technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- Organizations can't just flirt with their disaster plan - A cyber
disaster plan must not only be designed to keep an organization or
business functioning in the wake of a cyberattack, but it also must
be practiced regularly in order to be fully effective, according to
the members of the Disaster Planning Cybersecurity Style panel at
the RiskSec NY conference today.
Are Departing Employees Taking Your Data with Them? - The
off-boarding process is seemingly straightforward: the departing
employee returns all company property, including laptop, mobile
device and building access card.
Still only 1/3 of companies have cyber insurance despite increasing
risks and costs - Despite the Equifax breach costing the company
more than $242 million only about 35 percent of companies have
June 2018 Group Test: Vulnerability management tools - This month we
take a look at the vulnerability management tools, one of the
often-overlooked basics in your security posture.
Lightweight Cryptography - NIST has initiated a process to solicit,
evaluate, and standardize lightweight cryptographic algorithms that
are suitable for use in constrained environments where the
performance of current NIST cryptographic standards is not
Mobile Devs Making the Same Security Mistakes Web Devs Made in the
Early 2000s - Mobile app developers are going through the same
growing pains that the webdev scene has gone through in the 90s and
2000s when improper input validation led to many security incidents.
Florida leads list of states with worst cyber hygiene, New Hampshire
the safest - When it comes to cyber hygiene people who live in the
Northeast are marginally more likely to have good habits, while
those with poor habits are scattered liberally across the country,
according to a new Webroot report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Open AWS S3 bucket exposes info on 50,000 Honda India - Honda Car
India is singing a familiar refrain – an unsecured Amazon AWS 3
bucket, this time actually two servers, exposed the personal
information of tens of thousands of users.
Wide open Apache Airflow server at Universal Music Group contractor
exposes FTP, SQL, AWS credentials - An unsecured Apache Airflow
server at cloud data storage contractor Agilisium exposed internal
FTP credentials, SQL passwords and AWS secret access key and
password information for Universal Music Group.
Two Canadian Banks Warn Customers of Possible Breach - Two Canadian
banks confirmed on Monday that they have been contacted by
‘fraudsters’ claiming to have in their possession personal and
financial information on tens of thousands of customers.
Coca-Cola Suffers Breach at the Hands of Former Employee - The
Coca-Cola company announced a data breach incident this week after a
former employee was found in possession of worker data on a personal
'Cyber incident' leaves Eventbrite-owned Ticketfly offline, ransom
demanded. Eventbrite-owned Ticketfly took its websites offline after
a saying it was “the target of a cyber incident.”
Buffalo Wild Wings apologizes after racist tirade from hacked
account - Buffalo Wild Wings apologized for a series of racist and
vulgar tweets sent from its Twitter account which appears to have
been hacked Friday night.
Cybercriminals phish Booking.com customers after possibly breaching
partner hotels - Cybercriminals recently launched a phishing
campaign targeting Booking.com customers whose information was
illegally obtained, possibly by breaching certain partner hotels,
according to multiple reports.
Rhode Island state agencies hit with malware - Rhode Island state
officials say about 400 of the government's 10,000 computer end
points have been infected with malware.
Atlanta cyberattack destroyed critical police evidence - While
Atlanta city officials have claimed for the last three months the
recent SamSam ransomware has had no effect on public safety, the
city's police chief has revealed the attack compromised critical
Australian bank mistakenly sent data on 10K customers to wrong
domain - After Commonwealth Bank of Australia (CBA) financial staff
inadvertently didn't include an “.au” on a domain name, the bank
exposed information on 10,000 customers to a foreign company.
Human Resources firm PageUp suffers data breach, clients affected -
The Australia-based human resource software firm PageUp has suffered
a data breach that may have revealed information associated with
many of that company's customers, however, the company believes any
information that was exposed was properly encrypted.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer
Act, Regulation E (Part 2 of 2)
Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, OSC regulations provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
Additionally, the regulations clarifies that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the OSC, an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated" is a consumer's authorization via
a home banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
Only the consumer may authorize the transfer and not, for example,
a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure
Threats and Intrusion Risks. This week we review Intrusion Response
Policies and Procedures.
Management should establish, document, and review the policies and
procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with
more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an
intrusion. Actions should address the containment and elimination of
an intrusion and system restoration. Among other issues, containment
actions include a determination of which business processes must
remain operational, which systems may be disconnected as a
precaution, and how to address authentication compromises (e.g.,
revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed
3. The employee's authority to act, whether by request or by
pre-approval, and the process for escalating the intrusion response
to progressively higher degrees of intensity and senior management
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for
those that are responsible for responding to intrusions.
5. System restoration tools and techniques, including the
elimination of the intruder's means of entry and back doors, and the
restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected
systems, users, regulators, incident response organizations, and law
enforcement. Guidelines for filing a Suspicious Activity Report for
suspected computer related crimes are discussed below, and in OCC
Advisory Letter 97-9, "Reporting Computer Related Crimes" (November
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
16.3 I&A Based on Something the User Is
Biometric authentication technologies use the unique
characteristics (or attributes) of an individual to authenticate
that person's identity. These include physiological attributes (such
as fingerprints, hand geometry, or retina patterns) or behavioral
attributes (such as voice patterns and hand-written signatures).
Biometric authentication technologies based upon these attributes
have been developed for computer log-in applications.
Biometric authentication is technically complex and expensive, and
user acceptance can be difficult. However, advances continue to be
made to make the technology more reliable, less costly, and more
Biometric systems can provide an increased level of security for
computer systems, but the technology is still less mature than that
of memory tokens or smart tokens. Imperfections in biometric
authentication devices arise from technical difficulties in
measuring and profiling physical attributes as well as from the
somewhat variable nature of physical attributes. These may change,
depending on various conditions. For example, a person's speech
pattern may change under stressful conditions or when suffering from
a sore throat or cold.
Due to their relatively high cost, biometric systems are typically
used with other authentication means in environments requiring high
Biometric authentication generally operates in the following
Before any authentication attempts, a user is "enrolled" by
creating a reference profile (or template) based on the desired
physical attribute. The resulting template is associated with the
identity of the user and stored for later use.
When attempting authentication, the user's biometric attribute is
measured. The previously stored reference profile of the biometric
attribute is compared with the measured profile of the attribute
taken from the user. The result of the comparison is then used to
either accept or reject the user.