FFIEC information technology audits -
As a former bank examiner with over 40 years of IT audit experience,
I will bring an examiner's perspective to the FFIEC information
technology audit for your bank in Texas, New Mexico, Colorado, and
Oklahoma. Please email R. Kinney Williams at examiner@yennik.com from
your bank's domain and I will email you information and fees.
FYI
- Five tips for managing remote workers during a pandemic - Is your
organization ready to securely support a wide range of remote
workers in the wake of a global pandemic?
https://www.scmagazine.com/home/opinion/executive-insight/five-tips-for-managing-remote-workers-during-a-pandemic/
Surveillance campaign against Libyans uses fake Johns Hopkins
COVID-19-tracking map - It's not just opportunistic,
financially-motivated criminals who are seizing on the novel
coronavirus pandemic to conduct cyberattacks. Operators of spyware
are also exploiting the health crisis to boost their surveillance
efforts.
https://www.cyberscoop.com/covid-19-spyware-libya-lookout-johns-hopkins-map/
France warns of new ransomware gang targeting local governments -
CERT France says some local governments have been infected with a
new version of the Pysa (Mespinoza) ransomware.
https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/
NIST asks for public comments on new cybersecurity risk management
document - The National Institute of Standards and Technology is
asking for public comments on a new report that provides insight
into how organizations can integrate cybersecurity into enterprise
risk management.
https://www.fifthdomain.com/civilian/2020/03/20/nist-asks-for-public-comments-on-new-cybersecurity-risk-management-document/
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286-draft.pdf
Free cybersecurity tools coming online to protect WFH staffers -
Several cybersecurity firms are going the extra mile to help
customers set up a safe environment for their telecommuting
workforce.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/free-cybersecurity-tools-coming-online-to-protect-wfh-staffers/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Five billion records exposed in open "data breach database" - More
than five billion records were exposed after a Keepnet Labs
Elasticsearch "data breach database" housing a trove of security
incidents from the last seven years was left unprotected.
https://www.scmagazine.com/home/security-news/database-security/five-billion-records-exposed-in-open-data-breach-database/
Rogers' vendor leaves database open - A third-party service provider
to Rogers Communications left open a database used for marketing
purposes, exposing customer PII.
https://www.scmagazine.com/home/security-news/data-breach/rogers-vendor-leaves-database-open/
https://www.bleepingcomputer.com/news/security/rogers-data-breach-exposed-customer-info-in-unsecured-database/
Food Delivery Website in Germany Targeted by DDoS Attackers -
Malicious individuals targeted a food delivery website located in
Germany with a distributed denial-of-service (DDoS) attack.
https://www.tripwire.com/state-of-security/security-data-protection/food-delivery-website-in-germany-targeted-by-ddos-attackers/
Maze ransomware attackers extort vaccine testing facility - The
cybercriminal gang behind Maze ransomware has been extorting a
UK-based clinical research organization that's been preparing to
play a potential role in testing vaccine candidates for the novel
coronavirus, despite assurances that they would not harm any health
care organizations during the COVID-19 crisis.
https://www.scmagazine.com/home/security-news/ransomware/maze-ransomware-attackers-extort-vaccine-testing-facility/
FSB contractor breach exposes secret cyber weapons program
leveraging IoT vulnerabilities - The hack of an FSB contractor has
exposed details of the Russian intelligence agency's cyber weapons
program aimed at exploiting vulnerabilities in IoT devices.
https://www.scmagazine.com/home/security-news/fsb-contractor-breach-exposes-secret-cyber-weapons-program-leveraging-iot-vulnerabilities/
COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted
Online - A medical facility on standby to help test any coronavirus
vaccine has been hit by a ransomware group that promised not to
target medical organizations.
https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/#156e1df18e55
South Carolina Fire Department Servers Disabled by Hacker - Staff at
the Bluffton Township Fire Department discovered they could not log
into their computers Sunday and alerted IT staff, who discovered
that records, files and email communications had been encrypted.
https://www.govtech.com/security/South-Carolina-Fire-Department-Servers-Disabled-by-Hacker.html
Security Breach Disrupts Fintech Firm Finastra - Finastra, a company
that provides a range of technology solutions to banks worldwide,
said today it was shutting down key systems in response to a
security breach discovered this morning.
https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/
Healthcare data breach: Medical device manufacturer discloses
phishing attack - A US-based manufacturer of medical devices for
diabetes patients has revealed that customer data was exposed during
a phishing attack that breached five employee email accounts in
January.
https://portswigger.net/daily-swig/healthcare-data-breach-medical-device-manufacturer-discloses-phishing-attack
Tupperware site hacked with credit card skimmer - Tupperware hasn't
yet put a lid on a targeted cyberattack that uses a credit card
skimmer to collect customer payment information at checkout on the
tupperware[.]com site and some of its local sites.
https://www.scmagazine.com/home/security-news/tupperware-site-hacked-with-credit-card-skimmer/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
- Determine adequacy of the service provider's standards, policies
and procedures relating to internal controls, facilities management
(e.g., access requirements, sharing of facilities, etc.), security
(e.g., systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency planning,
systems development and maintenance, and employee background checks.
- Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
- Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
- Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
- Evaluate the service provider's knowledge of regulations that
are relevant to the services it is providing (e.g., Regulation E,
privacy and other consumer protection regulations, Bank Secrecy
Act, etc.).
- Assess the adequacy of the service provider's insurance
coverage, including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
Financial Condition
- Analyze the service provider's most recent audited financial
statements and annual report as well as other indicators (e.g.,
publicly traded bond ratings), if available.
- Consider factors such as how long the service provider has
been in business and the service provider's market share for a
given service and how it has fluctuated.
- Consider the significance of the institution's proposed
contract on the service provider's financial condition.
- Evaluate technological expenditures. Is the service provider's
level of investment in technology consistent with supporting the
institution's activities? Does the service provider have the
financial resources to invest in and support the required
technology?
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an
effective method to transfer risks from themselves to insurance
carriers. Insurance coverage is increasingly available to cover
risks from security breaches or denial of service attacks. For
example, several insurance companies offer e-commerce insurance
packages that can reimburse financial institutions for losses from
fraud, privacy breaches, system downtime, or incident response. When
evaluating the need for insurance to cover information security
threats, financial institutions should understand the following
points:
- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic
environment for these factors.
- Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that
certain security practices are in place.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
5.2 Issue-Specific Policy
Whereas program policy is intended to address the broad
organization-wide computer security program, issue-specific policies
are developed to focus on areas of current relevance and concern
(and sometimes controversy) to an organization. Management may find
it appropriate, for example, to issue a policy on how the
organization will approach contingency planning (centralized vs.
decentralized) or the use of a particular methodology for managing
risk to systems. A policy could also be issued, for example, on the
appropriate use of a cutting-edge technology (whose security
vulnerabilities are still largely unknown) within the organization.
Issue-specific policies may also be appropriate when new issues
arise, such as when implementing a recently passed law requiring
additional protection of particular information. Program policy is
usually broad enough that it does not require much modification over
time, whereas issue-specific policies are likely to require more
frequent revision as changes in technology and related factors take
place.
In general, for issue-specific and system-specific policy, the
issuer is a senior official; the more global, controversial, or
resource-intensive, the more senior the issuer.
5.2.1 Example Topics for Issue-Specific Policy
Both new technologies and the appearance of new threats often
require the creation of issue-specific policies. There are
many areas for which issue-specific policy may be appropriate. Two
examples are explained below.
Internet Access. Many organizations are looking at the
Internet as a means for expanding their research opportunities and
communications. Unquestionably, connecting to the Internet yields
many benefits - and some disadvantages. Some issues an Internet
access policy may address include who will have access, which types
of systems may be connected to the network, what types of
information may be transmitted via the network, requirements for
user authentication for Internet-connected systems, and the use of
firewalls and secure gateways.
E-Mail Privacy. Users of computer e-mail systems have come
to rely upon that service for informal communication with colleagues
and others. However, since the system is typically owned by the
employing organization, from time to time management may wish to
monitor employees' e-mail for various reasons (e.g., to be sure
that it is used for business purposes only, or if they are suspected
of distributing viruses, sending offensive e-mail, or disclosing
organizational secrets). On the other hand, users may have an
expectation of privacy, similar to that accorded U.S. mail. Policy
in this area addresses what level of privacy will be accorded e-mail
and the circumstances under which it may or may not be read.
Other potential candidates for issue-specific policies include:
approach to risk management and contingency planning, protection of
confidential/proprietary information, unauthorized software,
acquisition of software, doing computer work at home, bringing in
disks from outside the workplace, access to other employees' files,
encryption of files and e-mail, rights of privacy, responsibility
for correctness of data, suspected malicious code, and physical
emergencies.