FFIEC information technology audits -
As a former bank examiner with over 40 years of IT audit experience,
I will bring an examiner's perspective to the FFIEC information
technology audit for your bank in Texas, New Mexico, Colorado, and
Oklahoma. Please drop Kinney Williams an email at examiner@yennik.com
from your domain and I will email you information and fees.
FYI - Czech authorities investigating Avast over recent data collection
practices - The Czech Republic’s Office for Personal Data Protection
(DPA) said in a brief statement today that it has launched a
preliminary investigation into Avast Software s.r.o., following
reports that the Prague-based antivirus company collected data from
users of its free AV product and sold it via a separate business
division.
https://www.scmagazine.com/home/security-news/czech-authorities-investigating-avast-over-recent-data-collection-practices/
House lawmakers fear Census IT ‘debacle’ similar to Iowa caucus
fiasco - Exactly a month out from when the Census Bureau will roll
out its internet self-response platform for the 2020 population
count, the Government Accountability Office has flagged significant
IT challenges, “including those related to addressing cybersecurity
weaknesses in a timely manner.”
https://federalnewsnetwork.com/cybersecurity/2020/02/house-members-fear-census-it-tech-debacle-similar-to-iowa-caucus-rollout/
When Your Used Car is a Little Too ‘Mobile’ - Many modern vehicles
let owners use the Internet or a mobile device to control the car’s
locks, track location and performance data, and start the engine.
https://krebsonsecurity.com/2020/02/when-your-used-car-is-a-little-too-mobile/
Cyberinsurance: The value from an incident response lens -
Cyberinsurance is not new to the scene, and an increasing number of
organizations are accepting its critical role in safeguarding them
against costly cybersecurity incidents.
https://www.scmagazine.com/home/opinion/executive-insight/cyberinsurance-the-value-from-an-incident-response-lens/
CISA warns critical infrastructure sectors after successful
ransomware attack on pipeline operator - The Department of Homeland
Security CISA is warning critical infrastructure operators to
redouble their security efforts after a natural gas compression
facility was hit and shut down by a ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/cisa-issues-warns-critical-infrastructure-sectors-after-successful-ransomware-attack-on-pipeline-operator/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Texas attack: Garrison, Nacogdoches schools hit with ransomware -
A school district and a city in the same geographic area of Texas
were each hit with ransomware this week; the city of Garrison made a
quick recovery, but the Nacogdoches Independent School District
(NISD) is still struggling.
https://www.scmagazine.com/home/security-news/ransomware/texas-attack-garrison-nacogdoches-schools-hit-with-ransomware/
Florida county elections hit with ransomware before 2016 elections -
Florida has had its share of election incidents – in 2000 results of
the presidential election hung by a chad. But in 2016, weeks before
the heated presidential tussle, it seems, miscreants launched a
ransomware attack on the West Palm Beach County Supervisor of
Elections Office.
https://www.scmagazine.com/home/security-news/florida-county-elections-hit-with-ransomware-before-2016-elections/
Ransomware Actors Target Police Department in Miami, Demand
Millions in Ransom - The City of North Miami Beach was hit by a
ransomware attack as police officials detected the infection on
their department’s computer network earlier in the week.
https://cyware.com/news/ransomware-actors-targets-police-department-in-miami-demand-millions-in-ransom-e0c83e4a
Idaho Central Credit Union reports two breaches - Idaho Central
Credit Union has started informing some customers of two data
breaches that impacted the financial institution.
https://www.scmagazine.com/home/security-news/data-breach/idaho-central-credit-union-reports-two-breaches/
Email scam swindles $2.6M from Puerto Rican government corporation -
The Puerto Rico government fell for a phishing scam that bilked the
U.S. territory out of $2.6 million - an incident that sounds like a
possible business email compromise.
https://www.scmagazine.com/home/security-news/cybercrime/email-scam-swindles-2-6m-from-puerto-rican-government-corporation/
Rutter’s convenience stores suffer POS data breach - The
Pennsylvania and West Virginia convenience store chain Rutter’s was
subjected to a POS skimming attack for at least seven months
affecting card readers inside some stores and at gas pumps.
https://www.scmagazine.com/home/security-news/data-breach/rutters-convenience-stores-suffers-pos-data-breach/
Cyber-Attack Takes Down Redcar Council Services - A local authority
in the north-east of England appears to have suffered a major
ransomware attack, leaving online public services down for 135,000
locals, for over a week.
https://www.infosecurity-magazine.com/news/cyber-attack-takes-down-redcar/
Malware Attack Hits Boston Children’s Hospital Physician Group - A
physician group affiliated with Boston Children’s Hospital is
experiencing a system outage caused by malware; email hacks,
phishing, and database misconfiguration complete this week’s breach
roundup.
https://healthitsecurity.com/news/malware-attack-hits-boston-childrens-hospital-physician-group
Commerce Exposed Sensitive Data to Foreign Nationals - A U.S.
Department of Commerce Office of the Inspector General (OIG) report
found that Commerce exposed sensitive data to unvetted foreign
nationals through poor security program controls.
https://www.meritalk.com/articles/commerce-exposed-sensitive-data-to-foreign-nationals/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services (Part 2 of 4)
Risk Assessment
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management
practices are in place. As part of this responsibility, the board
and management should assess how the outsourcing arrangement will
support the institution’s objectives and strategic plans and how the
service provider’s relationship will be managed. Without an
effective risk assessment phase, outsourcing technology services may
be inconsistent with the institution’s strategic plans, too costly,
or introduce unforeseen risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise
when these functions are performed internally. Risks include threats
to security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In
addition, the nature of the service provided, such as bill payment,
funds transfer, or emerging electronic services, may result in
entities performing transactions on behalf of the institution, such
as collection or disbursement of funds, that can increase the levels
of credit, liquidity, transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic
reach, ease of access, and anonymity of the Internet require close
attention to maintaining secure systems, intrusion detection and
reporting systems, and customer authentication, verification, and
authorization. Institutions should also understand that the
potential risks introduced are a function of a system’s structure,
design and controls and not necessarily the volume of activity.
An outsourcing risk assessment should consider the following:
• Strategic goals, objectives, and business needs of the financial
institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial
institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service
providers and the costs and resources required to switch service
providers.
• Ongoing assessment of outsourcing arrangements to evaluate
consistency with strategic objectives and service provider
performance.
• Regulatory requirements and guidance for the business lines
affected and technologies used.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
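A minimal low-interaction honeypot of the low-risk kind the paragraph above describes, written here as an added example (it is not from the FFIEC booklet or this newsletter): its only capabilities are to send a canned banner, record the connection, and signal an out-of-band sink. The ports, banners and hostnames are constructed placeholders, and the peer's input is never parsed or acted on.

```python
import socket
from datetime import datetime, timezone

# Constructed fake services (port -> static banner). Hypothetical hostnames; no real
# service lives behind any of these, so any connection is suspicious by definition.
FAKE_BANNERS = {
    2121: b"220 ftp-legacy.internal FTP server ready\r\n",
    2323: b"\r\nlogin: ",
    8080: b"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=admin\r\n\r\n",
}
DEFAULT_BANNER = b"\r\n"

def banner_for(port):
    """Canned response for a fake port; attacker input is never parsed or executed."""
    return FAKE_BANNERS.get(port, DEFAULT_BANNER)

def record_hit(port, peer, data, ts=None):
    """Event for one connection: who, which fake port, when, and an escaped 64-byte preview."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return {"ts": ts, "peer": peer, "port": port, "preview": repr(data[:64])}

def alert_line(event):
    """One-line alert for an out-of-band sink (syslog/SIEM), not the honeypot's own disk."""
    return f"HONEYPOT_HIT ts={event['ts']} peer={event['peer']} port={event['port']} data={event['preview']}"

def serve(port, sink, bind="127.0.0.1", max_conns=None):
    """Accept on one fake port: send banner, read once, alert, close. No shell, no files."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        served = 0
        while max_conns is None or served < max_conns:
            conn, (peer, _) = srv.accept()
            with conn:
                conn.settimeout(3.0)
                conn.sendall(banner_for(port))
                try:
                    data = conn.recv(256)  # observe what the peer sends, nothing more
                except socket.timeout:
                    data = b""
            sink(alert_line(record_hit(port, peer, data)))  # raise the alert after closing
            served += 1

if __name__ == "__main__":
    serve(2121, print, max_conns=1)  # demo: one hit on the fake FTP port, alert to console
```

Because the listener never interprets what it receives and the alert goes to an external sink, a compromise of the honeypot host itself gains the attacker nothing beyond the banner, which is the rigorous-monitoring, minimal-capability posture the booklet rates as low risk.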
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 4.7 Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic
bombs, and other "uninvited" software. Sometimes mistakenly
associated only with personal computers, malicious code can attack
other platforms.
A 1993 study of viruses found that while the number of known
viruses is increasing exponentially, the number of virus incidents
is not. The study concluded that viruses are becoming more
prevalent, but only "gradually."
The rate of PC-DOS virus incidents in medium to large North
American businesses appears to be approximately 1 per 1,000 PCs per
quarter; the number of infected machines is perhaps 3 or 4 times
this figure if we assume that most such businesses are at least
weakly protected against viruses.
Actual costs attributed to the presence of malicious code have
resulted primarily from system outages and staff time involved in
repairing the systems. Nonetheless, these costs can be significant.
Malicious Software: A Few Key Terms
1) Virus: A code segment that replicates by attaching copies of
itself to existing executables. The new copy of the virus is
executed when a user executes the new host program. The virus may
include an additional "payload" that triggers when specific
conditions are met. For example, some viruses display a text string
on a particular date. There are many types of viruses, including
variants, overwriting, resident, stealth, and polymorphic.
2) Trojan Horse: A program that performs a desired task, but that
also includes unexpected (and undesirable) functions. Consider as an
example an editing program for a multi-user system. This program
could be modified to randomly delete one of the users' files each
time they perform a useful function (editing), but the deletions are
unexpected and definitely undesired!
3) Worm: A self-replicating program that is self-contained and
does not require a host program. The program creates a copy of
itself and causes it to execute; no user intervention is required.
Worms commonly use network services to propagate to other host
systems.
4.8 Foreign Government Espionage
In some instances, threats posed by foreign government intelligence
services may be present. In addition to possible economic espionage,
foreign intelligence services may target unclassified systems to
further their intelligence missions. Some unclassified information
that may be of interest includes travel plans of senior officials,
civil defense and emergency preparedness, manufacturing
technologies, satellite data, personnel and payroll data, and law
enforcement, investigative, and security files. Guidance should be
sought from the cognizant security office regarding such threats.