information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- DHS issues emergency directive to protect federal domains from DNS
hijacking campaign - The Department of Homeland Security’s newly
created Cybersecurity and Infrastructure Security Agency (CISA)
issued its first-ever emergency directive on Tuesday, instructing
federal government agencies to take preventative measures against an
ongoing DNS hijacking campaign that has recently affected several
executive branch domains.
Pentagon Aims to Close the GAPS for Sensitive Data in the Cloud -
Data can travel around the world in a blink of an eye and show up on
practically any device, be it a networked PC, a phone, or some other
House Passes Bill to Help Identify Cybersecurity Vulnerabilities -
By a vote of 377-3, the House passed the Hack Your State Department
Act late Tuesday evening.
FCC wraps up its first 5G auction with nearly 3,000 licenses won
-The Federal Communications Commission has concluded bidding in its
auction of spectrum for 5G, a next-generation wireless technology
that promises super-fast speeds.
Illinois Supreme Court: Six Flags violated state’s Biometric
Information Privacy Act - In a test of the enforceability of the
Illinois Biometric Information Privacy Act, the Illinois Supreme
Court ruled that a 14-year-old boy was entitled to statutory damages
– between $1,000 to $5,000 – after a Six Flags amusement park
issuing a season pass didn’t get his express permission before
Japanese government plans to hack into citizens' IoT devices -
Japanese government wants to secure IoT devices before Tokyo 2020
Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.
Security Isn't Enough. Silicon Valley Needs 'Abusability' Testing -
Technology has never limited its effects to those its creators
intended: It disrupts, reshapes, and backfires.
Top convictions, guilty pleas and sentences for 2018 - Attribution
is difficult and sometimes it seems that cybercriminals are beyond
the long arm of the law. But hackers – some even foreign nationals –
were increasingly brought to justice on both sides of the Atlantic
in 2018 for various cybercrimes.
Cloud access governance -– Because the best defense is a good
offense - As enterprises move their data and apps to the cloud,
security controls that really “matter” are changing.
Judge rejects Yahoo’s data breach settlement proposal - A federal
judge in San Jose, California rejected Yahoo’s proposed data breach
settlement offer faulting Yahoo’s lack of transparency.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Patient data of 70,000 compromised in Kansas-based Valley Hope
Association breach - Kansas-based Valley Hope Association addiction
treatment centers are notifying patients their personal information
may have been compromised in a phishing attack which granted
unauthorized access to an employee’s email account.
24 million credit and mortgage records exposed on Elasticsearch
database - An open Elasticsearch database has again been found this
time exposing 24.3 million mortgage and credit reports.
Ransomware attacks take down Sammamish city hall and Salisbury PD -
Two municipalities were hit with ransomware attacks that effectively
shut down large portions of their computer networks, restricting
access to many records.
Spammers Abused Weakness at GoDaddy.com - Two of the most disruptive
and widely-received spam email campaigns over the past few months —
including an ongoing email scam and a hoax that shut down dozens of
schools, businesses and government buildings late last year — were
made possible thanks to an authentication weakness at GoDaddy.com,
the world’s largest domain name registrar, KrebsOnSecurity has
U.K. home supply giant leaves offender database open - U.K. home
supply chain B&Q exposed the information of 70,000 people allegedly
involved in some type of criminal activity in one of the chain’s
Discover Financial Services notifies customers of data breach
incident - Discover Financial Services has filed a data breach
incident notification with the California attorney general’s office
that some of its cardholders maybe have had their account
Double exposure: 24 million loan records also exposed on open Amazon
S3 bucket - The original mortgage and credit documents involved in
the 24 million Elasticsearch data breach that was revealed earlier
this week also have been found residing in an open Amazon S3 bucket
by the cyber researcher behind the original discovery.
FaceTime bug lets callers eavesdrop on recipients - A FaceTime bug
that lets a caller listen to the audio of the recipient before he or
she answers the phone will be addressed in an update later in the
week, Apple said Monday night.
Hundreds of Delaware residents among the victims of BenefitMall
breach - Delaware’s Department of Insurance announced yesterday that
650 residents and five companies located within the state were
impacted by a 2018 data breach of BenefitMall, a third-party HR
services administrator for health insurance companies.
Possible ransomware attack disturbs Altran Technologies’ European
operations - French engineering research and consulting firm Altran
Technologies disclosed this week that a Jan. 24 cyberattack impacted
its operations in certain European countries.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
the top of the newsletter
FFIEC IT SECURITY -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices or
Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
Cryptography relies upon two basic
components: an algorithm (or cryptographic methodology) and a
key. In modern cryptographic systems, algorithms are complex
mathematical formulae and keys are strings of bits. For two parties
to communicate, they must use the same algorithm (or algorithms that
are designed to work together). In some cases, they must also use
the same key. Many cryptographic keys must be kept secret; sometimes
algorithms are also kept secret.
There are two basic types of
cryptography: "secret key" and "public key."
There are two basic types of
cryptography: secret key systems (also called symmetric
systems) and public key systems (also called asymmetric
systems). The table compares some of the distinct features of secret
and public key systems. Both types of systems offer advantages and
disadvantages. Often, the two are combined to form a hybrid
system to exploit the strengths of each type. To determine which
type of cryptography best meets its needs, an organization first has
to identify its security requirements and operating environment.
|NUMBER OF KEYS
||Pair of keys.
|TYPES OF KEYS
||Key is secret.
||One key is
private, and one key is public.
modification for private keys and modification for public