FFIEC IT audits -
To meet the national emergency, I am now performing remote/offsite FFIEC IT audits for insured financial institutions. I am a former bank examiner with over 50 years' IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI
- BB&T sues tech vendor Hitachi Vantara over 2018 outage - BB&T is
suing computer hardware vendor Hitachi Vantara, claiming the company
was responsible for a "catastrophic" outage that kept millions of
customers from accessing the bank’s online, mobile, ATM and wire
transfer services for 15 hours over several days in February 2018.
https://www.bankingdive.com/news/bbt-sues-hitachi-vantara-2018-outage-suntrust-chime-capital-one/568447/
Microsoft Buys Corp.com So Bad Guys Can’t - In February,
KrebsOnSecurity told the story of a private citizen auctioning off
the dangerous domain corp.com for the starting price of $1.7
million.
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
Best practices for implementing a Data loss prevention (DLP)
solution - Traditional defenses are no match for targeted attacks
that bypass security controls and steal sensitive data. As IT
changes continue to occur, organizations need to be more strategic
to combat modern threats.
https://www.scmagazine.com/home/opinion/executive-insight/best-practices-for-implementing-a-dlp-solution/
COVID-19 has changed business, but threat actors and tools remain
strangely familiar - The coronavirus pandemic has forced massive
changes upon businesses, but the overall cyber threat landscape
remains relatively stable.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/covid-19-has-changed-business-but-threat-actors-and-tools-remain-strangely-familiar/
U.S., U.K. authorities warn of state-linked and criminal hacking
exploiting coronavirus pandemic - American and British cybersecurity
authorities on Wednesday issued a fresh warning that “a growing
number of cyber criminals and other malicious groups” are exploiting
the coronavirus pandemic, adding to a chorus of public and
private-sector advisories intended to blunt COVID-19-related
hacking.
https://www.cyberscoop.com/coronavirus-hacking-dhs-ncsc/
Domain name registry suspends 600 suspicious coronavirus websites -
Web domain name registrars are stepping up their efforts to tackle
scammers, and it starts even before their websites go live.
https://www.zdnet.com/article/domain-name-registrar-suspends-600-suspicious-coronavirus-websites/
DHS releases new network security guidance for telework - The
Cybersecurity and Infrastructure Security Agency released temporary
guidance April 8 for federal network cybersecurity as a way to
increase protections during the spike in telework from the
coronavirus pandemic.
https://www.fifthdomain.com/civilian/dhs/2020/04/08/dhs-releases-new-network-security-guidance-for-telework/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Drug testing firm sends data breach alerts after ransomware attack
- Hammersmith Medicines Research LTD (HMR), a research company on
standby to perform live trials of Coronavirus vaccines, has started
emailing data breach notifications after having their data stolen
and published in a ransomware attack.
https://www.bleepingcomputer.com/news/security/drug-testing-firm-sends-data-breach-alerts-after-ransomware-attack/
San Francisco airport websites hacked to swipe personal device
credentials - Two websites affiliated with San Francisco
International Airport (SFO) were compromised with code last March,
allowing attackers to steal device login credentials from users who
visited these sites, airport officials have disclosed.
https://www.scmagazine.com/home/security-news/cybercrime/san-francisco-airport-websites-compromised-to-swipe-credentials/
Phishing emails impersonate White House, Trump, give false COVID-19
guidance - Americans anxious over the spread of COVID-19 could be
forgiven for falling for an email that purports to provide
information on the pandemic from “The Federal Government, President
Donald Trump,” but is instead a phishing scheme originating from a
Russian email account.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/phishing-emails-impersonate-white-house-give-false-covid-19-guidance/
Travelex paid $2.3 million ransom, report - Travelex reportedly
shelled out a $2.3 million ransom payment after being struck on New
Year’s Eve with REvil/Sodinokibi ransomware.
https://www.scmagazine.com/home/security-news/ransomware/travelex-paid-2-3-million-ransom-report/
Compromised email account leads to Saint Francis Ministries data
breach - An unauthorized party gained entry into an employee’s
email account at Saint Francis Ministries, accessing sensitive
personal identifying information, as well as financial and protected
health data.
https://www.scmagazine.com/home/security-news/cybercrime/compromised-email-account-leads-to-saint-francis-ministries-data-breach/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Audit
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit-disclosed deficiencies and to inspect the
processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing
Standards 70 “Reports of Processing of Transactions by Service
Organizations,” known as SAS 70 Reports, are one commonly used form
of external review. Type I SAS 70 reports review the service
provider’s policies and procedures. Type II SAS 70 reports provide
tests of actual controls against policies and procedures.)
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing, intrusion detection, and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Reports
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and
Availability. Management is responsible for carefully controlling
information security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing information.
Management is responsible for clearly identifying the individuals
responsible for protecting the data and for providing guidance for
that protection, while making the results available in a usable form
to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution the
information they obtained in their testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.3.2 Operational Security Rules
After management determines the security objectives, the rules for
operating a system can be laid out, for example, to define authorized
and unauthorized modification: who (by job category, organization
placement, or name) can do what (e.g., modify, delete) to which
specific classes and records of data, and under what conditions.
The degree of specificity needed for operational security rules
varies greatly. The more detailed the rules are, up to a point, the
easier it is to know when one has been violated. It is also, up to a
point, easier to automate policy enforcement. However, overly
detailed rules may make the job of instructing a computer to
implement them difficult or computationally complex.
In addition to deciding the level of detail, management should
decide the degree of formality in documenting the system-specific
policy. Once again, the more formal the documentation, the easier it
is to enforce and to follow policy. On the other hand, policy at the
system level that is too detailed and formal can also be an
administrative burden. In general, good practice suggests a
reasonably detailed formal statement of the access privileges for a
system. Documenting access controls policy will make it
substantially easier to follow and to enforce. Another area that
normally requires a detailed and formal statement is the assignment
of security responsibilities. Other areas that should be addressed
are the rules for system usage and the consequences of
noncompliance.
Policy decisions in other areas of computer security, such as those
described in this handbook, are often documented in the risk
analysis, accreditation statements, or procedural manuals. However,
any controversial, atypical, or uncommon policies will also need
formal statements. Atypical policies would include any areas where
the system policy is different from organizational policy or from
normal practice within the organization, either more or less
stringent. The documentation for an atypical policy contains a
statement explaining the reason for deviation from the
organization's standard policy.
Sample Operational Security Rule:
Personnel clerks may update fields for weekly attendance, charges
to annual leave, employee addresses, and telephone numbers.
Personnel specialists may update salary information. No employees
may update their own records.
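The sample rule above, written out as the kind of deny-by-default check a system can enforce automatically, which is the point the handbook makes about detailed rules being easier to automate. This is an added example, not code from the NIST Handbook or this newsletter; the role names, field names and user/record identifiers are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Which fields each job category may update. Anything not listed here is
# denied, so a new role or a new field starts out with no update rights.
# (Role and field names are assumptions for this example.)
FIELD_PERMISSIONS = {
    "personnel_clerk": frozenset({
        "weekly_attendance", "annual_leave_charges", "address", "telephone",
    }),
    "personnel_specialist": frozenset({"salary"}),
}


@dataclass(frozen=True)
class Actor:
    user_id: str   # identity of the person making the request
    role: str      # job category used for the rule


@dataclass(frozen=True)
class Record:
    employee_id: str  # identity of the employee the record belongs to


def authorize_update(actor: Actor, record: Record, field: str) -> Tuple[bool, str]:
    """Decide whether `actor` may update `field` of `record`.

    Returns (allowed, reason) so the reason can be logged alongside the decision.
    The self-update prohibition is checked first: it applies to every employee
    regardless of role, so a specialist cannot change their own salary field.
    """
    if actor.user_id == record.employee_id:
        return False, "self-update prohibited"
    allowed_fields = FIELD_PERMISSIONS.get(actor.role, frozenset())
    if field not in allowed_fields:
        return False, f"role {actor.role!r} may not update {field!r}"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed requests exercising each branch of the rule.
    requests = [
        (Actor("u100", "personnel_clerk"), Record("u200"), "address"),
        (Actor("u100", "personnel_clerk"), Record("u200"), "salary"),
        (Actor("u300", "personnel_specialist"), Record("u300"), "salary"),
        (Actor("u400", "auditor"), Record("u200"), "telephone"),
    ]
    for actor, record, field in requests:
        allowed, reason = authorize_update(actor, record, field)
        print(f"{actor.role}/{actor.user_id} -> {record.employee_id}.{field}: "
              f"{'ALLOW' if allowed else 'DENY'} ({reason})")
```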