FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

Password manager flaws can expose data on compromised devices, report says - Flaws in top password managers can expose the very data they are supposed to protect, a study by researchers. https://www.scmagazine.com/home/security-news/password-manager-flaws-can-expose-data-on-compromised-devices-report-says/

The role of the CISO during a cyber crisis - The role of a chief information security officer (CISO) can never be miscategorized as low-stress. https://www.scmagazine.com/home/opinion/the-role-of-the-ciso-during-a-cyber-crisis/

Wendy’s to pay $50M in data breach settlement - Wendy’s has agreed to pay $50 million to settle negligence claims following its 2015-2016 data breach that affected more than 1,000 of the burger chain’s locations. https://www.scmagazine.com/home/security-news/wendys-has-agreed-to-pay-50-million-to-settle-negligence-claims-following-its-2015-2016-data-breach-that-affected-more-than-1000-of-the-burger-chains-locations/

White House Orders Agencies to Defend the Skies From Cyberattacks - In its National Strategy for Aviation Security, the Trump administration called on the government to be more proactive in spotting threats to U.S. airspace. https://www.nextgov.com/cybersecurity/2019/02/white-house-orders-agencies-defend-skies-cyberattacks/155018/

Computers vulnerable to attack through USB ports, report - University of Cambridge and Rice University researchers have created a platform that allows cyberattacks to be conducted through a variety of computer peripherals through their USB-C port. https://www.scmagazine.com/home/security-news/vulnerabilities/computers-vulnerable-to-attack-through-usb-ports-report/

UK consumers more likely to abandon a breached company - Yanks and Brits may both have a soft spot in their hearts for beer and sports, but when it comes to trusting a company that has suffered a data breach, these two groups of people have quite different opinions. https://www.scmagazine.com/home/security-news/data-breach/uk-consumers-more-likely-to-abandon-a-breached-company/

ODNI, OPM planning series of sweeping updates to federal personnel vetting system - The Trump administration is planning to roll out a series of sweeping changes to suitability, credentialing and security clearance procedures that officials say will bring more speed and efficiency to a process that’s been stuck in the past for decades. https://federalnewsnetwork.com/workforce/2019/02/odni-opm-planning-series-of-sweeping-updates-to-federal-personnel-vetting-system/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 42,000 patients data compromised AdventHealth Medical Group data breach - AdventHealth Medical Group Pulmonary and Sleep Medicine officials are warning up to 42,000 of their patients of a 16-month-long data breach at the facility that exposed their personal and health information. https://www.scmagazine.com/home/security-news/data-breach/42000-patients-data-compromised-adventhealth-medical-group-data-breach/

Tampa mayor’s Twitter hacked, used to send bomb and ballistic missile threats - A hacker took over the Twitter account of Tampa Mayor Bob Buckhorn and sent out a fake ballistic missile warning and a bomb threat from the compromised account. https://www.scmagazine.com/home/security-news/a-hacker-took-over-the-twitter-account-of-tampa-fl-mayor-bob-buckhorn-and-sent-out-a-fake-ballistic-missile-warning-and-a-bomb-threat-from-the-compromised-account/

Misconfigured database exposes 974,000 University of Washington Medicine patients - Almost one million University of Washington (UW) Medicine personal health information files were exposed for most of December 2018 due to a misconfigured database. https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/

Undisclosed number of TurboTax accounts breached - Intuit, the company behind tax preparation software TurboTax, said users’ accounts may have been accessed by an unauthorized party. https://www.scmagazine.com/home/security-news/intuit-the-company-behind-tax-preparation-software-turbotax-alerted-users-their-accounts-may-have-been-accessed-by-an-unauthorized-party/

SEDC stored millions of utility customers’ passwords in plaintext - An anonymous independent researcher found millions of utility customers’ passwords had previously been stored in plaintext. https://www.scmagazine.com/home/security-news/an-anonymous-independent-researcher-found-millions-of-utility-customers-passwords-had-previously-been-stored-in-plaintext/
Payroll Provider Gives Extortionists a Payday

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Risk management challenges
  
  The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:
  
  1.   The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.
  
  2.   Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.
  
  3.  E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.
  
  4)  The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  
  Network Configuration
  
  Computer networks often extend connectivity far beyond the financial institution and its data center. Networks provide system access and connectivity between business units, affiliates, TSPs, business partners, customers, and the public. This increased connectivity requires additional controls to segregate and restrict access between various groups and information users.
  
  A typical approach to securing a large network involves dividing the network into logical security domains. A logical security domain is a distinct part of a network with security policies that differ from other domains. The differences may be far broader than network controls, encompassing personnel, host, and other issues.
  
  Typical network controls that distinguish security domains include access control software permissions, dedicated lines, filtering routers, firewalls, remote-access servers, and virtual private networks. This booklet will discuss additional access controls within the applications and operating systems residing on the network in other sections. Before selecting the appropriate controls, financial institutions should map and configure the network to identify and control all access control points. Network configuration considerations could include the following actions:
  
  ! Identifying the various applications and user-groups accessed via the network;
  
  ! Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial - up access, extranets, Internet);
  
  ! Mapping the internal and external connectivity between various network segments;
  
  ! Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy); and
  
  ! Determining the most appropriate network configuration to ensure adequate security and performance.
  
  With a clear understanding of network connectivity, the financial institution can avoid introducing security vulnerabilities by minimizing access to less - trusted domains and employing encryption for less secure connections. Institutions can then determine the most effective deployment of protocols, filtering routers, firewalls, gateways, proxy servers, and/or physical isolation to restrict access. Some applications and business processes may require complete segregation from the corporate network (e.g., no connectivity between corporate network and wire transfer system). Others may restrict access by placing the services that must be accessed by each zone in their own security domain, commonly called a "demilitarized zone" (DMZ).

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.2.3 Electronic Signatures

Today's computer systems store and process increasing numbers of paper-

based documents in electronic form. Having documents in electronic form permits rapid processing and transmission and improves overall efficiency. However, approval of a paper document has traditionally been indicated by a written signature. What is needed, therefore, is the electronic equivalent of a written signature that can be recognized as having the same legal status as a written signature. In addition to the integrity protections, discussed above, cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures can use either secret key or public key cryptography; however, public key methods are generally easier to use.

Cryptographic signatures provide extremely strong proof that a message has not been altered and was signed by a specific key.¹³⁷ However, there are other mechanisms besides cryptographic-based electronic signatures that perform a similar function. These mechanisms provide some assurance of the origin of a message, some verification of the message's integrity, or both.

• Examination of the transmission path of a message. When messages are sent across a network, such as the Internet, the message source and the physical path of the message are recorded as a part of the message. These can be examined electronically or manually to help ascertain the origin of a message.
  
• Use of a value-added network provider. If two or more parties are communicating via a third party network, the network provider may be able to provide assurance that messages originate from a given source and have not been modified.
  
• Acknowledgment statements. The recipient of an electronic message may confirm the message's origin and contents by sending back an acknowledgment statement.