R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 3, 2018

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

Email fraud still a substantial threat to business - Business email compromise still most popular and most effective attack vector. The bulk of email fraud gangs still operate out of Nigeria, according to new research. https://www.scmagazine.com/email-fraud-still-a-substantial-threat-to-business/article/768376/

Lack of cooperation between contractors creates lasting vulnerabilities for DoD, official says - Competition among U.S. weapons makers keeps them from collaborating on cybersecurity problems, and it's causing new and lasting vulnerabilities for the military, a senior U.S. official said Tuesday. https://www.cyberscoop.com/lack-cooperation-contractors-creates-lasting-vulnerabilities-dod-official-says/

Pentagon Tightens Rules for Personal Mobile Devices - A US Defense Department (DoD) policy memo released on May 22, 2018, says that all Pentagon personnel, contractors, and visitors are no longer permitted to have personal mobile devices in areas involved in "processing, handling, or discussion of classified information." https://media.defense.gov/2018/May/22/2001920731/-1/-1/1/PENTAGON-MOBILE-DEVICE-POLICY.PDF

US-CERT - What is home network security? - Home network security refers to the protection of a network that connects devices to each other and to the internet within a home. https://www.us-cert.gov/ncas/tips/ST15-002

Banks Adopt Military-Style Tactics to Fight Cybercrime - In a windowless bunker here, a wall of monitors tracked incoming attacks - 267,322 in the last 24 hours, according to one hovering dial, or about three every second - as a dozen analysts stared at screens filled with snippets of computer code. https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

Cobalt shrugs off arrests, resumes cyberattacks on banks - The arrest of several leaders of the Cobalt cybergang, including its leader, has not stopped the group from launching additional attacks with the most recent being tracked late last week. https://www.scmagazine.com/cobalt-shrugs-off-arrests-resumes-cyberattacks-on-banks/article/769127/

Face, iris scanners gaining ground on fingerprint readers as a security measure - The biometric side of the cybersecurity equation is getting ready to put fingerprint readers in its rear-view mirror as newer technologies coming into the market prove more capable. https://www.scmagazine.com/face-iris-scanners-gaining-ground-on-fingerprint-readers-as-a-security-measure/article/769591/

Cybercriminals on average have seven-day window of opportunity to attack - Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable. https://www.scmagazine.com/cybercriminals-on-average-have-seven-day-window-of-opportunity-to-attack/article/769593/

Court dismisses Kaspersky suits challenging U.S. government ban - A U.S. District Court Judge Wednesday ruled that a ban on Kaspersky Lab products by the U.S. government set to take effect October 1 is constitutional and tossed two lawsuits filed by the Russia-based security firm. https://www.scmagazine.com/court-dismisses-kaspersky-suits-challenging-us-government-ban/article/769596/


FYI - VPNFilter malware with bricking capabilities poses major threat after infecting 500,000+ networking devices - A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world. https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/

Luxury hackers crack Bimmers and Benzes, a tale of BMW's bugs and Mercedes-Benz thugs - Hackers with a taste for some of the finer things in life found a host of vulnerabilities in multiple BMW vehicles while tech-savvy car thieves managed to hack into and steal a Mercedes-Benz in 23 seconds. https://www.scmagazine.com/luxury-hackers-crack-bimmers-and-benzes-a-tale-of-bmws-bugs-and-mercedes-benz-thugs/article/768267/

Coca-Cola hit with insider breach, 8,000 affected - The Coca-Cola Company announced a data breach today possibly affecting about 8,000 workers due to a former employee having in their possession an external hard drive containing employee personal data. https://www.scmagazine.com/coca-cola-hit-with-insider-breach-8000-affected/article/769135/

Canadian banks warn data breach may have affected 90,000 customers - Cybercriminals may have the stolen data of nearly 90,000 customers from two of Canada's largest banks in what appears to be the first significant cyberattack on a Canadian financial institution. https://www.scmagazine.com/canadian-banks-warn-data-breach-may-have-affected-90000-customers/article/769080/


This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)
  Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
  Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
  Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.


FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review the last of a three-part series regarding controls to prevent and detect intrusions.
  8) Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted, and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure their data as well as their network. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of encryption should be proportional to the risk and impact if the data were revealed.
  9) Employee and Contractor Background Checks. Management should ensure that information technology staff, contractors, and others who can make changes to information systems have passed background checks. Management should also periodically revalidate access lists and logon IDs.
  10) Accurate and Complete Records of Users and Activities. Accurate and complete records of users and activities are essential for analysis, recovery, and development of additional security measures, as well as possible legal action. Information of primary importance includes the methods used to gain access, the extent of the intruder's access to systems and data, and the intruder's past and current activities. To ensure that adequate records exist, management should consider collecting information about users and user activities, systems, networks, file systems, and applications. Consideration should be given to protecting and securing this information by locating it in a physical location separate from the devices generating the records, writing the data to a tamperproof device, and encrypting the information both in transit and in storage. The OCC expects banks to limit the use of personally identifiable information collected in this manner for security purposes, and to otherwise comply with applicable law and regulations regarding the privacy of personally identifiable information.
  11) Vendor Management. Banks rely on service providers, software vendors, and consultants to manage networks and operations. In outsourcing situations, management should ensure that contractual agreements are comprehensive and clear with regard to the vendor's responsibility for network security, including its monitoring and reporting obligations. Management should monitor the vendor's performance under the contract, as well as assess the vendor's financial condition at least annually.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 16.2.2 Smart Tokens (2 of 2)
There are other types of protocols, some more sophisticated and some less so. The three types described above are the most common.
 Benefits of Smart Tokens
 Smart tokens offer great flexibility and can be used to solve many authentication problems. The benefits of smart tokens vary, depending on the type used. In general, they provide greater security than memory cards. Smart tokens can solve the problem of electronic monitoring even if the authentication is done across an open network by using one-time passwords.
 1)  One-time passwords. Smart tokens that use either dynamic password generation or challenge-response protocols can create one-time passwords. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different "password" is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)
 2)  Reduced risk of forgery. Generally, the memory on a smart token is not readable unless the PIN is entered. In addition, the tokens are more complex and, therefore, more difficult to forge.
 3)  Multi-application. Smart tokens with electronic interfaces, such as smart cards, provide a way for users to access many computers using many networks with only one log-in. This is further discussed in the Single Log-in section of this chapter. In addition, a single smart card can be used for multiple functions, such as physical access or as a debit card.
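
 The one-time password property in item 1, shown as an added example that is not part of the NIST Handbook text: a challenge-response exchange with both the token and the host side, where a response captured by electronic monitoring is rejected on replay. The use of HMAC-SHA-256, the 8-digit challenge and response, and the names token_response and Host are assumptions made for illustration; the handbook does not specify an algorithm.

```python
import hashlib
import hmac
import secrets


def token_response(key: bytes, challenge: str, digits: int = 8) -> str:
    """Token side: response the user reads off after keying in the challenge."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Host:
    """Host side: issues single-use challenges and checks responses."""

    def __init__(self, key: bytes):
        self._key = key          # same secret as the token (key management)
        self._pending = set()    # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already used
        self._pending.discard(challenge)      # single use, pass or fail
        expected = token_response(self._key, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)             # constructed sample key
    host = Host(key)
    c1 = host.issue_challenge()
    r1 = token_response(key, c1)              # value an eavesdropper could see
    first = host.verify(c1, r1)               # legitimate log-in
    replay_same = host.verify(c1, r1)         # replay against the used challenge
    c2 = host.issue_challenge()
    replay_new = host.verify(c2, r1)          # replay against a fresh challenge
    return {"first": first, "replay_same": replay_same, "replay_new": replay_new}


if __name__ == "__main__":
    print(demo())
```

 The host discards each challenge on first use, so the captured pair fails both when resent as-is and when offered against the next challenge.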
 Problems with Smart Tokens
 Like memory tokens, most of the problems associated with smart tokens relate to their cost, the administration of the system, and user dissatisfaction. Smart tokens are generally less vulnerable to the compromise of PINs because authentication usually takes place on the card. (It is possible, of course, for someone to watch a PIN being entered and steal that card.) Smart tokens cost more than memory cards because they are more complex, particularly challenge-response calculators.
 Need reader/writers or human intervention. Smart tokens can use either an electronic or a human interface. An electronic interface requires a reader, which creates additional expense. Human interfaces require more actions from the user. This is especially true for challenge-response tokens with a manual interface, which require the user to type the challenge into the smart token and the response into the computer. This can increase user dissatisfaction.
 Substantial Administration. Smart tokens, like passwords and memory tokens, require strong administration. For tokens that use cryptography, this includes key management.
 Electronic reader/writers can take many forms, such as a slot in a PC or a separate external device. Most human interfaces consist of a keypad and display.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.