FFIEC information technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI -
Technology Service Provider Contracts - The attached document
describes examiner observations about gaps in financial
institutions' contracts with technology service providers that may
require financial institutions to take additional steps to manage
their own business continuity and incident response.
www.fdic.gov/news/news/financial/2019/fil19019.html
GAO takes Fiscal Services to task over new and old cyber problems
- The General Accounting Office (GAO) criticized the Bureau of the
Fiscal Service, which is part of the U.S. Department of the
Treasury, over new and old cybersecurity problems in a new audit.
https://www.scmagazine.com/home/government/gao-takes-fiscal-services-to-task-over-new-and-old-cyber-problems/
Michigan medical practice folds after ransomware attack - A Battle
Creek, Mich. medical practice is being forced to shut its doors
after cyberattackers wiped out its files when the firm refused to
pay a ransom.
https://www.scmagazine.com/home/security-news/ransomware/michigan-medical-practice-folds-after-ransomware-attack/
Insurer refuses payout to DLA Piper over NotPetya cyberattack -
Multinational law firm DLA Piper was hit in the crossfire of a
Russia-backed ransomware attack which wiped out systems and cost the
firm 15,000 hours of extra overtime for its IT staff.
http://www.scmagazine.com/home/security-news/cybercrime/multinational-law-firm-dla-piper-was-hit-in-the-crossfire-of-a-russia-back-ransomware-attack-which-wiped-out-systems-and-costs-the-firm-15000-hours-of-extra-overtime-for-its-it-staff/
When a Phone App Opens Your Apartment Door, but You Just Want a Key
- The third floor of the warehouse on West 45th Street in Manhattan
was a sprawl of rotting wood when the two artists first arrived.
https://www.nytimes.com/2019/03/23/nyregion/keyless-apartment-entry-nyc.html
Insurance Companies collaborate to offer cybersecurity ratings - In
a collaborative effort, some of the world’s largest insurers have
set out to create a consumer ratings service for the cybersecurity
industry.
https://www.scmagazine.com/home/security-news/cybercrime/a-collaborative-effort-by-some-of-the-worlds-largest-insurers-has-set-out-to-create-a-consumer-ratings-service-for-the-cybersecurity-industry/
World Backup Day: Data loss underscores need to backup - The steady
stream of reports of schools, towns and companies being hit with
ransomware and having to either pay their attackers for access to
the encrypted content or spend months recovering because the data
involved was not backed up makes World Backup Day more important
than ever.
https://www.scmagazine.com/home/security-news/world-backup-day-data-loss-underscores-need-to-backup/
Calling all women… Women are doing incredible, innovative things
throughout the cybersecurity industry. As part of our continuing
celebration of these successes, SC Media once again is kicking off
its annual search for those women who have made notable
contributions to the cybersecurity community over the past year and
we would like you to help us.
https://www.scmagazine.com/home/security-news/calling-all-women/
Office Depot, Support.com to pay $35M in restitution over tech scam
- Office Depot and Support.com will pay $35 million to settle a
legal action brought by the Federal Trade Commission (FTC) that
alleged the two companies tricked customers into buying repair and
technical services by saying malware was found on their computer.
https://www.scmagazine.com/home/security-news/legal-security-news/office-depot-support-com-to-pay-35m-in-restitution-over-tech-scam/
Empowering Regulators Could Stop the Next Equifax Breach, Watchdog
Says - Giving the regulatory agencies more power to punish companies
after breaches could make industry invest more in cybersecurity,
according to the Government Accountability Office.
https://www.nextgov.com/analytics-data/2019/03/empowering-regulators-could-stop-next-equifax-breach-watchdog-says/155842/
Air Force’s New Fast-Track Process Can Grant Cybersecurity
Authorizations In One Week - The process is a mix of quick but
comprehensive testing up front followed by continuous monitoring
through the life of the app.
https://www.nextgov.com/cybersecurity/2019/03/air-forces-new-fast-track-process-can-grant-cybersecurity-authorizations-one-week/155860/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - South Korean websites hit with rare waterhole phishing scheme -
Security researchers have come across a waterholing campaign that
has compromised four South Korean websites by injecting fake login
forms to steal user credentials.
https://www.scmagazine.com/home/security-news/phishing/south-korean-websites-hit-with-rare-waterhole-phishing-scheme/
Toyota reports second breach in five weeks - For the second time in
five weeks, Toyota has acknowledged a breach – this one affecting
3.1 million customers at its subsidiaries while the first was in
Australia and believed to be the work of Ocean Lotus, or APT32.
https://www.scmagazine.com/home/security-news/toyota-reports-second-breach-in-five-weeks/
Albany, N.Y. hit with ransomware attack - Albany, New York was hit
with a ransomware attack on March 30 that has shut down an
undetermined number of city services.
https://www.scmagazine.com/home/security-news/ransomware/albany-n-y-hit-with-ransomware-attack/
2M credit cards exposed in Buca di Beppo, Earl of Sandwich, Planet
Hollywood parent company breach - A point-of-sale data breach
allegedly discovered a month ago and just now admitted, exposed two
million credit cards belonging to diners of Earl Enterprises
restaurants.
https://www.scmagazine.com/home/security-news/data-breach/2m-credit-cards-exposed-in-buca-di-beppo-earl-of-sandwich-planet-hollywood-parent-company-breach/
Saudis hacked Jeff Bezos’s personal data, probe finds - Saudi
Arabia’s government gleaned private information from Amazon CEO Jeff
Bezos’s phone, security consultant Gavin de Becker said his
investigation into how texts and intimate photos from Bezos’s phone
made their way to the National Enquirer discovered.
https://www.scmagazine.com/home/security-news/saudis-hacked-jeff-bezoss-personal-data-probe-finds/
Virus Attacks Spain's Defence Intranet, Foreign State
Suspected: Paper - A computer virus infected the Spanish Defence
Ministry's intranet this month with the aim of stealing high tech
military secrets, El País newspaper said on Tuesday, citing sources
leading the investigation as suspecting a foreign power behind the
cyberattack.
https://www.nytimes.com/reuters/2019/03/26/technology/26reuters-spain-security-cybertattack.html
Several major airlines grounded planes Monday morning across U.S.
because of software problem - Several major airlines nationwide
grounded their planes Monday morning because of a software outage.
https://www.washingtonpost.com/transportation/2019/04/01/southwest-airlines-grounds-planes-across-country/?noredirect=on&utm_term=.87806559606c
Arizona Beverages ransomware attack exacerbated by unpatched
servers, poorly configured back-up system - Arizona Beverages, quick
to the grocer’s shelf with its ubiquitous iced teas, has been slow
to get much of its network running again after it discovered its
backup system wasn’t properly configured to restore its systems in
the wake of a targeted ransomware attack and was forced to spend a
pretty penny to bring in outside help.
https://www.scmagazine.com/home/security-news/ransomware/arizona-beverages-ransomware-attack-exacerbated-by-unpatched-servers-poorly-configured-back-up-system/
Georgia Tech stung with 1.3 million-person data breach - Georgia
Tech is reporting that it suffered a data breach when a Georgia
Institute of Technology web app exposed the information on 1.3
million current and former students, student applicants along with
staff members.
https://www.scmagazine.com/home/security-news/data-breach/georgia-tech-stung-with-1-3-million-person-data-breach/
540M Facebook member records exposed by an unsecured AWS S3 bucket -
Upguard is reporting it found more than 540 million records from two
Facebook app providers on two unprotected Amazon S3 buckets.
https://www.scmagazine.com/home/security-news/data-breach/540m-facebook-member-records-exposed-by-an-unsecure-aws-s3-bucket/
Freshmen hack high school WiFi to avoid a test - Two Secaucus, N.J.,
high school freshmen have been accused of knocking their school’s
WiFi system offline, possibly using a malware-as-a-service deal to
do so.
https://www.scmagazine.com/home/security-news/mobile-security/freshmen-hack-high-school-wifi-to-avoid-a-test/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose considerable challenges to traditional risk management
processes:
1) Major elements of the delivery channel (the Internet and
related technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
management.
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance-to-plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
e-banking initiatives.
In addition, the Board and senior management should ensure that
the bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Name System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP associated with anybank.com. Once the IP is
obtained, the message is sent. Although the example depicts an
external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering the IP address and port
information contained in the message header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access configuration table, which creates a filtering router or a
basic firewall.
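The "access configuration table" described above can be modelled as an ordered list of rules, each naming an action, a source network, a destination network and an optional destination port, with first-match semantics and an implicit deny for packets that match nothing. The following is an added example, not code from the FFIEC booklet: the rule syntax, the addresses (10.0.1.10, 10.0.2.0/24, 192.168.50.0/24, the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the sample packets are all constructed for illustration.

```python
"""Added example (not from the FFIEC booklet): a minimal filtering router.

The access configuration table is an ordered list of rules. Each rule names an
action (permit/deny), a source network, a destination network and an optional
destination port. Rules are evaluated in order, the first match wins, and a
packet matching no rule is denied (implicit deny). Addresses, ports and packets
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: Network                # source network the rule applies to
    dst: Network                # destination network
    dst_port: Optional[int]     # None means "any port"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_rule(line: str) -> Rule:
    """Parse one table line, e.g. 'permit 203.0.113.0/24 10.0.1.10/32 443'."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"malformed rule: {line!r}")
    action, src, dst = parts[0].lower(), parts[1], parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    port = int(parts[3]) if len(parts) == 4 and parts[3] != "any" else None
    return Rule(action, ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False), port)


def load_table(text: str) -> List[Rule]:
    """Build the ordered table, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def decide(table: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); no match -> ('deny', None)."""
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    for i, rule in enumerate(table):
        if src in rule.src and dst in rule.dst and rule.dst_port in (None, pkt.dst_port):
            return rule.action, i
    return "deny", None


# Constructed policy: the public web front end (hypothetical 10.0.1.10) may be
# reached on 443 from anywhere; the core hosts (10.0.2.0/24) only from the branch
# LAN 192.168.50.0/24; a blocklisted source range is dropped before anything else.
SAMPLE_TABLE = """
deny   198.51.100.0/24 0.0.0.0/0            # blocklisted source range
permit 0.0.0.0/0       10.0.1.10/32 443     # public HTTPS front end
permit 192.168.50.0/24 10.0.2.0/24          # branch LAN to core hosts, any port
# everything else falls through to the implicit deny
"""

SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.1.10", 443),    # Internet user to web front end
    Packet("203.0.113.7", "10.0.1.10", 22),     # same user, SSH: not permitted
    Packet("192.168.50.12", "10.0.2.5", 1521),  # branch to core database host
    Packet("198.51.100.9", "10.0.1.10", 443),   # blocklisted source, even on 443
    Packet("203.0.113.7", "10.0.2.5", 443),     # Internet to core host: implicit deny
]


def filter_packets(table_text: str = SAMPLE_TABLE, packets=SAMPLE_PACKETS) -> List[str]:
    """Run every sample packet through the table and return the decisions."""
    table = load_table(table_text)
    return [decide(table, p)[0] for p in packets]


if __name__ == "__main__":
    table = load_table(SAMPLE_TABLE)
    for p in SAMPLE_PACKETS:
        action, idx = decide(table, p)
        why = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{p.src_ip:>14} -> {p.dst_ip}:{p.dst_port:<5} {action:<6} ({why})")
```

Rule order matters: the blocklist rule is placed first so that it wins even for traffic that a later, broader permit would accept, and the implicit deny at the end is what makes the table a whitelist rather than a blacklist. When reviewing a real router's configuration, an examiner would look for exactly these two properties.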
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the network address for each message and directs the message to
the appropriate computer. Unlike routers, switches do not support
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefits from that design can be defeated and traffic through a
switch can be sniffed.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.3.6 Complying with Export Rules
The US government controls the
export of cryptographic implementations. The rules governing export
can be quite complex, since they consider multiple factors. In
addition, cryptography is a rapidly changing field, and rules may
change from time to time. Questions concerning the export of a
particular implementation should be addressed to appropriate legal
counsel.
19.4 Interdependencies
There are many interdependencies
among cryptography and other security controls highlighted in this
handbook. Cryptography both depends on other security safeguards and
assists in providing them.
Physical Security. Physical
protection of a cryptographic module is required to prevent, or at
least detect, physical replacement or modification of the
cryptographic system and the keys within it. In many environments
(e.g., open offices, portable computers), the cryptographic module
itself has to provide the desired levels of physical security. In
other environments (e.g., closed communications facilities,
steel-encased Cash-Issuing Terminals), a cryptographic module may be
safely employed within a secured facility.
User Authentication.
Cryptography can be used both to protect passwords that are stored
in computer systems and to protect passwords that are communicated
between computers. Furthermore, cryptographic-based authentication
techniques may be used in conjunction with, or in place of,
password-based techniques to provide stronger authentication of
users.
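The first use named above, protecting passwords that are stored in computer systems, is illustrated by the following added example; it is not code from the NIST Handbook. The system keeps a random salt and a slow PBKDF2-HMAC-SHA256 digest instead of the password, and verification recomputes the digest from the stored parameters and compares it in constant time. The user names, passwords and the record format are constructed for the example.

```python
"""Added example (not from the NIST Handbook): protecting stored passwords
with a salted, slow hash.

The system never stores the password itself. It stores a random salt and a
PBKDF2-HMAC-SHA256 digest; verification recomputes the digest from the stored
parameters and compares it in constant time. User names, passwords and the
record layout below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16


def make_record(password: str, *, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False          # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


# Verified against when the user does not exist, so an attempt for an unknown
# name costs the same time as a wrong password for a known one.
_DUMMY_RECORD = make_record("not-a-real-password")


def build_store(iterations: int = ITERATIONS) -> Dict[str, str]:
    """Constructed credential store: what is kept instead of cleartext passwords."""
    return {
        "alice": make_record("correct horse battery staple", iterations=iterations),
        "bob": make_record("hunter2", iterations=iterations),
    }


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate a user against the store without ever handling a stored password."""
    record = store.get(user)
    if record is None:
        verify(password, _DUMMY_RECORD)
        return False
    return verify(password, record)


if __name__ == "__main__":
    store = build_store()
    print(store["alice"][:40] + "...")
    print(login(store, "alice", "correct horse battery staple"))   # True
    print(login(store, "alice", "Correct Horse Battery Staple"))   # False
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating existing records: old records keep verifying with their own parameters and can be re-hashed at the user's next successful login.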
Logical Access Control. In
many cases, cryptographic software may be embedded within a host
system, and it may not be feasible to provide extensive physical
protection to the host system. In these cases, logical access
control may provide a means of isolating the cryptographic software
from other parts of the host system and for protecting the
cryptographic software from tampering and the keys from replacement
or disclosure. The use of such controls should provide the
equivalent of physical protection.
Audit Trails. Cryptography
may play a useful role in audit trails. For example, audit records
may need to be signed. Cryptography may also be needed to protect
audit records stored on computer systems from disclosure or
modification. Audit trails are also used to help support electronic
signatures.
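An added example of the audit-trail use just described, not code from the NIST Handbook: each record carries the hash of the previous record and an HMAC computed with a key that the logging host holds but ordinary users do not. Re-deriving every link and tag detects a modified, deleted or reordered record, and a record re-hashed by someone without the key fails the HMAC check. The key, the events and the helper names are constructed for the example; a real deployment would keep the key in a cryptographic module or key-management service rather than in source.

```python
"""Added example (not from the NIST Handbook): a tamper-evident audit trail.

Each record links to the previous one by hash and is tagged with an HMAC under
a key that only the logging host holds. verify_chain() re-derives every link
and tag, so a record that was changed, deleted, inserted or reordered is
reported. The key and the events are constructed sample data.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

AUDIT_KEY = b"example-audit-hmac-key-do-not-reuse"   # constructed key for the example only
GENESIS = "0" * 64                                    # prev_hash of the first record


def _canonical(fields: Dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[Dict], event: Dict, key: bytes = AUDIT_KEY) -> Dict:
    """Append one event, chaining it to the previous record and tagging it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, "event": event}
    record_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    record = dict(body, hash=record_hash, mac=tag)
    log.append(record)
    return record


def verify_chain(log: List[Dict], key: bytes = AUDIT_KEY) -> Optional[int]:
    """Return None if the trail is intact, else the index of the first bad record."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev_hash") != prev_hash:
            return i   # record deleted, inserted or reordered
        body = {"seq": rec["seq"], "prev_hash": rec["prev_hash"], "event": rec.get("event")}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if expected_hash != rec.get("hash"):
            return i   # record contents changed
        expected_mac = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, str(rec.get("mac"))):
            return i   # hash recomputed by someone without the key
        prev_hash = expected_hash
    return None


def build_sample_log() -> List[Dict]:
    """Constructed events, not a real system's audit trail."""
    log: List[Dict] = []
    append_record(log, {"ts": "2019-04-01T09:00:00Z", "user": "teller01", "action": "login", "result": "ok"})
    append_record(log, {"ts": "2019-04-01T09:05:12Z", "user": "teller01", "action": "wire", "amount": 25000})
    append_record(log, {"ts": "2019-04-01T09:07:40Z", "user": "admin7", "action": "logout", "result": "ok"})
    return log


def rehashed_copy(log: List[Dict]) -> List[Dict]:
    """Copy in which record 1 was altered and re-hashed, but without the HMAC key."""
    bad = copy.deepcopy(log)
    bad[1]["event"]["amount"] = 250
    body = {k: bad[1][k] for k in ("seq", "prev_hash", "event")}
    bad[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))                      # None
    print("altered record:", verify_chain(rehashed_copy(log)))   # 1
    print("record removed:", verify_chain([log[0], log[2]]))     # 1
```

One limitation worth knowing when auditing such a trail: the chain by itself cannot show that records were dropped from the tail, since a truncated log still verifies. Periodically recording the latest sequence number and hash somewhere the logging host cannot rewrite (a separate system, or the incident reports that go to the Board) closes that gap.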
Assurance. Assurance that a
cryptographic module is properly and securely implemented is
essential to the effective use of cryptography. NIST maintains
validation programs for several of its standards for cryptography.
Vendors can have their products validated for conformance to the
standard through a rigorous set of tests. Such testing provides
increased assurance that a module meets stated standards, and system
designers, integrators, and users can have greater confidence that
validated products conform to accepted standards.
A cryptographic system should be
monitored and periodically audited to ensure that it is satisfying
its security objectives. All parameters associated with correct
operation of the cryptographic system should be reviewed, and
operation of the system itself should be periodically tested and the
results audited. Certain information, such as secret keys or private
keys in public key systems, should not be subject to audit. However,
nonsecret or nonprivate keys could be used in a simulated audit
procedure.