FFIEC information technology audits
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI
- Four Security Questions Healthcare Organizations Must Address When
Moving to the Cloud - The healthcare industry is becoming more
digitized with organizations seeing the value of shifting operations
to the cloud. From patients and providers to insurers and
pharmacists, cloud computing can help streamline everything from
information storage and patient services to insurance transactions.
https://www.scmagazine.com/home/news/opinions/four-security-questions-healthcare-organizations-must-address-when-moving-to-the-cloud/
Newegg Magecart data breach possibly avoidable - The cyber gang
Magecart added another notch to its keyboard managing to infiltrate
online electronics retailer Newegg with payment card skimming
malware, according to two reports, with industry experts weighing in
that such attacks can be avoided through higher levels of vigilance
by corporate cybersecurity teams.
https://www.scmagazine.com/home/news/newegg-magecart-data-breach-possibly-avoidable/
Adams County clerk resigns over role in data breach - One month
after being accused of malfeasance regarding a data breach that
impacted Adams County, Wis., earlier this year, County Clerk Cindy
Phillippi has resigned.
https://www.scmagazine.com/home/news/adams-county-clerk-resigns-over-role-in-data-breach/
Equifax slapped with UK’s maximum penalty over 2017 data breach -
Credit rating giant Equifax has been issued with the maximum
possible penalty by the UK’s data protection agency for last year’s
massive data breach.
https://techcrunch.com/2018/09/20/equifax-slapped-with-uks-maximum-penalty-over-2017-data-breach/
United Nations data found exposed on web: researcher - Many of the
national leaders gathering in New York this week for the United
Nations General Assembly certainly can sympathize with the UN
officials who are dealing with a data breach.
https://www.scmagazine.com/home/news/united-nations-data-found-exposed-on-web-researcher/
SHEIN breach exposes emails, encrypted passwords of 6.42M customers
- When hackers breached SHEIN, a U.S.-based online fashion retailer,
they were able to access the emails and encrypted passwords of 6.42
million customers, the company said.
https://www.scmagazine.com/home/news/shein-breach-exposes-emails-encrypted-passwords-of-6-42m-customers/
To Find the Right Security Tool, Know Thyself Or Navigating the
Security Maze - Today’s security threats are more complex, more
frequent and more dangerous than ever – and finding the right tools
to combat them can seem overwhelming.
https://www.scmagazine.com/home/news/to-find-the-right-security-tool-know-thyself-or-navigating-the-security-maze/
USB malware and cryptominers are threat to emerging markets -
Malware spread via USB drives poses a significant threat to emerging
markets as threat actors look to target networks not connected to
the internet, including those powering critical infrastructure.
https://www.scmagazine.com/home/news/usb-malware-and-cryptominers-are-threat-to-emerging-markets/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers used data mining tool, network sniffer to steal Click2Gov
information - The malicious actor behind a year-old campaign
targeting the web payment portal Click2Gov appears to have been
using a malicious webshell, data mining utility program and network
sniffer to steal information from users, according to a new report
from FireEye researchers.
https://www.scmagazine.com/home/news/report-hackers-used-data-mining-tool-network-sniffer-to-steal-click2gov-information/
GovPayNow Leak of 14M+ Records Dates Back to 2012 - Thousands of US
state and local governments use the service to process online
payments for everything from traffic tickets to court fines.
http://www.darkreading.com/threat-intelligence/govpaynow-leak-of-14m+-records-dates-back-to-2012/d/d-id/1332837
Scottish brewery ransomware attack leverages job opening - The Arran
Brewery in Scotland was hit with a ransomware attack that saw a
malicious actor using a job vacancy at the beer maker to slip in the
malware.
https://www.scmagazine.com/home/news/scottish-brewery-ransomware-attack-leverages-job-opening/
DDoS attack on education vendor hinders access to districts’ online
portals - Multiple school districts are reportedly suffering the
effects of a denial of service attack perpetrated against Blaine,
Minn.-based Infinite Campus, a third-party online services provider.
https://www.scmagazine.com/home/news/cybercrime/ddos-attack-on-education-vendor-hinders-access-to-districts-online-portals/
Dead retailer's 'customer data' turns up on seized kit, unencrypted
and very much for sale - Infosec bod claims he glimpsed sensitive
personal info left on unwiped servers.
https://www.theregister.co.uk/2018/09/21/ncix_servers_sold/
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing
risk assessments should reside primarily with members of management
in the best position to determine the scope of the assessment, and
the effectiveness of risk reduction techniques. For a mid-sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process
and procedures assists in ensuring consistency and completeness, as
well as accountability. Documentation of the analysis and results
provides a useful starting point for subsequent assessments,
potentially reducing the effort required in those assessments.
Documentation of risks accepted and risk mitigation decisions is
fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's
knowledge of the institution's mechanisms for storing, processing,
and communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new
information affecting information security risks is identified
(e.g., a new threat, vulnerability, adverse test result, hardware
change, software change or configuration change). At least once a
year, senior management should review the entire risk assessment to
ensure relevant information is appropriately considered.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.4 Administration
of Access Controls
One of the most complex and challenging aspects of access control,
administration involves implementing, monitoring, modifying,
testing, and terminating user accesses on the system. These can be
demanding tasks, even though they typically do not include making
the actual decisions as to the type of access each user may have.
Decisions regarding accesses should be guided by organizational
policy, employee job descriptions and tasks, information
sensitivity, user "need-to-know" determinations, and many other
factors.
There are three basic approaches to administering access controls:
centralized, decentralized, or a combination of these. Each has
relative advantages and disadvantages. Which is most appropriate in
a given situation will depend upon the particular organization and
its circumstances.
System and Security Administration
The administration of systems and security requires access to
advanced functions (such as setting up a user account). The
individuals who technically set up and modify who has access to what
are very powerful users on the system; they are often called system
or security administrators. On some systems, these users are
referred to as having privileged accounts.
The type of access of these accounts varies considerably. Some
administrator privileges, for example, may allow an individual to
administer only one application or subsystem, while a higher level
of privileges may allow for oversight and establishment of subsystem
administrators.
Normally, users who are security administrators have two accounts:
one for regular use and one for security use. This can help protect
the security account from compromise. Furthermore, additional I&A
precautions, such as ensuring that administrator passwords are
robust and changed regularly, are important to minimize
opportunities for unauthorized individuals to gain access to these
functions.
17.4.1 Centralized Administration
Using centralized administration, one office or individual is
responsible for configuring access controls. As users' information
processing needs change, their accesses can be modified only through
the central office, usually after requests have been approved by the
appropriate official. This allows very strict control over
information, because the ability to make changes resides with very
few individuals. Each user's account can be centrally monitored, and
closing all accesses for any user can be easily accomplished if that
individual leaves the organization. Since relatively few individuals
oversee the process, consistent and uniform procedures and criteria
are usually not difficult to enforce. However, when changes are
needed quickly, going through a central administration office can be
frustrating and time-consuming.
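The centralized model above (one office configures all access, changes only after approval by the appropriate official, central monitoring, and one-step closure of all access when someone leaves) can be made concrete in code. The following is an added example written for this newsletter; it is not from the NIST Handbook or any product. All class, method and user names (CentralAccessRegistry, AccessRequest, sec_admin, loan_db and so on) are this example's own assumptions, and the walk-through data in demo() is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    """One request to grant a single permission on a single resource."""
    user: str
    resource: str
    permission: str
    requested_by: str                 # the manager or user asking for it
    approved_by: Optional[str] = None  # filled in by the registry on approval


class CentralAccessRegistry:
    """Hypothetical single authoritative store of who may do what.

    Every change passes through this object, needs sign-off from a
    designated approver, and is written to an audit log. Target systems
    are never changed directly, which is what lets one call close every
    access a departing user holds.
    """

    def __init__(self, approvers: List[str]) -> None:
        self._approvers: Set[str] = set(approvers)
        self._grants: Dict[str, Set[Tuple[str, str]]] = {}
        self._pending: List[AccessRequest] = []
        self.audit_log: List[dict] = []

    def _log(self, event: str, **details) -> None:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def request(self, req: AccessRequest) -> None:
        """Queue a request; nothing is granted until approve() runs."""
        self._pending.append(req)
        self._log("requested", user=req.user, resource=req.resource,
                  permission=req.permission, by=req.requested_by)

    def approve(self, req: AccessRequest, approver: str) -> None:
        """Apply a pending request once an authorised official signs off."""
        if approver not in self._approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        if approver in (req.requested_by, req.user):
            # Separation of duties: nobody approves access for themselves.
            raise PermissionError("approver may not approve their own request")
        if req not in self._pending:
            raise ValueError("request is not pending")
        self._pending.remove(req)
        req.approved_by = approver
        self._grants.setdefault(req.user, set()).add((req.resource, req.permission))
        self._log("granted", user=req.user, resource=req.resource,
                  permission=req.permission, approved_by=approver)

    def revoke(self, user: str, resource: str, permission: str, by: str) -> None:
        """Remove one grant; logged like every other change."""
        self._grants.get(user, set()).discard((resource, permission))
        self._log("revoked", user=user, resource=resource,
                  permission=permission, by=by)

    def offboard(self, user: str, by: str) -> int:
        """Close all of a user's access in one step; returns grants removed."""
        removed = self._grants.pop(user, set())
        # Anything still waiting for approval is dropped as well.
        self._pending = [r for r in self._pending if r.user != user]
        self._log("offboarded", user=user, by=by, grants_removed=len(removed))
        return len(removed)

    def has_access(self, user: str, resource: str, permission: str) -> bool:
        return (resource, permission) in self._grants.get(user, set())

    def grants_for(self, user: str) -> Set[Tuple[str, str]]:
        """Central view of one user's access, for monitoring or review."""
        return set(self._grants.get(user, set()))


def demo() -> dict:
    """Constructed walk-through: approved grant, blocked self-approval, offboarding."""
    reg = CentralAccessRegistry(approvers=["sec_admin"])

    req = AccessRequest("alice", "loan_db", "read", requested_by="bob_mgr")
    reg.request(req)
    reg.approve(req, approver="sec_admin")
    before = reg.has_access("alice", "loan_db", "read")

    # An approver asking for their own access cannot sign it off.
    own = AccessRequest("sec_admin", "loan_db", "write", requested_by="sec_admin")
    reg.request(own)
    try:
        reg.approve(own, approver="sec_admin")
        self_approved = True
    except PermissionError:
        self_approved = False

    removed = reg.offboard("alice", by="sec_admin")
    after = reg.has_access("alice", "loan_db", "read")
    return {"before": before, "self_approved": self_approved, "removed": removed,
            "after": after, "events": [e["event"] for e in reg.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The point the handbook makes about the trade-off shows up in the code: because every grant lives in one registry, offboard() is a single call and grants_for() gives a complete picture for monitoring, but nothing can be granted without going through the request/approve path, which is exactly the delay the section warns about when changes are needed quickly.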