Virtual IT audits - In response to the national emergency, I am now performing virtual FFIEC IT audits for insured financial institutions. I am a former bank examiner with over 50 years of IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI - Two Charged with Stimulus Fraud - First in the nation to be charged with fraudulently seeking CARES Act SBA Paycheck Protection Loans - Two businessmen have been charged in the District of Rhode Island with allegedly filing bank loan applications fraudulently seeking more than a half-million dollars in forgivable loans guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
https://www.fdicoig.gov/press-release/two-charged-stimulus-fraud
Exposure of 7.4B records at Le Figaro highlights ongoing problems with misconfigured databases - The exposure of 7.4 billion personal information-laden records, including some login credentials, at France’s Le Figaro underscores how unsecured databases persist even in a world hyperaware of privacy and data security.
https://www.scmagazine.com/home/security-news/database-security/exposure-of-7-4b-records-at-le-figaro-highlights-ongoing-problems-with-misconfigured-databases/
Build a data-driven defense strategy to fight cybercrime - The coronavirus pandemic is being compared to war-like conditions by the World Health Organization. We know that bad decisions and poor data (or intelligence) during a war can have serious human and economic consequences.
https://www.scmagazine.com/home/opinion/executive-insight/build-a-data-driven-defense-strategy-to-fight-cybercrime/
This new cybersecurity school will teach kids to crack codes from home - Online initiative looks to inspire a new generation of cybersecurity talent to bring out their 'digital Sherlock Holmes' while schools remain closed.
https://www.zdnet.com/article/this-new-cybersecurity-school-will-teach-kids-to-crack-codes-from-home/
Banking trojan attack exposes dangers of not securing MDM solutions - A global conglomerate had 75 percent of its mobile devices infected by a variant of the Cerberus Android banking trojan after an attack compromised the company’s mobile device management (MDM) server and used it to spread the malware.
https://www.scmagazine.com/home/security-news/mobile-security/banking-trojan-attack-exposes-dangers-of-not-securing-mdm-solutions/
Average ransom payment up 33 percent in Q1, Sodinokibi and Ryuk top variants - The ever industrious and forward-looking groups behind the majority of ransomware attacks essentially reinvented the business during the first quarter of 2020, developing new tools and methods that helped boost their success rate.
https://www.scmagazine.com/home/security-news/ransomware/average-ransom-payment-up-33-percent-in-q1-sodinokibi-and-ryuk-top-variants/
Trump cites cybersecurity concerns issuing order to protect power grid - President Trump declared a national emergency to protect the nation’s bulk-power infrastructure that stops the purchase or use of any equipment that involves a foreign adversary in any way.
https://www.scmagazine.com/home/security-news/government-and-defense/trump-cites-cyber-concerns-issuing-order-to-protect-power-grid/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - GoDaddy takes seven months to discover data breach - Cybersecurity pros are coming down hard on GoDaddy after the domain registry company reported that an outsider had accessed customer login credentials possibly affecting all 19 million company accounts.
https://www.scmagazine.com/home/security-news/data-breach/godaddy-takes-seven-months-to-discover-data-breach/
Phishing attacks spoof Microsoft Teams to steal user credentials - Attackers are exploiting the surge in the use of Microsoft Teams in an attempt to trap unsuspecting users, says Abnormal Security.
https://www.techrepublic.com/article/phishing-attacks-spoof-microsoft-teams-to-steal-user-credentials/
Notification emails impersonate Microsoft Teams to steal credentials - As the use of collaborative platforms continues to tick up as people work from home during the Covid-19 pandemic, hackers are sending fake email notifications that appear to come from Microsoft Teams in an effort to steal employee credentials.
https://www.scmagazine.com/home/security-news/phishing/notification-emails-impersonate-microsoft-teams-to-steal-credentials/
North Dakota government fiber provider hit by ransomware - The company that operates a fiber optic network that supports statewide and local government entities across North Dakota was a victim of a recent ransomware attack that included some of the firm’s files being published on a website that attempts to shame victims into paying.
https://statescoop.com/north-dakota-government-fiber-provider-hit-maze-ransomware/
900,000 WordPress sites attacked via XSS vulnerabilities - Nearly 1 million WordPress sites are being hit by what is likely a single threat actor attempting to inject a redirect into the sites by exploiting a cross-site scripting vulnerability.
https://www.scmagazine.com/home/security-news/vulnerabilities/900000-wordpress-sites-attacked-via-xss-vulnerabilities/
No reprieve for health care orgs as ransomware hits hospital operator, plastic surgeons - If there was any lingering hope that cybercriminals would show mercy on health care providers during the COVID-19 crisis - as some claimed they would do - that pipe dream evaporated with the news that various ransomware groups attacked Fresenius, Europe’s largest private hospital operator, as well as a pair of U.S.-based plastic surgery clinics.
https://www.scmagazine.com/home/security-news/ransomware/no-reprieve-for-health-care-orgs-as-ransomware-hits-hospital-operator-plastic-surgeons/
44M leaked Pakistani mobile user records apparently belong to Jazz - A month after a hacker peddled 115 million records of Pakistani mobile users, information on 44 million of them has been leaked online.
https://www.scmagazine.com/home/security-news/44m-leaked-pakistani-mobile-user-records-apparently-belong-to-jazz/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Dispute Resolution
The institution should consider including in the contract a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period.
Indemnification
Indemnification provisions generally require the financial institution to hold the service provider harmless from liability for the negligence of the institution, and vice versa. These provisions should be reviewed to reduce the likelihood of potential situations in which the institution may be liable for claims arising as a result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses limiting the amount of liability that can be incurred by the service provider. If the institution is considering such a contract, consideration should be given to whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider’s failure to perform its obligations.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as the personnel performing and supervising the test. Management is responsible for reviewing the qualifications of the testing personnel to satisfy themselves that the capabilities of the testing personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling security risks.
Notifications. Management is responsible for considering whom to inform within the institution about the timing and nature of the tests. The need for protection of institution systems and the potential for disruptive false alarms must be balanced against the need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect data integrity, confidentiality, and availability. Management is expected to limit those risks by appropriately crafting test protocols. Examples of issues to address include the specific systems to be tested, threats to be simulated, testing times, the extent of security compromise allowed, situations in which testing will be suspended, and the logging of test activity. Management is responsible for exercising oversight commensurate with the risk posed by the testing.
Frequency. The frequency of testing should be determined by the institution's risk assessment. High-risk systems should be subject to an independent diagnostic test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly. Factors that may increase the frequency of testing include the extent of changes to network configuration, significant changes in potential attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly the type of independent diagnostic testing that we perform. Please refer to http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy system is generally not effective in validating the effectiveness of a security process. Proxy testing, by its nature, does not test the operational system's policies and procedures, or its integration with other systems. It also does not test the reaction of personnel to unusual events. Proxy testing may be the best choice, however, when management is unable to test the operational system without creating excessive risk.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
5.5 Cost Considerations
A number of potential costs are associated with developing and implementing computer security policies. Overall, the major cost of policy is the cost of implementing the policy and its impacts upon the organization. For example, establishing a computer security program, accomplished through policy, does not come at negligible cost.
Other costs may be those incurred through the policy development process. Numerous administrative and management activities may be required for drafting, reviewing, coordinating, clearing, disseminating, and publicizing policies. In many organizations, successful policy implementation may require additional staffing and training - and can take time. In general, the costs to an organization for computer security policy development and implementation will depend upon how extensive a change is needed to achieve a level of risk acceptable to management.