technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- April 12, 2018 - Cyber Insurance: FFIEC Joint Statement on Cyber
Insurance and Its Potential Role in Risk Management Programs - The
Federal Financial Institutions Examination Council, on behalf of its
members, has issued a joint statement that discusses considerations
for financial institutions contemplating the purchase of cyber
insurance as a component of their risk management programs.
April 12, 2018 - FDIC Hosts Use of Technology in the Business of
Banking Forum in Arlington, Virginia - The Federal Deposit Insurance
Corporation will host a forum on the Use of Technology in the
Business of Banking on Monday, May 7, 2018.
Hold the phone: Mystery fake cell towers spotted slurping comms
around Washington DC - US Homeland Security says it detected
'anomalous' spy kit - The US Department of Homeland Security (DHS)
says it has detected strange fake cellphone towers – known as IMSI
catchers – in America's capital.
UK politician admits and apologizes for hacking into opponent's
website 10 years ago - A now high-ranking member of the UK
Conservative Party admitted and apologized for hacking into her
Labour opponent's website to post pro-Tory propaganda, a crime
punishable by up to two years in prison.
GAO report recommends stronger security controls for third parties
that receive Medicare beneficiary data - The U.S. Government
Accountability Office (GAO) last week publicly released a report
warning the Centers for Medicare and Medicaid Services (CMS) has
failed to provide specific security controls guidance to research
organizations with whom it shares Medicare beneficiary data.
Hackers have taken down dozens of 911 centers. Why is it so hard to
stop them? - America’s emergency-response networks remain
dangerously vulnerable to criminals bent on crippling the country’s
U.S. Department of Interior CIO office fails IG cybersecurity
inspection - The U.S. Department of the Interior Office of the Chief
Information Officer (OCIO) essentially received a failing grade from
its own Office of the Inspector General (IG) when it comes to
following NIST for incident detection and response.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Atlanta takes down water department website two weeks after cyber
attack - Atlanta took down its water department website indefinitely
on Thursday, two weeks after a ransomware cyber attack tore through
the city’s computer systems in one of the most disruptive hacks ever
to strike a U.S. local government.
Bot-ched security: Chat system hacked to slurp hundreds of thousands
of Delta Air Lines, Sears customers' bank cards - Hackers are feared
to have swiped sensitive personal information held by two of the
best known companies in the US – after malware infected a customer
support software maker.
Major U.S. pipeline hit by cyberattack on transaction software - A
supply chain cyberattack has disrupted a customer transaction
service for a network of U.S. natural gas companies, according to
multiple news reports.
Best Buy payment info compromised in 7.ai breach; malware
reportedly suspected - Consumer electronics retailer Best Buy on
Thursday became the third major company to acknowledge that a
portion of its customer payment information was exposed in a data
breach of third-party chat and customer engagement services provider
Hackers take over Cisco switches to warn against election
interference - Unidentified hackers misused hundreds of thousands of
Cisco Systems switches to take control of networks across the world
and deliver an ominous warning not to interfere with future U.S.
Botched upgrade at Belgian bank Argenta sparks phishing frenzy -
Belgian bank Argenta has apologised for a botched tech plumbing
upgrade that delayed transfers and confronted customers with
incorrect balance data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We finish our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements
to a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication
measures, users should be properly educated in password selection.
Strong passwords consist of at least six to eight alpha numeric
characters, with no resemblance to any personal data. PINs should
also be unique, with no resemblance to personal data. Neither
passwords nor PINs should ever be reduced to writing or shared with
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can
run through tens of thousands of password variations based on
personal information, such as a user's name or address. It is
preferable to test for such vulnerabilities by running this type of
program as a preventive measure, before an unauthorized party has
the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against
these types of programs. In cases where a potential attacker is
monitoring a network to collect passwords, a system utilizing
one-time passwords would render any data collected useless.
When additional measures are necessary to confirm that passwords
or PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
Physical and environmental security measures rely on and support
the proper functioning of many of the other areas discussed in this
handbook. Among the most important are the following:
Logical Access Controls. Physical security controls augment
technical means for controlling access to information and
processing. Even if the most advanced and best-implemented logical
access controls are in place, if physical security measures are
inadequate, logical access controls may be circumvented by directly
accessing the hardware and storage media. For example, a computer
system may be rebooted using different software.
Contingency Planning. A large portion of the contingency
planning process involves the failure of physical and environmental
controls. Having sound controls, therefore, can help minimize losses
from such contingencies.
Identification and Authentication (I&A). Many physical
access control systems require that people be identified and
authenticated. Automated physical security access controls can use
the same types of I&A as other computer systems. In addition, it is
possible to use the same tokens (e.g., badges) as those used for
other computer-based I&A.
Other. Physical and environmental controls are also closely
linked to the activities of the local guard force, fire house, life
safety office, and medical office. These organizations should be
consulted for their expertise in planning controls for the systems
15.10 Cost Considerations
Costs associated with physical security measures range greatly.
Useful generalizations about costs, therefore, are difficult make.
Some measures, such as keeping a door locked, may be a trivial
expense. Other features, such as fire-detection and -suppression
systems, can be far more costly. Cost considerations should include
operation. For example, adding controlled-entry doors requires
persons using the door to stop and unlock it. Locks also require
physical key management and accounting (and rekeying when keys are
lost or stolen). Often these effects will be inconsequential, but
they should be fully considered. As with other security measures,
the objective is to select those that are cost-beneficial.