Virtual IT audits

As a result of the crisis and to help protect your staff, I am performing virtual FFIEC IT audits for banks and credit unions. I am a former bank examiner with years of IT auditing experience. Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees. All correspondence is confidential.
FYI

Federal Reserve Board announces it will resume examination activities for all banks, after previously announcing a reduced focus on exam activity in light of the coronavirus response.
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20200615a.htm

Hackers breached A1 Telekom, Austria's largest ISP - A1 Telekom, the largest internet service provider in Austria, has admitted to a security breach this week, following a whistleblower's expose.
https://www.zdnet.com/article/hackers-breached-a1-telekom-austrias-largest-isp/

Agencies Spending Millions on 'Crossbow' Spy Tech, an Upgraded Stingray - Motherboard found various military and federal law enforcement agencies have bought the Crossbow, which appears to target phones on 4G.
https://www.vice.com/en_us/article/jgxm3g/crossbow-imsi-catcher-new-stingray

Florence, Ala. Hit By Ransomware 12 Days After Being Alerted - In late May, security alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware.
https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/

US amends ban to allow companies to work with Huawei for developing 5G standards - The United States has announced it has amended the ban on US companies doing business with Huawei. The move entails allowing US companies to share information about technologies with Huawei for the purpose of developing joint standards without requiring an export licence.
https://www.zdnet.com/article/us-amends-ban-to-allow-companies-to-work-with-huawei-for-developing-5g-standards/

Outages draw speculation of DDoS attack on U.S. but reality likely more 'boring' - A series of outages at mobile providers, ISPs, streaming services, games and social media platforms prompted speculation Monday that the U.S. could be under a massive coordinated DDoS attack, though security experts said that scenario seemed unlikely.
https://www.scmagazine.com/home/security-news/outages-draw-speculation-of-ddos-attack-on-u-s-but-reality-likely-more-boring/

Two Bills to Bolster Cyber Defenses Introduced in the Senate - Sen. Gary Peters, D-Mich., introduced two bills, the Continuity of Economy Act of 2020 and the National Guard Cyber Interoperability Act of 2020, with the goal of bolstering the United States' cyber defenses.
https://www.meritalk.com/articles/two-bills-to-bolster-cyber-defenses-introduced-in-the-senate/

Aflac's Tim Callahan presses hard line on managing third-party risk - Ask 100 people to define risk and you'll get 100 definitions (if not more), but all typically agree on one thing: identifying and managing risk is extremely important to an organization's livelihood and resilience.
https://www.scmagazine.com/infosec-world-2020/infosec-world-2020-managing-risk-can-make-the-difference-between-remediation-and-ruin/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI

Knoxville ransomware attack shutters parts of city website - A ransomware attack took out parts of the Knoxville city website but did not compromise personal or financial information.
https://www.scmagazine.com/home/security-news/ransomware/knoxville-ransomware-attack-shutters-parts-of-city-website/
Russian hacker releases at least 14,000 Mexican taxpayer IDs - Researchers at Lucy Security recently discovered that a Russian hacker named m1x breached a Mexican government web portal and, three days later, after the government refused to pay a ransom, publicly released some 14,000 Mexican taxpayer ID numbers.
https://www.scmagazine.com/home/security-news/apts-cyberespionage/russian-hacker-releases-at-least-14000-mexican-taxpayer-ids/
Honda confirms its network has been hit by cyberattack - The Japanese manufacturer confirms it has been the victim of a cyberattack and said it is working to 'restore full functionality of production'.
https://www.zdnet.com/article/honda-confirms-its-network-has-been-hit-by-cyber-attack/

Ransomware attack compromises Australian beer supply - A ransomware attack on beverage company Lion could result in a temporary shortage of Australian beer after it was compelled to shut down key systems.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-compromises-australian-beer-supply/

South African bank to replace 12m cards after employees stole master key - Postbank says employees printed its master key at one of its data centers and then used it to steal $3.2 million.
https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/

Niche Dating Apps Expose 100,000s of Users in Massive Data Breach - Led by Noam Rotem and Ran Locar, vpnMentor's research team discovered a data breach exposing incredibly sensitive images from numerous niche dating and hook up apps.
https://www.vpnmentor.com/blog/report-dating-apps-leak/
WEB SITE COMPLIANCE

We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 2 of 10)

A. RISK DISCUSSION

Introduction
Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.
FFIEC IT SECURITY

We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Risk Mitigation
Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:

1) Establishing a minimum set of security requirements for wireless networks and applications;
2) Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
4) Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
7) Performing independent security testing of wireless network and application implementations.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT

6.4 System-Level Computer Security Programs
While the central program addresses the entire spectrum of computer security for an organization, system-level programs ensure appropriate and cost-effective security for each system. This includes influencing decisions about what controls to implement, purchasing and installing technical controls, day-to-day computer security administration, evaluating system vulnerabilities, and responding to security problems. It encompasses all the areas discussed in the handbook.

System-level computer security program personnel are the local advocates for computer security. The system security manager/officer raises the issue of security with the cognizant system manager and helps develop solutions for security problems. For example, has the application owner made clear the system's security requirements? Will bringing a new function online affect security, and if so, how? Is the system vulnerable to hackers and viruses? Has the contingency plan been tested? Raising these kinds of questions will force system managers and application owners to identify and address their security requirements.