information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- DHS issues emergency directive to protect federal domains from DNS
hijacking campaign - The Department of Homeland Security on Tuesday
issued an emergency directive instructing federal government
agencies to take preventative measures against an ongoing DNS
hijacking campaign that has recently affected several executive
Data breaches, cyberattacks are top global risks alongside natural
disasters and climate change - Increased connectivity in society and
rapidly evolving threats are leaving the world open to damaging
large-scale cyberattacks, warns the World Economic Forum.
ACLU suit seeks social media surveillance records from seven fed
agencies - The U.S. government’s social media surveillance
activities, including the monitoring of immigrants and visa
applications under the Trump administration’s extreme vetting
effort, are in the crosshairs of a Freedom of Information (FOIA)
lawsuit filed by the American Civil Liberties Union (ACLU) and the
ACLU of Northern California.
Why modernize the enterprise security stack? Recent breaches point
the way - Cathay Pacific, Eurostar, British Airways – it’s fair to
say last October was a bit of a nightmare for security departments
across the world, and for consumers.
Security firm identifies cyberattacks on West African financial
groups - A cybersecurity firm has identified four different
cyberattack campaigns against various banks and other financial
institutions in West African countries.
Senators worry that new D.C. Metro railcars could carry cyber risk -
Senators who represent the Washington, D.C., area have raised
concerns about added cybersecurity risks in the region’s Metro
system after reports that a Chinese state-owned manufacturing
company could win a $1 billion procurement for railcars.
Balancing AI with Human Intelligence in Cybersecurity - Although
artificial intelligence (AI) has been around for more than half a
century, the advancements and hype surrounding the technology over
the past couple of decades have led to much discussion and confusion
about whether machines will someday replace humans in the workforce.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Collection 1 breach prompts calls for security
updates, investment - While the Collection 1 data dump – a whopping
773 million unique emails – dazzled with its size, it also
underscored the need to shift away from reliance on passwords and
renewed calls for investments in more up-to-date and reliable
South Korea reckons mystery hackers cracked open advanced weapons
servers - No idea who could have been behind this one... The South
Korea Ministry of National Defense says 10 of its internal PCs have
been compromised by North Korea unknown hackers.
Oklahoma gov data leak exposes FBI investigation records, millions
of department files - Updated: An Oklahoma Department of Securities
server allowed anyone to download government files. esearchers have
disclosed the existence of a server exposed to the public which not
only contained terabytes of confidential government data but
information relating to FBI investigations.
Amadeus booking system flaw could have exposed info on millions of
travelers - A recently discovered vulnerability in the Amadeus
online reservation system made it possible to access and change
reservations with just a booking number.
Cyberattack forces Health Sciences North to place systems on
downtime at 24 hospitals - A cyberattack on Health Sciences North in
Sudbury, Ontario, yesterday has reportedly disrupted multiple
systems at 24 of the Canadian health provider’s hospital facilities
in the northeastern part of the province.
Popular WordPress plugin hacked by angry former employee - Hacker
defaced the company's website and sent a mass email to all its
customers, alleging unpatched security holes.
Microsoft partner portal 'exposes 'every' support request filed
worldwide' today - Exclusive Alarmed Microsoft support partners can
currently view support tickets submitted from all over the world, in
what appears to be a very wide-ranging blunder by the Redmond-based
4M applications for youth org internships exposed - An unprotected
Elasticsearch database exposed at least four million “opportunity
applications” for internships at AIESEC, billed as “the world’s
largest youth-run organization” with more than 100,000 members in
Online gamblers lose big as casinos leave Elasticsearch database
open - An unknown number of online gamblers lost more than a few
bucks when several unnamed online casinos left an Elasticsearch
database open exposing the details of 108 million bets.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Over the next few weeks, we will
cover some of the issues discussed in the "Risk Management
Principles for Electronic Banking" published by the Basel Committee
on Bank Supervision.
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
While not creating inherently new risks, the Committee noted that
these characteristics increased and modified some of the traditional
risks associated with banking activities, in particular strategic,
operational, legal and reputational risks, thereby influencing the
overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an
attacker to submit false physical characteristics, or to take
advantage of system flaws to make the system erroneously report a
match between the characteristic submitted and the one stored in the
system. In the first situation, an attacker might submit to a
thumbprint recognition system a copy of a valid user's thumbprint.
The control against this attack involves ensuring a live thumb was
used for the submission. That can be done by physically controlling
the thumb reader, for instance having a guard at the reader to make
sure no tampering or fake thumbs are used. In remote entry
situations, logical liveness tests can be performed to verify that
the submitted data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
Cryptography is a branch of mathematics based on the transformation
of data. It provides an important tool for protecting information
and is used in many aspects of computer security. For example,
cryptography can help provide data confidentiality, integrity,
electronic signatures, and advanced user authentication. Although
modern cryptography relies upon advanced mathematics, users can reap
its benefits without understanding its mathematical underpinnings.
This chapter describes cryptography as a tool for satisfying a wide
spectrum of computer security needs and requirements. It describes
fundamental aspects of the basic cryptographic technologies and some
specific ways cryptography can be applied to improve security. The
chapter also explores some of the important issues that should be
considered when incorporating cryptography into computer systems.
Cryptography is traditionally associated only with keeping data
secret. However, modern cryptography can be used to provide many
security services, such as electronic signatures and ensuring that
data has not been modified.