Virtual IT audits - In response to the national emergency, I am now performing virtual FFIEC IT audits for insured financial institutions. I am a former bank examiner with over 50 years of IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI - Attackers' use of virtual machine to hide ransomware is a first,
say researchers - Virtual machines are an important tool for threat
analysts as they debug and investigate malware. But now there is a
documented case of malicious cyber actors exploiting a VM to their
advantage in an attempt to hide a Ragnar Locker ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/attackers-use-of-virtual-machine-to-hide-ransomware-is-a-first-say-researchers/
Rogue ADT tech spied on hundreds of customers in their homes via
CCTV – including me, says teen girl - Lawsuits filed after alarm biz
admits worker snooped on victims - A technician at ADT remotely
accessed hundreds of customers' CCTV cameras to spy on people in
their own homes, the burglar-alarm biz has admitted.
https://www.theregister.co.uk/2020/05/19/adt_spying_lawsuit/
New virtual cyber school gives teens chance to try out as cyber
security agents from home - Young people encouraged to join online
classes to develop problem-solving and cyber skills.
https://www.gov.uk/government/news/new-virtual-cyber-school-gives-teens-chance-to-try-out-as-cyber-security-agents-from-home
Verizon's data breach report highlights how unsecured cloud storage
opens door to attacks - Anecdotally, it has been clear for a while
that enterprises are often leaving cloud storage repositories open
due to oversight or error. Now Verizon's security research shows
that the "error" category is on the rise due to better reporting.
https://www.zdnet.com/article/verizons-data-breach-report-highlights-how-unsecured-cloud-storage-opens-door-to-attacks/
Japan investigates potential leak of prototype missile data in
Mitsubishi hack - The country is analyzing how such a leak could
impact national security. Japan has launched an investigation into
the potential exposure of confidential missile data in the wake of a
cyberattack on Mitsubishi Electric Corp.
https://www.zdnet.com/article/japan-investigates-potential-leak-of-prototype-missile-design-in-mitsubishi-hack/
How security can enable business continuity by protecting newly
remote employees - The shelter-in-place orders and closure of
non-essential businesses that have been implemented to slow the
spread of COVID-19 have brought the need for business continuity to
the forefront.
https://www.scmagazine.com/home/opinion/executive-insight/how-security-can-enable-business-continuity-by-protecting-newly-remote-employees/
Cybersecurity among six sectors booming during Covid-19, with Q1
funding exceeding $1.5B - As the Covid-19 pandemic continues to
hobble economies around the world, cybersecurity is one of six
sectors currently booming, with first quarter funding topping $1.5
billion.
https://www.scmagazine.com/home/security-news/cybersecurity-among-six-sectors-booming-during-covid-19-with-q1-funding-exceeding-1-5b/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Colorado, Florida & Ohio become latest states to disclose PUA
program data leaks - Colorado, Ohio and Florida have become the
latest states to disclose the accidental exposure of information
belonging to citizens who applied to the federal Pandemic
Unemployment Assistance program as a means of seeking some financial
security during the ongoing COVID-19 crisis.
https://www.scmagazine.com/home/security-news/colorado-and-ohio-become-latest-states-to-disclose-pua-program-data-leaks/
Modular backdoor sneaked into video game developers’ servers - A
suspected Chinese APT group used a newly discovered modular backdoor
to infect at least one video game developer’s build orchestration
server and at least one other company’s game servers, researchers
have reported.
https://www.scmagazine.com/home/security-news/gaming/modular-backdoor-sneaked-into-video-game-developers-servers/
Home Chef confirms data breach after eight million records sold on
dark web - The recent breach of Home Chef, confirmed this week,
after malicious actor Shiny Hunters sold eight million of its
records on the dark web underscores the looming security challenge
of managing employees who access business data from outside the
confines of the secure network.
https://www.scmagazine.com/home/security-news/home-chef-confirms-data-breach-after-eight-million-records-sold-on-dark-web/
Toll's stolen data finds itself on the 'dark web' - Follows the
company in January revealing it would revert to manual processes
following a ransomware incident.
https://www.zdnet.com/article/tolls-stolen-data-finds-itself-on-the-dark-web/
EasyJet Hackers Take Off with Travel Details for 9M Customers - The
vacation-centric airline is warning victims about social-engineering
attacks.
https://threatpost.com/easyjet-hackers-travel-details-9m-customers/155894/
Snake ransomware leaks patient data from Fresenius Medical Care -
Medical data and personally identifiable information belonging to
patients at a Fresenius Medical Care unit are currently available
online on a paste website.
https://www.bleepingcomputer.com/news/security/snake-ransomware-leaks-patient-data-from-fresenius-medical-care/
Israeli websites defaced, as more offensive cyber activity flares up
in Middle East - Following a month of cyberattacks involving Iran
and Israel, experts are reluctant to predict all-out digital warfare
between the nation states, despite the obvious recent tit for tat
that underscores age-old, religion-based tensions.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/israel-iran-trade-cyberattacks/
Arbonne breach of 3,500+ Calif. residents’ PII could test privacy
law - The exposure of the PII of more than 3,500 California
residents in the database of international multi-level marketing
firm Arbonne following a breach on April 23 offers a glimpse into
whether the state will enforce its new privacy statute that went
into effect in January.
https://www.scmagazine.com/home/security-news/privacy-compliance/arbonne-breach-of-3500-calif-residents-pii-could-test-privacy-law/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Assess Quality of Service and Support
• Regularly review reports
documenting the service provider’s performance. Determine if the
reports are accurate and allow for a meaningful assessment of
the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
institution employees.
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both non-technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness
and compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration
management process that monitors for vulnerabilities in hardware and
software and establishes a process to install and test security
patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
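The booklet leaves "reviewing security and activity logs" and "routinely reviewing system and application access levels" as activities for security personnel, and notes that automated log analysis tools make them more productive. As an added illustration of what such a tool does (this is example code written for this newsletter, not part of the FFIEC booklet), the script below reads constructed, syslog-style authentication events and flags two things an examiner would want surfaced: bursts of failed logins for one user from one source, and additions of a user to a privileged group that should be matched against an approved change request. The log format, host names, user names, addresses, group names and the five-failures-per-minute threshold are all assumptions chosen for the example.

```python
"""Added example (not from the FFIEC booklet): a minimal security-log review
that automates two activities the Monitoring section lists, looking for
operational anomalies (bursts of failed logins) and changes to access levels
(additions to privileged groups) in constructed authentication events."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines: the hosts, users and addresses are invented.
SAMPLE_LOG = """\
2020-05-18T08:00:01 corebank01 sshd: Failed password for jsmith from 10.0.5.21
2020-05-18T08:00:03 corebank01 sshd: Failed password for jsmith from 10.0.5.21
2020-05-18T08:00:04 corebank01 sshd: Failed password for jsmith from 10.0.5.21
2020-05-18T08:00:06 corebank01 sshd: Failed password for jsmith from 10.0.5.21
2020-05-18T08:00:07 corebank01 sshd: Failed password for jsmith from 10.0.5.21
2020-05-18T08:00:09 corebank01 sshd: Accepted password for jsmith from 10.0.5.21
2020-05-18T09:15:00 corebank01 usermod: add 'jsmith' to group 'wheel'
2020-05-18T10:30:00 teller07 sshd: Failed password for mlee from 10.0.7.40
2020-05-18T15:30:00 teller07 sshd: Failed password for mlee from 10.0.7.40
2020-05-18T16:00:00 teller07 sshd: Accepted password for mlee from 10.0.7.40
"""

# Assumed line layout: "<ISO timestamp> <host> <program>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
GROUP_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

# Groups whose membership grants elevated access (an assumption for the example).
PRIVILEGED_GROUPS = {"wheel", "sudo", "Administrators"}


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Return (host, user, src, count) for each host/user/source combination
    that failed authentication at least `threshold` times inside any `window`."""
    per_key = defaultdict(list)
    for rec in records:
        m = FAILED_RE.search(rec["msg"])
        if m:
            per_key[(rec["host"], m["user"], m["src"])].append(rec["ts"])
    bursts = []
    for key, times in per_key.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then test the count.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key + (end - start + 1,))
                break
    return bursts


def privilege_changes(records):
    """Return (host, user, group) for every addition to a privileged group, so
    each one can be reconciled against an authorized change."""
    changes = []
    for rec in records:
        m = GROUP_RE.search(rec["msg"])
        if m and m["group"] in PRIVILEGED_GROUPS:
            changes.append((rec["host"], m["user"], m["group"]))
    return changes


def review(log_text):
    """Parse raw log text, run both checks, and return the findings."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "privilege_changes": privilege_changes(records),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the first user trips the burst rule (five failures in six seconds, followed by a success and then a privileged-group addition, which is exactly the sequence that deserves a follow-up), while the second user's two failures hours apart are left alone. In practice the thresholds, the privileged-group list and the log format would be tuned to the institution's own systems, and the output would feed the documented follow-up the booklet calls for rather than be the end of the review.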
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2.2 Efficient, Economic Coordination of Information
A central computer security program helps to coordinate and manage
effective use of security-related resources throughout the
organization. The most important of these resources are normally
information and financial resources.
Sound and timely information is necessary for managers to
accomplish their tasks effectively. However, most organizations have
trouble collecting information from myriad sources and effectively
processing and distributing it within the organization. This section
discusses some of the sources and efficient uses of computer
security information.
Within the federal government, many organizations such as the
Office of Management and Budget, the General Services
Administration, the National Institute of Standards and Technology,
and the National Telecommunications and Information Administration,
provide information on computer, telecommunications, or information
resources. This information includes security-related policy,
regulations, standards, and guidance. A portion of the information
is channeled through the senior designated official for each
agency. Agencies are expected to have mechanisms in place to
distribute the information the senior designated official receives.
Computer security-related information is also available from
private and federal professional societies and groups. These groups
will often provide the information as a public service, although
some private groups charge a fee for it. However, even for
information that is free or inexpensive, the costs associated with
personnel gathering the information can be high.
Internal security-related information, such as which procedures
were effective, virus infections, security problems, and solutions,
needs to be shared within an organization. Often this information is
specific to the operating environment and culture of the
organization.
A computer security program administered at the organization level
can provide a way to collect the internal security-related
information and distribute it as needed throughout the organization.
Sometimes an organization can also share this information with
external groups.
Another use of an effective conduit of information is to increase
the central computer security program's ability to influence
external and internal policy decisions. If the central computer
security program office can represent the entire organization, then
its advice is more likely to be heeded by upper management and
external organizations. However, to be effective, there should be
excellent communication between the system-level computer security
programs and the organization level. For example, if an organization
were considering consolidating its mainframes into one site (or
considering distributing the processing currently done at one site),
personnel at the central program could provide initial opinions
about the security implications. However, to speak authoritatively,
central program personnel would have to actually know the security
impacts of the proposed change -- information that would have to be
obtained from the system-level computer security program.
An organization's components may develop specialized expertise,
which can be shared among components. For example, one operating
unit may primarily use UNIX and have developed skills in UNIX
security. A second operating unit (with only one UNIX machine), may
concentrate on MVS security and rely on the first unit's knowledge
and skills for its UNIX machine.
Besides being able to help an organization use information more
cost effectively, a computer security program can also help an
organization better spend its scarce security dollars. Organizations
can develop expertise and then share it, reducing the need to
contract out repeatedly for similar services. The central computer
security program can help facilitate information sharing.
Personnel at the central computer security program level can also
develop their own areas of expertise. For example, they could
sharpen their skills in contingency planning and risk analysis
to help the entire organization perform these vital security
functions.
Some Principal Security Program Interactions
Besides allowing an organization to share expertise and,
therefore, save money, a central computer security program can use
its position to consolidate requirements so the organization can
negotiate discounts based on volume purchasing of security hardware
and software. It also facilitates such activities as strategic
planning and organization-wide incident handling and security trend
analysis.