information technology audits
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.
For more information, go to On-site FFIEC IT Audits.
- Data breaches up 400 percent, 15 billion records compromised: report - The number of data breaches increased more than 400 percent in 2018, exposing almost 15 billion records, according to the identity intelligence company 4iQ.
- Equifax neglected cybersecurity prior to breach, Senate report finds - On the eve of executives from Equifax and Marriott appearing before the Senate Permanent Subcommittee on Investigations to discuss the lessons learned from a pair of major breaches, the subcommittee released a scathing report accusing Equifax of neglect and “failing to prioritize cybersecurity,” which led to a 2017 breach that affected 145 million people.
- Comptroller Questions Priority Given by Agency Heads to Cybersecurity Issues - U.S. Comptroller General Gene Dodaro, who heads the Government Accountability Office (GAO), today publicly questioned the priority given by Federal agency heads to cybersecurity issues that have long been flagged by GAO on its “High Risk List,” the latest biennial edition of which was issued by the
- Improving security with micro-segmentation: Where do I start? - The irreversible movement from on-premise data centers to virtualized, hybrid-cloud infrastructures has raised a major security challenge for enterprises: how to protect mission-critical applications and workloads from threats lurking within the data center.
- Meeting GDPR standards doesn’t guarantee Calif. privacy law compliance, experts warn - Soon to be the most restrictive privacy law in the U.S., the California Consumer Privacy Act is set to take effect in January 2020. Companies that sit back and assume their compliance with GDPR is enough to meet the new legislation’s high expectations are in for a rude awakening, warned a panel of privacy executives at RSA 2019.
- Germany planning 'trustworthy' supplier requirement for all networks and 5G - A draft of updated security requirements is set to appear in the Northern Hemisphere's spring.
- GAO - Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs
- NYU, NYC Cyber Command conduct inaugural training exercise in new Brooklyn cyber range - Normally, it’s the job of the New York City Cyber Command (NYC3) to defend the city from online threats. But yesterday, its members were actually the ones dishing out the punishment, lobbing a series of attacks at a group of 25-30 New York University cybersecurity graduate students.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Unprotected MongoDB database exposes 763M unique email addresses, ‘business intel’ - Verifications.io has taken down an unprotected MongoDB database found by researchers last week to contain 150GB worth of plaintext marketing data, including 763 million unique email addresses and various corporations’ revenue data.
- Software maker Citrix hacked, business documents removed - Acting on a tip from the FBI, Citrix has investigated and confirmed that its network has been penetrated and data has been exfiltrated by an
- Columbia Surgical Specialists pay $15,000 ransom to unlock files - Columbia Surgical Specialists paid an almost $15,000 ransom to regain access to files encrypted during a ransomware attack.
- Jackson County, Georgia pays $400,000 ransom to release files - Jackson County, Ga., is the latest ransomware victim to fork over a payment to its attackers in order to regain access to its encrypted
- Ransomware attack targets college admissions data - Threat actors launched ransomware attacks against three U.S. colleges, seizing the data on students applying for admission to the schools and demanding 1 Bitcoin, or approximately $3,800, from students to retrieve their “entire admission file.”
- Hackers Break into System That Houses College Application Data - More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants.
- Dozens of high-profile Box accounts found leaking sensitive data - Adversis researchers have discovered that dozens of companies have leaked sensitive data as a result of misconfigured Box accounts.
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical
solutions to address particular risks or set technical standards
relating to e-banking. Technical issues will need to be addressed on
an on-going basis by both banking institutions and various
standards-setting bodies as technology evolves. Further, as the
industry continues to address e-banking technical issues, including
security challenges, a variety of innovative and cost efficient risk
management solutions are likely to emerge. These solutions are also
likely to address issues related to the fact that banks differ in
size, complexity and risk management culture and that jurisdictions
differ in their legal and regulatory frameworks.
For these reasons, the Committee does not believe that a "one size
fits all" approach to e-banking risk management is appropriate, and
it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is
different and requires a risk mitigation approach appropriate for
the scale of the e-banking operations, the materiality of the risks
present, and the willingness and ability of the institution to
manage these risks. These differences imply that the risk management
principles presented in this Report are intended to be flexible
enough to be implemented by all relevant institutions across
jurisdictions. National supervisors will assess the materiality of
the risks related to e-banking activities present at a given bank
and whether, and to what extent, the risk management principles for
e-banking have been adequately met by the bank's risk management
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following:
- Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems route messages by the MAC address, requiring a router to obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.
- Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.
- File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions, can improve
- Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.
- Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.
- Post office protocol (POP) - Commonly used to receive e-mail.
- Hypertext transport protocol (HTTP) - Used for Web browsing.
- Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.
- Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions, sometimes used to secure e-mail transfers and
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology.
Chapter 19 - CRYPTOGRAPHY
19.2.4 User Authentication
Cryptography can increase security
in user authentication techniques. As discussed in Chapter 16,
cryptography is the basis for several advanced authentication
methods. Instead of communicating passwords over an open network,
authentication can be performed by demonstrating knowledge of a
cryptographic key. Using these methods, a one-time password, which
is not susceptible to eavesdropping, can be used. User
authentication can use either secret or public key cryptography.
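As an added illustration (not from the NIST handbook or this newsletter), the following Python sketch shows the secret-key form of this idea: a challenge-response login in which the client proves knowledge of a shared HMAC key instead of sending a password, and each response serves as a one-time value that an eavesdropper cannot reuse. The user name, key value and message layout are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample credential store (user -> shared secret provisioned out of
# band). In a real system keys come from a protected store, never source code.
USER_KEYS = {
    "teller01": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

def compute_response(key: bytes, user: str, challenge: bytes) -> bytes:
    """HMAC-SHA256 over the user name and the server's challenge. Both sides
    compute this; only a key holder can produce it, and the key itself never
    crosses the network, so there is no password to eavesdrop."""
    return hmac.new(key, user.encode() + b"|" + challenge, hashlib.sha256).digest()

class AuthServer:
    """Server side: each challenge is random and single-use, so a response
    acts as a one-time password."""
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys
        self.pending = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # unpredictable, never repeated
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # consume it: one attempt each
        key = self.user_keys.get(user)
        if challenge is None or key is None:
            return False
        expected = compute_response(key, user, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def client_login(server: AuthServer, user: str, key: bytes):
    """Client side: fetch a challenge, answer it, and return (accepted,
    response). The response bytes are all an eavesdropper would capture."""
    challenge = server.issue_challenge(user)
    response = compute_response(key, user, challenge)
    return server.verify(user, response), response

def replayed_response_accepted(server: AuthServer, user: str, captured: bytes) -> bool:
    """Resubmitting a captured response: the old challenge was consumed and
    the new one differs, so the server rejects it."""
    server.issue_challenge(user)
    return server.verify(user, captured)
```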
19.3 Implementation Issues
This section explores several
important issues that should be considered when using (e.g.,
designing, implementing, integrating) cryptography in a computer
19.3.1 Selecting Design and
Applicable security standards provide a common level of security and interoperability.
NIST and other organizations have
developed numerous standards for designing, implementing, and using
cryptography and for integrating it into automated systems. By using
these standards, organizations can reduce costs and protect their
investments in technology. Standards provide solutions that have
been accepted by a wide community and that have been reviewed by
experts in relevant areas. Standards help ensure interoperability
among different vendors' equipment, thus allowing an organization to
select from among various products in order to find cost-effective
Managers and users of computer
systems will have to select among various standards when deciding to
use cryptography. Their selection should be based on
cost-effectiveness analysis, trends in the standard's acceptance,
and interoperability requirements. In addition, each standard should
be carefully analyzed to determine if it is applicable to the
organization and the desired application. For example, the Data
Encryption Standard and the Escrowed Encryption Standard are both
applicable to certain applications involving communications of data
over commercial modems. Some federal standards are mandatory for
federal computer systems, including DES (FIPS 46-2) and the DSS