FFIEC information technology audits -
As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for your bank in Texas, New Mexico, Colorado, and Oklahoma. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI
- White hat hackers find thousands of vulnerabilities: DoD - The
U.S. Department of Defense’s Cyber Crime Center (DC3) received more
than 2,800 validated vulnerability reports from a variety of
sources, according to its 2019 Vulnerability Disclosure Program
(VDP).
https://www.scmagazine.com/home/security-news/vulnerabilities/white-hat-hackers-find-thousands-of-vulnerabilities-dod/
Telecom firms urge FCC flexibility as carriers replace Chinese
equipment - The U.S. Senate Committee on Commerce, Science and
Transportation on Wednesday held a hearing where officials from
leading tech and telecom firms posed key recommendations to
lawmakers who seek to replace and further prohibit
telecommunications equipment that may pose a security risk,
including products from China-based Huawei and ZTE. Among the key
suggestions was that any effort to “rip and replace” untrusted
equipment should really be treated as a “replace, then rip.”
https://www.scmagazine.com/home/security-news/government-and-defense/telecom-firms-urge-fcc-flexibility-as-carriers-replace-chinese-equipment/
Five reasons why COVID-19 will bolster the cyber-security industry -
Amid sharply falling public markets and spiraling panic around the
rapid proliferation of the coronavirus (a.k.a. Covid-19), the
cybersecurity industry seems to be well poised for sustainable
growth despite some foreseeable turbulence.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/five-reasons-why-covid-19-will-bolster-the-cyber-security-industry/
Siemens Shares Incident Response Playbook for Energy Infrastructure
- The playbook simulates a cyberattack on the energy industry to
educate regulators, utilities, and IT and OT security experts.
Cyberattacks against the energy sector have shifted from targeting
information technology (IT) to operational technology (OT) as
attackers aim to disrupt critical infrastructure. This change is
forcing companies to rethink how they would detect and remove
threats without affecting operations.
https://www.darkreading.com/attacks-breaches/siemens-shares-incident-response-playbook-for-energy-infrastructure/d/d-id/1337256
https://assets.new.siemens.com/siemens/assets/api/uuid:7ee9587c-dfd3-4f8a-b447-c9fb7302ed96/version:1582144985/cyberattackdigitalr4v2.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- City of Cartersville paid $380k ransom to restore access to files
- Almost one year after a ransomware attack struck the city of
Cartersville, Ga., municipal officials revealed that they paid a
ransom of $380,000 to regain access to their files.
https://www.scmagazine.com/home/security-news/ransomware/city-of-cartersville-paid-380k-ransom-to-restore-access-to-files/
J.Crew says year-old breach exposed customer account info - J.Crew
notified a group of customers that an unauthorized third-party
accessed their accounts nearly a year ago using their login
credentials and obtained personal information, including the last
four digits of payment card numbers, expiration dates, card types
and billing addresses as well as order numbers, shipping
confirmation numbers and shipment status.
https://www.scmagazine.com/home/security-news/j-crew-says-year-old-breach-exposed-customer-account-info/
Staffer emails compromised and customer details exposed in T-Mobile
US's third security whoopsie in as many years - And there it is –
exactly what telco was fretting over in FY'19 results - T-Mobile US
was hacked by miscreants who may have stolen some customer
information.
https://www.theregister.co.uk/2020/03/05/tmobile_breach/
Ryuk ransomware hits Fortune 500 company EMCOR - Company expects the
incident to have an impact on its 2020 earnings, according to its
2019 Q4 financial report. EMCOR Group (NYSE: EME), a US-based
Fortune 500 company specialized in engineering and industrial
construction services, disclosed last month a ransomware incident
that took down some of its IT systems.
https://www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/
Virgin Media leaves database open, thousands of records exposed -
The UK telecom and ISP Virgin Media is informing some customers of a
data breach that took place when unauthorized persons accessed an
incorrectly configured database.
https://www.scmagazine.com/home/security-news/data-breach/virgin-media-leaves-database-open-thousands-of-records-exposed/
Durham, N.C. bull rushed by ransomware; recovery underway - The city
of Durham, North Carolina and the government of Durham County have
experienced disruptions since a ransomware attack last Friday, but
local government officials claim the damage was contained and
recovery efforts are well underway.
https://www.scmagazine.com/home/security-news/ransomware/durham-n-c-bull-rushed-by-ransomware-recovery-underway/
European power grid organization says its IT network was hacked -
The organization that ensures coordination of European electricity
markets said Monday that its IT network had been compromised in a
“cyber intrusion.”
https://www.cyberscoop.com/european-entso-breach-fingrid/
Defense contractor CPI knocked offline by ransomware attack - A
major electronics manufacturer for defense and communications
markets was knocked offline after a ransomware attack, TechCrunch
has learned.
https://techcrunch.com/2020/03/05/cpi-ransomware-defense-contractor/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy and
procedure requires the assignment of responsibilities and training.
Some organizations formalize the response organization with the
creation of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Due to the wide range of
non-technical issues that are posed by an intrusion, typical CSIRT
membership includes individuals with a wide range of backgrounds and
expertise, from many different areas within the institution. Those
areas include management, legal, public relations, as well as
information technology. Other organizations may outsource some of
the CSIRT functions, such as forensic examinations. When CSIRT
functions are outsourced, institutions should ensure that their
institution's policies are followed by the service provider and
confidentiality of data and systems are maintained.
Institutions can best assess the adequacy of their preparations
through testing.
While containment strategies between institutions can vary, they
typically contain the following broad elements:
- Isolation of compromised systems, or enhanced monitoring of
intruder activities;
- Search for additional compromised systems;
- Collection and preservation of evidence; and
- Communication with affected parties, the primary regulator, and
law enforcement.
Restoration strategies should address the following:
- Elimination of an intruder's means of access;
- Restoration of systems, programs and data to a known good state;
- Filing of a Suspicious Activity Report (guidelines for filing
are included in individual agency guidance); and
- Communication with affected parties.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
Tools to Implement Policy - Standards, Guidelines, and Procedures:
Because policy is written at a broad level, organizations also
develop standards, guidelines, and procedures that offer users,
managers, and others a clearer approach to implementing policy and
meeting organizational goals. Standards and guidelines specify
technologies and methodologies to be used to secure systems.
Procedures are yet more detailed steps to be followed to accomplish
particular security-related tasks. Standards, guidelines, and
procedures may be promulgated throughout an organization via
handbooks, regulations, or manuals.
Organizational standards (not to be confused with American National
Standards, FIPS, Federal Standards, or other national or
international standards) specify uniform use of specific
technologies, parameters, or procedures when such uniform use will
benefit an organization. Standardization of organization-wide
identification badges is a typical example, providing ease of
employee mobility and automation of entry/exit systems. Standards
are normally compulsory within an organization.
Guidelines assist users, systems personnel, and others in
effectively securing their systems. The nature of guidelines,
however, immediately recognizes that systems vary considerably, and
imposition of standards is not always achievable, appropriate, or
cost-effective. For example, an organizational guideline may be used
to help develop system-specific standard procedures. Guidelines are
often used to help ensure that specific security measures are not
overlooked, although they can be implemented, and correctly so, in
more than one way.
Procedures normally assist in complying with applicable security
policies, standards, and guidelines. They are detailed steps to be
followed by users, system operations personnel, or others to
accomplish a particular task (e.g., preparing new user accounts and
assigning the appropriate privileges).
Some organizations issue overall computer security manuals,
regulations, handbooks, or similar documents. These may mix policy,
guidelines, standards, and procedures, since they are closely
linked. While manuals and regulations can serve as important tools,
it is often useful if they clearly distinguish between policy and
its implementation. This can help in promoting flexibility and
cost-effectiveness by offering alternative implementation approaches
to achieving policy goals.