Does your financial institution need an affordable cybersecurity and Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b); the penetration test also complies with the resilience-testing provisions of the FFIEC Cybersecurity Assessment Tool.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit is conducted from a hacker's perspective, which helps you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- The White House wants to build a single, unified strategy for strengthening the cybersecurity workforce at every agency across government. The White House reorganization plan would force agencies to assess the strength of their cyber workforce and quickly fill the gaps they find.
https://www.nextgov.com/cybersecurity/2018/06/white-house-reorganization-addresses-cyber-workforce-gap/149189/
Tesla Alleges an Employee Stole Gigabytes of Trade Secrets - The company has filed a lawsuit against former employee Martin Tripp for allegedly hacking confidential information and sending it to unidentified sources.
https://motherboard.vice.com/en_us/article/7xma7d/tesla-alleges-an-employee-stole-gigabytes-of-trade-secrets-gigafactory-martin-tripp
Dealing with the insider threat on your network - The insider threat is real and happens all too often. Just recently, California's Department of Fish and Wildlife (CDFW) issued an internal memo warning that a former employee downloaded worker and vendor records to a personal device without authorization and took the records outside of the state's network.
https://www.scmagazine.com/dealing-with-the-insider-threat-on-your-network/article/772979/
The Supreme Court Just Greatly Strengthened Digital Privacy - In a highly anticipated decision released Friday, the US Supreme Court updated Fourth Amendment protections for the digital era. In a 5-4 ruling, the court decided in Carpenter v. United States that the government generally needs a warrant in order to access cell site location information, which is automatically generated whenever a mobile phone connects to a cell tower and is stored by wireless carriers for years.
https://www.wired.com/story/carpenter-v-united-states-supreme-court-digital-privacy/
Bill Could Give Californians Unprecedented Control Over Data - Lawmakers in California have introduced a sweeping privacy bill to the state legislature that would give Californians unprecedented control over their data and rein in the power of their Silicon Valley neighbors.
https://www.wired.com/story/new-privacy-bill-could-give-californians-unprecedented-control-over-data/
Hackers weaponised secure USB drives to target air-gapped networks - A cyber-espionage group is targeting a specific type of secure USB drive created by a South Korean defence company in a bid to gain access to its air-gapped networks.
https://www.scmagazine.com/hackers-weaponised-secure-usb-drives-to-target-air-gapped-networks/article/776144/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 270,000 Med Associates records possibly compromised in data breach - Healthcare claims services provider Med Associates is notifying its patients that the facility suffered a data breach in March potentially exposing PII, including medical diagnosis and payment card information.
https://www.scmagazine.com/270000-med-associates-records-possibly-compromised-in-data-breach/article/775441/
Hackers get into PDQ's hen house, swipe credit card data - The fast-food chain PDQ is telling its customers their payment card information may have been compromised due to a point-of-sale data breach.
https://www.scmagazine.com/hackers-get-into-pdqs-hen-house-swipe-credit-card-data/article/775798/
Comcast API on Xfinity site exposed customer data - Comcast shut down an API on its Xfinity website after it was discovered to reveal home addresses, account numbers and additional customer data without permission to others sharing the same network as the customer or using an app on the network.
https://www.scmagazine.com/comcast-api-on-xfinity-site-exposed-customer-data/article/775995/
Hackers exploit FastBooking flaw to steal customer data from hundreds of hotels - Hackers exploited a web app vulnerability on a FastBooking server to install malware and pilfer data (names, email addresses, booking information and payment card data) on guests at hundreds of hotels.
https://www.scmagazine.com/hackers-exploit-fastbooking-flaw-to-steal-customer-data-from-hundreds-of-hotels/article/776351/
Ticketmaster UK customers hit in third-party breach - Ticketmaster UK is alerting its customers to a third-party security incident that may have compromised their information.
https://www.scmagazine.com/ticketmaster-uk-customers-hit-in-third-party-breach/article/776665/
Superion's Click2Gov breach affects thousands of municipal customers across several states - The payment information of tens of thousands of local government customers across the country was exposed after hackers leveraged a vulnerability in Superion's Click2Gov function in the payment server used for online utility payments.
https://www.scmagazine.com/superions-click2gov-breaches-affects-thousands-of-municipal-customers-across-several-states/article/776331/
WEB SITE COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to Regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.
Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options, but should ensure that the on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations' requirements for multiple-page advertisements.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Testing.
Management should ensure that information system networks are tested regularly. The nature, extent, and frequency of tests should be proportionate to the risks of intrusions from external and internal sources. Management should select qualified and reputable individuals to perform the tests and ensure that tests do not inadvertently damage information systems or reveal confidential information to unauthorized individuals. Management should oversee the tests, review test results, and respond to deficiencies in a timely manner. In accordance with OCC's "Technology Risk Management: PC Banking," management should ensure that an objective, qualified source conducts a penetration test of Internet banking systems at least once a year, or more frequently when appropriate.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.4.2 Maintaining Authentication
16.5 Interdependencies
There are many interdependencies among I&A and other controls. Several of them have been discussed in the chapter.
Logical Access Controls. Access controls are needed to protect the authentication database. I&A is often the basis for access controls. Dial-back modems and firewalls, discussed in Chapter 17, can help prevent hackers from trying to log in.
Audit. I&A is necessary if an audit log is going to be used for individual accountability.
Cryptography. Cryptography provides two basic services to I&A: it protects the confidentiality of authentication data, and it provides protocols for proving knowledge and/or possession of a token without having to transmit data that could be replayed to gain access to a computer system.
16.6 Cost Considerations
In general, passwords are the least expensive authentication technique and generally the least secure. They are already embedded in many systems. Memory tokens are less expensive than smart tokens, but have less functionality. Smart tokens with a human interface do not require readers, but are more inconvenient to use. Biometrics tends to be the most expensive.
For I&A systems, the cost of administration is often underestimated. Just because a system comes with a password mechanism does not mean that using it is free: there is significant overhead in administering the I&A system, such as enrolling users, resetting forgotten passwords, and revoking access in a timely way.