information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
- Measuring cyber risk - How do you measure risk? This is the
reigning million-dollar question in infosec. We don’t have a
clearcut answer to this question and that can make deciding what
actions to take to improve the security of the organization a real
challenge for many teams.
To catch a cyberthief - Any long-time fan of Law & Order is
intimately familiar with how the American legal system operates
– well, at least on TV. Almost every episode starts out with some
poor soul found dead, dying or badly beaten.
Cybercrime pays…on both sides - Cybercrime, apparently, does pay.
This is according to a few of the articles in this edition as well
as many other news and feature reports we’ve done in the past based
on any number of research papers that have sprung up over the last
12 to 18 months.
Hackers pounce on honeypot gateway to a ‘power station’ - While the
cybercrime ecosystem usually conjures a 21st Century online bazaar
for buying and selling credit card numbers, some hackers possess
Apple Takes Drastic Measures to Stop a Nasty FaceTime Bug - It’s
often hard to tell just how seriously to take reports of a new
vulnerability. The jargon is inscrutable, and the skills needed to
pull off the attacks are possessed only by highly skilled
SS7 exploited to intercept 2FA bank confirmation codes to raid
accounts - Cybercriminals are exploiting flaws in SS7, a protocol
used by telecom companies to coordinate how they route texts and
calls around the world, to empty bank accounts by intercepting
messages sent for two-factor-authentication(2FA).
Duke agreed to pay record fine for lax security - Duke Energy Corp.
agreed to pay a record $10 million fine from regulators to settle
127 violations of security standards meant to protect the electric
grid from catastrophic outages, according to multiple industry
$145 million funds frozen after death of cryptocurrency exchange
admin - Highly unlikely that the exchange and its users will ever
get access to these funds again. Roughly $145 million worth of
cryptocurrency funds are frozen in the cold (offline) wallet of a
Canadian cryptocurrency exchange portal after the death of its
Setting up for success when buying cyber insurance - When is a war
really not a war, at least as far as an insurance company is
Remote Desktop Protocol flaws could be exploited to attack RDP
clients - A research firm has disclosed multiple vulnerabilities in
the Remote Desktop Protocol that, if left unpatched, could allow
compromised or infected machines to attack the RDP clients that
remotely connect to them.
For DPOs, knowing where company data resides at all times is a
challenge - GDPR presents a number of challenges for business
owners, but one of the greatest hurdles is the requirement that the
business take full account of all the data stored by the company.
Most of the time, this duty falls on the shoulders of the data
protection officer (DPO).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 2.2 billion emails found in new Collection data dumps - The German
firm Heise Security has found 2.2 billion email addresses and
associated passwords, which it is labeling Collection 2-5, available
for free on the web.
Possible ransomware attack disturbs Altran Technologies’ European
operations - French engineering research and consulting firm Altran
Technologies disclosed this week that a Jan. 24 cyberattack impacted
its operations in certain European countries.
Airbus data breach impacts employees in Europe - Aircraft
manufacturer still investigating the breach. Did not reveal any
Double exposure: 24 million loan records also exposed on open Amazon
S3 bucket - The original mortgage and credit documents involved in
the 24 million Elasticsearch data breach that was revealed earlier
this week also have been found residing in an open Amazon S3 bucket
by the cyber researcher behind the original discovery.
Huddle House hit with point-of-sale data breach - The Huddle House
restaurant chain reported it has closed a point-of-sale data breach
that existed at one of its third-party vendors from August 2017 until
60,000 EU data breaches filed under GDPR - The EU’s GDPR regulation
and its attached fines appear to be encouraging data breach reports,
with almost 60,000 such reports being filed since the privacy law
went into effect in May, but the number of fines imposed lags far
Unauthorized intruder preys on Bayside Covenant Church - The Bayside
Covenant Church of Roseville, Calif. reported that for three months
last year unauthorized personnel accessed some employee information.
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 1 of 2)
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical nature. Many
of the weaknesses are common to all mechanisms. Examples of common
weaknesses include warehouse attacks, social engineering, client
attacks, replay attacks, and hijacking.
Warehouse attacks result in the compromise of the authentication
storage system, and the theft of the authentication data.
Frequently, the authentication data is encrypted; however,
dictionary attacks make decryption of even a few passwords in a
large group a trivial task. A dictionary attack uses a list of
likely authenticators, such as passwords, runs the likely
authenticators through the encryption algorithm, and compares the
result to the stolen, encrypted authenticators. Any matches are
easily traceable to the pre-encrypted authenticator.
Dictionary and brute force attacks are viable due to the speeds
with which comparisons are made. As microprocessors increase in
speed, and technology advances to ease the linking of processors
across networks, those attacks will be even more effective. Because
those attacks are effective, institutions should take great care in
securing their authentication databases. Institutions that use
one-way hashes should consider the insertion of secret bits (also
known as "salt") to increase the difficulty of decrypting the hash. The
salt has the effect of increasing the number of potential
authenticators that attackers must check for validity, thereby
making the attacks more time consuming and creating more opportunity
for the institution to identify and react to the attack.
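An added illustration of the salting point above, written for this newsletter and not taken from the FFIEC booklet: it uses only Python's standard library, and the sample password, the 16-byte salt length and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 100_000


def store_unsalted(password: str) -> bytes:
    """Weak storage: identical passwords produce identical digests, so one
    precomputed dictionary of digests can be compared against every stolen
    record at once (the warehouse-attack case described above)."""
    return hashlib.sha256(password.encode()).digest()


def store_salted(password: str, salt=None):
    """Stronger storage: a random per-user salt is mixed into the hash, so
    equal passwords no longer produce equal digests and precomputed tables
    do not apply. Returns (salt, digest); the salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; the constant-time compare avoids
    leaking how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def dictionary_work(n_users: int, n_candidates: int, salted: bool) -> int:
    """Hash computations needed to test every candidate against every stolen
    record: one pass covers all users when unsalted, but a per-user salt forces
    a fresh pass per user, which is the booklet's 'more time consuming' effect."""
    return n_candidates * (n_users if salted else 1)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    a, b = store_unsalted("Winter2019!"), store_unsalted("Winter2019!")
    print("unsalted duplicates visible:", a == b)
    (s1, d1), (s2, d2) = store_salted("Winter2019!"), store_salted("Winter2019!")
    print("salted duplicates visible:", d1 == d2)
    print("verify:", verify_salted("Winter2019!", s1, d1))
    print("work 10k users x 1M words:",
          dictionary_work(10_000, 1_000_000, False), "vs",
          dictionary_work(10_000, 1_000_000, True))
```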
Warehouse attacks typically compromise an entire authentication
mechanism. Should such an attack occur, the financial institution
might have to deny access to all or nearly all users until new
authentication devices can be issued (e.g. new passwords).
Institutions should consider the effects of such a denial of access,
and appropriately plan for large-scale re-issuances of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology.
Chapter 19 - CRYPTOGRAPHY
19.1.1 Secret Key
In secret key
cryptography, two (or more) parties share the same key, and that key
is used to encrypt and decrypt data. As the name implies, secret key
cryptography relies on keeping the key secret. If the key is
compromised, the security offered by cryptography is severely
reduced or eliminated. Secret key cryptography assumes that the
parties who share a key rely upon each other not to disclose the key
and protect it against modification.
Secret key cryptography has
been in use for centuries. Early forms merely transposed the
written characters to hide the message.
The best known secret key system is
the Data Encryption Standard (DES), published by NIST as
Federal Information Processing Standard (FIPS) 46-2. Although the
adequacy of DES has at times been questioned, these claims remain
unsubstantiated, and DES remains strong. It is the most widely
accepted, publicly available cryptographic system today. The
American National Standards Institute (ANSI) has adopted DES as the
basis for encryption, integrity, access control, and key management
The Escrowed Encryption Standard,
published as FIPS 185, also makes use of a secret key system.
19.1.2 Public Key Cryptography
Public key cryptography is a
modern invention and requires the use of advanced
Whereas secret key cryptography uses
a single key shared by two (or more) parties, public key
cryptography uses a pair of keys for each party. One of the
keys of the pair is "public" and the other is "private." The public
key can be made known to other parties; the private key must be kept
confidential and must be known only to its owner. Both keys,
however, need to be protected against modification.
Public key cryptography is
particularly useful when the parties wishing to communicate cannot
rely upon each other or do not share a common key. There are several
public key cryptographic systems. One of the first public key
systems is RSA, which can provide many different security services.
The Digital Signature Standard (DSS), described later in the
chapter, is another example of a public key system.