FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - HHS releases cyber guides for healthcare orgs - The Department of Health and Human Services rolled out new guidance to protect organizations in the health care sector from cyberattacks. https://fcw.com/articles/2019/01/02/hhs-cyber-johnson.aspx

FCC investigating major CenturyLink outage and 911 disruptions - A nationwide CenturyLink outage has knocked out 911 voice calls in parts of the US and affected everything from Verizon mobile data to ATM withdrawals, lottery drawings, and hospital patient records. https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating

Former Phillips 66 employee charged with trade secret theft - Research engineer reportedly caught by energy firm following a review of his computer activity - Phillips 66 spokesman Dennis Nuff confirmed Monday that the company is cooperating with the Federal Bureau of Investigation in an case involving a former Bartlesville employee. https://www.securityinfowatch.com/security-executives/news/21039172/trade-secret-theft-charge-filed

Hacking for the holidays: Healthcare Ransomware Edition - When ransomware hits a hospital, lives are on the line. Ed Tittel looks at how to deal with cyberattacks when lives are at stake. https://www.scmagazine.com/home/security-news/hacking-for-the-holidays-healthcare-ransomware-edition/

NSA to demo open-source malware reverse engineer tool at RSA 2019 - The National Security Agency (NSA) will demonstrate a free and open-source tool for reverse engineering malware with the hopes of improving security rather than undermining it. https://www.scmagazine.com/home/security-news/nsa-will-demonstrate-a-free-and-open-source-tool-for-reverse-engineering-malware-with-the-hopes-of-improving-security-rather-than-undermining-it/

National security center launches program to help US firms guard against foreign hackers - The National Counterintelligence and Security Center (NCSC) on Monday launched a program aimed at helping U.S. companies protect themselves from cyber attacks or other threats from foreign nation-state actors. https://thehill.com/policy/cybersecurity/424166-national-security-center-launches-program-to-help-us-firms-guard-against

U.S. Supreme Court declines to hear Fiat Chrysler appeal in car hacking case - The U.S. Supreme court Monday declined to hear Fiat Chrysler’s appeal in a class action lawsuit claiming the automaker knew its vehicles were vulnerable to cyberattacks as early as 2011. https://www.scmagazine.com/home/security-news/the-u-s-supreme-court-monday-declined-to-hear-fiat-chryslers-appeal-in-a-class-action-lawsuit-claiming-the-automaker-knew-its-vehicles-were-vulnerable-to-cyberattacks-as-early-as-2011/

Bridgeport, Conn., schools hit with ransomware - The Bridgeport, Conn., school district was hit with a ransomware attack last weekend. https://www.scmagazine.com/home/security-news/bridgeport-conn-schools-hit-with-ransomware/

Neiman Marcus reaches $1.5M settlement over 2013 breach - Neiman Marcus settled a class action lawsuit for $1.5 million that was brought after the department store suffered a data breach in 2014. https://www.scmagazine.com/home/security-news/neiman-marcus-reaches-1-5m-settlement-over-2013-breach/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cybercriminals compromise website for Dublin tram system, post ransom demand - Malicious hackers on Thursday defaced the website for Luas, a public tram system based in Dublin Ireland, posting a ransom demand that threatened to publish data they claim to have stolen from the transport service. https://www.scmagazine.com/home/security-news/cybercrime/cybercriminals-compromise-website-for-dublin-tram-system-post-ransom-demand/

Online security firm Abine suffers breach - The online privacy and password management firm Abine reported a data breach that exposed users names, emails and portions of their login credentials of those using its Blur product. https://www.scmagazine.com/home/security-news/online-security-firm-abine-suffers-breach/

Dental Center of NW Ohio feels bite of ransomware attack on IT vendor - The Toledo-based Dental Center of Northwest Ohio has disclosed that a ransomware attack affecting its local third-party IT vendor may be endangered personal data belonging to current and former patients and employees. https://www.scmagazine.com/home/security-news/dental-center-of-nw-ohio-feels-bite-of-ransomware-attack-on-it-vendor/

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack - Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve, KrebsOnSecurity has learned. https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/

A list of employee names, work phone numbers and job titles available to government employees through the Victorian Government directory was reportedly accessed by an unauthorized third party. According to the Australian Broadcasting Corporation (ABC), information on approximately 30,000 Victorian public servants was stolen in a data breach, after an unknown party downloaded a portion of the directory. https://www.infosecurity-magazine.com/news/third-party-accessed-victorian/

Malware suspected of hobbling several newspapers' production - Virus interferes with publishing at Southern California printing plant. A malware attack is suspected of preventing production on Saturday of several newspapers, including the Wall Street Journal and Los Angeles Times. https://www.cnet.com/news/samsung-in-2019-ces-get-ready-for-foldable-phones-5g-and-more/

Humana says Bankers Life breach exposed PII on insurance policy applicants - Managed health care provider Humana said an unauthorized third party accessed system credentials of some employees at health insurance company Bankers Life, exposing “limited, personal information” of people who had applied for a Humana policy. https://www.scmagazine.com/home/security-news/humana-says-bankers-life-breach-exposed-pii-on-insurance-policy-applicants/

5M passports accessed in Marriott breach were unencrypted - Marriott International may have bumped down the number of records affected by a breach of its Starwood division to 383 million, but the hotel chain admitted that five million passport numbers stolen in the incident by an unknown hacker were unencrypted. https://www.scmagazine.com/home/security-news/5m-passports-accessed-in-marriott-breach-were-unecrypted/

German politicians and other high profile citizens targeted in massive data breach - Several German politicians, journalists, and entertainers were targeted in a massive data breach that emerged on Twitter in the form of an advent calendar last month. https://www.scmagazine.com/home/security-news/several-german-politicians-journalists-and-entertainers-were-targeted-in-a-massive-data-breach-that-emerged-on-twitter-in-the-form-of-an-advent-calendar-last-month/

Singapore Airlines ‘glitch’ exposes personal data on 285 frequent flyers - The data on about 285 Singapore Airlines’ Krisflyer frequent flyer program members was exposed after a software glitch following a website update allowed frequent flyers see the data of others. https://www.scmagazine.com/home/security-news/singapore-airlines-glitch-exposes-personal-data-on-285-frequent-flyers/ 

Emergency warning system compromised as hackers send text and email messages to thousands - Hackers have infiltrated and used an emergency warning system designed to alert thousands of Australians to imminent dangers. https://www.news.com.au/technology/online/hacking/emergency-warning-system-compromised-as-hackers-send-text-and-email-messages-to-thousands/news-story/ebc22b8080dd2af7d4102803b61f0097

DePaul University group email exposes employees’ info - A group email recently sent by DePaul University reportedly exposed the names and email addresses of 656 employees who had completed the school’s wellness program. https://www.scmagazine.com/home/security-news/data-breach/depaul-university-group-email-exposes-employees-info/

Kitchenware companies breached in dual attacks - A pair of recent cyberattacks against kitchen product companies may bring forth visions of microwave ovens being set to expel X-rays or Wi-Fi enabled refrigerators being hacked and set to 100 degrees, but instead, in each case, the result was a data breach. https://www.scmagazine.com/home/security-news/kitchenware-companies-breached-in-dual-attacks/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
  
  INTRUSION DETECTION SYSTEMS
  
  Vulnerability assessments and penetration analyses help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate. The next step is to monitor the system for intrusions and unusual activities. Intrusion detection systems (IDS) may be useful because they act as a burglar alarm, reporting potential intrusions to appropriate personnel. By analyzing the information generated by the systems being guarded, IDS help determine if necessary safeguards are in place and are protecting the system as intended. In addition, they can be configured to automatically respond to intrusions.
  
  Computer system components or applications can generate detailed, lengthy logs or audit trails that system administrators can manually review for unusual events. IDS automate the review of logs and audit data, which increases the reviews' overall efficiency by reducing costs and the time and level of skill necessary to review the logs.
  
  Typically, there are three components to an IDS. First is an agent, which is the component that actually collects the information. Second is a manager, which processes the information collected by the agents. Third is a console, which allows authorized information systems personnel to remotely install and upgrade agents, define intrusion detection scenarios across agents, and track intrusions as they occur. Depending on the complexity of the IDS, there can be multiple agent and manager components.
  
  Generally, IDS products use three different methods to detect intrusions. First, they can look for identified attack signatures, which are streams or patterns of data previously identified as an attack. Second, they can look for system misuse such as unauthorized attempts to access files or disallowed traffic inside the firewall. Third, they can look for activities that are different from the users or systems normal pattern. These "anomaly-based" products (which use artificial intelligence) are designed to detect subtle changes or new attack patterns, and then notify appropriate personnel that an intrusion may be occurring. Some anomaly-based products are created to update normal use patterns on a regular basis. Poorly designed anomaly-based products can trigger frequent false-positive responses.
  
  Although IDS may be an integral part of an institutions overall system security, they will not protect a system from previously unknown threats or vulnerabilities. They are not self-sufficient and do not compensate for weak authentication procedures (e.g., when an intruder already knows a password to access the system). Also, IDS often have overlapping features with other security products, such as firewalls. IDS provide additional protections by helping to determine if the firewall programs are working properly and by helping to detect internal abuses. Both firewalls and IDS need to be properly configured and updated to combat new types of attacks. In addition, management should be aware that the state of these products is highly dynamic and IDS capabilities are evolving.
  
  IDS tools can generate both technical and management reports, including text, charts, and graphs. The IDS reports can provide background information on the type of attack and recommend courses of action. When an intrusion is detected, the IDS can automatically begin to collect additional information on the attacker, which may be needed later for documentation purposes.
  
  FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION
  
  LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
  
  AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)
  
  When utilizing PKI policies and controls, financial institutions need to consider the following:
  
  ! Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;
  
  ! Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;
  
  ! Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;
  
  ! Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;
  
  ! Updating the database of revoked certificates frequently, ideally in real - time mode;
  
  ! Employing stringent measures to protect the root key including limited physical access to CA facilities, tamper - resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and back - up keys on computers that do not connect with outside networks;
  
  ! Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;
  
  ! Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;
  
  ! Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and
  
  ! Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.
  
  The encryption components of PKI are addressed more fully under "Encryption."

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 18 - AUDIT TRAILS
 
 18.4 Interdependencies
 
 The ability to audit supports many of the controls presented in this handbook. The following paragraphs describe some of the most important interdependencies.
 
 Policy. The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized access to what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.
 
 Assurance. System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.
 
 Identification and Authentication. Audit trails are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If a user is impersonated, the audit trail will establish events but not the identity of the user.
 
 Logical Access Control. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure that audit trails are not modified.
 
 Contingency Planning. Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).
 
 Incident Response. If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?
 
 Cryptography. Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.