FFIEC IT audits -
To meet the national emergency, I am now performing remote/offsite FFIEC IT
audits for insured financial institutions. I am a former bank examiner with
over 50 years of IT audit experience. Please email R. Kinney Williams at
examiner@yennik.com from your bank's domain and I will email you information
and fees.
FYI - Connecticut town drops drone program to combat COVID-19 spread
over privacy concerns - Drones chasing people around during a
worldwide pandemic to determine if they’ve been infected with the
coronavirus seemed too much like something out of a sci-fi movie,
fraught with privacy and security concerns, for a Connecticut town
that joined, then quickly ditched its plans to participate in, the
Draganfly drone Flatten the Curve program.
https://www.scmagazine.com/home/security-news/connecticut-town-drops-drone-program-to-combat-covid-19-spread-over-privacy-concerns/
After intense scrutiny, Zoom tightens up security with version 5.
New features include not, er, spilling video calls to network snoops
- Zoom's ongoing game of whack-a-mole with security bugs in its code
continued today with the imminent emission of version 5, replete
with support for 256-bit AES-GCM encryption.
https://www.theregister.co.uk/2020/04/22/zoom_5/
Israeli cyber defenders warn of attacks on water supply - Israel’s
National Cyber Array issued a notification that cyberattacks have
been launched against a variety of water control critical
infrastructure targets.
https://www.scmagazine.com/home/security-news/cyberattack/israeli-cyber-defenders-warn-of-attacks-on-water-supply/
The quick and the breached: Futureproofing security operations -
Security is about rates: the adversary is innovative, motivated,
funded and enjoys the advantages of asymmetry in cyber conflict. The
rate of improvement in the proficiency of attackers is increasing
faster than, by-and-large, that of the defenders.
https://www.scmagazine.com/home/opinion/executive-insight/the-quick-and-the-breached-futureproofing-security-operations/
Chinese ‘Frontline’ COVID-19 Research Firm Reported Hacked: Data Now
On Dark Web - It’s a controversial subject—the use of CT scans to
diagnose coronavirus—but it’s an emerging field. And while the likes
of the U.S. Centers for Disease Control and Prevention and the
American College of Radiology have cautioned against it, one Chinese
medical company has harnessed Intel’s technology and Huawei’s
marketing channels to push its solutions into frontline hospitals.
https://www.forbes.com/sites/zakdoffman/2020/04/26/chinese-covid-19-detection-firm-just-got-hacked-data-for-sale-on-dark-web-new-report/#770d88b75dec
Microsoft Teams vulnerability patched, could lead to account
takeover - Microsoft’s Teams collaboration platform contains a
vulnerability that can be exploited with a malicious GIF enabling an
attacker to take over a company’s Teams accounts.
https://www.scmagazine.com/home/security-news/vulnerabilities/microsoft-teams-vulnerability-patched-could-lead-to-account-takeover/
Build a data-driven defense strategy to fight cybercrime - The
coronavirus pandemic is being compared to war-like conditions by the
World Health Organization.
https://www.scmagazine.com/home/opinion/executive-insight/build-a-data-driven-defense-strategy-to-fight-cybercrime/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Paay open database exposes 2.5M transactions, challenges PCI
compliance - The start-up payment processing firm Paay that promotes
itself as providing extra security to online transactions called
that claim into question when it misconfigured a payment card
database, exposing 2.5 million credit card transactions and raising
concerns over PCI compliance.
https://www.scmagazine.com/home/security-news/paay-open-database-exposes-2-5m-transactions-challenges-pci-compliance/
WHO confirms credentials leak included staff working on COVID-19
response - The World Health Organization (WHO) said the recent leak
of 450 active WHO email addresses and passwords along with
credentials of thousands working on the response to the coronavirus
pandemic didn’t put the organization’s systems at risk.
https://www.scmagazine.com/home/security-news/who-confirms-credentials-leak-included-staff-working-on-covid-19-response/
Online leak undermines Torrance’s claim that no personal data was
affected by cyberattack - A new online post by the DoppelPaymer gang
further suggests that a cyberattack experienced by Torrance,
California in late February-early March was a case of ransomware —
one that appears to have affected personal data, despite the Los
Angeles-area city’s claims otherwise.
https://www.scmagazine.com/home/security-news/cybercrime/online-leak-undermines-citys-claim-that-no-personal-data-was-affected-by-cyberattack/
SBA reveals potential data breach impacting 8,000 emergency business
loan applicants - The US Small Business Administration (SBA) has
revealed a suspected data breach impacting the portal used by
business owners to apply for emergency loans.
https://www.zdnet.com/article/sba-reveals-potential-data-breach-impacting-8000-emergency-business-loan-applicants/
Hackers have breached 60 ad servers to load their own malicious ads
- A mysterious hacker group has been taking over ad servers for the
past nine months in order to insert malicious ads into their ad
inventory, ads that redirect users to malware download sites.
https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/
LA County Hit with DoppelPaymer Ransomware Attack - The DoppelPaymer
ransomware operators claim that they’ve hit a Los Angeles county
with a ransomware attack – and are now leaking the city’s data
online, according to a recent report.
https://threatpost.com/la-county-hit-with-doppelpaymer-ransomware-attack/155024/
Hackers Trick 3 British Private Equity Firms Into Sending Them $1.3
Million - In a recent highly targeted BEC attack, hackers managed to
trick three British private equity firms into wire-transferring a
total of $1.3 million to the bank accounts fraudsters have access to
— while the victimized executives thought they closed an investment
deal with some startups.
https://thehackernews.com/2020/04/bec-scam-wire-transfer-money.html
Nintendo confirms 160,000 user accounts hacked - Nintendo has
confirmed 160,000 user accounts have been accessed exposing a
limited amount of PII and possibly access to Nintendo store
accounts.
https://www.scmagazine.com/home/security-news/gaming/nintendo-confirms-160000-user-accounts-hacked/
Cyberattack strikes down Colorado’s Parkview Medical Center - One
week after suffering an as yet unnamed type of cyberattack, Parkview
Medical Center’s network is still inoperative.
https://www.scmagazine.com/home/security-news/cyberattack/cyberattack-strikes-down-colorados-parkview-medical-center/
Hackers publish ExecuPharm internal data after ransomware attack -
U.S. pharmaceutical giant ExecuPharm has become the latest victim of
data-stealing ransomware.
https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/
Zaha Hadid Architects hit with ransomware attack - Information
stolen from the servers of Zaha Hadid Architects (ZHA) is being held
at ransom by computer hackers.
https://archinect.com/news/article/150195258/zaha-hadid-architects-hit-with-ransomware-attack
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution's name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Duration
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institution's
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we
perform. Please refer to http://www.internetbankingaudits.com/ for
information.)
Penetration tests, audits, and assessments can use the same
set of tools in their methodologies. The nature of the tests,
however, is decidedly different. Additionally, the definitions of
penetration test and assessment, in particular, are not universally
held and have changed over time.
Penetration Tests. A penetration test subjects a system to
real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
process.
Audits. Auditing compares current practices against a set
of standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
their institution.
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
5.4 Interdependencies
Policy is related to many of the topics covered in this handbook:
Program Management. Policy is used to establish an
organization's computer security program, and is therefore closely
tied to program management and administration. Both program and
system-specific policy may be established in any of the areas
covered in this handbook. For example, an organization may wish to
have a consistent approach to incident handling for all its systems
- and would issue appropriate program policy to do so. On the other
hand, it may decide that its applications are sufficiently
independent of each other that application managers should deal with
incidents on an individual basis.
Access Controls. System-specific policy is often
implemented through the use of access controls. For example, it may
be a policy decision that only two individuals in an organization
are authorized to run a check-printing program. Access controls are
used by the system to implement (or enforce) this policy.
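The handbook's check-printing example, carried through in code as an added illustration (this is not code from the NIST Handbook or from the newsletter): the policy decision "only two individuals may run the check-printing program" is written down as data, the system enforces it with a deny-by-default check before any work is done, and each decision is logged so an auditor can later compare actual practice against the stated policy. The operator names, the policy record, and the AuditLog helper are constructed for this example.

```python
"""Implementing a system-specific policy through access control.

Added example (not from the NIST Handbook or the newsletter). The policy
statement is kept as data, separate from the enforcement code, and every
authorization decision is recorded for later audit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy record: the two authorised operators are hypothetical names.
CHECK_PRINT_POLICY = {
    "resource": "check-printing",
    "action": "run",
    "authorized_subjects": frozenset({"alice.treasurer", "bob.controller"}),
}


@dataclass
class AccessDecision:
    """One authorization decision, kept in a form an auditor can review."""
    subject: str
    resource: str
    action: str
    allowed: bool
    reason: str
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )


class AuditLog:
    """Minimal in-memory audit trail (constructed helper for the example)."""

    def __init__(self):
        self.entries = []

    def record(self, decision):
        self.entries.append(decision)

    def denied(self):
        return [e for e in self.entries if not e.allowed]


def authorize(subject, resource, action, policy=CHECK_PRINT_POLICY, log=None):
    """Deny by default: only an exact match on resource, action and subject passes."""
    if resource != policy["resource"] or action != policy["action"]:
        decision = AccessDecision(subject, resource, action, False,
                                  "no policy covers this request")
    elif subject in policy["authorized_subjects"]:
        decision = AccessDecision(subject, resource, action, True,
                                  "subject listed in policy")
    else:
        decision = AccessDecision(subject, resource, action, False,
                                  "subject not listed in policy")
    if log is not None:
        log.record(decision)
    return decision


def run_check_printing(subject, amount_cents, log):
    """Guarded entry point: the control is applied before any cheque is produced."""
    decision = authorize(subject, "check-printing", "run", log=log)
    if not decision.allowed:
        raise PermissionError(f"{subject}: {decision.reason}")
    # Placeholder for the real print job; returns what was printed and by whom.
    return {"printed_by": subject, "amount_cents": amount_cents}


def main():
    log = AuditLog()
    print(run_check_printing("alice.treasurer", 125_000, log))
    for who in ("mallory.temp", "bob.controller"):
        try:
            print(run_check_printing(who, 99_999, log))
        except PermissionError as exc:
            print("denied:", exc)
    # The audit trail is what lets a reviewer compare practice against policy.
    print(len(log.denied()), "denied attempt(s) recorded")


if __name__ == "__main__":
    main()
```

Keeping the authorized list in the policy record rather than hard-coding names into the program means a change in the policy (a new controller, a departure) is a data change that can itself be reviewed, while the enforcement path stays fixed and deny-by-default.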
Links to Broader Organizational Policies. This chapter has
focused on the types and components of computer security policy.
However, it is important to realize that computer security policies
are often extensions of an organization's information security
policies for handling information in other forms (e.g., paper
documents). For example, an organization's e-mail policy would
probably be tied to its broader policy on privacy. Computer security
policies may also be extensions of other policies, such as those
about appropriate use of equipment and facilities.