R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 29, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI
- The FFIEC members revised and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks and the increased focus on ongoing, enterprise-wide business continuity and resilience. The new Handbook can be found at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx

PHONE NUMBER CHANGE - Because of the ever-increasing fees, I am going to stop using my AT&T business landline in January 2020.  If you have not already done so, please change our phone number to my cell phone 806-535-8300.

FYI - The Year 2019 in Review: Same Threats, More Targets - In 2019, almost ten years after the discovery of Stuxnet, the United States fell victim to the first cyberattack that disrupted operations in the electrical grid. https://www.cfr.org/blog/year-2019-review-same-threats-more-targets

2019 Data breaches - In October, the name, birth date, mother's name, gender and tax details including taxpayer IDs of 92 million Brazilians were exposed when a 16GB Brazilian government SQL database was found for sale on a dark web forum. https://www.scmagazine.com/home/security-news/features/2019-data-breaches/

LifeLabs pays ransom to regain stolen data, 15 million affected - The Canadian health diagnostics firm LifeLabs reported it paid cybercriminals an undisclosed amount of money to retrieve customer data stolen in a recent cyberattack. https://www.scmagazine.com/home/security-news/ransomware/lifelabs-pays-ransom-to-regain-stolen-data-15-million-affected/

Doxed credit card data has two hours max before it’s nabbed - Sure, we all know that ripped-off payment card details – like these! – sell like hot potatoes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime. https://nakedsecurity.sophos.com/2019/12/18/doxed-credit-card-data-has-two-hours-max-before-its-nabbed/

123456 still a popular password - Among the banes of existence for any human living in the 21st century is the need to periodically choose, change and remember numerous passwords, which partly explains why nearly 3 percent of computer users chose 123456 in 2019. https://www.scmagazine.com/home/security-news/privacy-compliance/123456-still-a-popular-password/

California Consumer Privacy Act: Challenge and Opportunity - Next year will bring a new data privacy regulation in California, and it’ll pose a big challenge — and a big opportunity — for companies in and outside of the state. https://www.scmagazine.com/home/opinion/executive-insight/california-consumper-privacy-act-challenge-and-opportunity/

Phishing operation picking on Canadian banks since at least 2017 - Researchers recently discovered a large-scale phishing email operation that has been targeting primarily customers of Canadian banking chains since at least 2017. https://www.scmagazine.com/home/security-news/phishing/phishing-operation-picks-on-canadian-banks-since-at-least-2017/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Open dark web database exposes info on 267 million Facebook - An unsecured database on the dark web left the personal information of more than 267 million Facebook users, mostly in the U.S., exposed. https://www.scmagazine.com/home/security-news/database-security/open-dark-web-database-exposes-info-on-267-million-facebook/

Open database exposes 26,000 Honda Motors customers - A Honda Motor Company Elasticsearch cluster containing 976 million records affecting about 26,000 customers and containing information on Honda vehicle owners was found exposed. https://www.scmagazine.com/home/security-news/database-security/open-database-exposes-26000-honda-motors-customers/

218M ‘Words with Friends’ players’ data reportedly stolen in Zynga hack (Updated) - Popular social game developer Zynga has reportedly become the latest victim of a massive data breach impacting some 218 million Words with Friends accounts. https://thenextweb.com/security/2019/10/01/218m-words-with-friends-players-data-reportedly-stolen-in-zynga-hack/

Frankfurt shuts down IT network following Emotet infection - Frankfurt city officials took down the IT network to prevent Emotet from being used as a staging point to launch a ransomware attack. https://www.zdnet.com/article/frankfurt-shuts-down-it-network-following-emotet-infection/

5 things you need to know about the cyberattack on the city of Galt - A Sacramento County community is the victim of a cyberattack after hackers got into Galt's computer system, shutting down its network and phone lines. https://www.kcra.com/article/cyber-attack-galt-sacramento-county-california/30262868#

More than 38,000 people will stand in line this week to get a new password - A non-standard and somewhat weird password reset operation is currently underway at a German university, where more than 38,000 students and staff were asked this week to stand in line with their ID card and a piece of paper to receive new passwords for their email accounts. https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/



WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)
  
  
PROCEDURES TO ADDRESS SPOOFING - Detection
  
  Banks can improve their ability to detect spoofing by monitoring appropriate information available inside the bank and by searching the Internet for illegal or unauthorized use of bank names and trademarks.  The following is a list of possible indicators of Web-site spoofing:
  
  *  E-mail messages returned to bank mail servers that were not originally sent by the bank.  In some cases, these e-mails may contain links to spoofed Web sites;
  *  Reviews of Web-server logs can reveal links to suspect Web addresses indicating that the bank's Web site is being copied or that other malicious activity is taking place;
  *  An increase in customer calls to call centers or other bank personnel, or direct communications from consumers reporting spoofing activity.
  
  Banks can also detect spoofing by searching the Internet for identifiers associated with the bank such as the name of a company or bank.  Banks can use available search engines and other tools to monitor Web sites, bulletin boards, news reports, chat rooms, newsgroups, and other forums to identify usage of a specific company or bank name.  The searches may uncover recent registrations of domain names similar to the bank's domain name before they are used to spoof the bank's Web site.  Banks can conduct this monitoring in-house or can contract with third parties who provide monitoring services.
  
  Banks can encourage customers and consumers to assist in the identification process by providing prominent links on their Web pages or telephone contact numbers through which customers and consumers can report phishing or other fraudulent activities.
  
  Banks can also train customer-service personnel to identify and report customer calls that may stem from potential Web-site attacks.
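As an added example, not part of the OCC guidance, the following Python scans constructed web-server log lines for two of the indicators above: requests for the bank's image or style files whose Referer is an outside site (a copied page is often still loading the original's assets) and referring domains that look like the bank's own.  The bank domain, the log lines and the lookalike rule are the example's own assumptions; is_lookalike can equally be run over a list of newly registered domain names.

```python
import re
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.com"  # assumed bank domain for this example

# Constructed sample log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2019:10:01:02 -0600] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.examplebank.com/login" "Mozilla/5.0"
203.0.113.9 - - [29/Dec/2019:10:02:15 -0600] "GET /img/logo.png HTTP/1.1" 200 5120 "http://examp1ebank.com/secure/login.php" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2019:10:03:40 -0600] "GET /css/site.css HTTP/1.1" 200 2048 "http://online-examplebank-verify.net/" "Mozilla/5.0"
198.51.100.8 - - [29/Dec/2019:10:04:01 -0600] "GET /about HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')
ASSET_RE = re.compile(r"\.(png|gif|jpe?g|css|js|ico)$", re.IGNORECASE)

def levenshtein(a, b):
    # Edit distance, used to catch one- or two-character lookalike names.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_bank_host(host):
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)

def is_lookalike(host):
    # A non-bank host that embeds the bank's name or is within 2 edits of it.
    if is_bank_host(host):
        return False
    bank_label = BANK_DOMAIN.split(".")[0]
    host_label = host.split(".")[-2] if "." in host else host
    return bank_label in host or levenshtein(host_label, bank_label) <= 2

def find_spoofing_indicators(log_text):
    # Return (referring_host, requested_path, lookalike?) for asset requests whose
    # Referer is outside the bank, i.e. someone else's page is embedding our files.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, _ts, _method, path, _status, referer = m.groups()
        host = (urlparse(referer).hostname or "") if referer != "-" else ""
        if host and not is_bank_host(host) and ASSET_RE.search(path):
            findings.append((host, path, is_lookalike(host)))
    return findings
```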


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   
LOGGING AND DATA COLLECTION (Part 2 of 2)
   
   
When evaluating whether and what data to log, institutions should consider the importance of the related system or information, the importance of monitoring the access controls, the value of logged data in restoring a compromised system, and the means to effectively analyze the data. Generally, logs should capture source identification information; session ID; terminal ID; and the date, time, and the nature of the access attempt, service request, or process. Many hardware and software products come with logging disabled and may have inadequate log analysis and reporting capabilities. Institutions may have to enable the logging capabilities and then verify that logging remains enabled after rebooting. In some cases, additional software will provide the only means to analyze the log files effectively.
   
   Many products such as firewall and intrusion detection software can simplify the security monitoring by automating the analysis of the logs and alerting the appropriate personnel of suspicious activity. Log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information. Intruders will often attempt to conceal any unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files. Some considerations for securing the integrity of log files include:
   
   ! Encrypting log files that contain sensitive data or that are transmitted over the network,
   ! Ensuring adequate storage capacity to avoid gaps in data gathering,
   ! Securing backup and disposal of log files,
   ! Logging the data to a separate, isolated computer,
   ! Logging the data to write-only media like a write-once/read-many (WORM) disk or drive,
   ! Utilizing centralized logging, such as the UNIX "SYSLOG" utility, and
   ! Setting logging parameters to disallow any modification to previously written data.
   
   The financial institution should have an effective means of tracing a security event through its systems. Synchronized time stamps on network devices may be necessary to gather consistent logs and a consistent audit trail. Additionally, logs should be available, when needed, for incident detection, analysis and response.
   
   When using logs to support personnel actions, management should consult with counsel about whether the logs are sufficiently reliable to support the action.
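As an added example, not from the FFIEC booklet, the following Python writes records carrying the fields listed above (source, session ID, terminal ID, timestamp and the nature of the access) into a hash chain, so that editing or deleting an earlier entry is detected at verification time; the field names, record format and sample events are the example's own assumptions.  The latest hash must be held on the separate log host or WORM media the booklet recommends, otherwise whoever can edit the file can simply recompute the chain.

```python
import hashlib
import json
GENESIS = "0" * 64  # chain anchor for the first record

def canonical(body):
    # Stable serialization so the hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_record(prev_hash, source, session_id, terminal_id, action, ts):
    # ts is an ISO-8601 UTC timestamp so entries from several hosts order consistently.
    body = {"ts": ts, "source": source, "session_id": session_id,
            "terminal_id": terminal_id, "action": action, "prev": prev_hash}
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return body

def append_records(events):
    """Build a chain from (source, session_id, terminal_id, action, ts) tuples."""
    chain, prev = [], GENESIS
    for ev in events:
        chain.append(make_record(prev, *ev))
        prev = chain[-1]["hash"]
    return chain

def verify_chain(chain, expected_head=None):
    """(ok, first bad index); expected_head = latest hash kept on the isolated host."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)   # tail truncation only shows against the stored head
    return True, None

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ("203.0.113.5", "sess-1", "TERM01", "login success", "2019-12-29T16:01:02+00:00"),
    ("203.0.113.5", "sess-1", "TERM01", "view account 1234", "2019-12-29T16:01:30+00:00"),
    ("198.51.100.7", "sess-2", "TERM07", "login failed", "2019-12-29T16:02:00+00:00"),
]

def demo_tamper():
    chain = append_records(SAMPLE_EVENTS)
    head = chain[-1]["hash"]                # what the isolated log host would hold
    edited = [dict(r) for r in chain]
    edited[2]["action"] = "login success"   # an attempt to rewrite a failed login
    deleted = chain[:1] + chain[2:]         # the middle entry removed
    truncated = chain[:2]                   # the newest entry dropped
    return (verify_chain(chain, head), verify_chain(edited, head),
            verify_chain(deleted, head), verify_chain(truncated, head))
```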



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 3.4 Technology Providers
 
 System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system. They also need to ensure the continuity of their services to meet the needs of functional managers and to analyze technical vulnerabilities in their systems (and their security implications). They are often a part of a larger Information Resources Management (IRM) organization.
 
 Communications / Telecommunications Staff. This office is normally responsible for providing communications services, including voice, data, video, and fax service. Their responsibilities for communication systems are similar to those that systems management officials have for their systems. The staff may not be separate from other technology service providers or the IRM office.
 
 System Security Manager/Officers. Often assisting system management officials in this effort is a system security manager/officer responsible for day-to-day security implementation / administration duties. Although not normally part of the computer security program management office, this officer is responsible for coordinating the security efforts of a particular system(s). This person works closely with system management personnel, the computer security program manager, and the program or functional manager's security officer. In fact, depending upon the organization, this may be the same individual as the program or functional manager's security officer. This person may or may not be a part of the organization's overall security office.
 
 Help Desk. Whether or not a Help Desk is tasked with incident handling, it needs to be able to recognize security incidents and refer the caller to the appropriate person or organization for a response.
 
 Who Should Be the Accrediting Official? (Note that accreditation is a formality unique to the government.)
 
 The Accrediting Officials are agency officials who have authority to accept an application's security safeguards and approve a system for operation. The Accrediting Officials must also be authorized to allocate resources to achieve acceptable security and to remedy security deficiencies. Without this authority, they cannot realistically take responsibility for the accreditation decision. In general, Accreditors are senior officials, who may be the Program or Function Manager/Application Owner. For some very sensitive applications, the Senior Executive Officer is appropriate as an Accrediting Official. In general, the more sensitive the application, the higher the Accrediting Officials are in the organization.
 
 Where privacy is a concern, federal managers can be held personally liable for security inadequacies. The issuing of the accreditation statement fixes security responsibility, thus making explicit a responsibility that might otherwise be implicit. Accreditors should consult the agency general counsel to determine their personal security liabilities.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.