FFIEC information
technology audits -
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
IT pros don't learn from cyberattacks, study -
Unfortunately, the same doesn't apply to IT professionals, regardless
of which state they're in, since they appear to be setting
themselves up to be fooled again as a recent study found 46 percent
of IT professionals don't change their security strategy after a
cyberattack.
https://www.scmagazine.com/study-finds-it-pros-dont-learn-from-mistakes-after-a-breach/article/748775/
Equifax breach worse than thought, consumers
affected now total 147.9M - Equifax has once again bumped up the
estimated number of U.S. consumers affected by its massive breach –
now saying that data on 147.9 million was somehow exposed.
https://www.scmagazine.com/equifax-breach-worse-than-thought-consumers-affected-now-total-1479m/article/748044/
Healthcare sector's biggest threats come from insiders, report -
Healthcare is the only industry in which internal threat actors are
the biggest threat to an organization, a recent study posits.
https://www.scmagazine.com/healthcare-only-industry-in-which-internal-actors-are-the-biggest-threat-to-an-organization/article/748386/
After 'isolated' hack, Germany says government computers are secure
- The German government said on Wednesday that hackers had breached
the network of government computers with an isolated attack that had
been brought under control and which was being investigated by
security officials.
https://www.scmagazine.com/after-isolated-hack-germany-says-government-computers-are-secure/article/748191/
Penn. AG sues Uber over breach, delayed notification -
Pennsylvania's attorney general is suing Uber for delaying
disclosure for more than a year of a breach that exposed the
personal information, such as driver's licenses, of 57 million
customers and drivers.
https://www.scmagazine.com/penn-ag-sues-uber-over-breach-delayed-notification/article/748778/
Google gets sued for denying "right to be forgotten" request - A
businessman, whose "right to be forgotten" request was denied by
Google to "defend the public's right to access lawful information",
has filed a lawsuit in the high court in a bid to make Google remove
references to his criminal past.
https://www.scmagazine.com/google-gets-sued-for-denying-right-to-be-forgotten-request/article/748731/
ComboJack malware steals digital payments, cryptocurrency, by
modifying info saved to clipboards - Researchers have discovered a
new malware that steals cryptocurrency and other electronic funds by
surreptitiously modifying wallet or payment information whenever
victims copy it to their devices' clipboards.
https://www.scmagazine.com/combojack-malware-steals-digital-payments-cryptocurrency-by-modifying-info-saved-to-clipboards/article/749086/
Millennial Habits May Bring an End to the Password Era - The use of
passwords as a single method to prove identity is increasingly
becoming obsolete – and for good reason. With major data breaches
opening the floodgates on our personal information and the
increasing availability of password hacking tools, passwords are no
longer effective at keeping our personal identities secured.
https://www.scmagazine.com/millennial-habits-may-bring-an-end-to-the-password-era/article/746144/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Marine Forces Reserve data breach leaks data of about 21K - The
personal information of thousands of Marines, sailors, and civilians
was compromised after an unencrypted email was sent to the wrong
email distribution list Monday morning.
https://www.scmagazine.com/data-of-21000-compromised-after-sensitive-info-sent-to-wrong-address/article/747616/
GitHub hit with the largest DDoS attack ever seen - DDoS attackers
have found a new way of magnifying their attacks, with experts
warning that bigger attacks are likely.
http://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/
German government confirms hackers blitzkrieged its servers to steal
data - The German Interior ministry has confirmed that it has
identified a serious attack against its servers, amidst reports that
the culprits were the Russian APT28 – aka Fancy Bear – hacking
group.
http://www.theregister.co.uk/2018/03/01/german_government_confirms_hackers_blitzkrieged_its_servers_to_steal_data/
Malware forces closure of hundreds of Tim Hortons outlets across
Canada - A mysterious malware has taken out the cash registers of
hundreds of Tim Hortons restaurants across Canada, forcing many of
them to close and prompting legal action from franchise owners.
https://www.scmagazine.com/tim-hortons-hit-with-malware-forcing-hundreds-to-close/article/747271/
GitHub rides out record-breaking DDoS attack that leveraged
memcached servers - GitHub on Wednesday withstood the largest-ever
recorded distributed denial of service attack in history,
experiencing roughly 10 minutes of disruption during the onslaught,
which was amplified using exposed memcached servers -- a vector that
has seen a significant increase in abuse since last month.
https://www.scmagazine.com/github-rides-out-record-breaking-ddos-attack-that-leveraged-exposed-memcached-servers/article/748373/
FS-ISAC hit with phishing attacks - A Financial Services Information
Sharing and Analysis Center (FS-ISAC) employee fell victim to a
phishing attack that compromised login credentials enabling
additional phishing attacks.
https://www.scmagazine.com/financial-cyberthreat-sharing-platform-hit-with-phishing-attacks/article/748361/
Rockdale ISD hit with W-2 scam - Every employee with the Rockdale,
Texas Independent School District had their W-2 tax form information
stolen in a spearphishing attack.
https://www.scmagazine.com/rockdale-isd-his-with-w-2-scam/article/748740/
167 Applebee's locations across 15 states hit with POS breach - RMH
Franchise Holdings, which claims to be the second largest Applebee's
franchisee, is warning Applebee's customers that point-of-sale
malware affected 167 restaurants in 15 states.
https://www.scmagazine.com/applebees-hit-with-pos-breach/article/749139/
Fresno State data breach, 15,000 affected - A stolen external hard
drive has led to the personal information of more than 15,000 people
formerly and currently associated with California State University
at Fresno athletic department.
https://www.scmagazine.com/fresno-state-data-breach-15000-affected/article/749459/
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of
weblinks should review the types of products or services and the
overall website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non‑repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA, the
represented party, and could even include the represented party's
public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs.
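As an added example that is not part of the FDIC text, the following Go program uses only the standard library to build a toy CA: the CA signs a certificate that names the CA (issuer), the represented party (subject) and that party's public key, and a relying party then checks the CA's signature against the CA it trusts, rejecting the same certificate when offered under a CA that did not sign it. The names ("Example Bank Root CA", "online.examplebank.test") are constructed for the example, and the choice of Ed25519 keys is an assumption rather than something the text specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for subject. With parent == nil it is self-signed
// (a root CA); otherwise the parent's private key signs it, the CA vouching for it.
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // assumed key type for the example
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject}, // the represented party
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, priv // self-signed root: the CA signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// verify reports whether leaf chains to trustedCA: the signature on the certificate
// is checked with the CA's public key, so a certificate from any other CA fails.
func verify(leaf, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

The parsed leaf carries the CA's name in `Issuer`, the party's name in `Subject` and the party's key in `PublicKey`, which is exactly the content the text says a digital certificate conveys.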
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
Physical access controls restrict the entry and exit of personnel
(and often equipment and media) from an area, such as an office
building, suite, data center, or room containing a LAN server.
The control over physical access to the elements of a system can
include controlled areas, barriers that isolate each area, entry
points in the barriers, and screening measures at each of the entry
points. In
addition, staff members who work in a restricted area serve an
important role in providing physical security, as they can be
trained to challenge people they do not recognize.
Physical access controls should address not only the area containing
system hardware, but also locations of wiring used to connect
elements of the system, the electric power service, the air
conditioning and heating plant, telephone and data lines, backup
media and source documents, and any other elements required for the system's
operation. This means that all the areas in the building(s) that
contain system elements must be identified.
There are many types of physical access controls, including badges,
memory cards, guards, keys, true-floor-to-true-ceiling wall
construction, fences, and locks.
It is also important to review the effectiveness of physical access
controls in each area, both during normal business hours, and at
other times, particularly when an area may be unoccupied.
Effectiveness depends on both the characteristics of the control
devices used (e.g., keycard-controlled doors) and the implementation
and operation. Statements to the effect that "only authorized
persons may enter this area" are not particularly effective.
Organizations should determine whether intruders can easily defeat
the controls, the extent to which strangers are challenged, and the
effectiveness of other control procedures. Factors like these modify
the effectiveness of physical controls.
The feasibility of surreptitious entry also needs to be considered.
For example, it may be possible to go over the top of a partition
that stops at the underside of a suspended ceiling or to cut a hole
in a plasterboard partition in a location hidden by furniture. If a
door is controlled by a combination lock, it may be possible to
observe an authorized person entering the lock combination. If
keycards are not carefully controlled, an intruder may be able to
steal a card left on a desk or use a card passed back by an
accomplice.
Corrective actions can address any of the factors listed above.
Adding an additional barrier reduces the risk to the areas behind
the barrier. Enhancing the screening at an entry point can reduce
the number of penetrations. For example, a guard may provide a
higher level of screening than a keycard-controlled door, or an
anti-pass back feature can be added. Reorganizing traffic patterns,
work flow, and work areas may reduce the number of people who need
access to a restricted area. Physical modifications to barriers can
reduce the vulnerability to surreptitious entry. Intrusion
detectors, such as closed-circuit television cameras, motion
detectors, and other devices, can detect intruders in unoccupied
spaces.
Life Safety
It is important to understand that the objectives of physical access
controls may be in conflict with those of life safety. Simply
stated, life safety focuses on providing easy exit from a facility,
particularly in an emergency, while physical security strives to
control entry. In general, life safety must be given first
consideration, but it is usually possible to achieve an effective
balance between the two goals.
For example, it is often possible to equip emergency exit doors with
a time delay. When one pushes on the panic bar, a loud alarm sounds,
and the door is released after a brief delay. The expectation is
that people will be deterred from using such exits improperly, but
will not be significantly endangered during an emergency evacuation.