FFIEC information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for your bank in
Texas, New Mexico, Colorado, and Oklahoma.
Please drop Kinney Williams an email at
examiner@yennik.com from
your domain and I will email you information and fees.
FYI - CISOs burdened by unhealthy stress levels, survey study finds - In
a recent survey of 400 U.S.- and UK-based chief information security
officers, an overwhelming number, 88 percent, said they find
themselves under a moderate or high amount of job-related stress.
https://www.scmagazine.com/home/research/cisos-burdened-by-unhealthy-stress-levels-survey-study-finds/
FBI Warns of DDoS Attack on State Voter Registration Site - The US
Federal Bureau of Investigation (FBI) warned of a potential
Distributed Denial of Service (DDoS) attack that targeted a
state-level voter registration and information site in a Private
Industry Notification (PIN) released today.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-ddos-attack-on-state-voter-registration-site/
A tale of two ransomware attacks - Two schools, two ransomware
attacks and two different outcomes.
https://www.scmagazine.com/home/security-news/ransomware/a-tail-of-two-ransomware-attacks/
Spoiler alert: Attack simulation isn’t ethical hacking - Everything
you wanted to know about Breach and Attack Simulation (BAS) vs.
Automated Penetration Testing - Better prepared, Right!? Companies
are investing a significant amount of resources in building and
improving their cybersecurity posture.
https://www.scmagazine.com/home/opinion/executive-insight/spoiler-alert-attack-simulation-isnt-ethical-hacking/
U.S. indicts four Chinese military members over Equifax breach - The
U.S. Department of Justice has charged four members of the Chinese
People’s Liberation Army with nine criminal counts, accusing them of
orchestrating and carrying out the 2017 hack of credit reporting
agency Equifax.
https://www.scmagazine.com/home/security-news/legal-security-news/u-s-indicts-four-chinese-military-members-over-equifax-breach/
Metamorfo banking malware spreads around the world - A new variant
of the Metamorfo banking malware is on the loose, targeting a wider
range of financial institutions than the original version and tricking
victims into typing in sensitive information, which it then
steals.
https://www.scmagazine.com/home/security-news/malware/metamofo-banking-malware-spreads-around-the-world/
Forgotten motherboard driver turns out to be perfect for slipping
Windows ransomware past antivirus checks - Old Gigabyte code lets
file-scrambling RobbinHood go undetected - A kernel-level driver for
old PC motherboards has been abused by criminals to hijack Windows
computers, disable antivirus, and hold files to ransom.
https://www.theregister.co.uk/2020/02/11/forgotten_gigabte_driver_robbinhood/
Why you can’t bank on backups to fight ransomware anymore -
Ransomware operators stealing data before they encrypt means backups
are not enough. Not every ransomware attack is an unmitigated
disaster. But even the most prepared organizations, it seems, can
have small-scale disasters in the era of mass scans, spear phishes,
and targeted ransomware.
https://arstechnica.com/information-technology/2020/02/why-you-cant-bank-on-backups-to-fight-ransomware-anymore/
GAO - Weaknesses in Cybersecurity Management and Oversight Need to
Be Addressed.
https://www.gao.gov/products/GAO-20-199
Czech authorities investigating Avast over recent data collection
practices - The Czech Republic’s Office for Personal Data Protection
(DPA) said in a brief statement today that it has launched a
preliminary investigation into Avast Software s.r.o., following
reports that the Prague-based antivirus company collected data from
users of its free AV product and sold it via a separate business
division.
https://www.scmagazine.com/home/security-news/czech-authorities-investigating-avast-over-recent-data-collection-practices/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Health Share of Oregon discloses data breach, theft of member PII
- A break-in and stolen laptop are at the heart of the security
incident. A burglary and stolen laptop from GridWorks IC, a vendor
hired by Health Share of Oregon, has led to the exposure of Medicaid
member data.
https://www.zdnet.com/article/health-share-of-oregon-discloses-data-breach-theft-of-member-pii/
Bug hunter finds cryptocurrency-mining botnet on DOD network -
Monero-mining botnet infects one of the DOD's Jenkins servers. A
security researcher hunting for bug bounties discovered last month
that a cryptocurrency-mining botnet had found a home and burrowed
inside a web server operated by the US Department of Defense (DOD).
https://www.zdnet.com/article/bug-hunter-finds-cryptocurrency-mining-botnet-on-dod-network/
Malware Destroys Data of 30,000 Fondren Orthopedic Patients - A
malware incident damaged some Fondren Orthopedic medical records;
ransomware, business email compromise, an email gaffe, phishing, and
a payroll security incident complete this week’s breach roundup.
https://healthitsecurity.com/news/malware-destroys-data-of-30000-fondren-orthopedic-patients
Iranian internet attacked Saturday, knocked partially offline - An
extensive, several-hour-long interruption to Iran’s telecom
infrastructure and internet took place on February 8 and
was likely caused by a distributed denial of service (DDoS) attack.
https://www.scmagazine.com/home/security-news/government-and-defense/iranian-internet-attacked-saturday-knocked-partially-offline/
Metro county shuts down 9 servers after ransomware attack on water
department - A local county hit by a ransomware attack says it's
slowly getting back up to speed. Rockdale County said it is waiting on
a ransom demand connected to this latest attack.
https://www.wsbtv.com/news/local/rockdale-county/metro-county-shuts-down-9-servers-after-ransomware-attack-water-department/TJ54F4D5FVGMFIJGGO3MMVYIVY/
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 1 of 4)
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services. Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a broad
range of issues that financial institutions should address, each
financial institution should apply those elements based on the scope
and importance of the outsourced services as well as the risk to the
institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address. This
guidance covers four elements of a risk management process: risk
assessment, selection of
service providers, contract review, and monitoring of service
providers.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. Loadable kernel modules (LKMs), however, can defeat these
host-based IDS units: a malicious module running inside the kernel
can hide activity from the sensor or alter what it sees.
Host-based intrusion detection systems are recommended by the
NIST for all mission-critical systems, even those that should not
allow external access.
The heuristic, or behavior, method creates a statistical profile
of normal activity on the host or network. Boundaries for activity
are established based on that profile. When current activity exceeds
the boundaries, an alert is generated. Weaknesses in this system
involve the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in
false positives (alerts where no attack exists), and false negatives
(no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
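The following is an added illustration of the heuristic (behavior) method and its false-positive/false-negative trade-off described above; it is example code written for this newsletter, not part of the FFIEC booklet, and all event counts are constructed.

```python
"""Heuristic IDS profile: baseline mean/stddev plus an alert boundary.

Constructed data (hypothetical): hourly counts of failed logins on one
Internet banking server. The modeling period defines "normal"; the
evaluation period is then checked against the resulting boundary.
"""
from statistics import mean, pstdev

# Constructed modeling period: 24 hourly counts of failed logins.
BASELINE = [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3,
            5, 3, 2, 4, 3, 3, 4, 2, 3, 5, 3, 4]

# Constructed evaluation period: (count, is_attack) per hour.
# Hour 4 is a password-spraying burst (attack). Hour 7 is a legitimate
# surge after a password-policy change (activity valid now but absent
# from the modeling period). Hour 10 is a slow attack near normal volume.
EVAL = [(3, False), (4, False), (2, False), (40, True), (3, False),
        (5, False), (14, False), (3, False), (4, False), (7, True)]


def build_profile(counts):
    """Statistical profile of normal activity: (mean, population stddev)."""
    return mean(counts), pstdev(counts)


def boundary(profile, k):
    """Alert boundary: mean plus k standard deviations."""
    mu, sigma = profile
    return mu + k * sigma


def evaluate(profile, k, observations):
    """Return (false_positives, false_negatives, true_positives) at boundary k."""
    limit = boundary(profile, k)
    fp = fn = tp = 0
    for count, is_attack in observations:
        alert = count > limit
        if alert and not is_attack:
            fp += 1          # alert where no attack exists
        elif not alert and is_attack:
            fn += 1          # attack with no alert
        elif alert and is_attack:
            tp += 1
    return fp, fn, tp


if __name__ == "__main__":
    clean = build_profile(BASELINE)
    for k in (3, 6, 12):      # tuning k upward to silence false positives
        print(f"k={k:2d} limit={boundary(clean, k):5.1f} (fp, fn, tp)={evaluate(clean, k, EVAL)}")
    # Weakness: an attack during the modeling period inflates the profile.
    tainted = build_profile(BASELINE + [40])
    print("tainted baseline, k=3:", evaluate(tainted, 3, EVAL))
```

Raising k from 3 to 12 removes the false positive from the legitimate surge but turns the slow attack into a false negative, and a baseline contaminated by an attack misses it even at k=3.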
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.6 Industrial Espionage
Industrial espionage is the act of gathering proprietary data from
private companies or the government for the purpose of aiding
another company(ies). Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign
industrial espionage carried out by a government is often referred
to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Industrial espionage is on the rise. A 1992 study sponsored by the
American Society for Industrial Security (ASIS) found that
proprietary business information theft had increased 260 percent
since 1985. The data indicated 30 percent of the reported losses in
1991 and 1992 had foreign involvement. The study also found that 58
percent of thefts were perpetrated by current or former employees.
The three most damaging types of stolen information were pricing
information, manufacturing process information, and product
development and specification information. Other types of
information stolen included customer lists, basic research, sales
data, personnel data, compensation data, cost data, proposals, and
strategic plans.
Within the area of economic espionage, the Central Intelligence
Agency has stated that the main objective is obtaining information
related to technology, but that information on U.S. government
policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a
target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists
corporate proprietary information, such as negotiating positions and
other contracting data, as a target.