R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of October 13, 2019

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 


Newsletter Content IT Security IT Security Checklist
Web Site Compliance Internet Privacy Pen Testing Auditing


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for financial institutions in Texas, New Mexico, Colorado, and Oklahoma. 

FYI
- FBI alert: Ransomware attacks becoming increasingly targeted and costly - The FBI yesterday issued a new public service announcement regarding the ongoing ransomware epidemic, emphasizing that attacks are becoming more targeted since early 2018, with losses increasingly significantly in that time. https://www.scmagazine.com/home/security-news/ransomware/fbi-alert-ransomware-attacks-becoming-increasingly-targeted-and-costly/

State of Ransomware in the U.S.: 2019 Report for Q1 to Q3 - In the first nine months of 2019, at least 621 government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware. https://blog.emsisoft.com/en/34193/state-of-ransomware-in-the-u-s-2019-report-for-q1-to-q3/

ANU incident report on massive data breach is a must-read - The Australian National University has set a new standard for transparent data breach reporting. They didn't lose all 19 years of data, but they're no closer to understanding the attacker's motives. https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/

Feds to boost scrutiny of airliner cybersecurity vulnerabilities - The Department of Homeland Security, Pentagon and Department of Transportation plan to bolster an established program that investigates airliner cybersecurity vulnerabilities. https://www.scmagazine.com/home/security-news/vulnerabilities/feds-to-boost-scrutiny-of-airliner-cybersecurity-vulnerabilities/

DCH Health System pays ransomware attackers in bid to restore operations - Forced to turn away certain patients following a ransomware infection, West Alabaman medical center operator DCH Health System announced this past weekend that it has purchased a decryption key from the attackers in order to expedite recovery. https://www.scmagazine.com/home/security-news/ransomware/dch-health-system-pays-ransomware-attackers-in-bid-to-restore-operations/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ransomware attack forces DCH Health Systems to turn away patients - DCH Health Systems is turning away all but the most critical patients from its three hospitals in response to its computer network being rendered unusable by a ransomware attack. https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-forces-dch-health-systems-to-turn-away-patients/

Some Victorian hospitals are offline after ransomware hit - The incident uncovered on Monday has hit Gippsland Health Alliance and South West Alliance of Rural Health. https://www.zdnet.com/article/some-victorian-hospitals-are-offline-after-ransomware-hit/

Hy-Vee details 2019 POS data breach incident - Mid-Western supermarket chain Hy-Vee issued an update regarding the POS data breach it reported in August, including when it happened on the locations involved. https://www.scmagazine.com/home/security-news/data-breach/hy-vee-details-2019-pos-data-breach-incident/

1,600 Electronic Arts FIFA 20 players’ reg data compromised - An Electronic Arts website for its EA Sports FIFA 20 Global Series operated for about 30 minutes with a glitch during which time 1,600 users had their personal information exposed. https://www.scmagazine.com/home/security-news/privacy-compliance/1600-electronic-arts-fifa-20-players-reg-data-compromised/

Data on 92M Brazilians found for sale on underground forums - Several members-only dark web forums are reportedly auctioning what appears to be a stolen government database featuring the personal information of 92 million Brazilian citizens. https://www.scmagazine.com/home/security-news/data-breach/data-on-92m-brazilians-found-for-sale-on-underground-forums/

Stolen credentials used to access TransUnion Canada’s consumer credit files - A malicious actor used stolen credentials to access a web portal operated by credit reporting agency TransUnion Canada and then used that portal to access consumer files. https://www.scmagazine.com/home/security-news/stolen-credentials-used-to-access-transunion-canadas-consumer-credit-files/


Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (4 of 12)
  
  
Reaction Procedures
  

  Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.
  
  Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.


Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
  
  Security Controls in Application Software

  
  Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in correct sequence (see the booklet "Computer Operations" for additional considerations).
  
  Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.


Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.5 Mitigating Network-Related Threats

The assessment recommended that HGA:

  • require stronger I&A for dial-in access or, alternatively, that a restricted version of the mail utility be provided for dial-in, which would prevent a user from including files in outgoing mail messages;
  • replace its current modem pool with encrypting modems, and provide each dial-in user with such a modem; and
  • work with the mainframe agency to install a similar encryption capability for server-to-mainframe communications over the WAN.

As with previous risk assessment recommendations, HGA's management tasked COG to analyze the costs, benefits, and impacts of addressing the vulnerabilities identified in the risk assessment. HGA eventually adopted some of the risk assessment's recommendations, while declining others. In addition, HGA decided that its policy on handling time and attendance information needed to be clarified, strengthened, and elaborated, with the belief that implementing such a policy would help reduce risks of Internet and dial-in eavesdropping. Thus, HGA developed and issued a revised policy, stating that users are individually responsible for ensuring that they do not transmit disclosure-sensitive information outside of HGA's facilities via e-mail or other means. It also prohibited them from examining or transmitting e-mail containing such information during dial-in sessions and developed and promulgated penalties for noncompliance.


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit  meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  For more information, please call R. Kinney Williams at Office/Cell 806-535-8300, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/

 

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.