FFIEC IT audits - To meet the national emergency, I am now performing remote/offsite FFIEC IT audits for insured financial institutions. I am a former bank examiner with over 50 years IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI - The Pentagon Hasn't Fixed Basic Cybersecurity Blind Spots - Five
years ago, the Department of Defense set dozens of security hygiene
goals. A new report finds that it has abandoned or lost track of
most of them.
https://www.wired.com/story/pentagon-cybersecurity-blind-spots/
U.S. offers up to $5M for info on North Korean cyber activity - Four
U.S. federal agencies on Wednesday jointly issued an advisory that
warns of ongoing North Korea-sponsored cyberthreat operations, and
offers a reward of up to $5 million for information on such
operations.
https://www.scmagazine.com/home/security-news/cybercrime/u-s-offers-up-to-5m-for-info-on-north-korean-cyber-activity/
Texas judge OKs expanded mail-in voting during COVID-19 pandemic - A
week after troubling images emerged of voters sporting face masks
and trying to maintain social distancing as they stood in long lines
during the Wisconsin primary, a Texas court ruled that the state’s
registered voters would qualify to vote via mail during the
pandemic.
https://www.scmagazine.com/home/security-news/texas-judge-oks-expanded-mail-in-voting-during-covid-19-pandemic/
OVER 460 VULNERABILITIES RESOLVED IN TENTH BUG BOUNTY CHALLENGE WITH
U.S. DEPARTMENT OF DEFENSE THANKS TO HACKERS ON HACKERONE - U.S. Air
Force awards hackers over $290,000 in fourth ‘Hack the Air Force’
Challenge with HackerOne
https://www.hackerone.com/press-release/over-460-vulnerabilities-resolved-tenth-bug-bounty-challenge-us-department-defense
Amid Security Concerns: to Zoom or not to Zoom? - Zoom has rolled
out new security features and promised a cyber security and privacy
makeover after withering reports of the platform’s failings. In the
meantime, enterprises are left to wonder ‘to Zoom or not Zoom?’
https://securityledger.com/2020/04/amid-security-concerns-to-zoom-or-not-to-zoom/
Microsoft throws extended support lifeline for folk stuck on
car-crash Windows 10 1809 - Also: 2010 server products to survive
into 2021 as overstretched admins given more breathing space.
https://www.theregister.co.uk/2020/04/15/windows_10_1809_support_extended/
More CFOs feeling the heat with ransomware - Too often we’re hearing
about cities and organizations falling prey to ransomware
attacks with the average cost of ransomware related downtime
hovering around $55K – note that’s just the cost of downtime,
which excludes any ransom that might be paid.
https://www.scmagazine.com/home/opinion/executive-insight/more-cfos-feeling-the-heat-with-ransomware/
That critical VMware vuln allowed anyone on your network to create
new admin users, no creds needed - A critical vulnerability in
VMware's vCenter management product allowed any old bod on the same
network to remotely create an admin-level user, research by
Guardicore Labs has revealed.
https://www.theregister.co.uk/2020/04/17/vmware_vcenter_critical_vuln_anyone_create_admin_users/
DHS Urges Pulse Secure VPN Users To Update Passwords - The DHS urged
organizations to update their passwords and make sure that a
critical Pulse Secure VPN flaw has been patched, as attackers
continue to exploit the flaw.
https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/
Ministry of Defence lowers supplier infosec standards thanks to
COVID-19 outbreak - Updated Security standards for defence
contractors have been lowered thanks to the coronavirus outbreak,
Britain's Ministry of Defence has told its suppliers.
https://www.theregister.co.uk/2020/04/20/mod_relaxes_cyber_essentials_plus_suppliers/
SUPREME COURT TO REVIEW CFAA FOR FIRST TIME - For the first time, the
United States Supreme Court has agreed to review a case involving the Computer
Fraud and Abuse Act (CFAA), the highly controversial anti-hacking
law that many in the civil liberties and digital rights communities
have argued is overly broad and punitive. The case could be a
landmark in the decades-old effort to narrow the scope of the CFAA.
https://duo.com/decipher/supreme-court-to-review-cfaa-for-first-time
Details on 267M Facebook users sold for cheap on dark web - A
cybercriminal actor on the dark web has made available a dataset of
Facebook accounts belonging to 267 million users, recently selling
the collective lot to researchers for 500 Euros.
https://www.scmagazine.com/home/security-news/details-on-267m-facebook-users-sold-for-cheap-on-dark-web/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - California software developer hit with W-2 scam - COVID-19 may
have made April 15 just another day on the calendar this year, but
cybercriminals are still running W-2 tax form scams this time
hitting Applications Software Technologies.
https://www.scmagazine.com/home/security-news/data-breach/california-software-developer-hit-with-w-2-scam/
GitHub users being hit with credential stealing phishing messages -
GitHub users are being targeted by a Sawfish phishing campaign
designed to steal their GitHub login credentials and time-based
one-time password (TOTP) codes.
https://www.scmagazine.com/home/security-news/phishing/github-users-being-hit-with-credential-stealing-phishing-messages/
23 million Webkinz login credentials found on the dark web - The
popular children’s website Webkinz suffered a massive data breach
earlier this month that saw about 23 million user login credentials
exposed on a dark web forum.
https://www.scmagazine.com/home/security-news/data-breach/23-million-webkinz-login-credentials-found-on-the-dark-web/
Maze ransomware attack catches IT services firm Cognizant unawares -
Digital solutions provider and IT consultant giant Cognizant has
been struck by a Maze ransomware attack that infected its systems
and caused service disruptions to its clients.
https://www.scmagazine.com/home/security-news/cybercrime/maze-ransomware-attack-catches-it-services-firm-cognizant-unawares/
Clearview AI source code, facial recognition apps, data exposed - In
a familiar refrain, a cloud data bucket was left open, but this time
the stakes were high – a misconfigured server exposed the source
code, copies of its facial recognition apps as well as private data
at controversial startup Clearview AI, which gained unwanted
notoriety earlier this year for obtaining billions of photos by
scraping the internet for use by law enforcement agencies.
https://www.scmagazine.com/home/security-news/database-security/clearview-ai-source-code-facial-recognition-apps-data-exposed/
20M Aptoide accounts exposed by leak on hacker forum - More than 20
million accounts registered with the software marketplace
application Aptoide have been reportedly exposed after an unknown
actor posted stolen user data on a hacking forum.
https://www.scmagazine.com/home/security-news/cybercrime/20m-aptoide-accounts-exposed-by-leak-on-hacker-forum/
German government might have lost tens of millions of euros in
COVID-19 phishing attack - German state of North Rhine-Westphalia
failed to put in place a citizen verification procedure and allowed
fraudsters to steal millions of euros.
https://www.zdnet.com/article/german-government-might-have-lost-tens-of-millions-of-euros-in-covid-19-phishing-attack/
IT services firm Cognizant hit with Maze ransomware - Cognizant, a
multibillion-dollar IT services company with clients in the banking
and oil and gas industries, said Saturday its computer systems had
been disrupted by Maze ransomware, a strain of malicious code that
has been used in cyberattacks in the U.S. and Europe in recent
months.
https://www.cyberscoop.com/cognizant-maze-ransomware-fortune-500/
SBA emergency loan applicants’ data likely exposed - A breach at the
Small Business Administration may have exposed personal information
on almost 8,000 small businesses that applied to the agency’s
Economic Injury Disaster Loan program (EIDL), recently expanded to
include organizations affected by the COVID-19 pandemic.
https://www.scmagazine.com/home/security-news/network-security/sba-emergency-loan-applicants-data-likely-exposed/
Fitness software maker Kinomap leaves database open exposing 42
million users - A database from the fitness software company Kinomap
was found exposed on the internet leaving the records of 42 million
users open and viewable for at least one month.
https://www.scmagazine.com/home/security-news/data-breach/fitness-software-maker-kinomap-leaves-database-open-exposing-42-million-users/
Online leak undermines Torrance’s claim that no personal data was
affected by cyberattack - A new online post by the DoppelPaymer gang
further suggests that a cyberattack experienced by Torrance,
California in late February-early March was a case of ransomware —
one that appears to have affected personal data, despite the Los
Angeles-area city’s claims otherwise.
https://www.scmagazine.com/home/security-news/cybercrime/online-leak-undermines-citys-claim-that-no-personal-data-was-affected-by-cyberattack/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third parties in
providing services to the financial institution. To provide
accountability, it may be beneficial for the financial institution
to seek an agreement with and designate a primary contracting
service provider. The institution may want to consider including a
provision specifying that the contracting service provider is
responsible for the service provided to the institution regardless
of which entity is actually conducting the operations. The
institution may also want to consider including notification and
approval requirements regarding changes to the service provider’s
significant subcontractors.
Cost
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient
to provide a high degree of assurance that their security plan,
strategy and implementation are effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
environment.
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on high-risk systems can occur at
least as frequently as significant changes are made to the network.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.3.3 System-Specific Policy Implementation
Technology plays an important - but not sole - role in enforcing
system-specific policies. When technology is used to enforce policy,
it is important not to neglect nontechnology-based methods. For
example, technical system-based controls could be used to limit the
printing of confidential reports to a particular printer. However,
corresponding physical security measures would also have to be in
place to limit access to the printer output or the desired security
objective would not be achieved.
Technical methods frequently used to implement system-security
policy are likely to include the use of logical access controls.
However, there are other automated means of enforcing or supporting
security policy that typically supplement logical access controls.
For example, technology can be used to block telephone users from
calling certain numbers. Intrusion-detection software can alert
system administrators to suspicious activity or can take action to
stop the activity. Personal computers can be configured to prevent
booting from a floppy disk.
Technology-based enforcement of system-security policy has both
advantages and disadvantages. A computer system, properly designed,
programmed, installed, configured, and maintained, consistently
enforces policy within the computer system, although no computer can
force users to follow all procedures. Management controls also play
an important role - and should not be neglected. In addition,
deviations from the policy may sometimes be necessary and
appropriate; such deviations may be difficult to implement easily
with some technical controls. This situation occurs frequently if
implementation of the security policy is too rigid (which can occur
when the system analysts fail to anticipate contingencies and
prepare for them).