FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Measuring cyber risk - How do you measure risk? This is the reigning million-dollar question in infosec. We don’t have a clearcut answer to this question and that can make deciding what actions to take to improve the security of the organization a real challenge for many teams. https://www.scmagazine.com/home/opinion/measuring-risk/

To catch a cyberthief - Any long-time fan of Law & Order is intimately knowledgeable with how the American legal system operates – well at least on TV. Almost every episode starts out with some poor soul found dead, dying or badly beaten. https://www.scmagazine.com/home/security-news/cybercrime/to-catch-a-cyberthief/

Cybercrime pays…on both sides - Cybercrime, apparently, does pay. This is according to a few of the articles in this edition as well as many other news and feature reports we’ve done in the past based on any number of research papers that have sprung up over the last 12 to 18 months. https://www.scmagazine.com/home/opinion/cybercrime-pays-on-both-sides/

Hackers pounce on honeypot gateway to a ‘power station’ - While the cybercrime ecosystem usually conjures a 21st Century online bazaar for buying and selling credit card numbers, some hackers possess loftier goals. https://www.scmagazine.com/home/security-news/hackers-pounce-on-honeypot-gateway-to-a-power-station/

Apple Takes Drastic Measures to Stop a Nasty FaceTime Bug - It’s often hard to tell just how seriously to take reports of a new vulnerability. The jargon is inscrutable, and the skills needed to pull off the attacks are possessed only by highly skilled professionals. https://www.wired.com/story/apple-facetime-bug-group-chats/

SS7 exploited to intercept 2FA bank confirmation codes to raid accounts - Cybercriminals are exploiting flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world, to empty bank accounts by intercepting messages sent for two-factor-authentication(2FA). https://www.scmagazine.com/home/security-news/cybercriminals-are-exploiting-flaws-in-ss7-a-protocol-used-by-telecom-companies-to-coordinate-how-they-route-texts-and-calls-around-the-world-to-empty-bank-accounts/

Duke agreed to pay record fine for lax security - Duke Energy Corp. agreed to pay a record $10 million fine from regulators to settle 127 violations of security standards meant to protect the electric grid from catastrophic outages, according to multiple industry sources. https://www.eenews.net/stories/1060119265

$145 million funds frozen after death of cryptocurrency exchange admin - Highly unlikely that the exchange and its users will ever get access to these funds ever again. oughly $145 million worth of cryptocurrency funds are frozen in the cold (offline) wallet of a Canadian cryptocurrency exchange portal after the death of its owner. https://www.zdnet.com/article/145-million-funds-frozen-after-death-of-cryptocurrency-exchange-admin/

Setting up for success when buying cyber insurance - When is a war really a not a war, at least as far as an insurance company is concerned? https://www.scmagazine.com/home/security-news/setting-up-for-success-when-buying-cyber-insurance/

Remote Desktop Protocol flaws could be exploited to attack RDP clients - A research firm has disclosed multiple vulnerabilities in the Remote Desktop Protocol that, if left unpatched, could allow compromised or infected machines to attack the RDP clients that remotely connect to them. https://www.scmagazine.com/home/network-security/remote-desktop-protocol-flaws-could-be-exploited-to-attack-rdp-clients/

For DPOs, knowing where company data resides at all times is a challenge - GDPR presents a number of challenges for business owners, but one of the greatest hurdles is the requirement that the business take full account of all the data stored by the company. Most of the time, this duty falls on the shoulders of the data protection officer (DPO). https://www.scmagazine.com/home/opinion/for-dpos-knowing-where-company-data-resides-at-all-times-is-a-challenge/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 2.2 billion emails found in new Collection data dumps - The German firm Heise Security has found 2.2 billion email addresses and associated passwords, which it is labeling Collection 2-5, available for free on the web. https://www.scmagazine.com/home/security-news/2-2-billion-emails-found-in-new-collection-data-dumps/

Possible ransomware attack disturbs Altran Technologies’ European operations - French engineering research and consulting firm Altran Technologies disclosed this week that a Jan. 24 cyberattack impacted its operations in certain European countries. https://www.scmagazine.com/home/security-news/possible-ransomware-attack-disturbs-altran-technologies-european-operations/

Airbus data breach impacts employees in Europe - Aircraft manufacturer still investigating the breach. Did not reveal any other information. https://www.zdnet.com/article/airbus-data-breach-impacts-employees-in-europe/

Double exposure: 24 million loan records also exposed on open Amazon S3 bucket - The original mortgage and credit documents involved in the 24 million Elasticsearch data breach that was revealed earlier this week also have been found residing in an open Amazon S3 bucket by the cyber researcher behind the original discovery. https://www.scmagazine.com/home/security-news/data-breach/double-exposure-24-million-loan-records-also-exposed-on-open-amazon-s3-bucket/

Huddle House hit with point-of-sale data breach - The Huddle House restaurant chain reported it has closed a point-of-sale data breach that existed one of its third-party vendors from August 2017 until now. https://www.scmagazine.com/home/security-news/data-breach/huddle-house-hit-with-point-of-sale-data-breach/

60,000 EU data breaches filed under GDPR - The EU’s GDPR regulation and its attached fines appears to be encouraging data breach reports with almost 60,000 such reports being filed since the privacy law went into effect in May, but the number of fines imposed lag far behind. https://www.scmagazine.com/home/security-news/privacy-compliance/60000-eu-data-breaches-filed-under-gdpr/

Unauthorized intruder preys on Bayside Covenant Church - The Bayside Covenant Church of Roseville, Calif. reported that for three months last year unauthorized personnel accessed some employee information. https://www.scmagazine.com/home/security-news/data-breach/bayside-covenant-church-phished-and-breached/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Security Controls 
  
  While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorization privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures to preserve confidentiality of key e-banking information should be appropriate with the sensitivity of such information. 
  
  Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort.  Regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels. To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their web sites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION
  
  LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
  
  Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 1 of 2)
  
  All authentication methodologies display weaknesses. Those weaknesses are of both a technical and a nontechnical nature. Many of the weaknesses are common to all mechanisms. Examples of common weaknesses include warehouse attacks, social engineering, client attacks, replay attacks, and hijacking.
  
  Warehouse attacks result in the compromise of the authentication storage system, and the theft of the authentication data. Frequently, the authentication data is encrypted; however, dictionary attacks make decryption of even a few passwords in a large group a trivial task. A dictionary attack uses a list of likely authenticators, such as passwords, runs the likely authenticators through the encryption algorithm, and compares the result to the stolen, encrypted authenticators. Any matches are easily traceable to the pre-encrypted authenticator.
  
  Dictionary and brute force attacks are viable due to the speeds with which comparisons are made. As microprocessors increase in speed, and technology advances to ease the linking of processors across networks, those attacks will be even more effective. Because those attacks are effective, institutions should take great care in securing their authentication databases. Institutions that use one - way hashes should consider the insertion of secret bits (also known as "salt") to increase the difficulty of decrypting the hash. The salt has the effect of increasing the number of potential authenticators that attackers must check for validity, thereby making the attacks more time consuming and creating more opportunity for the institution to identify and react to the attack.
  
  Warehouse attacks typically compromise an entire authentication mechanism. Should such an attack occur, the financial institution might have to deny access to all or nearly all users until new authentication devices can be issued (e.g. new passwords). Institutions should consider the effects of such a denial of access, and appropriately plan for large-scale re-issuances of authentication devices.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.1.1 Secret Key Cryptography

In secret key cryptography, two (or more) parties share the same key, and that key is used to encrypt and decrypt data. As the name implies, secret key cryptography relies on keeping the key secret. If the key is compromised, the security offered by cryptography is severely reduced or eliminated. Secret key cryptography assumes that the parties who share a key rely upon each other not to disclose the key and protect it against modification.

The best known secret key system is the Data Encryption Standard (DES), published by NIST as Federal Information Processing Standard (FIPS) 46-2. Although the adequacy of DES has at times been questioned, these claims remain unsubstantiated, and DES remains strong. It is the most widely accepted, publicly available cryptographic system today. The American National Standards Institute (ANSI) has adopted DES as the basis for encryption, integrity, access control, and key management standards.

The Escrowed Encryption Standard, published as FIPS 185, also makes use of a secret key system.

19.1.2 Public Key Cryptography

Whereas secret key cryptography uses a single key shared by two (or more) parties, public key cryptography uses a pair of keys for each party. One of the keys of the pair is "public" and the other is "private." The public key can be made known to other parties; the private key must be kept confidential and must be known only to its owner. Both keys, however, need to be protected against modification.

Public key cryptography is particularly useful when the parties wishing to communicate cannot rely upon each other or do not share a common key. There are several public key cryptographic systems. One of the first public key systems is RSA, which can provide many different security services. The Digital Signature Standard (DSS), described later in the chapter, is another example of a public key system.