information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- In a first, Moody’s downgrades Equifax’s rating outlook due to
cyberattack - Credit ratings agency Moody’s this week revised its
rating outlook for Equifax, downgrading it from stable to negative
as a result of financial losses stemming from a 2017 data breach.
FEC Gives Green Light for Free Cybersecurity Help in Federal
Elections - Official opinion issued by the Federal Election
Commission to nonprofit Defending Digital Campaigns is good news for
free and reduced-cost security offerings to political candidates and
7 Critical Security Steps to Protect You From an Office 365
Compromise - In August 2018, security researchers announced that
cybercriminals were successfully bypassing Office 365’s Advanced
Threat Protection via a new evolution of phishing – inserting
malware links into SharePoint documents.
Exposed files saw 50 percent uptick in last year - In the year since
the Digital Shadows Photon Research Team released its “Too Much
Information” report, the volume data exposed through online files
stores like Amazon S3 buckets, SMB-enabled file shares, and network
attached storage (NAS) drives increased 50 percent – or 750 million
files – in with researchers finding 2.3 billion files exposed.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- HCL employee, customer files found open to public - The digital
solutions firm HCL left accessible information belonging to some of
its employees and customers.
First American Financial website leaked 885 million documents -
About 885 million documents, including bank account numbers,
mortgage records, Social Security numbers, drivers’ license images
and tax records, have been leaked by First American Financial
Shubert theater company organization shines spotlight on customer
data breach - Theater company The Shubert Organization has
reportedly disclosed a data breach that compromised the personal
information of its theater customers.
Computer virus prompts city to shut down court websites, programs -
Websites and computer programs linked to Philadelphia’s court system
have been shut down since Tuesday afternoon, according to sources.
License plate reader firm breached, data leaked - A threat actor by
the alias “Boris Bullet-Dodger” broke into the database of a company
that provides license plate readers for the U.S. government to use
at the Mexican border.
Events planning company database exposes more than 200,000 records -
Australia-based events planning company Amazingco leaked more than
200,000 records after an Elastic database was left unprotected and
accessible by anybody with a browser.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 7: Banks
should ensure that proper authorization controls and access
privileges are in place for e-banking systems, databases and
In order to maintain segregation of duties, banks need to
strictly control authorization and access privileges. Failure to
provide adequate authorization control could allow individuals to
alter their authority, circumvent segregation and gain access to
e-banking systems, databases or applications to which they are not
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution
with an Internet connection and provide a means of protection
against a variety of attacks. Firewalls should not be relied upon,
however, to provide full protection from attacks. Institutions
should complement firewalls with strong security policies and a
range of other controls. In fact, firewalls are potentially
vulnerable to attacks including:
! Spoofing trusted IP addresses;
! Denial of service by overloading the firewall with excessive
requests or malformed packets;
! Sniffing of data that is being transmitted outside the network;
! Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meet all firewall rules;
! Attacks on unpatched vulnerabilities in the firewall hardware or
! Attacks through flaws in the firewall design providing
relatively easy access to data or services residing on firewall or
proxy servers; and
! Attacks against machines and communications used for remote
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Interruption of Operations
facilities and physical plant are several decades old and are
frequently under repair or renovation. As a result, power, air
conditioning, and LAN or WAN connectivity for the server are
typically interrupted several times a year for periods of up to one
work day. For example, on several occasions, construction workers
have inadvertently severed power or network cables. Fires, floods,
storms, and other natural disasters can also interrupt computer
operations, as can equipment malfunctions.
Another threat of small
likelihood, but significant potential impact, is that of a malicious
or disgruntled employee or outsider seeking to disrupt time-critical
processing (e.g., payroll) by deleting necessary inputs or system
accounts, misconfiguring access controls, planting computer viruses,
or stealing or sabotaging computers or related equipment. Such
interruptions, depending upon when they occur, can prevent time and
attendance data from getting processed and transferred to the
mainframe before the payroll processing deadline.
20.3.4 Disclosure or
Brokerage of Information
Other kinds of threats
may be stimulated by the growing market for information about an
organization's employees or internal activities. Individuals who
have legitimate work-related reasons for access to the master
employee database may attempt to disclose such information to other
employees or contractors or to sell it to private investigators,
employment recruiters, the press, or other organizations. HGA
considers such threats to be moderately likely and of low to high
potential impact, depending on the type of information involved.