R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

December 22, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI
- The FFIEC members revised and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks and the increased focus on ongoing, enterprise-wide business continuity and resilience. The new Handbook can be found at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx

PHONE NUMBER CHANGE - Because of the never-ending fee increases, I am going to stop using my AT&T business landline in January 2020.  If you have not already done so, please change our phone number to my cell phone 806-535-8300.

FYI - Mobile devices blur work and personal privacy raising cyber risks - Date: December 5, 2019; Source: Queensland University of Technology; Summary: Organizations aren't moving quickly enough on cyber security threats linked to the drive toward using personal mobile devices in the workplace. https://www.sciencedaily.com/releases/2019/12/191205141759.htm

Dread Zeppelin: Ransomware targets health care and IT sectors in U.S., Europe - Cybercriminals have spun off a ransomware that was originally known to target Russian organizations into a new malicious encryptor used in targeted campaigns against strategically selected health care and IT companies in America and Europe. https://www.scmagazine.com/home/security-news/ransomware/dread-zeppelin-ransomware-targets-health-care-and-it-sectors-in-u-s-europe/

IoT gear is generating easy-to-crack keys - Poor entropy in embedded devices leading to weaker certificates - A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve. https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/

Blue Cross Blue Shield scrambling to improve cybersecurity - Blue Cross Blue Shield of Minnesota is scrambling to improve its cybersecurity after an internal whistleblower raised concerns that the state's largest health insurer has neglected thousands of important updates to its computer system. https://kstp.com/medical/blue-cross-blue-shield-scrambling-to-improve-cybersecurity/5580976/

Hardware-based Password Managers Store Credentials in Plaintext - A security researcher has analyzed three hardware-based password vaults and discovered that credentials are stored in plaintext and survive hardware resets. https://www.securityweek.com/hardware-based-password-managers-store-credentials-plaintext

Hackensack Meridian Health pays undisclosed ransom payment - Hackensack Meridian Health was forced to pay cyberattackers a ransom in order to regain access to its network. https://www.scmagazine.com/home/security-news/ransomware/hackensack-meridian-health-pays-undisclosed-ransom-payment/

Ring camera hacks show the need for better IoT security - Ring camera doorbells gained fame for catching porch pirates stealing packages, but after several high-profile cases where hackers gained control of them, they are being held up by the cybersecurity industry as a prime example of why companies and homeowners need to take IoT security seriously. https://www.scmagazine.com/home/security-news/iot/ring-camera-hacks-show-the-need-for-better-iot-security/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - New Orleans hamstrung by ransomware attack - The mayor of New Orleans Friday declared a state of emergency after the city detected what is now believed to be a Ryuk ransomware attack. https://www.scmagazine.com/home/security-news/ransomware/new-orleans-hamstrung-by-ransomware-attack/

Thousands of iPR Software Users Exposed on Amazon S3 Bucket - A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal. https://www.securityweek.com/thousands-ipr-software-users-exposed-amazon-s3-bucket

Waco water bill attack just the latest in a wave of Click2Gov breaches - The City of Waco has warned residents that their online payments for water services may have been intercepted by hackers who stole credit card details. https://securityboulevard.com/2019/12/waco-water-bill-attack-just-the-latest-in-a-wave-of-click2gov-breaches/

1.6 billion LightInTheBox customer records left exposed - An unsecured database operated by the online retailer LightInTheBox left 1.3TB of data containing 1.6 billion shopper records exposed for a three-month period this year. https://www.scmagazine.com/home/security-news/data-breach/1-6-billion-lightinthebox-customer-records-left-exposed/

NJ’s largest hospital system forced to pay ransom in cyber attack - New Jersey’s largest hospital system said Friday that a ransomware attack last week disrupted its computer network and that it paid a ransom to stop it. https://nj1015.com/nj-largest-hospital-system-forced-to-pay-ransom-in-cyber-attack/

Thief Stole Payroll Data for Thousands of Facebook Employees - Personal banking information for tens of thousands of Facebook Inc. workers in the U.S. was compromised last month when a thief stole several corporate hard drives from an employee’s car. https://www.bloomberg.com/news/articles/2019-12-13/thief-stole-payroll-data-for-thousands-of-facebook-employees

LifeLabs pays ransom to regain stolen data, 15 million affected - The Canadian health diagnostics firm LifeLabs reported it paid cybercriminals an undisclosed amount of money to retrieve customer data stolen in a recent cyberattack. https://www.scmagazine.com/home/security-news/ransomware/lifelabs-pays-ransom-to-regain-stolen-data-15-million-affected/

Galt city hall, St. Lucie police hit with ransomware - Just days after New Orleans revealed it was victimized by a ransomware attack, smaller municipalities in Florida and California reported being hit. https://www.scmagazine.com/home/security-news/ransomware/galt-st-lucie-police-hit-with-ransomware/



WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents  (Part 1 of 5)
  
  
BACKGROUND
  
  Web-site spoofing is a method of creating fraudulent Web sites that look similar, if not identical, to an actual site, such as that of a bank.  Customers are typically directed to these spoofed Web sites through phishing schemes or pharming techniques.  Once at the spoofed Web site, the customers are enticed to enter information such as their Internet banking username and password, credit card information, or other information that could enable a criminal to use the customers' accounts to commit fraud or steal the customers' identities.  Spoofing exposes a bank to strategic, operational, and reputational risks; jeopardizes the privacy of bank customers; and exposes banks and their customers to the risk of financial fraud.
  
  PROCEDURES TO ADDRESS SPOOFING
  
  Banks can mitigate the risks of Web-site spoofing by implementing the identification and response procedures discussed in this bulletin.  A bank also can help minimize the impact of a spoofing incident by assigning certain bank employees responsibility for responding to such incidents and training them in the steps necessary to respond effectively.  If a bank's Internet activities are outsourced, the bank can address spoofing risks by ensuring that its contracts with its technology service providers stipulate appropriate procedures for detecting and reporting spoofing incidents, and that the service provider's process for responding to such incidents is integrated with the bank's own internal procedures.
  
  Banks can improve the effectiveness of their response procedures by establishing contacts with the Federal Bureau of Investigation (FBI) and local law enforcement authorities in advance of any spoofing incident.  These contacts should involve the appropriate departments and officials responsible for investigating computer security incidents.  Effective procedures should also include appropriate time frames to seek law enforcement involvement, taking note of the nature and type of information and resources that may be available to the bank, as well as the ability of law enforcement authorities to act rapidly to protect the bank and its customers.
  
  Additionally, banks can use customer education programs to mitigate some of the risks associated with spoofing attacks. Education efforts can include statement stuffers and Web-site alerts explaining various Internet-related scams, including the use of fraudulent e-mails and Web-sites in phishing attacks.  In addition, because the attacks can exploit vulnerabilities in Web browsers and/or operating systems, banks should consider reminding their customers of the importance of safe computing practices.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   
LOGGING AND DATA COLLECTION (Part 1 of 2)
   
   Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.
   
   An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent:
   
   ! Inbound and outbound Internet traffic,
   ! Internal network traffic,
   ! Firewall events,
   ! Intrusion detection system events,
   ! Network and host performance,
   ! Operating system access (especially high-level administrative or root access),
   ! Application access (especially users and objects with write and execute privileges), and
   ! Remote access.
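As an added example (not from the FFIEC booklet or this newsletter), the following Python script runs a simple review pass over a handful of constructed auth-log lines that fall into two of the categories above: operating-system access (root and administrative use) and remote access. It flags repeated failed logins from one source, a successful login from a source that had just been failing, any network login directly as root, and sudo use to root. The syslog/sshd line format, the threshold of three failures, and the sample lines themselves are assumptions made for the illustration, not the booklet's requirements.

```python
"""Added example: minimal review of constructed sshd/sudo log lines.

The booklet asks that logs of OS access (especially root/administrative) and
remote access be collected and reviewed for unauthorized access attempts.
This script shows one such review: it parses each line, keeps a running
count of failed logins per source address, and emits findings an analyst
would want to see first. Format, threshold and data are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in syslog/sshd style (RFC 5737 test addresses); not real data.
SAMPLE_LOG = """\
Dec 20 08:01:12 core01 sshd[4101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Dec 20 08:01:15 core01 sshd[4101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Dec 20 08:01:19 core01 sshd[4103]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Dec 20 08:01:23 core01 sshd[4105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec 20 08:01:27 core01 sshd[4107]: Failed password for root from 203.0.113.7 port 51028 ssh2
Dec 20 08:01:31 core01 sshd[4109]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Dec 20 08:05:02 core01 sshd[4120]: Accepted publickey for jsmith from 10.10.4.15 port 40212 ssh2
Dec 20 08:06:44 core01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/systemctl restart httpd
Dec 20 08:09:10 core01 sshd[4130]: Failed password for invalid user oracle from 198.51.100.9 port 33011 ssh2
"""

# Outer syslog envelope: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication result lines
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# sudo command lines: who ran what as whom
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

FAIL_THRESHOLD = 3  # assumed for this example; set from the institution's own policy


def parse(text):
    """Yield one dict per line. Unrecognized lines are kept as kind='unparsed'
    so a review can see that something was not understood rather than drop it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            yield {"kind": "unparsed", "raw": line}
            continue
        ev = m.groupdict()
        ssh = SSH_RE.match(ev["msg"])
        sudo = SUDO_RE.match(ev["msg"].strip())
        if ev["proc"] == "sshd" and ssh:
            ev.update(kind="ssh", **ssh.groupdict())
        elif ev["proc"] == "sudo" and sudo:
            ev.update(kind="sudo", **sudo.groupdict())
        else:
            ev["kind"] = "other"
        yield ev


def review(text, threshold=FAIL_THRESHOLD):
    """Return a list of (finding, detail) tuples in log order."""
    findings = []
    fails = defaultdict(int)  # source address -> consecutive failed logins
    for ev in parse(text):
        if ev["kind"] == "ssh":
            src, user = ev["src"], ev["user"]
            if ev["result"] == "Failed":
                fails[src] += 1
                if fails[src] == threshold:  # report once, when the threshold is crossed
                    findings.append(("repeated_failures", f"{src}: {threshold} failed logins"))
            else:  # Accepted
                if fails[src] >= threshold:  # guessing that then succeeds is the case to chase
                    findings.append(("success_after_failures", f"{src} -> {user} after {fails[src]} failures"))
                if user == "root":  # direct remote root login is the booklet's "especially" case
                    findings.append(("remote_root_login", f"{src} logged in as root via {ev['method']}"))
                fails[src] = 0
        elif ev["kind"] == "sudo" and ev["target"] == "root":
            findings.append(("privilege_use", f"{ev['user']} ran as root: {ev['cmd']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind:24s} {detail}")
```

On the sample data this reports the three-failure burst from 203.0.113.7, the root login that followed it, the remote root login itself, and the sudo-to-root command; the ordinary key-based login and the single failure from 198.51.100.9 stay below the threshold and are not reported. A real deployment would read from the institution's central log store rather than an inline string, and would key the failure counter on more than source address (user, host) where source NAT hides individual clients.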



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 3.2 Computer Security Management
 
 The Computer Security Program Manager (and support staff) directs the organization's day-to-day management of its computer security program. This individual is also responsible for coordinating all security-related interactions among organizational elements involved in the computer security program -- as well as those external to the organization.
 
 3.3 Program and Functional Managers/Application Owners
 
 Program or Functional Managers/Application Owners are responsible for a program or function (e.g., procurement or payroll) including the supporting computer system. Their responsibilities include providing for appropriate security, including management, operational, and technical controls. These officials are usually assisted by a technical staff that oversees the actual workings of the system. This kind of support is no different for other staff members who work on other program implementation issues.
 
 Also, the program or functional manager/application owner is often aided by a Security Officer (frequently dedicated to that system, particularly if it is large or critical to the organization) in developing and implementing security requirements.
 
 What is a Program/Functional Manager?
 
 The term program/functional manager or application owner may not be familiar or immediately apparent to all readers. The examples provided below should help the reader better understand this important concept. In reviewing these examples, note that computer systems often serve more than one group or function.
 
 Example 1. A personnel system serves an entire organization. However, the Personnel Manager would normally be the application owner. This applies even if the application is distributed so that supervisors and clerks throughout the organization use and update the system.
 
 Example 2. A federal benefits system provides monthly benefit checks to 500,000 citizens. The processing is done at a mainframe data center. The Benefits Program Manager is the application owner.
 
 Example 3. A mainframe data processing organization supports several large applications. The mainframe director is not the Functional Manager for any of the applications.
 
 Example 4. A 100-person division has a diverse collection of personal computers, workstations, and minicomputers used for general office support, Internet connectivity, and computer-oriented research. The division director would normally be the Functional Manager responsible for the system.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.