FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Ethical hacking growing in popularity as data breaches increase,
report - As the idea of ethical hacking begins to resonate more with
the general public, it has inspired more people ranging from
aspiring hackers to seasoned security professionals to join the
hacking community and seek out crowdsourced security testing
programs to hunt bug bounties.
https://www.scmagazine.com/home/security-news/the-year-end-report-from-bugcrowd-found-the-top-three-reasons-for-bug-hunting-were-for-the-challenge-professional-development-and-education/
Massive email bomb threat extortion scam spamming U.S. inboxes - A
nationwide wave of bomb threat emails demanding a bitcoin payment to
halt the explosion are being received by schools, government
agencies and private organizations.
https://www.scmagazine.com/home/security-news/email-bomb-threat-scam-hits-u-s/
Equifax how-it-was-mega-hacked damning dossier lands, in all of its
infuriating glory - 'Entirely preventable' theft down to
traffic-monitoring certificate left expired for 19 months - Updated
A US Congressional report outlining the breakdowns that led to the
2017 theft of 148 million personal records from Equifax has revealed
a stunning catalog of failure.
https://www.theregister.co.uk/2018/12/11/equifax_megaleak_report/
US elections watchdog says it's OK to spend surplus campaign cash on
cybersecurity gear - Congresscritters now have one less excuse for
getting pwned - The US Federal Election Commission has officially
voted to allow members of Congress to use their campaign funds on
cybersecurity protection.
https://www.theregister.co.uk/2018/12/13/us_elections_campaign_cybersecurity/
U.S. Ballistic Missile Defense System Rife with Security Holes -
Widespread, unpatched vulnerabilities are just one set of problems
uncovered by a Department of Defense audit.
https://threatpost.com/ballistic-missile-security-holes/140019/
GAO - Agencies Need to Improve Implementation of Federal Approach to
Securing Systems and Protecting against Intrusions.
https://www.gao.gov/products/GAO-19-105
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Exposed S3 bucket compromises 120 million Brazilian citizens -
More than 120 million unique identification numbers issued by the
Brazilian Federal Reserve to Brazilian citizens and tied to
tax-paying resident aliens, spent months earlier this year publicly
exposed on the internet.
https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/
Cyberattack sidelines Middle East servers of Italian energy
contractor Saipem - Italian oil and gas industry contractor Saipem
S.p.A. has reportedly confirmed that a Monday cyberattack impacted
its servers and infrastructure in the Middle East as well as in
Scotland.
https://www.scmagazine.com/home/security-news/cyberattack-sidelines-middle-east-servers-of-italian-energy-contractor-saipem/
Save the Children loses $1 million to BEC scam - Save the Children
was hit last year with a business email compromise scam that cost
the charity $1 million.
https://www.scmagazine.com/home/security-news/save-the-children-loses-1-million-to-bec-scam/
Report: Boomoji app developer leaves customer data exposed on open
database - The developers of make-your-own-avatar app Boomoji
reportedly neglected to password-protect two of their
internet-connected databases, thus publicly exposing the personal
data of roughly 5.3 million users.
https://www.scmagazine.com/home/security-news/report-boomoji-app-developer-leaves-customer-data-exposed-on-open-database/
Ransomware strikes University of Maryland Medical System - The
University of Maryland Medical System was hit with a ransomware
attack earlier this week that knocked a small number of its medical
devices offline.
https://www.scmagazine.com/home/security-news/ransomware-strikes-university-of-maryland-medical-system/
Schenectady County gov’t website knocked offline by cyberattack -
Schenectady County, N.Y. had to shut down its government website as
it tries to dig out from a cyberattack.
https://www.scmagazine.com/home/security-news/schenectady-county-govt-website-knocked-offline-by-cyberattack/
Hacker forces thousands of printers to churn out PewDiePie support
message - For the second time in less than three weeks, a hacker has
forced thousands of internet-connected printers to spit out messages
in support of Swedish video game commentator and YouTube star
PewDiePie.
https://www.scmagazine.com/home/security-news/hacker-forces-thousands-of-printers-to-churn-out-pewdiepie-support-message/
Vermont, Dallas medical facilities suffer email account breaches -
In separate incidents, two U.S. health care facilities have publicly
disclosed data breaches that resulted from the unauthorized access
of an employee’s email.
https://www.scmagazine.com/home/security-news/vermont-dallas-medical-facilities-suffer-email-account-breaches/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Host- Versus Network-Based Vulnerability Assessment Tools
As in intrusion detection systems, which are discussed later in
this appendix, there are generally two types of vulnerability
assessment tools: host-based and network-based. Another category is
sometimes used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is generally a
single computer or workstation that can be connected to a computer
network. Host-based tools assess the vulnerabilities of specific
hosts. They usually reside on servers, but can be placed on
specific desktop computers, routers, or even firewalls.
Network-based vulnerability assessment tools generally reside on
the network, specifically analyzing the network to determine if it
is vulnerable to known attacks. Both host- and network-based
products offer valuable features, and the risk assessment process
should help an institution determine which is best for its needs.
Information systems personnel should understand the types of tools
available, how they operate, where they are located, and the output
generated from the tools.
Host-based vulnerability assessment tools are effective at
identifying security risks that result from internal misuse or
hackers using a compromised system. They can detect holes that
would allow access to a system such as unauthorized modems, easily
guessed passwords, and unchanged vendor default passwords. The
tools can detect system vulnerabilities such as poor virus
protection capabilities; identify hosts that are configured
improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in
access. The tools may also provide a periodic check to confirm that
various security policies are being followed. For instance, they
can check user permissions to access files and directories, and
identify files and directories without ownership.
Network-based vulnerability assessment tools are more effective
than host-based at detecting network attacks such as denial of
service and Internet Protocol (IP) spoofing. Network tools can
detect unauthorized systems on a network or insecure connections to
business partners. Running a host-based scan does not consume
network overhead, but can consume processing time and available
storage on the host. Conversely, frequently running a network-based
scan as part of daily operations increases network traffic during
the scan. This may cause inadvertent network problems such as
router crashes.
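To make the host-based checks above concrete, here is an added example (not from the FDIC paper) of two such checks written in Python for a Unix host: a password/account expiration review of shadow-file records, and a search for files and directories without an owning account. The shadow lines are a constructed sample, and the `known_uids`/`known_gids` parameters exist so the ownership check can be exercised without a real orphaned file.

```python
import os
import pwd
import grp

# Constructed sample /etc/shadow content (not from any real system), fields:
# name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """root:$6$saltsalt$hashhash:18900:0:99999:7:::
svc_backup::18900:0:99999:7:::
jdoe:$6$saltsalt$hashhash:18900:0::7:::
appadmin:$6$saltsalt$hashhash:18900:0:90:7:::
"""


def shadow_findings(shadow_text, max_days=90):
    """Flag accounts with an empty password field, or a password that never
    expires or expires later than max_days: the 'password/account expiration
    settings' check the text describes."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, max_age = fields[0], fields[1], fields[4]
        if pw_hash == "":
            findings.append((name, "empty password field"))
        if max_age == "" or int(max_age) > max_days:
            findings.append((name, "password max age missing or over %d days" % max_days))
    return findings


def find_unowned(root, known_uids=None, known_gids=None):
    """List paths under root whose uid or gid has no account on this host
    (typically left behind by deleted accounts). The known_* sets default to
    the host's real account database; pass explicit sets to test offline."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    unowned = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat so symlinks are not followed
            except OSError:
                continue
            if st.st_uid not in known_uids or st.st_gid not in known_gids:
                unowned.append(path)
    return sorted(unowned)
```

Running `find_unowned("/")` with the defaults performs the real check on the host; it touches no network, which is the trade-off the text notes between host-based and network-based scans.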
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
biometrics.
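The following is an added example, not part of the FFIEC booklet, showing the server side of the controls the text describes: the token's one-time password (here the RFC 4226 HOTP algorithm, assumed as the token's password-generating algorithm) is paired with a PIN known only to the user, used codes cannot be replayed, and a token reported stolen is cancelled immediately. The `TokenVerifier` class, its method names and the look-ahead window size are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the password-generating algorithm inside an event-based
    token. Its strength rests on the secret, not on the algorithm being hidden."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenVerifier:
    """Two-factor token login: token code paired with a user-known PIN, plus
    cancellation of tokens reported lost or stolen."""

    def __init__(self, look_ahead=5):
        self.tokens = {}       # user -> {"secret": bytes, "counter": int}
        self.pins = {}         # user -> (salt, PIN hash)
        self.revoked = set()   # users whose token was reported lost or stolen
        self.look_ahead = look_ahead

    def enroll(self, user, secret, pin):
        salt = os.urandom(16)
        self.tokens[user] = {"secret": secret, "counter": 0}
        self.pins[user] = (salt, _pin_hash(pin, salt))

    def report_stolen(self, user):
        self.revoked.add(user)   # prompt reporting and cancellation of the token

    def verify(self, user, pin, code):
        if user in self.revoked or user not in self.tokens:
            return False
        salt, stored = self.pins[user]
        pin_ok = hmac.compare_digest(stored, _pin_hash(pin, salt))
        tok = self.tokens[user]
        matched = None
        # Accept a code from a small look-ahead window (the user may have generated
        # codes without logging in); every candidate is compared in constant time.
        for c in range(tok["counter"], tok["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                matched = c
        if not pin_ok or matched is None:
            return False
        tok["counter"] = matched + 1   # a used code can never be replayed
        return True
```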
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.3 Implementation Issues
Audit trail data requires protection, since the data should be
available for use when needed and is not useful if it is not
accurate. Also, the best planned and implemented audit trail is of
limited value without timely review of the logged data. Audit trails
may be reviewed periodically, as needed (often triggered by
occurrence of a security event), automatically in realtime, or in
some combination of these. System managers and administrators, with
guidance from computer security personnel, should determine how long
audit trail data will be maintained -- either on the system or in
archive files.
Following are examples of implementation issues that may have to be
addressed when using audit trails.
18.3.1 Protecting Audit Trail Data
Access to on-line audit logs should be strictly controlled.
Computer security managers and system administrators or managers
should have access for review purposes; however, security and/or
administration personnel who maintain logical access functions may
have no need for access to audit logs.
It is particularly important to ensure the integrity of
audit trail data against modification. One way to do this is to use
digital signatures. Another way is to use write-once devices. The
audit trail files need to be protected since, for example,
intruders may try to "cover their tracks" by modifying audit trail
records. Audit trail records should be protected by strong access
controls to help prevent unauthorized access. The integrity of audit
trail information may be particularly important when legal issues
arise, such as when audit trails are used as legal evidence. (This
may, for example, require daily printing and signing of the logs.)
Questions of such legal issues should be directed to the cognizant
legal counsel.
The confidentiality of audit trail information may also be
protected, for example, if the audit trail is recording information
about users that may be disclosure-sensitive such as transaction
data containing personal information (e.g., "before" and "after"
records of modification to income tax data). Strong access controls
and encryption can be particularly effective in preserving
confidentiality.
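As an added example of the integrity protection discussed in 18.3.1 (not from the NIST Handbook), the Python below keeps an audit trail whose records are HMAC-chained under a key held by the security function rather than by the administrators who write the log, so that a modified or deleted record breaks the chain. Truncating the log from the end is the case a chain alone cannot catch, so the latest MAC is exported as a "head" value to be stored off the host, the electronic counterpart of the daily printed and signed logs the text mentions. The class and function names and the JSON line format are assumptions of this example.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # chain anchor before the first record


def _record_mac(key, prev_mac, record):
    """MAC over the previous MAC plus this record, chaining entries together."""
    return hmac.new(key, prev_mac + record.encode(), hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only log whose entries are HMAC-chained with a key held by the
    security function, not by the administrators who write to the log."""

    def __init__(self, key):
        self.key = key
        self.entries = []   # (record, mac_hex)

    def append(self, record):
        prev = bytes.fromhex(self.entries[-1][1]) if self.entries else GENESIS
        self.entries.append((record, _record_mac(self.key, prev, record)))

    def head(self):
        """Latest MAC; keep it off the host (or print and sign it daily, as the
        text suggests) so that cutting records off the end is detectable too."""
        return self.entries[-1][1] if self.entries else GENESIS.hex()

    def export(self):
        return "\n".join(json.dumps({"rec": r, "mac": m}) for r, m in self.entries)


def verify_chain(key, text, expected_head=None):
    """Return (True, None) if intact; otherwise (False, i) where i is the first
    modified or deleted entry, or the entry count if the log was truncated."""
    prev = GENESIS
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if not hmac.compare_digest(entry["mac"], _record_mac(key, prev, entry["rec"])):
            return False, i
        prev = bytes.fromhex(entry["mac"])
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(lines)
    return True, None
```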