FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- OCC Begins Accepting National Bank Charter Applications From
Financial Technology Companies - The Office of the Comptroller of
the Currency today announced it will begin accepting applications
for national bank charters from nondepository financial technology
companies engaged in the business of banking.
www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-74.html
ERP security warning as hackers step up attacks on systems -
Vulnerable ERP applications are being increasingly targeted by
attackers. The US Department of Homeland Security has warned
businesses of the growing risk of attackers targeting enterprise
resource planning (ERP) systems.
https://www.zdnet.com/article/erp-security-warning-as-hackers-step-up-attacks-on-systems/
NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds -
The nation’s cyber spy agency is suffering from substantial cyber
vulnerabilities, according to a first-of-its-kind unclassified audit
overview from the agency’s inspector general released Wednesday.
https://www.nextgov.com/cybersecurity/2018/07/nsa-hasnt-implemented-post-snowden-security-fixes-audit-finds/150067/
Multiple Ransomware Attacks Cut Off Police Access to Crime Database
in Riverside, Ohio - The department lost access to the Ohio Law
Enforcement Gateway on May 14 to shield the statewide system from
damage and prevent data exposure.
http://www.govtech.com/security/Multiple-Ransomware-Attacks-Cut-Off-Police-Access-to-Crime-Database-in-Riverside-Ohio.html
Old school: Yale discloses breach from more than 10 years ago - Talk
about excessive tardiness: Yale University yesterday disclosed that
more than 10 years ago, an online intruder breached one of the Ivy
League school's databases, which contained information on alumni,
faculty and staff members.
https://www.scmagazine.com/old-school-yale-discloses-breach-from-more-than-10-years-ago/article/784584/
US Warns of Supply Chain Attacks - The US government has repeated
warnings of state-sponsored cyber-attacks made possible by
infiltrating the software supply chain.
https://www.infosecurity-magazine.com/news/us-warns-of-supply-chain-attacks/
Houston Tests Its Preparedness for A Cyberattack - The city is
conducting a three-day exercise to find out how well it would react
to such an attack on top of a major disaster.
https://www.houstonpublicmedia.org/articles/news/city-of-houston/2018/07/25/297211/houston-tests-its-preparedness-for-a-cyberattack/
Pentagon reveals a Do Not Buy software list as a cybersecurity
measure - The U.S. Department of Defense has instructed its
procurers and contractors to stop buying software that may have
Chinese or Russian connections to help defend these institutions
against a possible cyberattack.
https://www.scmagazine.com/pentagon-reveals-a-do-not-buy-software-list-as-a-cybersecurity-measure/article/784588/
SamSam ransomware payments hit $6 million, malware called labor
intensive to operate - SamSam ransomware, known for its recent
takedown of several high-profile targets, is a well-coded piece of
malware that is backed by a group that does not mind spending time
to properly set up its victims to ensure a maximum payout from each
attack, resulting in about $6 million being paid so far, according
to a study by SophosLabs.
https://www.scmagazine.com/samsam-ransomware-payments-hit-6-million-malware-called-labor-intensive-to-operate/article/784454/
Kentucky city cites the risk of terrorism for not releasing
surveillance details - The Lexington, Ky., police department cited
the risk of terrorism as an excuse to not release information
concerning its surveillance equipment.
https://www.scmagazine.com/kentucky-city-cites-the-risk-of-terrorism-for-not-releasing-surveillance-details/article/784749/
'Security incident' at Reddit exposed user data to hackers - A
hacker who compromised a few Reddit employees' accounts with the
company's cloud and source code hosting providers penetrated some of
its systems and accessed user data, including email addresses and a
2007 database backup that contained old salted and hashed passwords.
https://www.scmagazine.com/security-incident-at-reddit-exposed-user-data-to-hackers/article/785327/
Insecure server holding U.K. fashion retailers' customer data
breached by white hat - A server containing a database holding
customer information pertaining to various U.K.-based online fashion
retailers was discovered to be insecure after it was breached by a
white-hat hacker on July 9.
https://www.scmagazine.com/insecure-server-holding-uk-fashion-retailers-customer-data-breached-by-white-hat/article/785301/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- LifeLock unsubscribe error unlocks customers' email address info -
Symantec's ID theft prevention subsidiary LifeLock suffered from
some embarrassing optics on Wednesday after it was reported that an
error in its e-marketing unsubscribe process left the email
addresses of its customers exposed to potential data theft and
tampering.
https://www.scmagazine.com/lifelock-unsubscribe-error-unlocks-customers-email-address-info/article/783775/
Fake bank apps found on Google Play - The official Google Play app
store has again been found harboring malicious apps, this time fake
banking apps that steal credit card credentials and other banking
information.
https://www.scmagazine.com/fake-bank-apps-found-on-google-play/article/783777/
Ransomware attack knocks out shipping giant COSCO's U.S. network - A
ransomware attack has severely disabled the U.S. network of COSCO
(China Ocean Shipping Company), one of the world's largest shipping
companies.
https://www.scmagazine.com/ransomware-attack-knocks-out-cosco-shipping-giants-american-network/article/783584/
Blue Springs Family Care endangers patient records, enables
ransomware attack - Missouri-based health care provider Blue Springs
Family Care has disclosed a ransomware attack resulting from a data
breach that may have also compromised patient records -- 44,979, to
be precise, according to news reports.
https://www.scmagazine.com/data-breach-at-blue-springs-family-care-endangers-patient-records-enables-ransomware-attack/article/784080/
Idaho inmates hack prison tablets, steal $225,000 in commissary
credits - The Idaho Department of Corrections reported that 364
prisoners hacked into its computer tablets and falsely credited
almost $225,000 into their personal prison accounts.
https://www.scmagazine.com/idaho-inmates-hack-prison-tablets-steal-225000-in-commissary-credits/article/783887/
Malvertising scam compromises 10,000+ websites; researchers suggest
ad network and resellers may be culpable - A malicious actor
essentially posing as a web publisher compromised more than 10,000
WordPress websites in an elaborate malvertising campaign involving
various ad resellers and ad networks, according to a report.
https://www.scmagazine.com/malvertising-scam-compromises-10000-websites-researchers-suggest-ad-network-and-resellers-may-be-culpable/article/784226/
Hack of D.C. police cameras was part of ransomware scheme,
prosecutors say - When hackers took over two-thirds of D.C. police's
surveillance cameras days before the 2017 presidential inauguration,
it appeared that the cyberattack was limited to eliciting a single
ransom payment.
https://www.washingtonpost.com/local/public-safety/attack-on-dc-police-security-cameras-had-broad-implications/2018/07/24/7ff01d78-8440-11e8-9e80-403a221946a7_story.html
Alaska city, borough under attack by CryptoLocker - The Borough of
Matanuska-Susitna (Mat-Su) and City of Valdez in Alaska were each
hit with ransomware attacks, within days of each other, which
knocked both networks offline.
https://www.scmagazine.com/alaska-city-borough-under-attack-by-cryptolocker/article/784776/
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or
notices to consumers. The compliance officer should check the
specific regulations to determine whether the disclosures/notices
can be delivered via electronic means. The delivery of disclosures
via electronic means has raised many issues with respect to the
format of the disclosures, the manner of delivery, and the ability
to ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers
" and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
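The "clear and conspicuous" point above can be checked mechanically: a link whose visible text is only a symbol such as "*" or a bare footnote number tells the customer nothing about the disclosure behind it. The following is an added example, not code from the newsletter or from any regulator; it uses only the Python standard library, and the sample page, its paths and the word-based rule for what counts as "descriptive" are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Link text counts as descriptive when it contains at least one real word of
# two or more letters; a bare "*", "**", "1" or empty text is treated as a
# symbol-only pointer. (Assumption of this example, not a regulatory test.)
_WORD = re.compile(r"[A-Za-z]{2,}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element. The alt text of an
    image inside the link counts as visible text, since screen readers use it."""

    def __init__(self) -> None:
        super().__init__()
        self._href: Optional[str] = None
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(" ".join(self._text).split())   # normalise whitespace
            self.anchors.append((self._href, text))
            self._href = None


def find_nondescriptive_links(html: str) -> List[Tuple[str, str]]:
    """Return (href, text) for every link whose text does not describe its target."""
    p = _AnchorCollector()
    p.feed(html)
    p.close()
    return [(href, text) for href, text in p.anchors if not _WORD.search(text)]


# Constructed sample page: two symbol-only pointers and two descriptive links.
SAMPLE_PAGE = """
<p>Open a checking account today.<a href="/disclosures/fees.html">*</a></p>
<p><a href="/disclosures/truth-in-savings.html">Truth in Savings disclosure</a></p>
<p><a href="/disclosures/privacy.html"><img src="lock.png" alt="Privacy notice"></a></p>
<p>See note <a href="/disclosures/rates.html">1</a> for current rates.</p>
"""


if __name__ == "__main__":
    for href, text in find_nondescriptive_links(SAMPLE_PAGE):
        print(f"non-descriptive pointer {text!r} -> {href}")
```

Run against a saved copy of the site's pages, the flagged list gives the compliance officer the specific links to redesign; the descriptive ones ("Truth in Savings disclosure", the image with alt text) pass untouched.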
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure
integration of security controls throughout the organization. To
support integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
4) Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance
of security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance,
self-assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.1.7 Common Access Modes
In addition to considering criteria for when access should occur,
it is also necessary to consider the types of access, or access
modes. The concept of access modes is fundamental to access control.
Common access modes, which can be used in both operating and
application systems, include the following:
1) Read access provides users with the capability to view
information in a system resource (such as a file, certain records,
certain fields, or some combination thereof), but not to alter it,
such as delete from, add to, or modify in any way. One must assume
that information can be copied and printed if it can be read
(although perhaps only manually, such as by using a print screen
function and retyping the information into another file).
2) Write access allows users to add to, modify, or delete
information in system resources (e.g., files, records, programs).
Normally, users have read access to anything they have write access to.
3) Execute privilege allows users to run programs.
4) Delete access allows users to erase system resources
(e.g., files, records, fields, programs). Note that if users have
write access but not delete access, they could overwrite the field
or file with gibberish or otherwise inaccurate information and, in
effect, delete the information.
Other specialized access modes (more often found in applications)
include:
1) Create access allows users to create new files, records,
or fields.
2) Search access allows users to list the files in a
directory.
Of course, these criteria can be used in conjunction with one
another. For example, an organization may give authorized
individuals write access to an application at any time from within
the office but only read access during normal working hours if they
dial in.
Depending upon the technical mechanisms available to implement
logical access control, a wide variety of access permissions and
restrictions are possible. No discussion can present all
possibilities.
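The access modes above, combined with the handbook's "when" criteria (channel and time of day), can be expressed as a small deny-by-default authorization check. The following is an added example written for this newsletter, not code from NIST or from any product; the mode names, the `Rule`/`AccessControl` classes, the "loan_officers" group and the "loan_app" resource are all constructed for illustration. It encodes the handbook's own example policy (write at any time from the office, read only during working hours when dialing in) and the convention that write access implies read access but nothing more.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Access modes listed in NIST Handbook 17.1.7; the string names are this example's own.
READ, WRITE, EXECUTE, DELETE, CREATE, SEARCH = (
    "read", "write", "execute", "delete", "create", "search")

# "Normally, users have read access to anything they have write access to."
# Nothing else is implied: write does NOT grant delete, execute or create.
IMPLIED: Dict[str, Set[str]] = {WRITE: {READ}}


def expand(modes: FrozenSet[str]) -> Set[str]:
    """Return the granted modes plus whatever they conventionally imply."""
    out = set(modes)
    for m in modes:
        out |= IMPLIED.get(m, set())
    return out


@dataclass(frozen=True)
class Rule:
    """One grant: `subject` may use `modes` on `resource` over `channels`,
    optionally only inside a [start, end) window of the day."""
    subject: str                     # user name or group name (assumed naming)
    resource: str
    modes: FrozenSet[str]
    channels: FrozenSet[str]         # e.g. {"office"} or {"office", "dialin"}
    hours: Optional[Tuple[time, time]] = None   # None means any time of day

    def covers(self, mode: str, channel: str, at: time) -> bool:
        if channel not in self.channels:
            return False
        if self.hours is not None and not (self.hours[0] <= at < self.hours[1]):
            return False
        return mode in expand(self.modes)


class AccessControl:
    """Deny-by-default check: a request is allowed only if some rule for the
    user, or for a group the user belongs to, covers mode, channel and time."""

    def __init__(self, rules: List[Rule], memberships: Dict[str, Set[str]]):
        self.rules = rules
        self.memberships = memberships   # user -> set of group names

    def is_allowed(self, user: str, resource: str, mode: str,
                   channel: str, at: time) -> bool:
        subjects = {user} | self.memberships.get(user, set())
        return any(r.covers(mode, channel, at)
                   for r in self.rules
                   if r.subject in subjects and r.resource == resource)


# Constructed policy matching the handbook's example: write access to the
# application at any time from within the office, but only read access during
# normal working hours (assumed 08:00-17:00) when dialing in.
WORKING_HOURS = (time(8, 0), time(17, 0))
POLICY = AccessControl(
    rules=[
        Rule("loan_officers", "loan_app", frozenset({WRITE}), frozenset({"office"})),
        Rule("loan_officers", "loan_app", frozenset({READ}), frozenset({"dialin"}),
             WORKING_HOURS),
    ],
    memberships={"alice": {"loan_officers"}},   # "bob" belongs to no group
)


if __name__ == "__main__":
    requests = [("alice", WRITE, "office", time(23, 0)),
                ("alice", READ, "dialin", time(10, 0)),
                ("alice", READ, "dialin", time(20, 0)),
                ("alice", DELETE, "office", time(10, 0)),
                ("bob", READ, "office", time(10, 0))]
    for user, mode, channel, at in requests:
        verdict = POLICY.is_allowed(user, "loan_app", mode, channel, at)
        print(user, mode, channel, at.strftime("%H:%M"), "ALLOW" if verdict else "DENY")
```

Two details carry the handbook's warnings: the delete request from the office is denied even though the user can write (the write rule grants read by implication, never delete), and a user with no matching rule is denied without any special-case code, which is the behaviour a reviewer should expect from any access-control mechanism under examination.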