FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- Leaking cloud buckets - How to protect your information in the
cloud - Imagine you're an IT executive responsible for the
safekeeping of tens of millions of customer data records. You're
storing this data in the cloud because it's unsustainable to
maintain it in your own data center. But, just now, you received an
email from hackers stating they have gained control of your cloud
data and are demanding a hefty ransom to give it back. What do you
do?
https://www.scmagazine.com/leaking-cloud-buckets--how-to-protect-your-information-in-the-cloud/article/749931/
NIST targets APTs with resilience strategies - From the Office of
Personnel Management data breach to the Russian hacking of the 2016
elections, cyberattacks from hostile nation-states, criminal and
terrorist groups and rogue individuals are becoming more frequent.
https://gcn.com/articles/2018/03/21/nist-cyber-resilience-apt.aspx
The Debate is Over: Artificial Intelligence is the Future for
Cybersecurity - Last week, Google's parent company, Alphabet,
announced the launch of Chronicle – an artificial intelligence-based
solution for the cybersecurity industry – promising “the power to
fight cyber crime on a global scale.”
https://www.scmagazine.com/the-debate-is-over-artificial-intelligence-is-the-future-for-cybersecurity/article/749603/
Hackers exploit old flaw to turn Linux servers into cryptocurrency
miners - The malicious actors who installed and ran a cryptocurrency
mining operation on hacked Tesla AWS servers and Jenkins servers are
now targeting servers running Linux and have so far generated more
than $74,000 in Monero.
https://www.scmagazine.com/hackers-exploit-old-flaw-to-turn-linux-servers-into-cryptocurrency-miners/article/753144/
SC Media calls for Women in Security recommendations - As the world
celebrated International Women's Day this week, SC Media kicked off
its annual search for women who have made notable contributions to
the cybersecurity community over the past year.
https://www.scmagazine.com/sc-media-calls-for-women-in-security-recommendations/article/750091/
San Diego is suing Experian over data breach - The city of San Diego
is suing Experian over the data breach that compromised millions of
records including those of 250,000 people in San Diego.
https://www.scmagazine.com/san-diego-city-attorney-mara-elliott-filed-a-lawsuit-against-experian-claiming-the-firm-failed-to-notify-citizens-of-the-breach/article/753111/
US mulls drafting gray-haired hackers during times of crisis -
Shortage of tech talent has government pondering end to age, gender
restrictions - A US government commission has asked the public for
its thoughts on possible changes to the military's selective service
rules to allow the conscription of technical talent, including those
with computer-oriented skills, regardless of sex or age.
http://www.theregister.co.uk/2018/03/21/uncle_sam_mulls_drafting_grayhaired_hackers_during_times_of_crisis/
Security industry reacts to UK police cyber-crime budget revelations
- As UK police forces are revealed to have spent just £1.3 million
on cyber-crime training in the last three years, security industry
response is damning.
https://www.scmagazine.com/security-industry-reacts-to-uk-police-cyber-crime-budget-revelations/article/753254/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Atlanta computer systems under siege in possible ransomware attack
- A ransomware attack possibly bearing the markings of SamSam may be
responsible for outages in the City of Atlanta's computer systems.
https://www.scmagazine.com/atlanta-computer-systems-under-siege-in-possible-ransomware-attack/article/753123/
Criminal behind $1 billion cyber bank robberies arrested in Spain -
The leader of the crime gang behind the Carbanak and Cobalt malware
attacks targeting more than 100 financial institutions worldwide has
been arrested in Alicante, Spain.
https://www.scmagazine.com/criminal-behind-1-billion-cyber-bank-robberies-arrested-in-spain/article/753598/
Vanderbilt University researcher claims breaches linked to patient
deaths - A Vanderbilt University researcher is claiming more than
2,100 patient deaths are linked to hospital data breaches each year.
https://www.scmagazine.com/sung-choi-of-the-universitys-owen-graduate-school-of-management-said-data-breaches-trigger-a-decline-in-customer-care/article/753772/
Fancy Bear suspected in United Kingdom's Anti-Doping Agency
cyberattack - Fancy Bear hackers are suspected of launching a foiled
cyber-attack on the U.K.'s Anti-Doping Agency.
https://www.scmagazine.com/ukad-said-it-believes-its-systems-are-robust-with-appropriate-levels-of-cybersecurity/article/754115/
Boeing hit and recovering from possible WannaCry attack - Aerospace
manufacturer Boeing is reporting that the company has mitigated what
may have been a small outbreak of WannaCry ransomware that hit one
of its manufacturing facilities on March 28.
https://www.scmagazine.com/boeing-hit-and-recovering-from-possible-wannacry-attack/article/754599/
Unsecured N.Y. medical practice server exposes 42,000 records - A
Long Island, N.Y., medical practice left an exposed port normally
used for remote synchronization open exposing at least 42,000
medical records.
https://www.scmagazine.com/unsecured-ny-medical-practice-server-exposes-42000-records/article/754284/
Grindr flaws spill personal info on users, reveals locations -
Security flaws in Grindr can expose the personal information and
location of its three million or so users.
https://www.scmagazine.com/grindr-flaws-spill-personal-info-on-users-reveals-locations/article/754486/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous
webpage disclosures to explain their limited role and responsibility
with respect to products and services offered through linked
third-party websites. The level of detail of the disclosure and its
prominence should be appropriate to the harm that may ensue from
customer confusion inherent in a particular link. The institution
might post a disclosure stating it does not provide, and is not
responsible for, the product, service, or overall website content
available at a third-party site. It might also advise the customer
that its privacy policies do not apply to linked websites and that a
viewer should consult the privacy disclosures on that site for
further information. The conspicuous display of the disclosure,
including its placement on the appropriate webpage, by effective use
of size, color, and graphic treatment, will help ensure that the
information is noticeable to customers. For example, if a financial
institution places an otherwise conspicuous disclosure at the bottom
of its webpage (requiring a customer to scroll down to read it),
prominent visual cues that emphasize the information's importance
should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java
or ActiveX, when the customer clicks on a particular hyperlink.
Mobile code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
customer.
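A speedbump is a page the institution's own web server returns in place of the third-party destination, so no client-side pop-up blocker can suppress it. The following Python sketch is an added example, not part of the FFIEC statement or any institution's code; the bank name, the link ids and the destination URLs are constructed. It honours only registered link ids rather than a caller-supplied destination URL, which keeps the exit page from doubling as an open redirect.

```python
"""Server-side "speedbump" (interstitial exit page) for third-party weblinks.

Added example, not part of the FFIEC statement.  Assumptions (constructed):
the institution registers each approved third-party link under a short
link id, and the exit page is reached as /exit?link=<id>.  Only registered
ids are honoured, so a request such as /exit?url=https://attacker.example
is rejected instead of being used as a redirect target.
"""
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: link id -> (display name, destination URL).
APPROVED_LINKS = {
    "insurance": ("Example Insurance Partners", "https://insurance.example.net/quote"),
    "rewards": ("Example Rewards Program", "https://rewards.example.org/"),
}

DISCLAIMER = (
    "You are leaving the Example Bank website. Example Bank does not provide, "
    "and is not responsible for, the products, services, or content of the "
    "linked third-party site. Our privacy policy does not apply there; "
    "consult the third party's privacy disclosures."
)


def resolve_exit_link(query_string: str):
    """Return (status, entry) for an /exit request.

    200 -> render the speedbump for the registered destination
    400 -> unknown or missing link id (never redirect to caller-supplied URLs)
    """
    params = parse_qs(query_string)
    link_id = params.get("link", [""])[0]
    entry = APPROVED_LINKS.get(link_id)
    if entry is None:
        return 400, None
    return 200, entry


def render_speedbump(name: str, destination: str) -> str:
    """Build the interstitial page.  The destination came from the allow-list,
    not from the request, and is still HTML-escaped before being placed in
    the href attribute."""
    return (
        "<!doctype html><html><body>"
        f"<h1>Leaving Example Bank</h1><p>{escape(DISCLAIMER)}</p>"
        f'<p><a href="{escape(destination)}" rel="noopener noreferrer">'
        f"Continue to {escape(name)}</a></p>"
        '<p><a href="/">Return to Example Bank</a></p>'
        "</body></html>"
    )


class SpeedbumpHandler(BaseHTTPRequestHandler):
    """Minimal handler: GET /exit?link=<id> serves the speedbump."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/exit":
            self.send_error(404)
            return
        status, entry = resolve_exit_link(parts.query)
        if status != 200:
            self.send_error(400, "Unknown link")
            return
        body = render_speedbump(*entry).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run locally and visit http://127.0.0.1:8080/exit?link=insurance
    HTTPServer(("127.0.0.1", 8080), SpeedbumpHandler).serve_forever()
```

The institution's own pages then link to /exit?link=insurance rather than to the partner directly, so every departure passes through the disclosure and the set of reachable third-party sites is exactly the registered list.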
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Data Transmission and
Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
context.
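To make the distinction concrete, the following Python simulation is an added example, not from the FDIC paper: a screening-router style filter that judges each packet on its own header fields, beside a stateful filter that keeps a connection table. The packet trace, the addresses and the rule intent are constructed. The forged inbound ACK in the trace is what "addresses and applications can be easily falsified" means in practice: the stateless filter accepts it because it looks like a reply, while the stateful filter rejects it because no inside host opened that connection.

```python
"""Packet filter versus stateful inspection, on a constructed packet trace.

Added example, not from the FDIC paper.  The packets, the internal network
10.0.0.0/8 and the rule set are constructed for the demonstration.  Both
filters implement the same intent: inside hosts may open TCP connections
out; nothing from outside may open connections in.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

INSIDE = ip_network("10.0.0.0/8")


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool      # connection-opening flag
    ack: bool
    inbound: bool  # arriving on the external (Internet) interface


def stateless_filter(pkt: Packet) -> bool:
    """Screening-router style: decide on this packet's headers only."""
    src_inside = ip_address(pkt.src) in INSIDE
    dst_inside = ip_address(pkt.dst) in INSIDE
    if not pkt.inbound:
        return src_inside      # inside hosts may talk out
    if src_inside:
        return False           # anti-spoofing: inside address arriving from outside
    # "Established" heuristic: ACK set is taken to mean a reply to traffic we
    # sent.  The filter has no memory, so a forged ACK passes this test.
    return pkt.ack and dst_inside


class StatefulFilter:
    """Keeps a connection table; inbound packets must match a known flow."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if ip_address(pkt.src) not in INSIDE:
                return False   # spoofed source on the inside interface
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: permitted only as the reverse direction of a recorded flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_trace(trace):
    """Return (stateless_verdict, stateful_verdict) per packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.decide(p)) for p in trace]


# Constructed trace: a legitimate outbound HTTPS session (packets 1-2), an
# outsider forging an ACK at an inside host that never opened a connection
# (packet 3), and a packet claiming an inside source while arriving from
# outside (packet 4).
TRACE = [
    Packet("10.1.1.5", "203.0.113.9", 40000, 443, syn=True, ack=False, inbound=False),
    Packet("203.0.113.9", "10.1.1.5", 443, 40000, syn=True, ack=True, inbound=True),
    Packet("198.51.100.7", "10.1.1.6", 443, 51515, syn=False, ack=True, inbound=True),
    Packet("10.1.1.9", "10.1.1.5", 1234, 22, syn=False, ack=True, inbound=True),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={'permit' if stateless else 'deny'} "
              f"stateful={'permit' if stateful else 'deny'}")
```

Packet 3 is the interesting row: both filters see the same headers, but only the one with a connection history can tell that the "reply" answers nothing. Real stateful firewalls also age flows out and track sequence numbers; the table here is deliberately the minimum needed to show the difference.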
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.5 Plumbing Leaks
While plumbing leaks do not occur every day, they can be seriously
disruptive. The building's plumbing drawings can help locate
plumbing lines that might endanger system hardware. These lines
include hot and cold water, chilled water supply and return lines,
steam lines, automatic sprinkler lines, fire hose standpipes, and
drains. If a building includes a laboratory or manufacturing spaces,
there may be other lines that conduct water, corrosive or toxic
chemicals, or gases.
As a rule, analysis often shows that the cost to relocate
threatening lines is difficult to justify. However, the location of
shutoff valves and procedures that should be followed in the event
of a failure must be specified. Operating and security personnel
should have this information immediately available for use in an
emergency. In some cases, it may be possible to relocate system
hardware, particularly distributed LAN hardware.
15.6 Interception of Data
Depending on the type of data a system processes, there may be a
significant risk if the data is intercepted. There are three routes
of data interception: direct observation, interception of data
transmission, and electromagnetic interception.
Direct Observation. System terminal and workstation display
screens may be observed by unauthorized persons. In most cases, it
is relatively easy to relocate the display to eliminate the
exposure.
Interception of Data Transmissions. If an interceptor can
gain access to data transmission lines, it may be feasible to tap
into the lines and read the data being transmitted. Network
monitoring tools can be used to capture data packets. Of course, the
interceptor cannot control what is transmitted, and so may not be
able to immediately observe data of interest. However, over a period
of time there may be a serious level of disclosure. Local area
networks typically broadcast messages. Consequently, all traffic,
including passwords, could be retrieved. Interceptors could also
transmit spurious data on tapped lines, either for purposes of
disruption or for fraud.
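As an added example, not from the NIST handbook, the following Python detector scans a constructed capture of TCP segments, standing in for what a network monitoring tool on a shared segment would record, and reports credentials sent in the clear by FTP logins and HTTP Basic authentication. The TLS segment in the capture yields nothing, which is why encrypting the transmission, rather than only relocating the lines, is the durable answer to this risk.

```python
"""Detecting cleartext credentials in captured traffic.

Added example, not from the NIST handbook.  CAPTURE is a constructed list of
TCP segments (source, destination, destination port, payload) standing in
for what a network monitoring tool on a shared segment would record.
"""
import base64
import re
from typing import List, NamedTuple, Tuple


class Segment(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


# FTP sends the login as two plain commands; HTTP Basic sends base64, which
# is an encoding, not encryption, so the password is recoverable as-is.
FTP_LOGIN = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.MULTILINE)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$",
                        re.MULTILINE | re.IGNORECASE)


def find_cleartext_credentials(capture: List[Segment]) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, kind, value) for every credential visible in the clear."""
    findings = []
    for seg in capture:
        for cmd, value in FTP_LOGIN.findall(seg.payload):
            findings.append((seg.src, seg.dst, cmd.decode(), value.decode()))
        for token in HTTP_BASIC.findall(seg.payload):
            try:
                decoded = base64.b64decode(token, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # malformed header, not a usable credential
            findings.append((seg.src, seg.dst, "BASIC", decoded))
    return findings


# Constructed capture: an FTP login, an HTTP request carrying Basic auth,
# and the first bytes of a TLS ClientHello (encrypted session; nothing to
# recover from the payload).
CAPTURE = [
    Segment("10.1.1.5", "10.1.1.20", 21, b"USER alice\r\n"),
    Segment("10.1.1.5", "10.1.1.20", 21, b"PASS hunter2\r\n"),
    Segment("10.1.1.7", "10.1.1.30", 80,
            b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
            + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    Segment("10.1.1.8", "10.1.1.40", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for src, dst, kind, value in find_cleartext_credentials(CAPTURE):
        print(f"{src} -> {dst}: {kind} {value}")
```

Run against a real capture this is a quick inventory of which internal services still carry credentials unencrypted; each hit is a line the handbook's "tap into the lines" interceptor would read just as easily.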
Electromagnetic Interception. Systems routinely radiate
electromagnetic energy that can be detected with special-purpose
radio receivers. Successful interception will depend on the signal
strength at the receiver location; the greater the separation
between the system and the receiver, the lower the success rate.
TEMPEST shielding, of either equipment or rooms, can be used to
minimize the spread of electromagnetic signals. The signal-to-noise
ratio at the receiver, determined in part by the number of competing
emitters will also affect the success rate. The more workstations of
the same type in the same location performing "random" activity, the
more difficult it is to intercept a given workstation's radiation.
On the other hand, the trend toward wireless (i.e., deliberate
radiation) LAN connections may increase the likelihood of successful
interception.