R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 17, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI - The FFIEC members revised and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks and the increased focus on ongoing, enterprise-wide business continuity and resilience. The new Handbook can be found at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx

Google will offer checking accounts next year, report says - The tech giant is reportedly partnering with Citigroup and a credit union at Stanford University. Google reportedly plans to start offering checking accounts to consumers next year. The accounts will be run by Citigroup and a credit union at Stanford University, according to a report Wednesday from The Wall Street Journal. https://www.cnet.com/news/walmart-black-friday-2019-the-best-deals-right-now/?ftag=CAD-04-10aae9d&bhid=21042800436046731107236282841599

The Growth and Challenges of Cyber Insurance - Cyberattacks have grown in frequency and cost over the past decade, with high-profile cases, such as the 2013 Target data breach, the 2017 Equifax data breach, and the leak of Democratic National Committee emails during the 2016 election making national headlines. https://www.chicagofed.org/publications/chicago-fed-letter/2019/426

Report: Recently breached Capital One reassigns its CISO - Capital One Financial Corporation is reportedly reassigning its chief information security officer to an advisory role, less than four months after the bank holding company disclosed a data breach affecting more than 100 million individuals. https://www.scmagazine.com/home/security-news/data-breach/report-recently-breached-capital-one-reassigns-its-ciso/

Aventura Technologies sold Chinese-made security gear with bugs to gov’t, feds say - Commack, N.Y.-based Aventura Technologies and seven of its current and former employees were charged in Brooklyn federal court today with defrauding customers. https://www.scmagazine.com/home/security-news/aventura-technologies-sold-chinese-made-security-gear-with-bugs-to-govt-feds-say/

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks - Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/

Why weakening COPPA could put children at risk online - Privacy fines have been rolling in by the millions this year, and one of the more high-profile fines is the $170 million fine imposed by the FTC on Google for violating the Children’s Online Privacy Protection Act (COPPA). https://www.scmagazine.com/home/opinion/executive-insight/why-weakening-coppa-could-put-children-at-risk-online/

Ransomware forces New Mexico school district to scrub 30,000 devices - A New Mexico school district that had its systems infected by ransomware last month is now having to scrub the hard drives of about 30,000 devices, district officials announced Thursday. https://edscoop.com/ransomware-forces-new-mexico-school-district-scrub-30000-devices/

Texas Health Agency Fined $1.6m for Data Breach - A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online. https://www.infosecurity-magazine.com/news/texas-health-agency-fined-for-data/

Ransom payments averaging $41,000 per incident - The average ransom payment paid out by victims increased 13 percent, to $41,000, during the last three months, but researchers noted the rate of increase has plateaued. https://www.scmagazine.com/home/security-news/ransomware/ransom-payments-averaging-41000-per-incident/

Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded - The claim made by the Mexican state-owned petroleum corporation Pemex that it had recovered from a Nov. 10 cyberattack was met with some skepticism, as published reports indicate the attack may be still affecting the company. https://www.scmagazine.com/home/security-news/cyberattack/pemex-claims-victory-over-cyberattack-4-9-million-ransom-reportedly-demanded/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Maine’s InterMed suffers data breach, 30,000 affected - The Portland, Maine healthcare provider InterMed is informing about 30,000 patients that some of their PHI has been involved in a data breach. https://www.scmagazine.com/home/security-news/data-breach/maines-intermed-suffers-data-breach-30000-affected/

Trend Micro hit with insider attack - Trend Micro was the target of an insider threat that saw about 100,000 of its consumer customers have their account information stolen, sold and used to make scam phone calls. https://www.scmagazine.com/home/security-news/insider-threats/trend-micro-hit-with-insider-attack/

Canadian Nunavut government systems crippled by ransomware - The lockdown has impacted medical, legal, and social services. https://www.zdnet.com/article/canadian-nunavut-government-systems-crippled-by-ransomware/

Ransomware attack knocks SmarterASP.net customers offline - SmarterASP.net reported it was hit with a ransomware attack over the weekend that encrypted and knocked offline many of the hosting service's customer accounts. https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-knocks-smarterasp-net-customers-knocked-offline/

Ransomware attack at Mexico's Pemex halts work, threatens to cripple computers - A ransomware attack hit computer servers and halted administrative work on Monday at Mexican state oil firm Pemex, according to employees and internal emails, in hackers’ latest bid to wring ransom from a major company. https://www.reuters.com/article/us-mexico-pemex/ransomware-attack-at-mexicos-pemex-halts-work-threatens-to-cripple-computers-idUSKBN1XM041



WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs.  (8 of 12)
  

  Containment

  
  During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.
  
  Establish notification escalation procedures.
  
  
If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff and senior department managers with information about how containment actions will affect business operations or systems and including these individuals in the decision-making process can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.
  
  Document details, conversations, and actions.
  
  
Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
  
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
   
  System Patches
   
  
Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Financial institutions should have an effective monitoring process to identify new vulnerabilities in their hardware and software.  Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch.
   
   Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade system performance. Also, patches may introduce new vulnerabilities, or reintroduce old vulnerabilities. The following considerations can help ensure patches do not compromise the security of systems:
   
   ! Obtain the patch from a known, trusted source;
   ! Verify the integrity of the patch through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch;
   ! Apply the patch to an isolated test system and verify that the patch (1) is compatible with other software used on systems to which the patch will be applied, (2) does not alter the system's security posture in unexpected ways, such as altering log settings, and (3) corrects the pertinent vulnerability;
   ! Back up production systems prior to applying the patch;
   ! Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive;
   ! Test the resulting system for known vulnerabilities;
   ! Update the master configurations used to build new systems;
   ! Create and document an audit trail of all changes; and
   ! Seek additional expertise as necessary to maintain a secure computing environment.
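The patch-handling steps listed above, worked through as an added Python example that is not part of the FFIEC booklet or this newsletter: a downloaded patch is checked against a vendor-published SHA-256 digest before anything is applied (constant-time comparison via hmac.compare_digest), checksums of key files are recorded before and after the change so anything the patch touched unexpectedly (a log setting, for instance) stands out, the checksum baseline is replaced with the post-patch values, and every attempt, rejected or applied, is appended to a JSON-lines audit trail. The patch format (a JSON object mapping a target path to new file contents), the file names, and the "vendor" digest are constructed for the demo; in practice the digest or signature comes from the vendor through a channel separate from the download itself.

```python
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large patch bundles need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(patch_path: Path, expected_sha256: str) -> bool:
    """Compare the downloaded patch against the digest the vendor published out of band.
    hmac.compare_digest avoids a short-circuit string comparison."""
    return hmac.compare_digest(sha256_file(patch_path), expected_sha256.lower())


def baseline(key_files) -> dict:
    """Checksum the key files change control watches (binaries, config, log settings)."""
    return {str(p): sha256_file(p) for p in key_files}


def diff_baseline(before: dict, after: dict) -> dict:
    """List what the patch actually touched, so unexpected changes stand out in review."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def _append_audit(audit_log: Path, record: dict) -> None:
    """One JSON line per action: the audit trail of all changes."""
    with open(audit_log, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def apply_patch(patch_path: Path, expected_sha256: str, key_files, audit_log: Path) -> dict:
    """Verify, apply, re-baseline and record. The patch format is a constructed stand-in:
    a JSON object mapping target file path -> new file contents (assumption for the demo)."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "patch": str(patch_path),
        "expected_sha256": expected_sha256,
    }
    if not verify_patch(patch_path, expected_sha256):
        # Wrong or altered patch: nothing is written, but the attempt is still logged.
        record["result"] = "rejected: digest mismatch"
        _append_audit(audit_log, record)
        return record
    before = baseline(key_files)
    for target, contents in json.loads(patch_path.read_text()).items():
        Path(target).write_text(contents)
    after = baseline(key_files)
    record["result"] = "applied"
    record["changes"] = diff_baseline(before, after)
    record["new_baseline"] = after          # replaces the stored checksums of key files
    _append_audit(audit_log, record)
    return record


def demo() -> tuple:
    """Constructed scenario: one genuine patch and one tampered copy, in a temp directory."""
    root = Path(tempfile.mkdtemp())
    app, log_conf = root / "app.bin", root / "logging.conf"
    app.write_text("v1.0")
    log_conf.write_text("level=INFO")
    key_files = [app, log_conf]
    audit = root / "patch-audit.jsonl"

    good = root / "patch-1.1.json"
    good.write_text(json.dumps({str(app): "v1.1"}))
    vendor_digest = sha256_file(good)   # stands in for the digest the vendor publishes

    # A tampered copy that would also silence logging if it were applied.
    tampered = root / "patch-1.1-tampered.json"
    tampered.write_text(json.dumps({str(app): "v1.1", str(log_conf): "level=OFF"}))

    rejected = apply_patch(tampered, vendor_digest, key_files, audit)
    applied = apply_patch(good, vendor_digest, key_files, audit)
    return rejected, applied, app.read_text(), log_conf.read_text()


if __name__ == "__main__":
    rej, ok, *_ = demo()
    print(rej["result"])                       # rejected: digest mismatch
    print(ok["result"], ok["changes"]["changed"])
```

The tampered copy is refused before any file is written, and the audit line for it records the expected digest so a reviewer can see what was compared. After the genuine patch, the "changed" list contains only app.bin; a patch that also altered logging.conf would show up there, which is the "does not alter the system's security posture in unexpected ways" check from the list above expressed as a file-level diff.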


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 2 - ELEMENTS OF COMPUTER SECURITY
 
 2.1 Computer Security Supports the Mission of the Organization.
 
 The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Unfortunately, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. On the contrary, well-chosen security rules and procedures do not exist for their own sake -- they are put in place to protect important assets and thereby support the overall organizational mission.
 
 Security, therefore, is a means to an end and not an end in itself. For example, in a private-sector business, having good security is usually secondary to the need to make a profit. Security, then, ought to increase the firm's ability to make a profit. In a public-sector agency, security is usually secondary to the agency's service provided to citizens. Security, then, ought to help improve the service provided to the citizen.
 
 To act on this, managers need to understand both their organizational mission and how each information system supports that mission. After a system's role has been defined, the security requirements implicit in that role can be defined. Security can then be explicitly stated in terms of the organization's mission.
 
 The roles and functions of a system may not be constrained to a single organization. In an interorganizational system, each organization benefits from securing the system. For example, for electronic commerce to be successful, each of the participants requires security controls to protect their resources. However, good security on the buyer's system also benefits the seller; the buyer's system is less likely to be used for fraud or to be unavailable or otherwise negatively affect the seller. (The reverse is also true.)


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.