Virtual IT audits -
In response to the national emergency, I am now performing
virtual FFIEC IT audits
for insured financial institutions.
I am a former bank examiner
with over 50 years' IT audit experience.
Please email R. Kinney Williams at
examiner@yennik.com from your bank's domain and I will email you information
and fees.
FYI - Top 10 Routinely Exploited Vulnerabilities - The Cybersecurity and
Infrastructure Security Agency (CISA), the Federal Bureau of
Investigation (FBI), and the broader U.S. Government are providing
this technical guidance to advise IT security professionals at
public and private sector organizations to place an increased
priority on patching the most commonly known vulnerabilities
exploited by sophisticated foreign cyber actors.
https://www.us-cert.gov/ncas/alerts/aa20-133a
What is the Zero Trust Framework in cybersecurity and 5
considerations for building a Zero Trust IT environment - Zero Trust
isn’t a product or service, and it’s certainly not just a buzzword.
Rather, it’s a particular approach to cybersecurity. It means
exactly what it says – not ‘verify, then trust’ but ‘never trust and
always verify.’
https://www.scmagazine.com/home/opinion/executive-insight/what-is-the-zero-trust-framework-in-cybersecurity-and-5-considerations-for-building-a-zero-trust-it-environment/
US Computer Fraud and Abuse Act: How an upcoming Supreme Court
ruling could have serious ramifications for ethical hackers - An FBI
sting that led to the arrest of a US police officer could have
significant ramifications for how the country’s security researchers
go about their work.
https://portswigger.net/daily-swig/us-computer-fraud-and-abuse-act-how-an-upcoming-supreme-court-ruling-could-have-serious-ramifications-for-ethical-hackers
The FBI Backs Down Against Apple - Again - The agency cracked the
Pensacola iPhones, but it still views Cupertino as a problem—even
though it's easier to break into iPhones than it has been in years.
https://www.wired.com/story/fbi-backs-down-apple-encryption-pensacola-iphones/
Six need-to-know takeaways from the Verizon breach report - Verizon
researchers analyzed 157,525 known “incidents” (defined as a
security event that results in the compromise of an information
asset) and 3,950 confirmed breaches (meaning data exposure to an
unauthorized party was officially disclosed) - all taking place from
Nov. 1, 2018 through Oct. 31, 2019.
https://www.scmagazine.com/home/security-news/data-breach/six-need-to-know-takeaways-from-the-verizon-breach-report/
Bigger budgets have not entailed more security - Greater spending on
cybersecurity products has not produced a better organizational
security posture. Despite the millions of dollars spent by
organizations year on year, the average cost of a cyberattack jumped
by 50 percent between 2018 to 2019, hitting $4.6 million per
incident.
https://www.scmagazine.com/home/opinion/executive-insight/bigger-budgets-have-not-entailed-more-security/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - DHL shipping scam takes a low-pressure approach - A scam based on
a fake DHL delivery notification has been making the rounds with the
malicious actors using a new, mellow approach to conning people out
of their information.
https://www.scmagazine.com/home/security-news/dhl-shipping-scam-takes-a-low-pressure-approach/
Toll Group Says Ransomware Attackers Stole Data - Australian
shipping giant Toll Group has vowed to again not pay a ransom after
suffering its second ransomware attack of the year, which it first
disclosed earlier this month.
https://www.govinfosecurity.com/toll-group-says-ransomware-attackers-stole-data-a-14271
There's Norway you're going to believe this: Government investment
fund conned out of $10m in cyber-attack - The Norwegian Investment
Fund has been swindled out of $10m (£8.2m) by fraudsters who pulled
off what's been described as "an advanced data breach."
https://www.theregister.co.uk/2020/05/14/norway_investment_fund_hack/
UK electricity middleman hit by cyber-attack - Elexon said the
incident only impacted its internal IT network, employee laptops,
and company email server.
https://www.zdnet.com/article/uk-electricity-middleman-hit-by-cyber-attack/
Ransomware attack impacts Texas Department of Transportation - A new
ransomware attack is affecting the Texas government. This time,
hackers got into the network of the state’s Department of
Transportation (TxDOT).
https://www.bleepingcomputer.com/news/security/ransomware-attack-impacts-texas-department-of-transportation/
BLUESCOPE RESPONSE TO CYBER INCIDENT - BlueScope today confirmed
that its IT systems have been affected by a cyber incident, causing
disruptions to parts of the Company’s operations.
https://secure.weblink.com.au/clients/WebChartClient/clients/BlueScopeSteel2/article.asp?view=3541284
Europe's supercomputers hijacked by attackers for crypto mining - At
least a dozen supercomputers across Europe have shut down after
cyber-attacks tried to take control of them. The Archer supercomputer
in Edinburgh was one of those affected.
https://www.bbc.com/news/technology-52709660
Arkansas, Illinois COVID-19 unemployment websites leak data -
Arkansas and Illinois both reportedly exposed sensitive citizen data
after failing to adequately secure web services that the states
urgently propped up in order to process applications for the federal
Pandemic Unemployment Assistance program.
https://www.scmagazine.com/website-web-server-security/arkansas-illinois-covid-19-unemployment-websites-leak-data/
British airline easyJet breached, data of 9 million customers
compromised - An attack against British airline easyJet by “a highly
sophisticated source” accessed the email addresses and travel
details of approximately nine million customers, including credit
card details of 2,208 customers.
https://www.scmagazine.com/home/security-news/british-airline-easyjet-breached-data-of-9-million-customers-compromised/
Email phishing scam impersonates LogMeIn to trick remote workers -
Add LogMeIn to the list of remote services and collaboration
platforms whose users are being targeted by phishing scammers
seeking to take advantage of businesses’ current work-from-home
policies under COVID-19.
https://www.scmagazine.com/home/security-news/phishing/email-phishing-scam-impersonates-logmein-to-trick-remote-workers/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service
Provider
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service
provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
and confidentiality.
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
institutions.
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
and testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2 Central Computer Security Programs
The purpose of a central computer security program is to address
the overall management of computer security within an organization.
In the federal government, the organization could consist of a
department, agency, or other major operating unit.
As with the management of all resources, central computer security
management can be performed in many practical and cost-effective
ways. The importance of sound management cannot be overemphasized.
There is also a downside to centrally managed computer security
programs. Specifically, they present greater risk that errors in
judgment will be more widely propagated throughout the organization.
As they strive to meet their objectives, managers need to consider
the full impact of available options when establishing their
computer security programs.
6.2.1 Benefits of Central Computer Security Programs
A central security program should provide two quite distinct types
of benefits:
• Increased efficiency and economy of security throughout the
organization, and
• the ability to provide centralized enforcement and oversight.
Both of these benefits are in keeping with the purpose of the
Paperwork Reduction Act, as implemented in OMB Circular A-130.
The Paperwork Reduction Act establishes a broad mandate for
agencies to perform their information management activities in an
efficient, effective, and economical manner...Agencies shall assure
an adequate level of security for all agency automated information
systems, whether maintained in-house or commercially.