R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
for the week of March 17
, 2024

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.
 


Newsletter Content FFIEC IT Security Virtual IT Audits - Gold Standard Pen-Testing Auditing
Web Site Compliance NIST Handbook Internet Banking News archives
🍀 Happy St. Patrick's Day 🍀


MISCELLANEOUS CYBERSECURITY NEWS:

FBI: Cybercrime cost Americans over $12.5B in 2023 - The cost of reported cybercrime in the U.S. jumped 22% last year to more than $12.5 billion, according to the FBI’s Internet Crime Complaint Center (IC3) 2023 annual report (PDF). https://www.scmagazine.com/news/fbi-cybercrime-cost-americans-over-12-5b-in-2023

Fidelity Investments Life Insurance says customer data breach linked to third-party hack - Fidelity Investments Life Insurance Co. said the personal data of more than 28,000 customers was accessed through a hack at Infosys McCamish Systems, a third-party service provider, according to a notification filed with the Maine Attorney General’s office. https://www.cybersecuritydive.com/news/fidelity-investments-data-breach-third-party/709743/

Uncle Sam intervenes as Change Healthcare ransomware fiasco creates mayhem - The US government has stepped in to help hospitals and other healthcare providers affected by the Change Healthcare ransomware infection, offering more relaxed Medicare rules and urging advanced funding to providers. https://www.theregister.com/2024/03/06/us_government_change_ransomware_intervention/

Survey: IAM experts share best practices and lessons learned - This line, gifted to us by the English poet and cleric John Donne, still resonates centuries later in a digital economy where identity is everything - the key to the office, the password to an employee’s computer, or the credentials to access sensitive corporate data. https://www.scmagazine.com/resource/survey-iam-experts-share-best-practices-and-lessons-learned

Change Healthcare registers pulse after crippling ransomware attack - Change Healthcare has taken the first steps toward a full recovery from the ransomware attack in February by bringing its electronic prescription services back online. https://www.theregister.com/2024/03/08/change_healthcare_restores_first_system/

NSA Launches Top 10 Cloud Security Mitigation Strategies - As businesses migrate their services to hybrid and multi-cloud environments, cloud misconfigurations and security flaws are becoming critical points of failure. https://www.infosecurity-magazine.com/news/nsa-top-10-cloud-security/

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Canada's anti-money laundering agency offline after cyberattack - The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has announced that a "cyber incident" forced it to take its corporate systems offline as a precaution. https://www.bleepingcomputer.com/news/security/canadas-anti-money-laundering-agency-offline-after-cyberattack/

Canadian city says timeline for recovery from ransomware attack ‘unknown’ - The city of Hamilton, Canada, is still recovering from a ransomware attack that has affected nearly every facet of government functions. https://therecord.media/canadian-city-hamilton-ransomware-recovery

Lurie Children’s Restores Key Systems Following Cyberattack - Lurie Children's Hospital in Chicago has restored its Epic EHR platform and other key systems following a cyberattack that began on January 31st, the hospital stated. MyChart remains unavailable as the hospital works to reactivate the remaining systems. https://healthitsecurity.com/news/lurie-childrens-restores-key-systems-following-cyberattack

CISA breached by hackers exploiting Ivanti bugs - Systems run by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) were breached last month by hackers exploiting bugs in Ivanti products. https://www.scmagazine.com/news/cisa-breached-by-hackers-exploiting-ivanti-bugs

Russian hackers accessed Microsoft source code - In January, Microsoft disclosed that Russian hackers had breached the company’s systems and managed to read emails belonging to senior executives. Now, the company has revealed that the breach was worse than initially understood and that the Russian hackers accessed Microsoft source code. https://cyberscoop.com/microsoft-cozy-bear-russia/

CISA breached by hackers exploiting Ivanti bugs - Systems run by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) were breached last month by hackers exploiting bugs in Ivanti products. https://www.scmagazine.com/news/cisa-breached-by-hackers-exploiting-ivanti-bugs

Third-Party Breach and Missing MFA Contributed to British Library Cyber-Attack - The British Library ransomware attack was likely caused by the compromise of third-party credentials coupled with no multifactor authentication (MFA) in place to stop the attackers, despite previous warnings about these risks. https://www.infosecurity-magazine.com/news/third-party-mfa-british-library/

The French Government Says It’s Being Targeted by Unusual Intense Cyberattacks - Prime Minister Gabriel Attal’s office said in a statement that the attacks started Sunday night and hit multiple government ministries, without providing details. By Monday afternoon, it said, “the impact of the attacks has been reduced for most services and access to government sites restored.” https://www.securityweek.com/the-french-government-says-its-being-targeted-by-unusual-intense-cyberattacks/

Stanford University failed to detect ransomware intruders for 4 months - Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months. https://www.theregister.com/2024/03/13/stanford_university_ransomware/

Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
    
  
Board and Management Oversight Principle 6: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.
    
    
Segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and ensure that transactions and company assets are properly authorized, recorded and safeguarded. Segregation of duties is critical to ensuring the accuracy and integrity of data and is used to prevent the perpetration of fraud by an individual. If duties are adequately separated, fraud can only be committed through collusion.
    
    E-banking services may necessitate modifying the ways in which segregation of duties are established and maintained because transactions take place over electronic systems where identities can be more readily masked or faked. In addition, operational and transaction-based functions have in many cases become more compressed and integrated in e-banking applications. Therefore, the controls traditionally required to maintain segregation of duties need to be reviewed and adapted to ensure an appropriate level of control is maintained. Because access to poorly secured databases can be more easily gained through internal or external networks, strict authorization and identification procedures, safe and sound architecture of the straight-through processes, and adequate audit trails should be emphasized.
    
    Common practices used to establish and maintain segregation of duties within an e-banking environment include the following:
    
    1)  Transaction processes and systems should be designed to ensure that no single employee/outsourced service provider could enter, authorize and complete a transaction.
    
    2)  Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity.
    
    3)  E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.
    
    4)  Segregation should be maintained between those developing and those administrating e-banking systems.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
   
   SECURITY CONTROLS - IMPLEMENTATION
   

   LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
   
   AUTHENTICATION - 
Shared Secret Systems (Part 1 of 2)
   
   Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.
   
   A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.
   
   Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.
   
   Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.
   
   Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.


Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

 

 
8.4.4 Operation and Maintenance
 

 Many security activities take place during the operational phase of a system's life. In general these fall into three areas: (1) security operations and administration; (2) operational assurance; and (3) periodic re-analysis of the security.
 
 8.4.4.1 Security Operations and Administration
 
 Operation of a system involves many security activities discussed throughout this handbook. Performing backups, holding training classes, managing cryptographic keys, keeping up with user administration and access privileges, and updating security software are some examples. 
 
 8.4.4.2 Operational Assurance
 
 Security is never perfect when a system is implemented. In addition, system users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare over time, and procedures become outdated. Thinking risk is minimal, users may tend to bypass security measures and procedures.
 
 During the operational phase of a system life cycle, major and minor changes will occur. Operational assurance is one way of becoming aware of these changes whether they are new vulnerabilities (or old vulnerabilities that have not been corrected), system changes, or environmental changes. Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively.
 
 To maintain operational assurance, organizations use two basic methods: system audits and monitoring. These terms are used loosely within the computer security community and often overlap. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more "real-time" an activity is, the more it falls into the category of monitoring.
 
 Operational assurance examines whether a system is operated according to its current security requirements. This includes both the actions of people who operate or use the system and the functioning of technical controls.


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright 2024 Yennik, Inc.
R. Kinney Williams 806-535-8300 or email examiner@yennik.com

Our logo above is registered with the United States Patent and Trademark Office.