FFIEC information technology audits -
As a former bank examiner with over 40 years' IT audit experience, I
will bring an examiner's perspective to the FFIEC information
technology audit for bankers in Texas, New Mexico, Colorado, and
Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
Top Security Challenges for 2018 - In 2018, we anticipate that
cybercriminals will look to target and exploit more security
software. By targeting trusted programs and the software and
hardware supply chain, attackers can take control of devices and
wholeheartedly manipulate users.
https://www.scmagazine.com/top-security-challenges-for-2018--part-1/article/733808/
Gov't agencies adopting DMARC more quickly, but still have a ways to
go - With less than two weeks left until federal agencies must adopt
the Domain-based Message Authentication, Reporting, and Conformance
(DMARC) tool per the Binding Operational Directive (BOD) 18-01
issued by the Department of Homeland Security (DHS) in October, 47
percent of agencies have already adopted a DMARC policy and many
more are expected to follow.
https://www.scmagazine.com/govt-agencies-adopting-dmarc-more-quickly-but-still-have-a-ways-to-go/article/734282/
Source code for Apple’s historic Lisa OS to be made available in
2018 - Apple is reviewing the code thanks to the Computer History
Museum. If you've ever been curious to test out Apple's original
Lisa operating system, you'll get the chance to do so next year
using the original source code.
https://arstechnica.com/gadgets/2017/12/source-code-for-apples-historic-lisa-os-to-be-made-available-in-2018/
Vulnerability Affects Hundreds of Thousands of IoT Devices - Here's
something to be cheery on Christmas Day - a vulnerability affecting
a web server that's been embedded in hundreds of thousands of IoT
devices.
https://www.bleepingcomputer.com/news/security/vulnerability-affects-hundreds-of-thousands-of-iot-devices/
Man Threatened Company with Cyber Attack to Fire Employee and Hire
Him Instead - A North Carolina judge sentenced a Washington man this
week to 37 months in prison for threatening a company with attacks
unless they fire one of their employees and hire him instead.
https://www.bleepingcomputer.com/news/security/man-threatened-company-with-cyber-attack-to-fire-employee-and-hire-him-instead/
Ukraine a "training ground" for Russian hacking attacks on west -
Ukraine has become a "training ground" for Russian hackers wishing
to perpetrate cyber-attacks on the west, a Kyiv security expert has
claimed.
https://www.scmagazine.com/ukraine-a-training-ground-for-russian-hacking-attacks-on-west/article/734267/
Cybercriminals favored non-malware attacks in 2017 -
Non-malware-based cyberattacks were behind the majority of cyber
incidents reported in 2017, despite proliferation of malware
available to both the professional and amateur hacker.
https://www.scmagazine.com/cybercriminals-favored-non-malware-attacks-in-2017-report/article/734266/
Consumers worry about their data, but don't bother much with
security - A recent worldwide consumer survey found a major
disconnect between general fears about cybersecurity and the actions
taken to protect not only their personal information, but their
families from cyberattacks.
https://www.scmagazine.com/consumers-worry-about-their-data-but-dont-bother-much-with-security/article/734644/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Major Intel, Arm chip security flaw puts your PCs, phones at risk -
Security researchers say a common processor design used by Intel
and mobile chip tech designer Arm may leave the door open to
exposing sensitive system data.
https://www.cnet.com/news/chips-exploit-meltdown-spectre-security-flaws-afflict-arm-phones-and-intel-pcs/
Ancestry.com's RootsWeb forum breached, 300,000 records compromised
- About 300,000 Ancestry.com members that use its RootsWeb
genealogical community had their email/usernames and passwords
compromised.
https://www.scmagazine.com/ancestrycoms-rootsweb-forum-breached-300000-records-compromised/article/733478/
Australian loses $1 million in 'catphish' whaling scam - A London
court heard a case earlier this month in which one of Australia's
richest people tried to recover $1 million scammed from him in a
convoluted ruse that combined traditional phishing with the
“Catfish” online phenomenon preying on lonely people looking for
love.
https://www.scmagazine.com/australian-loses-1-million-in-catphish-whaling-scam/article/733483/
Cyberattack forces New York State hospital to run on downtime
procedures - A cyberattack disrupted computer systems at Jones
Memorial Hospital (JMH) in Wellsville, N.Y. on Thursday, the
Buffalo-area health care facility has announced on its website.
https://www.scmagazine.com/cyberattack-forces-new-york-state-hospital-to-run-on-downtime-procedures/article/733482/
Migos' Offset iCloud hacked, images of fiancé Cardi B leaked -
Rapper Cardi B is threatening legal action after hackers broke into
her fiancé Offset's iCloud account and posted videos of the female
MC along with video of the Migos' rapper with a separate
unidentified woman.
https://www.scmagazine.com/cardi-b-threatens-legal-action-against-offsets-icloud-hackers/article/733179/
Forever 21 blames POS malware, lapses in encryption, for payment
card data compromise - A point-of-sale malware infection was
responsible for compromising payment card data collected at certain
Forever 21 stores last year – an attack that was exacerbated by a
lack of encryption on some devices, the apparel retailer stated last
week in its update to a previous incident disclosure.
https://www.scmagazine.com/forever-21-blames-pos-malware-lapses-in-encryption-for-payment-card-data-compromise/article/734241/
SSM Health call center agent with access to records allegedly
violated patient privacy - A one-time employee of Midwestern health
care system SSM Health with legitimate access to thousands of
patients' records allegedly violated HIPAA privacy regulations in a
data breach incident, the St. Louis-based company disclosed on Dec.
29.
https://www.scmagazine.com/ssm-health-call-center-agent-with-access-to-records-allegedly-violated-patient-privacy/article/733822/
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Dispute Resolution
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of potential situations
in which the institution may be liable for claims arising as a
result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
FFIEC IT SECURITY -
We begin a new series from the FDIC "Security Risks
Associated with the Internet."
This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.
Security Risks
The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.1 User Support
In many organizations, user support takes place through a Help Desk.
Help Desks can support an entire organization, a subunit, a specific
system, or a combination of these. For smaller systems, the system
administrator normally provides direct user support. Experienced
users provide informal user support on most systems.
User support should be closely linked to the organization's incident
handling capability. In many cases, the same personnel perform these
functions.
An important security consideration for user support personnel is
being able to recognize which problems (brought to their attention
by users) are security-related. For example, users' inability to log
onto a computer system may result from the disabling of their
accounts due to too many failed access attempts. This could indicate
the presence of hackers trying to guess users' passwords.
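As an added illustration of the lockout triage described above (example code, not part of the NIST Handbook or this newsletter), the following Python script uses a constructed, simplified log format and an assumed 10-minute look-back policy to separate lockouts that look like password guessing from ordinary user error, so help desk staff can route the former to incident handling:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): "time user result source"
SAMPLE_LOG = """\
2018-01-02T08:00:01 jdoe FAIL 10.1.1.20
2018-01-02T08:00:09 jdoe FAIL 10.1.1.20
2018-01-02T08:00:40 jdoe OK 10.1.1.20
2018-01-02T08:05:00 msmith FAIL 10.1.1.31
2018-01-02T08:05:02 msmith FAIL 198.51.100.7
2018-01-02T08:05:03 msmith FAIL 198.51.100.8
2018-01-02T08:05:05 msmith FAIL 203.0.113.9
2018-01-02T08:05:06 msmith LOCKED 203.0.113.9
2018-01-02T09:10:00 rlee FAIL 10.1.1.44
2018-01-02T09:11:30 rlee FAIL 10.1.1.44
2018-01-02T09:13:00 rlee FAIL 10.1.1.44
2018-01-02T09:13:05 rlee LOCKED 10.1.1.44
"""

WINDOW = timedelta(minutes=10)  # assumed look-back period before a lockout

def parse(log_text):
    """Turn each log line into (timestamp, user, result, source)."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def triage_lockouts(log_text):
    """Return {user: (verdict, failures_in_window, distinct_sources)} for each
    LOCKED event. Several source addresses, or three or more failures within
    30 seconds, suggest guessing; a few failures from one source suggest the
    user simply mistyped the password."""
    failures = defaultdict(list)  # user -> [(time, source)] of FAIL events
    verdicts = {}
    for ts, user, result, src in parse(log_text):
        if result == "FAIL":
            failures[user].append((ts, src))
        elif result == "LOCKED":
            recent = [(t, s) for t, s in failures[user] if ts - t <= WINDOW]
            sources = {s for _, s in recent}
            span = (ts - recent[0][0]).total_seconds() if recent else 0.0
            if len(sources) > 1 or (len(recent) >= 3 and span < 30):
                verdict = "possible password guessing"   # escalate to incident handling
            else:
                verdict = "likely user error"            # verify identity, then reset
            verdicts[user] = (verdict, len(recent), len(sources))
    return verdicts
```

A lockout is only the symptom; the failures that preceded it, and where they came from, are what tell support staff whether the user or an attacker caused it.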
In general, system support and operations staff need to be able to
identify security problems, respond appropriately, and inform
appropriate individuals. A wide range of possible security problems
exist. Some will be internal to custom applications, while others
apply to off-the-shelf products. Additionally, problems can be
software- or hardware-based.
The more responsive and knowledgeable system support and operation
staff personnel are, the less user support will be provided
informally. The support other users provide is important, but they
may not be aware of the "whole picture."
Small systems are especially susceptible to viruses, while networks
are particularly susceptible to hacker attacks, which can be
targeted at multiple systems. System support personnel should be
able to recognize attacks and know how to respond.