FFIEC information
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI
- Retrained agency employees can be a key source of cybersecurity
talent, NSC official says - As the government embraces new
technology and looks for the right people to utilize it, federal
agencies might have no choice but to develop unexpected sources of
talent, a White House official said Thursday.
https://www.fedscoop.com/agencies-can-retrain-employees-get-cyber-talent/
Audit finds Department of Homeland Security's security is insecure -
The agency that keeps America safe runs un-patched Flash, and worse
besides - The United States' Department of Homeland Security could
do more to keep its IT systems secure, a government report has
found.
http://www.theregister.co.uk/2018/03/08/feds_scolded_for_slow_security_patching_and_outdated_operating_systems/
New IoT security rules: Stop using default passwords and allow
software updates - Internet of Things (IoT) devices should never be
equipped with universal default passwords, and any credentials or
personal data within the device must be securely stored, while
devices must be easy for consumers to configure and to delete data
from.
http://www.zdnet.com/article/new-iot-security-rules-stop-using-default-passwords-and-allow-software-updates/
FBI used Best Buy's Geek Squad as confidential informants, FOIA docs show
- Does the FBI really need tech companies to provide backdoors in
their products to gain access to illegal material stored there?
Apparently not...as long as members of the Geek Squad are willing to
do the agency's bidding.
https://www.scmagazine.com/fbi-used-best-buys-geek-squad-as-confidential-informants-foia-docs-show/article/749591/
Military seeks seasoned industry professionals as next cyber
warriors, but they’ll have to start at the bottom - The likely next
commander of U.S. Cyber Command told Congress last week that a pilot
program lawmakers established to recruit more seasoned cyber experts
into the military’s uniformed workforce is making some headway. But,
he strongly suggested it’s been hampered by its inability to
commission new officers at ranks that are commensurate with their
experience.
https://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2018/03/military-seeks-seasoned-industry-professionals-as-next-cyber-warriors-but-theyll-have-to-start-at-the-bottom/
Is Your Organization Practicing Good Security Hygiene? - Well-known,
public exploits continue to wreak havoc across organizations,
whether due to lagging software updates, users falling prey to
well-crafted phishing attempts, or security infrastructure lacking
awareness of specific product vulnerabilities.
https://www.scmagazine.com/is-your-organization-practicing-good-security-hygiene/article/749143/
GAO: Homeland Security too slow in hiring cyber workers - The
Department of Homeland Security has failed to hire needed
cybersecurity professionals even though it was given approval to do
so by Congress in 2014, according to a report released March 8 by
the Government Accountability Office.
https://www.fifthdomain.com/civilian/2018/03/08/gao-homeland-security-too-slow-in-hiring-cyber-workers/
SEC charges former Equifax U.S. CIO with insider trading related to
data breach - The Securities and Exchange Commission (SEC) has
charged former Equifax executive Jun Ying with insider trading
saying he sold stock based on confidential company information
enabling him to avoid more than $117,000 in losses.
https://www.scmagazine.com/sec-charges-former-equifax-us-cio-with-insider-trading-related-to-data-breach/article/751109/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Dofoil trojan spotted and stopped after 400,000 instances recorded
- Microsoft said it discovered and stopped a large attack that
attempted to use variants of the Dofoil, or Smoke Loader, trojan to
spread a cryptocurrency miner.
https://www.scmagazine.com/dofoil-trojan-spotted-and-stopped-after-400000-instances-recorded/article/750098/
NSA Retreats From Targeted PCs If They're Already Infected by Other
APT Malware - Hacking tools leaked last year and believed to belong
to the US National Security Agency (NSA) contain a utility for
detecting the presence of malware developed by other cyber-espionage
groups.
https://www.bleepingcomputer.com/news/security/nsa-retreats-from-targeted-pcs-if-theyre-already-infected-by-other-apt-malware/
N.Y. hospital data breach, 135,000 patients potentially affected -
An Albany, N.Y. hospital suffered a data breach affecting about
135,000 patients when an unauthorized party gained access to its
servers.
https://www.scmagazine.com/ny-hospital-data-breach-135000-patients-potentially-affected/article/750533/
WEB SITE COMPLIANCE -
We continue our review of the FFIEC
interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Due Diligence
A financial institution should conduct sufficient due
diligence to determine whether it wishes to be associated with the
quality of products, services, and overall content provided by
third-party sites. A financial institution should consider more
product-focused due diligence if the third parties are providing
financial products, services, or other financial website content. In
this case, customers may be more likely to assume the institution
reviewed and approved such products and services. In addition to
reviewing the linked third-party's financial statements and its
customer service performance levels, a financial institution should
consider a review of the privacy and security policies and
procedures of the third party. Also, the financial institution
should consider the character of the linked party by considering its
past compliance with laws and regulations and whether the linked
advertisements might be viewed as deceptive advertising in violation
of Section 5 of the Federal Trade Commission Act.
FFIEC IT SECURITY -
We continue the series from the
FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other
servers provides an added measure of protection, because requests
could be segregated and routed to a particular server (such as a
financial information server or a public information server).
However, some systems may be considered so critical, they should be
completely isolated from all other systems or networks. Security
can also be enhanced by sending electronic transmissions from
external sources to a machine that is not connected to the main
operating system.
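The architecture described above (Internet, firewall, screening router, separate Web servers, and a core processing system with no direct connection to any of them) can be checked mechanically rather than by inspection. The following is an added example in Python, not code from the FDIC statement or from any bank; the zone names, the routing table, and the sample request paths are all constructed for illustration. It models the permitted traffic flows as a directed graph, asks which zones an Internet-originated connection can ever reach, dispatches requests to a financial or public server the way a screening router would, and then shows how a single "convenient" link from a Web server into the core breaks the isolation the text calls for.

```python
"""
Added example (not from the FDIC statement): a model of the segmented
architecture the text describes, with a reachability check that confirms
the core processing system is not on any path from the Internet.
All zone names, rules and sample requests are constructed.
"""
from collections import deque

# Directed adjacency list: which zones may initiate traffic to which.
# Note the deliberate absence of any edge into "core_processing" from the
# Internet-facing side; the core is reachable only from "internal_lan".
NETWORK = {
    "internet": ["firewall"],
    "firewall": ["screening_router"],
    "screening_router": ["public_web", "financial_web"],
    "public_web": [],
    "financial_web": [],
    "internal_lan": ["core_processing"],
    "core_processing": [],
    # A fully isolated system: no edges in or out, as the text suggests
    # for the most critical systems.
    "isolated_critical": [],
}


def reachable(graph, start):
    """Breadth-first search; returns the set of zones reachable from start."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def internet_exposed(graph):
    """Zones that an Internet-originated connection could ever reach."""
    return reachable(graph, "internet") - {"internet"}


# Screening-router policy (constructed): URL path prefix -> target server.
ROUTES = {
    "/balances": "financial_web",
    "/transfer": "financial_web",
    "/": "public_web",
}


def route_request(path):
    """Pick the target server by longest matching prefix. Anything that does
    not match a more specific prefix falls through to the public server."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path.startswith(prefix):
            return ROUTES[prefix]
    return None


def check_segmentation(graph):
    """The three properties an examiner would want to see hold."""
    exposed = internet_exposed(graph)
    return {
        "core_not_exposed": "core_processing" not in exposed,
        "isolated_not_exposed": "isolated_critical" not in exposed,
        "web_servers_exposed": {"public_web", "financial_web"} <= exposed,
    }


if __name__ == "__main__":
    print("reachable from Internet:", sorted(internet_exposed(NETWORK)))
    print(check_segmentation(NETWORK))
    for p in ["/balances/123", "/about", "/transfer"]:
        print(p, "->", route_request(p))
    # What goes wrong if a Web server is later wired directly to the core:
    broken = {k: list(v) for k, v in NETWORK.items()}
    broken["financial_web"] = ["core_processing"]
    print("after linking financial_web to core:", check_segmentation(broken))
```

The value of writing the flows down this way is that the check can be re-run whenever a firewall rule or router configuration changes; the "broken" variant at the end is exactly the kind of drift (a new allowed flow from the DMZ into the core) that a reviewer should be looking for.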
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.2 Fire Safety
Factors
Building fires are a particularly important security threat because
of the potential for complete destruction of both hardware and data,
the risk to human life, and the pervasiveness of the damage. Smoke,
corrosive gases, and high humidity from a localized fire can damage
systems throughout an entire building. Consequently, it is important
to evaluate the fire safety of buildings that house systems.
Following are important factors in determining the risks from fire.
Ignition Sources. Fires begin because something supplies
enough heat to cause other materials to burn. Typical ignition
sources are failures of electric devices and wiring, carelessly
discarded cigarettes, improper storage of materials subject to
spontaneous combustion, improper operation of heating devices, and,
of course, arson.
Fuel Sources. If a fire is to grow, it must have a supply of
fuel, material that will burn to support its growth, and an adequate
supply of oxygen. Once a fire becomes established, it depends on the
combustible materials in the building (referred to as the fire load)
to support its further growth. The more fuel per square meter, the
more intense the fire will be.
Building Operation. If a building is well maintained and
operated so as to minimize the accumulation of fuel (such as
maintaining the integrity of fire barriers), the fire risk will be
minimized.
Building Occupancy. Some occupancies are inherently more
dangerous than others because of an above-average number of
potential ignition sources. For example, a chemical warehouse may
contain an above-average fuel load.
Fire Detection. The more quickly a fire is detected, all
other things being equal, the more easily it can be extinguished,
minimizing damage. It is also important to accurately pinpoint the
location of the fire.
Fire Extinguishment. A fire will burn until it consumes all
of the fuel in the building or until it is extinguished. Fire
extinguishment may be automatic, as with an automatic sprinkler
system or a HALON discharge system, or it may be performed by people
using portable extinguishers, cooling the fire site with a stream of
water, by limiting the supply of oxygen with a blanket of foam or
powder, or by breaking the combustion chemical reaction chain.
When properly installed, maintained, and provided with an adequate
supply of water, automatic sprinkler systems are highly effective in
protecting buildings and their contents. Nonetheless, one often
hears uninformed persons speak of the water damage done by sprinkler
systems as a disadvantage. Fires that trigger sprinkler systems
cause the water damage. In short, sprinkler systems reduce fire
damage, protect the lives of building occupants, and limit the fire
damage to the building itself. All these factors contribute to more
rapid recovery of systems following a fire.
Halons have been identified as harmful to the Earth's protective
ozone layer. So, under an international agreement (known as the
Montreal Protocol), production of halons ended January 1, 1994. In
September 1992, the General Services Administration issued a
moratorium on halon use by federal agencies.
Each of these factors is important when estimating the occurrence
rate of fires and the amount of damage that will result. The
objective of a fire-safety program is to optimize these factors to
minimize the risk of fire.
Types of Building Construction
There are four basic kinds of building construction: (a) light
frame, (b) heavy timber, (c) incombustible, and (d) fire resistant.
Note that the term fireproof is not used because no structure can
resist a fire indefinitely. Most houses are light frame, and cannot
survive more than about thirty minutes in a fire. Heavy timber means
that the basic structural elements have a minimum thickness of four
inches. When such structures burn, the char that forms tends to
insulate the interior of the timber and the structure may survive
for an hour or more depending on the details. Incombustible means
that the structure members will not burn. This almost always means
that the members are steel. Note, however, that steel loses its
strength at high temperatures, at which point the structure
collapses. Fire resistant means that the structural members are
incombustible and are insulated. Typically, the insulation is either
concrete that encases steel members, or is a mineral wool that is
sprayed onto the members. Of course, the heavier the insulation, the
longer the structure will resist a fire.
Note that a building constructed of reinforced concrete can still be
destroyed in a fire if there is sufficient fuel present and fire
fighting is ineffective. The prolonged heat of a fire can cause
differential expansion of the concrete, which causes spalling.
Portions of the concrete split off, exposing the reinforcing, and
the interior of the concrete is subject to additional spalling.
Furthermore, as heated floor slabs expand outward, they deform
supporting columns. Thus, a reinforced concrete parking garage with
open exterior walls and a relatively low fire load has a low fire
risk, but a similar archival record storage facility with closed
exterior walls and a high fire load has a higher risk even though
the basic building material is incombustible.