FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for your bank in Texas, New Mexico, Colorado, and Oklahoma.
Please drop Kinney Williams an email at
examiner@yennik.com from
your domain and I will email you information and fees.
FYI - Over 2000 UK Government Devices Go Missing in a Year - Over 2000
mobile devices used by UK government employees have gone missing in
the space of a year, with a significant number unencrypted,
according to new Freedom of Information (FOI) data.
https://www.infosecurity-magazine.com/news/2000-uk-government-devices-missing/
Ransomware Wreaks Havoc Across Europe - Security experts have this
week warned Italian and Swiss businesses to be on their guard as
ongoing ransomware campaigns continue to target vulnerable systems.
https://www.infosecurity-magazine.com/news/ransomware-wreaks-havoc-across/
Protect your data assets – Building a secure NAS from the ground up
- How long could your enterprise operate without access to vital
data assets and customer information? Odds are, not very long.
https://www.scmagazine.com/home/opinion/executive-insight/protect-your-data-assets-building-a-dscure-nas-from-the-ground-up/
Security perimeters in the cloud aren’t dead—They’re ephemeral - It
goes without saying that companies migrating IT systems and
operations to the cloud face a growing number of challenges related
to security.
https://www.scmagazine.com/home/opinion/executive-insight/security-perimeters-in-the-cloud-arent-dead-theyre-ephemeral/
Chevrolet Silverado Thieves Disable OnStar Tracking - As
countermeasures to prevent vehicle theft become more and more advanced, car
thieves are responding with high-tech tools of their own. That much
is evidenced by a recent string of stolen Chevrolet Silverado
pickups, all of which had OnStar anti-theft countermeasures
disabled almost immediately.
https://gmauthority.com/blog/2020/02/chevrolet-silverado-thieves-disable-onstar-tracking/
FBI recommends passphrases over password complexity - Longer
passwords, even consisting of simpler words or constructs, are
better than short passwords with special characters. For more than a
decade now, security experts have had discussions about what's the
best way of choosing passwords for online accounts.
https://www.zdnet.com/article/fbi-recommends-passphrases-over-password-complexity/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - MGM admits to 2019 data breach affecting 10.6 million customers -
MGM Resorts has confirmed there was unauthorized access to one of
the company’s cloud servers in 2019 that contained information on a
reported 10.6 million guests, possibly including several
high-profile guests.
https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/
https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
US natural gas operator shuts down for 2 days after being infected
by ransomware - Infection spread to site's OT network that monitors
and controls physical processes. A US-based natural gas facility
shut down operations for two days after sustaining a ransomware
infection that prevented personnel from receiving crucial real-time
operational data from control and communication equipment, the
Department of Homeland Security said on Tuesday.
https://www.scmagazine.com/home/opinion/executive-insight/protect-your-data-assets-building-a-dscure-nas-from-the-ground-up/
Hackers Were Inside Citrix for Five Months - Networking software
giant Citrix Systems says malicious hackers were inside its networks
for five months between 2018 and 2019, making off with personal and
financial data on company employees, contractors, interns, job
candidates and their dependents. The disclosure comes almost a year
after Citrix acknowledged that digital intruders had broken in by
probing its employee accounts for weak passwords.
https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/
DISA breach likely exposed personal data on at least 200K - The
breach at one of the networks of the Defense Information Systems
Agency (DISA), which secures communications for President Trump and
military intelligence and other government officials, affected as
many as 200,000 people, exposing their personal information,
including Social Security numbers.
https://www.scmagazine.com/home/security-news/disa-breach-likely-exposed-personal-data-on-at-least-200k/
Campaign staffer’s husband arrested for DDoSing former Rep. Katie
Hill’s opponent - The husband of a campaign staffer for former Rep.
Katie Hill, D-CA., was arrested by the FBI for allegedly launching
four DDoS attacks against the former congresswoman’s primary
opponent.
https://www.scmagazine.com/home/security-news/cyberattack/campaign-staffers-husband-arrested-for-ddosing-former-rep-katie-hills-opponent/
360,000 Quebec teachers' PII possibly compromised - The PII of at
least 51,400, and possibly as many as 360,000, educators in Quebec
Province was exposed when a malicious actor obtained login
credentials to the Ministère de l’Éducation et de l’Enseignement
supérieur network.
https://www.scmagazine.com/home/security-news/data-breach/360000-quebec-teachers-pii-possibly-compromised/
ISS World hack leaves thousands of employees offline - A
cyber-attack has hit the major facilities company ISS World, which
has half a million employees worldwide.
https://www.bbc.com/news/technology-51572575
NRC Health recovering from ransomware attack - NRC Health was hit
with a ransomware attack Feb. 11 and is still working to restore its
systems and services. The company, which works with 75% of the 200
largest U.S. hospital chains, administers patient survey tools to
hospitals.
https://www.fiercehealthcare.com/tech/vendor-nrc-health-working-to-restore-it-systems-after-ransomware-attack
Toll Faces Customer Fallout After Cyberattack - Toll Group, the
Australian freight delivery service provider, is struggling to
restore its services completely after being hit by the recent
“Mailto” ransomware attack on its infrastructure.
https://www.cisomag.com/toll-faces-customer-fallout-after-cyberattack/
Samsung cops to data leak after unsolicited '1/1' Find my Mobile
push notification - Samsung has admitted that what it calls a "small
number" of users could indeed read other people's personal data
following last week's unexplained Find my Mobile notification.
https://www.theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/
Clearview AI client list breached - The facial recognition company
Clearview AI is informing customers that a hacker stole its entire
client list. Clearview AI gained unwanted notoriety earlier this
year when it was disclosed that the company was obtaining billions
of photos by scraping the for use by law enforcement agencies.
https://www.scmagazine.com/home/security-news/data-breach/clearview-ai-client-list-breached/
Munson Healthcare data breach exposes PHI - The northern Michigan-based
Munson Healthcare group reported that several employee email
accounts were hacked and accessed for two and a half months
last year, exposing PHI.
https://www.scmagazine.com/home/security-news/data-breach/munson-healthcare-data-breach-exposes-phi/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 3 of 4)
Due Diligence in Selecting a Service Provider
Once the institution has completed the risk assessment,
management should evaluate service providers to determine their
ability, both operationally and financially, to meet the
institution’s needs. Management should convey the institution’s
needs, objectives, and necessary controls to the potential service
provider. Management also should discuss provisions that the
contract should contain. The appendix to this statement contains
some specific factors for management to consider in selecting a
service provider.
Contract Issues
Contracts between the institution and service provider should
take into account business requirements and key risk factors
identified during the risk assessment and due diligence phases.
Contracts should be clearly written and sufficiently detailed to
provide assurances for performance, reliability, security,
confidentiality, and reporting. Management should consider whether
the contract is flexible enough to allow for changes in technology
and the financial institution's operations. Appropriate legal counsel should
review contracts prior to signing.
Institutions may encounter situations where service providers
cannot or will not agree to terms that the institution requests to
manage the risk effectively. Under these circumstances, institutions
should either not contract with that provider or supplement the
service provider’s commitments with additional risk mitigation
controls. The appendix to this statement contains some specific
considerations for management in contracting with a service
provider.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Operational Anomalies
Operational anomalies may be evidence of a broad number of
issues, one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories: those
apparent in system processing, and those apparent outside the
system.
System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and setting the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic (protocols, quantity, and destinations). One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
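The two system-processing examples the booklet gives (remote access logons at unusual times, and CPU utilization far above what the scheduled jobs need) can be turned into a scripted daily review. The script below is an added illustration, not part of the FFIEC booklet or this newsletter; the log format, field names, business-hours window, baseline and tolerance are all assumptions chosen for the example, and the log lines and CPU samples are constructed. What it flags is an indicator for a human reviewer, not proof of an intrusion, which is the booklet's own caveat.

```python
"""Added example: daily review of a remote access log for logons outside
business hours, plus a CPU-utilization check against the baseline
expected for scheduled jobs. Formats and thresholds are assumptions."""
from datetime import datetime, time

# Constructed sample log, one entry per line: "timestamp user source_ip result".
SAMPLE_REMOTE_ACCESS_LOG = """\
2020-02-24T08:15:02 jsmith 203.0.113.5 success
2020-02-24T12:47:19 agarcia 203.0.113.7 success
2020-02-24T02:03:44 jsmith 198.51.100.9 success
2020-02-24T23:58:10 mlee 203.0.113.5 failure
this line is malformed and is skipped
2020-02-25T03:12:51 mlee 198.51.100.9 success
"""

# Assumed "usual" window; the institution defines what counts as unusual.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed CPU samples (timestamp, percent) taken every 15 minutes during
# a batch window where the scheduled jobs normally use about 35%.
SAMPLE_CPU = [("2020-02-24T01:00", 34), ("2020-02-24T01:15", 38),
              ("2020-02-24T01:30", 97), ("2020-02-24T01:45", 99)]


def parse_remote_access_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        stamp, user, source, result = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        entries.append({"time": when, "user": user,
                        "source": source, "result": result})
    return entries


def unusual_hour_logons(entries, start=BUSINESS_START, end=BUSINESS_END):
    """Return successful remote logons whose time of day falls outside [start, end].
    Failed attempts are left to a separate failed-logon review."""
    return [e for e in entries
            if e["result"] == "success" and not (start <= e["time"].time() <= end)]


def cpu_anomalies(samples, baseline_pct, tolerance_pct=20):
    """Flag samples whose utilization exceeds the scheduled-job baseline by more
    than tolerance_pct percentage points."""
    return [(stamp, pct) for stamp, pct in samples
            if pct > baseline_pct + tolerance_pct]


def daily_review():
    """Produce the day's indicator list for an analyst to examine."""
    entries = parse_remote_access_log(SAMPLE_REMOTE_ACCESS_LOG)
    return {
        "unusual_logons": [(e["user"], e["time"].isoformat())
                           for e in unusual_hour_logons(entries)],
        "cpu_spikes": cpu_anomalies(SAMPLE_CPU, baseline_pct=35),
    }


if __name__ == "__main__":
    for indicator, hits in daily_review().items():
        print(indicator, hits)
```

In practice the baseline and the business-hours window would come from the institution's own monitoring plan (the "pre-established" data streams and definitions the booklet calls for), and the output would feed the central reporting described later in this section rather than a console.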
Outside the system, detection is typically based on system
output, such as unusual Automated Clearing House transactions or
bill payment transactions. Those unusual transactions may be flagged
as a part of ordinary transaction reviews, or customers and other
system users may report them. Customers and other users should be
advised as to where and how to report anomalies. The anomalous
output, however, may not signal an intrusion.
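Detection "outside the system" rests on reviewing system output such as ACH or bill payment transactions against what is ordinary for each customer. The following is an added example (not code from the FFIEC booklet or this newsletter) of such an ordinary transaction review: each new transaction is compared with the account's constructed history, and a transaction is flagged when its amount is far above the account's typical amount, when it goes to a payee the account has never paid before, or when the account has no history at all. The multiples and thresholds are assumptions for the illustration, and as the booklet notes, a flagged item is an anomaly to investigate, not an intrusion.

```python
"""Added example: flag unusual ACH / bill payment transactions relative to
each account's own history. History, batch and thresholds are constructed
assumptions for illustration."""
from statistics import median

# Constructed prior history per account: list of (payee, amount).
HISTORY = {
    "A100": [("Utility Co", 120.00), ("Landlord LLC", 950.00),
             ("Utility Co", 118.50), ("Landlord LLC", 950.00)],
    "A200": [("Payroll Inc", 2400.00), ("Payroll Inc", 2400.00),
             ("Payroll Inc", 2410.00)],
}

# Constructed batch of new transactions awaiting review.
NEW_BATCH = [
    {"id": "T1", "account": "A100", "payee": "Utility Co", "amount": 121.00},
    {"id": "T2", "account": "A100", "payee": "QuickCash Ltd", "amount": 4800.00},
    {"id": "T3", "account": "A200", "payee": "Payroll Inc", "amount": 2405.00},
    {"id": "T4", "account": "A300", "payee": "Anything Co", "amount": 50.00},
]


def review_transactions(batch, history, amount_multiple=3.0, new_payee_min=500.0):
    """Return [(transaction id, [reasons])] for transactions that look unusual
    against the account's history. Thresholds are assumptions."""
    flagged = []
    for tx in batch:
        past = history.get(tx["account"], [])
        reasons = []
        if not past:
            # No baseline exists, so the reviewer must judge it by hand.
            reasons.append("no transaction history for account")
        else:
            typical = median(amount for _, amount in past)
            known_payees = {payee for payee, _ in past}
            if tx["amount"] > amount_multiple * typical:
                reasons.append(
                    f"amount {tx['amount']:.2f} exceeds "
                    f"{amount_multiple:g}x typical {typical:.2f}")
            if tx["payee"] not in known_payees and tx["amount"] >= new_payee_min:
                reasons.append(
                    f"new payee '{tx['payee']}' at or above {new_payee_min:.2f}")
        if reasons:
            flagged.append((tx["id"], reasons))
    return flagged


def flagged_ids(batch=NEW_BATCH, history=HISTORY):
    """Convenience view: just the ids a reviewer needs to look at."""
    return [tx_id for tx_id, _ in review_transactions(batch, history)]


if __name__ == "__main__":
    for tx_id, reasons in review_transactions(NEW_BATCH, HISTORY):
        print(tx_id, "->", "; ".join(reasons))
```

Reports from customers and other users (the second source the booklet names) would enter the same review queue; the point of the script is only to make the "ordinary transaction review" repeatable so that the unusual items surface consistently.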
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.9 Threats to Personal Privacy
The accumulation of vast amounts of electronic information about
individuals by governments, credit bureaus, and private companies,
combined with the ability of computers to monitor, process, and
aggregate large amounts of information about individuals have
created a threat to individual privacy. The possibility that all of
this information and technology may be able to be linked together
has arisen as a specter of the modern information age. This is often
referred to as "Big Brother." To guard against such intrusion,
Congress has enacted legislation, over the years, such as the
Privacy Act of 1974 and the Computer Matching and Privacy Protection
Act of 1988, which defines the boundaries of the legitimate uses of
personal information collected by the government.
The threat to personal privacy arises from many sources. In
several cases federal and state employees have sold personal
information to private investigators or other "information brokers."
One such case was uncovered in 1992 when the Justice Department
announced the arrest of over two dozen individuals engaged in buying
and selling information from Social Security Administration (SSA)
computer files.[42] During the investigation, auditors learned that
SSA employees had unrestricted access to over 130 million employment
records. Another investigation found that 5 percent of the employees
in one region of the IRS had browsed through tax records of friends,
relatives, and celebrities. Some of the employees used the
information to create fraudulent tax refunds, but many were acting
simply out of curiosity.
As more of these cases come to light, many individuals are
becoming increasingly concerned about threats to their personal
privacy. A July 1993 special report in MacWorld cited polling data
taken by Louis Harris and Associates showing that in 1970 only 33
percent of respondents were concerned about personal privacy. By
1990, that number had jumped to 79 percent.
While the magnitude and cost to society of the personal privacy
threat are difficult to gauge, it is apparent that information
technology is becoming powerful enough to warrant fears of both
government and corporate "Big Brothers." Increased awareness of the
problem is needed.