FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- Despite increased cyber-risk awareness, poor password hygiene still rules - It was often suggested in the past by many that lack of appreciation of the true cyber-threats posed by hackers made people complacent about their password habits, but new research has revealed that even though people are now more aware of security best practices than in the past, their password management has remained largely unchanged.
https://www.scmagazine.com/despite-increased-cyber-risk-awareness-poor-password-hygiene-still-rules/article/763215/

- Trump administration looking to rescind cyberwarfare approval process - The Trump administration is reportedly looking to rescind Presidential Policy Directive 20, an important policy memorandum that currently guides the approval process for government-backed cyberattacks.
https://www.scmagazine.com/the-framework-in-question-has-been-a-point-of-frustration-inside-the-pentagon-long-before-trump-came-into-office/article/763394/

- After Equifax breach, major firms still rely on same flawed software - At least seven tech giants still use the vulnerable software that hackers exploited to attack Equifax last year.
https://www.zdnet.com/article/after-equifax-breach-companies-rely-on-same-flawed-software/

- FBI Latest Internet Crime Report Released - IC3 Says Victim Losses Exceeded $1.4 Billion in 2017.
https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718

- Georgia governor vetoes anti-bug bounty bill - Cybersecurity officials breathed a sigh of relief as Georgia Governor Nathan Deal vetoed state bill 315, which would have essentially made it a crime to hack into a computer system, even to simply find its weaknesses, and would have given the O.K. for companies to hack back against hackers.
https://www.scmagazine.com/georgia-governor-vetoes-anti-bug-bounty-bill/article/764858/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Twitter urges users to change passwords after finding bug in password storage system - Whether serendipitous or ironic, Global Password Day found Twitter advising users to change their passwords after a bug in its password storage system "unmasked" the passwords in an internal log.
https://www.scmagazine.com/twitter-urges-users-to-change-passwords-after-finding-bug-in-password-storage-system/article/763431/

- FLEETCOR Technologies gift card systems breached - FLEETCOR Technologies, a $2.25 billion company specializing in fuel cards and workforce payment products and services, publicly disclosed this past Thursday that its gift card systems were accessed last month by an unauthorized party.
https://www.scmagazine.com/fleetcor-technologies-gift-card-systems-breached/article/763965/

- Trojanized CMS plug-ins infect thousands of websites in tech support scam campaign - A recently uncovered tech support scam campaign has compromised thousands of websites with malicious ad injections that redirect users to a browser locker page that claims their computers are infected.
https://www.scmagazine.com/trojanized-cms-plug-ins-infect-thousands-of-websites-in-tech-support-scam-campaign/article/764473/

- Cryptojacking campaign hits 400 Drupal-based sites, many run by governments and universities - Nearly 400 websites running outdated and vulnerable versions of the Drupal content management system, many affiliated with governments and educational institutions, were recently discovered to be infected with Coinhive-based cryptomining software.
https://www.scmagazine.com/cryptojacking-campaign-hits-400-drupal-based-sites-many-run-by-governments-and-universities/article/764827/
WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with other federal agencies, financial institutions are required to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information (Security Guidelines). The FDIC considers this programmatic requirement to be one of the foundations of identity theft prevention. In guidance that became effective on January 1, 2007, the federal banking agencies made it clear that they expect institutions to use stronger and more reliable methods to authenticate the identity of customers using electronic banking systems. Moreover, the FDIC has also issued guidance stating that financial institutions are expected to notify customers of unauthorized access to sensitive customer information under certain circumstances. The FDIC has issued a number of other supervisory guidance documents articulating its position and expectations concerning identity theft. Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.

Risk management examiners trained in information technology (IT) and the requirements of the Bank Secrecy Act (BSA) evaluate a number of aspects of a bank's operations that raise identity theft issues. IT examiners are well-qualified to evaluate whether banks are incorporating emerging IT guidance into their Identity Theft Programs and GLBA 501(b) Information Security Programs; responsibly overseeing service provider arrangements; and taking action when a security breach occurs. In addition, IT examiners will consult with BSA examiners during the course of an examination to ensure that the procedures institutions employ to verify the identity of new customers are consistent with existing laws and regulations to prevent financial fraud, including identity theft.

The FDIC has also issued revised examination procedures for the Fair Credit Reporting Act (FCRA), through the auspices of the Federal Financial Institutions Examination Council's (FFIEC) Consumer Compliance Task Force. These procedures are used during consumer compliance examinations and include steps to ensure that institutions comply with the FCRA's fraud and active duty alert provisions. These provisions enable consumers to place alerts on their consumer reports that require users, such as banks, to take additional steps to identify the consumer before new credit is extended. The procedures also include reviews of institutions' compliance with requirements governing the accuracy of data provided to consumer reporting agencies. These requirements include the blocking of data that may be the result of an identity theft. Compliance examiners are trained in the various requirements of the FCRA and ensure that institutions have effective programs to comply with the identity theft provisions. Consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.

The Fair and Accurate Credit Transactions Act directed the FDIC and other federal agencies to jointly promulgate regulations and guidelines that focus on identity theft "red flags" and customer address discrepancies. As proposed, the guidelines would require financial institutions and creditors to establish a program to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The proposed joint regulation would require financial institutions and creditors to establish reasonable policies to implement the guidelines, including a provision requiring debit and credit card issuers to assess the validity of a request for a change of address. In addition, the agencies proposed joint regulations that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when the user receives a notice of address discrepancy. When promulgated in final form, these joint regulations and guidelines will comprise another element of the FDIC's program to prevent and mitigate identity theft.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans.

Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.

The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.

The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION

16.1.2 Cryptographic Keys
Although the authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows, it is necessary for the user to also possess (or have access to) something that can perform the cryptographic computations, such as a PC or a smart card. For this reason, the protocols used are discussed in the Smart Tokens section of this chapter. However, it is possible to implement these types of protocols without using a smart token. Additional discussion is also provided under the Single Log-in section.

16.2 I&A Based on Something the User Possesses

Although some techniques are based solely on something the user possesses, most of the techniques described in this section are combined with something the user knows. This combination can provide significantly stronger security than either something the user knows or possesses alone.

Objects that a user possesses for the purpose of I&A are called tokens. This section divides tokens into two categories: memory tokens and smart tokens, which we will cover in the next two issues.