FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- April 12, 2018 - Cyber Insurance: FFIEC Joint Statement on Cyber
Insurance and Its Potential Role in Risk Management Programs - The
Federal Financial Institutions Examination Council, on behalf of its
members, has issued a joint statement that discusses considerations
for financial institutions contemplating the purchase of cyber
insurance as a component of their risk management programs.
www.occ.treas.gov/news-issuances/bulletins/2018/bulletin-2018-8.html
April 12, 2018 - FDIC Hosts Use of Technology in the Business of
Banking Forum in Arlington, Virginia - The Federal Deposit Insurance
Corporation will host a forum on the Use of Technology in the
Business of Banking on Monday, May 7, 2018.
www.fdic.gov/news/news/press/2018/pr18025.html
Hold the phone: Mystery fake cell towers spotted slurping comms
around Washington DC - US Homeland Security says it detected
'anomalous' spy kit - The US Department of Homeland Security (DHS)
says it has detected strange fake cellphone towers – known as IMSI
catchers – in America's capital.
http://www.theregister.co.uk/2018/04/03/imsi_catcher_stingray_washington_dc/
UK politician admits and apologizes for hacking into opponent's
website 10 years ago - A now high-ranking member of the UK
Conservative Party admitted and apologized for hacking into her
Labour opponent's website to post pro-Tory propaganda, a crime
punishable by up to two years in prison.
https://www.scmagazine.com/uk-politician-admits-and-apologizes-for-hacking-into-opponents-website-10-years-ago/article/757044/
GAO report recommends stronger security controls for third parties
that receive Medicare beneficiary data - The U.S. Government
Accountability Office (GAO) last week publicly released a report
warning the Centers for Medicare and Medicaid Services (CMS) has
failed to provide specific security controls guidance to research
organizations with whom it shares Medicare beneficiary data.
https://www.scmagazine.com/gao-report-recommends-stronger-security-controls-for-third-parties-that-receive-medicare-beneficiary-data/article/757040/
Hackers have taken down dozens of 911 centers. Why is it so hard to
stop them? - America’s emergency-response networks remain
dangerously vulnerable to criminals bent on crippling the country’s
critical infrastructure.
https://www.nbcnews.com/news/us-news/hackers-have-taken-down-dozens-911-centers-why-it-so-n862206
U.S. Department of Interior CIO office fails IG cybersecurity
inspection - The U.S. Department of the Interior Office of the Chief
Information Officer (OCIO) essentially received a failing grade from
its own Office of the Inspector General (IG) when it comes to
following NIST for incident detection and response.
https://www.scmagazine.com/us-department-of-interior-cio-office-fails-ig-cybersecurity-inspection/article/757547/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Atlanta takes down water department website two weeks after cyber
attack - Atlanta took down its water department website indefinitely
on Thursday, two weeks after a ransomware cyber attack tore through
the city’s computer systems in one of the most disruptive hacks ever
to strike a U.S. local government.
https://www.reuters.com/article/us-usa-cyber-atlanta-water/atlanta-takes-down-water-department-website-two-weeks-after-cyber-attack-idUSKCN1HC2WB
Bot-ched security: Chat system hacked to slurp hundreds of thousands
of Delta Air Lines, Sears customers' bank cards - Hackers are feared
to have swiped sensitive personal information held by two of the
best known companies in the US – after malware infected a customer
support software maker.
http://www.theregister.co.uk/2018/04/05/sears_delta_customer_payment_cards_hacked/
Major U.S. pipeline hit by cyberattack on transaction software - A
supply chain cyberattack has disrupted a customer transaction
service for a network of U.S. natural gas companies, according to
multiple news reports.
https://www.cyberscoop.com/major-u-s-pipeline-disrupted-cyberattack-transaction-software/
Best Buy payment info compromised in [24]7.ai breach; malware
reportedly suspected - Consumer electronics retailer Best Buy on
Thursday became the third major company to acknowledge that a
portion of its customer payment information was exposed in a data
breach of third-party chat and customer engagement services provider
[24]7.ai.
https://www.scmagazine.com/best-buy-payment-info-compromised-in-247ai-breach-malware-reportedly-suspected/article/756692/
Hackers take over Cisco switches to warn against election
interference - Unidentified hackers misused hundreds of thousands of
Cisco Systems switches to take control of networks across the world
and deliver an ominous warning not to interfere with future U.S.
elections.
https://www.scmagazine.com/hackers-take-over-cisco-switches-to-warn-against-election-interference/article/757196/
http://www.theregister.co.uk/2018/04/09/cisco_smart_install_clients_attack_vector/
Botched upgrade at Belgian bank Argenta sparks phishing frenzy -
Belgian bank Argenta has apologised for a botched tech plumbing
upgrade that delayed transfers and confronted customers with
incorrect balance data.
http://www.theregister.co.uk/2018/04/06/belgian_bank_argenta_outage_botched_it_infrastructure_upgrade/
WEB SITE COMPLIANCE - We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
in which the institution claims in its published privacy policy that
it maintains certain minimum information security standards at all
times.
When a financial institution subcontracts weblinking arrangements
to a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
regulations.
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
vendors.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication
measures, users should be properly educated in password selection.
Strong passwords consist of at least six to eight alphanumeric
characters, with no resemblance to any personal data. PINs should
also be unique, with no resemblance to personal data. Neither
passwords nor PINs should ever be reduced to writing or shared with
others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can
run through tens of thousands of password variations based on
personal information, such as a user's name or address. It is
preferable to test for such vulnerabilities by running this type of
program as a preventive measure, before an unauthorized party has
the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against
these types of programs. In cases where a potential attacker is
monitoring a network to collect passwords, a system utilizing
one-time passwords would render any data collected useless.
When additional measures are necessary to confirm that passwords
or PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
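The controls the FDIC text describes (a password policy that rejects choices resembling personal data, a protected password directory, a delay after each incorrect login attempt, and one-time passwords) can be demonstrated in a few dozen lines. The following is an added illustration, not code from the FDIC or from this newsletter; the user name, password and personal-data fields are constructed sample values, the class and function names are hypothetical, and the delay schedule (doubling per failure, capped at 60 seconds) is one reasonable choice rather than a prescribed one. The one-time-password routine follows RFC 4226 (HOTP).

```python
import hashlib
import hmac
import re
import secrets
import struct
import time

# Constructed demonstration values; no real users or secrets are involved.
MIN_PASSWORD_LENGTH = 8          # upper end of the FDIC "six to eight" guidance
PBKDF2_ITERATIONS = 100_000


def password_resembles_personal_data(password, personal_fields):
    """True if any token of three or more characters taken from the user's
    personal data (name, address, ...) appears inside the password, ignoring case."""
    pw = password.lower()
    for field in personal_fields:
        for token in re.findall(r"[a-z0-9]{3,}", field.lower()):
            if token in pw:
                return True
    return False


def check_password_policy(password, personal_fields):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")
    if password_resembles_personal_data(password, personal_fields):
        problems.append("resembles personal data")
    return problems


class PasswordStore:
    """Password directory kept as salted PBKDF2 hashes, never as plaintext."""

    def __init__(self):
        self._records = {}

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._records[user] = (salt, digest)

    def verify(self, user, password):
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


class ThrottledLogin:
    """Imposes a growing delay after each incorrect attempt for a user, so an
    automated guessing program gets only a handful of tries per minute."""

    def __init__(self, store, base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.store = store
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock          # injectable so tests need not sleep
        self._failures = {}         # user -> consecutive failure count
        self._locked_until = {}     # user -> clock time before which attempts are refused

    def delay_for(self, user):
        n = self._failures.get(user, 0)
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def attempt(self, user, password):
        """Return 'ok', 'rejected' (wrong password) or 'delayed' (retried too soon)."""
        now = self.clock()
        if now < self._locked_until.get(user, 0.0):
            return "delayed"
        if self.store.verify(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        self._locked_until[user] = now + self.delay_for(user)
        return "rejected"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226). Each value is valid once, so a
    password captured by someone monitoring the network is useless afterwards."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("jsmith", "x7Qp9rTz")
    login = ThrottledLogin(store)
    print(check_password_policy("Smith2024", ["John Smith", "12 Main St"]))
    print(login.attempt("jsmith", "wrong"), login.attempt("jsmith", "wrong"))
    print(hotp(b"12345678901234567890", 0))
```

The delay is tracked per user rather than per connection, which is what defeats a guessing program that opens a fresh session for every try; in a production system the failure counters would live in shared storage and the same throttling would be applied to the one-time-password check.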
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 15 - PHYSICAL AND ENVIRONMENTAL SECURITY
15.9 Interdependencies
Physical and environmental security measures rely on and support
the proper functioning of many of the other areas discussed in this
handbook. Among the most important are the following:
Logical Access Controls. Physical security controls augment
technical means for controlling access to information and
processing. Even if the most advanced and best-implemented logical
access controls are in place, if physical security measures are
inadequate, logical access controls may be circumvented by directly
accessing the hardware and storage media. For example, a computer
system may be rebooted using different software.
Contingency Planning. A large portion of the contingency
planning process involves the failure of physical and environmental
controls. Having sound controls, therefore, can help minimize losses
from such contingencies.
Identification and Authentication (I&A). Many physical
access control systems require that people be identified and
authenticated. Automated physical security access controls can use
the same types of I&A as other computer systems. In addition, it is
possible to use the same tokens (e.g., badges) as those used for
other computer-based I&A.
Other. Physical and environmental controls are also closely
linked to the activities of the local guard force, fire house, life
safety office, and medical office. These organizations should be
consulted for their expertise in planning controls for the systems
environment.
15.10 Cost Considerations
Costs associated with physical security measures range greatly.
Useful generalizations about costs, therefore, are difficult to make.
Some measures, such as keeping a door locked, may be a trivial
expense. Other features, such as fire-detection and -suppression
systems, can be far more costly. Cost considerations should include
operation. For example, adding controlled-entry doors requires
persons using the door to stop and unlock it. Locks also require
physical key management and accounting (and rekeying when keys are
lost or stolen). Often these effects will be inconsequential, but
they should be fully considered. As with other security measures,
the objective is to select those that are cost-beneficial.