information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Phishing emails imitate North American banks to infect recipients
with TrickBot - An spam-based phishing campaign recently targeted
North American banking customers with malicious Excel documents
designed to infect victims with a new variant of the
information-stealing TrickBot banking trojan, researchers reported
earlier this week.
Reversing the Rachio Smart Sprinkler Controller - A new smart device
that “takes the guesswork out of watering.” An IoT device that
extends the boundaries of your smart home into the yard? Sure, what
could go wrong? Turns out, sometimes, when things are designed with
security in mind, not as much.
South African Power Firm Eskom Fails To Secure Customer Data - A
security researcher resorted to a public tweet about a serious data
breach involving customer data, after a South African electricity
provider ignored all other pleas to resolve the leak.
Bipartisan bill would create public-private cyber workforce exchange
- Sens. Amy Klobuchar (D-Minn.) and John Thune (R-S.D.) on Monday
introduced a bipartisan bill to create an exchange program between
the federal government and private firms aimed at bringing more
cybersecurity expertise to the federal workforce.
Report: Details on 617 million user accounts up for sale on dark web
- A dark web marketplace this week reportedly began selling stolen
data linked to roughly 617 million user accounts from 16 different
The key to protecting against internet traffic hijacking - Recently,
reports emerged that a large Asian telecommunications company has
been covertly hijacking global internet traffic for nearly 30
31 AGs ask FTC to update Identity Theft Rules - Attorneys general
from 31 states have asked the Federal Trade Commission (FTC) to
update its Identity Theft Rules.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Movie and TV-tracking service Trakt belatedly discovers 2014
breach - An unauthorized party illegally accessed data from TV and
movie “scrobbling” service Trakt more than four years ago, but only
now are users learning about it.
Unauthorized intruder preys on Bayside Covenant Church - The Bayside
Covenant Church of Roseville, Calif. reported that for three months
last year unauthorized personnel accessed some employee information.
Some Airline Flight Online Check-in Links Expose Passenger Data -
Several airlines send unencrypted links to passengers for flight
check-in that could be intercepted by attackers to view passenger
and other data, researchers found.
Dunkin’ Donuts target of credentials stuffing for second time - or
the second time in three months, Dunkin’ Donuts has been the target
of credentials stuffing attacks.
Credential-stuffing hackers reportedly break hearts, accounts at
OkCupid - Dating can make people feel vulnerable enough, especially
in the run up to Valentine’s Day, without hackers blocking access to
their OkCupid accounts and potentially tapping their personal
Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions
- A highly targeted, malware-laced phishing campaign landed in the
inboxes of multiple credit unions last week.
Big trouble Down Under as Australian MPs told to reset their
passwords amid hack attack fears - 'No evidence that any data has
been accessed time' say Australian officials as fingers pointed at
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses,
Attacks, and Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware - or software - based keystroke capture mechanisms. PKI
private keys could be captured or reverse - engineered from their
tokens. Protection against these attacks primarily consists of
physically securing the client systems, and, if a shared secret is
used, changing the secret on a frequency commensurate with risk.
While physically securing the client system is possible within areas
under the financial institution's control, client systems outside
the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records
the authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
is an attacker's use of an authenticated user's session to
communicate with system components. Controls against hijacking
include encryption of the user's session and the use of encrypted
cookies or other devices to authenticate each communication between
the client and the server.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.1.3 Hybrid Cryptographic
Secret key systems are often
used for bulk data encryption and public key systems for
automated key distribution.
Public and secret key cryptography
have relative advantages and disadvantages. Although public key
cryptography does not require users to share a common key, secret
key cryptography is much faster: equivalent implementations of
secret key cryptography can run 1,000 to 10,000 times faster than
public key cryptography.
To maximize the advantages and
minimize the disadvantages of both secret and public key
cryptography, a computer system can use both types in a
complementary manner, with each performing different functions.
Typically, the speed advantage of secret key cryptography means that
it is used for encrypting data. Public key cryptography is used for
applications that are less demanding to a computer system's
resources, such as encrypting the keys used by secret key
cryptography (for distribution) or to sign messages.
19.1.4 Key Escrow
Because cryptography can provide
extremely strong encryption, it can thwart the government's efforts
to lawfully perform electronic surveillance. For example, if strong
cryptography is used to encrypt a phone conversation, a
court-authorized wiretap will not be effective. To meet the needs of
the government and to provide privacy, the federal government
has adopted voluntary key escrow cryptography. This technology
allows the use of strong encryption, but also allows the government
when legally authorized to obtain decryption keys held by escrow
agents. NIST has published the Escrowed Encryption Standard
as FIPS 185. Under the federal government's voluntary key escrow
initiative, the decryption keys are split into parts and given to
separate escrow authorities. Access to one part of the key does
not help decrypt the data; both keys must be obtained.