FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Australia will force tech companies to help cops view encrypted data - The country's cyber security chief insists it won't involve a back door to bypass encryption. Australia will reveal in the coming weeks new laws that will force tech companies to help police access the encrypted data of suspected criminals, but is ambiguous on how those powers will work.
https://www.cnet.com/news/australias-new-laws-will-force-tech-companies-to-help-cops-access-suspects-encrypted-data/
An Encryption Upgrade Could Upend Online Payments - At the end of June, digital credit card transactions are getting a mandatory encryption upgrade. It's good news - but not if you have an old device, or depend on a retailer that hasn't completed the transition.
https://www.wired.com/story/tls-encryption-upgrade-credit-card-online-payments/
Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’ - According to DHS and other US government documents obtained by Motherboard, the DHS is continuing to investigate how insecure commercial aircraft are to cyber attacks, with one research lab saying hacking a plane may lead to a "catastrophic disaster."
https://motherboard.vice.com/en_us/article/d3kwzx/documents-us-government-hacking-planes-dhs
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Here's a transaction Transamerica regrets: Transgressors swipe retirees' personal info - 45,000 plan holders hit by crooks, say corp officials - Financial house Transamerica has admitted criminals swiped some of its customers' sensitive personal information, including social security numbers.
http://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/
Chinese gov't hackers snag secret missile plans in Navy contractor breach - Hackers from the Chinese Ministry of State Security who broke into the systems of a contractor working for the U.S. Naval Undersea Warfare Center stole 614GB of sensitive information, including plans for a supersonic anti-ship missile to be launched from a submarine.
https://www.scmagazine.com/chinese-govt-hackers-snag-secret-missile-plans-in-navy-contractor-breach/article/772420/
Hackers target payment transfer system at Chile's biggest bank, 'take $10m' - SWIFT-linked system was the target, claim infosec types - Banco de Chile has become the latest victim in a string of cyber attacks targeting the payment transfer systems of banks.
http://www.theregister.co.uk/2018/06/11/chile_bank_wiper_prelude_cyberheaist/
WEB SITE COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Gathering and Retaining Intrusion Information.
Particular care should be taken when gathering intrusion information. The OCC expects management to clearly assess the tradeoff between enabling an easier recovery by gathering information about an intruder and the risk that an intruder will inflict additional damage while that information is being gathered. Management should establish and communicate procedures and guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables recovery while facilitating subsequent actions by law enforcement. Legal chain of custody requirements must be considered. In general, legal chain of custody requirements address controlling and securing evidence from the time of the intrusion until it is turned over to law enforcement personnel. Chain of custody actions, and those actions that should be guarded against, should be identified and embodied in the bank's policies, procedures, and training.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.4 Implementing I&A Systems
Some of the important implementation issues for I&A systems include administration, maintaining authentication, and single log-in.
16.4.1 Administration
Administration of authentication data is a critical element for all types of authentication systems. The administrative overhead associated with I&A can be significant. I&A systems need to create, distribute, and store authentication data. For passwords, this includes creating passwords, issuing them to users, and maintaining a password file. Token systems involve the creation and distribution of tokens/PINs and data that tell the computer how to recognize valid tokens/PINs. For biometric systems, this includes creating and storing profiles.
The administrative tasks of creating and distributing authentication data and tokens can be substantial. Identification data has to be kept current by adding new users and deleting former users. If the distribution of passwords or tokens is not controlled, system administrators will not know if they have been given to someone other than the legitimate user. It is critical that the distribution system ensure that authentication data is firmly linked with a given individual.
In addition, I&A administrative tasks should address lost or stolen passwords or tokens. It is often necessary to monitor systems to look for stolen or shared accounts.
Authentication data needs to be stored securely, as discussed with regard to accessing password files. The value of authentication data lies in the data's confidentiality, integrity, and availability. If confidentiality is compromised, someone may be able to use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators. If integrity is compromised, authentication data can be added or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work.
One method of looking for improperly used accounts is for the computer to inform users when they last logged on. This allows users to check if someone else used their account.
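The two points above, protecting the stored authentication data from anyone who can read the file and telling users when they last logged on, can be seen together in a small password store. This is an added example, not code from the NIST Handbook; it uses a salted one-way derivation (PBKDF2) rather than the reversible encryption the Handbook mentions, and the `AuthStore` class and its method names are assumptions for illustration.

```python
# Added example (not from the NIST Handbook): an I&A store whose file holds
# only salted PBKDF2 digests, so an administrator reading it cannot recover
# a password, and which returns the previous logon time on each successful
# authentication so the user can spot use of the account by someone else.
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the example)


class AuthStore:
    def __init__(self):
        # user -> {"salt": bytes, "digest": bytes, "last_logon": float | None}
        self.records = {}

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def create_user(self, user, password):
        # Create and store authentication data; a fresh salt per user means
        # identical passwords never produce identical stored digests.
        salt = os.urandom(16)
        self.records[user] = {"salt": salt, "digest": self._derive(salt, password),
                              "last_logon": None}

    def remove_user(self, user):
        # Keep identification data current by deleting former users.
        return self.records.pop(user, None) is not None

    def authenticate(self, user, password, now=None):
        # Returns (ok, previous_logon). On success the previous logon time is
        # reported to the caller and the current time is recorded.
        rec = self.records.get(user)
        if rec is None:
            return False, None
        candidate = self._derive(rec["salt"], password)
        if not hmac.compare_digest(candidate, rec["digest"]):  # constant-time compare
            return False, None
        previous = rec["last_logon"]
        rec["last_logon"] = time.time() if now is None else now
        return True, previous

    def admin_view(self, user):
        # What an administrator reading the file sees: salt and digest only.
        rec = self.records[user]
        return {"salt": rec["salt"].hex(), "digest": rec["digest"].hex()}
```

A deployed system would persist `records` to a protected file and show `previous_logon` to the user at logon; here the store is in memory so the example runs stand-alone.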