R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of November 10, 2024

Published by Yennik, Inc., the acknowledged leader in independent IT security audits for financial institutions.
 




MISCELLANEOUS CYBERSECURITY NEWS:

CISA warns of foreign threat group launching spearphishing campaign using malicious RDP files - Midnight Blizzard has targeted more than 100 organizations across government, IT and academia, in some cases impersonating Microsoft employees. https://www.cybersecuritydive.com/news/cisa-threat-group-spearphishing/731737/

Executives worry over aging IT systems - Despite ongoing modernization efforts, tech debt is still hindering mission-critical infrastructure. https://www.cybersecuritydive.com/news/tech-debt-infrastructure-kyndryl/731732/
 
The story behind the Health Infrastructure Security and Accountability Act - In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG), was the victim of a significant ransomware attack carried out by the ALPHV/BlackCat ransomware group. https://www.theregister.com/2024/10/29/hold_the_story_behind_the/

Chinese attackers accessed Canadian government networks for five years - A report by Canada's Communications Security Establishment (CSE) revealed that state-backed actors have collected valuable information from government networks for five years. https://www.theregister.com/2024/10/31/canada_cybersec_threats/

UnitedHealth Group names new CISO 8 months after massive ransomware attack - Longtime security leader Tim McKnight joins the beleaguered healthcare giant, succeeding Steven Martin, who was appointed chief restoration officer. https://www.cybersecuritydive.com/news/unitedhealthgroup-ciso-tim-mcknight/731475/

Three common privilege access mistakes that can lead to a ransomware incident - SolarWinds, Colonial Pipeline, Hafnium Exchange. What do these attacks have in common? Beyond their status as some of the most high-profile attacks of recent years, these breaches signify a shift in the attack path for threat actors. https://www.scworld.com/perspective/three-common-privilege-access-mistakes-that-can-lead-to-a-ransomware-incident

FCC Aims to Boost Undersea Cable Security, Purge Adversary Tech - The Federal Communications Commission (FCC) plans to vote Nov. 21 on a notice of proposed rulemaking that would review the agency’s existing licensing rules for undersea cables with the goal of better protecting that class of critical communications infrastructure by, among other steps, prohibiting the use of equipment and services sold by companies based in adversarial nations including China and Russia. https://www.meritalk.com/articles/fcc-aims-to-boost-undersea-cable-security-purge-adversary-tech/

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Midnight Blizzard uses RDP to target 100 organizations in US, Europe - The Russian nation-state threat actor tracked as Midnight Blizzard has been running spear-phishing campaigns to thousands of targets at more than 100 organizations, primarily in the United States and Europe. https://www.scworld.com/news/midnight-blizzard-uses-rdp-to-target-100-organizations-in-us-and-europe

EmeraldWhale steals 15,000 credentials from exposed Git configurations - A bad actor identified as EmeraldWhale was observed running a global operation that targeted exposed Git configurations — a campaign that resulted in more than 15,000 cloud service credentials stolen. https://www.scworld.com/news/emeraldwhale-steals-15000-credentials-from-exposed-git-configurations

Interbank confirms data breach following failed extortion, data leak - Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online. https://www.bleepingcomputer.com/news/security/interbank-confirms-data-breach-following-failed-extortion-data-leak/

Ex-Disney Employee Charged With Hacking Menu Database - In a vengeful move against the happiest place on Earth, the former employee allegedly used his old credentials to make potentially deadly changes. https://www.darkreading.com/cyberattacks-data-breaches/ex-disney-employee-charged-hacking-menu-database

Schneider Electric investigating cyber intrusion after threat actor gains access to platform - Schneider Electric on Monday said it is investigating a cyber incident following claims by a suspected threat actor that it had gained access to company data. https://www.cybersecuritydive.com/news/schneider-electric-investigating-cyber/732006/

Columbus, Ohio confirms July ransomware attack compromised data of 500K people - The city notified half a million people their personal information was at risk following the attack it attributed to a foreign threat actor. https://www.cybersecuritydive.com/news/columbus-ohio-ransomware-500k/732154/

California court suffering from tech outages after cyberattack - The San Joaquin County Superior Court said nearly all of its digital services have been knocked offline due to a cyberattack that began earlier this week. https://therecord.media/california-court-suffering-from-tech-outages-cyberattack

Cyberattack disrupts classes at Irish technology university - The South East Technological University (SETU) in Ireland has announced experiencing a cybersecurity incident targeting its IT systems. https://therecord.media/cyberattack-disrupts-classes-at-irish-tech-university

Colorado scrambles to change voting-system passwords after accidental leak - The Colorado Department of State said it accidentally posted a spreadsheet containing "partial passwords" for voting systems. https://arstechnica.com/tech-policy/2024/10/colorado-scrambles-to-change-voting-system-passwords-after-accidental-leak/

Rhysida ransomware attack on Columbus claimed 500K victims - The City of Columbus, Ohio, confirmed Nov. 1 that 500,000 people were affected by a July 18 ransomware attack that was claimed by the Rhysida gang. https://www.scworld.com/news/rhysida-ransomware-attack-on-columbus-claimed-500k-victims


WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)

E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.

The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.
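The guidance above names two of the deceptions a phishing message relies on: a "from" address dressed up to look like the institution's, and Web links whose visible text does not match the address they actually lead to. The following Python script is an added example, not part of this newsletter or of the FDIC guidance it excerpts; it runs both checks over two constructed messages. The institution name, the .test domains and both e-mail messages are placeholders invented for the example, and the "registered domain" helper is a deliberate simplification.

```python
"""Added example (not from the newsletter or the FDIC guidance): flag a
misleading "From" header and links whose visible text disagrees with the
href. All names, domains and messages below are constructed placeholders."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed institution identity (placeholder values, not a real bank).
INSTITUTION_NAME = "Example Bank"
LEGITIMATE_DOMAINS = {"example-bank.test", "www.example-bank.test"}

# Constructed phishing-style message: display name invokes the bank, the
# address domain does not, and the first link's text disagrees with its href.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.test>
To: customer@example.net
Subject: Please validate your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your access will be suspended unless you validate your details.</p>
<p>Visit <a href="http://examp1e-bank-verify.test/login">https://www.example-bank.test/secure</a></p>
<p>Questions? <a href="https://www.example-bank.test/help">Help center</a></p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGITIMATE_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name: a crude stand-in for the registered
    domain, adequate for the placeholder names used here."""
    return ".".join(host.lower().split(".")[-2:])


def shown_host(text):
    """Host a reader would infer from link text that looks like a URL,
    or None when the text is ordinary words."""
    if text.startswith(("http://", "https://")):
        return urlparse(text).hostname
    if text.startswith("www."):
        return urlparse("http://" + text).hostname
    return None


def analyze_message(raw, legitimate_domains, institution_name):
    """Return a list of findings; empty means neither heuristic fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    legit_registrable = {registrable(d) for d in legitimate_domains}

    # Check 1: display name claims the institution, address domain does not.
    sender = msg["From"].addresses[0]
    if (institution_name.lower() in sender.display_name.lower()
            and sender.domain.lower() not in legitimate_domains):
        findings.append(f"From: display name claims '{institution_name}' "
                        f"but address domain is {sender.domain}")

    # Check 2: link text shows one host while the href leads to another,
    # plus any link leaving the institution's own domains.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            displayed = shown_host(text)
            if displayed and registrable(displayed) != registrable(target):
                findings.append(f"link text shows {displayed} but points to {target}")
            if target and registrable(target) not in legit_registrable:
                findings.append(f"link leads outside the institution: {target}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, analyze_message(raw, LEGITIMATE_DOMAINS, INSTITUTION_NAME) or "no findings")
```

Run as a script it reports three findings for the constructed phishing message (sender mismatch, link text/href mismatch, link to a foreign domain) and none for the legitimate one. The checks are heuristics: a message that passes them is not thereby safe, and a real mail gateway would add sender-authentication results (SPF, DKIM, DMARC) and URL reputation on top.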


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY

When selecting a site for the most important information systems components, one major objective is to limit the risk of exposure from internal and external sources. The selection process should include a review of the surrounding area to determine if it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Outside intruders can be deterred through the use of guards, fences, barriers, surveillance equipment, or other similar devices. Since access to key information system hardware and software should be limited, doors and windows must be secure. Additionally, the location should not be identified or advertised by signage or other indicators.

Detection devices, where applicable, should be utilized to prevent theft and safeguard the equipment. They should provide continuous coverage. Detection devices have two purposes - to alarm when a response is necessary and to support subsequent forensics. The alarm capability is only useful when a response will occur. Some intruder detection devices available include:

- Switches that activate an alarm when an electrical circuit is broken;
- Light and laser beams, ultraviolet beams and sound or vibration detectors that are invisible to the intruder, and ultrasonic and radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and recording of actions.

Risks from environmental threats can be addressed somewhat through devices such as halon gas, smoke alarms, raised flooring, heat sensors, and the like.

Physical security devices frequently need preventive maintenance to function properly. Maintenance logs are one control the institution can use to determine whether the devices are appropriately maintained. Periodic testing of the devices provides assurance that they are operating correctly.

Security guards should be properly instructed about their duties. The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises.

The following security zones should have access restricted to a need basis:

- Operations center
- Uninterrupted power supply
- Telecommunications equipment
- Media library


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS

11.4 Step 4: Selecting Contingency Planning Strategies

The next step is to plan how to recover needed resources. In evaluating alternatives, it is necessary to consider what controls are in place to prevent and minimize contingencies. Since no set of controls can cost-effectively prevent all contingencies, it is necessary to coordinate prevention and recovery efforts.

A contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption. Emergency response encompasses the initial actions taken to protect lives and limit damage. Recovery refers to the steps that are taken to continue support for critical functions. Resumption is the return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.

The selection of a strategy needs to be based on practical considerations, including feasibility and cost. The different categories of resources should each be considered. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for various lengths of time? Are the consequences of a loss of computer-related resources sufficiently high to warrant the cost of various recovery strategies? The risk assessment should focus on areas where it is not clear which strategy is the best.

In developing contingency planning strategies, there are many factors to consider in addressing each of the resources that support critical functions. Some examples are:

Example 1: If the system administrator for a LAN has to be out of the office for a long time (due to illness or an accident), arrangements are made for the system administrator of another LAN to perform the duties. Anticipating this, the absent administrator should have taken steps beforehand to keep documentation current. This strategy is inexpensive, but service will probably be significantly reduced on both LANs, which may prompt the manager of the loaned administrator to partially renege on the agreement.

Example 2: An organization depends on an on-line information service provided by a commercial vendor. The organization is no longer able to obtain the information manually (e.g., from a reference book) within acceptable time limits and there are no other comparable services. In this case, the organization relies on the contingency plan of the service provider. The organization pays a premium to obtain priority service in case the service provider has to operate at reduced capacity.

Example 3: A large mainframe data center has a contract with a hot site vendor, has a contract with the telecommunications carrier to reroute communications to the hot site, has plans to move people, and stores up-to-date copies of data, applications and needed paper records off-site. The contingency plan is expensive, but management has decided that the expense is fully justified.

Example 4: An organization distributes its processing among two major sites, each of which includes small to medium processors (personal computers and minicomputers). If one site is lost, the other can carry the critical load until more equipment is purchased. Routing of data and voice communications can be performed transparently to redirect traffic. Backup copies are stored at the other site. This plan requires tight control over the architectures used and types of applications that are developed to ensure compatibility. In addition, personnel at both sites must be cross-trained to perform all functions.


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright 2024 Yennik, Inc.
R. Kinney Williams 806-535-8300 or email examiner@yennik.com

Our logo above is registered with the United States Patent and Trademark Office.