FFIEC information
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to On-site FFIEC IT Audits.
FYI - Two-factor authentication hackable - Two-factor authentication may
not be the panacea of securing access to online accounts that many
believe it is as KnowBe4's Kevin Mitnick shows how easily this
defensive measure can be spoofed.
https://www.scmagazine.com/two-factor-authentication-hackable/article/765135/
RESPONSE - Two-factor authentication is hackable, so what,
everything is - I confess, I remain baffled whenever I read the
statement, "this can be hacked". In this world, everything can be
hacked, given enough time, enough of this and of that. Everything is
vulnerable, based on the simple fact that WE are humans and,
consequently, we are vulnerable.
https://www.scmagazine.com/two-factor-authentication-is-hackable-so-what-everything-is/article/765571/
IBM bans all removable storage, for all staff, everywhere - Risk of
‘financial and reputational damage’ is too high, says CISO - IBM has
banned its staff from using removable storage devices.
http://www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/
NIS Directive comes into force to boost infrastructure
cyber-security - The Security of Network Information Systems (NIS)
Directive, which aims to ensure that critical infrastructure is
protected from cyber-attacks and computer network failure, has come
into force today with fines for non-compliance.
https://www.scmagazine.com/nis-directive-comes-into-force-to-boost-infrastructure-cyber-security/article/765121/
NIST adds privacy recommendations to its Risk Management Framework -
The National Institute of Standards and Technology has updated its
Risk Management Framework (RMF) to cover privacy issues with a focus
on helping organizations better understand and protect their
members' personally identifiable information (PII).
https://www.scmagazine.com/nist-adds-privacy-recommendations-to-its-risk-management-framework/article/764855/
Cybersecurity salaries highest in retail sector - A recent study
found cybersecurity salaries in the retail sector are among the
highest in the field while those in education and telecommunication
are some of the lowest.
https://www.scmagazine.com/in-larger-companies-salaries-often-range-from-75000-100000-a-year-while-firms-with-less-than-100-employees-salaries-range-between-50000-75000/article/765482/
Open Source in Your Data Center - What You Should Know - Open-source
software started out as a grassroots movement and morphed in a short
time into a mega-industry.
https://www.scmagazine.com/open-source-in-your-data-center--what-you-should-know/article/761869/
Senate votes 52-47 to preserve net neutrality - After the Federal
Communications Commission voted earlier this year to nix net
neutrality, the U.S. Senate today passed the Congressional Review
Act discharge resolution meant to preserve it.
https://www.scmagazine.com/senate-votes-52-47-to-preserve-net-neutrality/article/766457/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Goodyear, Ariz., utility POS system breached - The City of
Goodyear, Ariz., is reporting a possible data breach associated with
its online utility bill payment system causing the municipality to
disable the system while it investigates.
https://www.scmagazine.com/goodyear-ariz-utility-pos-system-breached/article/764973/
Chili's got data breached, data breached, data breached - Chili's is
informing its customers that between March and April 2018 payment
card information was compromised at some of its 1,600 locations and
industry execs are giving the restaurant chain props for quickly
coming forward once the breach was discovered.
https://www.scmagazine.com/chilis-got-data-breached-data-breached-data-breached/article/765792/
Third-party software vulnerability results in Mexican bank heist
scoring millions - Mexican authorities are investigating a suspected
bank hack that siphoned hundreds of millions of pesos out of at
least five banks.
https://www.scmagazine.com/mexican-bank-cyberheist-nabs-millions/article/765804/
https://www.bloomberg.com/news/articles/2018-05-13/mexico-says-possible-bank-hack-led-to-large-cash-withdrawals
Police Dept Loses 10 Months of Work to Ransomware. Gets Infected a
Second Time! - Ransomware has infected the servers of the Riverside
Fire and Police department for the second time in a month.
https://www.bleepingcomputer.com/news/security/police-dept-loses-10-months-of-work-to-ransomware-gets-infected-a-second-time/
Data from 3 million Facebook myPersonality app users left exposed
for four years - Personal information on more than three million
Facebook users who used the now-suspended myPersonality app was
exposed online for four years and accessible by anyone who had a
username and password publicly available on GitHub, according to an
investigation by New Scientist.
https://www.scmagazine.com/intimate-data-from-3-million-facebook-mypersonality-app-users-left-exposed-for-four-years/article/765895/
Rail Europe North America discloses breach of e-commerce IT platform
- U.S. residents who purchased European train tickets through Rail
Europe North America (RENA) may be affected by a nearly three-month
data breach/compromise of its e-commerce websites' IT platform that
started late last year.
https://www.scmagazine.com/rail-europe-north-america-discloses-breach-of-e-commerce-it-platform/article/765919/
WEB SITE COMPLIANCE - This week continues our series on the FDIC's
Supervisory Policy on Identity Theft. (Part 5 of 6)
Consumer Education
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposium series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't
Be an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we start a
three-part review of controls to prevent and detect intrusions.
Management should determine the controls necessary to deter,
detect, and respond to intrusions, consistent with the best
practices of information system operators. Controls may include the
following:
1) Authentication. Authentication provides identification by means
of some previously agreed upon method, such as passwords and
biometrics. (A method of identifying a person's identity by
analyzing a unique physical attribute.) The means and strength of
authentication should be commensurate with the risk. For instance,
passwords should be of an appropriate length, character set, and
lifespan (The lifespan of a password is the length of time the
password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromises.) for the systems
being protected. Employees should be trained to recognize and
respond to fraudulent attempts to compromise the integrity of
security systems. This may include "social engineering" whereby
intruders pose as authorized users to gain access to bank systems or
customer records.
2) Install and Update Systems. When a bank acquires and installs
new or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels for maintaining "separation
of duties" and "need to know" policies. Once installed, security
flaws to software and hardware should be identified and remediated
through updates or "patches." Continuous monitoring and updating is
essential to protect the bank from vulnerabilities. Information
related to vulnerabilities and patches is typically available from
the vendor, security-related web sites, and in the bi-weekly National
Infrastructure Protection Center's CyberNotes.
3) Software Integrity. Copies of software and integrity checkers
(An integrity checker uses logical analysis to identify whether a
file has been changed.) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity
checklist and checking software. Where sufficient risk exists, the
checklist and software should be stored away from the network, in a
location where access is limited. Banks should also protect against
viruses and other malicious software by using automated virus
scanning software and frequently updating the signature file (The
signature file contains the information necessary to identify each
virus.) to enable identification of new viruses.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.2.1 Memory Tokens
Memory tokens store, but do not process, information. Special
reader/writer devices control the writing and reading of data to and
from the tokens. The most common type of memory token is a magnetic
striped card, in which a thin stripe of magnetic material is affixed
to the surface of a card (e.g., as on the back of credit cards). A
common application of memory tokens for authentication to computer
systems is the automatic teller machine (ATM) card. This uses a
combination of something the user possesses (the card) with
something the user knows (the PIN).
Some computer system authentication technologies are based solely
on possession of a token, but they are less common. Token-only
systems are more likely to be used in other applications, such as
for physical access.
Benefits of Memory Token Systems. Memory tokens when used
with PINs provide significantly more security than passwords. In
addition, memory cards are inexpensive to produce. For a hacker or
other would-be masquerader to pretend to be someone else, the hacker
must have both a valid token and the corresponding PIN. This is much
more difficult than obtaining a valid password and user ID
combination (especially since most user IDs are common knowledge).
Another benefit of tokens is that they can be used in support of
log generation without the need for the employee to key in a user ID
for each transaction or other logged event since the token can be
scanned repeatedly. If the token is required for physical entry and
exit, then people will be forced to remove the token when they leave
the computer. This can help maintain authentication.
Problems With Memory Token Systems. Although sophisticated
technical attacks are possible against memory token systems, most of
the problems associated with them relate to their cost,
administration, token loss, user dissatisfaction, and the compromise
of PINs. Most of the techniques for increasing the security of
memory token systems relate to the protection of PINs. Many of the
techniques discussed in the sidebar on Improving Password Security
apply to PINs.
1) Requires special reader. The need for a special reader
increases the cost of using memory tokens. The readers used for
memory tokens must include both the physical unit that reads the
card and a processor that determines whether the card and/or the PIN
entered with the card is valid. If the PIN or token is validated by
a processor that is not physically located with the reader, then the
authentication data is vulnerable to electronic monitoring (although
cryptography can be used to solve this problem).
2) Token loss. A lost token may prevent the user from being
able to log in until a replacement is provided. This can increase
administrative overhead costs.
The lost token could be found by someone who wants to break into
the system, or could be stolen or forged. If the token is also used
with a PIN, any of the methods described above in password problems
can be used to obtain the PIN. Common methods are finding the PIN
taped to the card or observing the PIN being entered by the
legitimate user. In addition, any information stored on the magnetic
stripe that has not been encrypted can be read.
3) User Dissatisfaction. In general, users want computers to
be easy to use. Many users find it inconvenient to carry and present
a token. However, their dissatisfaction may be reduced if they see
the need for increased security.
Attacks on memory-card systems have sometimes been quite creative.
One group stole an ATM machine that they installed at a local
shopping mall. The machine collected valid account numbers and
corresponding PINs, which the thieves used to forge cards. The
forged cards were then used to withdraw money from legitimate ATMs.