FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI

It's back! The CyberFirst Girls Competition 2018 - I think it’s fair to say I did not expect to be running another CyberFirst Girls Competition, but given the overwhelming response and unprecedented amount of positive feedback we received following last year’s competition, we really couldn't not run it again.
https://www.ncsc.gov.uk/blog-post/its-back-cyberfirst-girls-competition-2018

Ethical hackers can earn 16 times a software engineer's salary in some countries - A recent HackerOne survey found that some bug bounty hunters are earning more than 16 times what they would have earned as a software engineer in their own country.
https://www.scmagazine.com/on-average-however-the-top-earning-researchers-make-27-times-the-median-salary-of-a-software-engineer-in-their-home-country/article/737649/

House passes Cyber Diplomacy Act - A bipartisan group of Congressmen cheered the passing of the Cyber Diplomacy Act (H.R. 3776) yesterday by the House of Representatives.
https://www.scmagazine.com/house-passes-cyber-diplomacy-act/article/737776/

Defense Dept. warns staffers against using personal email for official business - Warning that the use of “non-official messaging accounts” is illegal and runs counter to the Department of Defense's (DoD's) official policy, Deputy Defense Secretary Patrick Shanahan instructed agency employees to use their government email accounts for government business.
https://www.scmagazine.com/defense-dept-warns-staffers-against-using-personal-email-for-official-business/article/737777/

Post-it with password spotted in online photo of Hawaii Emergency Management Agency HQ - The Hawaii Emergency Management Agency has had a lot of explaining to do after an employee pushed the wrong button during a test and pushed out an alert warning residents that a ballistic missile was headed their way, but now the agency is catching heat after eagle-eyed internet users noticed a Post-It note with a password stuck on a computer in a July photo taken at the agency's Diamond Head headquarters.
https://www.scmagazine.com/post-it-with-password-spotted-in-online-photo-of-hawaii-emergency-management-agency-hq/article/737661/

Defense Dept. blocks 36M malicious emails daily, fends off 600 Gbps DDoS attacks - That the Defense Department blocks 36 million malicious emails daily aimed at accessing U.S. military systems, as Defense Information Systems Agency Director of Operations David Bennett recently said, underscores that attackers continue to consider email an attractive attack vector and highlights the stresses that security pros face daily trying to sort through threats.
https://www.scmagazine.com/defense-dept-blocks-36m-malicious-emails-daily-fends-off-600-gbps-ddos-attacks/article/738292/

Aetna agrees to $17M to settle data breach - Aetna will pay $17.1 million as part of a settlement for a July 2017 data breach that may have compromised the personal health information of thousands of HIV patients.
https://www.scmagazine.com/aetna-agrees-to-17m-to-settle-data-breach/article/738091/

Complexity of DDoS attacks is rising, says new report - DDoS attacks plotted over the last year have stepped back from the headline-grabbing events of 2016, but have become more stealthy and intelligent, according to a new report.
https://www.scmagazine.com/complexity-of-ddos-attacks-is-rising-says-new-report/article/738756/

Social engineering penetration testing: an overview - Social engineering has proved to be an extremely efficient hacking technique, as it exploits both human weaknesses (greed, vanity, authority worship) and virtues (compassion, willingness to help others).
https://www.scmagazine.com/social-engineering-penetration-testing-an-overview/article/734276/

South Dakota government advances data breach notification bill - The South Dakota State Judiciary committee voted unanimously to advance a bill that would require companies to inform state residents if their PII was involved in a data breach.
https://www.scmagazine.com/south-dakota-government-advances-data-breach-notification-bill/article/739082/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI

Hospital injects $60,000 into crims' coffers to cure malware infection - Medics say they couldn't wait for backups to be pulled as ransomware ransacked kit - A US hospital paid extortionists roughly $60,000 to end a ransomware outbreak that forced staff to use pencil-and-paper records.
http://www.theregister.co.uk/2018/01/16/us_hospital_ransomware_bitcoin/

Separate ransomware attacks strike New Mexico city, Indiana health care provider - A New Mexican city of roughly 45,000 people and an Indianan hospital operator have fallen victim to separate ransomware attacks this month.
https://www.scmagazine.com/separate-ransomware-attacks-strike-new-mexico-city-indiana-health-care-provider/article/738087/

OnePlus breach may have compromised 40K users - An attack on OnePlus.net may have affected up to 40,000 users, who the company has notified by email.
https://www.scmagazine.com/oneplus-breach-may-have-compromised-40k-users/article/738295/

Turkish hacktivist group hijacks ex-sheriff David Clarke Jr.'s Twitter account - The same Turkish hacktivist group that last week took over the Twitter accounts of conservative media figures Greta Van Susteren, Eric Bolling, and Brit Hume.
https://www.scmagazine.com/turkish-hacktivist-group-hijacks-ex-sheriff-david-clarke-jrs-twitter-account/article/738760/

Florida makes info on 1K Kansas voters public, lawmakers ask DHS to clarify role regarding election integrity commission - Florida released partial social security numbers for close to 1,000 Kansas voters after receiving data from Kansas Secretary of State Kris Kobach as part of the Crosscheck program that identifies double voter registration.
https://www.scmagazine.com/florida-makes-info-on-1k-kansas-voters-public-lawmakers-ask-dhs-to-clarify-role-regarding-election-integrity-commission/article/738989/

Oh, baby! Infants' Social Security numbers spotted for sale on dark web - Apparently, you're never too young to be on the dark web -- or at least for your data to be hawked there. The personal identifiable information (PII) of infants, including Social Security numbers, was recently found advertised for sale on the dark web under the sales pitch "get em befor tax seson [sic]."
https://www.scmagazine.com/infants-social-security-numbers-sold-on-dark-web-in-time-for-tax-season/article/738958/

Hacking initial coin offerings leading to the loss of millions in cryptocurrency - Initial coin offerings (ICO) are losing about 10 percent of all ICO funds generated to cyberattack due to poor cybersecurity, as malicious actors take advantage of the absence of a centralized authority, blockchain transaction irreversibility and the information chaos that presides over this sector.
https://www.scmagazine.com/hacking-initial-coin-offerings-leading-to-the-loss-of-millions-in-cryptocurency/article/738762/

Bell Canada breach exposes names, emails of 100K customers - For the second time in less than a year, Bell Canada has experienced a data breach that exposed customer records.
https://www.scmagazine.com/bell-canada-breach-exposes-names-emails-of-100k-customers/article/739274/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Assess Quality of Service and Support

• Regularly review reports documenting the service provider’s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider’s ability to support and enhance the institution’s strategic direction, including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine the adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts.
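The two points in that paragraph, that an address-only access decision is no authentication at all and that address-based trust is transitive, can be made concrete. The following is an added example written for this newsletter, not code from the FDIC paper. The hosts, addresses, trust relationships and shared secrets are all constructed and hypothetical; the model is simply "system X accepts connections from any source address listed in its trusted set". The spoof_reach function follows the trust chains to show how far an intruder who can present one trusted address could get, and authenticated_access shows the corrected decision, in which the source address is at most a hint and a credential the intruder does not hold establishes identity.

```python
import secrets
from typing import Dict, Set

# Constructed example: which source addresses each system accepts on the
# strength of the address alone (the "trusted hosts" pattern the text warns
# about). Hypothetical names and addresses, not from any real network.
IP_TRUST: Dict[str, Set[str]] = {
    "10.0.0.5":  {"10.0.0.7", "10.0.0.9"},  # core banking trusts web and batch hosts
    "10.0.0.7":  {"10.0.0.20"},             # web server trusts an admin workstation
    "10.0.0.9":  set(),                     # batch host trusts nobody
    "10.0.0.20": {"10.0.0.30"},             # workstation trusts a laptop
    "10.0.0.30": set(),
}


def trusted_by(target: str, candidate: str) -> bool:
    """Address-only access decision: the weak control described in the text."""
    return candidate in IP_TRUST.get(target, set())


def spoof_reach(claimed_ip: str) -> Set[str]:
    """Every system reachable by presenting claimed_ip, following chains of
    address-based trust: if A trusts B and B trusts C, presenting C's address
    gets into B, and from B's address into A."""
    reached: Set[str] = set()
    frontier = [claimed_ip]
    while frontier:
        ip = frontier.pop()
        for target, trusted in IP_TRUST.items():
            if ip in trusted and target not in reached:
                reached.add(target)
                frontier.append(target)  # can now originate traffic from target's address
    return reached


# Constructed per-peer shared secrets. A real deployment would use mutually
# authenticated TLS or similar; the point is that the credential, not the
# source address, is what proves identity.
PEER_SECRETS: Dict[str, str] = {
    "10.0.0.7": "web-secret-constructed",
    "10.0.0.9": "batch-secret-constructed",
}


def authenticated_access(target: str, src_ip: str, presented_secret: str) -> bool:
    """Hardened decision: the address allowlist still applies, but access is
    granted only if the peer also presents the secret registered for it.
    A spoofed address without the matching secret is refused."""
    expected = PEER_SECRETS.get(src_ip)
    if expected is None or not trusted_by(target, src_ip):
        return False
    # Constant-time comparison so the check does not leak the secret by timing.
    return secrets.compare_digest(expected.encode(), presented_secret.encode())


if __name__ == "__main__":
    print("trusted by address alone:", trusted_by("10.0.0.5", "10.0.0.9"))
    print("reach when presenting the laptop's address:", sorted(spoof_reach("10.0.0.30")))
    print("spoofed batch address, no secret:", authenticated_access("10.0.0.5", "10.0.0.9", ""))
    print("batch host with its secret:", authenticated_access("10.0.0.5", "10.0.0.9", "batch-secret-constructed"))
```

Presenting the laptop's address alone reaches the workstation, then the web server, then the core system: the blast radius of one spoofable address is the whole trust chain, which is the "any system that it trusts" point. Under the hardened check the same chain yields nothing to an intruder who lacks the per-peer secret.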
Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hypertext Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. The Telnet protocol enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture.
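The practical control behind that paragraph is an inventory of which application layer protocols each system actually exposes, compared against what its role permits. The following is an added example, not code from the FDIC paper: it parses listening-socket lines in the layout of "netstat -tlnp" output (the sample lines are constructed, as is the policy that a public web server may expose only HTTP and HTTPS) and reports every exposed listener the policy does not allow, labelled with the protocol name. Listeners bound to the loopback address are not reachable from the network and are skipped rather than reported.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Well-known ports for the protocols named in the text plus a few common ones,
# used only to label findings.
PROTOCOL_NAMES: Dict[int, str] = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 443: "HTTPS",
}

# Hypothetical policy: the listening TCP ports each system role may expose.
ROLE_POLICY: Dict[str, Set[int]] = {
    "public-web": {80, 443},
    "file-transfer-gateway": {22, 443},
}

# One listening-socket line in the layout of "netstat -tlnp":
# proto  recv-q  send-q  local-address:port  foreign-address  state  pid/program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)


class Finding(NamedTuple):
    port: int
    protocol: str
    program: str
    bound_to: str


def is_loopback(addr: str) -> bool:
    """True for listeners only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_listeners(role: str, netstat_lines: List[str]) -> List[Finding]:
    """Return every network-exposed listener that the role's policy does not allow."""
    allowed = ROLE_POLICY[role]
    findings: List[Finding] = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header lines, ESTABLISHED sockets, UDP: not in scope here
        port = int(m.group("port"))
        if is_loopback(m.group("addr")) or port in allowed:
            continue
        findings.append(Finding(
            port=port,
            protocol=PROTOCOL_NAMES.get(port, f"tcp/{port}"),
            program=m.group("prog"),
            bound_to=m.group("addr"),
        ))
    return findings


# Constructed sample output for a public web server, not captured from a real host.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1021/nginx",
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1021/nginx",
    "tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/vsftpd",
    "tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      655/inetd",
    "tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      700/sshd",
]


if __name__ == "__main__":
    for f in audit_listeners("public-web", SAMPLE_NETSTAT):
        print(f"port {f.port} ({f.protocol}) exposed on {f.bound_to} by {f.program}: not allowed for public-web")
```

On the sample host the FTP and Telnet listeners are reported while HTTP, HTTPS and the loopback-only SSH daemon are not: the services are "within the scope of the protocol architecture", but the policy, not the protocol, decides whether they belong on this system.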
The open architecture of the Internet also makes it easy for system attacks to be launched against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit.
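A standard first line of defence against "overwhelming a system with so many requests that it shuts down" is to bound how many requests any one source may have in flight, so that a flood from one origin cannot consume the capacity meant for everyone. The following is an added example, not code from the FDIC paper: a per-source token bucket limiter with an injected clock (so the behaviour is reproducible), replayed over a constructed request log in which one source sends 200 requests in one second and a normal client sends five requests over ten seconds. The rate and burst figures are illustrative, not recommended values.

```python
from typing import Dict, List, Tuple


class TokenBucketLimiter:
    """Per-source token bucket: each source may burst up to `capacity` requests
    and is thereafter limited to `rate` requests per second. Time is passed in
    explicitly so the limiter is deterministic and testable."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate
        self.capacity = capacity
        self._tokens: Dict[str, float] = {}
        self._last_seen: Dict[str, float] = {}

    def allow(self, source: str, now: float) -> bool:
        # A source we have not seen starts with a full bucket.
        tokens = self._tokens.get(source, float(self.capacity))
        last = self._last_seen.get(source, now)
        # Refill at `rate` tokens per second since the last request, capped.
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        self._last_seen[source] = now
        if tokens >= 1.0:
            self._tokens[source] = tokens - 1.0
            return True
        self._tokens[source] = tokens  # keep the fractional refill, reject this one
        return False


def replay(limiter: TokenBucketLimiter,
           events: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, source) request events in time order; return the
    number of (allowed, rejected) requests per source."""
    counts: Dict[str, Tuple[int, int]] = {}
    for ts, source in sorted(events):
        allowed, rejected = counts.get(source, (0, 0))
        if limiter.allow(source, ts):
            counts[source] = (allowed + 1, rejected)
        else:
            counts[source] = (allowed, rejected + 1)
    return counts


def build_sample_events() -> List[Tuple[float, str]]:
    """Constructed request log: a flood of 200 requests in one second from
    one source, and a normal client making five requests over ten seconds."""
    flood = [(i * 0.005, "flood-source") for i in range(200)]
    normal = [(float(t), "normal-client") for t in (0, 2, 4, 6, 8)]
    return flood + normal


def run_demo() -> Dict[str, Tuple[int, int]]:
    # 5 requests/second sustained, bursts of up to 20.
    return replay(TokenBucketLimiter(rate=5.0, capacity=20), build_sample_events())


if __name__ == "__main__":
    for source, (allowed, rejected) in run_demo().items():
        print(f"{source}: {allowed} allowed, {rejected} rejected")
```

With a 20-request burst and a refill of 5 per second, the flood source gets its initial burst plus roughly five more requests over the second and the remaining 170-odd are rejected, while the normal client, whose bucket refills fully between requests, is never throttled. The limiter protects the application behind it; volumetric floods that saturate the network link itself have to be absorbed upstream.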
Security Scanning Products

A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.5.3 Integrity Verification

When electronically stored information is read into a computer system, it may be necessary to determine whether it has been read correctly or subject to any modification. The integrity of electronic information can be verified using error detection and correction or, if intentional modifications are a threat, cryptographic-based technologies.
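The distinction the Handbook draws between error detection and cryptographic integrity checking is worth seeing in code. The following is an added example, not from the NIST Handbook: a stored record (constructed, a certificate-of-deposit rate line, echoing the altered-rates scenario from the FDIC material earlier in this newsletter) is protected with a CRC-32 error-detection code and, separately, with an HMAC-SHA256 keyed hash. A random bit flip is caught by both. A deliberate edit in which the modifier also recomputes the CRC passes the CRC check, because anyone can compute a CRC, but fails the HMAC check, because the key (constructed here) is needed to produce a valid tag. The key would in practice be held separately from the media being protected.

```python
import hashlib
import hmac
import zlib
from typing import Dict

# Constructed key; in practice kept apart from the media it protects.
INTEGRITY_KEY = b"constructed-integrity-key-not-for-real-use"


def crc_tag(data: bytes) -> int:
    """Error-detection code: catches accidental corruption, not tampering."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc_ok(data: bytes, tag: int) -> bool:
    return crc_tag(data) == tag


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash: a valid tag can be produced only by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the verifier does not leak tag bytes by timing.
    return hmac.compare_digest(mac_tag(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate accidental corruption: flip one bit of the stored bytes."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def integrity_scenarios() -> Dict[str, Dict[str, bool]]:
    """Store a record with both tags, then check it under two failure modes."""
    original = b"12-month CD advertised rate: 2.10%"   # constructed record
    stored_crc = crc_tag(original)
    stored_mac = mac_tag(INTEGRITY_KEY, original)

    # 1. Accidental corruption while reading the media: one bit flipped.
    corrupted = flip_bit(original, 37)

    # 2. Intentional modification: the rate is changed and, since CRC needs no
    #    secret, the modifier recomputes the CRC so the record looks consistent.
    tampered = original.replace(b"2.10%", b"9.10%")
    tampered_crc = crc_tag(tampered)

    return {
        "bit_flip": {
            "crc_detects": not crc_ok(corrupted, stored_crc),
            "mac_detects": not mac_ok(INTEGRITY_KEY, corrupted, stored_mac),
        },
        "tamper_with_recomputed_crc": {
            "crc_detects": not crc_ok(tampered, tampered_crc),
            "mac_detects": not mac_ok(INTEGRITY_KEY, tampered, stored_mac),
        },
    }


if __name__ == "__main__":
    for scenario, outcome in integrity_scenarios().items():
        print(scenario, outcome)
```

The same keyed check applied to published web content (page bodies hashed under a key held off the web server and verified on a schedule) is one way to notice an altered page, such as changed deposit rates, that an ordinary checksum stored beside the content would not reveal.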
14.5.4 Physical Access Protection

Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls, which can limit these problems, include locked doors, desks, file cabinets, or safes.

If the media requires protection at all times, it may be necessary to actually output data to the media in a secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer in a common area).

Physical protection of media should be extended to backup copies stored offsite. They generally should be accorded an equivalent level of protection to media containing the same information stored onsite. (Equivalent protection does not mean that the security measures need to be exactly the same. The controls at the off-site location are quite likely to be different from the controls at the regular site.)
14.5.5 Environmental Protection

Magnetic media, such as diskettes or magnetic tape, require environmental protection, since they are sensitive to temperature, liquids, magnetism, smoke, and dust. Other media (e.g., paper and optical storage) may have different sensitivities to environmental factors.