Virtual/remote IT audits - I am performing virtual/remote FFIEC IT
audits for banks and credit unions. I am a former bank examiner with
years of IT auditing experience. Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is confidential.
FYI - How this work-from-home era
transformed security awareness, tech development forever - As
companies adapt to the work-from-home era, the technologies and the
way they purchase products will also adapt.
https://www.scmagazine.com/feature/devops/how-this-work-from-home-era-transformed-security-awareness-tech-development-forever
Security, compliance challenge financial firms’ efforts to use
collaborative tools - Financial services institutions (FSIs) are
trying their best to implement collaborative tools in their
applications and on their websites to better communicate and work
with their retail and business customers online and on their mobile
devices.
https://www.scmagazine.com/analysis/application-security/security-compliance-challenge-financial-firms-efforts-to-use-collaborative-tools
US rolls out new rules governing export of hacking and cyberdefense
tools - According to the Washington Post, the new rules are meant to
target companies selling to Russia and China. The US Commerce
Department has released new rules designed to stop companies from
selling hacking tools to China, Russia and other countries that may
use them for nefarious purposes.
https://www.zdnet.com/article/us-rolls-out-new-rules-governing-export-of-hacking-cyberdefense-tools/
CISA Leader Backs 24-Hour Timeline for Incident Reporting - A top
leader of the U.S. Cybersecurity and Infrastructure Security Agency
has voiced support for a 24-hour timeline for cyber incident
reporting involving critical infrastructure, signaling a push by the
Biden administration to implement a rapid mechanism for federal
response.
https://www.govinfosecurity.com/cisa-leader-backs-24-hour-timeline-for-incident-reporting-a-17767
Can healthcare improve third-party vendor security, business
continuity? - As a whole, the healthcare sector relies on a
significant number of third-party vendors and other business
associates to maintain daily operations and provide relatively
seamless transactions.
https://www.scmagazine.com/feature/third-party-risk/can-healthcare-improve-third-party-vendor-security-business-continuity
Study: 40% of organizations globally in the past year hit by a cloud
data breach - Thales on Wednesday reported that 40% of organizations
globally have experienced a cloud-based data breach in the past 12
months.
https://www.scmagazine.com/news/cloud-security/study-40-of-organizations-globally-in-the-past-year-hit-by-a-cloud-data-breach
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Ransomware Sinks Teeth into
Candy-Corn Maker Ahead of Halloween - Chicago-based Ferrara
acknowledged an Oct. 9 attack that encrypted some systems and
disrupted production.
https://threatpost.com/ransomware-candy-corn-halloween/175630/
Cookie-swiping phishing scam steals YouTube channels from their
creators - Freelance phishers-for-hire are targeting YouTube content
providers, hoping to trick victims into downloading cookie-stealing
malware so they can hijack their channels for the purpose of
publishing scam content.
https://www.scmagazine.com/analysis/phishing/cookie-swiping-phishing-scam-steals-youtube-channels-from-their-creators
Judge Sentences Michigan Man to 7 Years in Prison for Hacking UPMC
HR Databases and Stealing Employees’ Personal Information.
https://www.justice.gov/usao-wdpa/pr/judge-sentences-michigan-man-7-years-prison-hacking-upmc-hr-databases-and-stealing
Ransomware attack drives Indiana provider offline; vendor breach
impacts 173K dental patients - Vendor incidents and cyberattacks
leading to network outages remain the leading threats against the
healthcare sector, as two more providers report falling victim to
these types of incidents.
https://www.scmagazine.com/analysis/breach/ransomware-attack-drives-indiana-provider-offline-vendor-breach-impacts-173k-dental-patients
BillQuick says patch coming after Huntress report identifies
vulnerabilities used in ransomware attack - BillQuick has said a
short-term patch will be released to address some of the
vulnerabilities identified this weekend by Huntress.
https://www.zdnet.com/article/billquick-says-patch-coming-after-huntress-report-identifies-vulnerabilities-used-for-ransomware/
Popular NPM library hijacked to install password-stealers, miners -
Hackers hijacked the popular UA-Parser-JS NPM library, with millions
of downloads a week, to infect Linux and Windows devices with
cryptominers and password-stealing trojans in a supply-chain attack.
https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/
Kansas Man Admits Hacking Public Water Facility - Roughly seven
months after being indicted for his actions, a Kansas man admitted
in court to tampering with the systems at the Post Rock Rural Water
District.
https://www.securityweek.com/kansas-man-admits-hacking-public-water-facility
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
While the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Board and Management Oversight - Principle 4: Banks should take
appropriate measures to authenticate the identity and authorization
of customers with whom it conducts business over the Internet.
(Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also take over the
session of a legitimate authorized individual through use of a
"sniffer" and carry out activities of a mischievous or criminal
nature. Authentication control processes can in addition be
circumvented through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 1 of 2)
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical nature. Many
of the weaknesses are common to all mechanisms. Examples of common
weaknesses include warehouse attacks, social engineering, client
attacks, replay attacks, and hijacking.
Warehouse attacks result in the compromise of the authentication
storage system, and the theft of the authentication data.
Frequently, the authentication data is encrypted; however,
dictionary attacks make decryption of even a few passwords in a
large group a trivial task. A dictionary attack uses a list of
likely authenticators, such as passwords, runs the likely
authenticators through the encryption algorithm, and compares the
result to the stolen, encrypted authenticators. Any matches are
easily traceable to the pre-encrypted authenticator.
Dictionary and brute force attacks are viable due to the speeds
with which comparisons are made. As microprocessors increase in
speed, and technology advances to ease the linking of processors
across networks, those attacks will be even more effective. Because
those attacks are effective, institutions should take great care in
securing their authentication databases. Institutions that use
one-way hashes should consider the insertion of secret bits (also
known as "salt") to increase the difficulty of decrypting the hash.
The salt has the effect of increasing the number of potential
authenticators that attackers must check for validity, thereby
making the attacks more time consuming and creating more opportunity
for the institution to identify and react to the attack.
Warehouse attacks typically compromise an entire authentication
mechanism. Should such an attack occur, the financial institution
might have to deny access to all or nearly all users until new
authentication devices can be issued (e.g. new passwords).
Institutions should consider the effects of such a denial of access,
and appropriately plan for large-scale re-issuances of
authentication devices.
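The following is an added illustration of the salting point above, not code from the newsletter or the FFIEC booklet. It contrasts a bare one-way hash with a per-user salted, iterated hash, and shows why a stolen unsalted store lets one dictionary match expose every user who chose the same password. User names and passwords are constructed; PBKDF2-HMAC-SHA256 is used only because it ships with the Python standard library (a purpose-built password hash such as argon2 or bcrypt is preferable in production).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Iteration count for PBKDF2: iterated hashing slows every guess an attacker
# must check against a stolen authentication database.
ROUNDS = 100_000


def hash_unsalted(password: str) -> str:
    """Bare one-way hash: identical passwords produce identical stored
    values, so one dictionary hit against the stolen store unlocks every
    account that shares that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt (the FFIEC 'secret bits') plus iterated hashing.
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


def duplicate_stored_values(store: Dict[str, str]) -> int:
    """Count users whose stored value is shared with another user.
    Non-zero on an unsalted store means one match exposes several accounts;
    a salted store returns 0 because every record carries its own salt."""
    counts: Dict[str, int] = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(n for n in counts.values() if n > 1)


# Constructed sample users; two of them chose the same password.
USERS = {"alice": "Winter2021!", "bob": "Winter2021!", "carol": "correct horse"}


def build_unsalted_store() -> Dict[str, str]:
    return {u: hash_unsalted(p) for u, p in USERS.items()}


def build_salted_store() -> Dict[str, str]:
    return {u: "%s:%s" % tuple(x.hex() for x in hash_salted(p)) for u, p in USERS.items()}
```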
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
This chapter first discusses basic criteria that can be used to
decide whether a particular user should be granted access to a
particular system resource. It then reviews the use of these
criteria by those who set policy (usually system-specific policy),
commonly used technical mechanisms for implementing logical access
control, and issues related to administration of access controls.
Controlling access is normally thought of as applying to human
users (e.g., will technical access be provided for user JSMITH to
the file "payroll.dat") but access can be provided to other computer
systems. Also, access controls are often incorrectly thought of as
only applying to files. However, they also protect other system
resources such as the ability to place an outgoing long-distance
phone call through a system modem (as well as, perhaps, the
information that can be sent over such a call). Access controls can
also apply to specific functions within an application and to
specific fields of a file.
17.1 Access Criteria
In deciding whether to permit someone to use a system resource
logical access controls examine whether the user is authorized for
the type of access requested. (Note that this inquiry is usually
distinct from the question of whether the user is authorized to use
the system at all, which is usually addressed in an identification
and authentication process.)
The system uses various criteria to determine if a request for
access will be granted. They are typically used in some combination.
Many of the advantages and complexities involved in implementing and
managing access control are related to the different kinds of user
accesses supported.
When determining what kind of technical access to allow to specific
data, programs, devices, and resources, it is important to consider
who will have access and what kind of access they will be allowed.
It may be desirable for everyone in the organization to have access
to some information on the system, such as the data displayed on an
organization's daily calendar of nonconfidential meetings. The
program that formats and displays the calendar, however, might be
modifiable by only a very few system administrators, while the
operating system controlling that program might be directly
accessible by still fewer.