R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 28, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI
- Cyber-sec biz Fortinet coughs up $545,000 after 'flogging' rebadged Chinese kit to Uncle Sam – but why so low? We may be able to explain - Fortinet this week agreed to pay the US government $545,000 to settle claims it allowed employees to peddle Chinese-made gear that would eventually end up being illegally supplied to federal agencies. https://www.theregister.co.uk/2019/04/17/doj_fortinet_case/

Demand pushes CIO Council to increase class size of cyber reskilling academy - The Federal Cyber Reskilling Academy received so much interest from federal employees that it expanded the number of students and went virtual. https://federalnewsnetwork.com/training/2019/04/demand-pushes-cio-council-to-increase-class-size-of-cyber-reskilling-academy/

Ransomware ravages municipalities nationwide this week - Municipalities took a beating this week with at least four reporting being shut down from new ransomware attacks or struggling to recover from an older incident. https://www.scmagazine.com/home/security-news/ransomware/ransomware-ravages-municipalities-nationwide-this-week/

Everything is hackable: The crowd is here to help - The cybersecurity industry at large is facing a massive skills shortage. Coupled with a growing attack surface and economically incentivized adversaries, this skills gap has made it more difficult than ever for organizations to shore up their defenses. https://www.scmagazine.com/home/opinion/executive-insight/everything-is-hackable-the-crowd-is-here-to-help/

How hacking threats spurred secret U.S. blacklist - U.S. energy regulators are pursuing a risky plan to share with electric utilities a secret "don't buy" list of foreign technology suppliers, according to multiple sources. https://www.eenews.net/stories/1060176111

FBI fielded roughly $2.7 billion worth of Internet crime complaints in 2018 - The FBI’s Internet Crime Complaint Center (IC3) received nearly 352,000 complaints related to cybercrime activity that collectively was responsible for $2.7 billion in losses, according to the agency’s 2018 Internet Crime Report. https://www.scmagazine.com/home/security-news/fbi-fielded-roughly-2-7-billion-worth-of-internet-crime-complaints-in-2018/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Malware attack rains on Weather Channel’s parade, disrupts live broadcast - The Weather Channel is blaming a “malicious software” attack for knocking its live morning broadcast off the air for approximately one hour and 39 minutes today. https://www.scmagazine.com/home/security-news/malware-attack-rains-on-weather-channels-parade-disrupts-live-broadcast/

Chipotle customers stewing over payment card hack - Chipotle is receiving some negative customer reviews, but not over its food. https://www.scmagazine.com/home/retail/chipotle-customers-stewing-over-payment-card-hack/

Student hacks online school government election - A student running for class president of Berkley High School in California hacked into the email accounts of his fellow students in order to swing the school’s first ever online election his way. http://www.scmagazine.com/home/security-news/election-2016-cybersecurity-insights/student-hacks-online-school-government-election/

Unauthorized party muscles its way into Bodybuilding.com’s systems - Fitness retailer Bodybuilding.com last Friday disclosed that an unauthorized party used a phishing scam to gain access to systems containing its customer data. https://www.scmagazine.com/home/security-news/unauthorized-party-muscles-its-way-into-bodybuilding-coms-systems/

EmCare data breach exposes 60,000 employees, patients - EmCare Inc. suffered a data breach after several employee email accounts were accessed by an unauthorized entity, resulting in the compromise of up to 60,000 individuals’ information. https://www.scmagazine.com/home/security-news/data-breach/emcare-data-breach-exposes-60000-employees-patients/

App leaves over 2 million WiFi network passwords exposed on open database - More than two million WiFi network passwords were reportedly left exposed on an open database by the developer of WiFi Finder, an app designed to help device owners find and log in to hotspots. https://www.scmagazine.com/home/security-news/app-leaves-over-2-million-wifi-network-passwords-exposed-on-open-database/

Magecart hackers force turnover, steal data from Atlanta Hawks’ online shop - Cybercriminals using Magecart card-skimming code attacked the online store of the NBA’s Atlanta Hawks, stealing customers’ names, addresses and payment card numbers. https://www.scmagazine.com/home/security-news/cybercrime/magecart-hackers-force-a-turnover-steal-from-atlanta-hawks-online-shop/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
   
   
Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.
   
   Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.
   
   Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.
   
   Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:
   
   1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.
   
   2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.
   
   3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.
   
   4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.
   
   5) Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.
   
   This is the last of three principles regarding Board and Management Oversight.  Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
  

  Packet Filter Firewalls
  
  Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for allowed traffic, then the firewall drops the packet. Packet filters generally do not analyze the packet contents beyond the header information. Dynamic packet filtering incorporates stateful inspection primarily for performance benefits. Before re-examining every packet, the firewall checks each packet as it arrives to determine whether it is part of an existing connection. If it verifies that the packet belongs to an established connection, then it forwards the packet without subjecting it to the firewall ruleset.
  
  Weaknesses associated with packet filtering firewalls include the following:
  
  ! The system is unable to prevent attacks that employ application specific vulnerabilities and functions because the packet filter cannot examine packet contents.
  
  ! Logging functionality is limited to the same information used to make access control decisions.
  
  ! Most do not support advanced user authentication schemes.
  
  ! Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.
  
  ! The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.
  
  Packet filtering offers less security, but faster performance than application-level firewalls. The former are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.
  
  Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
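The following Python model is an added illustration of the packet filter behaviour described above; it is not code from the FFIEC booklet or from Yennik, Inc. It runs the same constructed packets through a stateless filter and a dynamic (stateful) one so the differences the text names are visible: the stateful filter forwards packets of an established connection without consulting the ruleset (fewer rule evaluations, and stray mid-connection packets with no handshake are dropped), while neither mode looks past the header, so a packet whose header matches an allow rule is forwarded whatever its payload carries. The address range, interface names, ruleset and packets are all constructed assumptions.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed internal address range (assumption)


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" (Internet side) or "int"
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN without ACK, i.e. a new connection attempt
    payload: bytes = b""  # application data: present, but never examined by the filter


# Constructed ruleset: (arrival interface, protocol, destination port) that is allowed.
# None matches any port. Anything not matched is dropped (default deny).
ALLOW_RULES = [
    ("ext", "tcp", 443),   # Internet clients may reach the internal HTTPS server
    ("ext", "tcp", 25),    # inbound mail
    ("int", "tcp", None),  # internal hosts may start any outbound TCP session
    ("int", "udp", 53),    # internal hosts may query external DNS
]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class PacketFilter:
    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.connections = set()   # established 5-tuples, stored in both directions
        self.rules_evaluated = 0   # full ruleset lookups, to show the performance effect

    def _header_check(self, pkt: Packet):
        """Stateless decision from header fields only: address sanity, then the ruleset."""
        self.rules_evaluated += 1
        if pkt.proto not in ("tcp", "udp") or not (0 < pkt.sport < 65536 and 0 < pkt.dport < 65536):
            return "drop", "malformed header"
        # Anti-spoofing: packets from the Internet must not claim an internal source
        # and must be addressed to an internal host; internal packets must carry an internal source.
        if pkt.iface == "ext" and (is_internal(pkt.src) or not is_internal(pkt.dst)):
            return "drop", "invalid address for external interface"
        if pkt.iface == "int" and not is_internal(pkt.src):
            return "drop", "invalid internal source address"
        for iface, proto, port in ALLOW_RULES:
            if iface == pkt.iface and proto == pkt.proto and port in (None, pkt.dport):
                return "forward", "matched allow rule"
        return "drop", "no matching rule"

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def filter(self, pkt: Packet):
        """Return (action, reason). The payload is never inspected, as with real packet filters."""
        if self.stateful:
            if self._key(pkt) in self.connections:
                # Belongs to an established connection: forwarded without the ruleset.
                return "forward", "established connection"
            if pkt.proto == "tcp" and not pkt.syn:
                return "drop", "non-SYN packet with no connection state"
        action, reason = self._header_check(pkt)
        if action == "forward" and self.stateful:
            # Record both directions so the reply traffic is recognised as established.
            self.connections.add(self._key(pkt))
            self.connections.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return action, reason


def demo():
    """Run constructed traffic through both modes; returns decisions keyed by scenario."""
    client_syn = Packet("ext", "tcp", "203.0.113.7", 51000, "10.0.0.5", 443, syn=True)
    server_reply = Packet("int", "tcp", "10.0.0.5", 443, "203.0.113.7", 51000)
    # Same connection as client_syn, now carrying application data (constructed placeholder).
    app_data = Packet("ext", "tcp", "203.0.113.7", 51000, "10.0.0.5", 443,
                      payload=b"<application-layer request: placeholder>")
    stray_ack = Packet("ext", "tcp", "203.0.113.8", 51003, "10.0.0.5", 443)  # no handshake seen
    spoofed = Packet("ext", "tcp", "10.0.0.9", 51001, "10.0.0.5", 443, syn=True)
    telnet = Packet("ext", "tcp", "203.0.113.7", 51002, "10.0.0.5", 23, syn=True)

    results = {}
    for mode in ("stateless", "stateful"):
        fw = PacketFilter(stateful=(mode == "stateful"))
        results[mode] = {
            "client_syn": fw.filter(client_syn)[0],
            "server_reply": fw.filter(server_reply)[0],
            "app_data": fw.filter(app_data)[0],
            "stray_ack": fw.filter(stray_ack)[0],
            "spoofed": fw.filter(spoofed)[0],
            "telnet": fw.filter(telnet)[0],
            "rules_evaluated": fw.rules_evaluated,
        }
    return results


if __name__ == "__main__":
    for mode, decisions in demo().items():
        print(mode, decisions)
```

Both modes forward `app_data` because its header matches the HTTPS allow rule; that is the first weakness in the list above, and the reason the booklet recommends application-level screening in front of internally hosted Internet-facing services. Only the stateful filter drops `stray_ack`, and it consults the ruleset three times against six for the stateless filter over the same traffic.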



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.1 Initiating the Risk Assessment

HGA has information systems that comprise and are intertwined with several different kinds of assets valuable enough to merit protection. HGA's systems play a key role in transferring U.S. Government funds to individuals in the form of paychecks; hence, financial resources are among the assets associated with HGA's systems. The system components owned and operated by HGA are also assets, as are personnel information, contracting and procurement documents, draft regulations, internal correspondence, and a variety of other day-to-day business documents, memos, and reports. HGA's assets include intangible elements as well, such as reputation of the agency and the confidence of its employees that personal information will be handled properly and that the wages will be paid on time.

A recent change in the directorship of HGA has brought in a new management team. Among the new Chief Information Officer's first actions was appointing a Computer Security Program Manager who immediately initiated a comprehensive risk analysis to assess the soundness of HGA's computer security program in protecting the agency's assets and its compliance with federal directives. This analysis drew upon prior risk assessments, threat studies, and applicable internal control reports. The Computer Security Program Manager also established a timetable for periodic reassessments.

Since the wide-area network and mainframe used by HGA are owned and operated by other organizations, they were not treated in the risk assessment as HGA's assets. And although HGA's personnel, buildings, and facilities are essential assets, the Computer Security Program Manager considered them to be outside the scope of the risk analysis.

After examining HGA's computer system, the risk assessment team identified specific threats to HGA's assets, reviewed HGA's and national safeguards against those threats, identified the vulnerabilities of those policies, and recommended specific actions for mitigating the remaining risks to HGA's computer security. The following sections provide highlights from the risk assessment. The assessment addressed many other issues at the programmatic and system levels. However, this chapter focuses on security issues related to the time and attendance application.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.