information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Inside Security: Plan for That One Unintended Click - What’s at
the top of the food chain when it comes to security breaches?
People. And, no amount of security awareness training can completely
protect an organization against a phishing attack. Even the most
security-conscious end user can accidentally click on a suspicious
link by accident.
U.S. Navy taken to task for cybersecurity flaws - The U.S. Navy is
prepared to face and defeat the nation’s enemies in all physical
environments, but is losing an on-going cyberwar with China,
according to its own assessment of the situation.
House Dem introduces bill requiring public firms to disclose
cybersecurity expertise in leadership - A Democrat on the House
Intelligence Committee introduced a bill on Wednesday that would
require publicly traded companies to disclose to investors whether
any members of their board of directors have cybersecurity expertise
amid growing cyberattacks targeting U.S. companies.
How a wireless keyboard lets hackers take full control of connected
computers - There’s a critical vulnerability in a model of Fujitsu
wireless keyboard that makes it easy for hackers to take full
control of connected computers, security researchers warned on
Friday. Anyone using the keyboard model should strongly consider
replacing it immediately.
Cyberattack shuts down Committee for Public Counsel Services
network, leaving bar advocates unpaid - The Massachusetts public
defender agency has been unable to access its IT network for weeks,
following a cyber attack that forced the shutdown of its email
GAO - Including Users Early and Often in Software Development Could
Benefit Programs -
Top 12 phishing email subject lines - Cybercriminals often try to
create a sense of urgency in their phony attempts to swindle
unsuspecting users out of crucial information with subject lines
that would compel the unsuspecting user into opening the phony email
and potentially downloading malicious attachments.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stolen email credentials being used to pry into cloud accounts -
Malicious actors are using the massive supply of previously stolen
login credentials to help brute force their way into high-profile
cloud-based business systems that cannot easily use two-factor
authentication for security.
Report: Chinese e-retailer Gearbest leaves database exposed,
endangering 1.5 million records - The parent company of Chinese
e-retailing giant Gearbest has been operating a completely unsecured
corporate database, leaving roughly 1.5 million customer records
unencrypted and exposed to the public, a new report warns.
Reports: Israeli officials’ devices hacked; data possessed by Iran -
Hackers stole information from former Israeli prime minister Ehud
Barak’s computer and phone months ago and sold it to Iran, according
to multiple news outlets, citing a TV report by Israel’s Channel 12
this past weekend.
Norwegian aluminum producer Norsk Hydro hit by an unspecified
cyberattack - Norwegian aluminum producer Norsk Hydro was hit by a
cyber attack which began Monday evening and escalated into the
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process
for outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems,
databases and applications.
8. Data integrity of e-banking transactions, records, and
9. Establishment of clear audit trails for e-banking
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to
ensure availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be cover over the next few
weeks, as they relate to e-banking and the underlying risk
management principles that should be considered by banks to address
the top of the newsletter
FFIEC IT SECURITY -
We continue our
series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
are built in conformance with the protocols to provide services from
hosts to clients. Because clients must have a standard way of
accessing the services, the services are assigned to standard host
ports. Ports are logical not physical locations that are either
assigned or available for specific network services. Under TCP/IP,
65536 ports are available, and the first 1024 ports are commercially
accepted as being assigned to certain services. For instance, Web
servers listen for requests on port 80, and secure socket layer Web
servers listen on port 443. A complete list of the commercially
accepted port assignments is available at
www.iana.org. Ports above 1024
are known as high ports, and are user - assignable. However, users
and administrators have the freedom to assign any port to any
service, and to use one port for more than one service.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke - monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.3.2 Deciding on Hardware vs.
The trade-offs among security, cost,
simplicity, efficiency, and ease of implementation need to be
studied by managers acquiring various security products meeting a
standard. Cryptography can be implemented in either hardware or
software. Each has its related costs and benefits.
In general, software is less
expensive and slower than hardware, although for large applications,
hardware may be less expensive. In addition, software may be less
secure, since it is more easily modified or bypassed than equivalent
hardware products. Tamper resistance is usually considered better in
In many cases, cryptography is
implemented in a hardware device (e.g., electronic chip,
ROM-protected processor) but is controlled by software. This
software requires integrity protection to ensure that the hardware
device is provided with correct information (i.e., controls, data)
and is not bypassed. Thus, a hybrid solution is generally provided,
even when the basic cryptography is implemented in hardware.
Effective security requires the correct management of the entire
19.3.3 Managing Keys
The proper management of
cryptographic keys is essential to the effective use of cryptography
for security. Ultimately, the security of information protected by
cryptography directly depends upon the protection afforded to keys.
All keys need to be protected
against modification, and secret keys and private keys need
protection against unauthorized disclosure. Key management involves
the procedures and protocols, both manual and automated, used
throughout the entire life cycle of the keys. This includes the
generation, distribution, storage, entry, use, destruction, and
archiving of cryptographic keys.
With secret key cryptography, the
secret key(s) should be securely distributed (i.e., safeguarded
against unauthorized replacement, modification, and disclosure) to
the parties wishing to communicate. Depending upon the number and
location of users, this task may not be trivial. Automated
techniques for generating and distributing cryptographic keys can
ease overhead costs of key management, but some resources have to be
devoted to this task. FIPS 171, Key Management Using ANSI X9.17,
provides key management solutions for a variety of operational
Public key cryptography users also
have to satisfy certain key management requirements. For example,
since a private-public key pair is associated with (i.e., generated
or held by) a specific user, it is necessary to bind the
public part of the key pair to the user.
In a small community of users,
public keys and their "owners" can be strongly bound by simply
exchanging public keys (e.g., putting them on a CD-ROM or other
media). However, conducting electronic business on a larger scale,
potentially involving geographically and organizationally
distributed users, necessitates a means for obtaining public keys
electronically with a high degree of confidence in their integrity
and binding to individuals. The support for the binding between a
key and its owner is generally referred to as a public key
Users also need to be able enter the
community of key holders, generate keys (or have them generated on
their behalf), disseminate public keys, revoke keys (in case, for
example, of compromise of the private key), and change keys. In
addition, it may be necessary to build in time/date stamping and to
archive keys for verification of old signatures.