technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- Compliance vs. Cybersecurity - Duking It Out When they Should be
Working Together - What should you fear the most� hackers and
malicious actors, or auditors for that pesky compliance status? On
one hand, you have those that will steal sensitive and crucial data
for personal gain. On the other, you have a nitpicky consultant that
will comb over every detail looking to fail your compliance.
43% businesses, 19% of charities hit by data breaches - In a month
from now, the UK will welcome GDPR which will give the ICO more
powers to defend consumer interests and issue fines of up to �17
million or four percent of global turnover on organisations in the
event of data breaches owing to poor cyber-security credentials.
Equifax data breach cost hits $242 million - The massive data breach
that compromised the data of 147.9 million Equifax customers last
year has cost the company more than $242 million in related
expenses, but luckily for the company, much of this cost has been
covered by its cybersecurity insurance.
Ski Lift in Austria Left Control Panel Open on the Internet -
Officials from the city of Innsbruck in Austria have shut down a
local ski lift after two security researchers found its control
panel open wide on the Internet, and allowing anyone to take control
of the ski lift's operational settings.
Fed contractors aren't using DMARC, new study finds - Just one of
the 50 biggest federal IT contractors have adopted an important
email security measure to guard against phishing, according to a new
NYU and NY Cyber Command team up to offer cheap cybersecurity
education and training - Earlier this year NYU Tandon School of
Engineering and New York's Cyber Command (NYC3) joined forces to
announce one of the country's most affordable Cybersecurity Master's
Degree in the form of its NY Cyber Fellows program.
Epidemic of leaky cloud storage 'really frustrating,' says Trend
Micro expert - Data breaches stemming from misconfigured cloud-based
storage servers are utterly preventable, and it's up to the security
community to educate organizations about tools that are readily
available to scan for such mistakes.
Delaware data breach resource site goes live - The state of Delaware
launched a website to assist in the compliance of the state's
updated data breach laws.
Cyberattack map shows impacted U.S. school districts - A group
called the K-12 Cybersecurity Resource Center has created an
interactive incident map that shows all of the school districts in
the U.S. that have been affected by a cyberattack since 2016.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Lock maker offers fixes to prevent hackers from using fake master
keys to open hotel locks - Lock maker Assa Abloy has provided fixes
to address design vulnerabilities in the Vision by VingCard software
for electronic lock systems used by global hotel chains and other
hotels around the world that can be exploited to allow hackers
access to any room in a hotel.
A Loud Noise Knocked Out Computers That Run Stock Exchanges Across
Northern Europe - It seems like computers can do just about anything
these days. They write news articles, (almost) drive cars, and trade
stocks faster than a human ever could. But our future machine
overlords also have weaknesses that makes them seem, in a way,
almost human. For one thing, it turns out they don�t like loud
Massachusetts school district caves to ransomware demand, pays
$10,000 - The Leominster, Mass., school district found itself
compelled to pay a $10,000 ransom after the district was hit with
Student loan borrower files sent to unauthorized party in accidental
breach - The student loan services company Access Group Education
Lending is blaming a third-party business partner for inadvertently
sending loan files containing borrowers' personal information to
another business that was not authorized to receive them.
Zippy's Restaurants suffers POS data breach - The Hawaii-based
Zippy's Restaurants reported that for four months its point-of-sale
system at 25 of its locations had been compromised exposing customer
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our series on
the FDIC's Supervisory Policy on Identity Theft.
3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
the top of the newsletter
FFIEC IT SECURITY -
Over the next few weeks, we will cover the OCC
Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how
to prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks are
increasingly intertwined. The number of reported incidences of
intrusions nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
Problems With Passwords. The security of a password system is
dependent upon keeping passwords secret. Unfortunately, there are
many ways that the secret may be divulged. All of the problems
discussed below can be significantly mitigated by improving password
security, as discussed in the sidebar. However, there is no fix for
the problem of electronic monitoring, except to use more advanced
authentication (e.g., based on cryptographic techniques or tokens).
Guessing or finding passwords. If users select their own
passwords, they tend to make them easy to remember. That often makes
them easy to guess. The names of people's children, pets, or
favorite sports teams are common examples. On the other hand,
assigned passwords may be difficult to remember, so users are more
likely to write them down. Many computer systems are shipped with
administrative accounts that have preset passwords. Because these
passwords are standard, they are easily "guessed." Although security
practitioners have been warning about this problem for years, many
system administrators still do not change default passwords. Another
method of learning passwords is to observe someone entering a
password or PIN. The observation can be done by someone in the same
room or by someone some distance away using binoculars. This is
often referred to as shoulder surfing.
Giving passwords away. Users may share their passwords. They
may give their password to a co-worker in order to share files. In
addition, people can be tricked into divulging their passwords. This
process is referred to as social engineering.
Electronic monitoring. When passwords are transmitted to a
computer system, they can be electronically monitored. This can
happen on the network used to transmit the password or on the
computer system itself. Simple encryption of a password that will be
used again does not solve this problem because encrypting the same
password will create the same ciphertext; the ciphertext becomes the
Accessing the password file. If the password file is not
protected by strong access controls, the file can be downloaded.
Password files are often protected with one-way encryption so that
plain-text passwords are not available to system administrators or
hackers (if they successfully bypass access controls). Even if the
file is encrypted, brute force can be used to learn passwords if the
file is downloaded (e.g., by encrypting English words and comparing
them to the file).
Passwords Used as Access Control. Some mainframe operating
systems and many PC applications use passwords as a means of
restricting access to specific resources within a system. Instead of
using mechanisms such as access control lists, access is granted by
entering a password. The result is a proliferation of passwords that
can reduce the overall security of a system. While the use of
passwords as a means of access control is common, it is an approach
that is often less than optimal and not cost-effective.
Improving Password Security
Password generators. If users are not allowed to generate their
own passwords, they cannot pick easy-to-guess passwords. Some
generators create only pronounceable nonwords to help users remember
them. However, users tend to write down hard-to-remember passwords.
Limits on log-in attempts. Many operating systems can be configured
to lock a user ID after a set number of failed log-in attempts. This
helps to prevent guessing of passwords.
Password attributes. Users can be instructed, or the system
can force them, to select passwords (1) with a certain minimum
length, (2) with special characters, (3) that are unrelated to their
user ID, or (4) to pick passwords, which are not in an on-line
dictionary. This makes passwords more difficult to guess (but more
likely to be written down).
Changing passwords. Periodic changing of passwords can reduce
the damage done by stolen passwords and can make brute-force
attempts to break into systems more difficult. Too frequent changes,
however, can be irritating to users.
Technical protection of the password file. Access control and
one-way encryption can be used to protect the password file itself.