technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- Top Security Challenges for 2018 - In 2018, we anticipate that
cybercriminals will look to target and exploit more security
software. By targeting trusted programs and the software and
hardware supply chain, attackers can take control of devices and
wholeheartedly manipulate users.
Gov't agencies adopting DMARC more quickly, but still have a ways to
go - With less than two weeks left until federal agencies must adopt
the Domain-based Message Authentication, Reporting, and Conformance
(DMARC) tool per the Binding Operational Directive (BOD) 18-01
issued by the Department of Homeland Security (DHS) in October, 47
percent of agencies have already adopted a DMARC policy and many
more are expected to follow.
Source code for Apple’s historic Lisa OS to be made available in
2018 - Apple is reviewing the code thanks to the Computer History
Museum. If you've ever been curious to test out Apple's original
Lisa operating system, you'll get the chance to do so next year
using the original source code.
Vulnerability Affects Hundreds of Thousands of IoT Devices - Here's
something to be cheery on Christmas Day - a vulnerability affecting
a web server that's been embedded in hundreds of thousands of IoT
Man Threatened Company with Cyber Attack to Fire Employee and Hire
Him Instead - A North Carolina judge sentenced a Washington man this
week to 37 months in prison for threatening a company with attacks
unless they fire one of their employees and hire him instead.
Ukraine a "training ground" for Russian hacking attacks on west -
Ukraine has become a "training ground" for Russian hackers wishing
to perpetrate cyber-attacks on the west, a Kyiv security expert has
Cybercriminals favored non-malware attacks in 2017 -
Non-malware-based cyberattacks were behind the majority of cyber
incidents reported in 2017, despite proliferation of malware
available to both the professional and amateur hacker.
Consumers worry about their data, but don't bother much with
security - A recent worldwide consumer survey found a major
disconnect between general fears about cybersecurity and the actions
taken to protect not only their personal information, but their
families from cyberattacks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Major Intel, Arm chip security flaw puts your PCs, phones at risk
- Security researchers say a common processor design used by Intel
and mobile chip tech designer Arm may leave the door open to
exposing sensitive system data.
Ancestry.com's RootsWeb forum breached, 300,000 records compromised
- About 300,000 Ancestry.com members that use its RootsWeb
genealogical community had their email/usernames and passwords
Australian loses $1 million in 'catphish' whaling scam - A London
court heard a case earlier this month in which one of Australia's
richest people tried to recover $1 million scammed from him in a
convoluted ruse that combined traditional phishing with the
“Catfish” online phenomenon preying on lonely people looking for
Cyberattack forces New York State hospital to run on downtime
procedures - A cyberattack disrupted computer systems at Jones
Memorial Hospital (JMH) in Wellsville, N.Y. on Thursday, the
Buffalo-area health care facility has announced on its website.
Migos' Offset iCloud hacked, images of fiancé Cardi B leaked -
Rapper Cardi B is threatening legal action after hackers broke into
her fiancé Offset's iCloud account and posted videos of the female
MC along with video of the Migos' rapper with a separate
Forever 21 blames POS malware, lapses in encryption, for payment
card data compromise - A point-of-sale malware infection was
responsible for compromising payment card data collected at certain
Forever 21 stores last year – an attack that was exacerbated by a
lack of encryption on some devices, the apparel retailer stated last
week in its update to a previous incident disclosure.
SSM Health call center agent with access to records allegedly
violated patient privacy - A one-time employee of Midwestern health
care system SSM Health with legitimate access to thousands of
patients' records allegedly violated HIPAA privacy regulations in a
data breach incident, the St. Louis-based company disclosed on Dec.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of potential situations
in which the institution may be liable for claims arising as a
result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
the top of the newsletter
FFIEC IT SECURITY -
We begin a new series from the FDIC "Security Risks
Associated with the Internet."
This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in?house or services are outsourced, bank management is responsible for protecting systems and data from compromise.
The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
14.1 User Support
In many organizations, user support takes place through a Help Desk.
Help Desks can support an entire organization, a subunit, a specific
system, or a combination of these. For smaller systems, the system
administrator normally provides direct user support. Experienced
users provide informal user support on most systems.
User support should be closely linked to the organization's incident
handling capability. In many cases, the same personnel perform these
An important security consideration for user support personnel is
being able to recognize which problems (brought to their attention
by users) are security-related. For example, users' inability to log
onto a computer system may result from the disabling of their
accounts due to too many failed access attempts. This could indicate
the presence of hackers trying to guess users' passwords.
In general, system support and operations staff need to be able to
identify security problems, respond appropriately, and inform
appropriate individuals. A wide range of possible security problems
exist. Some will be internal to custom applications, while others
apply to off-the-shelf products. Additionally, problems can be
software- or hardware-based.
The more responsive and knowledgeable system support and operation
staff personnel are, the less user support will be provided
informally. The support other users provide is important, but they
may not be aware of the "whole picture."
Small systems are especially susceptible to viruses, while networks
are particularly susceptible to hacker attacks, which can be
targeted at multiple systems. System support personnel should be
able to recognize attacks and know how to respond.