R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of March 30, 2025

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.




MISCELLANEOUS CYBERSECURITY NEWS:

We can - and must - do better recovering from ransomware attacks - It’s any IT professional’s worst nightmare: Someone has breached the network, locked users out of their computers, captured company data, and has held it for ransom. https://www.scworld.com/perspective/we-can-and-must-do-better-recovering-from-ransomware-attacks

New Windows zero-day exploited by 11 state hacking groups since 2017 - At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017. https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/

5 ransomware threats facing the financial sector – and 5 ways to respond - The financial sector remains one of the most targeted industries for ransomware attacks. https://www.scworld.com/perspective/5-ransomware-threats-facing-the-financial-sector-and-5-ways-to-respond

Cybersecurity job market faces disruptions: Hiring declines in key roles amid automation and outsourcing - The cybersecurity job market in the United States is undergoing a transformation, as detailed in the 2025 U.S. Cybersecurity Job Posting Data Report. https://www.scworld.com/analysis/cybersecurity-job-market-faces-disruptions-hiring-declines-in-key-roles-amid-automation-and-outsourcing

Police arrest 300 suspects linked to African cybercrime rings - African law enforcement authorities have arrested 306 suspects as part of 'Operation Red Card,' an INTERPOL-led international crackdown targeting cross-border cybercriminal networks. https://www.bleepingcomputer.com/news/security/police-arrests-300-suspects-linked-to-african-cybercrime-rings/

NIST’s vulnerability database logjam is still growing despite attempts to clear it - Vulnerability submissions increased 32% in 2024, NIST said. The agency is considering machine learning to automate certain vulnerability analysis tasks. https://www.nextgov.com/cybersecurity/2025/03/nists-vulnerability-database-logjam-still-growing-despite-attempts-clear-it/403887/

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Half a million people impacted by Pennsylvania State Education Association data breach - More than 500,000 people were impacted by a cyberattack on the Pennsylvania State Education Association (PSEA) that took place in July 2024. https://therecord.media/half-a-million-impacted-pennsylvania-education-data-breach

Researchers back claim of Oracle Cloud breach despite company’s denials - Security researchers provided additional evidence supporting a hacker’s claim to have exfiltrated 6 million records. https://www.cybersecuritydive.com/news/researchers-oracle-cloud-breach/743447/

Canadian provincial police appear to be using advanced commercial spyware - There is evidence suggesting that Canadian provincial police are using powerful advanced commercial spyware, the Citizen Lab said in a report released Wednesday. https://therecord.media/ontario-police-citizen-lab-spyware-report

Fate of DNA data raises privacy, identity issues in 23andMe bankruptcy - News of the troubled DNA testing services company 23andMe filing for Chapter 11 bankruptcy protection set off a spirited debate in the security community this week as experts expressed concern over the fate of the DNA data the company collected on more than 15 million customers for the past two decades. https://www.scworld.com/news/fate-of-dna-data-raises-privacy-identity-issues-in-23andme-bankruptcy


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
(Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.
    
Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.
    
Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

LOGGING AND DATA COLLECTION (Part 1 of 2)

Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:

- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or root access),
- Application access (especially users and objects with write and execute privileges), and
- Remote access.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 13 - AWARENESS, TRAINING, AND EDUCATION

3.6.3 Identify Target Audiences

Not everyone needs the same degree or type of computer security information to do their jobs. A CSAT program that distinguishes between groups of people, presents only the information needed by the particular audience, and omits irrelevant information will have the best results. Segmenting audiences (e.g., by their function or familiarity with the system) can also improve the effectiveness of a CSAT program. For larger organizations, some individuals will fit into more than one group. For smaller organizations, segmenting may not be needed. The following methods are some examples of ways to do this.

Segment according to level of awareness. Individuals may be separated into groups according to their current level of awareness. This may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs.

Segment according to general job task or function. Individuals may be grouped as data providers, data processors, or data users.

Segment according to specific job category. Many organizations assign individuals to job categories. Since each job category generally has different job responsibilities, training for each will be different. Examples of job categories could be general management, technology management, applications development, or security.

Segment according to level of computer knowledge. Computer experts may be expected to find a program containing highly technical information more valuable than one covering the management issues in computer security. Similarly, a computer novice would benefit more from a training program that presents introductory fundamentals.

Segment according to types of technology or systems used. Security techniques used for each off-the-shelf product or application system will usually vary. The users of major applications will normally require training specific to that application.


You may also receive this newsletter by email. Go to https://yennik.com/newletter.htm for more information. The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site. Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright 2025 Yennik, Inc.
R. Kinney Williams 806-535-8300 or email examiner@yennik.com

Our logo above is registered with the United States Patent and Trademark Office.