FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - I will be on vacation next week from Wednesday February 14 through Tuesday February 20. On my return Wednesday, February 21, we will be scheduling pen-tests, as well as FFIEC/ADA web site audits.
NIST deadline looms for agencies to improve digital authentication
standards - As a deadline for implementation draws near, the
National Institute of Standards and Technology is working with
agencies to ensure their legacy systems are keeping up with its
latest standards in identity management and authentication
solutions.
https://federalnewsradio.com/cybersecurity/2018/01/nist-deadline-looms-for-agencies-to-improve-digital-authentication-standards/
U.S. CERT posts cybersecurity suggestions for Pyeongchang Winter
Olympic attendees - With the torch lighting for the Winter Olympics
in Pyeongchang just over a week away U.S. CERT has issued
cybersecurity guidelines for those visiting the games, tips that can
also be used in any public environment.
https://www.scmagazine.com/us-cert-posts-cybersecurity-suggestions-for-pyeongchang-winter-olympic-attendees/article/741026/
Lack of encryption in cloud applications rendering enterprises
vulnerable - Enterprises are developing and using enterprise
applications on a large scale for various purposes, but a lack of
encryption, coupled with serious security flaws in such
applications, is also rendering enterprises vulnerable.
https://www.scmagazine.com/lack-of-encryption-in-cloud-applications-rendering-enterprises-vulnerable/article/741010/
Cloud-Based Security - This has been a strange and interesting
month. Our regular readers will note that we have the smallest crop
of products, probably ever. There is a reason for that. The field of
cloud-based security is small, new – emerging, really – and is
trying to define itself.
https://www.scmagazine.com/cloud-based-security/article/741430/
Gas station software flaws offer cheap gas, admin rights, and more -
A pair of researchers discovered vulnerabilities in an automated gas
station management system that allowed them to shut down fuel pumps,
steal credit card data and alter fuel prices.
https://www.scmagazine.com/gas-pump-vulnerabilities-in-widespread-software-grant-low-prices-and-credit-card-data/article/741764/
What Should Businesses Expect in 2018? Five Data Breach Predictions
for the New Year - It was virtually impossible to ignore the
high-profile attacks and data breaches that dominated headlines in
2017.
https://www.scmagazine.com/what-should-businesses-expect-in-2018-five-data-breach-predictions-for-the-new-year/article/734623/
Columbia University grad arrested for using key logger software - A
Columbia University grad student was arrested for leaving key logger
malware on USB sticks left throughout the campus.
https://www.scmagazine.com/columbia-university-grad-busted-for-hacking-school-computers/article/742124/
Massachusetts attorney general adds online data breach report portal
- Massachusetts is trying to make it easier for businesses and
organizations to report a data breach by setting up an online
portal.
https://www.scmagazine.com/massachusetts-attorney-general-adds-online-data-breach-report-portal/article/742269/
Defense, civilian contractors laying groundwork to implement NIST
information-sharing framework - It’s a long road ahead, but federal
agencies and contractors are laying the groundwork to implement the
National Institute of Standards and Technology’s latest framework
aimed at protecting federal information that’s shared on systems not
owned by the federal government.
https://federalnewsradio.com/cybersecurity/2018/02/defense-civilian-contractors-laying-groundwork-to-implement-nist-information-sharing-framework/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Stolen adult site login credentials help fuel dark web economy -
Cybercriminals have been using adult content as a lure to spread
malware and steal information since adult content hit the internet,
but recent research shows that access to legitimate sites is also
fueling a lucrative trade on the dark web.
https://www.scmagazine.com/kaspersky-research-highlights-cyber-threats-facing-users-of-adult-websites/article/741464/
Massive Smominru Cryptocurrency Botnet Rakes In Millions - Criminals
behind the cryptocurrency miner Smominru have raked in between $2.8
to $3.6 million since May. The payday is impressive, say researchers
at Proofpoint, who report that operators have amassed a formidable
botnet of infected servers pumping out 24 Monero daily, or the
equivalent of $8,500.
https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/
Phishing emails impersonate FBI's Internet Crime Complaint Center -
The FBI on Thursday issued a warning that scammers have been
crafting phishing emails that impersonate the agency's Internet
Crime Complaint Center (IC3), claiming recipients were recently
defrauded, and in some cases even offering restitution if the
individuals provide personal information.
https://www.scmagazine.com/phishing-emails-impersonate-fbis-internet-crime-complaint-center/article/741763/
Misconfigured Amazon Web Services bucket exposes 12,000 social media
influencers - Another misconfigured Amazon Web Services (AWS) S3
cloud storage bucket has been left insecure this time exposing the
sensitive data of 12,000 social media influencers, most of whom were
female.
https://www.scmagazine.com/the-bucket-was-left-exposed-by-the-paris-based-brand-marketing-company-octoly/article/742119/
Phishing scam exposes W-2 forms of Keokuk, Iowa employees and
officials - The small Iowan city of Keokuk has disclosed that a
cybercriminal used a phishing scam to fraudulently obtain an
electronic file containing the 2017 W-2 tax forms of current and
former employees and elected officials.
https://www.scmagazine.com/phishing-scam-exposes-w-2-forms-of-keokuk-iowa-employees-and-officials/article/742093/
DHS employee fumbled classified Super Bowl security documents - A
Department of Homeland Security staffer fumbled several classified
documents in December creating a physical data breach.
https://www.scmagazine.com/dhs-employee-fumbled-classified-super-bowl-security-documents/article/741920/
Final Fantasy network recovers after losing health points to DDoS
attack - The network hosting the role-playing video game Final
Fantasy XIV experienced significant disruptions for three hours
yesterday as the result of a distributed denial of service (DDoS)
attack.
https://www.scmagazine.com/final-fantasy-network-recovers-after-losing-health-points-to-ddos-attack/article/742432/
Business Wire under sustained DDoS attack, traffic slowed - A
persistent distributed denial of service (DDoS) attack over the past
week has prompted a slowdown on the Business Wire website, but
seemingly hasn't exposed client data, company Chief Operating
Officer (COO) Richard DeLeo told customers in a Tuesday alert.
https://www.scmagazine.com/business-wire-under-sustained-ddos-attack-traffic-slowed/article/742578/
Malicious Reddit 'twin' discovered - The internet now has two front
pages, but one is a fake created as a typosquatter to scam Reddit
fans or as phishing bait.
https://www.scmagazine.com/malicious-reddit-twin-discovered/article/742814/
WEB SITE COMPLIANCE - We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
- customer dissatisfaction with the quality of products or services obtained from a third party; and
- customer confusion as to whether certain regulatory protections apply to third-party products or services.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Utilization of the Internet presents numerous issues and risks
which must be addressed. While many aspects of system performance
will present additional challenges to the bank, some will be beyond
the bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.5.6 Transmittal
Media control may be transferred both within the organization and to
outside elements. Possibilities for securing such transmittal
include sealed and marked envelopes, authorized messenger or
courier, or U.S. certified or registered mail.
14.5.7 Disposition
When media is disposed of, it may be important to ensure that
information is not improperly disclosed. This applies both to media
that is external to a computer system (such as a diskette) and to
media inside a computer system, such as a hard disk. The process of
removing information from media is called sanitization.
Three techniques are commonly used for media sanitization:
overwriting, degaussing, and destruction. Overwriting is an
effective method for clearing data from magnetic media. As the name
implies, overwriting uses a program to write (1s, 0s, or a
combination) onto the media. Common practice is to overwrite the
media three times. Overwriting should not be confused with merely
deleting the pointer to a file (which typically happens when a
delete command is used). Overwriting requires that the media be in
working order. Degaussing is a method to magnetically erase data
from magnetic media. Two types of degausser exist: strong permanent
magnets and electric degaussers. The final method of sanitization is
destruction of the media by shredding or burning.
Many people throw away old diskettes, believing that erasing the
files on the diskette has made the data un-retrievable. In reality,
however, erasing a file simply removes the pointer to that file. The
pointer tells the computer where the file is physically stored.
Without this pointer, the files will not appear on a directory
listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve information that is
presumed deleted.
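As an added example (my own code, not from the NIST Handbook or this newsletter), the Python below shows the Handbook's distinction in working form. The first half is a constructed toy block store: "delete" only drops the directory pointer, and a raw-block scan of the kind an undelete utility performs still finds the data, while a three-pass overwrite followed by delete leaves nothing to find. The second half performs a real three-pass overwrite, with fsync after each pass, on a temporary file before unlinking it. The class, function and file names are assumptions, and all sample content is constructed.

```python
# Added example (not from the NIST Handbook or the newsletter): why a file
# delete leaves data recoverable while overwriting removes it.
import os
import tempfile

BLOCK_SIZE = 16
# Overwrite patterns, applied in turn; three passes is the "common practice"
# the Handbook mentions. The pattern choice is illustrative, not a standard.
PATTERNS = [b"\x00", b"\xff", b"\xaa"]


class ToyDisk:
    """Constructed model of a disk: raw blocks plus a directory that maps a
    file name to the block indexes holding it (the 'pointer' in the text)."""

    def __init__(self, num_blocks=8):
        self.blocks = [bytes(BLOCK_SIZE)] * num_blocks
        self.directory = {}            # file name -> [block index, ...]
        self.free = list(range(num_blocks))

    def write_file(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            i = self.free.pop(0)
            self.blocks[i] = chunk
            idxs.append(i)
        self.directory[name] = idxs

    def delete(self, name):
        """Ordinary delete: drop the pointer and free the blocks, nothing more.
        The bytes stay on the media until something else overwrites them."""
        self.free.extend(self.directory.pop(name))

    def sanitize(self, name, passes=3):
        """Overwrite every block of the file `passes` times, then delete it."""
        for i in self.directory[name]:
            for p in range(passes):
                self.blocks[i] = PATTERNS[p % len(PATTERNS)] * BLOCK_SIZE
        self.delete(name)

    def carve(self, needle):
        """What an undelete/forensic utility does: scan the raw blocks and
        ignore the directory entirely."""
        return needle in b"".join(self.blocks)


def toy_demo():
    """Returns (found_after_delete, found_after_sanitize)."""
    secret = b"ACCT 4111 SECRET BALANCE 12345"   # constructed sample data
    d1 = ToyDisk()
    d1.write_file("acct.txt", secret)
    d1.delete("acct.txt")
    found_after_delete = d1.carve(b"SECRET")     # True: pointer gone, bytes remain
    d2 = ToyDisk()
    d2.write_file("acct.txt", secret)
    d2.sanitize("acct.txt")
    found_after_sanitize = d2.carve(b"SECRET")   # False: blocks overwritten
    return found_after_delete, found_after_sanitize


def overwrite_and_unlink(path, passes=3):
    """Real file: overwrite in place `passes` times, fsync after each pass so
    the write reaches the device rather than only the page cache, then unlink.
    Returns the bytes read back after the final pass. Caveat: on flash media
    and journaling/copy-on-write filesystems this clears the logical file
    only; copies may survive elsewhere on the device."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            f.write(PATTERNS[p % len(PATTERNS)] * size)
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        last_pass = f.read()
    os.unlink(path)
    return last_pass


def real_file_demo():
    """Create a throwaway file, sanitize it, and report
    (final pass left only the last pattern, file still exists)."""
    fd, path = tempfile.mkstemp()
    sample = b"customer record 000-00-0000 (constructed sample)"
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    last_pass = overwrite_and_unlink(path)
    return last_pass == PATTERNS[-1] * len(sample), os.path.exists(path)


if __name__ == "__main__":
    print("toy disk (found after delete, found after sanitize):", toy_demo())
    print("real file (overwritten, still exists):", real_file_demo())
```

The toy model is the point of the Handbook paragraph made concrete: `carve` never consults the directory, so a plain `delete` changes nothing it can see. The real-file routine is the overwriting technique the Handbook describes and carries the caveat the Handbook's text predates: overwriting in place assumes the bytes land on the same physical location, which holds for the magnetic media the text has in mind but not for flash storage (wear levelling remaps writes, and degaussing does nothing to flash), so for those devices the Handbook's remaining options, destruction or a device-level sanitize, are the ones that apply.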