FFIEC information technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI
- How hackers managed to steal $13.5 million in Cosmos bank heist -
An in-depth look into the incident reveals how the 112-year-old bank
may have been swindled out of millions.
https://www.zdnet.com/article/how-hackers-managed-to-steal-13-5-million-in-cosmos-bank-heist/
FBI faces ‘recruiting challenge’ in plan to hire data scientists at
all field offices - As the FBI looks to move to the cloud and share
data more easily, the agency says it has the funding it needs to
hire data experts across all 56 of its field offices.
https://federalnewsradio.com/workforce/2018/08/fbi-faces-recruiting-challenge-in-plan-to-hire-data-scientists-at-all-field-offices/
Harsh Reality: Former NSA contractor sentenced to 63 months for
leaking classified report - The former NSA contractor who last June
pleaded guilty to leaking classified defense reports pertaining to
Russian election interference to a media outlet, was sentenced today
to 63 months in federal prison.
https://www.scmagazine.com/harsh-reality-former-nsa-contractor-reality-winner-sentenced-to-63-months-for-leaking-classified-report/article/790851/
How to stop falling behind on cybersecurity training - In today's
fast-paced digital world the number of cyberthreats is multiplying by
the minute, and organizations' IT environments are in a constant state
of flux.
https://www.scmagazine.com/how-to-stop-falling-behind-on-cybersecurity-training/article/783909/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Massive WordPress redirect campaign spotted targeting tagDiv
Themes and Ultimate Member Plugins - Sucuri researchers have
uncovered what they described as a massive WordPress redirecting
campaign targeting vulnerable tagDiv themes and Ultimate Member
plugins.
https://www.scmagazine.com/massive-wordpress-redirect-campaign-spotted-targeting-tagdiv-themes-and-ultimate-member-plugins/article/790878/
Babysitting app Sitter exposed the data of 93,000 customers - The
babysitting app Sitter notified some 93,000 account holders their
personal data was exposed after independent security researcher Bob
Diachenko discovered an inadvertently exposed MongoDB file.
https://www.scmagazine.com/babysitting-app-sitter-exposed-the-data-of-93000-customers/article/790846/
Cheddar's restaurant data breach exposes 567,000 payment cards -
Darden Restaurants suffered a point-of-sale system data breach at
certain of its Cheddar's Scratch Kitchen locations that exposed at
least 567,000 payment card numbers.
https://www.scmagazine.com/cheddars-restaurant-data-breach-exposes-567000-payment-cards/article/790687/
Bank of Spain's website hit by cyber attack - The Bank of Spain’s
website has been hit since Sunday by a cyber attack which has
temporarily disrupted access to the site, a spokesman for the
central bank said on Monday.
https://www.reuters.com/article/us-spain-cyber-cenbank/bank-of-spains-website-hit-by-cyber-attack-idUSKCN1LC23B
T-Mobile discovers security breach of certain customer information -
T-Mobile US and its unit Metro PCS informed customers on Thursday
about a potential security breach that was discovered and shut down
by the company.
https://www.cnbc.com/2018/08/24/t-mobile-discovers-security-breach-of-certain-customer-information.html
Air Canada mobile app breach potentially impacts about 20,000
profiles - Air Canada yesterday warned customers of "unusual login
behavior" on its mobile app between Aug. 22 and 24, during which
time a portion of its account profiles may have been accessed in
unauthorized fashion.
https://www.scmagazine.com/air-canada-mobile-app-breach-potentially-impacts-about-20000-profiles/article/791996/
WEB SITE COMPLIANCE -
The
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as
a component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system,
to identify and measure threats to the system and the data it
contains and transmits, and to estimate the likelihood that a threat
will take action against the system or data.
System characterization articulates the understanding of the
system, including the boundaries of the system being assessed, the
system's hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
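The analysis steps above (characterize the system, rank assets by sensitivity and operational importance, build threat scenarios, cross-reference each scenario's vulnerability against current controls, and highlight the control areas that need work) can be carried out as a small, repeatable model. The following is an added example, not text or code from the FFIEC booklet; the three-point scoring scales, the residual-risk formula, and the assets, scenarios and controls are constructed assumptions chosen to illustrate the method.

```python
"""Added example: a minimal FFIEC-style 'analyze information' model.

Assumptions (not from the booklet): ordinal 1..3 scales for sensitivity,
criticality, likelihood and control effectiveness; residual risk is the
inherent score scaled down by the strongest covering control.  All
assets, scenarios and controls below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int   # harm to customers if NPI is disclosed (GLBA view)
    criticality: int   # importance to the institution's operations


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset   # vulnerability labels this control addresses
    effectiveness: int     # 1 partial .. 3 strong


@dataclass(frozen=True)
class Scenario:
    description: str
    asset: str             # key into the asset inventory
    vulnerability: str     # the weakness the threat exploits
    malicious: bool        # malicious vs non-malicious (accident, disaster)
    likelihood: int        # 1..3 before any control is applied


def asset_rank(asset: Asset) -> int:
    """Rank = the higher of customer harm and operational importance."""
    return max(asset.sensitivity, asset.criticality)


def residual_risk(s: Scenario, assets: dict, controls: list) -> dict:
    """Score one scenario and cross-reference it to the controls that cover it."""
    impact = asset_rank(assets[s.asset])
    inherent = s.likelihood * impact
    covering = [c for c in controls if s.vulnerability in c.mitigates]
    best = max((c.effectiveness for c in covering), default=0)
    # Strongest control removes best/3 of the inherent score (assumption).
    residual = inherent * (3 - best) // 3
    return {
        "description": s.description,
        "vulnerability": s.vulnerability,
        "inherent": inherent,
        "residual": residual,
        "controls": [c.name for c in covering],
    }


def control_gaps(scenarios: list, assets: dict, controls: list,
                 threshold: int = 4) -> list:
    """Scenarios whose residual risk still meets the threshold, worst first."""
    scored = [residual_risk(s, assets, controls) for s in scenarios]
    gaps = [r for r in scored if r["residual"] >= threshold]
    return sorted(gaps, key=lambda r: r["residual"], reverse=True)


# --- constructed sample inventory -----------------------------------------
ASSETS = {
    "customer database": Asset("customer database", sensitivity=3, criticality=3),
    "public web server": Asset("public web server", sensitivity=1, criticality=2),
    "branch file server": Asset("branch file server", sensitivity=2, criticality=2),
}

CONTROLS = [
    Control("WAF plus monthly patching", frozenset({"unpatched web app"}), 2),
    Control("off-site backups", frozenset({"single site"}), 3),
]

SCENARIOS = [
    # the booklet's general malicious scenario: script against a web server
    Scenario("unskilled attacker runs a script against the web server to "
             "extract customer records", "customer database",
             "unpatched web app", malicious=True, likelihood=3),
    Scenario("flood destroys the branch file server", "branch file server",
             "single site", malicious=False, likelihood=1),
    Scenario("clerk browses customer records outside the assigned range",
             "customer database", "no row-level access restriction",
             malicious=True, likelihood=2),
]

if __name__ == "__main__":
    for gap in control_gaps(SCENARIOS, ASSETS, CONTROLS):
        print(f'{gap["residual"]}: {gap["description"]} '
              f'(controls: {gap["controls"] or "none"})')
```

Running it lists only the scenario with no covering control (the insider browsing scenario), which is exactly the control area the booklet says the cross-reference should surface; the scripted web attack drops below the threshold because a control covers its vulnerability, and the flood scenario scores zero because the backup control is rated strong.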
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.3.1.4 Constrained User Interfaces
Often used in conjunction with ACLs are constrained user
interfaces, which restrict users' access to specific functions by
never allowing them to request the use of information, functions, or
other specific system resources for which they do not have access.
Three major types exist: (1) menus, (2) database views, and (3)
physically constrained user interfaces.
Constrained user interfaces can provide a form of access control
that closely models how an organization operates. Many systems allow
administrators to restrict users' ability to use the operating
system or application system directly. Users can only execute
commands that are provided by the administrator, typically in the
form of a menu. Another means of restricting users is through
restricted shells, which limit the system commands the user can
invoke. The use of menus and shells can often make the system easier
to use and can help reduce errors.
Menu-driven systems are a common constrained user interface, where
different users are provided different menus on the same system.
Database views are a mechanism for restricting user access to
data contained in a database. It may be necessary to allow a user to
access a database, but that user may not need access to all the data
in the database (e.g., not all fields of a record nor all records in
the database). Views can be used to enforce complex access
requirements that are often needed in database situations, such as
those based on the content of a field. For example, consider the
situation where clerks maintain personnel records in a database.
Clerks are assigned a range of clients based upon last name (e.g.,
A-C, D-G). Instead of granting a user access to all records, the
view can grant the user access to the record based upon the first
letter of the last name field.
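The clerk example above, worked through in code as an added illustration (not from the NIST Handbook): each clerk gets a view rather than access to the personnel table, the view returns only rows whose last name falls in the clerk's assigned letter range and omits the salary column, and a small wrapper acts as the constrained interface by running queries only against the caller's own view. SQLite is used so the example runs offline; the table layout, clerk names, ranges and rows are constructed.

```python
"""Added example: database views as a constrained user interface.

Assumptions: SQLite (no GRANT support, so the wrapper enforces which view
a clerk may use); constructed personnel rows; clerk ranges A-C and D-G.
"""
import sqlite3

SCHEMA = """
CREATE TABLE personnel (
    emp_id     INTEGER PRIMARY KEY,
    last_name  TEXT NOT NULL,
    first_name TEXT NOT NULL,
    department TEXT NOT NULL,
    salary     INTEGER NOT NULL
);
"""

# Constructed sample records.
ROWS = [
    (1, "Adams", "Ann", "Lending", 70000),
    (2, "Baker", "Bob", "Operations", 65000),
    (3, "Diaz", "Dan", "IT", 80000),
    (4, "Garcia", "Gil", "Operations", 62000),
    (5, "Hill", "Hal", "IT", 90000),
]

# clerk -> (first letter, last letter) of the last-name range they maintain
CLERK_RANGES = {
    "clerk_ac": ("A", "C"),
    "clerk_dg": ("D", "G"),
}

# Columns the view exposes; salary is deliberately absent.
VIEW_COLUMNS = "emp_id, last_name, first_name, department"


def build_db() -> sqlite3.Connection:
    """Create the table, load rows, and define one restricted view per clerk."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?, ?)", ROWS)
    for clerk, (lo, hi) in CLERK_RANGES.items():
        # Bound parameters are not allowed in CREATE VIEW, so validate the
        # letters before interpolating them into the DDL.
        if not (len(lo) == len(hi) == 1 and lo.isalpha() and hi.isalpha()):
            raise ValueError(f"bad range for {clerk}: {lo!r}-{hi!r}")
        conn.execute(
            f"CREATE VIEW {clerk} AS "
            f"SELECT {VIEW_COLUMNS} FROM personnel "
            f"WHERE substr(upper(last_name), 1, 1) "
            f"BETWEEN '{lo.upper()}' AND '{hi.upper()}'"
        )
    conn.commit()
    return conn


def _view_for(clerk: str) -> str:
    """The constrained interface: a caller only ever reaches its own view."""
    if clerk not in CLERK_RANGES:
        raise PermissionError(f"{clerk} has no assigned view")
    return clerk


def list_records(conn: sqlite3.Connection, clerk: str) -> list:
    """Every record the clerk is allowed to see, ordered by last name."""
    view = _view_for(clerk)
    return conn.execute(
        f"SELECT {VIEW_COLUMNS} FROM {view} ORDER BY last_name"
    ).fetchall()


def lookup(conn: sqlite3.Connection, clerk: str, last_name: str) -> list:
    """Look up one last name through the clerk's view; out-of-range names
    return nothing even though the record exists in the base table."""
    view = _view_for(clerk)
    return conn.execute(
        f"SELECT {VIEW_COLUMNS} FROM {view} WHERE last_name = ?", (last_name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for clerk in CLERK_RANGES:
        print(clerk, [row[1] for row in list_records(db, clerk)])
    print("clerk_ac looking for Diaz:", lookup(db, "clerk_ac", "Diaz"))
```

The point to check in a real deployment is that the clerk's database login has privileges on the view only, never on the base table; in products with GRANT, the wrapper's allowlist becomes a GRANT SELECT on the view and the table stays unreachable even if the clerk connects with another client.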
Physically constrained user interfaces can also limit a
user's abilities. A common example is an automated teller machine
(ATM), which provides only a limited number of physical buttons to
select options; no alphabetic keyboard is usually present.