FFIEC
information technology audits
-
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI
- Automakers track you down to your weight, collect up to 25 GBs per
hour - Modern automobiles collect copious amounts of data ranging
from driving habits to the weight of its occupants but this leaves
the gray area of ownership and how the data is used.
https://www.scmagazine.com/home/security-news/iot/modern-automobiles-collect-copious-amounts-of-data-ranging-from-driving-habits-to-the-weight-of-its-occupants/
Ten indicted in U.S. as authorities crack down on GozNym banking
trojan network - A coordinated international law enforcement
operation in the U.S. and Europe has dismantled the GozNym
cybercriminal network responsible for infecting roughly 41,000
computers with banking malware and stealing approximately $100
million from victims.
https://www.scmagazine.com/home/security-news/legal-security-news/ten-indicted-in-u-s-as-authorities-crack-down-on-goznym-banking-trojan-network/
What Colorado learned from treating a cyberattack like a disaster -
The Colorado Department of Transportation joined the ranks of dozens
of other U.S. government entities affected by the SamSam ransomware
virus when it was infected with the malware in February 2018.
https://statescoop.com/what-colorado-learned-from-treating-a-cyberattack-like-a-disaster/
Baltimore city council forms committee to examine ransomware attack
response - Ten days after Baltimore was hit with a ransomware attack
that has effectively shut down large swathes of the city's computer
network the city council has created the Committee on Cybersecurity
and Emergency Preparedness to examine how the municipality dealt
with the situation.
https://www.scmagazine.com/home/security-news/ransomware/baltimore-city-council-forms-committee-to-examine-ransomware-attack-response/
The Story Behind The U.S. Conflict with Huawei - In early 2018, in a
complex of low-rise buildings in the Australian capital, a team of
government hackers was engaging in a destructive digital war game.
https://uk.reuters.com/investigates/special-report/huawei-usa-campaign/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Open database, poor decision making exposes PII of 8 million - The
recent mistaken exposure of the information of 8 million people due
to an open Elasticsearch database exposed the danger not only of
cloud storage security, but the importance of individuals keeping
their personal information close to the vest.
https://www.scmagazine.com/home/security-news/data-breach/open-database-poor-decision-making-exposes-pii-of-8-million/
Report: Hacking group wipes content from over 12,000 open MongoDB
databases - In less than a month's time, the "Unistellar" hacking
group has reportedly accessed over 12,000 unsecured MongoDB
databases and stolen their contents, apparently holding them for
ransom.
https://www.scmagazine.com/home/security-news/cybercrime/report-hacking-group-wipes-content-from-over-12000-open-mongodb-databases/
Unsecure Chtrbox AWS database exposes data on 49 million Instagram
influencers, accounts - An unsecured Chtrbox database hosted by
Amazon Web Services (AWS) and discovered by security researcher
Anurag Sen has exposed the records of more than 49 million Instagram
influencers.
https://www.scmagazine.com/home/security-news/privacy-compliance/unsecure-chtrbox-aws-database-exposes-data-on-49-million-instagram-influencers-accounts/
Breach of Stack Overflow's production systems exposes data on
roughly 250 users - An unauthorized party accessed Stack Overflow's
production systems earlier this month and executed privileged web
requests that exposed information on roughly 250 public network
users, the Q&A website for programmers announced last Friday.
https://www.scmagazine.com/home/security-news/breach-of-stack-overflows-production-systems-exposes-data-on-roughly-250-users/
Google G Suite glitch left some passwords stored in plain text for
14 years - A bug in Google's G Suite left the passwords of some
users to be stored in plain text for the past 14 years, though the
company doesn't believe the information was accessed by unauthorized
third parties.
https://www.scmagazine.com/home/security-news/google-g-suite-glitch-left-some-passwords-stored-in-plain-text-for-14-years/
TeamViewer reportedly hit by Chinese hackers in 2016 - TeamViewer
announced it was the victim of a cyber attack which took place in
2016 although some sources claim that hackers were in the firm's
network as early as 2014.
https://www.scmagazine.com/home/security-news/cybercrime/teamviewer-announced-it-was-the-victim-of-a-cyber-attack-which-took-place-in-2016-although-some-sources-claim-that-hackers-were-in-the-firms-network-as-early-as-2014/
Louisville Regional Airport Authority grounded by ransomware attack
- The Louisville Regional Airport Authority (LRAA) had its wings
clipped on Monday by a ransomware attack on its systems, reports
say.
https://www.scmagazine.com/home/security-news/louisville-regional-airport-authority-grounded-by-ransomware-attack/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 6: Banks
should ensure that appropriate measures are in place to promote
adequate segregation of duties within e-banking systems, databases
and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties is established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those
initiating static data (including web page content) and those
responsible for verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those
developing and those administrating e-banking systems.
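The four practices above can be enforced and, as practice 3 requires, tested in code. The following is an added example written for this newsletter, not text from the Basel paper or from any bank's system: a maker-checker workflow in which a hypothetical role conflict matrix keeps one person from holding both sides of a pair (teller/supervisor, developer/admin), each transaction must pass through three different people, and a set of test cases confirms that the common bypasses are rejected. The role names, user names and the conflict matrix are all constructed for illustration.

```python
"""Maker-checker enforcement for an e-banking transfer workflow (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    TELLER = "teller"            # enters transactions
    SUPERVISOR = "supervisor"    # authorizes transactions
    OPERATIONS = "operations"    # completes (posts) transactions
    DEVELOPER = "developer"      # changes application code
    ADMIN = "admin"              # administers the production system


# Hypothetical conflict matrix (practices 1 and 4): no one person may hold both
# roles in a pair. This is where a real institution encodes its own policy.
CONFLICTS = {
    frozenset({Role.TELLER, Role.SUPERVISOR}),
    frozenset({Role.SUPERVISOR, Role.OPERATIONS}),
    frozenset({Role.TELLER, Role.OPERATIONS}),
    frozenset({Role.DEVELOPER, Role.ADMIN}),
}


class SoDViolation(Exception):
    """Raised whenever an action would defeat segregation of duties."""


@dataclass
class User:
    name: str
    roles: set

    def __post_init__(self):
        # Reject conflicting role assignments at provisioning time, not at use time.
        for pair in CONFLICTS:
            if pair <= self.roles:
                raise SoDViolation(f"{self.name}: conflicting roles {sorted(r.value for r in pair)}")


@dataclass
class Transaction:
    amount: int
    state: str = "new"
    history: list = field(default_factory=list)   # audit trail of (action, user name)

    def _step(self, action, user, required_role, expected_state, next_state):
        if self.state != expected_state:
            raise SoDViolation(f"{action}: transaction is '{self.state}', expected '{expected_state}'")
        if required_role not in user.roles:
            raise SoDViolation(f"{action}: {user.name} lacks role {required_role.value}")
        # Second line of defence if the role matrix is ever misconfigured:
        # nobody acts twice on the same transaction.
        if user.name in {name for _, name in self.history}:
            raise SoDViolation(f"{action}: {user.name} already acted on this transaction")
        self.history.append((action, user.name))
        self.state = next_state

    def enter(self, user):
        self._step("enter", user, Role.TELLER, "new", "entered")

    def authorize(self, user):
        self._step("authorize", user, Role.SUPERVISOR, "entered", "authorized")

    def complete(self, user):
        self._step("complete", user, Role.OPERATIONS, "authorized", "completed")


def sod_test_cases():
    """Practice 3: confirm segregation cannot be bypassed. Returns {case: outcome}."""
    results = {}
    teller = User("alice", {Role.TELLER})
    supervisor = User("bob", {Role.SUPERVISOR})
    ops = User("carol", {Role.OPERATIONS})

    tx = Transaction(amount=5000)                 # the legitimate three-person path
    tx.enter(teller)
    tx.authorize(supervisor)
    tx.complete(ops)
    results["three_person_flow"] = tx.state

    tx = Transaction(amount=5000)                 # maker tries to check own work
    tx.enter(teller)
    try:
        tx.authorize(teller)
        results["self_authorize"] = "allowed"
    except SoDViolation:
        results["self_authorize"] = "rejected"

    try:                                          # one account holding both sides
        User("dave", {Role.TELLER, Role.SUPERVISOR})
        results["conflicting_roles"] = "allowed"
    except SoDViolation:
        results["conflicting_roles"] = "rejected"

    tx = Transaction(amount=5000)                 # posting without entry or approval
    try:
        tx.complete(ops)
        results["skip_steps"] = "allowed"
    except SoDViolation:
        results["skip_steps"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in sod_test_cases().items():
        print(f"{case}: {outcome}")
```

The state machine and the conflict matrix are independent controls: the matrix stops a single account from ever being provisioned with both sides of a pair, and the per-transaction actor check catches the case where the matrix is wrong or an outsourced provider's account has been granted more than intended. An examiner reviewing an e-banking system would expect to see both, plus the audit trail that `history` stands in for here.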
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staff to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
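Two of the policy elements above, "all traffic not expressly allowed is denied" and "regular auditing of a firewall's configuration", can be checked mechanically against a rule set. The following is an added example, not from the FFIEC booklet and not any vendor's syntax: a small first-match-wins rule evaluator whose fall-through result is deny, plus an audit routine that flags an allow-everything rule and rules shadowed by an earlier, broader rule (a shadowed rule is a common sign that a configuration has drifted from its policy). The rule format, addresses and sample rule set are constructed for illustration.

```python
"""Default-deny rule evaluation and configuration audit (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str    # "allow" or "deny"
    src: str       # CIDR
    dst: str       # CIDR
    proto: str     # "tcp", "udp" or "any"
    dport: str     # destination port or "any"


# Constructed sample policy: action src dst proto dport
SAMPLE_RULES = """
allow 0.0.0.0/0     203.0.113.10/32 tcp 443    # internet -> web banking front end
allow 10.10.0.0/16  10.20.0.5/32    tcp 1433   # application tier -> database
allow 10.10.5.0/24  10.20.0.5/32    tcp 1433   # fully covered by the rule above
deny  0.0.0.0/0     0.0.0.0/0       any any    # explicit catch-all
"""


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#")[0].strip()      # drop trailing comments
        if not line:
            continue
        action, src, dst, proto, dport = line.split()
        rules.append(Rule(action, src, dst, proto, dport))
    return rules


def matches(rule, src, dst, proto, dport):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in ("any", str(dport)))


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; with no match the answer is deny, not allow."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def covers(broad, narrow):
    """True if every packet matching `narrow` also matches `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.dport in ("any", narrow.dport))


def audit(rules):
    """Findings a periodic configuration review would raise."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0" \
                and rule.proto == "any" and rule.dport == "any":
            findings.append(f"rule {i}: allows all traffic; violates default-deny")
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, rule):
                findings.append(f"rule {i}: shadowed by rule {j}, never evaluated")
                break
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(evaluate(rules, "198.51.100.7", "203.0.113.10", "tcp", 443))   # allow
    print(evaluate(rules, "198.51.100.7", "10.20.0.5", "tcp", 1433))     # deny
    for finding in audit(rules):
        print(finding)
```

Note that removing the explicit catch-all rule changes nothing about what is permitted, because `evaluate` already denies on fall-through; policies usually keep it anyway so that the denial is logged and visible in the rule listing rather than implied.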
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)
20.3.1 Payroll Fraud
As for most large
organizations that control financial assets, attempts at fraud and
embezzlement are likely to occur. Historically, attempts at payroll
fraud have almost always come from within HGA or the other agencies
that operate systems on which HGA depends. Although HGA has thwarted
many of these attempts, and some have involved relatively small sums
of money, it considers preventing financial fraud to be a
critical computer security priority, particularly in light of
the potential financial losses and the risks of damage to its
reputation with Congress, the public, and other federal agencies.
Attempts to defraud HGA
have included the following:
- Submitting fraudulent time
sheets for hours or days not worked, or for pay periods
following termination or transfer of employment. The former
may take the form of overreporting compensatory or overtime
hours worked, or underreporting vacation or sick leave
taken. Alternatively, attempts have been made to modify time
sheet data after being entered and approved for submission
to payroll.
- Falsifying or modifying
dates or data on which one's "years of service" computations
are based, thereby becoming eligible for retirement earlier
than allowed, or increasing one's pension amount.
- Creating employee records
and time sheets for fictitious personnel, and attempting to
obtain their paychecks, particularly after arranging for
direct deposit.
20.3.2 Payroll Errors
Of greater likelihood,
but of perhaps lesser potential impact on HGA, are errors in the
entry of time and attendance data; failure to enter information
describing new employees, terminations, and transfers in a timely
manner; accidental corruption or loss of time and attendance data;
or errors in interagency coordination and processing of personnel
transfers.
Errors of these kinds
can cause financial difficulties for employees and accounting
problems for HGA. If an employee's vacation or sick leave balance
became negative erroneously during the last pay period of the year,
the employee's last paycheck would be automatically reduced. An
individual who transfers between HGA and another agency may risk
receiving duplicate paychecks or no paychecks for the pay periods
immediately following the transfer. Errors of this sort that occur
near the end of the year can lead to errors in W-2 forms and
subsequent difficulties with the tax collection agencies.
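The fraud attempts in 20.3.1 and the errors in 20.3.2 map onto a small set of input-validation and integrity checks at the point where time sheets are submitted to payroll. The following is an added example written for this newsletter, not from the NIST Handbook or HGA: it checks each time sheet against an employee master (pay periods after termination, fictitious employee ids), flags overtime above a review threshold, prevents a leave balance from going negative, and detects data changed after approval by comparing the sheet with the fingerprint the approver signed off on. The employee master, the sample time sheets, the field names and the overtime threshold are all constructed.

```python
"""Validation and integrity checks over payroll time sheets (added example)."""
import hashlib
import json
from datetime import date

# Constructed HR master: employee id -> termination date (or None) and leave balance in hours
EMPLOYEES = {
    "E100": {"terminated": None, "leave_balance": 16},
    "E101": {"terminated": date(2019, 5, 3), "leave_balance": 40},
    "E102": {"terminated": None, "leave_balance": 4},
}

OVERTIME_REVIEW_HOURS = 20      # constructed threshold for supervisory review
SIGNED_FIELDS = ("employee", "period_end", "hours", "overtime", "leave")


def fingerprint(sheet):
    """Hash of the fields the approver signed off on; stored alongside the approval."""
    payload = json.dumps({k: str(sheet[k]) for k in SIGNED_FIELDS}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def check_sheet(sheet):
    """Return a list of findings; an empty list means the sheet may proceed to payroll."""
    findings = []
    emp = EMPLOYEES.get(sheet["employee"])
    if emp is None:
        findings.append("unknown employee id (possible fictitious record)")
        return findings
    terminated = emp["terminated"]
    if terminated and sheet["period_end"] > terminated:
        findings.append(f"pay period ends after termination on {terminated}")
    if sheet["overtime"] > OVERTIME_REVIEW_HOURS:
        findings.append("overtime above review threshold")
    if emp["leave_balance"] - sheet["leave"] < 0:
        findings.append("leave taken exceeds balance; would go negative")
    if sheet.get("approved_fingerprint") and sheet["approved_fingerprint"] != fingerprint(sheet):
        findings.append("data modified after approval")
    return findings


def sample_sheets():
    """Constructed time sheets for the pay period ending 2019-05-17."""
    end = date(2019, 5, 17)
    clean = {"employee": "E100", "period_end": end, "hours": 80, "overtime": 2, "leave": 0}
    clean["approved_fingerprint"] = fingerprint(clean)      # supervisor approves
    tampered = dict(clean)
    tampered["overtime"] = 30                               # edited after approval
    return {
        "clean": clean,
        "tampered_after_approval": tampered,
        "after_termination": {"employee": "E101", "period_end": end, "hours": 80, "overtime": 0, "leave": 0},
        "fictitious": {"employee": "E999", "period_end": end, "hours": 80, "overtime": 0, "leave": 0},
        "leave_overdrawn": {"employee": "E102", "period_end": end, "hours": 72, "overtime": 0, "leave": 8},
    }


def run_checks():
    """Run every sample sheet through the checks; returns {label: findings}."""
    return {label: check_sheet(sheet) for label, sheet in sample_sheets().items()}


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(f"{label}: {findings or 'ok'}")
```

The fingerprint is what makes the "modified after approval" case detectable: the approver's sign-off is bound to the values approved rather than to the record's identity, so a later edit to hours or overtime no longer matches what was approved. In a real system the fingerprint would be stored outside the editable record (in the approval log or audit trail), which is the part this example leaves to the reader.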