FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Make this part of your employees' IT security training:
10 Ways to tell if that email is legitimate...or not - Phishing has become one of the most pervasive problems facing data security staffs today.
https://www.scmagazine.com/10-ways-to-tell-if-that-email-is-legitimateor-not/article/754459/
7 common flaws that keep security managers up at night - Security
managers are constantly asked what keeps them up at night.
Unfortunately, given today's threat landscape, it's a very long
list.
https://www.scmagazine.com/7-common-flaws-that-keep-security-managers-up-at-night/article/754621/
Top 6 steps for GDPR compliance - Effective May 25, 2018, the
European Union's General Data Protection Regulation, commonly called
GDPR, will become not only the law of the land in Europe but across
the globe.
https://www.scmagazine.com/top-6-steps-for-gdpr-compliance/article/754487/
Government passes critical infrastructure national security Bill -
Under the new legislation, the minister will have a 'last resort'
power to direct electricity, gas, ports, and water entities to 'do
or not do a certain thing' to mitigate national security risks.
http://www.zdnet.com/article/government-passes-critical-infrastructure-national-security-bill/
New York offers free cyber security tools to public to deter hackers
- New York City will offer free cyber security tools to the public
as part of a new effort to improve online safety, officials said on
Thursday, a week after Atlanta was hit with a ransomware attack that
knocked some municipal systems offline.
https://www.reuters.com/article/us-usa-cyber-new-york/new-york-offers-free-cyber-security-tools-to-public-to-deter-hackers-idUSKBN1H52XC
Under Armour deftly manages breach, dodges GDPR scrutiny - In the
wake of a breach that compromised personal information of 150
million MyFitnessPal accounts, some in the security industry are
giving Under Armour a thumbs up for both the way it has handled the
incident and security measures it had in place.
https://www.scmagazine.com/under-armour-deftly-manages-breach-dodges-gdpr-scrutiny/article/755186/
Despite risks, a majority of firms are allowing the use of Wi-Fi
hotspots - While experts have warned about the perils of connecting
to unsecured public Wi-Fi hotspots in the past, new research has
revealed that organisations are suffering more from security issues
than in the past.
https://www.scmagazine.com/despite-risks-a-majority-of-firms-are-allowing-the-use-of-wi-fi-hotspots/article/754926/
Maryland High School Girls Prove State’s Future as Cybersecurity Hub
- The winners of the GirlsGoCyberStart competition, a series of
innovative cybersecurity training challenges meant to inspire the
next generation of cybersecurity professionals and identify talented
youth in Maryland, met with Labor Secretary Kelly M. Schulz on
Friday at a reception in Annapolis.
http://www.dllr.maryland.gov/whatsnews/girlsgocyber.shtml
The 5 Stages of Data Breach Grief - As an incident response (IR)
professional, investigating data breaches has introduced me to many
new people, but it's never under the best circumstances.
https://www.scmagazine.com/the-5-stages-of-data-breach-grief/article/753445/
GAO - Areas for Improvement in the Federal Reserve Banks'
Information System Controls.
https://www.gao.gov/products/GAO-18-334R
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Under Armour: unauthorized third party accessed 150 million MyFitnessPal accounts - Under Armour notified MyFitnessPal users that an unauthorized third party accessed usernames, email addresses and hashed passwords in about 150 million accounts in late February.
https://www.scmagazine.com/under-armour-unauthorized-third-party-accessed-150-million-myfitnesspal-accounts/article/754907/
Baltimore 911 dispatch system hacked, investigation underway,
officials confirm - Baltimore’s 911 dispatch system was hacked by an
unknown actor or actors over the weekend, prompting a temporary
shutdown of automated dispatching and an investigation into the
breach, Mayor Catherine Pugh’s office confirmed Tuesday.
http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html
Saks, Lord & Taylor breached, 5 million payment cards likely
compromised - The five million stolen credit and debit cards offered
for sale starting March 28 by the JokerStash hacking syndicate known
as Fin7 likely came from records stolen from Saks Fifth Avenue and
Lord & Taylor customers between 2017 until their release last month.
https://www.scmagazine.com/saks-lord-taylor-breached-5-million-payment-cards-likely-compromised/article/755180/
Staff at Northern Ireland assembly warned over email breach -
Warnings issued to change passwords. Northern Ireland Assembly has
issued warnings to staff following cyber-attacks on its IT system,
according to reports by the Belfast Telegraph.
https://www.scmagazine.com/staff-at-northern-ireland-assembly-warned-over-email-breach/article/754924/
Panerabread.com Leaks Millions of Customer Records -
Panerabread.com, the Web site for the American chain of bakery-cafe
fast casual restaurants by the same name, leaked millions of
customer records — including names, email and physical addresses,
birthdays and the last four digits of the customer’s credit card
number — for at least eight months before it was yanked offline
earlier today, KrebsOnSecurity has learned.
https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
Cyberattack knocks Energy Services Group offline - A cyberattack
against Energy Services Group (ESG), which handles customer
transactions for natural gas pipelines owned by several energy
firms, has knocked the company's systems offline.
https://www.scmagazine.com/cyberattack-knocks-energy-services-group-offline/article/755983/
Panera breach neglected since 2017, may have exposed data of
millions - The personal data of what may be as many as 37 million
Panerabread.com customers was left exposed for eight months before
being pulled offline today.
https://www.scmagazine.com/panera-breach-may-have-compromised-data-of-nearly-seven-million-customers/article/755990/
Information on 6,800 CareFirst members exposed in phishing attack -
CareFirst BlueCross BlueShield said one of its employees recently
fell victim to a phishing attack that led to thousands of its
members' personal information being exposed.
https://www.scmagazine.com/information-on-6800-carefirst-members-exposed-in-phishing-attack/article/755772/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to
customer complaints, including those regarding the appropriateness
or quality of content, services, or products provided or the privacy
and security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
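An added example of how the periodic link testing and content review described above can be automated (illustrative code, not part of the FFIEC statement or of this newsletter): each approved link is fetched, its content fingerprint is compared with the one recorded at the previous review, and anything broken or changed is reported for a person to check against the contract. The partner URLs, page bodies and the `fetch` callback are constructed for the demonstration; a real run would wrap an HTTP client.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]   # url -> (HTTP status, body)

def fingerprint(body: bytes) -> str:
    """Content fingerprint recorded at one review and compared at the next."""
    return hashlib.sha256(body).hexdigest()

def build_register(snapshot: Dict[str, Tuple[int, bytes]]) -> Dict[str, str]:
    """Record the fingerprint of every link that was working at review time."""
    return {url: fingerprint(body) for url, (status, body) in snapshot.items()
            if status < 400}

def review_links(register: Dict[str, str], fetch: Fetcher) -> List[Tuple[str, str]]:
    """Test each approved link and return (url, finding) for anything needing
    human follow-up: unreachable, broken, or content changed since last review."""
    findings = []
    for url, expected in register.items():
        try:
            status, body = fetch(url)
        except Exception as exc:          # DNS failure, timeout, refused, ...
            findings.append((url, f"unreachable: {exc}"))
            continue
        if status >= 400:
            findings.append((url, f"broken link (HTTP {status})"))
        elif fingerprint(body) != expected:
            findings.append((url, "content changed since last review"))
    return findings

# Constructed sample: what three linked partner pages returned at the last review ...
PREVIOUS = {
    "https://partner-a.example/rates": (200, b"<h1>Current CD rates</h1>"),
    "https://partner-b.example/calc": (200, b"<h1>Mortgage calculator</h1>"),
    "https://partner-c.example/quotes": (200, b"<h1>Insurance quotes</h1>"),
}
# ... and today (constructed): one unchanged, one with new content, one gone.
CURRENT = {
    "https://partner-a.example/rates": (200, b"<h1>Current CD rates</h1>"),
    "https://partner-b.example/calc": (200, b"<h1>Mortgage calculator</h1><p>Sponsored offer</p>"),
    "https://partner-c.example/quotes": (404, b"Not Found"),
}

def sample_findings() -> List[Tuple[str, str]]:
    """Run the review against the constructed snapshots (a real fetch uses an HTTP client)."""
    return review_links(build_register(PREVIOUS), lambda url: CURRENT[url])
```

Pages that embed a date, session token or rotating advertisement will change on every fetch; hash a normalized or stable region of the page, otherwise the check drowns reviewers in noise and real content changes go unnoticed.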
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
attempts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.7 Mobile and Portable Systems
The analysis and management of risk usually has to be modified if a
system is installed in a vehicle or is portable, such as a laptop
computer. The system in a vehicle will share the risks of the
vehicle, including accidents and theft, as well as regional and
local risks.
Portable and mobile systems share an increased risk of theft and physical
damage. In addition, portable systems can be "misplaced" or left
unattended by careless users. Secure storage of laptop computers is
often required when they are not in use.
If a mobile or portable system uses particularly valuable or
important data, it may be appropriate to either store its data on a
medium that can be removed from the system when it is unattended or
to encrypt the data. In any case, the issue of how custody of mobile
and portable computers is to be controlled should be addressed.
Depending on the sensitivity of the system and its application, it
may be appropriate to require briefings of users and signed briefing
acknowledgments.
Encryption of data files on stored media may also be a
cost-effective precaution against disclosure of confidential
information if a laptop computer is lost or stolen.
15.8 Approach to Implementation
Like other security measures, physical and environmental security
controls are selected because they are cost-beneficial. This does
not mean that a user must conduct a detailed cost-benefit analysis
for the selection of every control. There are four general ways to
justify the selection of controls:
1) They are required by law or regulation. Fire exit doors
with panic bars and exit lights are examples of security measures
required by law or regulation. Presumably, the regulatory authority
has considered the costs and benefits and has determined that it is
in the public interest to require the security measure. A lawfully
conducted organization has no option but to implement all required
security measures.
2) The cost is insignificant, but the benefit is material. A
good example of this is a facility with a key-locked low-traffic
door to a restricted-access area. The cost of keeping the door locked is
minimal, but there is a significant benefit. Once a significant
benefit/minimal cost security measure has been identified, no
further analysis is required to justify its implementation.
3) The security measure addresses a potentially "fatal" security
exposure but has a reasonable cost. Backing up system software
and data is an example of this justification. For most systems, the
cost of making regular backup copies is modest (compared to the
costs of operating the system), the organization would not be able
to function if the stored data were lost, and the cost impact of the
failure would be material. In such cases, it would not be necessary
to develop any further cost justification for the backup of software
and data. However, this justification depends on what constitutes a
modest cost, and it does not identify the optimum backup schedule.
Broadly speaking, a cost that does not require budgeting of
additional funds would qualify.
4) The security measure is estimated to be cost-beneficial.
If the cost of a potential security measure is significant, and it
cannot be justified by any of the first three reasons listed above,
then its cost (both implementation and ongoing operation) and its
benefit (reduction in future expected losses) need to be analyzed to
determine if it is cost-beneficial. In this context, cost-beneficial
means that the reduction in expected loss is significantly greater
than the cost of implementing the security measure.
Arriving at the fourth justification requires a detailed analysis.
Simple rules of thumb do not apply. Consider, for example, the
threat of electric power failure and the security measures that can
protect against such an event. The threat parameters, rate of
occurrence, and range of outage durations depend on the location of
the system, the details of its connection to the local electric
power utility, the details of the internal power distribution
system, and the character of other activities in the building that
use electric power. The system's potential losses from service
interruption depend on the details of the functions it performs.
Two systems that are otherwise identical can support functions that
have quite different degrees of urgency. Thus, two systems may have
the same electric power failure threat and vulnerability parameters,
yet entirely different loss potential parameters.
Furthermore, a number of different security measures are available
to address electric power failures. These measures differ in both
cost and performance. For example, the cost of an uninterruptible
power supply (UPS) depends on the size of the electric load it can
support, the number of minutes it can support the load, and the
speed with which it assumes the load when the primary power source
fails. An on-site power generator could also be installed either in
place of a UPS (accepting the fact that a power failure will cause a
brief service interruption) or in order to provide long-term backup
to a UPS system. Design decisions include the magnitude of the load
the generator will support, the size of the on-site fuel supply, and
the details of the facilities to switch the load from the primary
source or the UPS to the on-site generator.
This example shows systems with a wide range of risks and a wide
range of available security measures (including, of course, no
action), each with its own cost factors and performance parameters.
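To make the fourth justification concrete, here is an added worked example (not from the NIST Handbook) that carries the electric power failure analysis above through in code: a site's outage profile (rate of occurrence and durations) and the system's loss per minute of interruption give the expected annual loss, and each candidate measure, UPS, generator or both, is scored by how much it reduces that loss against its annual cost. All figures, the measure prices and the 1.5x "significantly greater" margin are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class OutageClass:
    minutes: int      # representative duration of outages in this band
    per_year: float   # expected number of such outages per year

@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float              # amortised implementation plus operation
    covers_minutes: Optional[int]   # longest outage it bridges; None = indefinite
    gap_minutes: int = 0            # interruption while it assumes the load

def expected_annual_loss(outages: List[OutageClass], loss_per_minute: float,
                         measure: Optional[Measure] = None) -> float:
    """Expected yearly loss from power-failure interruptions, with or without a measure."""
    total = 0.0
    for o in outages:
        if measure is None:
            downtime = o.minutes
        elif measure.covers_minutes is None or o.minutes <= measure.covers_minutes:
            downtime = min(measure.gap_minutes, o.minutes)
        else:  # bridged for its rated time; the rest of the outage is lost
            downtime = measure.gap_minutes + (o.minutes - measure.covers_minutes)
        total += o.per_year * downtime * loss_per_minute
    return total

def net_benefit(outages, loss_per_minute, measure: Measure) -> float:
    """Reduction in expected loss minus the measure's annual cost."""
    before = expected_annual_loss(outages, loss_per_minute)
    after = expected_annual_loss(outages, loss_per_minute, measure)
    return before - after - measure.annual_cost

def choose(outages, loss_per_minute, measures: List[Measure], margin: float = 1.5) -> str:
    """Largest-net-benefit measure whose loss reduction is at least 'margin' times its
    cost ('significantly greater'; the margin is an assumption), else 'no action'."""
    best, best_net = "no action", 0.0
    for m in measures:
        net = net_benefit(outages, loss_per_minute, m)
        if net + m.annual_cost >= margin * m.annual_cost and net > best_net:
            best, best_net = m.name, net
    return best

# Constructed site profile (many blips, some half-hour outages, a rare long one)
# and three candidate measures priced as assumptions for the demonstration.
SITE = [OutageClass(2, 12.0), OutageClass(30, 2.0), OutageClass(240, 0.25)]
MEASURES = [Measure("UPS, 15 min", 3000.0, 15),
            Measure("generator only", 8000.0, None, gap_minutes=1),
            Measure("UPS + generator", 11000.0, None)]
```

With the same SITE profile, `choose(SITE, 500.0, MEASURES)` (an urgent system) selects UPS plus generator while `choose(SITE, 20.0, MEASURES)` (a low-urgency one) returns no action, which is exactly the text's point about identical threat parameters and different loss potential.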