information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Mondelez sues Zurich over $100m cyberhack insurance claim - Zurich
refused to pay out for NotPetya attack, relying on war exclusion -
Mondelez, the US food company that owns the Oreo and Cadbury brands,
is suing its insurance company, Zurich, for refusing to pay out on a
$100 million claim for damage caused by the NotPetya cyberattack.
Modlishka pen testing tool could be used for real attacks - A Polish
cybersecurity researcher has released an automated tool designed for
pen testers that has the ability intercept data in real-time and
even swipe 2FA credentials, a move that has some in the industry
concerned that it could be used for nefarious purposes.
Hyatt Hotels implements bug bounty program - Hyatt Hotels has
partnered with HackerOne to launch a bug bounty program to help
stave off cyberattacks similar to what the hotel chain suffered in
2017 and the much larger Marriott breach that exposed millions of
Exclusive: How a Russian firm helped catch an alleged NSA data thief
- The U.S. has accused Kaspersky Lab of working with Russian spies.
But sources say the company exposed a massive breach that U.S.
Massachusetts rolls out free credit monitoring for breach victims -
Massachusetts Governor Charlie Baker has signed into law legislation
requiring that consumers victimized by a data breach receive free
security freezes and credit monitoring.
Report: Flaws in PremiSys access system could literally open door
for physical intruders - In a case of cybersecurity converging with
physical security, researchers have disclosed four vulnerabilities
in IDenticard Corp.’s PremiSys building access control system that
attackers could exploit to sneak into restricted locations.
How to Stop the Insider Threat from Switching Off Your Security
Lights - You’ve spent millions on security. You have the latest and
smartest firewalls installed. You have deployed cutting-edge
AI-powered antivirus solutions.
West African banks targeted in multi-wave attack - In a somewhat
unusual step cybercriminals are targeting banks in several western
African nations using off the shelf malware to gain entry, gain
persistence and exfiltrate data along with “living off the land”
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Kitchenware companies breached in dual attacks - A pair of recent
cyberattacks against kitchen product companies may bring forth
visions of microwave ovens being set to expel X-rays or Wi-Fi
enabled refrigerators being hacked and set to 100 degrees, but
instead, in each case, the result was a data breach.
First National 'dealing with authorities' after reported information
leak - Cover letters and CVs of job applicants have allegedly
appeared online. Australian real estate network First National has
reportedly had information it held on job applicants leaked online.
Amazon’s Ring allegedly let employees access customer video feeds -
Amazon’s Ring devices reportedly granted the company’s Ukraine-based
research and development team as well as U.S. executives and
engineers virtually unfettered round the clock access to live feeds
from some customer’s cameras, claims which Ring denies.
Del Rio, Texas ransomware attack knocks city offline - Last week,
the city of Del Rio, Texas was hit with a ransomware attack which
forced city officials to shut down the servers at its city hall and
deny employees access to the system, according to a Jan. 10 press
Amadeus booking system flaw could have exposed info on millions of
travelers - A recently discovered vulnerability in the Amadeus
online reservation system made it possible to access and change
reservations with just a booking number.
Collection 1’ breach exposes 773M unique emails, 21M passwords - The
large collection of files on the MEGA cloud service that exposed
nearly 773 million unique emails and 21 million unique passwords and
was posted on a hacking forum, came from a number of breaches and
sources, according to security researcher Troy Hunt, who dubbed the
breach “Collection 1.”
Fixed Fortnite flaws could have enabled account takeovers - A series
of vulnerabilities in the hugely popular online survival game
Fortnite could have allowed malicious actors to take over players’
accounts, prompting developer Epic Games to fix the issues before a
major incident transpired, according to researchers who discovered
Oklahoma Dept. of Securities server exposes millions of files - An
unsecured storage server belonging to the Oklahoma Department of
Securities exposed millions of files, containing personal data,
systems credentials and internal commission documents as well as
communications meant for the Oklahoma Securities Commission.
Click2Gov breach threatens credit card data of Hanover County
residents - A data breach of an third-party online payment system
has compromised the personal information of Hanover County,
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
conclude our review of the FDIC paper "Risk Assessment Tools and
Practices of Information System Security." We hope you have found
this series useful.
INCIDENT RESPONSE - Discusses implementing an incident
response strategy for the response component of an institution's
information security program. After implementing a defense strategy
and monitoring for new attacks, hacker activities, and unauthorized
insider access, management should develop a response strategy. The
sophistication of an incident response plan will vary depending on
the risks inherent in each system deployed and the resources
available to an institution. In developing a response strategy or
plan, management should consider the following:
1) The plan should provide a platform from which an institution
can prepare for, address, and respond to intrusions or unauthorized
activity. The beginning point is to assess the systems at risk, as
identified in the overall risk assessment, and consider the
potential types of security incidents.
2) The plan should identify what constitutes a break-in or system
misuse, and incidents should be prioritized by the seriousness of
the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude
and authority to respond to an incident. The plan should include
what the appropriate responses may be for potential intrusions or
4) A recovery plan should be established, and in some cases, an
incident response team should be identified.
5) The plan should include procedures to officially report the
incidents to senior management, the board of directors, legal
counsel, and law enforcement agents as appropriate.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Biometrics (Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
Audit trails involve many costs. First, some system overhead is
incurred recording the audit trail. Additional system overhead will
be incurred storing and processing the records. The more detailed
the records, the more overhead is required. Another cost involves
human and machine time required to do the analysis. This can be
minimized by using tools to perform most of the analysis. Many
simple analyzers can be constructed quickly (and cheaply) from
system utilities, but they are limited to audit reduction and
identifying particularly sensitive events. More complex tools that
identify trends or sequences of events are slowly becoming available
as off-the-shelf software. (If complex tools are not available for a
system, development may be prohibitively expensive. Some intrusion
detection systems, for example, have taken years to develop.)
The final cost of audit trails is the cost of investigating
anomalous events. If the system is identifying too many events as
suspicious, administrators may spend undue time reconstructing
events and questioning personnel.