FFIEC information technology audits - As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go to On-site FFIEC IT Audits.
FYI
- DHS issues emergency directive to protect federal domains from DNS
hijacking campaign - The Department of Homeland Security’s newly
created Cybersecurity and Infrastructure Security Agency (CISA)
issued its first-ever emergency directive on Tuesday, instructing
federal government agencies to take preventative measures against an
ongoing DNS hijacking campaign that has recently affected several
executive branch domains.
https://www.scmagazine.com/home/security-news/government-and-defense/dhs-issues-emergency-directive-to-protect-federal-domains-from-dns-hijacking-campaign/
Pentagon Aims to Close the GAPS for Sensitive Data in the Cloud -
Data can travel around the world in a blink of an eye and show up on
practically any device, be it a networked PC, a phone, or some other
mobile component.
https://www.meritalk.com/articles/pentagon-aims-to-close-the-gaps-for-sensitive-data-in-the-cloud/
House Passes Bill to Help Identify Cybersecurity Vulnerabilities -
By a vote of 377-3, the House passed the Hack Your State Department
Act late Tuesday evening.
https://www.meritalk.com/articles/house-passes-bill-to-help-identify-cybersecurity-vulnerabilities/
FCC wraps up its first 5G auction with nearly 3,000 licenses won
- The Federal Communications Commission has concluded bidding in its
auction of spectrum for 5G, a next-generation wireless technology
that promises super-fast speeds.
https://www.cnet.com/news/fcc-wraps-up-its-first-5g-auction-with-nearly-3000-licenses-won/
Illinois Supreme Court: Six Flags violated state’s Biometric
Information Privacy Act - In a test of the enforceability of the
Illinois Biometric Information Privacy Act, the Illinois Supreme
Court ruled that a 14-year-old boy was entitled to statutory damages
– between $1,000 to $5,000 – after a Six Flags amusement park
issuing a season pass didn’t get his express permission before
fingerprinting him.
https://www.scmagazine.com/home/security-news/illinois-supreme-court-six-flags-violated-states-biometric-information-privacy-act/
Japanese government plans to hack into citizens' IoT devices -
Japanese government wants to secure IoT devices before Tokyo 2020
Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
Security Isn't Enough. Silicon Valley Needs 'Abusability' Testing -
Technology has never limited its effects to those its creators
intended: It disrupts, reshapes, and backfires.
https://www.wired.com/story/abusability-testing-ashkan-soltani/
Top convictions, guilty pleas and sentences for 2018 - Attribution
is difficult and sometimes it seems that cybercriminals are beyond
the long arm of the law. But hackers – some even foreign nationals –
were increasingly brought to justice on both sides of the Atlantic
in 2018 for various cybercrimes.
https://www.scmagazine.com/home/security-news/top-convictions-guilty-pleas-and-sentences-for-2019/
Cloud access governance - Because the best defense is a good
offense - As enterprises move their data and apps to the cloud,
security controls that really “matter” are changing.
https://www.scmagazine.com/home/opinion/cloud-access-governance-because-the-best-defense-is-a-good-offense/
Judge rejects Yahoo’s data breach settlement proposal - A federal
judge in San Jose, California rejected Yahoo’s proposed data breach
settlement offer faulting Yahoo’s lack of transparency.
https://www.scmagazine.com/home/security-news/u-s-district-judge-lucy-koh-in-san-jose-california-rejected-yahoos-proposed-data-breach-settlement-offer-faulting-yahoos-lack-of-transparency/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Patient data of 70,000 compromised in Kansas-based Valley Hope
Association breach - Kansas-based Valley Hope Association addiction
treatment centers are notifying patients their personal information
may have been compromised in a phishing attack which granted
unauthorized access to an employee’s email account.
https://www.scmagazine.com/home/security-news/kansas-based-valley-hope-association-addiction-treatment-centers-are-notifying-patients-their-personal-information-may-have-been-compromised/
24 million credit and mortgage records exposed on Elasticsearch
database - An open Elasticsearch database has again been found this
time exposing 24.3 million mortgage and credit reports.
https://www.scmagazine.com/home/security-news/data-breach/24-million-credit-and-mortgage-records-exposed-on-elasticsearch-database/
Ransomware attacks take down Sammamish city hall and Salisbury PD -
Two municipalities were hit with ransomware attacks that effectively
shut down large portions of their computer networks, restricting
access to many records.
https://www.scmagazine.com/home/security-news/ransomware/ransomware-attacks-take-down-sammamish-city-hall-and-salisbury-pd/
Spammers Abused Weakness at GoDaddy.com - Two of the most disruptive
and widely-received spam email campaigns over the past few months —
including an ongoing email scam and a hoax that shut down dozens of
schools, businesses and government buildings late last year — were
made possible thanks to an authentication weakness at GoDaddy.com,
the world’s largest domain name registrar, KrebsOnSecurity has
learned.
https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
U.K. home supply giant leaves offender database open - U.K. home
supply chain B&Q exposed the information of 70,000 people allegedly
involved in some type of criminal activity in one of the chain’s
stores.
https://www.scmagazine.com/home/security-news/u-k-home-supply-giant-leaves-offender-database-open/
Discover Financial Services notifies customers of data breach
incident - Discover Financial Services has filed a data breach
incident notification with the California attorney general’s office
that some of its cardholders may have had their account
information compromised.
https://www.scmagazine.com/home/security-news/data-breach/discover-financial-services-notifies-customers-of-data-breach-incident/
Double exposure: 24 million loan records also exposed on open Amazon
S3 bucket - The original mortgage and credit documents involved in
the 24 million Elasticsearch data breach that was revealed earlier
this week also have been found residing in an open Amazon S3 bucket
by the cyber researcher behind the original discovery.
https://www.scmagazine.com/home/security-news/data-breach/double-exposure-24-million-loan-records-also-exposed-on-open-amazon-s3-bucket/
FaceTime bug lets callers eavesdrop on recipients - A FaceTime bug
that lets a caller listen to the audio of the recipient before he or
she answers the phone will be addressed in an update later in the
week, Apple said Monday night.
https://www.scmagazine.com/home/security-news/facetime-bug-lets-callers-eavesdrop-on-recipients/
Hundreds of Delaware residents among the victims of BenefitMall
breach - Delaware’s Department of Insurance announced yesterday that
650 residents and five companies located within the state were
impacted by a 2018 data breach of BenefitMall, a third-party HR
services administrator for health insurance companies.
https://www.scmagazine.com/home/security-news/data-breach/hundreds-of-delaware-residents-among-the-victims-of-benefitmall-breach/
Possible ransomware attack disturbs Altran Technologies’ European
operations - French engineering research and consulting firm Altran
Technologies disclosed this week that a Jan. 24 cyberattack impacted
its operations in certain European countries.
https://www.scmagazine.com/home/security-news/possible-ransomware-attack-disturbs-altran-technologies-european-operations/
WEB SITE COMPLIANCE -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
FFIEC IT SECURITY -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 19 - CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
Cryptography relies upon two basic
components: an algorithm (or cryptographic methodology) and a
key. In modern cryptographic systems, algorithms are complex
mathematical formulae and keys are strings of bits. For two parties
to communicate, they must use the same algorithm (or algorithms that
are designed to work together). In some cases, they must also use
the same key. Many cryptographic keys must be kept secret; sometimes
algorithms are also kept secret.
There are two basic types of
cryptography: secret key systems (also called symmetric
systems) and public key systems (also called asymmetric
systems). The table compares some of the distinct features of secret
and public key systems. Both types of systems offer advantages and
disadvantages. Often, the two are combined to form a hybrid
system to exploit the strengths of each type. To determine which
type of cryptography best meets its needs, an organization first has
to identify its security requirements and operating environment.
DISTINCT FEATURES      SECRET KEY CRYPTOGRAPHY          PUBLIC KEY CRYPTOGRAPHY
NUMBER OF KEYS         Single key.                      Pair of keys.
TYPES OF KEYS          Key is secret.                   One key is private, and one key is public.
PROTECTION OF KEYS     Disclosure and modification.     Disclosure and modification for private keys;
                                                        modification only for public keys.
RELATIVE SPEEDS        Faster.                          Slower.
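The hybrid system the handbook describes, worked through in code. This is an added example written for this newsletter, not code from the NIST Handbook, the FDIC, or any vendor; it uses only the Go standard library. The bulk data is encrypted with a fresh secret (symmetric) key, AES-256-GCM, and only that 32-byte key is sent through the slow public-key operation, RSA-OAEP, so the sender needs just the recipient's public key and the recipient needs just its private key. The wire format name HybridMessage, the function names Seal, Open and DirectRSAFails, and the sample account-record payload are assumptions chosen for illustration. DirectRSAFails also shows why the two are combined rather than using public key cryptography alone: a single RSA-OAEP block with a 2048-bit key and SHA-256 carries at most 190 bytes of plaintext, so the Go library refuses anything larger with rsa.ErrMessageTooLong.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// HybridMessage (an assumed wire format for this example) is what a hybrid
// system transmits: the bulk data encrypted under a single-use symmetric key,
// plus that key wrapped under the recipient's public key.
type HybridMessage struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// Seal encrypts plaintext of any length for the holder of the private key
// matching pub. The sender never needs a secret shared in advance.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	// Secret-key half: a fresh random AES-256 key for this message only.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Public-key half: only the 32-byte key goes through the slow RSA step.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the symmetric key with priv, then decrypts and authenticates
// the bulk data. Any modification of the ciphertext makes GCM return an error.
func Open(priv *rsa.PrivateKey, msg *HybridMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

// DirectRSAFails reports whether RSA-OAEP alone refuses the plaintext because
// it exceeds one RSA block (190 bytes for a 2048-bit key with SHA-256).
func DirectRSAFails(pub *rsa.PublicKey, plaintext []byte) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	return errors.Is(err, rsa.ErrMessageTooLong)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload, deliberately larger than one RSA block.
	plaintext := bytes.Repeat([]byte("account 0000-0000 balance 1234.56\n"), 100)

	msg, err := Seal(&priv.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, msg)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plaintext))
	fmt.Println("RSA-OAEP alone rejects the payload:", DirectRSAFails(&priv.PublicKey, plaintext))

	msg.Ciphertext[0] ^= 0x01 // a modified ciphertext fails the GCM tag check
	_, err = Open(priv, msg)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The design mirrors the table: one secret key per message that must be protected against disclosure, one key pair whose private half is protected against disclosure and whose public half only needs protection against modification (substituting an attacker's public key would let the attacker unwrap every session key). An examiner reviewing an institution's encryption design should expect to see this split, with the private key held in a protected key store rather than on the application server alongside the data it protects.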