R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 20, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Mondelez sues Zurich over $100m cyberhack insurance claim - Zurich refused to pay out for NotPetya attack, relying on war exclusion - Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100 million claim for damage caused by the NotPetya cyberattack. https://www.irishtimes.com/business/technology/mondelez-sues-zurich-over-100m-cyberhack-insurance-claim-1.3753475

Modlishka pen testing tool could be used for real attacks - A Polish cybersecurity researcher has released an automated tool designed for pen testers that has the ability to intercept data in real time and even swipe 2FA credentials, a move that has some in the industry concerned that it could be used for nefarious purposes. https://www.scmagazine.com/home/security-news/modlishka-pen-testing-tool-could-be-used-for-real-attacks/

Hyatt Hotels implements bug bounty program - Hyatt Hotels has partnered with HackerOne to launch a bug bounty program to help stave off cyberattacks similar to what the hotel chain suffered in 2017 and the much larger Marriott breach that exposed millions of customers' data. https://www.scmagazine.com/home/security-news/hyatt-hotels-implements-bug-bounty-program/

Exclusive: How a Russian firm helped catch an alleged NSA data thief - The U.S. has accused Kaspersky Lab of working with Russian spies. But sources say the company exposed a massive breach that U.S. authorities missed. https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131

Massachusetts rolls out free credit monitoring for breach victims - Massachusetts Governor Charlie Baker has signed into law legislation requiring that consumers victimized by a data breach receive free security freezes and credit monitoring. https://www.scmagazine.com/home/security-news/government-and-defense/massachusetts-rolls-out-free-credit-monitoring-for-breach-victims/

Report: Flaws in PremiSys access system could literally open door for physical intruders - In a case of cybersecurity converging with physical security, researchers have disclosed four vulnerabilities in IDenticard Corp.’s PremiSys building access control system that attackers could exploit to sneak into restricted locations.
https://www.scmagazine.com/home/security-news/report-flaws-in-premisys-access-system-could-literally-open-door-for-physical-intruders/
https://www.zdnet.com/article/details-published-about-vulnerabilities-in-popular-building-access-system/

How to Stop the Insider Threat from Switching Off Your Security Lights - You’ve spent millions on security. You have the latest and smartest firewalls installed. You have deployed cutting-edge AI-powered antivirus solutions. https://www.scmagazine.com/home/opinion/how-to-stop-the-insider-threat-from-switching-off-your-security-lights/

West African banks targeted in multi-wave attack - In a somewhat unusual step cybercriminals are targeting banks in several western African nations using off the shelf malware to gain entry, gain persistence and exfiltrate data along with “living off the land” tactics. https://www.scmagazine.com/home/security-news/west-african-banks-targeted-in-multi-wave-attack/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Kitchenware companies breached in dual attacks - A pair of recent cyberattacks against kitchen product companies may bring forth visions of microwave ovens being set to expel X-rays or Wi-Fi enabled refrigerators being hacked and set to 100 degrees, but instead, in each case, the result was a data breach. https://www.scmagazine.com/home/security-news/kitchenware-companies-breached-in-dual-attacks/

First National 'dealing with authorities' after reported information leak - Cover letters and CVs of job applicants have allegedly appeared online. Australian real estate network First National has reportedly had information it held on job applicants leaked online. https://www.zdnet.com/article/first-national-dealing-with-authorities-after-reported-information-leak/

Amazon’s Ring allegedly let employees access customer video feeds - Amazon’s Ring devices reportedly granted the company’s Ukraine-based research and development team, as well as U.S. executives and engineers, virtually unfettered round-the-clock access to live feeds from some customers’ cameras, claims which Ring denies. https://www.scmagazine.com/home/security-news/amazons-ring-reportedly-granted-some-of-its-employees-virtually-unfettered-round-the-clock-access-to-live-feeds-from-some-customers-cameras/

Del Rio, Texas ransomware attack knocks city offline - Last week, the city of Del Rio, Texas was hit with a ransomware attack which forced city officials to shut down the servers at its city hall and deny employees access to the system, according to a Jan. 10 press release. https://www.scmagazine.com/home/security-news/another-city-was-hit-with-a-ransomware-attack-which-knocked-daily-services-back-into-the-era-of-the-pen-and-pad/

Amadeus booking system flaw could have exposed info on millions of travelers - A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number. https://www.scmagazine.com/home/security-news/amadeus-booking-system-flaw-could-have-exposed-info-on-millions-of-travelers/

‘Collection 1’ breach exposes 773M unique emails, 21M passwords - The large collection of files on the MEGA cloud service that exposed nearly 773 million unique emails and 21 million unique passwords and was posted on a hacking forum, came from a number of breaches and sources, according to security researcher Troy Hunt, who dubbed the breach “Collection 1.” https://www.scmagazine.com/home/security-news/collection-1-breach-exposes-773m-unique-emails-21m-passwords/

Fixed Fortnite flaws could have enabled account takeovers - A series of vulnerabilities in the hugely popular online survival game Fortnite could have allowed malicious actors to take over players’ accounts, prompting developer Epic Games to fix the issues before a major incident transpired, according to researchers who discovered the program. https://www.scmagazine.com/home/security-news/gaming/fixed-fortnite-flaws-could-have-enabled-account-takeovers/

Oklahoma Dept. of Securities server exposes millions of files - An unsecured storage server belonging to the Oklahoma Department of Securities exposed millions of files, containing personal data, systems credentials and internal commission documents as well as communications meant for the Oklahoma Securities Commission. https://www.scmagazine.com/home/security-news/oklahoma-dept-of-securities-server-exposes-millions-of-files/

Click2Gov breach threatens credit card data of Hanover County residents - A data breach of a third-party online payment system has compromised the personal information of Hanover County, Virginia, residents. https://www.scmagazine.com/home/security-news/click2gov-breach-threatens-credit-card-data-of-hanover-county-residents/



WEB SITE COMPLIANCE -
We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.
  
  INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:
  
  1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.
  
  2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.
  
  3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.
  
  4) A recovery plan should be established, and in some cases, an incident response team should be identified.
  
  5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.
  
  FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION
  

  LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
  
  
AUTHENTICATION -
Biometrics (Part 1 of 2)
  
  Biometrics can be implemented in many forms, including tokens. Biometrics verifies the identity of the user by reference to unique physical or behavioral characteristics. A physical characteristic can be a thumbprint or iris pattern. A behavioral characteristic is the unique pattern of key depression strength and pauses made on a keyboard when a user types a phrase. The strength of biometrics is related to the uniqueness of the physical characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user's memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.
  
  Enrollment is a critical process for the use of biometric authentication. The user's physical characteristics must be reliably recorded. Reliability may require several samples of the characteristic and a recording device free of lint, dirt, or other interference. The enrollment device must be physically secure from tampering and unauthorized use.
  
  When enrolled, the user's biometric is stored as a template. Subsequent authentication is accomplished by comparing a submitted biometric against the template, with results based on probability and statistical confidence levels. Practical usage of biometric solutions requires consideration of how precise systems must be for positive identification and authentication. More precise solutions increase the chances a person is falsely rejected. Conversely, less precise solutions can result in the wrong person being identified or authenticated as a valid user (i.e., false acceptance rate). The equal error rate (EER) is a composite rating that considers the false rejection and false acceptance rates. Lower EERs mean more consistent operations. However, EER is typically based upon laboratory testing and may not be indicative of actual results due to factors that can include the consistency of biometric readers to capture data over time, variations in how a user presents their biometric sample (e.g., occasionally pressing harder on a finger scanner), and environmental factors.
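
The threshold trade-off described above can be worked through on a small data set. The following is an added example, not part of the FFIEC booklet: the match scores are constructed, and the 8-point field drift is an assumption standing in for users presenting their sample less consistently than in the lab.

```python
# Constructed match scores (0-100, higher = closer match to the stored template).
GENUINE = [62, 68, 71, 74, 77, 80, 83, 85, 88, 91]   # enrolled user, lab conditions
IMPOSTOR = [20, 28, 33, 39, 44, 50, 55, 61, 66, 72]  # other people vs. same template
# Assumed field drift: the same user presents less consistently, scoring 8 lower.
FIELD_GENUINE = [s - 8 for s in GENUINE]


def rates(genuine, impostor, threshold):
    """Return (false rejection rate, false acceptance rate) at a threshold.

    A sample is accepted when its score is >= threshold.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_point(genuine, impostor):
    """Return (threshold, FRR, FAR) at the lowest threshold where FRR and FAR are closest."""
    best = None
    for t in range(0, 101):
        frr, far = rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    t, frr, far = equal_error_point(GENUINE, IMPOSTOR)
    print(f"lab EER point: threshold={t} FRR={frr:.0%} FAR={far:.0%}")
    print("stricter threshold 75 (FRR, FAR):", rates(GENUINE, IMPOSTOR, 75))
    print("field scores at lab threshold (FRR, FAR):", rates(FIELD_GENUINE, IMPOSTOR, t))
```

On this data the lab EER is 10%, raising the threshold to 75 removes false acceptances at the price of rejecting 40% of genuine attempts, and the drifted field scores push false rejections to 40% at the threshold that looked balanced in the lab.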



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 18 - AUDIT TRAILS
 
 
18.5 Cost Considerations
 
 Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required. Another cost involves human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis. Many simple analyzers can be constructed quickly (and cheaply) from system utilities, but they are limited to audit reduction and identifying particularly sensitive events. More complex tools that identify trends or sequences of events are slowly becoming available as off-the-shelf software. (If complex tools are not available for a system, development may be prohibitively expensive. Some intrusion detection systems, for example, have taken years to develop.)
 
 The final cost of audit trails is the cost of investigating anomalous events. If the system is identifying too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel.
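
A simple analyzer of the kind described in this section, limited to audit reduction and flagging sensitive events, can be sketched as follows. This is an added example, not part of the NIST Handbook: the log format, event names, and records are constructed, and the failed-login threshold is a hypothetical tuning parameter that shows how flagging too much drives up investigation cost.

```python
from collections import Counter

# Constructed audit records: "timestamp user event outcome"
AUDIT_LOG = """\
2019-01-14T08:01:12 jsmith login success
2019-01-14T08:03:40 jsmith file_read success
2019-01-14T08:05:02 mlee login failure
2019-01-14T08:05:09 mlee login success
2019-01-14T08:10:31 backup file_read success
2019-01-14T09:15:00 tchan login failure
2019-01-14T09:15:04 tchan login failure
2019-01-14T09:15:09 tchan login failure
2019-01-14T09:20:45 jsmith privilege_change success
2019-01-14T09:30:10 rdavis login failure
2019-01-14T09:31:55 rdavis login failure
2019-01-14T10:02:18 backup audit_config_change success
"""

# Assumed event names that are always worth a reviewer's attention.
ALWAYS_SENSITIVE = {"privilege_change", "audit_config_change"}


def parse(log):
    """Yield one dict per audit record."""
    for line in log.splitlines():
        ts, user, event, outcome = line.split()
        yield {"ts": ts, "user": user, "event": event, "outcome": outcome}


def reduce_audit(log, failed_login_threshold):
    """Drop routine records; keep sensitive events and repeated login failures."""
    records = list(parse(log))
    failures = Counter(r["user"] for r in records
                       if r["event"] == "login" and r["outcome"] == "failure")
    noisy = {u for u, n in failures.items() if n >= failed_login_threshold}
    return [r for r in records
            if r["event"] in ALWAYS_SENSITIVE
            or (r["event"] == "login" and r["outcome"] == "failure"
                and r["user"] in noisy)]


def users_to_review(log, failed_login_threshold):
    """Users an administrator would have to follow up on at this threshold."""
    return sorted({r["user"] for r in reduce_audit(log, failed_login_threshold)})


if __name__ == "__main__":
    for threshold in (1, 3):
        print(threshold, len(reduce_audit(AUDIT_LOG, threshold)),
              users_to_review(AUDIT_LOG, threshold))
```

With a threshold of 1 every mistyped password is flagged and five users need follow-up; at 3 the same twelve records reduce to five flagged events and three users.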


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.