FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Number of cyber incidents doubled in 2017, yet 93 percent could easily have been prevented - Out of nearly 160,000 reported cyber incidents affecting businesses in 2017, 93 percent could have been prevented by following basic security measures such as regularly updating software, blocking fake email messages, using email authentication, and training employees, a new report claims. https://www.scmagazine.com/report-number-of-cyber-incidents-doubled-in-2017-yet-93-percent-could-easily-have-been-prevented/article/739932/

Tech firms let Russia probe software widely used by U.S. government - Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found. https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT

On this episode of Women of Washington, host Gigi Schumm welcomed Donna Dodson, chief cybersecurity officer at the National Institute of Standards and Technology. Dodson also serves as associate director of the Information Technology Laboratory and director of the National Cybersecurity Center of Excellence.  https://federalnewsradio.com/women-of-washington/2018/01/you-dont-want-need-to-be-just-like-everyone-else/

Baby boomers more cybersecurity savvy than Gen-Z, study - Generation Z are the least ransomware savvy generation while baby boomers were more likely to accurately define ransomware and were the savviest when it comes to not forwarding emails from unknown senders. https://www.scmagazine.com/a-recent-webroot-survey-found-237-percent-of-gen-z-were-able-to-accurately-define-ransomware-compared-to-476-percent-of-baby-boomers/article/739925/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Millions of machines download XMRig cryptominer after users click on devious links - A newly discovered malicious URL redirection campaign that infects users with the XMRig Monero cryptocurrency miner has already victimized users between 15 and 30 million times, researchers have reported. https://www.scmagazine.com/millions-of-machines-download-xmrig-cryptominer-after-users-click-on-devious-links/article/739594/

Bell Canada Canucks it up again: Second hack in just eight months - Subscriber database plundered by miscreants once again - Executives at Bell Canada have been left with faces redder than their nation's flag – after their subscriber database was hacked for the second time in eight months. http://www.theregister.co.uk/2018/01/24/bell_canada_security_hack/

Report: In a U.S. first, jackpotting attacks are forcing ATMs to 'make it rain' - Organized criminals are physically accessing ATM machines and infecting them with malware that makes them spit out cash, in what reports are calling the first-ever confirmed case of "jackpotting" attacks in the U.S. https://www.scmagazine.com/report-in-a-us-first-jackpotting-attacks-are-forcing-atms-to-make-it-rain/article/740236/

Texas county nearly duped out of $888,000 in Hurricane Harvey phishing scam - The most populous county in Texas nearly lost $888,000 last year, after a local government employee fell for a spear phishing campaign that used Hurricane Harvey as a lure, the Houston Chronicle has reported. https://www.scmagazine.com/texas-county-nearly-duped-out-of-888000-in-hurricane-harvey-phishing-scam/article/740054/

Data from soldiers' fitness trackers reveal sensitive locations, routines - A heatmap of two years' worth of fitness tracker Strava's global data, released last November but discovered more recently by an Australian student, inadvertently revealed the location of U.S. military facilities in war zones. https://www.scmagazine.com/data-from-soldiers-fitness-trackers-reveal-sensitive-locations-routines/article/740245/

More than 2,000 WordPress websites are infected with a keylogger - Malicious script logs passwords and just about anything else admins or visitors type. More than 2,000 websites running the open source WordPress content management system are infected with malware, researchers warned late last week. The malware in question logs passwords and just about anything else an administrator or visitor types. https://arstechnica.com/information-technology/2018/01/more-than-2000-wordpress-websites-are-infected-with-a-keylogger/

Charlotte Housing Authority hit with W-2 tax breach - The Charlotte, N.C., Housing Authority was hit with one of the tax season's earlier W-2 breaches, which was identified 10-days before the Federal Trade Commission's Tax Identity Theft Awareness Week kicked off. https://www.scmagazine.com/charlotte-housing-authority-hit-with-w-2-tax-breach/article/740570/

Security experts play script doctor, as Grey's Anatomy resolves hospital hacker plot - Previously on Grey's Anatomy… Grey Sloan Memorial Hospital's network was taken over by a hacker who demanded millions in Bitcoin, in what was essentially a ransomware attack. https://www.scmagazine.com/security-experts-play-script-doctor-as-greys-anatomy-resolves-hospital-hacker-plot/article/740694/

Spartanburg, S.C., library system hit with ransomware attack - The Spartanburg, S.C., Public Library system was shut down earlier this week after it was hit with a ransomware attack. https://www.scmagazine.com/spartanburg-sc-library-system-hit-with-ransomware-attack/article/740721/

Return to the top of the newsletter

WEB SITE COMPLIANCE - \Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Monitor Contract Compliance and Revision Needs

• Review invoices to assure proper charges for services rendered, the appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance relative to service level agreements, determine whether other contractual terms and conditions are being met, and whether any revisions to service level expectations or other terms are needed given changes in the institution’s needs and technological developments.
• Maintain documents and records regarding contract compliance, revision and dispute resolution.

Maintain Business Resumption Contingency Plans

• Review the service provider’s business resumption contingency plans to ensure that any services considered mission critical for the institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan testing. For many critical services, annual or more frequent tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for mission critical services and applications.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
  
  Logical Access Controls 
  
  A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 
  
  The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 
  
  Security Flaws and Bugs / Active Content Languages 
  
  Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 
  
  Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.  
  
  Viruses / Malicious Programs 
  
  Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

14.5.6 Transmittal

Media control may be transferred both within the organization and to outside elements. Possibilities for securing such transmittal include sealed and marked envelopes, authorized messenger or courier, or U.S. certified or registered mail.

14.5.7 Disposition

When media is disposed of, it may be important to ensure that information is not improperly disclosed. This applies both to media that is external to a computer system (such as a diskette) and to media inside a computer system, such as a hard disk. The process of removing information from media is called sanitization.

Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting is an effective method for clearing data from magnetic media. As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete command is used). Overwriting requires that the media be in working order. Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong permanent magnets and electric degaussers. The final method of sanitization is destruction of the media by shredding or burning.

Many people throw away old diskettes, believing that erasing the files on the diskette has made the data un-retrievable. In reality, however, erasing a file simply removes the pointer to that file. The pointer tells the computer where the file is physically stored. Without this pointer, the files will not appear on a directory listing. This does not mean that the file was removed. Commonly available utility programs can often retrieve information that is presumed deleted.