Virtual/remote IT audits
- I am performing
virtual/remote FFIEC IT
audits for banks and credit unions.
I am a former
bank examiner with years of IT auditing experience.
Please contact R. Kinney Williams at
examiner@yennik.com from your bank's email and I will send you
information and fees. All correspondence is
confidential.
FYI - Is the US financial industry
ready for a secure central bank digital currency? - In recent
months, cryptocurrencies have quickly moved from an edgy,
alt-payment with a dubious following, to verging on becoming a
national bank-backed, credible vehicle for legitimate transactions,
a so-called “central bank digital currency” (CBDC) in China, Sweden
and various Central and South American and African countries.
https://www.scmagazine.com/analysis/cryptocurrency/is-the-us-financial-industry-ready-for-a-secure-central-bank-digital-currency
Bill proposes large financial institutions to report ransomware
attacks, cap payments - A new House bill would place enhanced
restrictions on some financial institutions when it comes to paying
ransomware groups.
https://www.scmagazine.com/analysis/legislation/bill-proposes-large-financial-institutions-to-report-ransomware-attacks-cap-payments
There's no Huawei back now: Biden signs law that forbids US buyers
acquiring kit on naughty list - US President Joe Biden signed The
Secure Equipment Act on Thursday. The legislation prevents US
regulators from even considering the issuance of new telecom
equipment licenses for companies deemed security threats – which
means the likes of China's Huawei and ZTE.
https://www.theregister.com/2021/11/12/biden_signs_the_secure_equipment/
Asset inventory has become a serious security problem - Modern
enterprises have a major problem: They use broken processes for
tracking and securing their IT assets.
https://www.scmagazine.com/perspective/asset-management/asset-inventory-has-become-a-serious-security-problem
Tech, cyber innovations increasingly outpacing financial regulations
- U.S. financial industry regulators have long struggled to catch up
with the rapid pace of technology, especially cybersecurity
technology.
https://www.scmagazine.com/analysis/cryptocurrency/tech-cyber-innovations-increasingly-outpacing-financial-regulations
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers undetected on Queensland
water supplier server for 9 months - Hackers stayed hidden for nine
months on a server holding customer information for a Queensland
water supplier, illustrating the need for better cyberdefenses for
critical infrastructure.
https://www.bleepingcomputer.com/news/security/hackers-undetected-on-queensland-water-supplier-server-for-9-months/
Former Broadcom engineer accused of pinching chip tech to share with
new Chinese employer - A federal grand jury has charged a former
Broadcom engineer with stealing trade secrets and using them while
working at a new employer – a Chinese chip start-up.
https://www.theregister.com/2021/11/10/broadcom_engineer_trade_secrets_theft_allegation/
Two healthcare vendors to pay $190K settlement over breach, HIPAA
failure - For the second time in a month, the New Jersey attorney
general announced a settlement over the compromise of protected
health information and potential violations of the New Jersey
Consumer Fraud Act and the Health Insurance Portability and
Accountability Act.
https://www.scmagazine.com/analysis/breach/two-healthcare-vendors-to-pay-190k-settlement-over-breach-hipaa-failure
Ohio hospital diverting ambulances, canceling appointments amid
cyberattack - Southern Ohio Medical Center was hit with a
cyberattack early Thursday, Nov. 11, which forced the nonprofit
provider into electronic health record (EHR) downtime procedures.
https://www.scmagazine.com/analysis/breach/ohio-hospital-diverting-ambulances-canceling-appointments-amid-cyberattack
Hoax Email Blast Abused Poor Coding in FBI Website - The Federal
Bureau of Investigation (FBI) confirmed today that its fbi.gov
domain name and Internet address were used to blast out thousands of
fake emails about a cybercrime investigation.
https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/
Costco says card skimmers were found at Chicago-area warehouses,
less than 500 people affected - The skimmers could read card
information from the magnetic stripe of a payment card. In August,
Costco found five skimmers on payment card devices in four of their
warehouses.
https://www.zdnet.com/article/costco-says-card-skimmers-were-found-at-chicago-area-warehouses-less-than-500-people-affected/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight
- Principle 6: Banks
should ensure that appropriate measures are in place to promote
adequate segregation of duties within e-banking systems, databases
and applications.
Segregation of duties is a basic internal control
measure designed to reduce the risk of fraud in operational
processes and systems and ensure that transactions and company
assets are properly authorized, recorded and safeguarded.
Segregation of duties is critical to ensuring the accuracy and
integrity of data and is used to prevent the perpetration of fraud
by an individual. If duties are adequately separated, fraud can only
be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties is established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those
initiating static data (including web page content) and those
responsible for verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those
developing and those administrating e-banking systems.
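The first practice above, as an added example that is not from the Basel paper or this newsletter: a maker/checker workflow in which the three roles on one transaction must be held by three different principals, with an audit trail an examiner can check. Transaction ids and user names are constructed for the demo.

```python
# Added example, not from the Basel paper or this newsletter: a minimal
# maker/checker workflow enforcing practice 1 above, so that no single
# principal can enter, authorize and complete one e-banking transaction.
# Transaction ids and user names are constructed for the demo.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

class SegregationViolation(Exception):
    """One principal tried to hold a second role on the same transaction."""
@dataclass
class Transaction:
    tx_id: str
    entered_by: str
    authorized_by: Optional[str] = None
    completed_by: Optional[str] = None
    audit_trail: List[str] = field(default_factory=list)

    def _step(self, actor: str, action: str) -> None:
        # The audit trail is the evidence that the roles were held by different people.
        if actor in (self.entered_by, self.authorized_by, self.completed_by):
            raise SegregationViolation(f"{actor} already acted on {self.tx_id}")
        self.audit_trail.append(f"{self.tx_id}: {action} by {actor}")

    def authorize(self, actor: str) -> None:
        if self.authorized_by is not None:
            raise ValueError(f"{self.tx_id} already authorized")
        self._step(actor, "authorized")
        self.authorized_by = actor

    def complete(self, actor: str) -> None:
        if self.authorized_by is None or self.completed_by is not None:
            raise ValueError(f"{self.tx_id} not ready for completion")
        self._step(actor, "completed")
        self.completed_by = actor

def enter_transaction(tx_id: str, actor: str) -> Transaction:
    tx = Transaction(tx_id, entered_by=actor)
    tx.audit_trail.append(f"{tx_id}: entered by {actor}")
    return tx

def run_demo() -> Tuple[Transaction, bool]:
    """The entering clerk is refused as authorizer; three distinct people succeed."""
    tx = enter_transaction("TX-0001", "clerk_a")
    try:
        tx.authorize("clerk_a")
        refused = False
    except SegregationViolation:
        refused = True
    tx.authorize("supervisor_b")
    tx.complete("ops_c")
    return tx, refused
```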
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Network Configuration
Computer networks often extend connectivity far beyond the
financial institution and its data center. Networks provide system
access and connectivity between business units, affiliates, TSPs,
business partners, customers, and the public. This increased
connectivity requires additional controls to segregate and restrict
access between various groups and information users.
A typical approach to securing a large network involves dividing
the network into logical security domains. A logical security domain
is a distinct part of a network with security policies that differ
from other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains
include access control software permissions, dedicated lines,
filtering routers, firewalls, remote-access servers, and virtual
private networks. This booklet will discuss additional access
controls within the applications and operating systems residing on
the network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
- Identifying the various applications and user-groups accessed
via the network;
- Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between various
network segments;
- Defining minimum access requirements for network services
(i.e., most often referenced as a network services access policy);
and
- Determining the most appropriate network configuration to
ensure adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
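The mapping and policy steps above, as an added example that is not from the FFIEC booklet: a checker that compares mapped flows between logical security domains against a default-deny network services access policy, and flags both a wire transfer system that must stay fully segregated and Internet traffic that does not terminate in the DMZ. The domain names, services and flows are constructed.

```python
# Added example, not from the FFIEC booklet: checking mapped flows between
# logical security domains against a default-deny network services access
# policy, including the booklet's two architectures (public services only
# in a DMZ; wire transfer fully segregated). All values are constructed.
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]  # (source domain, destination domain, service)

# Minimum access requirements between domains; anything not listed is denied.
POLICY: Set[Flow] = {
    ("internet", "dmz", "https"),
    ("dmz", "corporate", "app-api"),
    ("corporate", "dmz", "https"),
    ("corporate", "internet", "https"),
    ("branch", "corporate", "core-banking"),
}
# Domains with no connectivity to the corporate network at all.
ISOLATED: Set[str] = {"wire-transfer"}
# The only domain that may terminate traffic arriving from the Internet.
PUBLIC_ENTRY = "dmz"

def classify(flow: Flow) -> str:
    """Label one mapped flow: allowed, or the reason it violates policy."""
    src, dst, _svc = flow
    if src == dst:
        return "allowed"  # intra-domain traffic does not cross a domain boundary
    if src in ISOLATED or dst in ISOLATED:
        return "isolation_breach"
    if src == "internet" and dst != PUBLIC_ENTRY:
        return "bypasses_dmz"
    if flow in POLICY:
        return "allowed"
    return "not_permitted"

def evaluate_flows(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group the mapped flows by verdict so a reviewer can work through them."""
    verdicts: Dict[str, List[Flow]] = {}
    for flow in flows:
        verdicts.setdefault(classify(flow), []).append(flow)
    return verdicts

# Constructed result of mapping connectivity across the institution's network.
MAPPED_FLOWS: List[Flow] = [
    ("internet", "dmz", "https"),
    ("internet", "corporate", "rdp"),       # external path straight into corporate
    ("corporate", "wire-transfer", "ssh"),  # link that segregation says must not exist
    ("dmz", "corporate", "smb"),            # DMZ host reaching an unplanned internal service
    ("branch", "corporate", "core-banking"),
]
```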
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.1.7 Common Access Modes
In addition to considering criteria for when access should occur,
it is also necessary to consider the types of access, or access
modes. The concept of access modes is fundamental to access control.
Common access modes, which can be used in both operating or
application systems, include the following:
1) Read access provides users with the capability to
view information in a system resource (such as a file, certain
records, certain fields, or some combination thereof), but not to
alter it, such as delete from, add to, or modify in any way. One
must assume that information can be copied and printed if it can be
read (although perhaps only manually, such as by using a print
screen function and retyping the information into another file).
2) Write access allows users to add to, modify, or
delete information in system resources (e.g., files, records,
programs). Normally users have read access to anything they have
write access to.
3) Execute privilege allows users to run programs.
4) Delete access allows users to erase system
resources (e.g., files, records, fields, programs). Note that if
users have write access but not delete access, they could overwrite
the field or file with gibberish or otherwise inaccurate information
and, in effect, delete the information.
Other specialized access modes (more often found in applications)
include:
1) Create access allows users to create new files,
records, or fields.
2) Search access allows users to list the files in a
directory.
Of course, these criteria can be used in conjunction with one
another. For example, an organization may give authorized
individuals write access to an application at any time from within
the office but only read access during normal working hours if they
dial-in.
Depending upon the technical mechanisms available to implement
logical access control, a wide variety of access permissions and
restrictions are possible. No discussion can present all
possibilities.
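The access modes above, as an added example that is not from the NIST Handbook: the modes as a bit set, with the handbook's combined rule (write at any time from the office, read only during normal working hours over dial-in) applied on top, and a check that treats write without delete as still destructive. The working hours and access-path names are constructed.

```python
# Added example, not from the NIST Handbook: the access modes above as a
# bit set, with the handbook's combined rule (write at any time from the
# office, read only during working hours over dial-in) applied on top.
# Working hours and access-path names are constructed for the demo.
from enum import Flag, auto

class Mode(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CREATE = auto()   # application-level mode
    SEARCH = auto()   # application-level mode: list files in a directory

WORKING_HOURS = range(8, 18)  # 08:00 up to, not including, 18:00

def effective_modes(granted: Mode) -> Mode:
    """Normalise a grant: write normally implies read (handbook, mode 2)."""
    if Mode.WRITE in granted:
        granted |= Mode.READ
    return granted

def permitted_modes(granted: Mode, path: str, hour: int) -> Mode:
    """Modes usable right now, given how and when the user connects."""
    base = effective_modes(granted)
    if path == "office":
        return base
    if path == "dial-in" and hour in WORKING_HOURS:
        return base & Mode.READ   # read only, and only if read was granted
    return Mode(0)                # outside hours or an unknown path: nothing

def check(granted: Mode, path: str, hour: int, requested: Mode) -> bool:
    """True when every requested mode bit is inside what is permitted."""
    return requested in permitted_modes(granted, path, hour)

def can_destroy_data(granted: Mode) -> bool:
    """Write without delete still lets a user overwrite content with junk and,
    in effect, delete it (handbook, mode 4); treat WRITE as a destructive
    capability when reviewing grants, not only DELETE."""
    return bool(granted & (Mode.WRITE | Mode.DELETE))
```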