FFIEC information technology audits -
As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
Organizations can't just flirt with their disaster plan - A cyber
disaster plan must not only be designed to keep an organization or
business functioning in the wake of a cyberattack, but it also must
be practiced regularly in order to be fully effective, according to
the members of the Disaster Planning Cybersecurity Style panel at
the RiskSec NY conference today.
https://www.scmagazine.com/organizations-cant-just-flirt-with-their-disaster-plan/article/769967/
Are Departing Employees Taking Your Data with Them? - The
off-boarding process is seemingly straightforward: the departing
employee returns all company property, including laptop, mobile
device and building access card.
https://www.scmagazine.com/are-departing-employees-taking-your-data-with-them/article/770915/
Still only 1/3 of companies have cyber insurance despite increasing
risks and costs - Despite the Equifax breach costing the company
more than $242 million only about 35 percent of companies have
cybersecurity insurance.
https://www.scmagazine.com/still-only-13-of-companies-have-cyber-insurance-despite-increasing-risks-and-costs/article/769939/
June 2018 Group Test: Vulnerability management tools - This month we
take a look at the vulnerability management tools, one of the
often-overlooked basics in your security posture.
https://www.scmagazine.com/june-2018-group-test-vulnerability-management-tools/article/770697/
Lightweight Cryptography - NIST has initiated a process to solicit,
evaluate, and standardize lightweight cryptographic algorithms that
are suitable for use in constrained environments where the
performance of current NIST cryptographic standards is not
acceptable.
https://csrc.nist.gov/Projects/Lightweight-Cryptography
Mobile Devs Making the Same Security Mistakes Web Devs Made in the
Early 2000s - Mobile app developers are going through the same
growing pains that the webdev scene has gone through in the 90s and
2000s when improper input validation led to many security incidents.
https://www.bleepingcomputer.com/news/security/mobile-devs-making-the-same-security-mistakes-web-devs-made-in-the-early-2000s/
Florida leads list of states with worst cyber hygiene, New Hampshire
the safest - When it comes to cyber hygiene people who live in the
Northeast are marginally more likely to have good habits, while
those with poor habits are scattered liberally across the country,
according to a new Webroot report.
https://www.scmagazine.com/florida-leads-list-of-states-with-worst-cyber-hygiene-new-hampshire-the-safest/article/771129/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
Open AWS S3 bucket exposes info on 50,000 Honda India - Honda Car
India is singing a familiar refrain – an unsecured Amazon AWS S3
bucket, this time actually two servers, exposed the personal
information of tens of thousands of users.
https://www.scmagazine.com/open-aws-s3-bucket-exposes-info-on-50000-honda-india/article/769964/
Wide open Apache Airflow server at Universal Music Group contractor
exposes FTP, SQL, AWS credentials - An unsecured Apache Airflow
server at cloud data storage contractor Agilisium exposed internal
FTP credentials, SQL passwords and AWS secret access key and
password information for Universal Music Group.
https://www.scmagazine.com/wide-open-apache-airflow-server-at-universal-music-group-contractor-exposes-ftp-sql-aws-credentials/article/769955/
Two Canadian Banks Warn Customers of Possible Breach - Two Canadian
banks confirmed on Monday that they have been contacted by
‘fraudsters’ claiming to have in their possession personal and
financial information on tens of thousands of customers.
https://www.infosecurity-magazine.com/news/two-canadian-banks-warn-customers/
Coca-Cola Suffers Breach at the Hands of Former Employee - The
Coca-Cola company announced a data breach incident this week after a
former employee was found in possession of worker data on a personal
hard drive.
https://www.bleepingcomputer.com/news/security/coca-cola-suffers-breach-at-the-hands-of-former-employee/
'Cyber incident' leaves Eventbrite-owned Ticketfly offline, ransom
demanded - Eventbrite-owned Ticketfly took its websites offline after
saying it was “the target of a cyber incident.”
https://www.scmagazine.com/cyber-incident-leaves-eventbrite-owned-ticketfly-offline-ransom-demanded/article/770512/
Buffalo Wild Wings apologizes after racist tirade from hacked
account - Buffalo Wild Wings apologized for a series of racist and
vulgar tweets sent from its Twitter account which appears to have
been hacked Friday night.
https://www.scmagazine.com/buffalo-wild-wings-apologizes-after-racist-tirade-from-hacked-account/article/770919/
Cybercriminals phish Booking.com customers after possibly breaching
partner hotels - Cybercriminals recently launched a phishing
campaign targeting Booking.com customers whose information was
illegally obtained, possibly by breaching certain partner hotels,
according to multiple reports.
https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/
Rhode Island state agencies hit with malware - Rhode Island state
officials say about 400 of the government's 10,000 computer end
points have been infected with malware.
https://www.scmagazine.com/rhode-island-state-agencies-hit-with-malware/article/771086/
Atlanta cyberattack destroyed critical police evidence - While
Atlanta city officials have claimed for the last three months the
recent SamSam ransomware has had no effect on public safety, the
city's police chief has revealed the attack compromised critical
police evidence.
https://www.scmagazine.com/atlanta-cyberattack-destroyed-critical-police-evidence/article/771087/
Australian bank mistakenly sent data on 10K customers to wrong
domain - After Commonwealth Bank of Australia (CBA) financial staff
inadvertently didn't include an “.au” on a domain name, the bank
exposed information on 10,000 customers to a foreign company.
https://www.scmagazine.com/australian-bank-mistakenly-sent-data-on-10k-customers-to-wrong-domain/article/771026/
Human Resources firm PageUp suffers data breach, clients affected -
The Australia-based human resource software firm PageUp has suffered
a data breach that may have revealed information associated with
many of that company's customers; however, the company believes any
information that was exposed was properly encrypted.
https://www.scmagazine.com/human-resources-firm-pageup-suffers-data-breach-clients-affected/article/771427/
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
Additionally, the regulations clarify that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the OSC, an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated" is a consumer's authorization via
a home banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
institution.
Only the consumer may authorize the transfer and not, for example,
a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review Intrusion Response
Policies and Procedures.
Management should establish, document, and review the policies and
procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with
more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an
intrusion. Actions should address the containment and elimination of
an intrusion and system restoration. Among other issues, containment
actions include a determination of which business processes must
remain operational, which systems may be disconnected as a
precaution, and how to address authentication compromises (e.g.,
revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed
below.
3. The employee's authority to act, whether by request or by
pre-approval, and the process for escalating the intrusion response
to progressively higher degrees of intensity and senior management
involvement.
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for
those that are responsible for responding to intrusions.
5. System restoration tools and techniques, including the
elimination of the intruder's means of entry and back doors, and the
restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected
systems, users, regulators, incident response organizations, and law
enforcement. Guidelines for filing a Suspicious Activity Report for
suspected computer related crimes are discussed below, and in OCC
Advisory Letter 97-9, "Reporting Computer Related Crimes" (November
19, 1997).
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.3 I&A Based on Something the User Is
Biometric authentication technologies use the unique
characteristics (or attributes) of an individual to authenticate
that person's identity. These include physiological attributes (such
as fingerprints, hand geometry, or retina patterns) or behavioral
attributes (such as voice patterns and hand-written signatures).
Biometric authentication technologies based upon these attributes
have been developed for computer log-in applications.
Biometric authentication is technically complex and expensive, and
user acceptance can be difficult. However, advances continue to be
made to make the technology more reliable, less costly, and more
user-friendly.
Biometric systems can provide an increased level of security for
computer systems, but the technology is still less mature than that
of memory tokens or smart tokens. Imperfections in biometric
authentication devices arise from technical difficulties in
measuring and profiling physical attributes as well as from the
somewhat variable nature of physical attributes. These may change,
depending on various conditions. For example, a person's speech
pattern may change under stressful conditions or when suffering from
a sore throat or cold.
Due to their relatively high cost, biometric systems are typically
used with other authentication means in environments requiring high
security.
Biometric authentication generally operates in the following
manner:
Before any authentication attempts, a user is "enrolled" by
creating a reference profile (or template) based on the desired
physical attribute. The resulting template is associated with the
identity of the user and stored for later use.
When attempting authentication, the user's biometric attribute is
measured. The previously stored reference profile of the biometric
attribute is compared with the measured profile of the attribute
taken from the user. The result of the comparison is then used to
either accept or reject the user.
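As an added illustration of the enrollment-then-comparison flow described above (this is not code from the NIST Handbook), the following Python models each biometric measurement as a constructed numeric feature vector, builds a template from several enrollment samples, and shows how the acceptance threshold trades false rejects of a legitimate user whose attribute has varied (the "sore throat" case) against false accepts of an impostor. The feature vectors, thresholds and the Euclidean match score are assumptions chosen for illustration.

```python
"""Biometric enrollment and verification, modelled on the NIST Handbook
description: enroll a reference template, then compare each later
measurement against it and accept or reject based on a tolerance.
Added illustration; measurements are constructed feature vectors, not
output of any real sensor or feature extractor."""
import math


def enroll(samples):
    """Build a reference template by averaging several enrollment
    samples, which smooths the natural variability of the attribute."""
    n = len(samples)
    dims = len(samples[0])
    return [sum(s[i] for s in samples) / n for i in range(dims)]


def match_score(template, measurement):
    """Euclidean distance between stored template and fresh measurement;
    lower means a closer match (assumed scoring, for illustration)."""
    return math.sqrt(sum((t - m) ** 2 for t, m in zip(template, measurement)))


def verify(template, measurement, threshold):
    """Accept when the measurement lies within `threshold` of the template.
    A loose threshold reduces false rejects but admits closer impostors."""
    return match_score(template, measurement) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """False reject rate over genuine attempts and false accept rate over
    impostor attempts at a given threshold."""
    frr = sum(not verify(template, g, threshold) for g in genuine) / len(genuine)
    far = sum(verify(template, i, threshold) for i in impostor) / len(impostor)
    return frr, far


# Constructed data: three enrollment scans of one user, later genuine
# attempts with increasing drift (last one is the "bad day" case), and
# impostor attempts, one of which happens to be fairly close.
ENROLL = [[0.50, 0.30, 0.80], [0.52, 0.28, 0.81], [0.49, 0.31, 0.79]]
GENUINE = [[0.51, 0.30, 0.80], [0.55, 0.27, 0.84], [0.60, 0.40, 0.70]]
IMPOSTOR = [[0.10, 0.90, 0.20], [0.48, 0.35, 0.75], [0.90, 0.10, 0.10]]

if __name__ == "__main__":
    tpl = enroll(ENROLL)
    for thr in (0.05, 0.10, 0.20):
        frr, far = error_rates(tpl, GENUINE, IMPOSTOR, thr)
        print(f"threshold={thr:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

The printed table shows why the Handbook recommends pairing biometrics with another factor: no single threshold drives both error rates to zero on the constructed data.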