FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - RiskSec preview: Angelo Longo, CISO at Resorts Casino Hotel - We’ve all heard how IoT technologies have and will continue to cause massive challenges to the execution and maintenance of security controls for organizations. https://www.scmagazine.com/home/events/risksec-speaker-preview-angelo-longo-ciso-at-resorts-casino-hotel/

A v-CISO’s Take on the 5 Issues Facing Cybersecurity - There’s a quiet shift going on in the business community, one that has the potential of tipping the scales against cyber criminals; and it has nothing to do with AI, machine learning or any other shiny, new technology. https://www.scmagazine.com/home/opinions/a-v-cisos-take-on-the-5-issues-facing-cybersecurity/

Elizabeth Warren wants jail time for CEOs in Equifax-style breaches - Should more CEOs go to jail after data breaches? Elizabeth Warren thinks so. In 2017, criminals stole the personal data of about 143 million people from the credit rating system Equifax. https://arstechnica.com/tech-policy/2019/04/elizabeth-warren-wants-to-jail-negligent-ceos-in-some-data-breaches/

Motel 6 to pay $12M for sharing guest info with ICE - Motel 6 will pay a $12 million settlement to Washington state after employees at several of the chain’s locations shared information – without a warrant – on 80,000 guests in the state with Immigration and Customs Enforcement (ICE) over a two-year period. https://www.scmagazine.com/home/security-news/motel-6-to-pay-12m-for-sharing-guest-info-with-ice/

Groups Offer Ideas for Improving Healthcare Cybersecurity - Several industry groups have offered suggestions - ranging from better cyber information sharing to new regulatory "safe harbors" for entities complying with best practices - to Sen. Mark Warner, D-Va., in response to his recent request for input on how the healthcare sector can improve its cybersecurity posture. http://www.govinfosecurity.com/groups-offer-ideas-for-improving-healthcare-cybersecurity-a-12336

Yahoo offers $117 million to settle 2016 data breach suit - Yahoo has more than doubled its proposed data breach settlement payout to $117.5 million after having a smaller amount rejected by a California judge in January. https://www.scmagazine.com/home/security-news/data-breach/yahoo-offers-117-million-to-settle-2016-data-breach-suit/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Pharma firm Bayer hit with WINNTI malware - The German drug manufacturer Bayer reported it was hit with a cyberattack launched from China that used WINNTI malware that resided on its network for at least one year. https://www.scmagazine.com/home/security-news/malware/pharma-firm-bayer-hit-with-winnti-malware/

Chinese HR firms and recruiting agencies found to leak more than half a billion resumes - Chinese companies were discovered leaking more than half a billion resumes on the web via poorly secured ElasticSearch and MongoDB databases. https://www.scmagazine.com/home/security-news/data-breach/chinese-companies-were-discovered-to-be-leaking-more-than-half-a-billion-resumes-on-the-web-via-poorly-secured-elasticsearch-and-mongodb-databases/

Georgia Tech stung with 1.3 million-person data breach - Georgia Tech is reporting that it suffered a data breach when a Georgia Institute of Technology web app exposed the information on 1.3 million current and former students, student applicants along with staff members. https://www.scmagazine.com/home/security-news/data-breach/georgia-tech-stung-with-1-3-million-person-data-breach/

Nevada data center used to distribute Dridex, GandCrab malware right under the FBI's nose - Scammers used data centers located in the United States to launch nasty strains of malware against English-speaking web users, according to Bromium research published Thursday. https://www.cyberscoop.com/necurs-botnet-nevada-data-center-bromium/

Phishing attacker gains access to Baystate Medical Center patient records - Baystate Medical Center reportedly suffered a data breach possibly impacting 12,000 patients. https://www.scmagazine.com/home/security-news/data-breach/phishing-attacker-gains-access-to-baystate-medical-center-patient-records/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 2 of 2)
  
  Finally, the Board and senior management should ensure that its risk management processes for its e-banking activities are integrated into the bank's overall risk management approach. The bank's existing risk management policies and processes should be evaluated to ensure that they are robust enough to cover the new risks posed by current or planned e-banking activities. Additional risk management oversight steps that the Board and senior management should consider taking include:
  
  1) Clearly establishing the banking organization's risk appetite in relation to e-banking.
  
  2) Establishing key delegations and reporting mechanisms, including the necessary escalation procedures for incidents that impact the bank's safety, soundness or reputation (e.g. networks penetration, employee security infractions and any serious misuse of computer facilities).
  
  3) Addressing any unique risk factors associated with ensuring the security, integrity and availability of e-banking products and services, and requiring that third parties to whom the banks has outsourced key systems or applications take similar measures.
  
  4) Ensuring that appropriate due diligence and risk analysis are performed before the bank conducts cross-border e-banking activities.
  
  The Internet greatly facilitates a bank's ability to distribute products and services over virtually unlimited geographic territory, including across national borders. Such cross-border e-banking activity, particularly if conducted without any existing licensed physical presence in the "host country," potentially subjects banks to increased legal, regulatory and country risk due to the substantial differences that may exist between jurisdictions with respect to bank licensing, supervision and customer protection requirements. Because of the need to avoid inadvertent non-compliance with a foreign country's laws or regulations, as well as to manage relevant country risk factors, banks contemplating cross-border e-banking operations need to fully explore these risks before undertaking such operations and effectively manage them.
  
  Depending on the scope and complexity of e-banking activities, the scope and structure of risk management programs will vary across banking organizations. Resources required to oversee e-banking services should be commensurate with the transactional functionality and criticality of systems, the vulnerability of networks and the sensitivity of information being transmitted.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  
  Routing (Part 2 of 2)
  
  Routers and switches are sometimes difficult to locate. Users may install their own devices and create their own unauthorized subnets. Any unrecognized or unauthorized network devices pose security risks. Financial institutions should periodically audit network equipment to ensure that only authorized and maintained equipment resides on their network.
  
  DNS hosts, routers and switches are computers with their own operating system. If successfully attacked, they can allow traffic to be monitored or redirected. Financial institutions must restrict, log, and monitor administrative access to these devices. Remote administration typically warrants an encrypted session, strong authentication, and a secure client. The devices should also be appropriately patched and hardened.
  
  Packets are sent and received by devices using a network interface card (NIC) for each network to which they connect. Internal computers would typically have one NIC card for the corporate network or a subnet. Firewalls, proxy servers, and gateway servers are typically dual-homed with two NIC cards that allow them to communicate securely both internally and externally while limiting access to the internal network.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.5 Cost Considerations

Using cryptography to protect information has both direct and indirect costs. Cost is determined in part by product availability; a wide variety of products exist for implementing cryptography in integrated circuits, add-on boards or adapters, and stand-alone units.

19.5.1 Direct Costs

The direct costs of cryptography include:

• Acquiring or implementing the cryptographic module and integrating it into the computer system. The medium (i.e., hardware, software, firmware, or combination) and various other issues such as level of security, logical and physical configuration, and special processing requirements will have an impact on cost.
  
  
• Managing the cryptography and, in particular, managing the cryptographic keys, which includes key generation, distribution, archiving, and disposition, as well as security measures to protect the keys, as appropriate