R. Kinney Williams - Yennik, Inc.

Internet Banking News
for the week of November 17, 2024

Published by Yennik, Inc. the acknowledged leader in independent IT security audits for financial institutions.


MISCELLANEOUS CYBERSECURITY NEWS:

The company you keep: your most trusted vendor could be your biggest security risk - Cyber defenses are faltering under the pressure of digital complexity. The interconnected nature of today’s digital world has made it easier for users, third-party vendors, and cyber criminals to compromise organizational security, whether intentionally or unintentionally https://www.cybersecuritydive.com/spons/the-company-you-keep-your-most-trusted-vendor-could-be-your-biggest-securi/732033/

Legal protections for security researchers sought in new German draft law - A German draft law announced this week would protect researchers who discover security vulnerabilities from potential criminal prosecution under the nation’s computer crimes law. https://www.scworld.com/news/legal-protections-for-security-researchers-sought-in-new-german-draft-law

Who should be in the room when purchasing cyber insurance? - Cyber exposure should be treated just as seriously as a fire event, each with a high potential to disrupt business for extended periods of time, Peter Hedberg of Corvus Insurance writes. https://www.cybersecuritydive.com/news/buying-cyber-insurance-ciso/732506/

Why you should deploy modern multi-factor authentication - No right-thinking organization should rely on passwords alone for user authentication. We all know that passwords can be reused, cracked or phished. https://www.scworld.com/resource/why-you-should-deploy-modern-multi-factor-authentication

OpenAI further expands its generative AI work with the federal government - ChatGPT Enterprise is showing up within the Treasury Department and the Air Force Research Laboratory, among other places. https://fedscoop.com/openai-expands-chatgpt-work-federal-government/

TSA floats new rules mandating cyber incident reporting for pipelines, railroads - The Transportation Security Administration proposed new rules this week that would codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management (CRM) plans. https://therecord.media/tsa-new-rules-cyber-response

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Halliburton incurs about $35M in expenses related to August cyberattack - The company said the intrusion forced it to delay billing and collections, but the impact is not considered material. https://www.cybersecuritydive.com/news/halliburton-35-million-cyberattack/732397/

Ransomware Attack Disrupts Georgia Hospital’s Access to Health Records - Memorial Hospital and Manor in Bainbridge, Georgia, can no longer access its Electronic Health Record system after falling victim to a ransomware attack. https://www.securityweek.com/ransomware-attack-disrupts-georgia-hospitals-access-to-health-records/

Washington courts' systems offline following weekend cyberattack - Court systems across Washington state have been down since Sunday when officials said "unauthorized activity" was detected on their networks. https://www.bleepingcomputer.com/news/security/washington-courts-systems-offline-following-weekend-cyberattack/

Schneider Electric investigating cyber intrusion after threat actor gains access to platform - Schneider Electric on Monday said it is investigating a cyber incident following claims by a suspected threat actor that it had gained access to company data. https://www.cybersecuritydive.com/news/schneider-electric-investigating-cyber/732006/

Columbus, Ohio confirms July ransomware attack compromised data of 500K people - The city notified half a million people their personal information was at risk following the attack it attributed to a foreign threat actor. https://www.cybersecuritydive.com/news/columbus-ohio-ransomware-500k/732154/

Grocery giant Ahold Delhaize’s US operations disrupted by cyberattack - The parent company said the disruption forced it to take certain systems offline and affected some pharmacies and e-commerce services. https://www.cybersecuritydive.com/news/grocery-ahold-delhaize-cyberattack/732562/

Law Firm Data Breach Impacts 300,000 Presbyterian Healthcare Patients - The information of over 300,000 Presbyterian Healthcare Services patients was compromised as a result of a data breach at a law firm. https://www.securityweek.com/law-firm-data-breach-impacts-300000-presbyterian-healthcare-patients/

Amazon confirms employee data breach after vendor hack - Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum.
https://www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/
https://www.scworld.com/news/millions-of-records-from-moveit-hack-released-on-dark-web

Cyberattack Cost Oil Giant Halliburton $35 Million - The expenses related to the recent cybersecurity incident suffered by US oil giant Halliburton reached $35 million by the end of September, according to the company’s latest financial report. https://www.securityweek.com/cyberattack-cost-oil-giant-halliburton-35-million/


WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)

Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence or costly litigation.

In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.

Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:

! A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "bookmark" that directs the Web browser to the financial institution's Web site.
! A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.
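The last point above has an operational side for the institution: a certificate that lapses, or that is issued for the wrong host name, is exactly the kind of browser warning customers are told to treat as a sign of spoofing. The following Python script is an added example, not part of the guidance or of any institution's tooling. It evaluates a certificate in the dictionary shape that the standard library's `ssl.SSLSocket.getpeercert()` returns, reporting host-name mismatch, not-yet-valid, expired and expiring-soon conditions so the check can run from a monitoring job before customers see a warning. The sample certificate, the host name `www.example-bank.test` and the 30-day warning threshold are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the same dict shape that ssl.SSLSocket.getpeercert()
# returns; the names, dates and issuer are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Nov  1 00:00:00 2024 GMT",
    "notAfter": "Dec  1 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    Browsers ignore the commonName, so this check does too. A wildcard
    entry covers exactly one left-most label (*.bank.test does not cover
    a.b.bank.test).
    """
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now):
    """Whole days from `now` (timezone-aware) until the notAfter instant."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def check_certificate(cert, hostname, now, warn_days=30):
    """Return a status dict; `problems` is empty when the certificate is current."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if now.timestamp() < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("expired")
    elif days < warn_days:
        problems.append(f"expires in {days} days")
    return {"hostname": hostname, "days_left": days, "problems": problems, "ok": not problems}


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live variant: fetch the served certificate with full chain verification.

    Not called by the offline demo below; feed its result to check_certificate().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Fixed "now" so the demo is reproducible; a real job would use datetime.now(timezone.utc).
    now = datetime(2024, 11, 17, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_CERT, "www.example-bank.test", now))
    print(check_certificate(SAMPLE_CERT, "mail.example-bank.test", now))
```

The offline run flags the sample certificate as expiring within the warning window and the second host name as a mismatch; replacing `SAMPLE_CERT` with the result of `fetch_peer_cert()` turns the same logic into a scheduled check against the institution's own site.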


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)

  Hardware and software located in a user department are often less secure than that located in a computer room. Distributed hardware and software environments (e.g., local area networks or LANs) that offer a full range of applications for small financial institutions as well as larger organizations are commonly housed throughout the organization, without special environmental controls or raised flooring. In such situations, physical security precautions are often less sophisticated than those found in large data centers, and overall building security becomes more important. Internal control procedures are necessary for all hardware and software deployed in distributed, and less secure, environments. The level of security surrounding any IS hardware and software should depend on the sensitivity of the data that can be accessed, the significance of applications processed, the cost of the equipment, and the availability of backup equipment.
  
  Because of their portability and location in distributed environments, PCs often are prime targets for theft and misuse. The location of PCs and the sensitivity of the data and systems they access determine the extent of physical security required. For PCs in unrestricted areas such as a branch lobby, a counter or divider may provide the only barrier to public access. In these cases, institutions should consider securing PCs to workstations, locking or removing disk drives, and using screensaver passwords or automatic timeouts. Employees also should have only the access to PCs and data they need to perform their job. The sensitivity of the data processed or accessed by the computer usually dictates the level of control required. The effectiveness of security measures depends on employee awareness and enforcement of these controls.
  
  An advantage of PCs is that they can operate in an office environment, providing flexible and informal operations. However, as with larger systems, PCs are sensitive to environmental factors such as smoke, dust, heat, humidity, food particles, and liquids. Because they are not usually located within a secure area, policies should be adapted to provide protection from ordinary contaminants.
  
  Other environmental problems to guard against include electrical power surges and static electricity. The electrical power supply in an office environment is sufficient for a PC's requirements. However, periodic fluctuations in power (surges) can cause equipment damage or loss of data. PCs in environments that generate static electricity are susceptible to static electrical discharges that can cause damage to PC components or memory.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 11.4.1 Human Resources
 
 To ensure an organization has access to workers with the right skills and knowledge, training and documentation of knowledge are needed. During a major contingency, people will be under significant stress and may panic. If the contingency is a regional disaster, their first concerns will probably be their family and property. In addition, many people will be either unwilling or unable to come to work. Additional hiring or temporary services can be used. The use of additional personnel may introduce security vulnerabilities.
 
 Contingency planning, especially for emergency response, normally places the highest emphasis on the protection of human life.
 
 11.4.2 Processing Capability
 
 Strategies for processing capability are normally grouped into five categories: hot site; cold site; redundancy; reciprocal agreements; and hybrids. These terms originated with recovery strategies for data centers but can be applied to other platforms.
 
 1. Hot site -- A building already equipped with processing capability and other services.
 2. Cold site -- A building for housing processors that can be easily adapted for use.
 3. Redundant site -- A site equipped and configured exactly like the primary site. (Some organizations plan on having reduced processing capability after a disaster and use partial redundancy. The stocking of spare personal computers or LAN servers also provides some redundancy.)
 4. Reciprocal agreement -- An agreement that allows two organizations to back each other up. (While this approach often sounds desirable, contingency planning experts note that this alternative has the greatest chance of failure due to problems keeping agreements and plans up-to-date as systems and personnel change.)
 5. Hybrids -- Any combination of the above, such as having a hot site as a backup in case a redundant or reciprocal agreement site is damaged by a separate contingency.
 
 Recovery may include several stages, perhaps marked by increasing availability of processing capability. Resumption planning may include contracts or the ability to place contracts to replace equipment.


You may also receive this newsletter by email.  Go to https://yennik.com/newletter.htm for more information.  The various category comments may be excerpts from regulatory press releases, which can be found at the respective regulatory web site.  Our privacy statement can be found at http://www.yennik.com/privacy_statement.htm.

Copyright 2024 Yennik, Inc.
R. Kinney Williams 806-535-8300 or email examiner@yennik.com

Our logo above is registered with the United States Patent and Trademark Office.