FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear
Another Try. - In August, a petrochemical company with a plant in
Saudi Arabia was hit by a new kind of cyberassault. The attack was
not designed to simply destroy data or shut down the plant,
investigators believe. It was meant to sabotage the firm’s
operations and trigger an explosion.
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
US Power Company Fined $2.7M for Failing to Comply with Energy
Industry Cyber Standards - A US-based power company has agreed to
pay a $2.7 million penalty after inadvertently exposing sensitive
data online and violating energy industry cybersecurity standards.
https://www.tripwire.com/state-of-security/latest-security-news/us-power-company-fined-2-7m-failing-comply-energy-industry-cyber-standards/
A raft of flaws in AMD chips makes bad hacks much, much worse - AMD
says its Secure Processor is impenetrable. Instead, it can harbor
malware.
https://arstechnica.com/information-technology/2018/03/a-raft-of-flaws-in-amd-chips-make-bad-hacks-much-much-worse/
New York power companies can now charge Bitcoin miners more - With
few community benefits, power authorities are cracking down. On
Wednesday, the New York State Public Service Commission (PSC) ruled
that municipal power companies could charge higher electricity rates
to cryptocurrency miners who try to benefit from the state's
abundance of cheap hydroelectric power.
https://arstechnica.com/tech-policy/2018/03/new-york-power-companies-can-now-charge-bitcoin-miners-more/
U.S. nuclear power regulator urged to reject limits on cyber
protections - A science advocacy group urged the U.S. Nuclear
Regulatory Commission on Friday to reject a longstanding industry
request to limit cyber attack protections at nuclear plants, a day
after the Trump administration publicly blamed Moscow for hacking
into nuclear power and other energy infrastructure.
https://www.reuters.com/article/us-usa-cyber-nuclear/u-s-nuclear-power-regulator-urged-to-reject-limits-on-cyber-protections-idUSKCN1GS2NA
EU needs one set of vulnerability disclosure rules, says expert task
force - Cybersecurity researchers in the European Union need legal
certainty and consistent standards across its 28 member states if
they are to hunt for software vulnerabilities, according to a
blue-ribbon commission established by the Center for European Policy
Studies.
https://www.cyberscoop.com/eu-vulnerability-disclosure-rules-says-expert-task-force/
Government push for email authentication helps cut back on BEC
scams, study - Despite major investments in cybersecurity, email
fraud continues to rise as cybercriminals' tactics become more
advanced.
https://www.scmagazine.com/business-email-compromises-still-a-threat-with-email-fraud-on-the-rise-study/article/752474/
Phishing Madness? Ohio State University phishes students to teach
security - Although it couldn't manage to outscore Gonzaga in the
NCAA March Madness Tournament, Ohio State looked to up its
cybersecurity awareness game by phishing students.
https://www.scmagazine.com/ohio-state-university-phishes-students-to-teach-security/article/752223/
New ransomware Zenis will delete backup files even if victim pays -
A self-proclaimed “mischievous boy” who calls himself “ZENIS”
unleashed ransomware attacks that encrypt the files and then
purposely delete the backups.
https://www.scmagazine.com/new-ransomware-zenis-will-delete-backup-files-even-if-victim-pays/article/752763/
15-year-old finds vulnerability in Ledger cryptowallets - A
15-year-old security researcher discovered a serious flaw in Ledger
cryptocurrency wallets that would allow an attacker to siphon the
device's private key and drain a user's cryptocurrency account(s).
https://www.scmagazine.com/the-exploit-allows-an-attacker-to-bypass-security-checks-to-upload-their-own-malicious-code-in-order-to-steal-the-sensitive-data/article/752599/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Breaches expose 50,000 student and teacher records at Leon County
Schools; more districts likely affected - The records of roughly
50,000 students, parents, teachers and staff members from the Leon
County Schools (LCS) District in Tallahassee, Fla. were compromised
in two related breach incidents involving a third-party education
services provider.
https://www.scmagazine.com/breaches-expose-50000-student-and-teacher-records-at-leon-county-schools-more-districts-likely-affected/article/751424/
BJC Healthcare data breach, 33,000 affected - BJC HealthCare said a
data storage error potentially compromised 33,420 patient records
when the information was accidentally made publicly available for
nine months.
https://www.scmagazine.com/bjc-healthcare-data-breach-33000-affected/article/751419/
Open AWS S3 bucket managed by Walmart jewelry partner exposes info
on 1.3M customers - Personal information belonging to 1.3 million
customers of Walmart jewelry partner MBM Company has been exposed
because yet another Amazon S3 bucket was left open on the internet.
https://www.scmagazine.com/open-aws-s3-bucket-managed-by-walmart-jewelry-partner-exposes-info-on-13m-customers/article/751751/
Orbitz hit with data breach, info on 880,000 payment cards at risk -
The online travel company Orbitz has suffered a major data breach
possibly exposing the personal information associated with the
owners of up to 880,000 payment cards.
https://www.scmagazine.com/orbitz-hit-with-data-breach-info-on-880000-payment-cards-at-risk/article/752465/
Credential stuffing attack suspected after several UK National
Lottery accounts compromised - As many as 150 player accounts
registered with the UK's National Lottery were compromised, accessed
and potentially viewed by an unauthorized party, according to an
online statement from Camelot, the parent company that runs the
sweepstakes.
https://www.scmagazine.com/credential-stuffing-attack-suspected-after-several-uk-national-lottery-accounts-compromised/article/752394/
Davidson County (N.C.) back online following a ransomware attack -
Davidson County's computer network is once again fully operational
one month after getting hit with a ransomware attack that affected
the majority of the municipality's servers and computers.
https://www.scmagazine.com/davidson-county-nc-back-online-following-a-ransomware-attack/article/752590/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or services;
2) patent or trademark holders for infringement by the third
party; and
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for
terminating the link. Third parties, whether they provide services
directly to customers or are merely intermediaries, may enter into
bankruptcy, liquidation, or reorganization during the period of the
agreement. The quality of their products or services may decline, as
may the effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed
between two networks, through which all traffic, regardless of
direction, must pass. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
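The passage above describes four properties of a properly configured firewall: deny everything not expressly permitted, reject packets arriving from outside that claim an internal source address (anti-spoofing), treat traffic differently by direction (inbound FTP permitted, outbound FTP denied), and fail closed while logging every denied attempt for routine review. The following Python model is an added example, not code from the FDIC guidance or any firewall product; the address range, rule table and sample packets are constructed values chosen to exercise each of those properties.

```python
"""Added example (not from the FDIC guidance): a minimal packet-filter
model applying default-deny, anti-spoofing, direction-aware rules,
fail-closed behaviour and logging of denied traffic.
All addresses, ports and packets are constructed sample values."""
import ipaddress
import logging
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical internal address space protected by the firewall.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

log = logging.getLogger("firewall")


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    iface: str     # "external" (arriving from the Internet) or "internal"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    iface: str             # interface the packet arrives on, or "any"
    proto: str
    dport: Optional[int]   # None matches any destination port
    comment: str           # why the rule exists; reviewed with the rule base

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface == "any" or self.iface == pkt.iface)
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport))


# Only expressly permitted traffic is listed; everything else falls through
# to the default deny. Direction matters: inbound FTP to the DMZ server is
# permitted while outbound FTP from staff machines is denied.
RULES: List[Rule] = [
    Rule("permit", "external", "tcp", 21, "inbound FTP control to DMZ server"),
    Rule("permit", "external", "tcp", 443, "inbound HTTPS to web banking"),
    Rule("deny",   "internal", "tcp", 21, "outbound FTP not allowed"),
    Rule("permit", "internal", "tcp", 443, "staff web access"),
    Rule("permit", "internal", "udp", 53, "staff DNS"),
]


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: a packet arriving on the external interface must not
    claim an internal source address."""
    return pkt.iface == "external" and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; no matching rule means deny."""
    if is_spoofed(pkt):
        return "deny", "anti-spoof: external packet with internal source"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no rule expressly permits this traffic"


def filter_packet(pkt: Packet) -> bool:
    """Fail-closed wrapper: any error during evaluation (malformed address,
    broken rule) results in deny, and every deny is logged for review."""
    try:
        action, reason = decide(pkt)
    except Exception as exc:
        action, reason = "deny", f"fail-closed on error: {exc}"
    if action != "permit":
        log.warning("DENY %s -> %s:%d/%s on %s (%s)",
                    pkt.src, pkt.dst, pkt.dport, pkt.proto, pkt.iface, reason)
    return action == "permit"


# Constructed sample traffic covering each behaviour described in the text.
SAMPLE_PACKETS: List[Packet] = [
    Packet("198.51.100.7", "10.20.1.10", 443, "tcp", "external"),  # permitted HTTPS
    Packet("198.51.100.7", "10.20.1.20", 21, "tcp", "external"),   # permitted inbound FTP
    Packet("10.20.5.5", "198.51.100.9", 21, "tcp", "internal"),    # outbound FTP: denied
    Packet("10.20.1.10", "10.20.1.10", 443, "tcp", "external"),    # spoofed source: denied
    Packet("198.51.100.7", "10.20.1.10", 23, "tcp", "external"),   # telnet: default deny
    Packet("not-an-ip", "10.20.1.10", 443, "tcp", "external"),     # malformed: fail closed
]


def run_samples() -> List[bool]:
    """Apply the filter to the sample traffic; True means permitted."""
    return [filter_packet(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    for pkt, permitted in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{'PERMIT' if permitted else 'DENY  '} {pkt}")
```

The rule base is the part that needs the reassessment the text calls for: each `Rule` carries a comment stating the business need, so a reviewer can check after every system change whether that need still exists. The log lines produced on every deny are the raw material for the routine log review mentioned at the end of the passage.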
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.3 Failure of Supporting Utilities
Systems and the people who operate them need to have a reasonably
well-controlled operating environment. Consequently, failures of
heating and air-conditioning systems will usually cause a service
interruption and may damage hardware. These utilities are composed
of many elements, each of which must function properly.
For example, the typical air-conditioning system consists of (1)
air handlers that cool and humidify room air, (2) circulating pumps
that send chilled water to the air handlers, (3) chillers that
extract heat from the water, and (4) cooling towers that discharge
the heat to the outside air. Each of these elements has a
mean-time-between-failures (MTBF) and a mean-time-to-repair (MTTR).
Using the MTBF and MTTR values for each of the elements of a system,
one can estimate the occurrence rate of system failures and the
range of resulting service interruptions.
This same line of reasoning applies to electric power distribution,
heating plants, water, sewage, and other utilities required for
system operation or staff comfort. By identifying the failure modes
of each utility and estimating the MTBF and MTTR, necessary failure
threat parameters can be developed to calculate the resulting risk.
The risk of utility failure can be reduced by substituting units
with lower MTBF values. MTTR can be reduced by stocking spare parts
on site and training maintenance personnel. And the outages
resulting from a given MTBF can be reduced by installing redundant
units under the assumption that failures are distributed randomly in
time. Each of these strategies can be evaluated by comparing the
reduction in risk with the cost to achieve it.
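The handbook passage says that MTBF and MTTR for each element of a utility chain let one estimate the system failure rate and the range of service interruptions, and that reliability can be bought by more reliable units, spare parts and training (shorter MTTR), or redundant units. The Python below is an added worked example and is not part of the handbook; it carries those estimates through for the four-element air-conditioning chain named in the text. The MTBF and MTTR figures are constructed sample values, and the calculation takes MTBF as the mean time between failures of a unit, so a more reliable substitute unit is modelled as one with a longer MTBF. It assumes, as the text does, that failures are independent and randomly distributed in time.

```python
"""Added worked example, not text from the NIST Handbook: turning each
element's MTBF and MTTR into a system failure rate, an outage estimate and
a comparison of the three mitigation strategies the chapter lists.
Every MTBF/MTTR figure here is a constructed sample value."""
from typing import Dict, Optional, Tuple

HOURS_PER_YEAR = 8760.0
Table = Dict[str, Tuple[float, float]]   # element name -> (MTBF hours, MTTR hours)

# Constructed sample figures for the four cooling-system elements in the text.
ELEMENTS: Table = {
    "air handler":      (20000.0, 8.0),
    "circulating pump": (30000.0, 12.0),
    "chiller":          (10000.0, 48.0),
    "cooling tower":    (40000.0, 24.0),
}


def availability(mtbf: float, mttr: float) -> float:
    """Fraction of time a single unit is in service."""
    return mtbf / (mtbf + mttr)


def system_failure_rate(elements: Table) -> float:
    """Failures per hour for a chain in which any element failing interrupts
    service; with independent random failures the element rates 1/MTBF add."""
    return sum(1.0 / mtbf for mtbf, _ in elements.values())


def interruption_range(elements: Table) -> Tuple[float, float]:
    """Shortest and longest single-failure outage: the min and max MTTR."""
    mttrs = [mttr for _, mttr in elements.values()]
    return min(mttrs), max(mttrs)


def chain_availability(elements: Table,
                       redundancy: Optional[Dict[str, int]] = None) -> float:
    """Availability of the whole chain. An element with n redundant units is
    down only when all n are down at once, so its unavailability is
    (1 - A) ** n; the chain is up only when every element is up."""
    redundancy = redundancy or {}
    total = 1.0
    for name, (mtbf, mttr) in elements.items():
        n = redundancy.get(name, 1)
        total *= 1.0 - (1.0 - availability(mtbf, mttr)) ** n
    return total


def annual_outage_hours(elements: Table,
                        redundancy: Optional[Dict[str, int]] = None) -> float:
    """Expected hours per year the chain is out of service."""
    return (1.0 - chain_availability(elements, redundancy)) * HOURS_PER_YEAR


def compare_strategies(elements: Table = ELEMENTS) -> Dict[str, float]:
    """Expected outage hours per year for the baseline and for each strategy
    in the text, each applied to the element with the worst unavailability
    (the chiller in the sample data)."""
    worst = max(elements, key=lambda k: 1.0 - availability(*elements[k]))
    mtbf, mttr = elements[worst]
    more_reliable_unit = {**elements, worst: (mtbf * 2, mttr)}   # longer MTBF
    spares_and_training = {**elements, worst: (mtbf, mttr / 2)}  # MTTR halved
    return {
        "baseline": annual_outage_hours(elements),
        "substitute more reliable unit": annual_outage_hours(more_reliable_unit),
        "stock spares / train staff": annual_outage_hours(spares_and_training),
        "install redundant unit": annual_outage_hours(elements, {worst: 2}),
    }


if __name__ == "__main__":
    rate = system_failure_rate(ELEMENTS)
    print(f"expected chain failures per year: {rate * HOURS_PER_YEAR:.2f}")
    print("single-failure interruption range: %.0f to %.0f hours"
          % interruption_range(ELEMENTS))
    for strategy, hours in compare_strategies().items():
        print(f"{strategy:32s} {hours:7.2f} outage hours/year")
```

The last step the text describes, weighing each reduction in outage hours against its cost, is a business decision; the `compare_strategies` output gives the outage side of that comparison so the cost of a spare-parts inventory, a better chiller or a second unit can be set against hours of cooling lost per year.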
15.4 Structural Collapse
A building may be subjected to a load greater than it can support.
Most commonly this is a result of an earthquake, a snow load on the
roof beyond design criteria, an explosion that displaces or cuts
structural members, or a fire that weakens structural members. Even
if the structure is not completely demolished, the authorities may
decide to ban its further use, sometimes even banning entry to
remove materials. This threat applies primarily to high-rise
buildings and those with large interior spaces without supporting
columns.