Storage manufacturer Western Digital last week notified its customers that they needed to upgrade to My Cloud OS 5 to access their network-attached storage (NAS) devices remotely. https://www.scmagazine.com/news/cloud-security/western-digital-tells-its-customer-to-update-their-my-cloud-os-5-nas-devices

Belgian Defense Ministry confirms cyberattack through Log4j exploitation - The Defense Ministry said it first discovered the attack on Thursday. The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. https://www.zdnet.com/article/belgian-defense-ministry-confirms-cyberattack-through-log4j-exploitation/

Cybersecurity company identifies months-long attack on US federal commission - Both CISA and USCIRF refused to engage with the company after being notified repeatedly of the attack. https://www.zdnet.com/article/cybersecurity-company-identifies-months-long-attack-on-us-federal-commission/

Capital Region Medical Center reports system-wide network outage - Although the cause has yet to be disclosed, Capital Region Medical Center is currently experiencing a network telephone outage across its systems affecting its telephone and computers, according to a Friday social media post. https://www.scmagazine.com/analysis/breach/capital-region-medical-center-reports-system-wide-network-outage



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
    

  Board and Management Oversight - Principle 11: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the identity and regulatory status of the bank prior to entering into e-banking transactions.
    

    To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should ensure that adequate information is provided on their websites to allow customers to make informed conclusions about the identity and regulatory status of the bank before they enter into e-banking transactions.
    
    Examples of such information that a bank could provide on its own website include:
    
    1)  The name of the bank and the location of its head office (and local offices if applicable).
    
    2)  The identity of the primary bank supervisory authority(ies) responsible for the supervision of the bank's head office.
    
    3)  How customers can contact the bank's customer service center regarding service problems, complaints, suspected misuse of accounts, etc.
    
    4)  How customers can access and use applicable Ombudsman or consumer complaint schemes.
    
    5)  How customers can obtain access to information on applicable national compensation or deposit insurance coverage and the level of protection that they afford (or links to websites that provide such information).
    
    6)  Other information that may be appropriate or required by specific jurisdictions.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

   SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

   Routing (Part 1 of 2)

   Packets are moved through networks using routers, switches, and hubs. The unique IP address is commonly used in routing. Since users typically use text names instead of IP addresses for their addressing, the user's software must obtain the numeric IP address before sending the message. The IP addresses are obtained from the Domain Name System (DNS), a distributed database of text names (e.g., anybank.com) and their associated IP addresses. For example, financial institution customers might enter the URL of the Web site in their Web browser. The user's browser queries the domain name server for the IP associated with anybank.com. Once the IP is obtained, the message is sent. Although the example depicts an external address, DNS can also function on internal addresses.
   
   A router directs where data packets will go based on a table that links the destination IP address with the IP address of the next machine that should receive the packet. Packets are forwarded from router to router in that manner until they arrive at their destination.  Since the router reads the packet header and uses a table for routing, logic can be included that provides an initial means of access control by filtering the IP address and port information contained in the message header. Simply put, the router can refuse to forward, or forward to a quarantine or other restricted area, any packets that contain IP addresses or ports that the institution deems undesirable. Security policies should define the filtering required by the router, including the type of access permitted between sensitive source and destination IP addresses. Network administrators implement these policies by configuring an access configuration table, which creates a filtering router or a basic firewall.
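   As an added illustration (not text or code from the FFIEC booklet), the following Python models the access configuration table described above as a first-match filter over the source address, destination address and destination port in a packet header, with an explicit default deny and a check for rules that an earlier entry shadows. The networks, ports and rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "forward", "drop" or "quarantine"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

# Constructed policy (an assumption for this example): 10.10.0.0/16 holds the
# sensitive core-banking hosts, 10.20.0.0/24 is the administrators' subnet and
# the rest of 10.0.0.0/8 is ordinary staff.  Order matters: first match wins.
ACCESS_TABLE = [
    Rule("forward",    "10.20.0.0/24", "10.10.0.0/16", 443),   # admins to core, HTTPS only
    Rule("drop",       "0.0.0.0/0",    "10.10.0.0/16", None),  # nobody else reaches core
    Rule("quarantine", "0.0.0.0/0",    "0.0.0.0/0",    23),    # telnet diverted for inspection
    Rule("forward",    "10.0.0.0/8",   "0.0.0.0/0",    443),   # staff to external web
]
DEFAULT_ACTION = "drop"   # the table always ends in an explicit default deny

def decide(src_ip: str, dst_ip: str, dport: int,
           table: List[Rule] = ACCESS_TABLE) -> Tuple[str, Optional[int]]:
    """Action for one packet header plus the index of the rule that fired
    (None when the default applied)."""
    for i, rule in enumerate(table):
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, i
    return DEFAULT_ACTION, None

def shadowed_rules(table: List[Rule] = ACCESS_TABLE) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match - a common error as tables grow."""
    shadowed = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i)
                break
    return shadowed
```

   Running `shadowed_rules()` after every table change is the cheap review step that catches a permit or deny entry that a broader earlier rule has silently made dead.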
   
   A switch directs the path a message will take within the network. Switching works faster than IP routing because the switch only looks at the network address for each message and directs the message to the appropriate computer. Unlike routers, switches do not support packet filtering. Switches, however, are designed to send messages only to the device for which they were intended. The security benefits from that design can be defeated and traffic through a switch can be sniffed.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Chapter 17 - LOGICAL ACCESS CONTROL
  
  17.3.1.5 Security Labels
  
  A security label is a designation assigned to a resource (such as a file). Labels can be used for a variety of purposes, including controlling access, specifying protective measures, or indicating additional handling instructions. In many implementations, once this designator has been set, it cannot be changed (except perhaps under carefully controlled conditions that are subject to auditing).
  
  When used for access control, labels are also assigned to user sessions. Users are permitted to initiate sessions with specific labels only. For example, a file bearing the label "Organization Proprietary Information" would not be accessible (readable) except during user sessions with the corresponding label. Moreover, only a restricted set of users would be able to initiate such sessions. The labels of the session and those of the files accessed during the session are used, in turn, to label output from the session. This ensures that information is uniformly protected throughout its life on the system.
  
  Data Categorization - One tool that is used to increase the ease of security labeling is categorizing data by similar protection requirements. For example, a label could be developed for "organization proprietary data." This label would mark information that can be disclosed only to the organization's employees. Another label, "public data" could be used to mark information that is available to anyone.
  
  Labels are a very strong form of access control; however, they are often inflexible and can be expensive to administer. Unlike permission bits or access control lists, labels cannot ordinarily be changed. Since labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. By removing users' ability to arbitrarily designate the accessibility of files they own, opportunities for certain kinds of human errors and malicious software problems are eliminated. In the example above, it would not be possible to copy Organization Proprietary Information into a file with a different label. This prevents inappropriate disclosure, but can interfere with legitimate extraction of some information.
  
  Labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
  
  For systems with stringent security requirements (such as those processing national security information), labels may be useful in access control.
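  The following Python is an added example, not part of the NIST Handbook, of the label model this section describes: a label is fixed once set, a session can be opened only at a label its user is cleared for, a file is readable only when the session label dominates the file label, and session output is labelled from everything the session has read, so proprietary data cannot be copied into a lower-labelled file. The two-level label set and the user clearances are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed two-level label set (an assumption for this example).
LEVELS = {"public": 0, "organization proprietary": 1}

class LabelViolation(Exception): pass

def dominates(a: str, b: str) -> bool:
    """Label a may hold everything label b may hold."""
    return LEVELS[a] >= LEVELS[b]

@dataclass
class LabeledFile:
    name: str
    label: str
    content: str = ""

    def __setattr__(self, key, value):
        # A label is fixed once assigned; this example has no relabel path at all.
        if key == "label" and "label" in self.__dict__:
            raise LabelViolation(f"label of {self.name} cannot be changed")
        super().__setattr__(key, value)

class Session:
    def __init__(self, user: str, label: str, clearances: Dict[str, Set[str]]):
        # Only users cleared for a label may open a session carrying it.
        if label not in clearances.get(user, set()):
            raise LabelViolation(f"{user} may not open a '{label}' session")
        self.user, self.label = user, label
        self.high_water = label   # highest label read so far; output inherits it

    def read(self, f: LabeledFile) -> str:
        if not dominates(self.label, f.label):
            raise LabelViolation(f"'{self.label}' session may not read {f.name}")
        if dominates(f.label, self.high_water):
            self.high_water = f.label
        return f.content

    def write(self, store: Dict[str, LabeledFile], name: str, content: str) -> LabeledFile:
        """New output takes the session's high-water label; an existing file may
        be written only if its label dominates that, so data never flows down.
        This is also the inflexibility the Handbook notes: a proprietary session
        cannot produce a public file even from purely public inputs."""
        if name in store:
            if not dominates(store[name].label, self.high_water):
                raise LabelViolation(f"{name} is labelled below the session's data")
            store[name].content = content
        else:
            store[name] = LabeledFile(name, self.high_water, content)
        return store[name]
```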


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.