information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Is your organization meeting the cybersecurity “Standard of Care”?
- /CEOs and board members are increasingly under the microscope when
it comes to managing cyber risk. The financial, legal, and
regulatory impact that cyber incidents can have upon organizations
have transformed what was once an “IT problem” into a whole of
We ain't afraid of no 'ghost user': Infosec world tells GCHQ to
GTFO over privacy-busting proposals - Brit spies' idea would
backdoor WhatsApp et al without breaking the crypto - Bruce Schneier,
Richard Stallman and a host of western tech companies including
Microsoft and WhatsApp are pushing back hard against GCHQ proposals
that to add a "ghost user" to encrypted messaging services.
CEO who sold encrypted phones to criminal gangs gets nine years in
prison - Phantom Secure customers included the Sinaloa carter and
the Hells Angels biker gang.
The Marines' Top General Talks About A Changing Corps - Why did Bob
Neller join the Marines? "I needed a job," the top Marine officer
says nonchalantly. He went to Officer Candidate School the summer
before his senior year at the University of Virginia with the
intention of then going to law school.
Huawei ban revoked by science publisher IEEE - The Institute of
Electrical and Electronics Engineers on Sunday reversed restrictions
it had slapped on Huawei last week, letting the Chinese company's
scientists review its papers once again.
Organizations still struggle to manage vulnerability patches, report
- Nearly 27 percent of organizations worldwide have been breached as
a result of an unpatched vulnerability, according to Vulnerability
Premera Blue Cross reaches proposed $72M settlement with 2014 breach
victims - Health insurance company Premera Blue Cross has agreed to
a $72 million proposed settlement that would resolve a contentious
class-action lawsuit stemming from a 2014 data breach affecting
roughly 10.6 million people.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Nonprofit People Inc. info exposed after two
employee email accounts breached - Nonprofit People Inc. has
notified nearly 1,000 of its current and former clients that
personal information was exposed after email accounts of two
employees had been breached.
POS malware swipes payment info from Checkers and Rally’s
restaurants - Just over 100 Checkers and Rally’s fast food joints
and their customers were victimized by a long-running point-of-sale
malware campaign that stole payment card information from purchases
taking place as far back as December 2015, Checkers Drive-In
Restaurants announced in an online breach notification yesterday.
Theta360 leak exposes 11 million photos, user data - An open
database exposed at least 11 million photographs after the Theta360
photo sharing system run by Ricoh was breached.
Nonprofit People Inc. info exposed after two employee email accounts
breached - Nonprofit People Inc. has notified nearly 1,000 of its
current and former clients that personal information was exposed
after email accounts of two employees had been breached.
Breach of bill collection agency may affect 11.9 million Quest
Diagnostics patients - Quest Diagnostics today disclosed that
roughly 11.9 million patients who sought medical testing through its
clinical labs may be affected by the breach of a third-party bill
ANU data breach exposes 19 years of staff and student data -
Australian National University revealed news of a data breach today
that took place in late 2018 compromising the PII of more than
200,000 employees and students who were associated with the school
for the last 19 years.
UChicago Medicine secures database after publicly exposing info on
donors and patients - The University of Chicago Medicine scrambled
to secure a database containing information on patients as well as
existing and potential financial donors, after a researcher
discovered that a misconfiguration left nearly 1.68 million records
exposed to the public.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 8: Banks
should ensure that appropriate measures are in place to protect the
data integrity of e-banking transactions, records and information.
Data integrity refers to the assurance that information that is
in-transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking
may make programming errors or fraudulent activities more difficult
to detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and the
tampering of records. Accordingly, banks should ensure that
appropriate measures are in place to ascertain the accuracy,
completeness and reliability of e-banking transactions, records and
information that is either transmitted over Internet, resident on
internal bank databases, or transmitted/stored by third-party
service providers on behalf of the bank. Common practices used to
maintain data integrity within an e-banking environment include the
1) E-banking transactions should be conducted in a manner that
makes them highly resistant to tampering throughout the entire
2) E-banking records should be stored, accessed and modified in
a manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and
testing procedures, should be in place to protect against any
e-banking system changes that may erroneously or unintentionally
compromise controls or data reliability.
5) Any tampering with e-banking transactions or records should
be detected by transaction processing, monitoring and record keeping
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of its firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control,
good practices include:
! Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
! Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
! Using a ruleset that disallows all traffic that is not
! Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
! Using proxy connections for outbound HTTP connections;
! Filtering malicious code;
! Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
! Logging activity, with daily administrator review;
! Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
! Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
! Limiting administrative access to few individuals; and
! Making changes only through well - administered change control
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Most of the human
threats of concern to HGA originate from insiders. Nevertheless, HGA
also recognizes the need to protect its assets from outsiders. Such
attacks may serve many different purposes and pose a broad spectrum
of risks, including unauthorized disclosure or modification of
information, unauthorized use of services and assets, or
unauthorized denial of services.
As shown in the figure
below, HGA's systems are connected to the three external networks:
(1) the Internet, (2) the Interagency WAN, and (3) the
public-switched (telephone) network. Although these networks are a
source of security risks, connectivity with them is essential to
HGA's mission and to the productivity of its employees; connectivity
cannot be terminated simply because of security risks.
In each of the past few
years before establishing its current set of network safeguards, HGA
had detected several attempts by outsiders to penetrate its systems.
Most, but not all of these, have come from the Internet, and those
that succeeded did so by learning or guessing user account
passwords. In two cases, the attacker deleted or corrupted
significant amounts of data, most of which were later restored from
backup files. In most cases, HGA could detect no ill effects of the
attack, but concluded that the attacker may have browsed through
some files. HGA also conceded that its systems did not have audit
logging capabilities sufficient to track an attacker's activities.
Hence, for most of these attacks, HGA could not accurately gauge the
extent of penetration.
In one case, an
attacker made use of a bug in an e-mail utility and succeeded in
acquiring System Administrator privileges on the server--a
significant breach. HGA found no evidence that the attacker
attempted to exploit these privileges before being discovered two
days later. When the attack was detected, COG immediately contacted
the HGA's Incident Handling Team, and was told that a bug fix had
been distributed by the server vendor several months earlier. To its
embarrassment, COG discovered that it had already received the fix,
which it then promptly installed. It now believes that no subsequent
attacks of the same nature have succeeded.
Although HGA has no
evidence that it has been significantly harmed to date by attacks
via external networks, it believes that these attacks have great
potential to inflict damage. HGA's management considers itself lucky
that such attacks have not harmed HGA's reputation and the
confidence of the citizens its serves. It also believes the
likelihood of such attacks via external networks will increase in