FFIEC information
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI - GOP committee chair blasts agency over scathing data security
report - The chairman of the House Science, Space and Technology
Committee blasted a federal agency with oversight of U.S. financial
institutions after a watchdog investigation revealed “systemic
issues” plaguing the agency’s handling and disclosure of data
breaches.
http://thehill.com/policy/cybersecurity/384140-gop-chair-blasts-agency-over-scathing-watchdog-report-on-data-security
Security Experts Warn of New Cyber-Threats to Data Stored in Cloud
- While established cyber-attack vectors, such as malware and
ransomware, continue to be a challenge for IT security pros, a panel
of experts at the SANS Institute detailed new and emerging threats.
http://www.eweek.com/security/security-experts-warn-of-new-cyber-threats-to-data-stored-in-cloud
Doctors at RSA simulate emergency overdose caused by hacked medical
pump - There's a famous axiom about doctors making unusual medical
diagnoses when a more commonplace explanation is more likely: “When
you hear hoofbeats, think of horses, not zebras.”
https://www.scmagazine.com/doctors-at-rsa-simulate-emergency-overdose-caused-by-hacked-medical-pump/article/759885/
FDA Wants Medical Devices to Have Mandatory Built-In Update
Mechanisms - The US Food & Drug Administration plans to ask Congress
for more funding and regulatory powers to improve its approach
towards medical device safety, including on the cybersecurity front.
https://www.bleepingcomputer.com/news/government/fda-wants-medical-devices-to-have-mandatory-built-in-update-mechanisms/
NIST releases updated cybersecurity framework - The National
Institute of Standards and Technology on Monday released a
much-anticipated update to its Cybersecurity Framework, which
provides organizations with guidelines for implementing
cybersecurity practices.
https://www.cyberscoop.com/nist-cybersecurity-framework-version-1-1/
GAO - Cybersecurity: DHS Needs to Enhance Efforts to Improve and
Promote the Security of Federal and Private-Sector Networks.
https://www.gao.gov/products/GAO-18-520T
DHS cyber official calls election security a priority; GAO report
says agency's risk mitigation efforts fall short - The Department of
Homeland Security's chief cybersecurity official Jeanette Manfra
testified in a Congressional committee hearing yesterday that her
agency is "doing everything that we can" to protect the nation's
electoral infrastructure, including prioritizing any state's request
for a voting system risk assessment.
https://www.scmagazine.com/dhs-cyber-official-calls-election-security-a-priority-gao-report-says-agencys-risk-mitigation-efforts-fall-short/article/761188/
At least 432 UK businesses to be affected by NIS cyber-security
regulation - Compliance with new NIS (network and information
systems) regulations that come into force next month could cost
large essential service providers around £278,000 each.
https://www.scmagazine.com/at-least-432-uk-businesses-to-be-affected-by-nis-cyber-security-regulation/article/760985/
Two-thirds of online banking systems in 2017 contained high-risk
vulnerabilities - 75 percent of online banking systems contained
cross-site scripting flaws, 69 percent lacked protection from data
interception, 63 percent had insufficient authorisation, 50 percent
were vulnerable to sensitive data disclosure.
https://www.scmagazine.com/two-thirds-of-online-banking-systems-in-2017-contained-high-risk-vulnerabilities/article/760983/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Social media aggregator LocalBlox leaves 48M records exposed - In
the wake of the Facebook- Cambridge Analytica scandal, social media
data aggregation firm LocalBlox left an AWS bucket misconfigured
revealing 48 million records gleaned from publicly available data on
Facebook, LinkedIn and Twitter profiles.
https://www.scmagazine.com/in-the-wake-of-the-facebook-cambridge-analytica-scandal-social-media-data-aggregation-firm-localblox-left-an-aws-bucket-misconfigured/article/759886/
Ex-employee Sun Trust helps compromise 1.5 million bank clients -
Sun Trust Bank today confirmed it was hit with an insider attack
when a former employee, working with a third party, stole company
contact lists possibly exposing the personal information of up to
1.5 million customers.
https://www.scmagazine.com/ex-employee-sun-trust-helps-compromise-15-million-bank-clients/article/760195/
New hacker group targets US health-care industry, researchers say -
A new hacking group has been spying on health-care organizations in
the United States and across the globe likely for commercial
purposes.
http://thehill.com/policy/cybersecurity/384409-new-hacker-group-targets-us-healthcare-industry-researchers-say
SunTrust Banks ex-employee may have stolen 1.5 million customer
records - The former staff member is suspected of stealing customer
data belonging to the financial company.
https://www.zdnet.com/article/suntrust-banks-ex-employee-may-have-stolen-1-5-million-customer-records/
CCleaner attackers gained access to app developer's network via
TeamViewer - The adversaries who infected 2.27 million machines last
year using a modified version of the computer maintenance app
CCleaner were able to pull off the supply chain attack by gaining
unauthorized access to the developer's network using the remote
desktop access program TeamViewer.
https://www.scmagazine.com/ccleaner-attackers-gained-access-to-app-developers-network-via-teamviewer/article/760838/
WEB SITE COMPLIANCE - This week continues our series on the FDIC's
Supervisory Policy on Identity Theft. (Part 2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
electronically.
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
record.
FFIEC IT SECURITY - This concludes the series from the FDIC "Security
Risks Associated with the Internet." Starting next week, we will begin
covering the OCC Bulletin about Infrastructure Threats and Intrusion
Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
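As an added example (not part of the FDIC text or of this newsletter), the following Python script shows one way an institution can check its own patch currency against vendor advisories and surface the "time delay before a patch" case described above: each asset's installed version is compared with the advisory's fixed version, and an unpatched asset that is past its remediation window is flagged differently depending on whether a mitigating control is on record. The product names, versions, hostnames, advisory identifiers and dates are constructed placeholders for the demonstration, not real vulnerabilities or real advisories.

```python
# Added example, not code from the FDIC paper or this newsletter: a
# patch-currency check that compares an asset inventory with vendor
# advisories and flags hosts that are unpatched past a remediation
# deadline without a recorded mitigating control. All products, versions,
# hosts, advisory IDs and dates below are constructed placeholders.
from dataclasses import dataclass, field
from datetime import date
import re


def parse_version(text):
    """Turn '2.4.41' or '1.0.2k' into a tuple that compares correctly.
    Each dotted component becomes (number, suffix) so 1.0.2k > 1.0.2."""
    parts = []
    for piece in text.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # vendor advisory reference (constructed here)
    product: str
    fixed_in: str         # first version that contains the fix
    published: date


@dataclass
class Asset:
    host: str
    product: str
    version: str
    mitigations: set = field(default_factory=set)  # compensating controls on record


def find_gaps(assets, advisories, today, sla_days=30):
    """Return one finding per (asset, advisory) pair where the installed
    version is below the fixed version. The status answers the examiner's
    question: is the patch overdue, and if so is a mitigating control
    documented for the interim?"""
    findings = []
    for asset in assets:
        installed = parse_version(asset.version)
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if installed >= parse_version(adv.fixed_in):
                continue                          # already at or past the fix
            age = (today - adv.published).days
            if age <= sla_days:
                status = "PATCH_MISSING"          # still inside the window
            elif asset.mitigations:
                status = "OVERDUE_MITIGATED"      # past window, control on record
            else:
                status = "OVERDUE_NO_MITIGATION"  # past window, nothing compensating
            findings.append({
                "host": asset.host,
                "product": asset.product,
                "advisory": adv.advisory_id,
                "days_outstanding": age,
                "status": status,
            })
    return findings


# Constructed sample inventory and advisories for the demonstration.
SAMPLE_ADVISORIES = [
    Advisory("ADV-2018-001", "webserver", "2.4.41", date(2018, 3, 1)),
    Advisory("ADV-2018-002", "tls-lib", "1.0.2k", date(2018, 4, 10)),
]
SAMPLE_ASSETS = [
    Asset("web01", "webserver", "2.4.41"),                   # current
    Asset("web02", "webserver", "2.4.39"),                   # overdue, no control
    Asset("web03", "webserver", "2.4.39", {"waf-rule-17"}),  # overdue, mitigated
    Asset("app01", "tls-lib", "1.0.2"),                      # missing, inside window
]


def demo():
    """Run the check over the constructed sample as of a fixed date."""
    return find_gaps(SAMPLE_ASSETS, SAMPLE_ADVISORIES, date(2018, 4, 20))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']:6} {f['advisory']:13} {f['days_outstanding']:3}d {f['status']}")
```

The "OVERDUE_NO_MITIGATION" line is the one an examiner will ask about; "OVERDUE_MITIGATED" still needs a dated ticket showing when the vendor fix is expected, since a compensating control is an interim measure, not a substitute for the patch.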
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many
other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of
recent security discussions within the technology industry. While it
is not their only application, these languages allow computer
programs to be attached to Web pages. As such, more appealing and
interactive Web pages can be created, but this function may also
allow unauthorized programs to be automatically downloaded to a
user's computer. To date, few incidents have been reported of harm
caused by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint,
such as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
VI. Viruses
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
For most applications, trade-offs will have to be made among
security, ease of use, and ease of administration, especially in
modern networked environments.
While it may appear that any of these three means (something the user
knows, something the user has, or something the user is) could provide
strong authentication, there are problems associated with each. If
people want to pretend to be someone else on a computer system, they
can guess or learn that individual's password; they can also steal or
fabricate tokens. Each method also has drawbacks for legitimate users
and system administrators: users forget passwords and may lose tokens,
and the administrative overhead of keeping track of I&A data and
tokens can be substantial. Biometric systems have significant
technical, user acceptance, and cost problems as well.
This section explains current I&A technologies and their benefits
and drawbacks as they relate to the three means of authentication.
Although some of the technologies make use of cryptography because
it can significantly strengthen authentication, the explanations of
cryptography appear in Chapter 19, rather than in this chapter.
16.1 I&A Based on Something the User Knows
The most common form of I&A is a user ID coupled with a password.
This technique is based solely on something the user knows. There
are other techniques besides conventional passwords that are based
on knowledge, such as knowledge of a cryptographic key.
16.1.1 Passwords
In general, password systems work by requiring the user to enter a
user ID and password (or pass phrase or personal identification
number). The system compares the password to a previously stored
password for that user ID. If there is a match, the user is
authenticated and granted access.
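An added example (not from the NIST Handbook or this newsletter) of the comparison step just described, written the way it should be implemented rather than the way the sentence reads: the system keeps a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) instead of the password itself, compares in constant time, does the same hashing work for an unknown user ID so the response time does not reveal which IDs exist, and locks the ID after repeated failures. The iteration count, lockout threshold and sample user are illustrative choices, not a mandated configuration.

```python
# Added example, not code from the NIST Handbook or this newsletter.
# Shows the "compare the password to a previously stored password" step
# done safely: store a salted PBKDF2 hash, compare in constant time,
# equalise work for unknown user IDs, and lock after repeated failures.
import hashlib
import hmac
import os

ITERATIONS = 310_000   # PBKDF2 work factor (illustrative; tune to your hardware)
SALT_BYTES = 16
MAX_FAILURES = 5       # lockout threshold (illustrative)
_DUMMY_SALT = os.urandom(SALT_BYTES)   # used only to equalise timing


def _derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 of the password; this is what is stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    """In-memory stand-in for the system's credential table."""

    def __init__(self):
        self._records = {}

    def add_user(self, user_id, password):
        """Store salt, work factor and hash; the password itself is never kept."""
        salt = os.urandom(SALT_BYTES)
        self._records[user_id] = {
            "salt": salt,
            "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS),
            "failures": 0,
        }

    def is_locked(self, user_id):
        record = self._records.get(user_id)
        return record is not None and record["failures"] >= MAX_FAILURES

    def verify(self, user_id, password):
        """The I&A check. Returns True only for a known, unlocked user ID
        whose password reproduces the stored hash."""
        record = self._records.get(user_id)
        if record is None:
            # Unknown ID: do the same hashing work, then refuse. A fast
            # "no such user" reply would tell an attacker which IDs exist.
            _derive(password, _DUMMY_SALT, ITERATIONS)
            return False
        if record["failures"] >= MAX_FAILURES:
            return False   # locked out; an administrator must reset
        candidate = _derive(password, record["salt"], record["iterations"])
        # Constant-time comparison so a partial match leaks nothing via timing.
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1
        return False


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse battery staple")     # constructed sample
    print(store.verify("alice", "correct horse battery staple"))  # True
    print(store.verify("alice", "password1"))                     # False
    print(store.verify("mallory", "anything"))                    # False
```

Storing the iteration count with each record is what lets the work factor be raised later without invalidating existing users: old records keep verifying with their recorded count and can be re-hashed at the next successful login.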
Benefits of Passwords. Passwords have been successfully
providing security for computer systems for a long time. They are
integrated into many operating systems, and users and system
administrators are familiar with them. When properly managed in a
controlled environment, they can provide effective security.