FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Cybercriminals take the day off to watch the World Cup - There is
no doubt the World Cup has a negative impact on business
productivity, but it may come as a surprise to find cybercriminals
are no different and take the day off when their nation's squad is
playing.
https://www.scmagazine.com/cybercriminals-take-the-day-off-to-watch-the-world-cup/article/780398/
US CERT issues security advisory on Kea server for memory flaw -
US-CERT issued a security advisory, rated medium, for Kea DHCP
version 1.4.0 that could cause memory leakage resulting in the
failure of memory locations and a server crash.
https://www.scmagazine.com/us-cert-issues-security-advisory-on-kea-server-for-memory-flaw/article/780378/
Walmart files patent for audio surveillance technology to monitor
employees and customers - Walmart Tuesday filed a patent for audio
surveillance technology to record customers and employees, which the
patent proposes to use to focus on minute details of shopping and checkout.
https://www.scmagazine.com/walmart-files-patent-for-audio-surveillance-technology-to-monitor-employees-and-customers/article/780864/
Coast Guard Academy to offer new major in cyber systems - The U.S.
Coast Guard Academy is now offering an academic program in cyber
systems, its first new major in a quarter century.
https://federalnewsradio.com/technology-news/2018/07/coast-guard-academy-to-offer-new-major-in-cyber-systems/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - UMC Physicians offers identity protection to affected patients
following data breach - More than 18,000 patients of University
Medical Center Physicians could be affected by a data breach
disclosed by the UMC Health System on Thursday.
http://www.lubbockonline.com/news/20180712/umc-physicians-offers-identity-protection-to-affected-patients-following-data-breech
Blizzard DoS attack affected Overwatch, Heroes of the Storm, World
of Warcraft - A weekend-long denial-of-service (DoS) attack which
targeted Blizzard Entertainment causing severe lag for some players
and preventing others from logging in at all, finally came to an end
Monday morning.
https://www.scmagazine.com/blizzard-hit-with-another-dos-attack-affecting-overwatch-heroes-of-the-storm-world-of-warcraft/article/780371/
MedEvolve FTP server left open to web, patient data compromised - A
customer of the medical practice management software firm MedEvolve
had the PII of at least 15 patients, and possibly more, exposed
when a file on an FTP server was left open to the internet.
https://www.scmagazine.com/medevolve-ftp-server-left-open-to-web-patient-data-compromised/article/780386/
Career and Technology Education Centers of Licking County
acknowledge possible breach - Career and Technology Education
Centers (C-TEC) of Licking County in Newark, Ohio suffered a
possible data breach earlier this year that could have exposed
individuals' names and Social Security numbers, according to local
reports.
https://www.scmagazine.com/career-and-technology-education-centers-of-licking-county-acknowledge-possible-breach/article/780212/
Timehop admits to more data leakage, details GDPR danger - Bad actor
was inside social network for months without being detected -
Nostalgia aggregator Timehop has revised its advice about the data
breach it reported earlier this week.
http://www.theregister.co.uk/2018/07/12/timehop_data_leak_update/
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign -
Cybersecurity vendor RiskIQ's investigation of a recently disclosed
breach at Ticketmaster UK showed that the online ticket seller is
just one of hundreds of victims of a huge campaign to steal payment
card data.
http://www.darkreading.com/attacks-breaches/ticketmaster-breach-part-of-massive-payment-card-hacking-campaign/d/d-id/1332266
Telefonica breach leaves data on millions exposed - Hackers
exploited a flaw at Spanish operator Telefonica early Monday and
likely exposed all the personal data of millions of the company's
customers.
https://www.scmagazine.com/telefonica-breach-leaves-data-on-millions-exposed/article/781066/
WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and
services on-line must verify that proper advertising disclosures are
made in accordance with all provisions of the regulations.
Institutions should note that the disclosure exemption for
electronic media does not specifically address commercial messages
made through an institution's web site or other on-line banking
system. Accordingly, adherence to all of the advertising disclosure
requirements is required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an
ongoing security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to
implement and achieve its security objectives. The process is
designed to identify, measure, manage and control the risks to
system and data availability, integrity, and confidentiality, and
ensure accountability for system actions. The process includes five
areas that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and
operation of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously
gathering and analyzing information regarding new threats and
vulnerabilities, actual attacks on the institution or others
combined with the effectiveness of the existing security controls.
This information is used to update the risk assessment, strategy,
and controls. Monitoring and updating makes the process continuous
instead of a one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.1.1 Identity
It is probably fair to say that the majority of access controls are
based upon the identity of the user (either human or process), which
is usually obtained through identification and authentication (I&A).
The identity is usually unique, to support individual
accountability, but can be a group identification or can even be
anonymous. For example, public information dissemination systems may
serve a large group called "researchers" in which the individual
researchers are not known.
17.1.2 Roles
Access to information may also be controlled by the job assignment
or function (i.e., the role) of the user who is seeking access.
Examples of roles include data entry clerk, purchase officer,
project leader, programmer, and technical editor. Access rights are
grouped by role name, and the use of resources is restricted to
individuals authorized to assume the associated role. An individual
may be authorized for more than one role, but may be required to act
in only a single role at a time. Changing roles may require logging
out and then in again, or entering a role-changing command. Note
that use of roles is not the same as shared-use accounts. An
individual may be assigned a standard set of rights of a shipping
department data entry clerk, for example, but the account would
still be tied to that individual's identity to allow for auditing.
The use of roles can be a very effective way of providing access
control. The process of defining roles should be based on a thorough
analysis of how an organization operates and should include input
from a wide spectrum of users in an organization.
Many systems already support a small number of special-purpose
roles, such as System Administrator or Operator. For example, an
individual who is logged on in the role of a System Administrator
can perform operations that would be denied to the same individual
acting in the role of an ordinary user.
Recently, the use of roles has been expanded beyond system tasks to
application-oriented activities. For example, a user in a company
could have an Order Taking role, and would be able to collect and
enter customer-billing information, check on availability of
particular items, request shipment of items, and issue invoices. In
addition, there could be an Accounts Receivable role, which would
receive payments and credit them to particular invoices. A Shipping
role could then be responsible for shipping products and updating
the inventory. To provide additional security, constraints could be
imposed so a single user would never be simultaneously authorized to
assume all three roles. Constraints of this kind are sometimes
referred to as separation of duty constraints.
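The following is an added worked example, not code from the NIST Handbook or from this newsletter, that puts sections 17.1.1 and 17.1.2 together: an account is tied to one individual identity for auditing, may be authorized for several roles, is active in only one role at a time, and a static separation of duty constraint stops one person from ever being authorized for the Order Taking, Accounts Receivable and Shipping roles together. The role names, permission names, users and the constraint set are all constructed for illustration.

```python
"""Role-based access with separation-of-duty (SoD) constraints.

Added example (not from the NIST Handbook or the newsletter) for
Chapter 17.1.1/17.1.2. Role names, permissions, users and the SoD
constraint set are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role -> permissions, built from the text's Order Taking / Accounts
# Receivable / Shipping example plus two system roles (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "OrderTaking": {"enter_billing_info", "check_availability",
                    "request_shipment", "issue_invoice"},
    "AccountsReceivable": {"receive_payment", "credit_invoice"},
    "Shipping": {"ship_product", "update_inventory"},
    "SystemAdministrator": {"manage_accounts", "read_audit_log"},
    "User": {"read_own_records"},
}

# Static SoD constraints: no single identity may be authorized for every
# role in a conflicting set (constructed from the text's description).
SOD_CONSTRAINTS: List[frozenset] = [
    frozenset({"OrderTaking", "AccountsReceivable", "Shipping"}),
]


class SeparationOfDutyError(Exception):
    """Granting the role would let one identity hold a conflicting set."""


class AccessDenied(Exception):
    """The identity is not authorized for the requested role."""


@dataclass
class Account:
    user_id: str                                 # one individual, never shared
    authorized_roles: Set[str] = field(default_factory=set)
    active_role: Optional[str] = None            # at most one role at a time


@dataclass
class AccessControl:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Every audit entry is keyed by user_id, so actions taken in a role stay
    # attributable to the individual: roles are not shared-use accounts.
    audit_log: List[Tuple[str, Optional[str], str, str]] = field(default_factory=list)

    def create_account(self, user_id: str) -> Account:
        acct = Account(user_id)
        self.accounts[user_id] = acct
        return acct

    def authorize_role(self, user_id: str, role: str) -> None:
        """Authorize an identity for a role unless an SoD constraint forbids it."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        acct = self.accounts[user_id]
        proposed = acct.authorized_roles | {role}
        for conflict in SOD_CONSTRAINTS:
            if conflict <= proposed:   # the grant would complete a conflicting set
                raise SeparationOfDutyError(f"{user_id} would hold all of {sorted(conflict)}")
        acct.authorized_roles.add(role)

    def assume_role(self, user_id: str, role: str) -> None:
        """The 'role-changing command': switch the single active role."""
        acct = self.accounts[user_id]
        if role not in acct.authorized_roles:
            self.audit_log.append((user_id, acct.active_role, f"assume:{role}", "denied"))
            raise AccessDenied(f"{user_id} is not authorized for {role}")
        acct.active_role = role   # previous role is dropped: one role at a time
        self.audit_log.append((user_id, role, f"assume:{role}", "allowed"))

    def check(self, user_id: str, permission: str) -> bool:
        """Permit only what the currently active role grants; log either way."""
        acct = self.accounts[user_id]
        role = acct.active_role
        allowed = role is not None and permission in ROLE_PERMISSIONS[role]
        self.audit_log.append((user_id, role, permission, "allowed" if allowed else "denied"))
        return allowed


def demo() -> dict:
    """Walk through the text's scenario and return the access decisions observed."""
    ac = AccessControl()
    ac.create_account("alice")
    ac.authorize_role("alice", "OrderTaking")
    ac.authorize_role("alice", "Shipping")
    try:   # a third role would complete the conflicting set
        ac.authorize_role("alice", "AccountsReceivable")
        sod_blocked = False
    except SeparationOfDutyError:
        sod_blocked = True

    ac.assume_role("alice", "OrderTaking")
    invoice_as_order_taker = ac.check("alice", "issue_invoice")   # granted by active role
    ship_as_order_taker = ac.check("alice", "ship_product")       # authorized, but not active
    ac.assume_role("alice", "Shipping")
    ship_as_shipper = ac.check("alice", "ship_product")
    invoice_as_shipper = ac.check("alice", "issue_invoice")       # OrderTaking no longer active

    ac.create_account("bob")
    ac.authorize_role("bob", "User")
    try:   # ordinary user cannot step into the System Administrator role
        ac.assume_role("bob", "SystemAdministrator")
        admin_denied = False
    except AccessDenied:
        admin_denied = True

    return {"sod_blocked": sod_blocked,
            "invoice_as_order_taker": invoice_as_order_taker,
            "ship_as_order_taker": ship_as_order_taker,
            "ship_as_shipper": ship_as_shipper,
            "invoice_as_shipper": invoice_as_shipper,
            "admin_denied": admin_denied,
            "audit_entries": ac.audit_log}
```

Run `demo()` to see the decisions. Two design points matter for audit: the SoD check runs at authorization time (static separation of duty), so the conflicting combination can never exist on an account, and every audit entry carries the user_id rather than only the role, so a reviewer can always trace an action in the Shipping role back to the person who performed it.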