technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- Digital Copiers are Computers, Too - The Importance of Securing
Physical Documents - The U.S. Federal Trade Commission doesn't mince
words when it comes multifunction printers (MFPs): “Digital copiers
are computers,” they say, complete with hard drives, embedded
firmware, and the ability to communicate with other network systems.
Without the proper security measures in place, MFPs present a
significant business risk.
Enter boardroom, set hair on fire. How not to tackle incident
response - Event anomalies can be an indicator of attack, but they
can also just be an IT problem. New research suggests the latter
might be more common than you think.
From ransomware to social media to the cloud: The Top 5 phishing
challenges for 2018 - By many measures, 2017 was a rough year for
cybersecurity with large, brazen phishing attacks negatively
impacting governments and companies around the world.
Counterfeit Code Signing Certificates uses increasing: Recorded
Future - An analysis of counterfeit code signing certificates found
that while usage is rising, the amount being charged by the
malicious vendors is currently high enough from stopping the service
from going mainstream.
Colorado DOT, Allentown, Pa. in recovery mode after costly
cyberattacks - The Colorado Department of Transportation (CDOT) and
the city of Allentown, Pa., are in the process of digging themselves
out from two separate cyberattacks that hit in the last few weeks.
FTC warning users to do homework before using VPN apps - The FTC is
warning users to read the fine print and do their homework before
purchasing a VPN app as users could be opening themselves up to the
very exploits they are looking to avoid.
Attorney General Jeff Sessions announced a new cybersecurity task
force on Tuesday that aims to appraise the way the Department of
Justice handles cases that involve the internet.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 2,000 UVA Health System patients' information compromised - The
University of Virginia Health System is letting almost 2,000
patients know that their health records may have been exposed when
an unauthorized third party gained access to a staffer's computer
several years ago.
Tesla cloud resources are hacked to run cryptocurrency-mining
malware - Crooks find poorly secured access credentials, use them to
install stealth miner.
uTorrent apps found vulnerable to remote code execution, information
disclosure - The developer of uTorrent for Windows and uTorrent Web
has been scrambling to issue patched versions of the BitTorrent-based
peer-to-peer fire-sharing apps after Google Project Zero researcher
Tavis Ormandy found critical vulnerabilities that can result in
remote code execution and information disclosure upon visiting
Mass. tax collector breach victims double original estimate - As
typical with most data breaches initially underestimating the
overall impact of a cybersecurity “incident,” the hack of the
Massachusetts Department of Revenue disclosed last week was more
twice as large than originally anticipated by the tax-collecting
Chase 'glitch' grants customers access to random accounts - Multiple
Chase Bank customer accounts were exposed after what was described
as a “glitch” granted customers looking to log into their own
accounts access to the accounts of random customers instead.
UK think tanks hacked by groups in China, cyber-security firm says -
Some UK think tanks were hacked by China-based groups last year, a
US cyber-security company which said it investigated the breaches
Data breach site adds 80M new records, updates 'Pwned Passwords'
service - Data breach aficionado Troy Hunt has significantly updated
his "Have I Been Pwned?" website in recent days, adding a data set
of 2,844 breach incidents involving 80 million stolen records, and
introducing version two of his Pwned Passwords service.
Malware forces closure of hundreds of Tim Hortons outlets across
Canada - A mysterious malware has taken out the cash registers of
hundreds of Tim Hortons restaurants across Canada forcing many of
them to close prompting legal action from franchise owners.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a
third-party's website depends on several factors. These factors
include the nature of the products and services provided on the
third-party's website, and the nature of the institution's business
relationship with the third party. This is particularly true with
respect to compensation arrangements for links. For example, a
financial institution that receives payment for offering
advertisement-related weblinks to a settlement service provider's
website should carefully consider the prohibition against kickbacks,
unearned fees, and compensated referrals under the Real Estate
Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as
reputation risk if linked third parties offer less security and
privacy protection than the financial institution. Third-party sites
may have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender, through
the private, cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. T he combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
This chapter first discusses the benefits of physical security
measures, and then presents an overview of common physical and
environmental security controls. Physical and environmental security
measures result in many benefits, such as protecting employees. This
chapter focuses on the protection of computer systems from the
Interruptions in Providing Computer Services. An external
threat may interrupt the scheduled operation of a system. The
magnitude of the losses depends on the duration and timing of the
service interruption and the characteristics of the operations end
Physical Damage. If a system's hardware is damaged or
destroyed, it usually has to be repaired or replaced. Data may be
destroyed as an act of sabotage by a physical attack on data storage
media (e.g., rendering the data unreadable or only partly readable).
If data stored by a system for operational use is destroyed or
corrupted, the data needs to be restored from back-up copies or from
the original sources before the system can be used. The
magnitude of loss from physical damage depends on the cost to repair
or replace the damaged hardware and data, as well as costs arising
from service interruptions.
Unauthorized Disclosure of Information. The physical
characteristics of the facility housing a system may permit an
intruder to gain access both to media external to system hardware
(such as diskettes, tapes and printouts) and to media within system
components (such as fixed disks), transmission lines or display
screens. All may result in loss of disclosure-sensitive information.
Loss of Control over System Integrity. If an intruder gains
access to the central processing unit, it is usually possible to
reboot the system and bypass logical access controls. This can lead
to information disclosure, fraud, replacement of system and
application software, introduction of a Trojan horse, and more.
Moreover, if such access is gained, it may be very difficult to
determine what has been modified, lost, or corrupted.
Physical Theft. System hardware may be stolen. The magnitude
of the loss is determined by the costs to replace the stolen
hardware and restore data stored on stolen media. Theft may also
result in service interruptions.
This chapter discusses seven major areas of physical and
environmental security controls:
1) physical access controls,
2) fire safety,
3) supporting utilities,
4) structural collapse,
5) plumbing leaks,
6) interception of data, and
7) mobile and portable systems.