R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 20, 2018

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - Two-factor authentication hackable - Two-factor authentication may not be the panacea of securing access to online accounts that many believe it is as KnowBe4's Kevin Mitnick shows how easily this defensive measure can be spoofed. https://www.scmagazine.com/two-factor-authentication-hackable/article/765135/

RESPONSE - Two-factor authentication is hackable, so what, everything is - I confess, I remain baffled whenever I read the statement, "this can be hacked". In this world, everything can be hacked, given enough time, enough of this and of that. Everything is vulnerable, based on the simple fact that WE are humans and, consequently, we are vulnerable. https://www.scmagazine.com/two-factor-authentication-is-hackable-so-what-everything-is/article/765571/

IBM bans all removable storage, for all staff, everywhere - Risk of ‘financial and reputational damage’ is too high, says CISO - IBM has banned its staff from using removable storage devices. http://www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/

NIS Directive comes into force to boost infrastructure cyber-security - The Security of Network Information Systems (NIS) Directive, which aims to ensure that critical infrastructure is protected from cyber-attacks and computer network failure, has come into force today with fines for non-compliance. https://www.scmagazine.com/nis-directive-comes-into-force-to-boost-infrastructure-cyber-security/article/765121/

NIST adds privacy recommendations to its Risk Management Framework - The National Institute of Standards and Technology has updated its Risk Management Framework (RMF) to cover privacy issues with a focus on helping organizations better understand and protect their member's personally identifiable information (PII). https://www.scmagazine.com/nist-adds-privacy-recommendations-to-its-risk-management-framework/article/764855/

Cybersecurity salaries highest in retail sector - A recent study found cybersecurity salaries in the retail sector are among the highest in the field while those in education and telecommunication are some of the lowest. https://www.scmagazine.com/in-larger-companies-salaries-often-range-from-75000-100000-a-year-while-firms-with-less-than-100-employees-salaries-range-between-50000-75000/article/765482/

Open Source in Your Data Center - What You Should Know - Open-source software started out as a grassroots movement and morphed in a short time into a mega-industry. https://www.scmagazine.com/open-source-in-your-data-center--what-you-should-know/article/761869/

Senate votes 52-47 to preserve net neutrality - After the Federal Communications Commission voted earlier this year to nix net neutrality, the U.S. Senate today passed the Congressional Review Act discharge resolution meant to preserve it. https://www.scmagazine.com/senate-votes-52-47-to-preserve-net-neutrality/article/766457/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Goodyear, Ariz., utility POS system breached - The City of Goodyear, Ariz., is reporting a possible data breach associated with its online utility bill payment system causing the municipality to disable the system while it investigates. https://www.scmagazine.com/goodyear-ariz-utility-pos-system-breached/article/764973/

Chili's got data breached, data breached, data breached - Chili's is informing its customers that between March and April 2018 payment card information was compromised at some of its 1,600 locations and industry execs are giving the restaurant chain props for quickly coming forward once the breach was discovered. https://www.scmagazine.com/chilis-got-data-breached-data-breached-data-breached/article/765792/

Third-party software vulnerability results in Mexican bank heist scoring millions - Mexican authorities are investigating a suspected bank hack that siphoned hundreds of millions of pesos out of at least five banks. https://www.scmagazine.com/mexican-bank-cyberheist-nabs-millions/article/765804/ https://www.bloomberg.com/news/articles/2018-05-13/mexico-says-possible-bank-hack-led-to-large-cash-withdrawals

Police Dept Loses 10 Months of Work to Ransomware. Gets Infected a Second Time! - Ransomware has infected the servers of the Riverside Fire and Police department for the second time in a month. https://www.bleepingcomputer.com/news/security/police-dept-loses-10-months-of-work-to-ransomware-gets-infected-a-second-time/

Data from 3 million Facebook myPersonality app users left exposed for four years - Personal information on more than three million Facebook users who used the now-suspended myPersonality app was exposed online for four years and accessible by anyone who had a username and password publicly available on GitHub, according to an investigation by New Scientist. https://www.scmagazine.com/intimate-data-from-3-million-facebook-mypersonality-app-users-left-exposed-for-four-years/article/765895/

Rail Europe North America discloses breach of e-commerce IT platform - U.S. residents who purchased European train tickets through Rail Europe North America (RENA) may be affected by a nearly three-month data breach/compromise of its e-commerce websites' IT platform that started late last year. https://www.scmagazine.com/rail-europe-north-america-discloses-breach-of-e-commerce-it-platform/article/765919/



WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 5 of 6)

Consumer Education

  The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.
  
  In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. Also in 2006, the FDIC sponsored a symposia series entitled Building Confidence in an E-Commerce World. Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.
  
  In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim, to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.



FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three-part review of controls to prevent and detect intrusions.
  
  Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following: 
  
  1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics. (A method of identifying a person's identity by analyzing a unique physical attribute.) The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan (The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.) for the systems being protected. Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering" whereby intruders pose as authorized users to gain access to bank systems or customer records.
  
  2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, security-related web sites, and the National Infrastructure Protection Center's bi-weekly CyberNotes.
  
  3) Software Integrity. Copies of software and integrity checkers (An integrity checker uses logical analysis to identify whether a file has been changed.) are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file (The signature file contains the information necessary to identify each virus.) to enable identification of new viruses.
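As an added illustration of the integrity checker and "integrity checklist" described in item 3 (this is example code written for this newsletter, not a tool from the OCC bulletin), the script below records a SHA-256 baseline of every file under a directory, then compares the live tree against that stored baseline and reports modified, missing and planted files. The demo builds a small constructed directory in a temp folder and simulates an intrusion; file names such as bin/login and rootkit.so are made up for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_checklist(root):
    """Record the hash of every regular file under root: the 'integrity checklist'."""
    checklist = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            checklist[rel] = hash_file(full)
    return checklist

def check_integrity(root, checklist):
    """Compare the live tree with a stored checklist; report changed, missing and new files."""
    current = build_checklist(root)
    return {
        "modified": sorted(p for p in checklist if p in current and current[p] != checklist[p]),
        "missing": sorted(p for p in checklist if p not in current),
        "added": sorted(p for p in current if p not in checklist),
    }

def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, then tamper with it and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    _write(root, "bin/login", b"original login program")
    _write(root, "config.cfg", b"timeout=30\n")
    stored = json.dumps(build_checklist(root))  # keep this copy off the monitored host
    # Simulated intrusion: a trojaned binary, a deleted config file, a planted file.
    _write(root, "bin/login", b"original login program + backdoor")
    os.remove(os.path.join(root, "config.cfg"))
    _write(root, "rootkit.so", b"planted")
    return check_integrity(root, json.loads(stored))
```

In practice the JSON baseline (and the checking script itself) belongs on read-only or off-network storage, as the bulletin advises, so an intruder who modifies the system cannot also modify the checklist.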


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION

16.2.1 Memory Tokens

 Memory tokens store, but do not process, information. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of memory token is a magnetic striped card, in which a thin stripe of magnetic material is affixed to the surface of a card (e.g., as on the back of credit cards). A common application of memory tokens for authentication to computer systems is the automatic teller machine (ATM) card. This uses a combination of something the user possesses (the card) with something the user knows (the PIN).
 
 Some computer system authentication technologies are based solely on possession of a token, but they are less common. Token-only systems are more likely to be used in other applications, such as for physical access.
 
 Benefits of Memory Token Systems. Memory tokens when used with PINs provide significantly more security than passwords. In addition, memory cards are inexpensive to produce. For a hacker or other would-be masquerader to pretend to be someone else, the hacker must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination (especially since most user IDs are common knowledge).
 
 Another benefit of tokens is that they can be used in support of log generation without the need for the employee to key in a user ID for each transaction or other logged event since the token can be scanned repeatedly. If the token is required for physical entry and exit, then people will be forced to remove the token when they leave the computer. This can help maintain authentication.
 
 Problems With Memory Token Systems. Although sophisticated technical attacks are possible against memory token systems, most of the problems associated with them relate to their cost, administration, token loss, user dissatisfaction, and the compromise of PINs. Most of the techniques for increasing the security of memory token systems relate to the protection of PINs. Many of the techniques discussed in the sidebar on Improving Password Security apply to PINs.
 
 1) Requires special reader. The need for a special reader increases the cost of using memory tokens. The readers used for memory tokens must include both the physical unit that reads the card and a processor that determines whether the card and/or the PIN entered with the card is valid. If the PIN or token is validated by a processor that is not physically located with the reader, then the authentication data is vulnerable to electronic monitoring (although cryptography can be used to solve this problem).
 
 2) Token loss. A lost token may prevent the user from being able to log in until a replacement is provided. This can increase administrative overhead costs.
  
 The lost token could be found by someone who wants to break into the system, or could be stolen or forged. If the token is also used with a PIN, any of the methods described above in password problems can be used to obtain the PIN. Common methods are finding the PIN taped to the card or observing the PIN being entered by the legitimate user. In addition, any information stored on the magnetic stripe that has not been encrypted can be read.
 
 3) User Dissatisfaction. In general, users want computers to be easy to use. Many users find it inconvenient to carry and present a token. However, their dissatisfaction may be reduced if they see the need for increased security.
 
 Attacks on memory-card systems have sometimes been quite creative. One group stole an ATM machine that they installed at a local shopping mall. The machine collected valid account numbers and corresponding PINs, which the thieves used to forge cards. The forged cards were then used to withdraw money from legitimate ATMs.
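The following is an added example, not code from the NIST Handbook, showing the host-side half of a token-plus-PIN scheme of the kind described above: the token identifier is "something the user possesses" and the PIN is "something the user knows", and the controls reflect the PIN-protection and token-loss points in the section. The host stores only a salted PBKDF2 verifier of each PIN, compares in constant time, locks a token after a small number of wrong PINs (MAX_ATTEMPTS is an assumed policy value), and lets a lost token be locked as soon as it is reported. Token identifiers and PINs used in the test are constructed.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # wrong PINs tolerated before the token locks (assumed policy)
PBKDF2_ROUNDS = 100_000   # slows offline guessing if the verifier table leaks

class TokenPinAuthenticator:
    """Host-side check for a possession (token) + knowledge (PIN) scheme.
    Only a salted PBKDF2 verifier of each PIN is stored, never the PIN itself."""

    def __init__(self):
        self._records = {}  # token_id -> salt, verifier, failure count, locked flag

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, token_id, pin):
        salt = os.urandom(16)
        self._records[token_id] = {"salt": salt, "verifier": self._derive(pin, salt),
                                   "failures": 0, "locked": False}

    def report_lost(self, token_id):
        """Lock a token the moment its holder reports it lost or stolen."""
        if token_id in self._records:
            self._records[token_id]["locked"] = True

    def authenticate(self, token_id, pin):
        """Return (ok, reason). Both factors must match; a found or stolen token
        yields at most MAX_ATTEMPTS PIN guesses before it is locked."""
        rec = self._records.get(token_id)
        if rec is None:
            return False, "unknown token"   # unenrolled or forged card
        if rec["locked"]:
            return False, "token locked"
        candidate = self._derive(pin, rec["salt"])
        if hmac.compare_digest(candidate, rec["verifier"]):  # constant-time compare
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked"] = True   # administrator must unlock or re-issue the card
            return False, "token locked"
        return False, "wrong pin"
```

This covers the host's decision only; the section's point about PIN data travelling to a processor that is not co-located with the reader still has to be addressed by encrypting that link.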


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.