R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of January 19, 2020

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.

Newsletter Content IT Security IT Security Checklist
Web Site Compliance Internet Privacy Pen Testing Auditing

FFIEC information technology audit
s - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for financial institutions in Texas, New Mexico, Colorado, and Oklahoma. 

FYI - Chinese Malware Found Preinstalled on US Government-Funded Phones - Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless. https://www.darkreading.com/threat-intelligence/chinese-malware-found-preinstalled-on-us-government-funded-phones/d/d-id/1336771

Is a single cybersecurity congressional committee possible? - What if a single Congressional committee in each chamber had oversight for cybersecurity issues? https://www.fifthdomain.com/congress/2020/01/08/is-a-single-cybersecurity-congressional-committee-possible/

Federally funded Unimax smartphone pre-loaded with malware - The Unimax UMX U686CL is a Chinese-made smartphone distributed by the federally funded Assured Wireless by Virgin Mobile has been found to come pre-loaded with two malicious applications. https://www.scmagazine.com/home/security-news/mobile-security/federally-funded-unimax-smartphone-pre-loaded-with-malware/

The psychology of ransomware - While there is some debate over whether the number of ransomware attacks is rising, there is no arguing that the losses suffered by both public and private sector organizations have increased. https://www.scmagazine.com/home/opinion/executive-insight/the-psychology-of-ransomware-2/


FYI - Bahraini oil company reportedly attacked by new ‘Dustman’ disk wiper - Bapco, the national oil company of the Persian Gulf island nation of Bahrain, was reportedly targeted in a Dec. 29 disk wiper attack that officials believe originated from Iran-backed hackers. https://www.scmagazine.com/home/security-news/malware/bahraini-oil-company-reportedly-attacked-by-new-dustman-disk-wiper/

Ransomware hits, but doesn’t stop, the Pittsburgh Unified School District - The Pittsburgh Unified School District is still recovering from a ransomware attack that took place over the holiday recess, but its superintendent says school is open for business. https://www.scmagazine.com/home/security-news/ransomware/ransomware-hits-but-doesnt-stop-the-pittsburgh-unified-school-district/

Bay Area Library System Suffers Ransomware Attack - The Contra Costa County Library System was hit by ransomware Friday, officials have confirmed. The resulting network outages affected services at all 26 library branches. An investigation is underway. https://www.govtech.com/security/Bay-Area-Library-System-Suffers-Ransomware-Attack.html

Breach of email accounts impacts 50,000 patients of Minnesota hospital - Minnesota-based hospital operator Alomere Health this month began notifying patients of a data breach affecting 49,351 individuals, after a malicious actor gained access to two employee email accounts in late October and early November. https://www.scmagazine.com/home/security-news/data-breach/breach-of-email-accounts-impacts-50000-patients-of-minnesota-hospital/

Bahraini oil company reportedly attacked by new ‘Dustman’ disk wiper - Bapco, the national oil company of the Persian Gulf island nation of Bahrain, was reportedly targeted in a Dec. 29 disk wiper attack that officials believe originated from Iran-backed hackers. https://www.scmagazine.com/home/security-news/malware/bahraini-oil-company-reportedly-attacked-by-new-dustman-disk-wiper/

Texas school district phished for $2.3 million - The Manor Independent School District fell victim to an apparent phishing scam to the tune of $2.3 million. https://www.scmagazine.com/home/email-security/texas-school-district-phished-for-2-3-million/

NSA reveals to Microsoft critical Windows 10 flaw - Microsoft reportedly acted on an NSA warning creating and issuing a secret out-of-band patch to the military and other high-value targets fixing CVE-2020-0601, a vulnerability affecting a core cryptographic component present in all versions of Windows. https://www.scmagazine.com/home/security-news/vulnerabilities/nsa-reveals-to-microsoft-critical-windows-10-flaw/


Return to the top of the newsletter

OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)  Next week we will begin our series on the Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities
   If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov), a partnership of the FBI and the National White Collar Crime Center.
   In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.
   In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   A maxim of security is "prevention is ideal, but detection is a must."  Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection - and - response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.
   Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.
   Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 4.1 Errors and Omissions

 Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.
 Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Errors can occur during all phases of the systems life cycle. A long-term survey of computer-related economic losses conducted by Robert Courtney, a computer security consultant and former member of the Computer System Security and Privacy Advisory Board, found that 65 percent of losses to organizations were the result of errors and omissions. This figure was relatively consistent between both private and public sector organizations.
 Programming and development errors, often called "bugs," can range in severity from benign to catastrophic. In a 1989 study for the House Committee on Science, Space and Technology, entitled Bugs in the Program, the staff of the Subcommittee on Investigations and Oversight summarized the scope and severity of this problem in terms of government systems as follows:
 a)  As expenditures grow, so do concerns about the reliability, cost and accuracy of ever-larger and more complex software systems. These concerns are heightened as computers perform more critical tasks, where mistakes can cause financial turmoil, accidents, or in extreme cases, death.
 Since the study's publication, the software industry has changed considerably, with measurable improvements in software quality. Yet software "horror stories" still abound, and the basic principles and problems analyzed in the report remain the same. While there have been great improvements in program quality, as reflected in decreasing errors per 1,000 lines of code, the concurrent growth in program size often seriously diminishes the beneficial effects of these program quality enhancements.
 Installation and maintenance errors are another source of security problems. For example, an audit by the President's Council for Integrity and Efficiency (PCIE) in 1988 found that every one of the ten mainframe computer sites studied had installation and maintenance errors that introduced significant security vulnerabilities.

Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit  meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses.  For more information, please call R. Kinney Williams at Office/Cell 806-535-8300, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.