R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 31, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Insurer refuses payout to DLA Piper over NotPetya cyberattack - Multinational law firm DLA Piper was hit in the crossfire of a Russia-backed ransomware attack which wiped out systems and cost the firm 15,000 hours of extra overtime for its IT staff. https://www.scmagazine.com/home/security-news/cybercrime/multinational-law-firm-dla-piper-was-hit-in-the-crossfire-of-a-russia-back-ransomware-attack-which-wiped-out-systems-and-costs-the-firm-15000-hours-of-extra-overtime-for-its-it-staff/

Domino's and other businesses sued over websites that aren't accessible to blind - In thousands of cases that are testing the limits of the law and cyberspace, businesses are increasingly facing lawsuits that contend their websites aren't accessible to people who are blind and are in violation of federal disability mandates. https://www.usatoday.com/story/money/business/2019/03/23/lawsuits-dominos-playboy-websites-arent-accessible-to-the-blind/3210001002/

GAO - Areas for Improvement in the Federal Reserve Banks' Information System Controls: https://www.gao.gov/products/GAO-19-304R?utm_campaign=usgao_email&utm_content=topic_markets&utm_medium=email&utm_source=govdelivery

NIST pushes new encryption protocols for quantum, connected devices - The National Institute of Standards and Technology is inching closer to developing two new encryption standards designed to protect the federal government from new and emerging cybersecurity threats. https://fcw.com/articles/2019/03/20/nist-encryption-ispab-johnson.aspx

The death of the VPN – It’s time to say goodbye - Virtual private networks, VPNs, have often been referred to as the “backbone of the enterprise network.” https://www.scmagazine.com/home/opinion/the-death-of-the-vpn-its-time-to-say-goodbye/

Hedge fund manager sentenced to 60 months for securities fraud, hacking scheme - A hedge fund manager convicted of conspiracy to commit securities fraud and computer intrusion, among other crimes, was sentenced in U.S. District Court to 60 months in prison Thursday. https://www.scmagazine.com/home/security-news/hedge-fund-manager-sentenced-to-60-months-security-fraud-hacking-scheme/

New Jersey bill would broaden PII requiring breach notification - If signed into law, a bipartisan bill sent by New Jersey legislators to Gov. Phil Murphy would expand data breach notification in the state, requiring companies to alert citizens to breaches of a wider range of personal identifiable information (PII), including user names, passwords, email addresses and security questions. https://www.scmagazine.com/home/security-news/new-jersey-bill-would-broaden-pii-requiring-breach-notification/

Australia's Intelligence Agency Publishes its Vulnerability Disclosure Process - The Australian Signals Directorate (ASD), Australia's intelligence agency responsible for foreign signals intelligence, has joined America's NSA and the UK's GCHQ in publishing an account of its vulnerability disclosure process. All three agencies are part of the Five Eyes western intelligence alliance, the other members being Canada and New Zealand. https://www.securityweek.com/australias-intelligence-agency-publishes-its-vulnerability-disclosure-process

GAO - Data Breaches: Range of Consumer Risks Highlights Limitations of Identity Theft Services: https://www.gao.gov/products/GAO-19-230

GAO takes Fiscal Services to task over new and old cyber problems - The General Accounting Office (GAO) criticized the Bureau of the Fiscal Service, which is part of the U.S. Department of the Treasury, over new and old cybersecurity problems in a new audit. https://www.scmagazine.com/home/government/gao-takes-fiscal-services-to-task-over-new-and-old-cyber-problems/

UConn Health Center hit with $5M suit over breach - The University of Connecticut Health Center is being hit with a class action lawsuit over a data breach that exposed 326,000 current and former patients. https://www.scmagazine.com/home/security-news/data-breach/uconn-health-center-hit-with-5m-suite-over-breach/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Facebook stored hundreds of millions of user passwords in plain text - Facebook is once again making headlines after the company discovered it had been storing hundreds of millions of users' passwords in plain text for years. https://www.scmagazine.com/home/security-news/privacy-compliance/facebook-is-once-again-making-headlines-after-the-company-discovered-it-had-been-storing-hundreds-of-millions-of-users-passwords-in-plain-text-for-years/

Report: Uber employee used data-scraping tool to gather info on Australian competitor - An Uber employee used a data-scraping tool to round up online data concerning an Australian competitor in order to poach drivers from its business, according to a report this week from ABC News in Australia. https://www.scmagazine.com/home/security-news/report-uber-employee-used-data-scraping-tool-to-gather-australian-competitors-driver-info/

Tesla suing self-driving startup Zoox and former employees for data theft - Tesla is accusing self-driving car startup Zoox and former employees of stealing trade secrets. https://www.scmagazine.com/legal/tesla-is-accusing-self-driving-car-startup-zoox-and-former-employees-of-stealing-trade-secrets/

Brit Police Federation cops to ransomware attack on HQ systems - The Police Federation of England and Wales (PFEW), a sort-of trade union for police workers, has been battling to contain a ransomware strike on the group's computer systems, it confessed this afternoon. https://www.theregister.co.uk/2019/03/21/police_federation_ransomware_attack/

Phishing scam stings Oregon Dept. of Human Services, compromises emails containing resident data - The Oregon Department of Human Services (DHS) was the victim of a phishing campaign earlier this year, resulting in a data breach that reportedly involves the records of up to 1.6 million state residents. https://www.scmagazine.com/home/security-news/phishing-scam-stings-oregon-dept-of-human-services-compromises-emails-containing-resident-data/

Two U.S. chemical companies disclose cyberattack, LockerGoga suspected - Just days after a ransomware attack disrupted operations at Norwegian aluminium company Norsk Hydro, two U.S.-based chemical companies last Friday disclosed that they were affected by an unspecified network security incident that blocked access to certain IT systems and data. https://www.scmagazine.com/home/security-news/ransomware/two-u-s-chemical-companies-disclose-cyberattack-lockergoga-ransomware-reportedly-the-culprit-following-norsk-hydro-ransomware-attack-two-u-s-chemical-companies-disclose-reportedly-similar-inciden/

Kanopy.com ElasticSearch database left unsecured - The movie streaming service Kanopy has been leaking access and API logs through an unsecured ElasticSearch database, according to a cybersecurity researcher. https://www.scmagazine.com/home/security-news/data-breach/kanopy-com-elasticsearch-database-left-unsecured/

FEMA shared personal data on more than 2M disaster survivors - A “major privacy breach” at the Federal Emergency Management Agency (FEMA) shared information with a contractor – including banking details – on more than two million Americans who were victims of disaster, according to the Department of Homeland Security (DHS) Office of the Inspector General. https://www.scmagazine.com/home/security-news/privacy-compliance/fema-shared-personal-data-on-more-than-2m-disaster-survivors-with-contractor-in-privacy-breach/

Damages from ransomware attack on Norsk Hydro reach as high as $40M - Aluminum company Norsk Hydro has already lost as much as $40.6 million since it was attacked by LockerGoga ransomware on March 19, but at least most of its operations are back running at normal capacity, the company said in a news update yesterday. https://www.scmagazine.com/home/security-news/damages-from-ransomware-attack-on-norsk-hydro-reach-as-high-as-40m/


WEB SITE COMPLIANCE - We continue our series on the FFIEC interagency Information Security Booklet.
  
  
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
  
  Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.
  
  Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.
  
  Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.
  
  Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
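  As an added illustration of the gateway strategy above (example code written for this newsletter, not from the FFIEC booklet), the check below blocks executable attachments by extension and also by content, since a renamed .exe still carries its "MZ" header. The message, file names and attachment bytes are constructed.

```python
# Added example (not from the FFIEC booklet): a gateway check that blocks
# executable e-mail attachments by extension AND by content, since a renamed
# .exe keeps its "MZ" header. The message and its attachments are constructed.
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Leading bytes of executable formats that a "no executables" policy should also catch.
EXECUTABLE_MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable",
                    b"\xca\xfe\xba\xbe": "java-class"}


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (blocked, reason) for one attachment."""
    ext = os.path.splitext(filename.lower())[1]       # 'invoice.pdf.exe' -> '.exe'
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked extension {ext}"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return True, f"content is {kind} despite name {filename!r}"
    return False, "allowed"


def scan_message(raw: bytes) -> list:
    """Walk every attachment of a raw message; returns (name, blocked, reason) per part."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        blocked, reason = classify_attachment(name, data)
        results.append((name, blocked, reason))
    return results


def build_sample_message() -> bytes:
    """Constructed message: a PDF-looking file, a renamed executable, and an .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("see attachments")
    samples = [("report.pdf", b"%PDF-1.4 constructed sample"),
               ("notes.txt", b"MZ\x90\x00" + b"\x00" * 60),   # PE header under a .txt name
               ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60)]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```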
  
  Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
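  The filtering described above, as an added example written for this newsletter rather than code from the booklet: a funds-transfer form is checked against an allow-list of expected fields and formats, and only the validated values reach the database through a parameterized query. The field names, patterns and amount limit are constructed.

```python
# Added example (not from the FFIEC booklet): allow-list filtering of a
# constructed funds-transfer form, then storing the validated values with a
# parameterized query so the database never treats user text as SQL.
import re
import sqlite3
from decimal import Decimal

# Each field must match exactly the shape the form expects; anything else is rejected.
EXPECTED_FIELDS = {"from_account", "to_account", "amount", "memo"}
FIELD_PATTERNS = {
    "from_account": re.compile(r"[0-9]{8,12}"),
    "to_account": re.compile(r"[0-9]{8,12}"),
    "amount": re.compile(r"[0-9]{1,7}(\.[0-9]{2})?"),
    "memo": re.compile(r"[A-Za-z0-9 .,-]{0,40}"),   # no quotes, brackets or semicolons
}
MAX_AMOUNT = Decimal("100000.00")                  # constructed business limit


def validate_transfer_form(form: dict) -> dict:
    """Return validated, typed fields or raise ValueError naming the problem."""
    extra = set(form) - EXPECTED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    missing = EXPECTED_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for name, pattern in FIELD_PATTERNS.items():
        if not isinstance(form[name], str) or not pattern.fullmatch(form[name]):
            raise ValueError(f"{name}: not in the expected format")
    amount = Decimal(form["amount"])
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValueError("amount: out of range")
    if form["from_account"] == form["to_account"]:
        raise ValueError("to_account: must differ from from_account")
    return {"from_account": form["from_account"], "to_account": form["to_account"],
            "amount_cents": int(amount * 100), "memo": form["memo"]}


def check_form(form: dict) -> str:
    """'accepted', or 'rejected: <reason>' for logging at the server."""
    try:
        validate_transfer_form(form)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def record_transfer(fields: dict, conn: sqlite3.Connection = None) -> tuple:
    """Insert with bound parameters (the ? placeholders) and read the row back."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS transfers ("
                 "id INTEGER PRIMARY KEY, src TEXT, dst TEXT, amount_cents INTEGER, memo TEXT)")
    cur = conn.execute("INSERT INTO transfers (src, dst, amount_cents, memo) VALUES (?, ?, ?, ?)",
                       (fields["from_account"], fields["to_account"],
                        fields["amount_cents"], fields["memo"]))
    return conn.execute("SELECT src, dst, amount_cents, memo FROM transfers WHERE id = ?",
                        (cur.lastrowid,)).fetchone()
```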
  
  Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."
  
  Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.
  
  An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when they recognize abnormal system behavior, the presence of unexpected files, and changes to other files.
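  The host-side detection of unexpected files and changed files mentioned above (and the regular review for unauthorized software in the preceding paragraph) comes down to comparing a known-good baseline against a later snapshot. The following is an added example written for this newsletter, not code from the booklet; the directory tree and the later "tampering" are constructed in a temporary directory.

```python
# Added example (not from the FFIEC booklet): the file-integrity part of host
# intrusion detection, a SHA-256 baseline of a directory tree compared with a
# later snapshot. The tree and the changes are constructed in a temp directory.
import hashlib
import pathlib
import tempfile


def snapshot(root) -> dict:
    """Map each regular file (relative POSIX path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():      # only regular files are hashed
            out[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes the way a host IDS would alert on them."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a small tree, baseline it, apply constructed changes, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "app.conf").write_text("debug=off\n")
        baseline = snapshot(root)            # taken while the host is known-good
        # Constructed later changes of the kinds the booklet says HIDS should flag:
        (root / "bin" / "app").write_bytes(b"tampered binary")     # changed file
        (root / "tmp_helper.bin").write_bytes(b"dropped file")     # unexpected new file
        (root / "etc" / "hosts").unlink()                          # missing file
        return diff_snapshots(baseline, snapshot(root))
```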


FFIEC IT SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
  
  PENETRATION ANALYSIS (Part 1 of 2)
  
  After the initial risk assessment is completed, management may determine that a penetration analysis (test) should be conducted. For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information system's security to a review of multiple information security processes in an institution.
  
  A penetration analysis usually involves a team of experts who identify an information system's vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities. Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.
  
  The analysis can apply to any institution with a network, but becomes more important if system access is allowed via an external connection such as the Internet. The analysis should be independent and may be conducted by a trusted third party, qualified internal audit team, or a combination of both. The information security policy should address the frequency and scope of the analysis. In determining the scope of the analysis, items to consider include internal vs. external threats, systems to include in the test, testing methods, and system architectures.
  
  A penetration analysis is a snapshot of the security at a point in time and does not provide a complete guarantee that the system(s) being tested are secure. It can test the effectiveness of security controls and preparedness measures. Depending on the scope of the analysis, the evaluators may work under the same constraints applied to ordinary internal or external users. Conversely, the evaluators may use all system design and implementation documentation. It is common for the evaluators to be given just the IP address of the institution and any other public information, such as a listing of officers, that is normally available to outside hackers. The evaluators may use vulnerability assessment tools and employ some of the attack methods discussed in this paper, such as social engineering and war dialing. After completing the agreed-upon analysis, the evaluators should provide the institution a detailed written report. The report should identify vulnerabilities, prioritize weaknesses, and provide recommendations for corrective action.
  
  FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY

19.3.4 Security of Cryptography Modules

FIPS 140-1, Security Requirements for Cryptographic Modules, specifies the physical and logical security requirements for cryptographic modules. The standard defines four security levels for cryptographic modules, with each level providing a significant increase in security over the preceding level. The four levels allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. The user can select the best module for any given application or system, avoiding the cost of unnecessary security features.

Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s). The proper functioning of the cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering.

19.3.5 Applying Cryptography to Networks

The use of cryptography within networking applications often requires special considerations. In these applications, the suitability of a cryptographic module may depend on its capability for handling special requirements imposed by locally attached communications equipment or by the network protocols and software.

Encrypted information, MACs, or digital signatures may require transparent communications protocols or equipment to avoid being misinterpreted by the communications equipment or software as control information. It may be necessary to format the encrypted information, MAC, or digital signature to ensure that it does not confuse the communications equipment or software. It is essential that cryptography satisfy the requirements imposed by the communications equipment and does not interfere with the proper and efficient operation of the network.

Data is encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. End-to-end encryption is generally performed by the end-user organization. Although data remains encrypted when being passed through a network, routing information remains visible. It is possible to combine both types of encryption.
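The link versus end-to-end distinction above, as an added example written for this newsletter rather than code from the NIST Handbook: a constructed frame (4-byte source, 4-byte destination, payload) is sent both ways, and the functions report what an intermediate router could read. The toy XOR keystream cipher is an assumption so the code runs on the standard library; it stands in for a real cipher such as AES-GCM.

```python
# Added example (not from the NIST Handbook): a simulation of link versus
# end-to-end encryption. The frame layout, keys and the toy cipher are
# constructed for illustration; the cipher stands in for a real one (e.g. AES-GCM).
import hashlib
import os

HEADER_LEN = 8  # constructed frame layout: 4-byte source, 4-byte destination, then payload


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHAKE-256 output XORed with the data) so the example
    runs on the standard library; the same call encrypts and decrypts."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def end_to_end_encrypt(frame: bytes, session_key: bytes, nonce: bytes) -> bytes:
    """The end-user organization encrypts only the payload; routing fields stay readable."""
    return frame[:HEADER_LEN] + toy_xor(session_key, nonce, frame[HEADER_LEN:])


def router_handle_end_to_end(wire: bytes) -> dict:
    """An intermediate node routes on the visible header and holds no key."""
    return {"dst": wire[4:8], "payload_seen": wire[HEADER_LEN:]}


def link_encrypt(frame: bytes, link_key: bytes, nonce: bytes) -> bytes:
    """Link encryption (the service provider) covers the whole frame, routing data included."""
    return toy_xor(link_key, nonce, frame)


def router_handle_link(wire: bytes, in_key: bytes, in_nonce: bytes,
                       out_key: bytes, out_nonce: bytes) -> dict:
    """A node must decrypt the incoming link to read the destination, so the whole
    frame is in clear at the node before it is re-encrypted for the next link."""
    frame = toy_xor(in_key, in_nonce, wire)
    return {"dst": frame[4:8], "payload_seen": frame[HEADER_LEN:],
            "next_wire": link_encrypt(frame, out_key, out_nonce)}


def demo() -> dict:
    """Send one constructed frame both ways and report what the router could see."""
    src, dst, payload = b"BNK1", b"BNK2", b"transfer 250.00 to acct 0099"
    frame = src + dst + payload
    session_key, link_a, link_b = os.urandom(32), os.urandom(32), os.urandom(32)
    n_a, n_b = os.urandom(12), os.urandom(12)
    e2e = router_handle_end_to_end(end_to_end_encrypt(frame, session_key, n_a))
    link = router_handle_link(link_encrypt(frame, link_a, n_a), link_a, n_a, link_b, n_b)
    return {
        "e2e_router_sees_dst": e2e["dst"] == dst,
        "e2e_router_sees_payload": e2e["payload_seen"] == payload,
        "e2e_receiver_recovers": toy_xor(session_key, n_a, e2e["payload_seen"]) == payload,
        "link_router_sees_dst": link["dst"] == dst,
        "link_router_sees_payload": link["payload_seen"] == payload,
        "link_next_hop_is_ciphertext": link["next_wire"] != frame,
        "link_receiver_recovers": toy_xor(link_b, n_b, link["next_wire"]) == frame,
    }
```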


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.