information technology audits
As a former bank examiner with over 40 years' IT audit experience, I
will bring an examiner's perspective to the FFIEC information
technology audit for bankers in Texas, New Mexico, Colorado, and
Oklahoma. For more information, see On-site FFIEC IT Audits.
Insurer refuses payout to DLA Piper over NotPetya cyberattack -
Multinational law firm DLA Piper was hit in the crossfire of a
Russia-backed ransomware attack which wiped out systems and cost the
firm 15,000 hours of extra overtime for its IT staff.
Domino's and other businesses sued over websites that aren't
accessible to blind - In thousands of cases that are testing the
limits of the law and cyberspace, businesses are increasingly facing
lawsuits that contend their websites aren't accessible to people who
are blind and are in violation of federal disability mandates.
GAO - Areas for Improvement in the Federal Reserve Banks'
Information System Controls:
NIST pushes new encryption protocols for quantum, connected devices
- The National Institute of Standards and Technology is inching
closer to developing two new encryption standards designed to
protect the federal government from new and emerging cybersecurity
The death of the VPN – It’s time to say goodbye - Virtual private
networks, VPNs, have often been referred to as the “backbone of the
Hedge fund manager sentenced to 60 months for securities fraud, hacking
scheme - A hedge fund manager convicted of conspiracy to commit
securities fraud and computer intrusion, among other crimes, was
sentenced in U.S. District Court to 60 months in prison Thursday.
New Jersey bill would broaden PII requiring breach notification - If
signed into law, a bipartisan bill sent by New Jersey legislators to
Gov. Phil Murphy would expand data breach notification in the state,
requiring companies to alert citizens to breaches of a wider range
of personally identifiable information (PII), including user names,
passwords, email addresses and security questions.
Australia's Intelligence Agency Publishes its Vulnerability
Disclosure Process - The Australian Signals Directorate (ASD),
Australia's intelligence agency responsible for foreign signals
intelligence, has joined America's NSA and the UK's GCHQ in
publishing an account of its vulnerability disclosure process. All
three agencies are part of the Five Eyes western intelligence
alliance -- the remaining members being Canada and New Zealand.
GAO - Data Breaches: Range of Consumer Risks Highlights Limitations
of Identity Theft Services:
GAO takes Fiscal Service to task over new and old cyber problems -
The Government Accountability Office (GAO) criticized the Bureau of
the Fiscal Service, which is part of the U.S. Department of the
Treasury, over new and old cybersecurity problems in a new audit.
UConn Health Center hit with $5M suit over breach - The University
of Connecticut Health Center is being hit with a class action
lawsuit over a data breach that exposed 326,000 current and former
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Facebook stored hundreds of millions of user passwords in plain
text - Facebook is once again making headlines after the company
discovered it had been storing hundreds of millions of users'
passwords in plain text for years.
Report: Uber employee used data-scraping tool to gather info on
Australian competitor - An Uber employee used a data-scraping tool
to round up online data concerning an Australian competitor in order
to poach drivers from its business, according to a report this week
from ABC News in Australia.
Tesla suing self-driving startup Zoox and former employees for data
theft - Tesla is accusing self-driving car startup Zoox and former
employees of stealing trade secrets.
Brit Police Federation cops to ransomware attack on HQ systems - The
Police Federation of England and Wales (PFEW), a sort-of trade union
for police workers, has been battling to contain a ransomware strike
on the group's computer systems, it confessed this afternoon.
Phishing scam stings Oregon Dept. of Human Services, compromises
emails containing resident data - The Oregon Department of Human
Services (DHS) was the victim of a phishing campaign earlier this
year, resulting in a data breach that reportedly involves the
records of up to 1.6 million state residents.
Two U.S. chemical companies disclose cyberattack, LockerGoga
suspected - Just days after a ransomware attack disrupted operations
at Norwegian aluminium company Norsk Hydro, two U.S.-based chemical
companies last Friday disclosed that they were affected by an
unspecified network security incident that blocked access to certain
IT systems and data.
Kanopy.com ElasticSearch database left unsecured - The movie
streaming service Kanopy has been leaking access and API logs
through an unsecured ElasticSearch database, according to a
FEMA shared personal data on more than 2M disaster survivors - A
“major privacy breach” at Federal Emergency Management Agency (FEMA)
shared information with a contractor – including banking details –
on more than two million Americans who were victims of disaster
according to the Department of Homeland Security (DHS) Office of the
Damages from ransomware attack on Norsk Hydro reach as high as $40M
- Aluminum company Norsk Hydro has already lost as much as $40.6
million since it was attacked by LockerGoga ransomware on March 19,
but at least most of its operations are back running at normal
capacity, the company said in a news update yesterday.
WEB SITE COMPLIANCE -
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection at a network gateway, because the gateway sees
only ciphertext. Content carried inside such channels can only be
inspected where it is decrypted: at the receiving host, or at a
proxy that terminates the encrypted session before scanning.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti-virus products generally execute or emulate suspect
code in a protected area (sandbox) of the host to analyze its
behavior and detect any hostile intent. Heuristic products are meant
to defend against previously unknown or disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
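The following is an added example and not text or code from the FFIEC booklet. It combines the gateway controls described above into one attachment screen: a signature match, an executable check that looks at file content rather than the file name (a renamed .exe still starts with the MZ header), a look inside zip archives, and an explicit "cannot inspect" verdict for encrypted content that a signature scanner would otherwise pass. The signature set, magic bytes, extension list and sample attachments are constructed for the example; the EICAR string is the industry-standard anti-virus test pattern.

```python
"""Added example (not FFIEC booklet text): a gateway attachment screen
combining signature matching, content-based executable detection, zip
inspection, and an explicit verdict for encrypted content that cannot
be scanned here.  Signatures, magic bytes and samples are constructed."""
import io
import zipfile

# The EICAR string is the standard AV test pattern; real products ship millions of signatures.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}          # constructed, not exhaustive
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "bat", "js", "vbs", "hta"}
ENCRYPTED_MARKERS = (b"-----BEGIN PGP MESSAGE-----",)         # constructed: PGP-armored mail


def classify(name: str, data: bytes, depth: int = 0) -> str:
    """Verdict for one attachment: 'signature:<id>', 'encrypted-cannot-inspect',
    'blocked-extension', 'blocked-content:<kind>' or 'clean'."""
    for sig_id, pattern in SIGNATURES.items():
        if pattern in data:
            return f"signature:{sig_id}"
    if any(data.startswith(m) for m in ENCRYPTED_MARKERS):
        return "encrypted-cannot-inspect"        # must be scanned at the host after decryption
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):               # content check: a renamed .exe is still MZ
            return f"blocked-content:{kind}"
    if data.startswith(b"PK\x03\x04"):
        if depth >= 3:                           # bounded recursion against zip bombs
            return "blocked-content:archive-nesting"
        return classify_zip(data, depth + 1)
    return "clean"


def classify_zip(data: bytes, depth: int) -> str:
    """Apply classify() to every entry; refuse entries the gateway cannot read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:         # general-purpose bit 0: entry is encrypted
                    return "encrypted-cannot-inspect"
                verdict = classify(info.filename, zf.read(info), depth)
                if verdict != "clean":
                    return verdict
    except zipfile.BadZipFile:
        return "blocked-content:malformed-zip"
    return "clean"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                  # constructed attachments
        "report.pdf": b"%PDF-1.4 harmless body",
        "invoice.txt": b"MZ\x90\x00 PE stub renamed to .txt",
        "test.com": EICAR,
        "archive.zip": make_zip({"notes.txt": b"MZ\x90\x00 nested executable"}),
        "secret.asc": b"-----BEGIN PGP MESSAGE-----\n...",
    }
    for n, d in samples.items():
        print(f"{n:12s} -> {classify(n, d)}")
```

The point of the "encrypted-cannot-inspect" verdict is that it is a decision for policy, not a pass: the gateway either quarantines such content or relies on a host-side scanner that runs after decryption. Blocking by extension alone would have let invoice.txt through.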
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
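The following is an added example, not FFIEC booklet text, illustrating the "filtering" control described above against the attack it prevents. A response form supplies an account number; the unfiltered handler splices it into SQL, so a visitor can rewrite the query, while the filtered handler accepts only the expected shape and passes the value as a bound parameter. The table contents and the injection payload are constructed sample data, and sqlite3 stands in for the institution's database.

```python
"""Added example (not FFIEC booklet text): input filtering on a web form
field, with the unfiltered handler beside the hardened one.  Sample
rows and the injection payload are constructed."""
import re
import sqlite3

ACCOUNT_RE = re.compile(r"[0-9]{9}")             # the only shape an account number may take


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the bank's database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("100200300", "A. Customer", 5000),
        ("100200301", "B. Customer", 12000),
    ])
    return conn


def balance_unfiltered(conn, acct: str):
    """VULNERABLE: the form value becomes part of the SQL statement itself."""
    query = f"SELECT acct, balance FROM accounts WHERE acct = '{acct}'"
    return conn.execute(query).fetchall()


def balance_filtered(conn, acct: str):
    """Accept only expected input, and never let it touch SQL syntax."""
    if not ACCOUNT_RE.fullmatch(acct):
        raise ValueError("rejected: account number must be exactly 9 digits")
    return conn.execute(
        "SELECT acct, balance FROM accounts WHERE acct = ?", (acct,)   # bound parameter
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    payload = "' OR '1'='1"                      # constructed injection string
    print(balance_unfiltered(db, payload))       # every account: the WHERE clause was rewritten
    try:
        balance_filtered(db, payload)
    except ValueError as e:
        print(e)
    print(balance_filtered(db, "100200300"))
```

Both halves of the hardened handler matter: the allowlist rejects anything that is not an account number before it reaches the database, and the bound parameter means that even a value that slipped past the check would be compared as data, never parsed as SQL.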
Anti-virus tools and code blocking are not comprehensive
solutions. New malicious code could have different signatures, and
bypass other controls. Protection against newly developed malicious
code typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host
intrusion detection devices. Network intrusion detection devices can
be tuned to alert when known malicious code attacks occur. Host
intrusion detection can be tuned to alert when they recognize
abnormal system behavior, the presence of unexpected files, and
changes to other files.
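The following is an added example, not FFIEC booklet text, showing the host-based detection control above reduced to its core: a file-integrity baseline. snapshot() records a SHA-256 digest for every file under a directory, and diff() reports what was added, removed or modified since the baseline, which is exactly the "unexpected files" and "changes to other files" signal the booklet describes. The directory tree that demo() builds and tampers with is constructed for the example.

```python
"""Added example (not FFIEC booklet text): a minimal host file-integrity
check.  Baseline a tree, re-scan it, and report added, removed and
modified files.  The sample tree and the simulated tampering in demo()
are constructed."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path (forward slashes) -> sha256 hex digest of every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; each list is sorted so reports are stable."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Create a constructed tree, baseline it, simulate an intrusion, report the delta."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        baseline = snapshot(root)

        # simulated intrusion: binary trojaned, hidden file dropped, one file removed
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned binary\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropper\n")
        os.remove(os.path.join(root, "passwd"))
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it off the monitored host or on read-only media, since an intruder who can rewrite the baseline can hide every change the scan would otherwise report.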
FFIEC IT SECURITY -
We continue our
review of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guarantee that the system(s)
being tested are secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology handbook.
Chapter 19 - CRYPTOGRAPHY
19.3.4 Security of Cryptographic Modules
The federal standard Security Requirements for Cryptographic Modules
specifies the physical and logical security requirements for
cryptographic modules. The standard defines four security
levels for cryptographic modules, with each level providing
a significant increase in security over the preceding level.
The four levels allow for cost-effective solutions that are
appropriate for different degrees of data sensitivity and
different application environments. The user can select the
best module for any given application or system, avoiding
the cost of unnecessary security features.
Cryptography is typically
implemented in a module of software, firmware, hardware, or
some combination thereof. This module contains the cryptographic
algorithm(s), certain control parameters, and temporary storage
facilities for the key(s) being used by the algorithm(s). The proper
functioning of the cryptography requires the secure design,
implementation, and use of the cryptographic module. This includes
protecting the module against tampering.
19.3.5 Applying Cryptography to Networks
The use of cryptography within
networking applications often requires special considerations. In
these applications, the suitability of a cryptographic module may
depend on its capability for handling special requirements imposed
by locally attached communications equipment or by the network
protocols and software.
Encrypted information, MACs, or
digital signatures may require transparent communications protocols
or equipment to avoid being misinterpreted by the communications
equipment or software as control information. It may be necessary to
format the encrypted information, MAC, or digital signature to
ensure that it does not confuse the communications equipment or
software. It is essential that cryptography satisfy the requirements
imposed by the communications equipment and does not interfere with
the proper and efficient operation of the network.
Data is encrypted on a network using
either link or end-to-end encryption. In general, link encryption
is performed by service providers, such as a data communications
provider. Link encryption encrypts all of the data along a
communications path (e.g., a satellite link, telephone circuit, or
T1 line). Since link encryption also encrypts routing data,
communications nodes need to decrypt the data to continue routing.
End-to-end encryption is generally performed by the end-user
organization. Although data remains encrypted when being passed
through a network, routing information remains visible. It is
possible to combine both types of encryption.
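The following is an added example, not text or code from the NIST handbook, showing two ways cryptography meets a network as discussed in 19.3.5. Part 1 covers the transparency problem: ciphertext is arbitrary bytes and will sooner or later collide with a protocol's control characters unless it is armored before transmission. Part 2 contrasts link encryption, where the routing header is hidden and every hop must hold a link key and sees the plaintext, with end-to-end encryption, where the header stays readable and the payload is opaque to every intermediary. The cipher is HMAC-SHA256 run in counter mode as a keystream, chosen only because it needs no third-party package; production code would use an AEAD such as AES-GCM. The packet format, the ETX-terminated framing protocol, keys and nonces are all constructed for the example.

```python
"""Added example (not NIST handbook text): ciphertext vs. protocol control
characters, and link vs. end-to-end encryption of a routed packet.  The
HMAC-CTR keystream, packet format, keys and nonces are constructed."""
import base64
import hashlib
import hmac
import struct


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with PRF(key, nonce || counter); the same call decrypts.
    Never reuse a (key, nonce) pair: two messages would XOR to each other."""
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- Part 1: a framing protocol whose record terminator is ETX (0x03) ----
ETX = b"\x03"


def frame(records):
    return b"".join(r + ETX for r in records)


def unframe(stream):
    return stream.split(ETX)[:-1]


def transparency_demo(key: bytes, plaintext: bytes) -> tuple:
    """Find a ciphertext that happens to contain ETX (a few tries on average for
    random-looking output), then show raw framing breaks and base64 armoring holds."""
    for n in range(100000):
        nonce = struct.pack(">Q", n)
        ct = keystream_xor(key, nonce, plaintext)
        if ETX in ct:
            break
    else:
        raise RuntimeError("no colliding ciphertext found")
    raw_ok = unframe(frame([ct])) == [ct]            # receiver splits the record in two
    armored = base64.b64encode(ct)                   # base64 alphabet never contains 0x03
    armored_ok = base64.b64decode(unframe(frame([armored]))[0]) == ct
    return raw_ok, armored_ok


# ---- Part 2: link vs end-to-end encryption of a routed packet ----
HEADER = struct.Struct(">4s4sH")                     # src, dst, payload length (constructed)


def packet(src, dst, payload):
    return HEADER.pack(src, dst, len(payload)) + payload


def parse(pkt):
    src, dst, n = HEADER.unpack_from(pkt)
    return src, dst, pkt[HEADER.size:HEADER.size + n]


def seal(key, nonce, data):                          # 8-byte nonce travels in the clear
    return nonce + keystream_xor(key, nonce, data)


def open_(key, blob):
    return keystream_xor(key, blob[:8], blob[8:])


def end_to_end_demo(e2e_key, msg):
    """Endpoints A and C share e2e_key; router B holds no key at all."""
    pkt = packet(b"A___", b"C___", seal(e2e_key, b"\x00" * 8, msg))
    _, dst, opaque = parse(pkt)                      # B reads dst, sees only ciphertext
    received = open_(e2e_key, opaque)                # only the endpoint recovers msg
    return dst, opaque != msg, received == msg


def link_demo(key_ab, key_bc, msg):
    """Each hop has its own link key; B must decrypt to learn where to forward."""
    blob = seal(key_ab, b"\x01" * 8, packet(b"A___", b"C___", msg))
    pkt = open_(key_ab, blob)                        # header was hidden until now
    _, dst, exposed = parse(pkt)                     # B sees the plaintext payload too
    blob2 = seal(key_bc, b"\x02" * 8, pkt)           # re-encrypt for the next link
    _, _, received = parse(open_(key_bc, blob2))
    return dst, exposed == msg, received == msg
```

Combining both, as the text notes is possible, means the link layer hides traffic patterns and headers from an eavesdropper on the wire while the end-to-end layer keeps the payload away from the intermediate nodes; neither alone gives both properties.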