Virtual IT audits - In response to the national emergency, I am now performing
virtual FFIEC IT audits for insured financial institutions. I am a former bank
examiner with over 50 years' IT audit experience. Please email R. Kinney Williams
at examiner@yennik.com from your bank's domain and I will email you information
and fees.
FYI - What one cybersecurity company has learned from responding to Maze
ransomware - When hackers lock the computer systems of a big company
with ransomware, the gears of corporate damage control kick into
action.
https://www.cyberscoop.com/maze-ransomware-mandiant-lessons-learned/
GitHub Takes Aim at Open Source Software Vulnerabilities - GitHub
Advanced Security will help automatically spot potential security
problems in the world's biggest open source platform.
https://www.wired.com/story/github-advanced-security-open-source/
New York City schools OK tailored Zoom platform for remote learning
- After privacy issues prompted the New York City Department of
Education to transition away from Zoom as a telelearning option, the
department has reversed that decision, noting that the
teleconferencing company has created a safer platform for the city’s
students.
https://www.scmagazine.com/home/security-news/new-york-city-schools-ok-tailored-zoom-platform-for-remote-learning/
SAP says 7 cloud products not currently up to security standards -
SAP SE this week publicly disclosed that seven of its cloud products
“do not meet one or several contractually agreed or statutory IT
security standards at present,” adding that the ERP software giant
is actively taking steps to remediate these issues.
https://www.scmagazine.com/home/security-news/network-security/sap-says-7-cloud-products-not-currently-up-to-security-standards/
MobiFriends data on 3.6 million users available for download online
- The leaked personal data of more than 3.6 million users registered
on dating site MobiFriends was made all the more vulnerable because
the site used the notoriously weak MD5 hashing.
https://www.scmagazine.com/home/security-news/mobifriends-data-on-3-6-million-users-available-for-download-online/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Phishing emails caught exploiting DocuSign and COVID-19 - A new
attack discovered by Abnormal Security aims to steal account
credentials from people who use the online document signing
platform.
https://www.techrepublic.com/article/phishing-emails-caught-exploiting-docusign-and-covid-19/
Credit card skimmer caught hiding behind website favicon - A website
seemingly offering images and icons for download is actually a
cover-up for a credit card skimming operation, says Malwarebytes.
https://www.techrepublic.com/article/credit-card-skimmer-caught-hiding-behind-website-favicon/
2FA app weaponized to infect Mac users with Dacls RAT - MacOS users
who think they have protected themselves by downloading a particular
two-factor authentication application may have actually infected
their machines with a new variant of the Dacls remote access trojan.
https://www.scmagazine.com/home/security-news/cybercrime/2fa-app-weaponized-to-infect-mac-users-with-dacls-rat/
Europe’s Largest Private Hospital Operator Fresenius Hit by
Ransomware - Fresenius, Europe’s largest private hospital operator
and a major provider of dialysis products and services that are in
such high demand thanks to the COVID-19 pandemic, has been hit in a
ransomware cyber attack on its technology systems.
https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/
Transport biz Toll Group suffers second ransomware infection in just
three months - Which is just dandy seeing as deliveries are just a
wee bit important right now - Transport company Toll Group has been
slugged by ransomware for the second time in three months.
https://www.theregister.co.uk/2020/05/06/toll_group_second_ransomware_attack/
A hacker group tried to hijack 900,000 WordPress sites over the last
week - Massive hacking operation causes a 30 times spike in bad
traffic. A hacker group has attempted to hijack nearly one million
WordPress sites in the last seven days, according to a security
alert issued today by cyber-security firm Wordfence.
https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/
Hacker hijacks Milwaukee Bucks star’s Twitter account, posts
offensive trash talk - A malicious hacker reportedly hijacked the
Twitter account of NBA star forward Giannis Antetokounmpo and
riddled it with disparaging and offensive fake tweets about current
and former players.
https://www.scmagazine.com/home/security-news/cybercrime/hacker-hijacks-milwaukee-bucks-stars-twitter-account-posts-offensive-trash-talk/
REvil hackers extort law firm with Lady Gaga, Nicki Minaj, Elton
John as clients - Cyberattackers have breached a high-profile
entertainment and media law firm, infecting the practice with
ransomware and stealing files that apparently pertain to its star
clients, including Lady Gaga, Madonna, Elton John, Barbra
Streisand, Bruce Springsteen, Mariah Carey and Mary J. Blige.
https://www.scmagazine.com/home/security-news/ransomware/revil-hackers-extort-law-firm-with-lady-gaga-nicki-minaj-elton-john-as-clients/
Iran-linked hackers recently targeted coronavirus drugmaker Gilead -
sources - Hackers linked to Iran have targeted staff at U.S.
drugmaker Gilead Sciences Inc in recent weeks, according to
publicly-available web archives reviewed by Reuters and three
cybersecurity researchers, as the company races to deploy a
treatment for the COVID-19 virus.
https://www.reuters.com/article/us-healthcare-coronavirus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV
Ransomware Hit ATM Giant Diebold Nixdorf - Diebold Nixdorf, a major
provider of automatic teller machines (ATMs) and payment technology
to banks and retailers, recently suffered a ransomware attack that
disrupted some operations.
https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/
Package delivery giant Pitney Bowes confirms second ransomware
attack in 7 months - Pitney Bowes network infected with Maze
ransomware, after the company got hit by the Ryuk gang in October
last year.
https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/
Texas Courts hit by ransomware, network disabled to limit spread -
The Texas court system was hit by ransomware on Friday night, May
8th, which led to the branch network including websites and servers
being disabled to block the malware from spreading to other systems.
https://www.bleepingcomputer.com/news/security/texas-courts-hit-by-ransomware-network-disabled-to-limit-spread/
Ruhr University Bochum shuts down servers after ransomware attack -
The Ruhr University Bochum (RUB), Ruhr-Universität Bochum in German,
announced today that it was forced to shut down large parts of its
central IT infrastructure, also including the backup systems, after
a ransomware attack that took place overnight, between May 6 and May
7.
https://www.bleepingcomputer.com/news/security/ruhr-university-bochum-shuts-down-servers-after-ransomware-attack/
Hackers Turned Virginia Government Websites Into Elaborate eBooks
Scam Pages - Hackers hijacked and took over control of two
subdomains on the official website of the Virginia state government.
For some reason, they then turned the two sites into some sort of
eBook scam.
https://www.vice.com/en_us/article/88947x/hackers-virginia-government-websites-ebooks-scam
Magellan Health warns ransomware attack exposed PII - Magellan
Health is warning customers that an April 11 ransomware attack may
have affected their personal information.
https://www.scmagazine.com/home/security-news/magellan-health-warns-ransomware-attack-exposed-pii/
Pitney Bowes hit with second ransomware attack - For the second time
in a seven-month span, Pitney Bowes has been hit by a ransomware
attack, but cyber experts and financial analysts cautioned against
rashly judging the company’s security practices – or assuming fiscal
doom – with some suggesting that lessons learned from the first
attack may have limited the damage of the most recent one.
https://www.scmagazine.com/home/security-news/ransomware/pitney-bowes-hit-with-second-ransomware-attack/
Ransomware attack prompts Texas courts to disable websites, servers
- A ransomware attack on Texas courts discovered “during the
overnight hours” last Thursday night forced the Office of Court
Administration (OCA) to disable websites and servers.
https://www.scmagazine.com/home/security-news/ransomware-attack-prompts-texas-courts-to-disable-websites-servers/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Termination
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
services, bankruptcy,
company closure, and insolvency.
Institution management should consider whether or not the
contract permits the institution to terminate the contract in a
timely manner and without prohibitive expense (e.g., reasonableness
of cost or penalty provisions). The contract should state
termination and notification requirements with time frames to allow
the orderly conversion to another provider. The contract must
provide for return of the institution’s data, as well as other
institution resources, in a timely manner and in machine readable
format. Any costs associated with transition assistance should be
clearly stated.
Assignment
The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer
data is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating technology
service providers (TSPs) should use the above testing guidance in performing
initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
evaluations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on
the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computers and the information
they process are critical to many organizations' ability to perform
their mission and business functions. It therefore makes sense that
executives view computer security as a management issue and seek to
protect their organization's computer resources as they would any
other valuable asset. Doing this effectively requires the development of
a comprehensive management approach.
This chapter presents an organization-wide approach to computer
security and discusses its important management function. Because
organizations differ vastly in size, complexity, management styles,
and culture, it is not possible to describe one ideal computer
security program. However, this chapter does describe some of the
features and issues common to many federal organizations.
6.1 Structure of a Computer Security Program
Many computer security programs that are distributed throughout
the organization have different elements performing various
functions. While this approach has benefits, the distribution of the
computer security function in many organizations is haphazard,
usually based upon history (i.e., who was available in the
organization to do what when the need arose). Ideally, the
distribution of computer security functions should result from a
planned and integrated management philosophy.
Managing computer security at multiple levels brings many
benefits. Each level contributes to the overall computer security
program with different types of expertise, authority, and resources.
In general, higher-level officials (such as those at the
headquarters or unit levels in the agency described above) better
understand the organization as a whole and have more authority. On
the other hand, lower-level officials (at the computer facility and
applications levels) are more familiar with the specific
requirements, both technical and procedural, and problems of the
systems and the users. The levels of computer security program
management should be complementary; each can help the other be more
effective.
Since many organizations have at least two levels of computer
security management, this chapter divides computer security program
management into two levels: the central level and the system level.
(Each organization, though, may have its own unique structure.) The
central computer security program can be used to address the overall
management of computer security within an organization or a major
component of an organization. The system-level computer security
program addresses the management of computer security for a
particular system.