Virtual IT audits - In response to the national emergency, I am now performing virtual FFIEC IT audits for insured financial institutions. I am a former bank examiner with over 50 years of IT audit experience. Please email R. Kinney Williams at examiner@yennik.com from your bank's domain and I will email you information and fees.
FYI - CISA RELEASES NEW CYBER ESSENTIALS TOOLKIT - As a follow-up to the
November 2019 release of Cyber Essentials, the Cybersecurity and
Infrastructure Security Agency (CISA) released the first in a series
of six Cyber Essentials Toolkits.
https://www.cisa.gov/news/2020/05/29/cisa-releases-new-cyber-essentials-toolkit
Judge demands Capital One release Mandiant cyberforensic report on
data breach - Attorneys suing the company will now have access to
the report in preparation for a potential trial.
https://www.zdnet.com/article/judge-demands-capital-one-releases-mandiant-cyberforensic-report-on-data-breach/
How insurance CISOs can address cloud migration security concerns -
The cloud is hardly new for most industries, but insurance is still
in its early days with respect to widespread adoption.
https://www.scmagazine.com/home/opinion/executive-insight/how-insurance-cisos-can-address-cloud-migration-security-concerns/
Facial recognition fails accuracy test, raises privacy concerns; ACLU
sues Clearview AI - Facial recognition technology is once again being
called into question, as Amazon’s “Rekognition” software was found to
incorrectly match 105 U.S. and U.K. politicians.
https://www.scmagazine.com/home/security-news/privacy-compliance/facial-recognition-fails-accuracy-test-raises-privacy-concerns-aclu-sues-clearview-ai/
German govt urges iOS users to patch critical Mail app flaws -
Germany's federal cybersecurity agency today urged iOS users to
immediately install the iOS and iPadOS security updates released by
Apple on May 20 to patch two actively exploited zero-click security
vulnerabilities impacting the default email app.
https://www.bleepingcomputer.com/news/security/german-govt-urges-ios-users-to-patch-critical-mail-app-flaws/
If someone could stop hackers pwning medical systems right now, that
would be cool, say Red Cross and friends - The rules of war that
protect hospitals should extend into cyberspace.
https://www.theregister.com/2020/05/26/red_cross_coronavirus_hacking/
Israeli official confirms attempted cyberattack on water systems -
Israel last month thwarted a cyberattack on control systems at water
facilities, a senior government official said Thursday while warning
of the dangers of escalating conflicts in cyberspace.
https://www.cyberscoop.com/israel-cyberattacks-water-iran-yigal-unna/
5 Steps organizations should take to ensure CCPA compliance - Now
that the California Consumer Privacy Act has officially taken
effect, follow these 5 steps to ensure compliance, even if your
organization is outside the Golden State.
https://www.scmagazine.com/home/opinion/executive-insight/5-steps-organizations-should-take-to-ensure-ccpa-compliance/
48% of employees are less likely to follow safe data practices when
working from home - A new report from cybersecurity firm Tessian
found that the move to working from home has had drastic effects on
how people approach data loss prevention.
https://www.techrepublic.com/article/48-of-employees-are-less-likely-to-follow-safe-data-practices-when-working-from-home/
Work from home survey finds major security lapses as workers share
devices, reuse passwords - In his own home, a researcher was able to
hack various network-connected devices other than computers and
mobile phones. Stay-at-home workers are threatening corporate IT
security, with 93 percent of them admitting they reuse passwords and
29 percent allowing other family members to use their company-issued
devices for homework and online entertainment, according to a
report.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/work-from-home-survey-finds-major-security-lapses-as-workers-share-devices-reuse-passwords/
OMB: Federal agencies reported 8 percent fewer cybersecurity
incidents in FY 2019 - A new report issued by the U.S. Office of
Management and Budget (OMB) says federal agencies reported eight
percent fewer cybersecurity incidents in fiscal year 2019, compared
to 2018 - an improvement it attributes to the recent “maturation of
agencies’ information security programs.”
https://www.scmagazine.com/home/security-news/omb-federal-agencies-reported-8-percent-fewer-cybersecurity-incidents-in-fy-2019/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Test platform leaks Bank of America clients’ Covid-19 PPP loan
applications - Bank of America has disclosed that it briefly exposed
certain business clients’ Paycheck Protection Program (PPP)
applications to outside parties after uploading the documents onto a
test platform.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/test-platform-leaks-bank-of-america-clients-covid-19-ppp-loan-applications/
Michigan State University hit by ransomware gang - The operators of
the NetWalker ransomware gang have given MSU officials seven days to
pay the ransom or they will leak stolen university files.
https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/
Rio Arriba County Commission Chair Leo Jaramillo Says FBI
Investigating Tuesday’s Cyber Attack On County - Rio Arriba County
discovered Tuesday that it was the victim of a ransomware cyber
attack which resulted in a significant number of the County’s
network servers, electronic files and databases being encrypted and
unable to be accessed, reviewed or edited.
https://losalamosreporter.com/2020/05/27/rio-arriba-county-commission-chair-leo-jaramillo-says-fbi-investigating-tuesdays-cyber-attack-on-county/
Hackers Compromise Cisco Servers Via SaltStack Flaws - Attackers
compromised six Cisco VIRL-PE servers that are affected by critical
SaltStack vulnerabilities.
https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/
Minneapolis reportedly hit with DoS attack amid protests over
killing - As protests over a death intensified in Minneapolis, the
city was reportedly hit with a DoS attack early Thursday morning
that left multiple websites and computer systems dysfunctional for
several hours.
https://www.scmagazine.com/home/security-news/minneapolis-hit-with-dos-attacks-amid-protests-over-floyd-killing/
Kentucky is 6th state to disclose leak of unemployment claims amid
Covid-19 - Kentucky has become the sixth state to disclose a data
leak related to unemployment-related forms that has taken place
during the Covid-19 pandemic.
https://www.scmagazine.com/home/security-news/kentucky-is-6th-state-to-disclose-leak-of-unemployment-claims-amid-covid-19/
Shiny Hunters’ latest hit: Minted among 73.1M records offered - More
details have emerged about the hacker group “Shiny Hunters’” prey this
past month, more than 11 website victims, including Minted, a
marketplace of independent illustrators and designers offering
consumers items such as custom greeting cards.
https://www.scmagazine.com/home/security-news/shiny-hunters-latest-hit-minted-among-73-1m-records-offered/
Minneapolis websites hit with apparent cyberattacks amid civic
unrest - Possible hacktivists over the weekend may have taken
advantage of the civic unrest and protests taking place in
Minneapolis, temporarily crippling two city websites in the wake of
the killing of George Floyd at the hands of a police officer who has
been arrested on murder charges.
https://www.scmagazine.com/home/security-news/minneapolis-websites-hit-with-apparent-cyberattacks-amid-civic-unrest/
Malware in GitHub-hosted projects designed to spread among
open-source developers - Twenty-six open-source projects hosted on
GitHub repositories were found to be infected with malware and
capable of serving up weaponized code to potential developers in a
potential supply chain attack, the GitHub Security Lab has
disclosed.
https://www.scmagazine.com/home/security-news/malware/malware-in-github-hosted-projects-designed-to-spread-among-open-source-developers/
Fortune 500 company NTT discloses security breach - Japanese
telecommunications giant NTT says hackers breached its internal
network and stole data on 621 customers. Nippon Telegraph &
Telephone (NTT), the 64th biggest company in the world, according to
the Fortune 500 list, has disclosed today a security breach.
https://www.zdnet.com/article/fortune-500-company-ntt-discloses-security-breach/
REvil ransomware gang publishes 'Elexon staff's passports' after UK
electrical middleman shrugs off attack - The REvil/Sodinokibi
ransomware gang has just published what it claimed were files stolen
from UK power grid middleman Elexon.
https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/
Hacker leaks database of dark web hosting provider - Leaked data
contains email addresses, site admin passwords, and .onion domain
private keys.
https://www.zdnet.com/article/hacker-leaks-database-of-dark-web-hosting-provider/
Ransomware locks down the Nipissing First Nation - The Nipissing
First Nation administration stopped a ransomware attack in its
tracks but not soon enough to prevent disruption of communications.
https://www.bleepingcomputer.com/news/security/ransomware-locks-down-the-nipissing-first-nation/
Amtrak breach impacts unknown number of Guest Rewards accounts -
Amtrak has alerted an unknown number of Guest Rewards customers it
suffered a data breach at the hands of an unknown third party that
gained unauthorized access to certain accounts.
https://www.scmagazine.com/home/security-news/cybercrime/amtrak-breach-impacts-unknown-number-of-guest-rewards-accounts/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Monitor Contract Compliance and Revision Needs
• Review invoices to assure proper charges for services rendered, the appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance relative to service level agreements, determine whether other contractual terms and conditions are being met, and whether any revisions to service level expectations or other terms are needed given changes in the institution’s needs and technological developments.
• Maintain documents and records regarding contract compliance, revision and dispute resolution.
Maintain Business Resumption Contingency Plans
• Review the service provider’s business resumption contingency plans to ensure that any services considered mission critical for the institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan testing. For many critical services, annual or more frequent tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for mission critical services and applications.
FFIEC IT SECURITY - We conclude our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING - UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
testing requirements).
Institution management confronts routine security issues and
events on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
changed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2.3 Central Enforcement and Oversight
Besides helping an organization improve the economy and efficiency
of its computer security program, a centralized program can include
an independent evaluation or enforcement function to ensure that
organizational subunits are cost-effectively securing resources and
following applicable policy. While the Office of the Inspector
General (OIG) and external organizations, such as the General
Accounting Office (GAO), also perform a valuable evaluation role,
they operate outside the regular management channels.
There are several reasons for having an oversight function within
the regular management channel. First, computer security is an
important component in the management of organizational resources.
This is a responsibility that cannot be transferred or abandoned.
Second, maintaining an internal oversight function allows an
organization to find and correct problems without the potential
embarrassment of an IG or GAO audit or investigation. Third, the
organization may find different problems from those that an outside
organization may find. The organization understands its assets,
threats, systems, and procedures better than an external
organization; additionally, people may have a tendency to be more
candid with insiders.