information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Trump issues executive order to help grow the U.S. cybersecurity
workforce - President Trump today issued an executive order
directing the creation of various programs to help eliminate the
cybersecurity labor shortage, promote cybersecurity work within the
government and encourage widespread adoption of the cybersecurity
workforce framework created by the National Initiative for
Cybersecurity Education (NICE).
World Password Day: Are we in the Last Days? - As authentication
methods improve and companies like Microsoft declare the end of the
password era is here, some cybersecurity experts argue this may be
one of the last Global Password days to be held.
Cybersecurity executive changes -
From paper compliance to operational compliance - Data privacy has
become an overarching issue top of mind to organizations across
industries and geographies over the past several years.
When’s the last time you looked at your incident response plan? -
Security is broad. That is evident in, for example, the Security
Rule within the Health Insurance Portability and Accountability Act,
a central compliance concern for any organization handling the
health data of U.S. citizens.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wolters Kluwer still down from May 6 cyberattack - The information
services firm Wolters Kluwer has been battling to recover from a
cyberattack that forced the company to shut down many of its tax and
accounting software applications, which is causing issues for those
using the affected products.
Man-in-the-Middle vulnerabilities in D-Link cameras - A series of
vulnerabilities in the D-Link DCS-2132L cloud camera allow attackers
to remotely tap into the video streams of the devices and also
manipulate the device’s firmware.
Job seeker’s data exposed on open Ladders database - The employment
website Ladders exposed almost 14 million user records when it left
an Amazon Elasticsearch database unprotected.
Mystery Database Exposed Info on 80 Million US Households -
Researchers Locate an Unprotected 24 GB Database With Names,
Addresses and Incomes - A mysterious, unsecured database hosted on
Microsoft's cloud platform contained personal information on nearly
80 million U.S. households, according to two researchers who found
Denial of service event impacted U.S. power utility last month - An
apparent cyberattack on March 5 caused disruptions at a western U.S.
electric utility by creating a denial of service condition,
according to an official summary of Electric Disturbance Events
reports processed by the U.S. Department of Energy (DOE) this year.
‘Mirrorthief’ card-skimming attack steals card data from online
college stores - A total of 201 online college stores in the U.S.
and Canada have fallen victim to a Magecart-style card-skimming
attack that appears to be the work of a new cybercrime group with no
clear ties to past Magecart activity.
Buena Vista Horace Mann student data compromised - An unknown number
of students at Buena Vista Horace Mann (BVHM) school in San
Francisco had their information exposed when a district worker
emailed their information to an unauthorized individual.
Baltimore struck with Robbinhood ransomware, city servers down -
Baltimore’s government computer system was hit reportedly with
Robbinhood ransomware yesterday shutting down most of the city’s
servers and forcing the city council to cancel meetings.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 4: Banks should
take appropriate measures to authenticate the identity and
authorization of customers with whom it conducts business over the
Internet. (Part 2 of 2)
The bank must determine which authentication methods to use based
on management's assessment of the risk posed by the e-banking system
as a whole or by the various sub-components. This risk analysis
should evaluate the transactional capabilities of the e-banking
system (e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are
encouraged to monitor and adopt industry sound practice in this area
such as ensuring that:
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
4) Authenticated e-banking sessions remain secure throughout the
full duration of the session or in the event of a security lapse the
session should require re-authentication.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Application - Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific application or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application - level firewalls are:
! The time required to read and interpret each packet slows
network traffic. Traffic of certain types may have to be split off
before the application level firewall and passed through different
! Any particular firewall may provide only limited support for new
network applications and protocols. They also simply may allow
traffic from those applications and protocols to go through the
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Most of HGA's staff (a
mix of clerical, technical, and managerial staff) are provided with
personal computers (PCs) located in their offices. Each PC includes
hard-disk and floppy-disk drives.
The PCs are connected
to a local area network (LAN) so that users can exchange and share
information. The central component of the LAN is a LAN server,
a more powerful computer that acts as an intermediary between PCs on
the network and provides a large volume of disk storage for shared
information, including shared application programs. The server
provides logical access controls on potentially sharable information
via elementary access control lists. These access controls can be
used to limit user access to various files and programs stored on
the server. Some programs stored on the server can be retrieved via
the LAN and executed on a PC; others can only be executed on the
To initiate a session
on the network or execute programs on the server, users at a PC must
log into the server and provide a user identifier and password known
to the server. Then they may use files to which they have access.
One of the applications
supported by the server is electronic mail (e-mail), which
can be used by all PC users. Other programs that run on the server
can only be executed by a limited set of PC users.
distributed throughout HGA's building complex, are connected to the
LAN. Users at PCs may direct printouts to whichever printer is most
convenient for their use.
Since HGA must
frequently communicate with industry, the LAN also provides a
connection to the Internet via a router. The router is a
network interface device that translates between the protocols and
addresses associated with the LAN and the Internet. The router also
performs network packet filtering, a form of network access
control, and has recently been configured to disallow non-e-mail
(e.g., file transfer, remote log-in) between LAN and Internet
The LAN server also has
connections to several other devices.
- A modem pool is
provided so that HGA's employees on travel can "dial up" via
the public switched (telephone) network and read or send
e-mail. To initiate a dial-up session, a user must
successfully log in. During dial-up sessions, the LAN server
provides access only to e-mail facilities; no other
functions can be invoked.
A special console is provided for the server
administrators who configure the server, establish and
delete user accounts, and have other special privileges
needed for administrative and maintenance functions. These
functions can only be invoked from the administrator
console; that is, they cannot be invoked from a PC on
the network or from a dial-up session.
- A connection to a
government agency X.25-based wide-area network (WAN) is
provided so that information can be transferred to or from
other agency systems. One of the other hosts on the WAN is a
large multiagency mainframe system. This mainframe is used
to collect and process information from a large number of
agencies while providing a range of access controls.