FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Proper Disposal of Electronic Devices - Why is it important to dispose of electronic devices safely? - In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.
https://www.us-cert.gov/ncas/tips/ST18-005

FDIC Still Isn’t Protecting Its Sensitive Information, Audit Finds - The agency isn’t patching vulnerabilities quickly enough or fixing longstanding information security weaknesses.
https://www.nextgov.com/cybersecurity/2018/10/fdic-still-isnt-protecting-its-sensitive-information-audit-finds/152465/
https://www.fdicoig.gov/sites/default/files/publications/19-001.pdf

Pinpointing risky employee behaviors enables IT leaders to reduce risk - In the first half of 2018, more than 4.5 billion digital records were compromised in data breaches, according to research from Gemalto’s “2018: Data Privacy and New Regulations Take Center Stage” report.
https://www.scmagazine.com/home/security-news/pinpointing-risky-employee-behaviors-enables-it-leaders-to-reduce-risk/

Catching all Threats – Known, Unknown, and Unknown Unknown - Before They Can Harm You - At a news briefing in 2002, then U.S. Secretary of Defense Donald Rumsfeld famously broke down threats into three categories of “knowability”: “known knowns” are the threats we are fully aware of; “known unknowns” are the things we know we don’t know; and finally, the “unknown unknowns” – those threats that we don’t even know we don’t know.
https://www.scmagazine.com/home/opinions/catching-all-threats-known-unknown-and-unknown-unknown-before-they-can-harm-you/

Chicago, Galloway Township (N.J.) schools hit with cyberattacks - A pair of U.S. school districts were hit with two very different, but still damaging, cyberattacks in the last week.
https://www.scmagazine.com/home/security-news/chicago-galloway-township-n-j-schools-hit-with-cyberattacks/

Dark web markets sell off victims’ account data for as little as a buck - Having your online account hacked is bad enough, but learning that your precious account details were sold for as little as $1 on the dark web adds insult to injury.
https://www.scmagazine.com/home/security-news/dark-web-markets-sell-off-victims-account-data-for-as-little-as-a-buck/

Supreme Court rejects industry challenge of 2015 net neutrality rules - But lawsuits over Pai's net neutrality repeal and California law will continue. The US Supreme Court has declined to hear the broadband industry's challenge of Obama-era net neutrality rules.
https://arstechnica.com/tech-policy/2018/11/supreme-court-wont-rule-on-legality-of-obama-era-net-neutrality-rules/

5 steps for securing connected medical devices - Patients expect hospitals to be safe havens, but more and more we’re seeing that the weakest and most critical assets in hospital networks are the very instruments needed to save lives: medical devices. With the increase in connected medical devices, the risk for malicious attacks is growing.
https://www.scmagazine.com/home/security-news/5-steps-for-securing-connected-medical-devices/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Radisson Member Rewards program breached - The Radisson Hotel Group reported its Radisson Rewards program was hit with a data breach sometime before October 1 exposing members’ personally identifiable information.
https://www.scmagazine.com/home/security-news/radisson-member-rewards-program-breached/

Aussie shipbuilder Austal hit with data breach - Australian shipbuilder Austal Limited’s data management system was hit with a data breach that exposed staff contact information, but the company does not believe any sensitive defense data was involved.
https://www.scmagazine.com/home/security-news/aussie-shipbuilder-austal-hit-with-data-breach/

FIFA readies for data breach reveal - Football’s governing body FIFA is bracing for the release on Friday by a group of European media outlets of a report containing the details of a data breach the sports organization suffered in March 2018.
https://www.scmagazine.com/home/security-news/fifa-readies-for-data-breach-reveal/

Mail mix-up sends Michigan Medicine letters to the wrong people - For the second time this year healthcare provider Michigan Medicine is notifying patients that some of their personally identifiable information may have been exposed, this time due to a mailing error.
https://www.scmagazine.com/home/security-news/mail-mix-up-sends-michigan-medicine-letters-to-the-wrong-people/

Magecart infiltrates U.K. online retailer Kitronik payment system - U.K. electronics retailer Kitronik has told customers the Magecart gang managed to infiltrate the company’s payment system, gaining access to some of their information.
https://www.scmagazine.com/home/security-news/uk-online-retailer-kitronik/

30 spies dead after Iran cracked CIA comms network with, er, Google search - new claim - Uncle Sam's snoops got sloppy with online chat, it seems - Iran apparently infiltrated the communications network of CIA agents who allowed their secret websites, used to exchange messages with informants, to be crawled by Google.
https://www.theregister.co.uk/2018/11/02/iran_cracked_cia_google/

HSBC suffers data breach, customer banking info exposed - HSBC confirmed today it suffered a data breach last month affecting about one percent of its U.S. accounts and exposing an extensive amount of customer information.
https://www.scmagazine.com/home/security-news/hsbc-suffers-data-breach-customer-banking-info-exposed/

Leaky MongoDB server exposes personal info on 700K Amex India customers - An unsecured MongoDB server has exposed personal data on 689,272 American Express India customers.
https://www.scmagazine.com/home/security-news/leaky-mongodb-server-exposes-personal-info-on-700k-amex-india-customers/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
RISK ASSESSMENT/MANAGEMENT
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to allow the users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use change. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to promptly remove the access rights of users who have remote access privileges and of those who administer the institution's systems.
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning, and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
with risk.
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are installed with default
users, with at least one default user having full access rights.
Easily obtainable lists of popular software exist that identify the
default users and passwords, enabling anyone with access to the
system to obtain the default user's access. Default user accounts
should either be disabled, or the authentication to the account
should be changed. Additionally, access to these default accounts
should be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
anonymous access.
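The periodic review the booklet calls for can be partly automated. The following is an added example, not part of the FFIEC booklet: it walks a constructed account inventory and a constructed feed of HR job events, and reports accounts that should have had rights removed or reduced (terminations, resignations, transfers), default vendor accounts that are still enabled, and dormant accounts. The record layout, field names (`enabled`, `remote`, `admin`, `default`, `creds_changed`), the 90-day dormancy threshold and the sample users are all assumptions made for this illustration.

```python
"""Periodic access-rights review in the spirit of the FFIEC guidance above.

Added example (not from the booklet). All record layouts, field names,
thresholds and sample users are assumptions for this illustration.
"""
from datetime import date

# Constructed sample data resembling an account inventory export.
ACCOUNTS = [
    {"user": "jsmith",  "enabled": True,  "last_login": date(2018, 10, 30),
     "remote": True,  "admin": False, "default": False, "creds_changed": True},
    {"user": "mlee",    "enabled": True,  "last_login": date(2018, 6, 2),
     "remote": False, "admin": True,  "default": False, "creds_changed": True},
    {"user": "rgarcia", "enabled": True,  "last_login": date(2018, 10, 29),
     "remote": False, "admin": False, "default": False, "creds_changed": True},
    {"user": "admin",   "enabled": True,  "last_login": None,
     "remote": False, "admin": True,  "default": True,  "creds_changed": False},
    {"user": "guest",   "enabled": True,  "last_login": date(2018, 9, 1),
     "remote": False, "admin": False, "default": True,  "creds_changed": True},
    {"user": "sa",      "enabled": False, "last_login": None,
     "remote": False, "admin": True,  "default": True,  "creds_changed": False},
]

# Constructed HR events that should have triggered a rights update.
HR_EVENTS = [
    {"user": "mlee",    "event": "termination", "date": date(2018, 10, 15)},
    {"user": "rgarcia", "event": "transfer",    "date": date(2018, 10, 20)},
]

REVIEW_DATE = date(2018, 11, 5)  # assumed date the review is run
DORMANT_DAYS = 90                # assumed threshold; set commensurate with risk


def review_access(accounts, hr_events, today):
    """Return (severity, user, finding) tuples, highest severity first."""
    findings = []
    events_by_user = {e["user"]: e for e in hr_events}

    for acct in accounts:
        user = acct["user"]
        # Remote-access and administrative users are the ones the guidance
        # singles out for prompt removal, so their findings rank highest.
        privileged = acct["admin"] or acct["remote"]
        ev = events_by_user.get(user)

        if acct["enabled"] and ev and ev["event"] in ("termination", "resignation"):
            sev = "high" if privileged else "medium"
            findings.append((sev, user, f"enabled after {ev['event']} on {ev['date']}"))
        elif acct["enabled"] and ev and ev["event"] == "transfer":
            # A transfer may expand or reduce rights, so it needs a manual
            # recertification rather than automatic removal.
            findings.append(("medium", user,
                             f"rights not recertified after transfer on {ev['date']}"))

        if acct["default"] and acct["enabled"]:
            if not acct["creds_changed"]:
                findings.append(("high", user, "default account enabled with vendor credentials"))
            else:
                findings.append(("low", user, "default account enabled; monitor more closely"))

        # Dormancy check: an account nobody uses is a candidate for removal.
        if acct["enabled"] and acct["last_login"] is not None:
            idle = (today - acct["last_login"]).days
            if idle > DORMANT_DAYS:
                findings.append(("medium", user, f"dormant for {idle} days"))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, user, msg in review_access(ACCOUNTS, HR_EVENTS, REVIEW_DATE):
        print(f"[{sev:6}] {user:10} {msg}")
```

Run against the constructed data, the report leads with the two high-severity items (an enabled vendor default account and an administrator whose termination was not followed by removal), then the dormant and un-recertified accounts; the disabled `sa` account produces nothing, since disabling is exactly what the booklet recommends for default accounts.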
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
18.1.2 Reconstruction of Events
Audit trails can also be used to reconstruct events after a problem has occurred. Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased. Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) and system-created errors (e.g., arising from a poorly tested piece of replacement code). If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application. Knowledge of the conditions that existed at the time of, for example, a system crash can be useful in avoiding future outages. Additionally, if a technical problem occurs (e.g., the corruption of a data file), audit trails can aid in the recovery process (e.g., by using the record of changes made to reconstruct the file).
18.1.3 Intrusion Detection
Intrusion detection refers to the process of identifying
attempts to penetrate a system and gain unauthorized access.
If audit trails have been designed and implemented to record
appropriate information, they can assist in intrusion detection.
Although normally thought of as a real-time effort, intrusions can
be detected in real time, by examining audit records as they are
created (or through the use of other kinds of warning
flags/notices), or after the fact (e.g., by examining audit records
in a batch process).
Real-time intrusion detection is primarily aimed at outsiders
attempting to gain unauthorized access to the system. It may also be
used to detect changes in the system's performance indicative of,
for example, a virus or worm attack. There may be difficulties in
implementing real-time auditing, including unacceptable system
performance.
After-the-fact identification may indicate that unauthorized access was attempted (or was successful). Attention can then be given to damage assessment or reviewing controls that were attacked.
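Both uses of an audit trail that the handbook describes, reconstruction of events (18.1.2) and after-the-fact intrusion detection by batch examination of records (18.1.3), are shown in the following added example, which is not from the NIST Handbook. It parses a constructed batch of audit records, rebuilds the timeline of everything that touched one data file, and flags a successful login that was preceded by a run of failed logins from the same subject and source. The record format, field names, the three-failure threshold, the five-minute window and the sample hosts and users are assumptions made for this illustration.

```python
"""After-the-fact audit trail analysis (NIST Handbook 18.1.2 and 18.1.3).

Added example (not from the handbook). Record format, field names,
thresholds and the sample records below are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, one per line:
# timestamp  subject  source-host  action  object  outcome
AUDIT_LOG = """\
2018-11-02T08:59:40 jsmith 10.1.4.22   LOGIN -                SUCCESS
2018-11-02T09:01:12 jsmith 10.1.4.22   WRITE /data/ledger.dat SUCCESS
2018-11-02T09:02:05 batch  10.1.9.5    WRITE /data/ledger.dat SUCCESS
2018-11-02T22:14:01 admin  203.0.113.7 LOGIN -                FAILURE
2018-11-02T22:14:09 admin  203.0.113.7 LOGIN -                FAILURE
2018-11-02T22:14:20 admin  203.0.113.7 LOGIN -                FAILURE
2018-11-02T22:14:31 admin  203.0.113.7 LOGIN -                FAILURE
2018-11-02T22:14:44 admin  203.0.113.7 LOGIN -                SUCCESS
2018-11-02T22:16:02 admin  203.0.113.7 WRITE /data/ledger.dat SUCCESS
2018-11-03T01:30:00 backup 10.1.9.5    READ  /data/ledger.dat FAILURE
"""

FAILURE_THRESHOLD = 3          # assumed: failures before a success worth flagging
WINDOW = timedelta(minutes=5)  # assumed: look-back window for those failures


def parse_records(text):
    """Turn raw audit lines into dicts sorted by time; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, src, action, obj, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "subject": subject,
                        "src": src, "action": action, "object": obj,
                        "outcome": outcome})
    return sorted(records, key=lambda r: r["ts"])


def reconstruct(records, obj):
    """18.1.2: the ordered series of recorded actions on one object."""
    return [(r["ts"].isoformat(), r["subject"], r["action"], r["outcome"])
            for r in records if r["object"] == obj]


def detect_failure_then_success(records):
    """18.1.3 (batch mode): a successful LOGIN preceded by at least
    FAILURE_THRESHOLD failed LOGINs for the same subject and source within
    WINDOW. Returns (subject, source, failure_count, success_timestamp)."""
    failures = defaultdict(list)
    alerts = []
    for r in records:
        if r["action"] != "LOGIN":
            continue
        key = (r["subject"], r["src"])
        # Forget failures that fall outside the window before this record.
        failures[key] = [t for t in failures[key] if r["ts"] - t <= WINDOW]
        if r["outcome"] == "FAILURE":
            failures[key].append(r["ts"])
        elif len(failures[key]) >= FAILURE_THRESHOLD:
            alerts.append((key[0], key[1], len(failures[key]), r["ts"].isoformat()))
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    recs = parse_records(AUDIT_LOG)
    print("Events on /data/ledger.dat:")
    for entry in reconstruct(recs, "/data/ledger.dat"):
        print("  ", *entry)
    print("Alerts:")
    for subject, src, count, when in detect_failure_then_success(recs):
        print(f"   {subject} from {src}: {count} failures then success at {when}")
```

The timeline answers the "how, when, and who" question for the ledger file, including the administrator write that followed the flagged login, which is the kind of correlation a damage assessment starts from. The detection function works purely on stored records, so the same logic can run nightly as a batch job where, as the handbook notes, real-time auditing would cost too much system performance.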