technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- I will be on vacation next week from Wednesday February 14 through
Tuesday February 20. On my return Wednesday, February 21, we
will be scheduling pen-tests, as well as FFIEC/ADA web site audits.
NIST deadline looms for agencies to improve digital authentication
standards - As a deadline for implementation draws near, the
National Institute of Standards and Technology is working with
agencies to ensure their legacy systems are keeping up with its
latest standards in identity management and authentication
U.S. CERT posts cybersecurity suggestions for Pyeongchang Winter
Olympic attendees - With the torch lighting for the Winter Olympics
in Pyeongchang just over a week away U.S. CERT has issued
cybersecuirty guidelines for those visiting the games, tips that can
also be used in any public environment.
Lack of encryption in cloud applications rendering enterprises
vulnerable - Enterprises are developing and using enterprise
applications on a large scale for various purposes, but a lack of
encryption, coupled with serious security flaws in such
applications, is also rendering enterprises vulnerable.
Cloud-Based Security - This has been a strange and interesting
month. Our regular readers will note that we have the smallest crop
of products, probably ever. There is a reason for that. The field of
cloud-based security is small, new – emerging, really – and is
trying to define itself.
Gas station software flaws offer cheap gas, admin rights, and more -
A pair of researchers discovered vulnerabilities in an automated gas
station management system that allowed them to shut down fuel pumps,
steal credit card data and alter fuel prices.
What Should Businesses Expect in 2018? Five Data Breach Predictions
for the New Year - It was virtually impossible to ignore the
high-profile attacks and data breaches that dominated headlines in
Columbia University grad arrested for using key logger software - A
Columbia University grad student was arrested for leaving key logger
malware on USB sticks left throughout the campus.
Massachusetts attorney general adds online data breach report portal
- Massachusetts is trying to make it easier for businesses and
organizations to report a data breach by setting up an online
Defense, civilian contractors laying groundwork to implement NIST
information-sharing framework - It’s a long road ahead, but federal
agencies and contractors are laying the groundwork to implement the
National Institute of Standards and Technology’s latest framework
aimed at protecting federal information that’s shared on systems not
owned by the federal government.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stolen adult site login credentials help fuel dark web economy -
Cybercriminals have been using adult content as a lure to spread
malware and steal information since adult content hit the internet,
but recent research shows that access to legitimate sites are also
fueling a lucrative trade on the dark web.
Massive Smominru Cryptocurrency Botnet Rakes In Millions - Criminals
behind the cryptocurrency miner Smominru have raked in between $2.8
to $3.6 million since May. The payday is impressive, say researchers
at Proofpoint, who report that operators have amassed a formidable
botnet of infected servers pumping out 24 Monero daily, or the
equivalent of $8,500.
Phishing emails impersonate FBI's Internet Crime Complaint Center -
The FBI on Thursday issued a warning that scammers have been
crafting phishing emails that impersonate the agency's Internet
Crime Complaint Center (IC3), claiming recipients were recently
defrauded, and in some cases even offering restitution if the
individuals provide personal information.
Misconfigured Amazon Web Services bucket exposes 12,000 social media
influencers - Another misconfigured Amazon Web Services (AWS) S3
cloud storage bucket has been left insecure this time exposing the
sensitive data of 12,000 social media influencers, most of whom were
Phishing scam exposes W-2 forms of Keokuk, Iowa employees and
officials - The small Iowan city of Keokuk has disclosed that a
cybercriminal used a phishing scam to fraudulently obtain an
electronic file containing the 2017 W-2 tax forms of current and
former employees and elected officials.
DHS employee fumbled classified Super Bowl security documents - A
Department of Homeland Security staffer fumbled several classified
documents in December creating a physical data breach.
Final Fantasy network recovers after losing health points to DDoS
attack - The network hosting the role-playing video game Final
Fantasy XIV experienced significant disruptions for three hours
yesterday as the result of a distributed denial of service (DDoS)
Business Wire under sustained DDoS attack, traffic slowed - A
persistent distributed denial of service (DDoS) attack over the past
week has prompted a slowdown on the Business Wire website, but
seemingly hasn't exposed client data, company Chief Operating
Officer (COO) Richard DeLeo told customers in a Tuesday alert.
Malicious Reddit 'twin' discovered - The internet now has two front
pages, but one is a fake created as a typosquatter to scam Reddit
fans or as phishing bait.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week reviewing the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Utilization of the Internet presents numerous issues and risks
which must be addressed. While many aspects of system performance
will present additional challenges to the bank, some will be beyond
the bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
Media control may be transferred both within the organization and to
outside elements. Possibilities for securing such transmittal
include sealed and marked envelopes, authorized messenger or
courier, or U.S. certified or registered mail.
When media is disposed of, it may be important to ensure that
information is not improperly disclosed. This applies both to media
that is external to a computer system (such as a diskette) and to
media inside a computer system, such as a hard disk. The process of
removing information from media is called sanitization.
Three techniques are commonly used for media sanitization:
overwriting, degaussing, and destruction. Overwriting is an
effective method for clearing data from magnetic media. As the name
implies, overwriting uses a program to write (1s, 0s, or a
combination) onto the media. Common practice is to overwrite the
media three times. Overwriting should not be confused with merely
deleting the pointer to a file (which typically happens when a
delete command is used). Overwriting requires that the media be in
working order. Degaussing is a method to magnetically erase data
from magnetic media. Two types of degausser exist: strong permanent
magnets and electric degaussers. The final method of sanitization is
destruction of the media by shredding or burning.
Many people throw away old diskettes, believing that erasing the
files on the diskette has made the data un-retrievable. In reality,
however, erasing a file simply removes the pointer to that file. The
pointer tells the computer where the file is physically stored.
Without this pointer, the files will not appear on a directory
listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve information that is