technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
IT pros don't learn from cyberattacks, study -
Unfortunately the same doesn't apply to IT professionals, regardless
of which state they're in, since they appear to be setting
themselves up to be fooled again as a recent study found 46 percent
of IT professionals don't change their security strategy after a
Equifax breach worse than thought, consumers
affected now total 147.9M - Equifax has once again bumped up the
estimated number of U.S. consumers affected by its massive breach –
now saying that data on 147.9 million was somehow exposed.
Healthcare sector's biggest threats come from insiders, report -
Healthcare is the only industry in which internal threat actors are
the biggest threat to an organization, a recent study posits.
After 'isolated' hack, Germany says government computers are secure
- The German government said on Wednesday that hackers had breached
the network of government computers with an isolated attack that had
been brought under control and which was being investigated by
Penn. AG sues Uber over breach, delayed notification -
Pennsylvania's attorney general is suing Uber for delaying
disclosure for more than a year of a breach that exposed the
personal information, such as driver's licenses, of 57 million
customers and drivers.
Google gets sued for denying "right to be forgotten" request - A
businessman, whose "right to be forgotten" request was denied by
Google to "defend the public's right to access lawful information",
has filed a lawsuit in the high court in a bid to make Google remove
references to his criminal past.
ComboJack malware steals digital payments, cryptocurrency, by
modifying info saved to clipboards - Researchers have discovered a
new malware that steals cryptocurrency and other electronic funds by
surreptitiously modifying wallet or payment information whenever
victims copy it to their devices' clipboards.
Millennial Habits May Bring an End to the Password Era - The use of
passwords as a single method to prove identity is increasingly
becoming obsolete – and for good reason. With major data breaches
opening the floodgates on our personal information and the
increasing availability of password hacking tools, passwords are no
longer effective at keeping our personal identities secured.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Marine Forces Reserve data breach leaks data of about 21K - The
personal information of thousands of Marines, sailors, and civilians
was compromised after an unencrypted email was sent to the wrong
email distribution list Monday morning.
GitHub hit with the largest DDoS attack ever seen - DDoS attackers
have found a new way of magnifying their attacks, with experts
warning that bigger attacks are likely.
German government confirms hackers blitzkrieged its servers to steal
data - The German Interior ministry has confirmed that it has
identified a serious attack against its servers, amidst reports that
the culprits were the Russian APT28 – aka Fancy Bear – hacking
Malware forces closure of hundreds of Tim Hortons outlets across
Canada - A mysterious malware has taken out the cash registers of
hundreds of Tim Hortons restaurants across Canada forcing many of
them to close prompting legal action from franchise owners.
GitHub rides out record-breaking DDoS attack that leveraged
memcached servers - GitHub on Wednesday withstood the largest-ever
recorded distributed denial of service attack in history,
experiencing roughly 10 minutes of disruption during the onslaught,
which was amplified using exposed memcached servers -- a vector that
has seen a significant increase in abuse since last month.
FS-ISAC hit with phishing attacks - A Financial Services Information
Sharing and Analysis Center (FS-ISAC) employee fell victim to a
phishing attack that compromised login credentials enabling
additional phishing attacks.
Rockdale ISD his with W-2 scam - Every employee with the Rockdale,
Texas Independent School District had their W-2 tax form information
stolen in a spearphishing attack.
167 Applebee's locations across 15 states hit with POS breach - RMH
Franchise Holdings, which claims to be the second largest Applebee's
franchisee, is warning Applebee's customers that point-of-sale
malware affected 167 restaurants in 15 states.
Fresno State data breach, 15,000 affected - A stolen external hard
drive has led to the personal information of more than 15,000 people
formerly and currently associated with California State University
at Fresno athletic department.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of
weblinks should review the types of products or services and the
overall website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non‑repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction . To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA, the
represented party, and could even include the represented party's
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs.
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
Physical access controls restrict the entry and exit of personnel
(and often equipment and media) from an area, such as an office
building, suite, data center, or room containing a LAN server.
The control over physical access to the elements of a system can
include controlled areas, barriers that isolate each area, entry
points in the barriers that isolate each area, entry points in the
barriers, and screening measures at each of the entry points. In
addition, staff members who work in a restricted area serve an
important role in providing physical security, as they can be
trained to challenge people they do not recognize.
Physical access controls should address not only the area containing
system hardware, but also locations of wiring used to connect
elements of the system, the electric power service, the air
conditioning and heating plant, telephone and data lines, backup
media and source documents, and any other elements required system's
operation. This means that all the areas in the building(s) that
contain system elements must be identified.
There are many types of physical access controls, including badges,
memory cards, guards, keys, true-floor-to-true-ceiling wall
construction, fences, and locks.
It is also important to review the effectiveness of physical access
controls in each area, both during normal business hours, and at
other times-particularly when an area may be unoccupied.
Effectiveness depends on both the characteristics of the control
devices used (e.g., keycard-controlled doors) and the implementation
and operation. Statements to the effect that "only authorized
persons may enter this area" are not particularly effective.
Organizations should determine whether intruders can easily defeat
the controls, the extent to which strangers are challenged, and the
effectiveness of other control procedures. Factors like these modify
the effectiveness of physical controls.
The feasibility of surreptitious entry also needs to be considered.
For example, it may be possible to go over the top of a partition
that stops at the underside of a suspended ceiling or to cut a hole
in a plasterboard partition in a location hidden by furniture. If a
door is controlled by a combination lock, it may be possible to
observe an authorized person entering the lock combination. If
keycards are not carefully controlled, an intruder may be able to
steal a card left on a desk or use a card passed back by an
Corrective actions can address any of the factors listed above.
Adding an additional barrier reduces the risk to the areas behind
the barrier. Enhancing the screening at an entry point can reduce
the number of penetrations. For example, a guard may provide a
higher level of screening than a keycard-controlled door, or an
anti-pass back feature can be added. Reorganizing traffic patterns,
work flow, and work areas may reduce the number of people who need
access to a restricted area. Physical modifications to barriers can
reduce the vulnerability to surreptitious entry. Intrusion
detectors, such as closed-circuit television cameras, motion
detectors, and other devices, can detect intruders in unoccupied
It is important to understand that the objectives of physical access
controls may be in conflict with those of life safety. Simply
stated, life safety focuses on providing easy exit from a facility,
particularly in an emergency, while physical security strives to
control entry. In general, life safety must be given first
consideration, but it is usually possible to achieve an effective
balance between the two goals.
For example, it is often possible to equip emergency exit doors with
a time delay. When one pushes on the panic bar, a loud alarm sounds,
and the door is released after a brief delay. The expectation is
that people will be deterred from using such exits improperly, but
will not be significantly endangered during an emergency evacuation.