IT Audits - We conduct onsite/remote FFIEC IT audits for insured financial institutions as well as pen-tests, FFIEC & ADA website audits. I am a former bank examiner with over 50 years of IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI - As unemployment claims soar, cyber workforce remains strong - Of the nearly 10 million Americans who recently have filed for unemployment insurance – 6.6 million this week and 3.3 million the week before – as the coronavirus pandemic shut down businesses and the economy, the cybersecurity workforce seemingly has been spared.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/as-unemployment-claims-soar-to-6-6-million-cyber-workforce-remains-strong/
FBI warns Zoom, teleconference meetings vulnerable to hijacking - As remote work surges amid the coronavirus pandemic, the FBI issued a public bulletin Monday warning Zoom and other video teleconferencing services may not be as private, or as secure, as users may assume.
https://www.cyberscoop.com/zoom-fbi-teleconference-hijacking/
Coronavirus: Microsoft directly warns hospitals, 'Fix your vulnerable VPN appliances' - Microsoft issues its first-ever targeted ransomware alert to hospitals over their vulnerable VPN appliances.
https://www.zdnet.com/article/coronavirus-microsoft-directly-warns-hospitals-fix-your-vulnerable-vpn-appliances/
NYC schools step away as Zoom sets remediation plan - Concerns over privacy prompted New York City to ban the use of Zoom by city schools and move instead to an approved platform like Google Meet or Microsoft Teams “as soon as possible.”
https://www.scmagazine.com/home/security-news/nyc-schools-ban-zoom-amid-privacy-concerns/
The inside scoop on insider threats - Cybercriminals continue to develop new attack methods that pose a serious risk to enterprise security, but they are not the only threats enterprises need to defend against. Employees – whether well-meaning but careless or those with malicious intentions – pose a great risk. In fact, insider threats are among the leading causes of data breaches.
https://www.scmagazine.com/home/opinion/executive-insight/the-inside-scoop-on-insider-threats/
So Wait, How Encrypted Are Zoom Meetings Really? - The service's mixed messages have frustrated cryptographers, as the US government and other sensitive organizations increasingly depend on it.
https://www.wired.com/story/zoom-security-encryption/
Too Many Exchange Servers Remain Unpatched - A security vulnerability in Microsoft Exchange that was fixed in February is still unpatched on hundreds of thousands of Exchange servers, according to the latest numbers from Rapid7.
https://duo.com/decipher/too-many-exchange-servers-remain-unpatched
Researchers fool devices’ biometric scanners with replicated fingerprints - Researchers at Cisco Talos said they were able to fool biometrics-based user authentication technology on eight mobile devices by using 3D-printed molds to create replicas of users’ fingerprints.
https://www.scmagazine.com/home/security-news/researchers-fool-devices-biometric-scanners-with-replicated-fingerprints/
Coronavirus turns up the heat on cybersecurity projects - Cybersecurity projects – even important ones – often languish, due to budget constraints, scarce resources or simply because they’re just lower priority in the long list of things that need to be done. But for all the havoc it’s wreaked, the Covid-19 pandemic has pushed many of these initiatives to the forefront where they’re gaining traction.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/coronavirus-turns-up-the-heat-on-cybersecurity-projects/
Google faces new legal action for violating COPPA - The millions of children now taking online elementary school classes due to COVID-19 have proven to be a boon for Google; however, the huge increase in usage comes at a time when the company is being sued by two entities for violating state and federal child privacy regulations for its other learning tools.
https://www.scmagazine.com/home/security-news/privacy-compliance/google-faces-new-legal-action-for-violating-coppa/
Maropost database with 95 million left open and unsecure - A database owned by the email delivery and marketing firm Maropost was reportedly found open and unsecured, exposing about 95 million customer records.
https://www.scmagazine.com/home/security-news/data-breach/maropost-database-with-95-million-left-open-and-unsecure/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - 14 million Key Ring users exposed in open database - A misconfigured Amazon Web Services S3 bucket has exposed the data of about 14 million users of the popular Key Ring app that includes some payment and medical card information.
https://www.scmagazine.com/home/security-news/data-breach/14-million-key-ring-users-exposed-in-open-database/
Marriott Got Hacked. Yes, Again - The hotel chain has suffered its second major breach in 16 months. Here's how to find out if you're affected. - In November 2018, hotel giant Marriott disclosed that it had suffered one of the largest breaches in history.
https://www.wired.com/story/marriott-hacked-yes-again-2020/
Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others - A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.
https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/
Ransomware strikes biotech firm researching possible COVID-19 treatments - As the COVID-19 pandemic was spreading through the U.S. last month, hackers struck a California-based biotechnology company which makes tools that researchers are using to learn about the coronavirus.
https://www.cyberscoop.com/covid-19-ransomware-10x-genomics-data-breach/
Jupiter, Fla., fighting REvil/Sodinokibi ransomware and Coronavirus - The town of Jupiter, located in an area of Florida hard hit by Coronavirus, is continuing to recover from a late March ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/jupiter-fla-fighting-revil-sodinokibi-ransomware-and-coronavirus/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s responsibility for security and confidentiality of the institution’s resources (e.g., information, hardware). The agreement should prohibit the service provider and its agents from using or disclosing the institution’s information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives nonpublic personal information regarding the institution’s customers, the institution should notify the service provider to assess the applicability of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when material intrusions occur, the effect on the institution, and corrective action to respond to the intrusion.
Controls
Consideration should be given to contract provisions addressing control over operations such as:
• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the institution’s approval rights regarding material changes to services, systems, controls, key project personnel allocated to the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial functions, such as payments processing and any extensions of credit on behalf of the institution.
• Insurance coverage to be maintained by the service provider.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING
Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.
In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal institution system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.3 System-Specific Policy
Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. It is much more focused, since it addresses only one system.
Many security policy decisions may apply only at the system level and may vary from system to system within the same organization. While these decisions may appear to be too detailed to be policy, they can be extremely important, with significant impacts on system usage and security. These types of decisions can be made by a management official, not by a technical system administrator. (The impacts of these decisions, however, are often analyzed by technical system administrators.)
To develop a cohesive and comprehensive set of security policies, officials may use a management process that derives security rules from security goals. It is helpful to consider a two-level model for system security policy: security objectives and operational security rules, which together comprise the system-specific policy. Closely linked and often difficult to distinguish, however, is the implementation of the policy in technology.
System-specific security policy includes two components: security objectives and operational security rules. It is often accompanied by implementing procedures and guidelines.
5.3.1 Security Objectives
The first step in the management process is to define security objectives for the specific system. Although this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable organization policies.
Security objectives consist of a series of statements that describe meaningful actions about explicit resources. These objectives should be based on system functional or mission requirements, but should state the security actions that support the requirements.
Development of system-specific policy will require management to make trade-offs, since it is unlikely that all desired security objectives will be able to be fully met. Management will face cost, operational, technical, and other constraints.
Sample Security Objective: Only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.