FFIEC information
technology audits -
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI
- Digital Copiers are Computers, Too - The Importance of Securing
Physical Documents - The U.S. Federal Trade Commission doesn't mince
words when it comes to multifunction printers (MFPs): “Digital copiers
are computers,” they say, complete with hard drives, embedded
firmware, and the ability to communicate with other network systems.
Without the proper security measures in place, MFPs present a
significant business risk.
https://www.scmagazine.com/digital-copiers-are-computers-too--the-importance-of-securing-physical-documents/article/742255/
Enter boardroom, set hair on fire. How not to tackle incident
response - Event anomalies can be an indicator of attack, but they
can also just be an IT problem. New research suggests the latter
might be more common than you think.
https://www.scmagazine.com/enter-boardroom-set-hair-on-fire-how-not-to-tackle-incident-response/article/745932/
From ransomware to social media to the cloud: The Top 5 phishing
challenges for 2018 - By many measures, 2017 was a rough year for
cybersecurity with large, brazen phishing attacks negatively
impacting governments and companies around the world.
https://www.scmagazine.com/from-ransomware-to-social-media-to-the-cloud-the-top-5-phishing-challenges-for-2018/article/742252/
Counterfeit Code Signing Certificates uses increasing: Recorded
Future - An analysis of counterfeit code signing certificates found
that while usage is rising, the prices charged by the malicious
vendors are currently high enough to keep the service from going
mainstream.
https://www.scmagazine.com/counterfeit-code-signing-certificates-uses-increasing-recorded-future/article/746140/
Colorado DOT, Allentown, Pa. in recovery mode after costly
cyberattacks - The Colorado Department of Transportation (CDOT) and
the city of Allentown, Pa., are in the process of digging themselves
out from two separate cyberattacks that hit in the last few weeks.
https://www.scmagazine.com/colorado-dot-allentown-pa-in-recovery-mode-after-costly-cyberattacks/article/746109/
FTC warning users to do homework before using VPN apps - The FTC is
warning users to read the fine print and do their homework before
purchasing a VPN app as users could be opening themselves up to the
very exploits they are looking to avoid.
https://www.scmagazine.com/vpn-shoppers-warned-to-do-their-homework-before-using-vpn-apps/article/746475/
Attorney General Jeff Sessions announced a new cybersecurity task
force on Tuesday that aims to appraise the way the Department of
Justice handles cases that involve the internet.
https://www.cyberscoop.com/doj-cyber-task-force/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 2,000 UVA Health System patients' information compromised - The
University of Virginia Health System is letting almost 2,000
patients know that their health records may have been exposed when
an unauthorized third party gained access to a staffer's computer
several years ago.
https://www.scmagazine.com/2000-uva-health-system-patients-information-compromised/article/745936/
Tesla cloud resources are hacked to run cryptocurrency-mining
malware - Crooks find poorly secured access credentials, use them to
install stealth miner.
https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
uTorrent apps found vulnerable to remote code execution, information
disclosure - The developer of uTorrent for Windows and uTorrent Web
has been scrambling to issue patched versions of the BitTorrent-based
peer-to-peer file-sharing apps after Google Project Zero researcher
Tavis Ormandy found critical vulnerabilities that can result in
remote code execution and information disclosure upon visiting
malicious websites.
https://www.scmagazine.com/utorrent-apps-found-vulnerable-to-remote-code-execution-information-disclosure/article/745937/
Mass. tax collector breach victims double original estimate - As is
typical with data breaches, where the overall impact of a
cybersecurity “incident” is initially underestimated, the hack of the
Massachusetts Department of Revenue disclosed last week was more than
twice as large as originally anticipated by the tax-collecting
agency.
https://www.scmagazine.com/mass-tax-collector-breach-victims-double-original-estimate/article/746472/
Chase 'glitch' grants customers access to random accounts - Multiple
Chase Bank customer accounts were exposed after what was described
as a “glitch” granted customers looking to log into their own
accounts access to the accounts of random customers instead.
https://www.scmagazine.com/chase-customer-accounts-were-exposed-after-what-was-described-as-a-glitch-allowed-customers-to-access-random-accounts/article/746459/
UK think tanks hacked by groups in China, cyber-security firm says -
Some UK think tanks were hacked by China-based groups last year, a
US cyber-security company which said it investigated the breaches
has claimed.
http://www.bbc.com/news/uk-43172371
Data breach site adds 80M new records, updates 'Pwned Passwords'
service - Data breach aficionado Troy Hunt has significantly updated
his "Have I Been Pwned?" website in recent days, adding a data set
of 2,844 breach incidents involving 80 million stolen records, and
introducing version two of his Pwned Passwords service.
https://www.scmagazine.com/data-breach-site-adds-80m-new-records-updates-pwned-passwords-service/article/747096/
Malware forces closure of hundreds of Tim Hortons outlets across
Canada - A mysterious malware has taken out the cash registers of
hundreds of Tim Hortons restaurants across Canada, forcing many of
them to close and prompting legal action from franchise owners.
https://www.scmagazine.com/tim-hortons-hit-with-malware-forcing-hundreds-to-close/article/747271/
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
Reputation Risk
Trade Names
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
Website Appearance
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
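The framing problem described above can be checked mechanically. The following script is an added example, not part of the FFIEC statement or of this newsletter: it parses a page's HTML and flags third-party content loaded inside the institution's own page through an iframe or frame, and external links that open in place rather than in a new window. The institution hostnames, the sample page and the audit_weblinks function are constructed for illustration. The rel="noopener" check is an addition beyond the statement's text: without it, a third-party page opened from the link receives a window.opener handle back to the institution's page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects <a href> attributes and <iframe>/<frame> sources from a page."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # (href, target, rel tokens)
        self.frames = []    # src of embedded frames

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            self.anchors.append((a["href"], a.get("target") or "", rel))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.frames.append(a["src"])


def _is_external(url, institution_hosts):
    """True when the URL's host is neither an institution host nor a subdomain of one."""
    host = urlparse(url).hostname
    if host is None:            # relative link: served from the institution's own site
        return False
    host = host.lower()
    return not any(host == h or host.endswith("." + h) for h in institution_hosts)


def audit_weblinks(page_html, institution_hosts):
    """Return (finding, url) pairs for the weblinking risks in one HTML page.

    Findings:
      framed-third-party        third-party page rendered inside the institution's frame
      external-opens-in-place   third-party link that replaces the institution's page
      external-missing-noopener third-party link that hands the opener a window handle
    """
    hosts = {h.lower() for h in institution_hosts}
    parser = _LinkCollector()
    parser.feed(page_html)

    findings = []
    for src in parser.frames:
        if _is_external(src, hosts):
            findings.append(("framed-third-party", src))
    for href, target, rel in parser.anchors:
        if not _is_external(href, hosts):
            continue
        if target != "_blank":
            findings.append(("external-opens-in-place", href))
        if "noopener" not in rel:
            findings.append(("external-missing-noopener", href))
    return findings


# Constructed sample page: a bank site linking to a discount broker
# both as a plain link and inside a frame, plus one correctly opened partner link.
SAMPLE_PAGE = """
<html><body>
<img src="/logo.png" alt="Example Bank">
<a href="/accounts/login">Online Banking</a>
<a href="https://www.examplebank.com/rates">Rates</a>
<a href="https://broker.example.net/trade">Discount Brokerage</a>
<a href="https://partner.example.org/insurance" target="_blank" rel="noopener noreferrer">Insurance</a>
<iframe src="https://broker.example.net/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding, url in audit_weblinks(SAMPLE_PAGE, {"examplebank.com"}):
        print(f"{finding:28} {url}")
```

Run against the sample page, the script reports the framed broker widget and the broker link that opens in place without noopener; the relative link, the www.examplebank.com link and the partner link pass.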
Compliance Risk
The compliance risk to an institution linking to a
third-party's website depends on several factors. These factors
include the nature of the products and services provided on the
third-party's website, and the nature of the institution's business
relationship with the third party. This is particularly true with
respect to compensation arrangements for links. For example, a
financial institution that receives payment for offering
advertisement-related weblinks to a settlement service provider's
website should carefully consider the prohibition against kickbacks,
unearned fees, and compensated referrals under the Real Estate
Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as
reputation risk if linked third parties offer less security and
privacy protection than the financial institution. Third-party sites
may have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
Digital Signatures
Digital signatures authenticate the identity of a sender through
the sender's private cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. The combination of identity authentication and
singularly unique signatures results in a transmission that cannot
be repudiated.
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a fixed-length, unique
representation of the data). This process is known as the "hash."
The message digest is then encrypted with the sender's private key
and sent along with the message. The recipient receives both the
message and the encrypted message digest. The recipient decrypts the
message digest with the sender's public key, and then runs the
message through the hash function again. If the resulting message
digest matches the one sent with the message, the message has not
been altered and data integrity is verified. Because the message
digest was encrypted with a private key, the sender can be
identified and bound to the specific message. The digital signature
cannot be reused, because it is unique to the message. In the above
example, data privacy and confidentiality could also be achieved by
encrypting the message itself. The strength and security of a
digital signature system is determined by its implementation and
the management of the cryptographic keys.
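The hash-then-sign procedure described above, carried through in working code as an added example (not from the FDIC paper or this newsletter). It uses SHA-256 for the digest and textbook RSA for the "encrypt the digest with the private key" step: the modulus is built from two fixed Mersenne primes chosen only so that it exceeds a 256-bit digest, and there is no padding. That key is an illustration constant, not a secure key (special-form primes are trivially factorable); production code generates random primes and signs through a vetted library with PSS padding. The demo shows the three properties the text claims: a valid signature verifies, an altered message fails, and a signature cannot be reused on a different message.

```python
import hashlib

# Constructed demo key (NOT secure): two Mersenne primes, picked so that
# N is larger than any SHA-256 digest interpreted as an integer.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q                                  # public modulus
E = 65537                                    # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))          # private exponent (Python 3.8+)


def message_digest(message: bytes) -> int:
    """The 'hash' step: fixed-length SHA-256 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash the message, then 'encrypt' the digest with the private exponent."""
    h = message_digest(message)
    if h >= n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(h, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """'Decrypt' the signature with the public exponent and compare it to a fresh hash.

    A match proves integrity (the message is unchanged) and origin (only the
    private-key holder could have produced a value that decrypts to this digest).
    """
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo() -> dict:
    """Sign one constructed message and check it against itself, a tampered copy,
    and a different message that tries to reuse the same signature."""
    msg = b"Wire $10,000 from acct 1234 to acct 5678"
    sig = sign(msg)
    return {
        "valid": verify(msg, sig),
        "tampered": verify(b"Wire $90,000 from acct 1234 to acct 5678", sig),
        "reused": verify(b"Wire $10,000 from acct 1234 to acct 9999", sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9} verifies: {ok}")
```

Note that the signature provides no confidentiality: the message travels in the clear next to its signature, which is why the text points out that the message itself must be encrypted separately if privacy is also required.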
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
This chapter first discusses the benefits of physical security
measures, and then presents an overview of common physical and
environmental security controls. Physical and environmental security
measures result in many benefits, such as protecting employees. This
chapter focuses on the protection of computer systems from the
following:
Interruptions in Providing Computer Services. An external
threat may interrupt the scheduled operation of a system. The
magnitude of the losses depends on the duration and timing of the
service interruption and the characteristics of the operations end
users perform.
Physical Damage. If a system's hardware is damaged or
destroyed, it usually has to be repaired or replaced. Data may be
destroyed as an act of sabotage by a physical attack on data storage
media (e.g., rendering the data unreadable or only partly readable).
If data stored by a system for operational use is destroyed or
corrupted, the data needs to be restored from back-up copies or from
the original sources before the system can be used. The
magnitude of loss from physical damage depends on the cost to repair
or replace the damaged hardware and data, as well as costs arising
from service interruptions.
Unauthorized Disclosure of Information. The physical
characteristics of the facility housing a system may permit an
intruder to gain access both to media external to system hardware
(such as diskettes, tapes and printouts) and to media within system
components (such as fixed disks), transmission lines or display
screens. All may result in loss of disclosure-sensitive information.
Loss of Control over System Integrity. If an intruder gains
access to the central processing unit, it is usually possible to
reboot the system and bypass logical access controls. This can lead
to information disclosure, fraud, replacement of system and
application software, introduction of a Trojan horse, and more.
Moreover, if such access is gained, it may be very difficult to
determine what has been modified, lost, or corrupted.
Physical Theft. System hardware may be stolen. The magnitude
of the loss is determined by the costs to replace the stolen
hardware and restore data stored on stolen media. Theft may also
result in service interruptions.
This chapter discusses seven major areas of physical and
environmental security controls:
1) physical access controls,
2) fire safety,
3) supporting utilities,
4) structural collapse,
5) plumbing leaks,
6) interception of data, and
7) mobile and portable systems.