Remote bank regulatory FFIEC IT audits
- I am performing
virtual/remote bank regulatory FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - Researchers discover new
JNDI-based vulnerability similar to Log4j - A firm disclosed a
vulnerability in the console for H2, a popular Java SQL database
offering, that comes from the same root JNDI problem as Log4j. It is
the first of what will likely be several discoveries as researchers
try to replicate the Log4j problem in similarly structured software.
https://www.cyberscoop.com/ftc-warns-of-action-against-firms-that-fail-to-fix-log4j-software-flaws/
FIN7 cybercrime group sending USB devices to US companies - The FBI
has notified U.S. organizations that the FIN7 cybercrime group is
sending out malicious USB devices with the intent to infect their
systems with malware, according to multiple news outlets.
https://www.scmagazine.com/news/device-security/fin7-cybercrime-group-sending-usb-devices-to-us-companies
FTC warns of potential penalties for firms that fail to fix Log4j
software flaws - The Federal Trade Commission Tuesday warned
companies that if they fail to take action to remedy a major recent
software vulnerability in open-source software tool Log4j, there
could be legal repercussions.
https://www.cyberscoop.com/ftc-warns-of-action-against-firms-that-fail-to-fix-log4j-software-flaws/
Who’s to blame for the Kronos payroll disruptions, post cyberattack?
- Human resource and payroll vendor Kronos has been recovering from
a widespread ransomware attack for more than a month, which has
created major payroll issues at a number of health systems.
https://www.scmagazine.com/feature/cloud/fallout-from-kronos-payroll-disruptions-spurred-by-lack-of-contingency-plans
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Missouri’s CRMC brings network
back online, 3 weeks after cyberattack - Three weeks after reporting
a network and telephone outage across its care network, Capital
Region Medical Center has brought much of its network back online.
https://www.scmagazine.com/analysis/breach/missouris-crmc-brings-network-back-online-3-weeks-after-cyberattack
US online pharmacy Ravkoo links data breach to AWS portal incident
- Ravkoo, a US Internet-based pharmacy service, has disclosed a data
breach after the company's AWS hosted cloud prescription portal was
involved in a security incident that may have led to personal and
health information being accessed.
https://www.bleepingcomputer.com/news/security/us-online-pharmacy-ravkoo-links-data-breach-to-aws-portal-incident/
Counties in New Mexico, Arkansas begin 2022 with ransomware attacks
- Two counties in New Mexico and Arkansas are dealing with
ransomware attacks affecting government services, according to
officials from both states.
https://www.zdnet.com/article/counties-in-new-mexico-arkansas-dealing-with-ransomware-attacks/
213K Florida Digestive Health patients informed of 2020 data
compromise - Florida Digestive Health Specialists recently notified
212,509 patients that their data was potentially compromised one
year ago, during the hack of multiple employee email accounts.
https://www.scmagazine.com/analysis/breach/213k-florida-digestive-health-patients-informed-of-2020-data-compromise
After hack, BioPlus faces class-action lawsuit, allegations into
security measures - BioPlus Specialty Pharmacy Services is facing a
class-action data breach lawsuit, following its recent disclosure of
a weeks-long IT network hack that resulted in the unauthorized
access of former and current patient-related information.
https://www.scmagazine.com/analysis/breach/after-hack-bioplus-faces-class-action-lawsuit-allegations-into-security-measures
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 14:
Banks should develop appropriate incident response plans to manage,
contain and minimize problems arising from unexpected events,
including internal and external attacks, that may hamper the
provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events, such as internal and external attacks, that may affect the
provision of e-banking systems and services. The current and future
capacity of critical e-banking delivery systems should be assessed on
an ongoing basis. Banks should develop appropriate incident response
plans, including communication strategies, that ensure business
continuity, control reputation risk and limit liability associated
with disruptions in their e-banking services, including those
originating from outsourced systems and operations.
To ensure effective response to unforeseen incidents, banks
should develop:
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include consideration
of the likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external
market and media concerns that may arise in the event of security
breaches, online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event that material security breaches or
disruptive incidents occur.
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
related output.
6) A clear chain of command, encompassing both internal as well
as outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
NETWORK ACCESS
Packet Filter Firewalls
Basic packet filtering was described in the router section and
does not include stateful inspection. Packet filter firewalls
evaluate the headers of each incoming and outgoing packet to ensure
it has a valid internal address, originates from a permitted
external address, connects to an authorized protocol or service, and
contains valid basic header instructions. If the packet does not
match the pre-defined policy for allowed traffic, then the firewall
drops the packet. Packet filters generally do not analyze the packet
contents beyond the header information. Dynamic packet filtering
incorporates stateful inspection primarily for performance benefits.
Before re-examining every packet, the firewall checks each packet as
it arrives to determine whether it is part of an existing
connection. If it verifies that the packet belongs to an established
connection, then it forwards the packet without subjecting it to the
firewall ruleset.
Weaknesses associated with packet filtering firewalls include the
following:
- The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
- Logging functionality is limited to the same information used to
make access control decisions.
- Most do not support advanced user authentication schemes.
- Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
- The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance, than
application-level firewalls. The former are appropriate in high-speed
environments where logging and user authentication with network
resources are not important. Packet filter firewalls are also
commonly used in small office/home office (SOHO) systems and default
operating system firewalls.
Institutions internally hosting Internet-accessible services
should consider implementing additional firewall components that
include application-level screening.
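As an added illustration (not from the FFIEC booklet or this newsletter), the following Python model shows the behaviour described above: header-only policy checks for a new connection, a state table that lets packets of an established connection bypass the ruleset, and no inspection of the payload, which is the first weakness listed. All addresses, rules and packets are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed policy (not a real network): one internal web server reachable
# from a partner range, and internal hosts allowed out to HTTPS.
INTERNAL_NET = ip_network("10.20.0.0/16")
ALLOW_RULES = [  # (src net, dst net, proto, dst port)
    (ip_network("203.0.113.0/24"), ip_network("10.20.1.10/32"), "tcp", 443),
    (INTERNAL_NET, ip_network("0.0.0.0/0"), "tcp", 443),
]

# syn marks the first packet of a TCP connection; payload is carried but,
# as with a real packet filter, never examined.
Packet = namedtuple("Packet", "src dst proto sport dport syn payload",
                    defaults=(False, b""))

@dataclass
class PacketFilter:
    established: set = field(default_factory=set)  # 5-tuples, both directions

    def _policy_allows(self, p: Packet) -> bool:
        """Header-only checks: one side internal, one external, plus a rule match."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        if (src in INTERNAL_NET) == (dst in INTERNAL_NET):
            return False
        return any(src in s and dst in d and p.proto == pr and p.dport == port
                   for s, d, pr, port in ALLOW_RULES)

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.established:           # fast path: bypass the ruleset
            return "forward(state)"
        if p.syn and self._policy_allows(p):  # new connection: consult policy
            self.established.add(key)
            self.established.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "forward(policy)"
        return "drop"

def demo() -> list:
    """Constructed traffic: permitted SYN, its reply, a non-permitted SYN, data on the established flow."""
    fw = PacketFilter()
    pkts = [
        Packet("203.0.113.5", "10.20.1.10", "tcp", 40000, 443, syn=True),
        Packet("10.20.1.10", "203.0.113.5", "tcp", 443, 40000),
        Packet("198.51.100.9", "10.20.1.10", "tcp", 5000, 443, syn=True),
        Packet("203.0.113.5", "10.20.1.10", "tcp", 40000, 443,
               payload=b"application data an application-level firewall would screen"),
    ]
    return [fw.decide(p) for p in pkts]
```

The last packet is forwarded on state alone, whatever its payload contains; that is the gap an application-level screening component is meant to close.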
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.4 Administration of Access Controls
One of the most complex and challenging aspects of access control,
administration involves implementing, monitoring, modifying,
testing, and terminating user accesses on the system. These can be
demanding tasks, even though they typically do not include making
the actual decisions as to the type of access each user may have.
Decisions regarding accesses should be guided by organizational
policy, employee job descriptions and tasks, information
sensitivity, user "need-to-know" determinations, and many other
factors.
There are three basic approaches to administering access controls:
centralized, decentralized, or a combination of these. Each has
relative advantages and disadvantages. Which is most appropriate in
a given situation will depend upon the particular organization and
its circumstances.
System and Security Administration
The administration of systems and security requires access to
advanced functions (such as setting up a user account). The
individuals who technically set up and modify who has access to what
are very powerful users on the system; they are often called system
or security administrators. On some systems, these users are
referred to as having privileged accounts.
The type of access of these accounts varies considerably. Some
administrator privileges, for example, may allow an individual to
administer only one application or subsystem, while a higher level
of privileges may allow for oversight and establishment of subsystem
administrators.
Normally, users who are security administrators have two accounts:
one for regular use and one for security use. This can help protect
the security account from compromise. Furthermore, additional I&A
precautions, such as ensuring that administrator passwords are
robust and changed regularly, are important to minimize
opportunities for unauthorized individuals to gain access to these
functions.
17.4.1 Centralized Administration
Using centralized administration, one office or individual is
responsible for configuring access controls. As users' information
processing needs change, their accesses can be modified only through
the central office, usually after requests have been approved by the
appropriate official. This allows very strict control over
information, because the ability to make changes resides with very
few individuals. Each user's account can be centrally monitored, and
closing all accesses for any user can be easily accomplished if that
individual leaves the organization. Since relatively few individuals
oversee the process, consistent and uniform procedures and criteria
are usually not difficult to enforce. However, when changes are
needed quickly, going through a central administration office can be
frustrating and time-consuming.