FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Trump issues executive order to help grow the U.S. cybersecurity workforce - President Trump today issued an executive order directing the creation of various programs to help eliminate the cybersecurity labor shortage, promote cybersecurity work within the government and encourage widespread adoption of the cybersecurity workforce framework created by the National Initiative for Cybersecurity Education (NICE). https://www.scmagazine.com/home/security-news/government-and-defense/trump-issues-executive-order-to-help-grow-the-u-s-cybersecurity-workforce/

World Password Day: Are we in the Last Days? - As authentication methods improve and companies like Microsoft declare the end of the password era is here, some cybersecurity experts argue this may be one of the last Global Password days to be held. https://www.scmagazine.com/home/security-news/privacy-compliance/some-cybersecurity-experts-argue-this-may-be-one-of-the-last-global-password-days/

Cybersecurity executive changes - https://www.scmagazine.com/home/security-news/corporate-news/cybersecurity-executive-changes-2/

From paper compliance to operational compliance - Data privacy has become an overarching issue top of mind to organizations across industries and geographies over the past several years. https://www.scmagazine.com/home/opinion/from-paper-compliance-to-operational-compliance/

When’s the last time you looked at your incident response plan? - Security is broad. That is evident in, for example, the Security Rule within the Health Insurance Portability and Accountability Act, a central compliance concern for any organization handling the health data of U.S. citizens. https://www.scmagazine.com/home/opinion/executive-insight/whens-the-last-time-you-looked-at-your-incident-response-plan/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wolters Kluwer still down from May 6 cyberattack - The information services firm Wolters Kluwer has been battling to recover from a cyberattack that forced the company to shut down many of its tax and accounting software applications, which is causing issues for those using the affected products. https://www.scmagazine.com/home/security-news/malware/wolters-kluwer-still-down-from-may-6-cyberattack/

Man-in-the-Middle vulnerabilities in D-Link cameras - A series of vulnerabilities in the D-Link DCS-2132L cloud camera allow attackers to remotely tap into the video streams of the devices and also manipulate the device’s firmware. https://www.scmagazine.com/home/security-news/vulnerabilities/a-series-of-vulnerabilities-in-the-d-link-dcs-2132l-cloud-camera-allow-attackers-to-remotely-tap-into-the-video-streams-of-the-devices-and-also-manipulate-the-devices-firmware/

Job seeker’s data exposed on open Ladders database - The employment website Ladders exposed almost 14 million user records when it left an Amazon Elasticsearch database unprotected. https://www.scmagazine.com/home/security-news/cloud-security/job-seekers-data-exposed-on-open-ladders-database/

Mystery Database Exposed Info on 80 Million US Households - Researchers Locate an Unprotected 24 GB Database With Names, Addresses and Incomes - A mysterious, unsecured database hosted on Microsoft's cloud platform contained personal information on nearly 80 million U.S. households, according to two researchers who found it. http://www.bankinfosecurity.com/mystery-database-exposed-info-on-80-million-us-households-a-12432

Denial of service event impacted U.S. power utility last month - An apparent cyberattack on March 5 caused disruptions at a western U.S. electric utility by creating a denial of service condition, according to an official summary of Electric Disturbance Events reports processed by the U.S. Department of Energy (DOE) this year. https://www.scmagazine.com/home/security-news/denial-of-service-event-impacted-u-s-power-utility-last-month/

‘Mirrorthief’ card-skimming attack steals card data from online college stores - A total of 201 online college stores in the U.S. and Canada have fallen victim to a Magecart-style card-skimming attack that appears to be the work of a new cybercrime group with no clear ties to past Magecart activity. https://www.scmagazine.com/home/security-news/mirrorthief-card-skimming-attack-steals-card-data-from-online-college-stores/

Buena Vista Horace Mann student data compromised - An unknown number of students at Buena Vista Horace Mann (BVHM) school in San Francisco had their information exposed when a district worker emailed their information to an unauthorized individual. https://www.scmagazine.com/home/security-news/data-breach/buena-vista-horace-mann-student-data-compromised/

Baltimore struck with Robbinhood ransomware, city servers down - Baltimore’s government computer system was hit reportedly with Robbinhood ransomware yesterday shutting down most of the city’s servers and forcing the city council to cancel meetings. https://www.scmagazine.com/home/security-news/ransomware/baltimore-struck-with-robbinhood-ransomware-city-servers-down/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
  Board and Management Oversight - Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)
   
   The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.
   
   Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.
   
   As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:
   
   1)  Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.
   
   2)  Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.
   
   3)  Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.
   
   4)  Authenticated e-banking sessions remain secure throughout the full duration of the session or in the event of a security lapse the session should require re-authentication.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  
  Application - Level Firewalls
  
  Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific application or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.
  
  The primary disadvantages of application - level firewalls are:
  
  ! The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application level firewall and passed through different access controls.
  
  ! Any particular firewall may provide only limited support for new network applications and protocols. They also simply may allow traffic from those applications and protocols to go through the firewall.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.2.1 System Architecture

Most of HGA's staff (a mix of clerical, technical, and managerial staff) are provided with personal computers (PCs) located in their offices. Each PC includes hard-disk and floppy-disk drives.

The PCs are connected to a local area network (LAN) so that users can exchange and share information. The central component of the LAN is a LAN server, a more powerful computer that acts as an intermediary between PCs on the network and provides a large volume of disk storage for shared information, including shared application programs. The server provides logical access controls on potentially sharable information via elementary access control lists. These access controls can be used to limit user access to various files and programs stored on the server. Some programs stored on the server can be retrieved via the LAN and executed on a PC; others can only be executed on the server.

To initiate a session on the network or execute programs on the server, users at a PC must log into the server and provide a user identifier and password known to the server. Then they may use files to which they have access.

One of the applications supported by the server is electronic mail (e-mail), which can be used by all PC users. Other programs that run on the server can only be executed by a limited set of PC users.

Several printers, distributed throughout HGA's building complex, are connected to the LAN. Users at PCs may direct printouts to whichever printer is most convenient for their use.

Since HGA must frequently communicate with industry, the LAN also provides a connection to the Internet via a router. The router is a network interface device that translates between the protocols and addresses associated with the LAN and the Internet. The router also performs network packet filtering, a form of network access control, and has recently been configured to disallow non-e-mail (e.g., file transfer, remote log-in) between LAN and Internet computers.

The LAN server also has connections to several other devices.