technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- GOP committee chair blasts agency over scathing data security
report - The chairman of the House Science, Space and Technology
Committee blasted a federal agency with oversight of U.S. financial
institutions after a watchdog investigation revealed “systemic
issues” plaguing the agency’s handling and disclosure of data
Security Experts Warn of New Cyber-Threats to Data Stored in Cloud
- While established cyber-attack vectors, such as malware and
ransomware, continue to be a challenge for IT security pros, a panel
of experts at the SANS Institute detailed new and emerging threats.
Doctors at RSA simulate emergency overdose caused by hacked medical
pump - There's a famous axiom about doctors making unusual medical
diagnoses when a more commonplace explanation is more likely: “When
you hear hoofbeats, think of horses not zebras.
FDA Wants Medical Devices to Have Mandatory Built-In Update
Mechanisms - The US Food & Drug Administration plans to ask Congress
for more funding and regulatory powers to improve its approach
towards medical device safety, including on the cybersecurity front.
NIST releases updated cybersecurity framework - The National
Institute of Standards and Technology on Monday released a
much-anticipated update to its Cybersecurity Framework, which
provides organizations with guidelines for implementing
GAO - Cybersecurity: DHS Needs to Enhance Efforts to Improve and
Promote the Security of Federal and Private-Sector Networks.
DHS cyber official calls election security a priority; GAO report
says agency's risk mitigation efforts fall short - The Department of
Homeland Security's chief cybersecurity official Jeanette Manfra
testified in a Congressional committee hearing yesterday that her
agency is "doing everything that we can" to protect the nation's
electoral infrastructure, including prioritizing any state's request
for a voting system risk assessment.
At least 432 UK businesses to be affected by NIS cyber-security
regulation - Compliance with new NIS (network and information
systems) regulations that come into force next month could cost
large essential service providers around £278,000 each.
Two-thirds of online banking systems in 2017 contained high-risk
vulnerabilities - 75 percent of online banking systems contained
cross-site scripting flaws, 69 percent lacked protection from data
interception, 63 percent had insufficient authorisation, 50 percent
were vulnerable to sensitive data disclosure.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Social media aggregator LocalBlox leaves 48M records exposed - In
the wake of the Facebook- Cambridge Analytica scandal, social media
data aggregation firm LocalBlox left an AWS bucket misconfigured
revealing 48 million records gleaned from publicly available data on
Facebook, LinkedIn and Twitter profiles.
Ex-employee Sun Trust helps compromise 1.5 million bank clients -
Sun Trust Bank today confirmed it was hit with an insider attack
when a former employee, working with a third party, stole company
contact lists possibly exposing the personal information of up to
1.5 million customers.
New hacker group targets US health-care industry, researchers say -
A new hacking group has been spying on health-care organizations in
the United States and across the globe likely for commercial
SunTrust Banks ex-employee may have stolen 1.5 million customer
records - The former staff member is suspected of stealing customer
data belonging to the financial company.
CCleaner attackers gained access to app developer's network via
TeamViewer - The adversaries who infected 2.27 million machines last
year using a modified version of the computer maintenance app
CCleaner were able to pull off the supply chain attack by gaining
unauthorized access to the developer's network using the remote
desktop access program TeamViewer.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our series on
the FDIC's Supervisory Policy on Identity Theft.
2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
the top of the newsletter
FFIEC IT SECURITY -
This concludes the
series from the FDIC "Security Risks Associated with the Internet."
Starting next week, we will begin covering the OCC Bulletin
about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e‑mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many
other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of
recent security discussions within the technology industry. While it
is not their only application, these languages allow computer
programs to be attached to Web pages. As such, more appealing and
interactive Web pages can be created, but this function may also
allow unauthorized programs to be automatically downloaded to a
user's computer. To date, few incidents have been reported of harm
caused by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint,
such as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
For most applications, trade-offs will have to be made among
security, ease of use, and ease of administration, especially in
modern networked environments.
While it may appear that any of these means could provide strong
authentication, there are problems associated with each. If people
wanted to pretend to be someone else on a computer system, they can
guess or learn that individual's password; they can also steal or
fabricate tokens. Each method also has drawbacks for legitimate
users and system administrators: users forget passwords and may lose
tokens, and administrative overhead for keeping track of I&A data
and tokens can be substantial. Biometric systems have significant
technical, user acceptance, and cost problems as well.
This section explains current I&A technologies and their benefits
and drawbacks as they relate to the three means of authentication.
Although some of the technologies make use of cryptography because
it can significantly strengthen authentication, the explanations of
cryptography appear in Chapter 19, rather than in this chapter.
16.1 I&A Based on Something the User Knows
The most common form of I&A is a user ID coupled with a password.
This technique is based solely on something the user knows. There
are other techniques besides conventional passwords that are based
on knowledge, such as knowledge of a cryptographic key.
In general, password systems work by requiring the user to enter a
user ID and password (or pass phrase or personal identification
number). The system compares the password to a previously stored
password for that user ID. If there is a match, the user is
authenticated and granted access.
Benefits of Passwords. Passwords have been successfully
providing security for computer systems for a long time. They are
integrated into many operating systems, and users and system
administrators are familiar with them. When properly managed in a
controlled environment, they can provide effective security.