FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - DHS Sets Approach to National Cyber Risk Management Through New Strategy - The Department of Homeland Security has issued a new strategy that outlines measures to detect and manage cybersecurity risk and address changing threats to critical infrastructure and functions.
http://www.executivegov.com/2018/05/dhs-sets-approach-to-national-cyber-risk-management-through-new-strategy/
Mexico central bank to create cyber security unit after hack -
Mexico’s central bank said on Tuesday that it was creating a cyber
security unit, following a hack on a domestic payments system at the
end of April that affected Mexican banks.
https://www.reuters.com/article/us-mexico-cyber/mexico-central-bank-to-create-cyber-security-unit-after-hack-idUSKCN1IG3AB
DHS, DoT team up to secure federal vehicle fleets - The Department
of Homeland Security (DHS) and the Department of Transportation (DoT)
joined forces to create a cybersecurity implementation and
operational primer to secure federal vehicle fleets.
https://www.scmagazine.com/dhs-and-dot-team-up-to-secure-federal-vehicle-fleets/article/767092/
GAO - The National Aeronautics and Space Administration (NASA) has
not yet effectively implemented leading practices for information
technology (IT) management. Specifically, GAO identified weaknesses
in NASA's IT management practices for strategic planning, workforce
planning, governance, and cybersecurity.
https://www.gao.gov/products/GAO-18-337
Flaws in smart pet devices, apps could come back to bite owners -
Fido might be man's best friend, but smart devices designed to track
pets' movements and activity could be your worst enemy if attackers
manage to capitalize on any of the dozen vulnerabilities researchers
recently observed in them.
https://www.scmagazine.com/flaws-in-smart-pet-devices-apps-could-come-back-to-bite-owners/article/767981/
5 Steps to Protect your Business from Ransomware - In 2017,
ransomware became the 5th most common type of malware, with damage
costs reaching $5 billion according to Cybersecurity Ventures.
https://www.scmagazine.com/5-steps-to-protect-your-business-from-ransomware/article/761871/
Pen testers break down bank security flaws - While banks have built
effective barriers for external attacks, researchers warn they have
not done nearly as much work to fight threats on their internal
networks.
https://www.scmagazine.com/pen-testers-break-down-bank-security-flaws/article/767889/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - More than a million distrusted Symantec certs still in use despite deadlines - More than one million distrusted Symantec SSL/TLS certificates are still in use, and failure to replace them will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.
https://www.scmagazine.com/more-than-a-million-distrusted-symantec-certs-still-in-use-despite-deadlines/article/766460/
Securus hacked after reports cops used it for tracking location - A
hacker swiped 2,800 logins and passwords from Securus, the company
Sen. Ron Wyden, D-Ore., recently pilloried for letting law
enforcement track phones.
https://www.scmagazine.com/securus-hacked-after-reports-cops-used-it-for-tracking-location/article/767125/
Speech recognition software firm breach exposes thousands of patient
records - Burlington, Mass.-based speech recognition software firm
Nuance announced the breach of thousands of patient records after a
third party gained unauthorized access.
https://www.scmagazine.com/speech-recognition-software-firm-breach-exposes-thousands-of-patient-records/article/767531/
Former Marvel exec Stan Lee claims Facebook and Instagram accounts
were hacked - Comic-book writer and former Marvel executive Stan Lee
appears to have sent a beacon to assemble his fans and Mark
Zuckerberg after discovering his Instagram and Facebook accounts
were hacked.
https://www.scmagazine.com/stan-lee-claims-facebook-and-instagram-accounts-were-hacked/article/767308/
2,500 students, alumni and staffers affected by University at
Buffalo data breach - The University at Buffalo reported that about
2,700 students, alumni, faculty and staff accounts were compromised
when a third-party vendor was breached.
https://www.scmagazine.com/2500-students-alumni-and-staffers-affected-by-university-at-buffalo-data-breach/article/767284/
TeenSafe app exposes data on more than 10K accounts - Parents
probably don't appreciate the irony – the TeenSafe app they use to
monitor their children's devices instead has left personal
information exposed after a server affiliated with the app and
hosted on AWS was left open to the public.
https://www.scmagazine.com/teensafe-app-exposes-data-on-more-than-10k-accounts/article/767533/
3.2 million LA County 211 records exposed on misconfigured AWS S3 bucket - The Los Angeles County 211 service left about 3.2 million call records on an exposed AWS server that included a wide variety of personally identifiable information on callers along with the sometimes very personal reason they called looking for help.
Corporation Service Company breach exposes PII on 5,678 customers -
Hackers stole the personally identifiable information of 5,678
customers of the Corporation Service Company (CSC), according to a
notice the company sent to the California attorney general's office.
https://www.scmagazine.com/corporation-service-company-breach-exposes-pii-on-5678-customers/article/767991/
Baltimore-based LifeBridge Health breach impacts half a million
patients - Baltimore-based LifeBridge Health is notifying 500,000
patients that their personal information was exposed in a data
breach after an attacker gained access to company servers via one of
its physician practices.
https://www.scmagazine.com/baltimore-based-lifebridge-health-breach-impacts-half-a-million-patients/article/768007/
WEB SITE COMPLIANCE - This week concludes our series on the FDIC's Supervisory Policy on Identity Theft. (Part 6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing
obligation to protect the privacy of customers' nonpublic personal
information. Despite generally strong controls and practices by
financial institutions, methods for stealing personal data and
committing fraud with that data are continuously evolving. The FDIC
treats the theft of personal financial information as a significant
risk area due to its potential to impact the safety and soundness of
an institution, harm consumers, and undermine confidence in the
banking system and economy. The FDIC believes that its collaborative
efforts with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review part
two of three regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more
available components and services than are required for the
performance of necessary functions. Banks maintaining unused
features may unwittingly enable network penetration by increasing
the potential vulnerabilities. To reduce the risk of intrusion,
institutions should use the minimum number of system components and
services to perform the necessary functions.
5) Modem Sweep. While access to a system is typically directed
through a firewall, sometimes modems are attached to the system
directly, perhaps without the knowledge of personnel responsible for
security. Those modems can provide an uncontrolled and unmonitored
area for attack. Modems that present such vulnerabilities should be
identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an attack
is essential to minimize damage. Therefore, management should
consider the use of real-time intrusion detection software.
Generally, this software inspects for patterns or "signatures" that
represent known intrusion techniques or unusual system activities.
It may not be effective against new attack methods or modified
attack patterns. The quality of the software and sophistication of
an attack also may reduce the software's effectiveness. To identify
intrusions that escape software detection, other practices may be
necessary. For example, banks can perform visual examinations and
observations of systems and logs for unexpected or unusual
activities and behaviors as well as manual examinations of hardware.
Since intrusion detection software itself is subject to compromise,
banks should take steps to ensure the integrity of the software
before it is used.
7) Firewalls. Firewalls are an important component of network
security and can be effective in reducing the risk of a successful
attack. The effectiveness of a firewall, however, is dependent on
its design and implementation. Because misconfigurations, operating
flaws, and the means of attack may render firewalls ineffective,
management should consider additional security behind the firewall,
such as intrusion identification and encryption.
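The bulletin's point 6 makes three claims about signature-based intrusion identification: it matches known patterns, it can miss modified versions of those patterns, and the detection software itself must be integrity-checked before it is trusted. The following example, added here and not part of the OCC bulletin, shows all three over a handful of constructed web-server log lines. The signature set, the log lines, and the hash-based integrity check are illustrative assumptions, not a real product's ruleset.

```python
"""Signature-based intrusion identification over constructed access-log
lines, with an integrity check of the signature set before it is used.
Added example, not from the OCC bulletin; all signatures, log lines and
digests are constructed for illustration."""
import hashlib
import hmac
import json
import re
from urllib.parse import unquote

# Constructed signature set: name -> regex for a known intrusion technique.
SIGNATURES = {
    "path-traversal": r"\.\./",
    "sqli-tautology": r"(?i)'\s*or\s+1\s*=\s*1",
    "shell-command": r"(?i)(;|\|)\s*(cat|sh|bash)\b",
}


def signature_digest(signatures: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the signature set.  Record
    this at deployment time and re-check it before every run so that a
    tampered or replaced ruleset is noticed before it is trusted."""
    canonical = json.dumps(signatures, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def load_signatures(signatures: dict, expected_digest: str) -> dict:
    """Refuse to compile a ruleset whose digest does not match the recorded
    one (the bulletin's 'ensure the integrity of the software before use')."""
    if not hmac.compare_digest(signature_digest(signatures), expected_digest):
        raise ValueError("signature set failed integrity check")
    return {name: re.compile(pat) for name, pat in signatures.items()}


def match_line(line: str, compiled: dict, normalize: bool = False) -> list:
    """Names of the signatures that fire on one log line.  With
    normalize=True the line is URL-decoded (twice, to catch double encoding)
    before matching, so an encoded variant of a known pattern is still caught."""
    target = unquote(unquote(line)) if normalize else line
    return [name for name, rx in compiled.items() if rx.search(target)]


def scan(log_lines, compiled: dict, normalize: bool = False) -> dict:
    """Map each triggering log line's index to the signatures it matched."""
    hits = {}
    for i, line in enumerate(log_lines):
        names = match_line(line, compiled, normalize)
        if names:
            hits[i] = names
    return hits


# Constructed access-log lines (not real traffic).  Line 2 is a
# URL-encoded variant of line 1's traversal: a "modified attack pattern".
LOG_LINES = [
    '10.0.0.5 - - [20/May/2018:10:01:02] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/May/2018:10:01:07] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [20/May/2018:10:01:09] "GET /cgi-bin/..%2F..%2Fetc/passwd HTTP/1.1" 404 0',
    "10.0.0.12 - - [20/May/2018:10:02:31] \"GET /login?user=a' OR 1=1-- HTTP/1.1\" 200 90",
]

if __name__ == "__main__":
    digest = signature_digest(SIGNATURES)       # what deployment recorded
    rules = load_signatures(SIGNATURES, digest)
    print("raw match:", scan(LOG_LINES, rules))
    print("normalized match:", scan(LOG_LINES, rules, normalize=True))
```

Run as written, the raw scan catches the plain traversal and the SQL tautology but misses the `%2F`-encoded traversal; the normalized scan catches it. That gap is exactly why the bulletin recommends manual log review alongside signature software. The integrity check is a plain digest comparison; in practice the recorded digest would live somewhere the detection host cannot overwrite.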
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
16.2.2 Smart Tokens (1 of 2)
A smart token expands the functionality of a memory token by
incorporating one or more integrated circuits into the token itself.
When used for authentication, a smart token is another example of
authentication based on something a user possesses (i.e., the token
itself). A smart token typically requires a user also to provide
something the user knows (i.e., a PIN or password) in order to
"unlock" the smart token for use.
There are many different types of smart tokens. In general, smart
tokens can be divided three different ways based on physical
characteristics, interface, and protocols used. These three
divisions are not mutually exclusive.
Physical Characteristics. Smart tokens can be divided into
two groups: smart cards and other types of tokens. A smart card
looks like a credit card, but incorporates an embedded
microprocessor. Smart cards are defined by an International
Organization for Standardization (ISO) standard. Smart tokens that are not
smart cards can look like calculators, keys, or other small portable
objects.
Interface. Smart tokens have either a manual or an
electronic interface. Manual or human interface tokens have displays
and/or keypads to allow humans to communicate with the card. Smart
tokens with electronic interfaces must be read by special
reader/writers. Smart cards, described above, have an electronic
interface. Smart tokens that look like calculators usually have a
manual interface.
Protocol. There are many possible protocols a smart token
can use for authentication. In general, they can be divided into
three categories: static password exchange, dynamic password
generators, and challenge-response.
1) Static tokens work similarly to memory tokens, except that the
users authenticate themselves to the token and then the token
authenticates the user to the computer.
2) A token that uses a dynamic password generator protocol creates
a unique value, for example, an eight-digit number, that changes
periodically (e.g., every minute). If the token has a manual
interface, the user simply reads the current value and then types it
into the computer system for authentication. If the token has an
electronic interface, the transfer is done automatically. If the
correct value is provided, the log-in is permitted, and the user is
granted access to the system.
3) Tokens that use a challenge-response protocol work by having
the computer generate a challenge, such as a random string of
numbers. The smart token then generates a response based on the
challenge. This is sent back to the computer, which authenticates
the user based on the response. The challenge-response protocol is
based on cryptography. Challenge-response tokens can use either
electronic or manual interfaces.
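The two cryptographic protocols above (the dynamic password generator and challenge-response) can be shown concretely. The following example is added here and is not from the NIST Handbook: the dynamic password generator is implemented as the HMAC-based one-time password construction of RFC 4226 with the time-step scheme of RFC 6238 (eight digits, one-minute step, matching the handbook's description), and the challenge-response token answers a random challenge with an HMAC over it. The token secret, clock values and server-side drift tolerance are constructed assumptions; the RFC 4226 test-vector secret is quoted only to check the implementation.

```python
"""Dynamic password generator (HOTP/TOTP, RFC 4226/6238) and HMAC
challenge-response, both sides of each exchange in one file.  Added example,
not from the NIST Handbook; TOKEN_SECRET, the step size and the skew
tolerance are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

TOKEN_SECRET = b"constructed-token-secret-0123456789"  # shared at enrolment
STEP_SECONDS = 60   # handbook: value "changes periodically (e.g., every minute)"
DIGITS = 8          # handbook: "for example, an eight-digit number"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def dynamic_password(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Token side (RFC 6238): the value shown for the current time step."""
    return hotp(secret, now // step)


def verify_dynamic_password(secret: bytes, submitted: str, now: int,
                            step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server side: accept the code for the current step or up to `skew`
    steps either side, to tolerate clock drift between token and server.
    Comparison is constant-time; a stale code outside the window fails."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - skew, counter + skew + 1))


# --- challenge-response ---------------------------------------------------

def issue_challenge() -> bytes:
    """Computer side: a fresh random challenge for every login attempt."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Token side: HMAC-SHA256 over the challenge.  Proves possession of the
    secret without transmitting it; a captured response is useless for any
    other challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Computer side: recompute the expected response and compare."""
    return hmac.compare_digest(token_response(secret, challenge), response)


def challenge_response_login(secret: bytes) -> bool:
    """The whole exchange: computer -> token (challenge), token -> computer
    (response), computer verifies."""
    challenge = issue_challenge()
    response = token_response(secret, challenge)
    return verify_response(secret, challenge, response)


if __name__ == "__main__":
    for t in (0, 59, 60):   # constructed clock values, seconds since epoch
        print(f"t={t:3d}: token shows {dynamic_password(TOKEN_SECRET, t)}")
    print("challenge-response login:", challenge_response_login(TOKEN_SECRET))
    old = issue_challenge()
    replayed = token_response(TOKEN_SECRET, old)
    print("replayed response on new challenge:",
          verify_response(TOKEN_SECRET, issue_challenge(), replayed))
```

The two protocols differ in where freshness comes from: the dynamic password relies on a shared clock (hence the server's drift window), while challenge-response relies on the server's random challenge, so a response captured on the wire cannot be replayed. Both avoid ever sending the token secret, which is the property that distinguishes them from the static password exchange.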