information technology audits
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information, go to
On-site FFIEC IT Audits.
- Cyber-sec biz Fortinet coughs up $545,000 after 'flogging'
rebadged Chinese kit to Uncle Sam – but why so low? We may be able
to explain - Fortinet this week agreed to pay the US government
$545,000 to settle claims it allowed employees to peddle
Chinese-made gear that would eventually end up being illegally
supplied to federal agencies.
Demand pushes CIO Council to increase class size of cyber reskilling
academy - The Federal Cyber Reskilling Academy received so much
interest from federal employees that it expanded the number of
students and went virtual.
Ransomware ravages municipalities nationwide this week -
Municipalities took a beating this week with at least four reporting
being shut down from new ransomware attacks or struggling to recover
from an older incident.
Everything is hackable: The crowd is here to help - The
cybersecurity industry at large is facing a massive skills shortage.
Coupled with a growing attack surface and economically incentivized
adversaries, this skills gap has made it more difficult than ever
for organizations to shore up their defenses.
How hacking threats spurred secret U.S. blacklist - U.S. energy
regulators are pursuing a risky plan to share with electric
utilities a secret "don't buy" list of foreign technology suppliers,
according to multiple sources.
FBI fielded roughly $2.7 billion worth of Internet crime complaints
in 2018 - The FBI’s Internet Crime Complaint Center (IC3) received
nearly 352,000 complaints related to cybercrime activity that
collectively was responsible for $2.7 billion in losses, according
to the agency’s 2018 Internet Crime Report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Malware attack rains on Weather Channel’s parade, disrupts live
broadcast - The Weather Channel is blaming a “malicious software”
attack for knocking its live morning broadcast off the air for
approximately one hour and 39 minutes today.
Chipotle customers stewing over payment card hack - Chipotle is
receiving some negative customer reviews, but not over its food.
Student hacks online school government election - A student running
for class president of Berkley High School in California hacked into
the email accounts of his fellow students in order to swing the
school’s first ever online election his way.
Unauthorized party muscles its way into Bodybuilding.com’s systems -
Fitness retailer Bodybuilding.com last Friday disclosed that an
unauthorized party used a phishing scam to gain access to systems
containing its customer data.
EmCare data breach exposes 60,000 employees, patients - EmCare Inc.
suffered a data breach after several employee email accounts were
accessed by an unauthorized entity, resulting in the compromise of
up to 60,000 individuals’ information.
App leaves over 2 million WiFi network passwords exposed on open
database - More than two million WiFi network passwords were
reportedly left exposed on an open database by the developer of WiFi
Finder, an app designed to help device owners find and log in to
Magecart hackers force turnover, steal data from Atlanta Hawks’
online shop - Cybercriminals using Magecart card-skimming code
attacked the online store of the NBA’s Atlanta Hawks, stealing
customers' names, addresses and payment card numbers.
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service
providers to perform critical e-banking functions lessens bank
management's direct control. Accordingly, a comprehensive process
for managing the risks associated with outsourcing and other
third-party dependencies is necessary. This process should encompass
the third-party activities of partners and service providers,
including the sub-contracting of outsourced activities that may have
a material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive
and ongoing evaluation of outsourcing relationships and other
external dependencies, including the associated implications for the
bank's risk profile and risk management oversight abilities. Board
and senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the
outsourcing or partnership relationship is clearly defined. For
instance, responsibilities for providing information to and
receiving information from the service provider should be clearly
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and
Management Oversight. Next week we will begin the series on the
principles of security controls, which include Authentication,
Non-repudiation, Data and transaction integrity, Segregation of
duties, Authorization controls, Maintenance of audit trails, and
Confidentiality of key bank information.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and
does not include stateful inspection. Packet filter firewalls
evaluate the headers of each incoming and outgoing packet to ensure
it has a valid internal address, originates from a permitted
external address, connects to an authorized protocol or service, and
contains valid basic header instructions. If the packet does not
match the pre-defined policy for allowed traffic, then the firewall
drops the packet. Packet filters generally do not analyze the packet
contents beyond the header information. Dynamic packet filtering
incorporates stateful inspection primarily for performance benefits.
Rather than re-examining every packet against the full rule set, the
firewall checks each packet as it arrives to determine whether it is
part of an existing connection. If it verifies that the packet belongs
to an established connection, then it forwards the packet without
subjecting it to the
Weaknesses associated with packet filtering firewalls include the
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance than
application-level firewalls. The former are appropriate in high-speed
environments where logging and user authentication with network
resources are not important. Packet filter firewalls are also commonly
used in small office/home office (SOHO) systems and default operating
system firewalls.
Institutions internally hosting Internet-accessible services
should consider implementing additional firewall components that
include application-level screening.
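To make the booklet's description concrete, the following is an added
illustration (not part of the FFIEC booklet or this newsletter): a toy
stateless packet filter that decides purely on header fields, a dynamic
(stateful) wrapper that forwards packets of already-established
connections without re-running the rule set, and a check showing the
first weakness listed above, that a packet matching the header policy is
forwarded regardless of what its payload carries. The internal network,
the partner address block and the single permit rule are constructed
sample values; only inbound traffic is modelled.

```python
"""Toy packet filter illustrating header-only (stateless) and dynamic
(stateful) filtering as described in the FFIEC Information Security
Booklet. Added example with constructed addresses and policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Only the fields a packet filter looks at, plus the payload it ignores."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""  # never inspected by the filter below


@dataclass(frozen=True)
class Rule:
    """One permit rule: source block, destination block, protocol, port."""
    src_net: str
    dst_net: str
    proto: str
    dport: int


# Constructed sample values: the institution's internal space and a
# policy permitting HTTPS from one partner /24 to internal web servers.
INTERNAL = ip_network("10.0.0.0/8")
POLICY = [Rule("203.0.113.0/24", "10.0.0.0/8", "tcp", 443)]


def header_permits(pkt, policy=POLICY):
    """Stateless decision: valid internal destination, permitted external
    source, authorised protocol/service. Payload is never read."""
    try:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    except ValueError:
        return False          # unparsable header fields -> drop
    if dst not in INTERNAL:
        return False          # not a valid internal address -> drop
    for rule in policy:
        if (src in ip_network(rule.src_net)
                and dst in ip_network(rule.dst_net)
                and pkt.proto == rule.proto
                and pkt.dport == rule.dport):
            return True       # matches pre-defined allowed traffic
    return False              # default deny


class StatefulFilter:
    """Dynamic packet filter: remembers established connections so later
    packets of the same flow skip the rule walk (the performance benefit
    the booklet mentions)."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.established = set()
        self.rule_checks = 0  # how many times the full policy was evaluated

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.established:
            return "forward (established)"
        self.rule_checks += 1
        if header_permits(pkt, self.policy):
            self.established.add(key)
            return "forward (policy)"
        return "drop"


def payload_blind(pkt):
    """True when the filter would forward this packet and a copy with any
    other payload identically: the header-only weakness from the list."""
    twin = Packet(pkt.src, pkt.dst, pkt.proto, pkt.dport,
                  payload=b"<different application-layer content>")
    return header_permits(pkt) and header_permits(twin)


if __name__ == "__main__":
    fw = StatefulFilter()
    first = Packet("203.0.113.7", "10.1.2.3", "tcp", 443)
    print(fw.decide(first), fw.rule_checks)   # forward (policy) 1
    print(fw.decide(first), fw.rule_checks)   # forward (established) 1
    print(fw.decide(Packet("203.0.113.7", "10.1.2.3", "tcp", 22)))  # drop
    print(payload_blind(first))               # True
```

The `payload_blind` check is the point an auditor would want demonstrated:
because the decision uses only addresses, protocol and port, two packets
that differ only in content receive the same verdict, which is why the
booklet recommends application-level screening in front of internally
hosted Internet-accessible services.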
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Initiating the Risk Assessment
HGA has information
systems that comprise and are intertwined with several different
kinds of assets valuable enough to merit protection. HGA's systems
play a key role in transferring U.S. Government funds to individuals
in the form of paychecks; hence, financial resources are among the
assets associated with HGA's systems. The system components owned
and operated by HGA are also assets, as are personnel information,
contracting and procurement documents, draft regulations, internal
correspondence, and a variety of other day-to-day business
documents, memos, and reports. HGA's assets include intangible
elements as well, such as reputation of the agency and the
confidence of its employees that personal information will be
handled properly and that the wages will be paid on time.
A recent change in the
directorship of HGA has brought in a new management team. Among the
new Chief Information Officer's first actions was appointing a
Computer Security Program Manager who immediately initiated a
comprehensive risk analysis to assess the soundness of HGA's
computer security program in protecting the agency's assets and its
compliance with federal directives. This analysis drew upon prior
risk assessments, threat studies, and applicable internal control
reports. The Computer Security Program Manager also established a
timetable for periodic reassessments.
Since the wide-area
network and mainframe used by HGA are owned and operated by other
organizations, they were not treated in the risk assessment as HGA's
assets. And although HGA's personnel, buildings, and facilities are
essential assets, the Computer Security Program Manager considered
them to be outside the scope of the risk analysis.
After examining HGA's
computer system, the risk assessment team identified specific
threats to HGA's assets, reviewed HGA's and national safeguards
against those threats, identified the vulnerabilities of those
policies, and recommended specific actions for mitigating the
remaining risks to HGA's computer security. The following sections
provide highlights from the risk assessment. The assessment
addressed many other issues at the programmatic and system levels.
However, this chapter focuses on security issues related to the time
and attendance application.