FFIEC information technology audits
As a former bank examiner with over 40 years of IT audit experience,
I will bring an examiner's perspective to the FFIEC information
technology audit for bankers in Texas, New Mexico, Colorado, and
Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Musical.ly's $5.7M FTC fine largest yet under COPPA - Musical.ly,
the social networking app now known as TikTok, illegally gathered
and used children's personal data, and must now pay a $5.7 million
fine for violating the Children's Online Privacy Protection Act
(COPPA), the Federal Trade Commission (FTC) said Wednesday.
https://www.scmagazine.com/home/security-news/musical-lys-5-7m-ftc-fine-largest-yet-under-coppa/
Why the cyber fast track is stalled at DOD - The Pentagon is having
trouble bringing on cyber workers through the Cyber Excepted
Service, thanks to too few personnel and a backlogged and
complicated security clearance process.
https://fcw.com/articles/2019/02/26/dod-it-oversight-williams.aspx
TSA's pipeline security team has five employees - The Transportation
Security Administration division responsible for securing the
nation's 2.7 million miles of pipeline currently has just five
dedicated full-time employees, none with cybersecurity expertise,
according to a TSA official.
https://fcw.com/articles/2019/02/26/tsa-pipeline-hearing-johnson.aspx
United Airlines CISO: To soar, security teams must focus on
business, not technology - Many corporate IT security organizations
are starting to realign their strategies by taking less of a
technology-focused approach and instead prioritizing what's most
important from a global business perspective according to Emily
Heath, VP and CISO at United Airlines.
https://www.scmagazine.com/home/security-news/united-airlines-ciso-to-soar-security-teams-must-focus-on-business-not-technology/
Sonic hit by $5 million suit over 2017 data breach - The drive-in
fast food chain Sonic is being sued by the American Airlines Federal
Credit Union for $5 million in an attempt to recoup money the credit
union lost due to Sonic's data breach in 2017.
https://www.scmagazine.com/home/security-news/data-breach/sonic-hit-5-million-suite-over-2017-data-breach/
Vendor risk management - The SC Labs team this month took a deep
dive into vendor risk management (VRM) solutions. According to
Gartner, VRM is the process of ensuring that service providers and
IT suppliers don't create an unacceptable potential for business
disruption or negative impact on business performance.
https://www.scmagazine.com/home/reviews/vendor-risk-management/
More than 1,500 feds applied for first Cyber Reskilling Academy
cohort - More than 1,500 federal employees applied to be part of the
first cohort of the Federal Cyber Reskilling Academy, a three-month
training program that will offer cybersecurity and technology
education to federal employees not currently working in IT
assignments.
https://www.fedscoop.com/cyber-reskilling-academy-1500-applicants/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Dow Jones database holding 2.4 million records of politically
exposed persons - A cybersecurity researcher found the Dow Jones
Watchlist residing in an open Elasticsearch database containing 2.4
million records of politicians, criminals and national and
international sanction lists.
https://www.scmagazine.com/home/security-news/data-breach/dow-jones-database-holding-2-4-million-records-of-politically-exposed-persons/
Rush University Medical Center data breach, 45,000 patients affected
- About 45,000 Rush University Medical Center patients had their
data exposed when a third-party employee mistakenly exposed a file
containing the data to an unauthorized individual.
https://www.scmagazine.com/home/security-news/data-breach/rush-university-medical-center-data-breach-45000-patients-affected/
More healthcare facilities affected by Wolverine Solutions Group
data breach come forward - Hundreds of healthcare facilities and more
than one million patients had their information compromised when
their shared third-party vendor Wolverine Solutions Group (WSG)
suffered a ransomware attack in September 2018.
https://www.scmagazine.com/home/security-news/data-breach/more-healthcare-facilities-affected-by-wolverine-solutions-group-data-breach-come-forward/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG),
the Committee concluded that, while traditional banking risk
management principles are applicable to e-banking activities, the
complex characteristics of the Internet delivery channel dictate
that the application of these principles must be tailored to fit
many online banking activities and their attendant risk management
challenges. To this end, the Committee believes that it is incumbent
upon the Boards of Directors and banks' senior management to take
steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and
processes to cover their current or planned e-banking activities.
Further, as the Committee believes that banks should adopt an
integrated risk management approach for all banking activities, it
is critical that the risk management oversight afforded e-banking
activities becomes an integral part of the banking institution's
overall risk management framework.
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
services.
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
regulations.
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
attack networks.
The primary TCP/IP protocols are the Internet protocol (IP) and
the transmission control protocol (TCP). IP is used to route
messages between devices on a network, and operates at the Internet
layer. TCP operates at the host-to-host layer, and provides a
connection-oriented, full-duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP), is also
used at the host-to-host layer. Unlike TCP, UDP is not
connection-oriented, which makes it faster and a better protocol for
supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
host.
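To make the TCP/UDP distinction above concrete, here is an added example, written for this newsletter and not taken from the FFIEC booklet, of a small stateful packet filter in Go. The Packet and Filter types, the rules and the sample addresses are all constructed for illustration: outbound TCP connection attempts are recorded so that their inbound replies can be matched, inbound TCP connection attempts are admitted only to ports that are deliberately exposed, and inbound UDP, which carries no handshake state a firewall could match against, is admitted only from an explicit list of trusted hosts, which is the additional control the booklet describes.

```go
package main

import "fmt"

// Packet is a constructed, simplified view of the header fields a filter
// inspects: Internet-layer addresses and host-to-host-layer protocol/ports.
type Packet struct {
    Proto   string // "tcp" or "udp"
    SrcIP   string
    SrcPort int
    DstIP   string
    DstPort int
    Inbound bool // true when the packet arrives from the untrusted network
    Syn     bool // TCP only: SYN without ACK, i.e. a new connection attempt
}

// Filter is a hypothetical stateful packet filter (an assumption of this
// example, not a real product). Outbound TCP connections are tracked so
// their replies can be matched; inbound UDP has no handshake to track, so
// it is admitted only from an explicit list of trusted hosts.
type Filter struct {
    AllowedTCPPorts map[int]bool    // inbound TCP services deliberately exposed
    TrustedUDPHosts map[string]bool // only sources allowed to send inbound UDP
    established     map[string]bool // TCP flows opened from the inside
}

func NewFilter(tcpPorts []int, udpHosts []string) *Filter {
    f := &Filter{
        AllowedTCPPorts: map[int]bool{},
        TrustedUDPHosts: map[string]bool{},
        established:     map[string]bool{},
    }
    for _, p := range tcpPorts {
        f.AllowedTCPPorts[p] = true
    }
    for _, h := range udpHosts {
        f.TrustedUDPHosts[h] = true
    }
    return f
}

// flowKey identifies a TCP flow by the remote endpoint and our local port.
func flowKey(remoteIP string, remotePort, localPort int) string {
    return fmt.Sprintf("%s:%d->%d", remoteIP, remotePort, localPort)
}

// Decide returns whether the packet is allowed and the rule that decided it.
func (f *Filter) Decide(p Packet) (bool, string) {
    if !p.Inbound {
        if p.Proto == "tcp" && p.Syn {
            // Remember the connection so the peer's replies can be matched.
            f.established[flowKey(p.DstIP, p.DstPort, p.SrcPort)] = true
        }
        return true, "outbound traffic permitted"
    }
    switch p.Proto {
    case "tcp":
        if !p.Syn {
            if f.established[flowKey(p.SrcIP, p.SrcPort, p.DstPort)] {
                return true, "reply on a connection opened from inside"
            }
            return false, "TCP segment with no tracked connection"
        }
        if f.AllowedTCPPorts[p.DstPort] {
            return true, "new connection to an exposed TCP service"
        }
        return false, "new connection to a port that is not exposed"
    case "udp":
        // No connection state exists for UDP, so only the source can be checked.
        if f.TrustedUDPHosts[p.SrcIP] {
            return true, "inbound UDP from a trusted host"
        }
        return false, "inbound UDP blocked: no connection state and untrusted source"
    }
    return false, "unknown protocol"
}

func main() {
    // Constructed sample traffic using RFC 5737 documentation addresses.
    f := NewFilter([]int{443}, []string{"192.0.2.53"})
    samples := []Packet{
        {Proto: "tcp", SrcIP: "10.0.0.5", SrcPort: 40000, DstIP: "198.51.100.1", DstPort: 80, Syn: true},
        {Proto: "tcp", SrcIP: "198.51.100.1", SrcPort: 80, DstIP: "10.0.0.5", DstPort: 40000, Inbound: true},
        {Proto: "tcp", SrcIP: "198.51.100.9", SrcPort: 5555, DstIP: "10.0.0.5", DstPort: 22, Inbound: true, Syn: true},
        {Proto: "udp", SrcIP: "192.0.2.53", SrcPort: 53, DstIP: "10.0.0.5", DstPort: 53, Inbound: true},
        {Proto: "udp", SrcIP: "198.51.100.9", SrcPort: 53, DstIP: "10.0.0.5", DstPort: 53, Inbound: true},
    }
    for _, p := range samples {
        ok, why := f.Decide(p)
        fmt.Printf("%-3s %s:%d -> %s:%d allow=%v (%s)\n", p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, ok, why)
    }
}
```

Run it with `go run`; the output shows that the reply to the connection opened from inside is admitted while the same kind of unsolicited inbound packet is not, and that an inbound UDP datagram is accepted or refused purely on whether its source is on the trusted list, since there is no handshake for the filter to have observed.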
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 19 - CRYPTOGRAPHY
19.2.3.1 Secret Key Electronic Signatures
An electronic signature can be
implemented using secret key message authentication codes (MACs).
For example, if two parties share a secret key, and one party
receives data with a MAC that is correctly verified using the shared
key, that party may assume that the other party signed the data.
This assumes, however, that the two parties trust each other. Thus,
through the use of a MAC, in addition to data integrity, a form of
electronic signature is obtained. Using additional controls, such as
key notarization and key attributes, it is possible to provide an
electronic signature even if the two parties do not trust each
other.
Systems incorporating message authentication technology have been
approved for use by the federal government as a replacement for
written signatures on electronic documents.
19.2.3.2 Public Key Electronic Signatures
Another type of electronic signature
called a digital signature is implemented using public key
cryptography. Data is electronically signed by applying the
originator's private key to the data. (The exact mathematical
process for doing this is not important for this discussion.) To
increase the speed of the process, the private key is applied to a
shorter form of the data, called a "hash" or "message digest,"
rather than to the entire set of data. The resulting digital
signature can be stored or transmitted along with the data. The
signature can be verified by any party using the public key of the
signer. This feature is very useful, for example, when distributing
signed copies of virus-free software. Any recipient can verify that
the program remains virus-free. If the signature verifies properly,
then the verifier has confidence that the data was not modified
after being signed and that the owner of the public key was the
signer.
NIST has published standards for a
digital signature and a secure hash for use by the federal
government in FIPS 186, Digital Signature Standard and FIPS
180, Secure Hash Standard.
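As an added example illustrating both 19.2.3.1 and 19.2.3.2 (this code is written for the newsletter and is not from the NIST Handbook), the Go program below builds the secret-key form of electronic signature with HMAC-SHA256 and the public-key form with ECDSA over the P-256 curve and a SHA-256 message digest, i.e. algorithms from the FIPS 186 and FIPS 180 families named above. The shared key, the document contents and the party names are constructed. It shows that a MAC detects tampering but that the receiver, holding the same key, could have produced the tag itself, which is why the MAC form depends on the two parties trusting each other, whereas a digital signature is verified with the public key alone and fails both on tampered data and under anyone else's key.

```go
package main

import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/hmac"
    "crypto/rand"
    "crypto/sha256"
    "fmt"
)

// --- 19.2.3.1: secret-key electronic signature with a MAC ---

// macSign produces an HMAC-SHA256 tag over data under the shared key.
func macSign(sharedKey, data []byte) []byte {
    m := hmac.New(sha256.New, sharedKey)
    m.Write(data)
    return m.Sum(nil)
}

// macVerify recomputes the tag and compares in constant time, so a
// tampered message cannot be distinguished by how long the check takes.
func macVerify(sharedKey, data, tag []byte) bool {
    return hmac.Equal(macSign(sharedKey, data), tag)
}

// --- 19.2.3.2: public-key electronic (digital) signature ---

// Signer holds an ECDSA P-256 key pair; the private half never leaves it.
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
    k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    if err != nil {
        return nil, err
    }
    return &Signer{priv: k}, nil
}

// Public returns the key any party may use to verify this signer's signatures.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign first reduces the data to a SHA-256 message digest and then applies
// the private key to that digest rather than to the whole document.
func (s *Signer) Sign(data []byte) ([]byte, error) {
    digest := sha256.Sum256(data)
    return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify needs only the public key: it rehashes the data and checks the
// signature against the digest.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
    digest := sha256.Sum256(data)
    return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
    // Constructed sample values (not a real key or file).
    sharedKey := []byte("constructed-shared-key-for-illustration")
    doc := []byte("ACH file 2019-03-01: total 100 items")
    tampered := []byte("ACH file 2019-03-01: total 101 items")

    // MAC: integrity plus a signature-like assurance, but only between the two key holders.
    tag := macSign(sharedKey, doc)
    fmt.Println("MAC verifies on original:", macVerify(sharedKey, doc, tag))
    fmt.Println("MAC verifies on tampered:", macVerify(sharedKey, tampered, tag))
    // The receiver holds the same key, so it could have produced this tag itself;
    // that is the trust assumption the Handbook mentions.
    fmt.Println("receiver can recompute an identical tag:", hmac.Equal(macSign(sharedKey, doc), tag))

    // Digital signature: only the private key can sign, anyone with the public key can verify.
    alice, err := NewSigner()
    if err != nil {
        panic(err)
    }
    sig, err := alice.Sign(doc)
    if err != nil {
        panic(err)
    }
    fmt.Println("signature verifies with Alice's public key:", Verify(alice.Public(), doc, sig))
    fmt.Println("signature verifies on tampered data:", Verify(alice.Public(), tampered, sig))
    other, _ := NewSigner()
    fmt.Println("signature verifies with another party's key:", Verify(other.Public(), doc, sig))
}
```

The split between Sign and Verify is the practical point of 19.2.3.2: a bank can publish one public key and let every customer or auditor check a signed file, while the MAC form would require handing each of them the secret key, after which each could also forge tags.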