R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of November 17, 2019

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for financial institutions in Texas, New Mexico, Colorado, and Oklahoma. 

FYI - The FFIEC members revised and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks and the increased focus on ongoing, enterprise-wide business continuity and resilience. The new Handbook can be found at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx  (A side note - the word test is used more than 90 times.)

Google will offer checking accounts next year, report says - The tech giant is reportedly partnering with Citigroup and a credit union at Stanford University. Google reportedly plans to start offering checking accounts to consumers next year. The accounts will be run by Citigroup and a credit union at Stanford University, according to a report Wednesday from The Wall Street Journal. https://www.cnet.com/news/walmart-black-friday-2019-the-best-deals-right-now/?ftag=CAD-04-10aae9d&bhid=21042800436046731107236282841599

The Growth and Challenges of Cyber Insurance - Cyberattacks have grown in frequency and cost over the past decade, with high-profile cases, such as the 2013 Target data breach, the 2017 Equifax data breach, and the leak of Democratic National Committee emails during the 2016 election making national headlines. https://www.chicagofed.org/publications/chicago-fed-letter/2019/426

Report: Recently breached Capital One reassigns its CISO - Capital One Financial Corporation is reportedly reassigning its chief information security officer to an advisory role, less than four months after the bank holding company disclosed a data breach affecting more than 100 million individuals. https://www.scmagazine.com/home/security-news/data-breach/report-recently-breached-capital-one-reassigns-its-ciso/

Aventura Technologies sold Chinese-made security gear with bugs to gov't, feds say - Commack, N.Y.-based Aventura Technologies and seven of its current and former employees were charged in Brooklyn federal court today for defrauding customers. https://www.scmagazine.com/home/security-news/aventura-technologies-sold-chinese-made-security-gear-with-bugs-to-govt-feds-say/

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks - Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/

Why weakening COPPA could put children at risk online - Privacy fines have been rolling in by the millions this year and one of the more high-profile fines is the 170 million dollar fine imposed by the FTC for Google violating the Children's Online Privacy Protection Act (COPPA). https://www.scmagazine.com/home/opinion/executive-insight/why-weakening-coppa-could-put-children-at-risk-online/

Ransomware forces New Mexico school district to scrub 30,000 devices - A New Mexico school district that had its systems infected by ransomware last month is now having to scrub the hard drives of about 30,000 devices, district officials announced Thursday. https://edscoop.com/ransomware-forces-new-mexico-school-district-scrub-30000-devices/

Texas Health Agency Fined $1.6m for Data Breach - A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online. https://www.infosecurity-magazine.com/news/texas-health-agency-fined-for-data/

Ransom payments averaging $41,000 per incident - The average ransom payment paid out by victims increased 13 percent, to $41,000, during the last three months, but researchers noted the rate of increase has plateaued. https://www.scmagazine.com/home/security-news/ransomware/ransom-payments-averaging-41000-per-incident/

Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded - The claim made by the Mexican state-owned petroleum corporation Pemex that it had recovered from a Nov. 10 cyberattack was met with some skepticism, as published reports indicate the attack may be still affecting the company. https://www.scmagazine.com/home/security-news/cyberattack/pemex-claims-victory-over-cyberattack-4-9-million-ransom-reportedly-demanded/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Maine's InterMed suffers data breach, 30,000 affected - The Portland, Maine healthcare provider InterMed is informing about 30,000 patients that some of their PHI has been involved in a data breach. https://www.scmagazine.com/home/security-news/data-breach/maines-intermed-suffers-data-breach-30000-affected/

Trend Micro hit with insider attack - Trend Micro was the target of an insider threat that saw about 100,000 of its consumer customers have their account information stolen, sold and used to make scam phone calls. https://www.scmagazine.com/home/security-news/insider-threats/trend-micro-hit-with-insider-attack/

Canadian Nunavut government systems crippled by ransomware - The lockdown has impacted medical, legal, and social services. https://www.zdnet.com/article/canadian-nunavut-government-systems-crippled-by-ransomware/

Ransomware attack knocks SmarterASP.net customers offline - SmarterASP.net reported it was hit with a ransomware attack over the weekend that encrypted and knocked offline many of the hosting service's customer accounts. https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-knocks-smarterasp-net-customers-knocked-offline/

Ransomware attack at Mexico's Pemex halts work, threatens to cripple computers - A ransomware attack hit computer servers and halted administrative work on Monday at Mexican state oil firm Pemex, according to employees and internal emails, in hackers' latest bid to wring ransom from a major company. https://www.reuters.com/article/us-mexico-pemex/ransomware-attack-at-mexicos-pemex-halts-work-threatens-to-cripple-computers-idUSKBN1XM041



WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights on Incident Response Programs. (8 of 12)

Containment

During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.

Establish notification escalation procedures.

If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff and senior department managers with information about how containment actions will affect business operations or systems and including these individuals in the decision-making process can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.

Document details, conversations, and actions.

Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

System Patches

Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Financial institutions should have an effective monitoring process to identify new vulnerabilities in their hardware and software.  Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch.

Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade system performance. Also, patches may introduce new vulnerabilities, or reintroduce old vulnerabilities. The following considerations can help ensure patches do not compromise the security of systems:

- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the patch (1) is compatible with other software used on systems to which the patch will be applied, (2) does not alter the system's security posture in unexpected ways, such as altering log settings, and (3) corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure computing environment.
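
As an added example (not from the FFIEC booklet or this newsletter), the following Python script models the patch-intake checks listed above on a throwaway test system: compare the downloaded patch's SHA-256 with the value published by the vendor, back up and checksum key files, apply the patch, reject it (restoring the backup) if it changed a tracked file that its release notes did not declare, such as a logging setting, and record every outcome in an audit trail. The patch format, file names and vendor hash are constructed placeholders.

```python
import hashlib, hmac, json, tempfile, time
from pathlib import Path
KEY_FILES = ["bin/server", "etc/audit.conf"]   # constructed: key files whose checksums are tracked

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_patch(patch: bytes, published_sha256: str) -> bool:
    """Compare against the hash published by the trusted vendor source (constant-time compare)."""
    return hmac.compare_digest(sha256(patch), published_sha256.lower())

def baseline(root: Path) -> dict:
    """Cryptographic checksums of the key files, taken before and after the patch."""
    return {f: sha256((root / f).read_bytes()) for f in KEY_FILES}

def intake(root: Path, patch: bytes, published_sha256: str, audit: list) -> str:
    """Run the checklist on one (test) system; every outcome is written to the audit trail."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "patch": sha256(patch)}
    audit.append(entry)
    if not verify_patch(patch, published_sha256):
        entry["result"] = "rejected: hash mismatch"          # wrong or altered download
        return entry["result"]
    meta = json.loads(patch)                                # constructed patch format (JSON)
    before, backup = baseline(root), {f: (root / f).read_bytes() for f in KEY_FILES}
    for f, text in meta["writes"].items():                  # stand-in for the vendor installer
        (root / f).write_text(text)
    after = baseline(root)
    unexpected = {f for f in KEY_FILES if before[f] != after[f] and f not in meta["declared"]}
    if unexpected:                                          # e.g. log settings silently altered
        for f, data in backup.items():
            (root / f).write_bytes(data)                    # restore from the pre-patch backup
        entry["result"] = f"rolled back: unexpected change to {sorted(unexpected)}"
        return entry["result"]
    entry["result"], entry["checksums"] = "applied", after   # new master checksums of key files
    return entry["result"]

def demo() -> list:
    """Constructed test system plus three patches: good, tampered in transit, and one touching logging."""
    root = Path(tempfile.mkdtemp())
    for f in KEY_FILES:
        (root / f).parent.mkdir(parents=True, exist_ok=True)
        (root / f).write_text(f"original {f}\n")
    good = json.dumps({"declared": ["bin/server"], "writes": {"bin/server": "v2"}}).encode()
    noisy = json.dumps({"declared": ["bin/server"],
                        "writes": {"bin/server": "v3", "etc/audit.conf": "log=off"}}).encode()
    audit = []
    results = [intake(root, good, sha256(good), audit),
               intake(root, good + b" ", sha256(good), audit),   # download altered in transit
               intake(root, noisy, sha256(noisy), audit)]
    results.append((root / "etc/audit.conf").read_text() == "original etc/audit.conf\n")
    return results
```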


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 2 - ELEMENTS OF COMPUTER SECURITY

2.1 Computer Security Supports the Mission of the Organization

 The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Unfortunately, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. On the contrary, well-chosen security rules and procedures do not exist for their own sake -- they are put in place to protect important assets and thereby support the overall organizational mission.
 
Security, therefore, is a means to an end and not an end in itself. For example, in a private-sector business, having good security is usually secondary to the need to make a profit. Security, then, ought to increase the firm's ability to make a profit. In a public-sector agency, security is usually secondary to the agency's service provided to citizens. Security, then, ought to help improve the service provided to the citizen.
 
 To act on this, managers need to understand both their organizational mission and how each information system supports that mission. After a system's role has been defined, the security requirements implicit in that role can be defined. Security can then be explicitly stated in terms of the organization's mission.
 
 The roles and functions of a system may not be constrained to a single organization. In an interorganizational system, each organization benefits from securing the system. For example, for electronic commerce to be successful, each of the participants requires security controls to protect their resources. However, good security on the buyer's system also benefits the seller; the buyer's system is less likely to be used for fraud or to be unavailable or otherwise negatively affect the seller. (The reverse is also true.)


Please don't hesitate to email me (examiner@yennik.com) if you have any questions.  Have a great week,

R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Yennik, Inc.

Independent Pen-test Audits
Our pen-test firewall audit meets the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The audit focuses on a hacker's perspective, which will help your IT staff identify real-world weaknesses. For more information, please call R. Kinney Williams at Office/Cell 806-535-8300, send an email to examiner@yennik.com, or visit http://www.internetbankingaudits.com/

You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright Yennik, Inc.
Our logo above is registered with the United States Patent and Trademark Office.