technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
Number of cyber incidents doubled in 2017, yet 93 percent could
easily have been prevented - Out of nearly 160,000 reported cyber
incidents affecting businesses in 2017, 93 percent could have been
prevented by following basic security measures such as regularly
updating software, blocking fake email messages, using email
authentication, and training employees, a new report claims.

Tech firms let Russia probe software widely used by U.S. government
- Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O)
and McAfee have allowed Russian authorities to hunt for
vulnerabilities in software deeply embedded across the U.S.
government, a Reuters investigation has found.

On this episode of Women of Washington, host Gigi Schumm welcomed
Donna Dodson, chief cybersecurity officer at the National Institute
of Standards and Technology. Dodson also serves as associate
director of the Information Technology Laboratory and director of
the National Cybersecurity Center of Excellence.

Baby boomers more cybersecurity savvy than Gen-Z, study - Generation
Z are the least ransomware savvy generation while baby boomers were
more likely to accurately define ransomware and were the savviest
when it comes to not forwarding emails from unknown senders.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Millions of machines download XMRig cryptominer after users click
on devious links - A newly discovered malicious URL redirection
campaign that infects users with the XMRig Monero cryptocurrency
miner has already victimized users between 15 and 30 million times,
researchers have reported.

Bell Canada Canucks it up again: Second hack in just eight months -
Subscriber database plundered by miscreants once again - Executives
at Bell Canada have been left with faces redder than their nation's
flag – after their subscriber database was hacked for the second
time in eight months.

Report: In a U.S. first, jackpotting attacks are forcing ATMs to
'make it rain' - Organized criminals are physically accessing ATM
machines and infecting them with malware that makes them spit out
cash, in what reports are calling the first-ever confirmed case of
"jackpotting" attacks in the U.S.

Texas county nearly duped out of $888,000 in Hurricane Harvey
phishing scam - The most populous county in Texas nearly lost
$888,000 last year, after a local government employee fell for a
spear phishing campaign that used Hurricane Harvey as a lure, the
Houston Chronicle has reported.

Data from soldiers' fitness trackers reveal sensitive locations,
routines - A heatmap of two years' worth of fitness tracker Strava's
global data, released last November but discovered more recently by
an Australian student, inadvertently revealed the location of U.S.
military facilities in war zones.

More than 2,000 WordPress websites are infected with a keylogger -
Malicious script logs passwords and just about anything else admins
or visitors type. More than 2,000 websites running the open source
WordPress content management system are infected with malware,
researchers warned late last week. The malware in question logs
passwords and just about anything else an administrator or visitor

Charlotte Housing Authority hit with W-2 tax breach - The Charlotte,
N.C., Housing Authority was hit with one of the tax season's earlier
W-2 breaches, which was identified 10 days before the Federal Trade
Commission's Tax Identity Theft Awareness Week kicked off.

Security experts play script doctor, as Grey's Anatomy resolves
hospital hacker plot - Previously on Grey's Anatomy… Grey Sloan
Memorial Hospital's network was taken over by a hacker who demanded
millions in Bitcoin, in what was essentially a ransomware attack.

Spartanburg, S.C., library system hit with ransomware attack - The
Spartanburg, S.C., Public Library system was shut down earlier this
week after it was hit with a ransomware attack.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Monitor Contract Compliance and Revision Needs
• Review invoices to assure proper charges for services rendered,
the appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance
relative to service level agreements, determine whether other
contractual terms and conditions are being met, and whether any
revisions to service level expectations or other terms are
needed given changes in the institution’s needs and
• Maintain documents and records regarding contract compliance,
revision and dispute resolution.

Resumption Contingency Plans
• Review the service provider’s business resumption contingency
plans to ensure that any services considered mission critical for
the institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan
testing. For many critical services, annual or more frequent
tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for
mission critical services and applications.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls
A primary concern in controlling system access is the safeguarding of
user IDs and passwords. The Internet presents numerous issues to
consider in this regard. Passwords can be obtained through deceptive
"spoofing" techniques such as redirecting users to false Web sites
where passwords or user names are entered, or creating shadow copies
of Web sites where attackers can monitor all activities of a user.
Many "spoofing" techniques are hard to identify and guard against,
especially for an average user, making authentication processes an
important defense mechanism.
The unauthorized or unsuspected acquisition of data such as
passwords, user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a
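
A defender-side check for the risk described above, as an added example that is not part of the original newsletter or the FDIC paper: it rejects a candidate password that contains tokens from the user's own profile, including reversed and character-substituted forms. The profile fields, the substitution table and all sample values are constructed assumptions.

```python
import re

# Constructed substitution table: common look-alike characters are undone
# before comparison. "1" is ambiguous, so both readings are tried.
_SUBS = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
         "@": "a", "$": "s", "!": "i", "1": "l"}
LEET_L = str.maketrans(_SUBS)
LEET_I = str.maketrans({**_SUBS, "1": "i"})


def profile_tokens(profile, min_len=3):
    """Break profile fields into lowercase tokens worth checking."""
    tokens = set()
    for value in profile.values():
        text = str(value).split("@")[0]        # e-mail: local part only
        for part in re.split(r"[^A-Za-z0-9]+", text):
            if len(part) >= min_len:
                tokens.add(part.lower())
        digits = re.sub(r"\D", "", text)
        if len(digits) >= 4:                   # phone numbers, dates
            tokens.update({digits, digits[-4:]})
    return tokens


def derived_from_profile(candidate, profile):
    """Return the sorted profile tokens found in the candidate password."""
    raw = candidate.lower()
    forms = {raw, raw[::-1],                   # as typed, and reversed
             raw.translate(LEET_L), raw.translate(LEET_I),
             re.sub(r"\D", "", raw)}           # digits only
    return sorted(t for t in profile_tokens(profile)
                  if any(t in f for f in forms))


# Constructed sample profile, not real customer data.
SAMPLE_PROFILE = {
    "name": "Jane Smith",
    "email": "jsmith@example.test",
    "phone": "555-0142",
    "birth_date": "1975-03-09",
}

if __name__ == "__main__":
    for pw in ("J4ne!1975", "htimS-0142", "correct-horse-battery"):
        hits = derived_from_profile(pw, SAMPLE_PROFILE)
        print(pw, "->", "reject: " + ", ".join(hits) if hits else "ok")
```

A non-empty result means the password should be refused at enrollment or change time, before it is ever stored.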
Security Flaws and Bugs / Active Content Languages
in software and hardware design also represent an area of concern.
Security problems are often identified after the release of a new
product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely
publicized, and the identification of new bugs is constant. These
bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar
security concerns, especially when dealing with network software or
active content languages which allow computer programs to be
attached to Web pages (e.g., Java, ActiveX). Security flaws
identified in Web browsers (i.e., application software used to
navigate the Internet) have included bugs which, theoretically, may
allow the installation of programs on a Web server, which could then
be used to back into the bank's system. Even if new technologies are
regarded as secure, they must be managed properly. For example, if
controls over active content languages are inadequate, potentially
hostile and malicious programs could be automatically downloaded
from the Internet and executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
Media control may be transferred both within the organization and to
outside elements. Possibilities for securing such transmittal
include sealed and marked envelopes, authorized messenger or
courier, or U.S. certified or registered mail.
When media is disposed of, it may be important to ensure that
information is not improperly disclosed. This applies both to media
that is external to a computer system (such as a diskette) and to
media inside a computer system, such as a hard disk. The process of
removing information from media is called sanitization.
Three techniques are commonly used for media sanitization:
overwriting, degaussing, and destruction. Overwriting is an
effective method for clearing data from magnetic media. As the name
implies, overwriting uses a program to write (1s, 0s, or a
combination) onto the media. Common practice is to overwrite the
media three times. Overwriting should not be confused with merely
deleting the pointer to a file (which typically happens when a
delete command is used). Overwriting requires that the media be in
working order. Degaussing is a method to magnetically erase data
from magnetic media. Two types of degausser exist: strong permanent
magnets and electric degaussers. The final method of sanitization is
destruction of the media by shredding or burning.
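
The overwriting technique described above, applied to a single file, as an added example that is not part of the NIST text: three passes (0s, 1s, then random bytes) are written over the file's contents before the directory entry is removed. The function names, pass patterns and the sample data are constructed assumptions.

```python
import os
import tempfile

PASSES = (b"\x00", b"\xff", None)   # 0s, 1s, then random bytes (None)
SECRET = b"ACCT 000-CONSTRUCTED-SAMPLE"   # constructed sample data


def overwrite_file(path, passes=PASSES, chunk=64 * 1024):
    """Overwrite a file's contents in place, once per pass; return its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())    # push this pass to the device first
    return size


def sanitize_and_delete(path):
    """Overwrite three times, then remove the pointer (directory entry)."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def demo():
    """Show that the old content is gone before the file is deleted."""
    fd, path = tempfile.mkstemp()
    os.write(fd, SECRET * 100)
    os.close(fd)
    overwrite_file(path, passes=(b"\x00", b"\xff"))
    with open(path, "rb") as f:
        after = f.read()
    size = sanitize_and_delete(path)
    return SECRET in after, set(after), size, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

In-place overwriting only reaches the original storage locations when the file system and device write in place; flash wear levelling, journaling and copy-on-write file systems can leave earlier copies elsewhere, in which case degaussing or destruction applies.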
Many people throw away old diskettes, believing that erasing the
files on the diskette has made the data un-retrievable. In reality,
however, erasing a file simply removes the pointer to that file. The
pointer tells the computer where the file is physically stored.
Without this pointer, the files will not appear on a directory
listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve information that is