technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- It's back! The CyberFirst Girls Competition 2018 - I think it’s
fair to say I did not expect to be running another CyberFirst Girls
Competition, but given the overwhelming response and unprecedented
amount of positive feedback we received following last year’s
competition, we really couldn't not run it again.
Ethical hackers can earn 16 times a software engineers' salary in
some countries - A recent HackerOne survey found that some bug
bounties bounty hunters are earning more than 16 times what they
would have earned as a software engineer in their own country.
House passes Cyber Diplomacy Act - A bipartisan group of Congressmen
cheered the passing of the Cyber Diplomacy Act (H.R. 3776) yesterday
by the House of Representatives.
Defense Dept. warns staffers against using personal email for
official business - Warning that the use of “non-official messaging
accounts” is illegal and runs counter to the Department of Defense's
(DoD's) official policy, Deputy Defense Secretary Patrick Shanahan
instructed agency employees to use their government email accounts
for government business.
Post-it with password spotted in online photo of Hawaii Emergency
Management Agency HQ - The Hawaii Emergency Management Agency has
had a lot of explaining to do after an employee pushed the wrong
button during a test and pushed out an alert warning residents that
a ballistic missile was headed their way, but now, the agency is now
catching heat after eagle-eyed internet users noticed a Post-It note
with a password stuck on a computer in a July photo taken at the
agency's Diamond Head headquarters.
Defense Dept. blocks 36M malicious emails daily, fends off 600 Gbps
DDoS attacks - That the Defense Department blocks 36 million
malicious emails daily aimed at accessing U.S. military systems, as
Defense Information Systems Agency Director of Operations David
Bennett recently said, underscores that attackers continue to
consider email an attractive attack vector and highlights the
stresses that security pros face daily trying to sort through
Aetna agrees to $17M to settle data breach - Aetna will pay a $17.1
million as part of a settlement for a July 2017 data breach that may
have compromised the personal health information of thousands of HIV
Complexity of DDoS attacks is rising says new report - DDoS attacks
plotted over the last year have stepped back from the
headline-grabbing events of 2016, but have become more stealthy and
intelligent, according to a new report.
Social engineering penetration testing: an overview - Social
engineering has proved to be extremely efficient hacking technique,
as it exploits both human weaknesses (greed, vanity, authority
worship) and virtues (compassion, willingness to help others).
South Dakota government advances data breach notification bill - The
South Dakota State Judiciary committee voted unanimously to advance
a bill that would require companies to inform state residents if
their PII was involved in a data breach.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hospital injects $60,000 into crims' coffers to cure malware
infection - Medics say they couldn't wait for backups to be pulled
as ransomware ransacked kit - A US hospital paid extortionists
roughly $60,000 to end a ransomware outbreak that forced staff to
use pencil-and-paper records.
Separate ransomware attacks strike New Mexico city, Indiana health
care provider - A New Mexican city of roughly 45,000 people and an
Indianan hospital operator have fallen victim to separate ransomware
attacks this month.
OnePlus breach may have compromised 40K users - An attack on
OnePlus.net may have affected up to 40,000 users, who the company
has notified by email.
Turkish hacktivist group hijacks ex-sheriff David Clarke Jr.'s
Twitter account - The same Turkish hacktivist group that last week
took over the Twitter accounts of conservative media figures Greta
Van Susteren, Eric Bolling, and Brit Hume.
Florida makes info on 1K Kansas voters public, lawmakers ask DHS to
clarify role regarding election integrity commission - Florida
released partial social security numbers for close to 1,000 Kansas
voters after receiving data from Kansas Secretary of State Kris
Kobach as part of the Crosscheck program that identifies double
Oh, baby! Infants' Social Security numbers spotted for sale on dark
web - Apparently, you're never too young to be on the dark web -- or
at least for your data to be hawked there. The personal identifiable
information (PII) of infants, including Social Security numbers,
were recently found advertised for sale on the dark web under the
sales pitch "get em befor tax seson [sic]."
Hacking initial coin offerings leading to the loss of millions in
cryptocurency - Initial coin offerings (ICO) are losing about 10
percent of all ICO funds generated to cyberattack due to poor
cybersecurity as malicious actors take advantage of the absence of a
centralized authority, blockchain transaction irreversibility and
information chaos that presides over this sector.
Bell Canada breach exposes names, emails of 100K customers - For the
second time in less than a year, Bell Canada has experienced a data
breach that exposed customer records.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - Risk
Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Assess Quality of Service and Support
• Regularly review reports
documenting the service provider’s performance. Determine if the
reports are accurate and allow for a meaningful assessment of
the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
the top of the newsletter
FFIEC IT SECURITY -
continue the series from the
FDIC "Security Risks Associated with the Internet."
System Architecture and
The Internet can facilitate unchecked and/or undesired access to
internal systems, unless systems are appropriately designed and
controlled. Unwelcome system access could be achieved through IP
spoofing techniques, where an intruder may impersonate a local or
internal system and be granted access without a password. If access
to the system is based only on an IP address, any user could gain
access by masquerading as a legitimate, authorized user by
"spoofing" the user's address. Not only could any user of that
system gain access to the targeted system, but so could any system
that it trusts.
Improper access can also result from other technically permissible
activities that have not been properly restricted or secured. For
example, application layer protocols are the standard sets of rules
that determine how computers communicate across the Internet.
Numerous application layer protocols, each with different functions
and a wide array of data exchange capabilities, are utilized on the
Internet. The most familiar, Hyper Text Transfer Protocol (HTTP),
facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the
transfer, copying, and deleting of files between computers. Telnet
protocol actually enables one computer to log in to another.
Protocols such as FTP and Telnet exemplify activities which may be
improper for a given system, even though the activities are within
the scope of the protocol architecture.
The open architecture of the Internet also makes it easy for
system attacks to be launched
against systems from anywhere in the world. Systems can even
be accessed and then used to launch attacks against other systems. A
typical attack would be a denial of service attack, which is
intended to bring down a server, system, or application. This might
be done by overwhelming a system with so many requests that it shuts
down. Or, an attack could be as simple as accessing and altering a
Web site, such as changing advertised rates on certificates of
Security Scanning Products
A number of software programs exist which run automated security
scans against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
14.5.3 Integrity Verification
When electronically stored information is read into a computer
system, it may be necessary to determine whether it has been read
correctly or subject to any modification. The integrity of
electronic information can be verified using error detection and
correction or, if intentional modifications are a threat,
14.5.4 Physical Access Protection
Media can be stolen, destroyed, replaced with a look-alike copy, or
lost. Physical access controls, which can limit these problems,
include locked doors, desks, file cabinets, or safes.
If the media requires protection at all times, it may be necessary
to actually output data to the media in a secure location (e.g.,
printing to a printer in a locked room instead of to a
general-purpose printer in a common area).
Physical protection of media should be extended to backup copies
stored offsite. They generally should be accorded an equivalent
level of protection to media containing the same information stored
onsite. (Equivalent protection does not mean that the security
measures need to be exactly the same. The controls at the off-site
location are quite likely to be different from the controls at the
14.5.5 Environmental Protection
Magnetic media, such as diskettes or magnetic tape, require
environmental protection, since they are sensitive to temperature,
liquids, magnetism, smoke, and dust. Other media (e.g., paper and
optical storage) may have different sensitivities to environmental