information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- HHS releases cyber guides for healthcare orgs - The Department of
Health and Human Services rolled out new guidance to protect
organizations in the health care sector from cyberattacks.
- FCC investigating major CenturyLink outage and 911 disruptions - A
nationwide CenturyLink outage has knocked out 911 voice calls in
parts of the US and affected everything from Verizon mobile data to
ATM withdrawals, lottery drawings, and hospital patient records.
- Former Phillips 66 employee charged with trade secret theft -
Research engineer reportedly caught by energy firm following a
review of his computer activity - Phillips 66 spokesman Dennis Nuff
confirmed Monday that the company is cooperating with the Federal
Bureau of Investigation in a case involving a former Bartlesville
- Hacking for the holidays: Healthcare Ransomware Edition - When
ransomware hits a hospital, lives are on the line. Ed Tittel looks
at how to deal with cyberattacks when lives are at stake.
- NSA to demo open-source malware reverse engineer tool at RSA 2019 -
The National Security Agency (NSA) will demonstrate a free and
open-source tool for reverse engineering malware with the hopes of
improving security rather than undermining it.
- National security center launches program to help US firms guard
against foreign hackers - The National Counterintelligence and
Security Center (NCSC) on Monday launched a program aimed at helping
U.S. companies protect themselves from cyber attacks or other
threats from foreign nation-state actors.
- U.S. Supreme Court declines to hear Fiat Chrysler appeal in car
hacking case - The U.S. Supreme Court Monday declined to hear Fiat
Chrysler’s appeal in a class action lawsuit claiming the automaker
knew its vehicles were vulnerable to cyberattacks as early as 2011.
- Bridgeport, Conn., schools hit with ransomware - The Bridgeport,
Conn., school district was hit with a ransomware attack last
- Neiman Marcus reaches $1.5M settlement over 2013 breach - Neiman
Marcus settled a class action lawsuit for $1.5 million that was
brought after the department store suffered a data breach in 2014.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cybercriminals compromise website for Dublin tram system, post
ransom demand - Malicious hackers on Thursday defaced the website
for Luas, a public tram system based in Dublin Ireland, posting a
ransom demand that threatened to publish data they claim to have
stolen from the transport service.
- Online security firm Abine suffers breach - The online privacy and
password management firm Abine reported a data breach that exposed
users' names, emails and portions of their login credentials of those
using its Blur product.
- Dental Center of NW Ohio feels bite of ransomware attack on IT
vendor - The Toledo-based Dental Center of Northwest Ohio has
disclosed that a ransomware attack affecting its local third-party
IT vendor may have endangered personal data belonging to current and
former patients and employees.
- Cloud Hosting Provider DataResolution.net Battling Christmas Eve
Ransomware Attack - Cloud hosting provider Dataresolution.net is
struggling to bring its systems back online after suffering a
ransomware infestation on Christmas Eve, KrebsOnSecurity has
- A list of employee names, work phone numbers and job titles
available to government employees through the Victorian Government
directory was reportedly accessed by an unauthorized third party.
According to the Australian Broadcasting Corporation (ABC),
information on approximately 30,000 Victorian public servants was
stolen in a data breach, after an unknown party downloaded a portion
of the directory.
- Malware suspected of hobbling several newspapers' production - Virus
interferes with publishing at Southern California printing plant. A
malware attack is suspected of preventing production on Saturday of
several newspapers, including the Wall Street Journal and Los
- Humana says Bankers Life breach exposed PII on insurance policy
applicants - Managed health care provider Humana said an
unauthorized third party accessed system credentials of some
employees at health insurance company Bankers Life, exposing
“limited, personal information” of people who had applied for a
- 5M passports accessed in Marriott breach were unencrypted - Marriott
International may have bumped down the number of records affected by
a breach of its Starwood division to 383 million, but the hotel
chain admitted that five million passport numbers stolen in the
incident by an unknown hacker were unencrypted.
- German politicians and other high profile citizens targeted in
massive data breach - Several German politicians, journalists, and
entertainers were targeted in a massive data breach that emerged on
Twitter in the form of an advent calendar last month.
- Singapore Airlines ‘glitch’ exposes personal data on 285 frequent
flyers - The data on about 285 Singapore Airlines’ Krisflyer
frequent flyer program members was exposed after a software glitch
following a website update allowed frequent flyers to see the data of
- Emergency warning system compromised as hackers send text and email
messages to thousands - Hackers have infiltrated and used an
emergency warning system designed to alert thousands of Australians
to imminent dangers.
- DePaul University group email exposes employees’ info - A group
email recently sent by DePaul University reportedly exposed the
names and email addresses of 656 employees who had completed the
school’s wellness program.
- Kitchenware companies breached in dual attacks - A pair of recent
cyberattacks against kitchen product companies may bring forth
visions of microwave ovens being set to expel X-rays or Wi-Fi
enabled refrigerators being hacked and set to 100 degrees, but
instead, in each case, the result was a data breach.
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure
that appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an
agent, which is the component that actually collects the
information. Second is a manager, which processes the information
collected by the agents. Third is a console, which allows authorized
information systems personnel to remotely install and upgrade
agents, define intrusion detection scenarios across agents, and
track intrusions as they occur. Depending on the complexity of the
IDS, there can be multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
user's or system's normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
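As an added example (not code from the FDIC paper or this newsletter), the three detection methods described above run in one pass over constructed log lines: a signature match, a misuse rule, and a per-user volume baseline. The log format, the signature, the misuse rules and the baseline figures are all assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the FDIC paper):
# "<timestamp> <source-ip> <user> <action> <target> <result>".
SAMPLE_LOG = [
    "2019-01-07T09:00:01 10.0.0.5 alice GET /index.html 200",
    "2019-01-07T09:00:02 10.0.0.5 alice GET /reports/q4.pdf 200",
    "2019-01-07T09:00:03 198.51.100.9 - GET /cgi-bin/../../etc/passwd 404",
    "2019-01-07T09:00:04 10.0.0.7 bob READ /finance/payroll.xls DENIED",
    "2019-01-07T09:00:05 10.0.0.9 carol CONNECT tcp/23 ALLOWED",
] + [f"2019-01-07T09:01:{i:02d} 10.0.0.5 alice GET /page{i}.html 200" for i in range(40)]

# Method 1: attack signatures - data patterns previously identified as an attack.
SIGNATURES = {"directory-traversal": re.compile(r"\.\./")}
# Method 3: anomaly detection - assumed per-user baseline of requests per minute.
BASELINE_PER_MINUTE = {"alice": 5, "bob": 3, "carol": 2}
ANOMALY_FACTOR = 3

def parse(line):
    ts, ip, user, action, target, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "action": action, "target": target, "result": result}

# Method 2: misuse rules - policy violations such as denied file access or disallowed traffic.
def misuse_rule(f):
    if f["result"] == "DENIED":
        return "unauthorized-file-access"
    if f["action"] == "CONNECT" and f["target"] == "tcp/23":
        return "disallowed-telnet"
    return None

def detect(lines):
    """Return (method, detail, evidence) alerts from all three methods in one pass."""
    alerts, per_minute = [], Counter()
    for line in lines:
        f = parse(line)
        for name, pat in SIGNATURES.items():
            if pat.search(f["target"]):
                alerts.append(("signature", name, line))
        rule = misuse_rule(f)
        if rule:
            alerts.append(("misuse", rule, line))
        per_minute[(f["user"], f["ts"][:16])] += 1   # bucket by user and minute
    for (user, minute), n in per_minute.items():
        base = BASELINE_PER_MINUTE.get(user)
        # A poorly tuned baseline or factor is what makes an anomaly-based IDS noisy.
        if base and n > ANOMALY_FACTOR * base:
            alerts.append(("anomaly", f"{user}: {n} requests in {minute}", ""))
    return alerts
```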
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently,
ideally in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and back-up
keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
! Ensuring the institution's certificates and authentication
systems comply with widely accepted PKI standards to retain the
flexibility to participate in ventures that require the acceptance
of the financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
The ability to audit supports many of the controls presented in
this handbook. The following paragraphs describe some of the most
Policy. The most fundamental interdependency of audit trails
is with policy. Policy dictates who is authorized access to what
system resources. Therefore it specifies, directly or indirectly,
what violations of policy should be identified through audit trails.
Assurance. System auditing is an important aspect of
operational assurance. The data recorded into an audit trail is used
to support a system audit. The analysis of audit trail data and the
process of auditing systems are closely linked; in some cases, they
may even be the same thing. In most cases, the analysis of audit
trail data is a critical part of maintaining operational assurance.
Identification and Authentication. Audit trails are tools
often used to help hold users accountable for their actions. To be
held accountable, the users must be known to the system (usually
accomplished through the identification and authentication process).
However, as mentioned earlier, audit trails record events and
associate them with the perceived user (i.e., the user ID). If a
user is impersonated, the audit trail will establish events but not
the identity of the user.
Logical Access Control. Logical access controls restrict the
use of system resources to authorized users. Audit trails complement
this activity in two ways. First, they may be used to identify
breakdowns in logical access controls or to verify that access
control restrictions are behaving as expected, for example, if a
particular user is erroneously included in a group permitted access
to a file. Second, audit trails are used to audit use of resources
by those who have legitimate access. Additionally, to protect audit
trail files, access controls are used to ensure that audit trails
are not modified.
Contingency Planning. Audit trails assist in contingency
planning by leaving a record of activities performed on the system
or within a specific application. In the event of a technical
malfunction, this log can be used to help reconstruct the state of
the system (or specific files).
Incident Response. If a security incident occurs, such as
hacking, audit records and other intrusion detection methods can be
used to help determine the extent of the incident. For example, was
just one file browsed, or was a Trojan horse planted to collect
Cryptography. Digital signatures can be used to protect
audit trails from undetected modification. (This does not prevent
deletion or modification of the audit trail, but will provide an
alert that the audit trail has been altered.) Digital signatures can
also be used in conjunction with adding secure time stamps to audit
records. Encryption can be used if confidentiality of audit trail
information is important.
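As an added example serving both the FFIEC item on a signed, time/date-stamped CA audit log and the Cryptography paragraph above (not code from either publication), a tamper-evident audit trail: each entry is time-stamped, chained to the previous entry and authenticated, so an in-place edit or a removed entry is reported at verification rather than prevented. It assumes an HMAC with a verifier-held key in place of a digital signature, so that it runs on the Python standard library alone; the entry format, the key and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain anchor for the first entry

def _mac(key, entry_fields):
    # Canonical JSON so the same fields always authenticate the same bytes.
    payload = json.dumps(entry_fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log, key, timestamp, event):
    """Append an entry whose MAC covers its timestamp, event and the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    fields = {"ts": timestamp, "event": event, "prev": prev}
    log.append({**fields, "mac": _mac(key, fields)})
    return log

def verify_log(log, key):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {"ts": entry["ts"], "event": entry["event"], "prev": prev}
        # The chain link catches a removed or reordered entry; the MAC catches an edit.
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(key, fields)):
            return False, i
        prev = entry["mac"]
    # Caveat: cutting entries off the end is not caught by the chain alone; the
    # latest MAC must also be recorded somewhere the log writer cannot change.
    return True, None

def demo():
    key = b"constructed-verifier-key"   # placeholder; keep the real key under dual control
    log = []
    append_entry(log, key, "2019-01-07T09:00:01Z", "root key used to sign certificate serial 1001")
    append_entry(log, key, "2019-01-07T09:05:00Z", "operator jdoe revoked certificate serial 0998")
    append_entry(log, key, "2019-01-07T09:07:30Z", "exception report reviewed")
    edited = [dict(e) for e in log]
    edited[1]["event"] = "operator jdoe viewed certificate serial 0998"   # in-place modification
    deleted = log[:1] + log[2:]                                           # middle entry removed
    return verify_log(log, key), verify_log(edited, key), verify_log(deleted, key)
```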