R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

April 21, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also meets the FFIEC Cybersecurity Assessment Tool expectations for resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - IRS commissioner looks for hiring authority to onboard IT talent in weeks, not months - IRS Commissioner Chuck Rettig has urged members of a House Appropriations subcommittee to give the agency the authority to hire short-term cyber and IT talent more quickly and pay them at a rate beyond the pay scale for career employees. https://federalnewsnetwork.com/hiring-retention/2019/04/irs-commissioner-looks-for-hiring-authority-to-onboard-it-talent-in-weeks-not-months/

Study: 67 percent of hotel websites grant third parties access to personal booking data, reservations - A study of more than 1,500 hotels in 54 countries found that 67 percent of their websites leak booking reference codes to third-party partners, allowing them to potentially access guests’ booking details and personal information. https://www.scmagazine.com/home/security-news/study-67-percent-of-hotel-websites-grant-third-parties-access-to-personal-booking-data-reservations/

Hackers publish info on FBI National Academy alum - Hackers posted personal information on FBI, Secret Service and other federal employees as well as police officers nicked from three websites associated with the FBI National Academy (FBINAA). https://www.scmagazine.com/home/security-news/hackers-publish-info-on-fbi-national-academy-alum/

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. - Within days of a cyberattack, warehouses of the snack foods company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers. https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html

Cyber is among new USAF competitive career categories - The Air Force is rolling out seven new competitive career categories for officers that will include cyber, intelligence, and space as a way to boost promotion, training and talent retention, the service announced April 11. https://fcw.com/articles/2019/04/11/usaf-cyber-career-category.aspx

North Dakota's IT department takes charge of cybersecurity for the entire state - North Dakota Gov. Doug Burgum signed a bill Friday making his state’s Information Technology Department the first in the country to manage cybersecurity operations across all of the state’s public organizations, including local governments, schools, courts and the state legislature. https://statescoop.com/north-dakotas-it-department-takes-charge-of-cybersecurity-for-the-entire-state/

European Commission: No evidence Kaspersky software is malicious - The European Commission yesterday acknowledged in a public document that it possesses no evidence to support the notion that software from Russia-based Kaspersky Lab is malicious. https://www.scmagazine.com/home/security-news/european-commission-no-evidence-kaspersky-software-is-malicious/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ransomware knocks Greenville, N.C. offline - Greenville, N.C., has effectively been knocked offline by a ransomware attack with the city IT department having shut down the majority of its servers to limit the extent of the attack. https://www.scmagazine.com/home/security-news/ransomware/ransomware-knocks-greenville-n-c-offline/

Massive SIM swap fraud leaves traditional 2FA users at risk - As two-factor authentication becomes more popular, threat actors have proven once again how this security feature can be exploited if not implemented properly. https://www.scmagazine.com/home/security-news/cybercrime/as-two-factor-authentication-becomes-more-popular-threat-actors-have-proven-once-again-how-this-security-feature-can-be-exploited-if-not-implemented-properly/

VPN apps found insecurely storing session cookies - Researchers with the National Defense ISAC Remote Access Working Group discovered that multiple virtual private network (VPN) applications were insecurely storing authentication and/or session cookies in memory, logs and files. https://www.scmagazine.com/home/security-news/vulnerabilities/researchers-with-national-defense-isac-remote-access-working-group-discovered-multiple-vpn-apps-improperly-storing-session-cookies/

How the city of Ottawa was stung by email fraud - The city of Ottawa’s financial staff have been criticized by its auditor general for failing to follow its money transfer rules after the municipality’s treasurer was tricked into wiring over $100,000 in what is known as a business email compromise scam. https://www.itworldcanada.com/article/how-the-city-of-ottawa-was-stung-by-email-fraud/416840

Garfield County, Utah falls victim to ransomware, pays attackers - Garfield County, Utah became the latest municipality to not only be hit with a ransomware attack, but succumb to the attackers demand and pay the ransom. https://www.scmagazine.com/home/security-news/ransomware/garfield-county-utah-falls-victim-to-ransomware-pays-attackers/

Microsoft web mail services breached after support agent’s credentials are compromised - Hackers reportedly compromised a Microsoft Corp. support agent’s credentials, allowing them to gain unauthorized access to the company’s various web-based email services, including Outlook, MSN and Hotmail, for at least three months in 2019. https://www.scmagazine.com/home/security-news/microsoft-web-mail-services-breached-after-support-agents-credentials-are-compromised/

Microsoft Email Hack Shows the Lurking Danger of Customer Support - On Friday night, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. https://www.wired.com/story/microsoft-email-hack-outlook-hotmail-customer-support/

Student hacks online school government election - A student running for class president of Berkeley High School in California hacked into the email accounts of his fellow students in order to swing the school’s first ever online election his way. https://www.scmagazine.com/home/security-news/election-2016-cybersecurity-insights/student-hacks-online-school-government-election/

Report: Ecuadorian websites besieged by cyberattacks following Julian Assange’s arrest - Since Julian Assange’s arrest and removal from London’s Ecuadorian embassy last week, the websites of Ecuador’s public institutions have been subjected to roughly 40 million cyberattacks, Agence France-Presse reported yesterday. https://www.scmagazine.com/home/security-news/report-ecuadorian-websites-besieged-by-cyberattacks-following-julian-assanges-arrest/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
  
  
Board and Management Oversight - Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process. 
  
  
The Board of Directors and senior management should oversee the development and continued maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. This should include establishing appropriate authorization privileges, logical and physical access controls, and adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities.
  
  Safeguarding of bank assets is one of the Board's fiduciary duties and one of senior management's fundamental responsibilities. However, it is a challenging task in a rapidly evolving e-banking environment because of the complex security risks associated with operating over the public Internet network and using innovative technology.
  
  To ensure proper security controls for e-banking activities, the Board and senior management need to ascertain whether the bank has a comprehensive security process, including policies and procedures, that addresses potential internal and external security threats both in terms of incident prevention and response. Key elements of an effective e-banking security process include: 
  
  1) Assignment of explicit management/staff responsibility for overseeing the establishment and maintenance of corporate security policies.
  
  2) Sufficient physical controls to prevent unauthorized physical access to the computing environment.
  
  3) Sufficient logical controls and monitoring processes to prevent unauthorized internal and external access to e-banking applications and databases.
  
  4) Regular review and testing of security measures and controls, including the continuous tracking of current industry security developments and installation of appropriate software upgrades, service packs and other required measures.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  

  
Firewalls
  
  A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, it is ideally situated to inspect and block traffic and to coordinate activities with network intrusion detection systems (IDS).
  
  Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type depends on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and the applications involved.  Over the next few weeks we will discuss the different types of firewalls.
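  As an added illustration (not part of the FFIEC booklet or of this newsletter), the Python below models the first two firewall types named above over a constructed packet trace. A stateless packet filter has to recognize "return traffic" from fields in each packet by itself, typically by admitting inbound packets from source port 443 that carry the ACK bit; a stateful filter instead records every connection an internal host opens and admits only inbound packets that match one. The internal network (10.0.0.0/24), the external addresses (203.0.113.x and 198.51.100.x), the rule set and the trace are all assumptions made for the example.

```python
"""Stateless packet filtering vs stateful inspection, modelled in Python.

Added example: the internal zone, the addresses and the packet trace below are
constructed for illustration and are not taken from the FFIEC booklet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: the bank LAN
Flow = Tuple[str, int, str, int]                    # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: a fixed rule set and no memory of earlier packets.

    Rule 1: internal -> external, destination port 443, allowed (outbound HTTPS).
    Rule 2: external -> internal, source port 443, ACK set, allowed as the
            assumed return half of rule 1. This is the weakness: the ACK bit is
            written by the sender, so a forged ACK "from port 443" reaches any
            internal host and any internal port.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return True
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport == 443 and "A" in pkt.flags):
        return True
    return False


class StatefulFilter:
    """Stateful inspection: inbound traffic must belong to a flow opened inside."""

    def __init__(self) -> None:
        self.table: Set[Flow] = set()  # connections seen leaving the LAN

    def __call__(self, pkt: Packet) -> bool:
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
            if pkt.flags == "S":           # new outbound connection: record it
                self.table.add(flow)
                return True
            if flow in self.table:         # later packets of a known flow
                if "R" in pkt.flags:       # reset: forget the connection
                    self.table.discard(flow)
                return True                # (a real firewall also ages entries out)
            return False
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            reverse: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reverse in self.table   # only replies to flows we saw leave
        return False


TRACE: List[Packet] = [  # constructed trace, not a real capture
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),   # teller PC opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),  # legitimate SYN/ACK back
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A"),   # handshake completes
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, "A"),    # forged ACK aimed at RDP
    Packet("198.51.100.7", 443, "10.0.0.9", 445, "A"),     # forged ACK aimed at SMB
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, "S"),    # plain inbound SYN to SSH
]


def run(decide: Callable[[Packet], bool]) -> List[bool]:
    """Apply one filter to the whole trace, in order, and collect its decisions."""
    return [decide(p) for p in TRACE]


def run_stateless() -> List[bool]:
    return run(stateless_filter)


def run_stateful() -> List[bool]:
    return run(StatefulFilter())  # fresh connection table for every run


if __name__ == "__main__":
    for name, result in (("stateless", run_stateless()), ("stateful", run_stateful())):
        print(f"{name:9s}: " + ", ".join("ALLOW" if ok else "DROP" for ok in result))
```

  Packets 4 and 5 are the ones to compare: the stateless filter admits both forged ACKs because, taken one packet at a time, they satisfy rule 2, while the stateful filter drops them because no internal host ever opened a connection to 198.51.100.7. Both filters agree on the first three packets (the real HTTPS handshake) and on the last (an unsolicited inbound SYN).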



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM  (HGA)

This chapter illustrates how a hypothetical government agency (HGA) deals with computer security issues in its operating environment. It follows the evolution of HGA's initiation of an assessment of the threats to its computer security system all the way through to HGA's recommendations for mitigating those risks. In the real world, many solutions exist for computer security problems. No single solution can solve similar security problems in all environments. Likewise, the solutions presented in this example may not be appropriate for all environments.

This example can be used to help understand how security issues are examined, how some potential solutions are analyzed, how their cost and benefits are weighed, and ultimately how management accepts responsibility for risks.

This case study is provided for illustrative purposes only, and should not be construed as guidance or specific recommendations for solving specific security issues. Because a comprehensive example attempting to illustrate all handbook topics would be inordinately long, this example necessarily simplifies the issues presented and omits many details. For instance, to highlight the similarities and differences among controls in the different processing environments, it addresses some of the major types of processing platforms linked together in a distributed system: personal computers, local-area networks, wide-area networks, and mainframes; it does not show how to secure these platforms.

This section also highlights the importance of management's acceptance of a particular level of risk; this will, of course, vary from organization to organization. It is management's prerogative to decide what level of risk is appropriate, given operating and budget environments and other applicable factors.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.