R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 17, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the FFIEC Cybersecurity Assessment Tool's resilience-testing expectations.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Data breaches up 400 percent, 15 billion records compromised: report - The number of data breaches increased more than 400 percent in 2018, exposing almost 15 billion records, according to the identity intelligence company 4iQ. https://www.scmagazine.com/home/security-news/data-breach/data-breaches-up-400-percent-15-billion-records-compromised-report/

Equifax neglected cybersecurity prior to breach, Senate report finds - On the eve of executives from Equifax and Marriott appearing before the Senate Permanent Subcommittee on Investigations to discuss the lessons learned from a pair of major breaches, the subcommittee released a scathing report accusing Equifax of neglect and “failing to prioritize cybersecurity,” which led to a 2017 breach that affected 145 million people. https://www.scmagazine.com/home/security-news/equifax-neglected-cybersecurity-prior-to-breach-senate-report-finds/

Comptroller Questions Priority Given by Agency Heads to Cybersecurity Issues - U.S. Comptroller General Gene Dodaro, who heads the Government Accountability Office (GAO), today publicly questioned the priority given by Federal agency heads to cybersecurity issues that have long been flagged by GAO on its “High Risk List,” the latest biennial edition of which was issued by the agency today. https://www.meritalk.com/articles/comptroller-questions-priority-given-by-agency-heads-to-cybersecurity-issues/

Improving security with micro-segmentation: Where do I start? - The irreversible movement from on-premise data centers to virtualized, hybrid-cloud infrastructures has raised a major security challenge for enterprises: how to protect mission-critical applications and workloads from threats lurking within the data center. https://www.scmagazine.com/home/opinion/improving-security-with-micro-segmentation-where-do-i-start/

Meeting GDPR standards doesn’t guarantee Calif. privacy law compliance, experts warn - Soon to be the most restrictive privacy law in the U.S., the California Consumer Privacy Act is set to take effect in January 2020. And companies that sit back and assume their compliance with GDPR is enough to meet the new legislation’s high expectations are in for a rude awakening, warned a panel of privacy executives at RSA 2019. https://www.scmagazine.com/home/security-news/meeting-gdpr-standards-doesnt-guarantee-calif-privacy-law-compliance-experts-warn/

Germany planning 'trustworthy' supplier requirement for all networks and 5G - A draft of updated security requirements is set to appear in the Northern Hemisphere's spring. https://www.zdnet.com/article/germany-planning-trustworthy-supplier-requirement-for-all-networks-and-5g/

GAO - Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs - https://www.gao.gov/products/GAO-19-144?utm_campaign=usgao_email&utm_content=topic_it&utm_medium=email&utm_source=govdelivery

NYU, NYC Cyber Command conduct inaugural training exercise in new Brooklyn cyber range - Normally, it’s the job of the New York City Cyber Command (NYC3) to defend the city from online threats. But yesterday, its members were actually the ones dishing out the punishment, lobbing a series of attacks at a group of 25-30 New York University cybersecurity graduate students. https://www.scmagazine.com/home/security-news/nyu-nyc-cyber-command-conduct-inaugurate-training-exercise-in-new-brooklyn-cyber-range/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Unprotected MongoDB database exposes 763M unique email addresses, ‘business intel’ - Verifications.io has taken down an unprotected MongoDB database found by researchers last week to contain 150GB-worth of plaintext marketing data including 763 million unique email addresses and various corporations’ revenue data. https://www.scmagazine.com/home/security-news/unprotected-mongodb-database-exposes-763m-unique-email-addresses-business-intel/

Software maker Citrix hacked, business documents removed - Acting on a tip from the FBI, Citrix has investigated and confirmed that its network has been penetrated and data had been exfiltrated by an outside force. https://www.scmagazine.com/home/security-news/data-breach/software-maker-citrix-hacked-business-documents-removed/

Columbia Surgical Specialists pay $15,000 ransom to unlock files - Columbia Surgical Specialists paid an almost $15,000 ransom to regain access to files encrypted during a ransomware attack. https://www.scmagazine.com/home/security-news/ransomware/columbia-surgical-specialists-pay-15000-ransom-to-unlock-files/

Jackson County, Georgia pays $400,000 ransom to release files - Jackson County, Ga., is the latest ransomware victim to fork over a payment to its attackers in order to regain access to its encrypted files. https://www.scmagazine.com/home/security-news/data-breach/jackson-county-geogia-pays-400000-ransom-to-release-files/

Ransomware attack targets college admissions data - Threat actors launched ransomware attacks against three U.S. colleges seizing the data on students applying for admission to the schools and demanded 1 Bitcoin or approximately $3,800 from students to retrieve their “entire admission file.” https://www.scmagazine.com/home/security-news/threat-actors-launched-ransomware-attacks-against-three-u-s-colleges-seizing-the-data-on-students-applying-for-admission/

Hackers Break into System That Houses College Application Data - More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants. http://www.darkreading.com/attacks-breaches/hackers-break-into-system-that-houses-college-application-data/d/d-id/1334125

Dozens of high-profile Box accounts found leaking sensitive data - Adversis researchers have discovered that dozens of companies have leaked sensitive data as a result of misconfigured Box accounts. https://www.scmagazine.com/home/security-news/dozens-of-high-profile-box-accounts-found-leaking-sensitive-data/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  
Risk management principles (Part 2 of 2)
  
  The Committee recognizes that banks will need to develop risk management processes appropriate for their individual risk profile, operational structure and corporate governance culture, as well as in conformance with the specific risk management requirements and policies set forth by the bank supervisors in their particular jurisdiction(s). Further, the numerous e-banking risk management practices identified in this Report, while representative of current industry sound practice, should not be considered to be all-inclusive or definitive, since many security controls and other risk management techniques continue to evolve rapidly to keep pace with new technologies and business applications.
  
  This Report does not attempt to dictate specific technical solutions to address particular risks or set technical standards relating to e-banking. Technical issues will need to be addressed on an on-going basis by both banking institutions and various standards-setting bodies as technology evolves. Further, as the industry continues to address e-banking technical issues, including security challenges, a variety of innovative and cost efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that banks differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.
  
  For these reasons, the Committee does not believe that a "one size fits all" approach to e-banking risk management is appropriate, and it encourages the exchange of good practices and standards to address the additional risk dimensions posed by the e-banking delivery channel. In keeping with this supervisory philosophy, the risk management principles and sound practices identified in this Report are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements where necessary, to help promote safe and secure e-banking activities and operations.
  
  The Committee recognizes that each bank's risk profile is different and requires a risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. These differences imply that the risk management principles presented in this Report are intended to be flexible enough to be implemented by all relevant institutions across jurisdictions. National supervisors will assess the materiality of the risks related to e-banking activities present at a given bank and whether, and to what extent, the risk management principles for e-banking have been adequately met by the bank's risk management framework.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  
Protocols and Ports (Part 2 of 3)
  
  Other common protocols in a TCP/IP network include the following types.
  
  - Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet delivers frames by MAC address, so a router (or any host) must learn both the IP address and the MAC address of devices on a connected segment. Reverse ARP (RARP) also exists as a protocol. ARP replies are not authenticated, so a host on the same segment can claim another device's IP address (ARP spoofing) and intercept its traffic.
  
  - Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify routing problems.
  
  - File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication; credentials and file contents cross the network in the clear. Conducting file transfers within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH, as SFTP or SCP) or SSL/TLS (FTPS) sessions, can improve security.
  
  - Trivial file transfer protocol (TFTP) - A file transfer protocol (UDP port 69) with no file-browsing ability and no support for authentication; it should never be reachable from untrusted networks.
  
  - Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.
  
  - Post office protocol (POP) - Commonly used to receive e-mail. Like SMTP and HTTP, it sends credentials in the clear unless the session is wrapped in SSL/TLS.
  
  - Hypertext transport protocol (HTTP) - Used for Web browsing.
  
  - Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.
  
  - Secure sockets layer (SSL) - Typically used to encrypt Web-browsing sessions, sometimes used to secure e-mail transfers and FTP sessions. SSL has since been superseded by Transport Layer Security (TLS); every SSL version is now deprecated, and "SSL" in current usage generally means TLS.
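The list above separates the protocols that carry credentials or data in the clear from those that encrypt the session. The following Python script, added here as an example and not part of the FFIEC booklet, turns that distinction into a quick host-level check: it parses a constructed `ss -ltun`-style socket listing (Linux socket statistics, embedded below so the script runs offline), ignores services bound only to loopback, and reports each exposed cleartext service together with an encrypted substitute. The port-to-protocol table and the substitutes it suggests are assumptions of this example, not a regulatory list.

```python
"""Audit a socket listing for exposed cleartext services (added example).

Input is a constructed `ss -ltun`-style listing (Linux: TCP listeners and
UDP sockets, numeric addresses). On a real host, feed it `ss -ltun` output.
The protocol table and the suggested substitutes are this example's
assumptions, not a regulatory list.
"""
import ipaddress
from typing import Dict, List, Tuple

# (transport, port) -> (name, carries credentials/data in the clear, safer substitute)
PORT_TABLE: Dict[Tuple[str, int], Tuple[str, bool, str]] = {
    ("tcp", 21):  ("FTP",   True,  "SFTP/SCP over SSH (22) or FTPS"),
    ("udp", 69):  ("TFTP",  True,  "SFTP/SCP over SSH (22); TFTP has no authentication"),
    ("tcp", 25):  ("SMTP",  True,  "SMTP with STARTTLS, or SMTPS (465)"),
    ("tcp", 80):  ("HTTP",  True,  "HTTPS (443)"),
    ("tcp", 110): ("POP3",  True,  "POP3S (995)"),
    ("tcp", 22):  ("SSH",   False, ""),
    ("tcp", 443): ("HTTPS", False, ""),
    ("tcp", 465): ("SMTPS", False, ""),
    ("tcp", 995): ("POP3S", False, ""),
}

# Constructed sample; column layout follows `ss -ltun`.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
udp    UNCONN  0       0              0.0.0.0:69           0.0.0.0:*
tcp    LISTEN  0       128          127.0.0.1:25           0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:21           0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:80           0.0.0.0:*
tcp    LISTEN  0       128               [::]:443             [::]:*
tcp    LISTEN  0       128        192.168.1.5:110          0.0.0.0:*
"""


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (transport, address, port) for each bound socket.

    Handles dotted IPv4, bracketed IPv6 and the '*' wildcard that some
    ss versions print for an unspecified address.
    """
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue                      # header or unrelated line
        if cols[0] == "tcp" and cols[1] != "LISTEN":
            continue                      # established connections, not services
        addr, _, port = cols[4].rpartition(":")
        addr = addr.strip("[]") or "*"
        sockets.append((cols[0], addr, int(port)))
    return sockets


def is_externally_reachable(addr: str) -> bool:
    """A loopback-only bind (127.0.0.0/8, ::1) is not exposed to the network."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def audit(text: str) -> List[Dict[str, object]]:
    """List exposed services whose protocol is cleartext."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if not is_externally_reachable(addr):
            continue
        name, cleartext, fix = PORT_TABLE.get((proto, port), (f"{proto}/{port}", False, ""))
        if cleartext:
            findings.append({"proto": proto, "port": port, "service": name,
                             "bind": addr, "recommend": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f['service']:5} {f['proto']}/{f['port']:<4} bound to {f['bind']:<12} "
              f"is cleartext; prefer {f['recommend']}")
```

On the sample input the script reports TFTP, FTP, HTTP and POP3 and stays silent about SMTP, which is bound to 127.0.0.1 only. Ports absent from the table are skipped; a real audit would list those as "unknown service" rather than assume they are harmless, and would confirm each binding from outside the host with a port scan, since a host firewall can still block what `ss` shows as listening.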



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.2.4 User Authentication

Cryptography can increase security in user authentication techniques. As discussed in Chapter 16, cryptography is the basis for several advanced authentication methods. Instead of communicating passwords over an open network, authentication can be performed by demonstrating knowledge of a cryptographic key. Using these methods, a one-time password, which is not susceptible to eavesdropping, can be used. User authentication can use either secret or public key cryptography.
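To make the handbook's point concrete, here is the secret-key form of that idea: an HMAC-based challenge-response exchange, written as an added example for this newsletter and not taken from the NIST Handbook. The server issues a fresh random nonce; the client returns HMAC-SHA256 over the user name and nonce, keyed with a shared secret that is assumed to have been provisioned out of band; the server checks the response in constant time and discards the nonce, so a captured response is a one-time value that cannot be replayed. The names (`Server`, `client_respond`, `demo`) are this example's own.

```python
"""Secret-key challenge-response authentication (added example, not NIST code).

The password or key never crosses the network: the client proves it holds the
shared key by returning HMAC-SHA256(key, user || nonce) for a server-chosen
nonce. Because each nonce is random and single-use, the response behaves like
a one-time password and a captured copy cannot be replayed.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def _mac(key: bytes, user: str, nonce: bytes) -> bytes:
    # Bind the user name into the MAC so a response computed for one
    # account cannot be presented for another; NUL separates the fields.
    return hmac.new(key, user.encode("utf-8") + b"\x00" + nonce, hashlib.sha256).digest()


class Server:
    """Holds per-user shared keys (assumed provisioned out of band) and open challenges."""

    NONCE_LEN = 32

    def __init__(self, keys: Dict[str, bytes]):
        self._keys = dict(keys)
        self._pending: Dict[str, bytes] = {}   # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(self.NONCE_LEN)
        self._pending[user] = nonce            # a new challenge supersedes any old one
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Consume the outstanding nonce first: whether or not the response
        # checks out, it must not be usable a second time (replay protection).
        expected_nonce = self._pending.pop(user, None)
        key = self._keys.get(user)
        if key is None or expected_nonce is None or nonce != expected_nonce:
            return False
        # compare_digest runs in constant time; a plain '==' would leak how
        # many leading bytes matched through timing.
        return hmac.compare_digest(_mac(key, user, nonce), response)


def client_respond(user: str, key: bytes, nonce: bytes) -> bytes:
    """The client side: answer the challenge without revealing the key."""
    return _mac(key, user, nonce)


def demo() -> Dict[str, bool]:
    """Run one genuine exchange plus four failure cases; return each outcome."""
    key = secrets.token_bytes(32)
    server = Server({"alice": key})

    nonce = server.challenge("alice")
    resp = client_respond("alice", key, nonce)
    genuine = server.verify("alice", nonce, resp)      # True
    replay = server.verify("alice", nonce, resp)       # False: nonce already consumed

    nonce = server.challenge("alice")
    wrong_key = server.verify("alice", nonce,
                              client_respond("alice", secrets.token_bytes(32), nonce))

    nonce = server.challenge("alice")
    resp = client_respond("alice", key, nonce)
    tampered = server.verify("alice", nonce, resp[:-1] + bytes([resp[-1] ^ 0x01]))

    unknown = server.verify("mallory", nonce, resp)    # no key on file for this user

    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key,
            "tampered": tampered, "unknown_user": unknown}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12} -> {'accepted' if accepted else 'rejected'}")
```

The public-key variant the handbook also mentions has the same shape: the server sends a nonce and the client returns a digital signature over it, which the server checks with the client's public key, so the server need not hold any secret at all. Whichever variant is used, the nonce must come from a cryptographic random source and must be single-use; a predictable or reusable challenge turns the scheme back into a replayable password.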

19.3 Implementation Issues

This section explores several important issues that should be considered when using (e.g., designing, implementing, integrating) cryptography in a computer system.

19.3.1 Selecting Design and Implementation Standards

Applicable security standards provide a common level of security and interoperability among users.

NIST and other organizations have developed numerous standards for designing, implementing, and using cryptography and for integrating it into automated systems. By using these standards, organizations can reduce costs and protect their investments in technology. Standards provide solutions that have been accepted by a wide community and that have been reviewed by experts in relevant areas. Standards help ensure interoperability among different vendors' equipment, thus allowing an organization to select from among various products in order to find cost-effective equipment.

Managers and users of computer systems will have to select among various standards when deciding to use cryptography. Their selection should be based on cost-effectiveness analysis, trends in the standard's acceptance, and interoperability requirements. In addition, each standard should be carefully analyzed to determine if it is applicable to the organization and the desired application. For example, the Data Encryption Standard and the Escrowed Encryption Standard are both applicable to certain applications involving communications of data over commercial modems. Some federal standards are mandatory for federal computer systems, including DES (FIPS 46-2) and the DSS (FIPS 186). (The Handbook dates from 1995. DES has since been withdrawn as a federal standard in favor of the Advanced Encryption Standard, FIPS 197, and the Escrowed Encryption Standard is no longer in use; the selection criteria above still apply to today's standards.)


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.