|
FFIEC information
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI
- Australia will force tech companies to help cops view encrypted
data - The country's cyber security chief insists it won't involve a
back door to bypass encryption. Australia will reveal in the coming
weeks new laws that will force tech companies to help police access
the encrypted data of suspected criminals, but is ambiguous on how
those powers will work.
https://www.cnet.com/news/australias-new-laws-will-force-tech-companies-to-help-cops-access-suspects-encrypted-data/
An Encryption Upgrade Could Upend Online Payments - At the end of
June, digital credit card transactions are getting a mandatory
encryption upgrade. It's good news - but not if you have an old
device, or depend on a retailer that hasn't completed the
transition.
https://www.wired.com/story/tls-encryption-upgrade-credit-card-online-payments/
Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’ -
According to DHS and other US government documents obtained by
Motherboard, the DHS is continuing to investigate how insecure
commercial aircraft are to cyber attacks, with one research lab
saying hacking a plane may lead to a "catastrophic disaster."
https://motherboard.vice.com/en_us/article/d3kwzx/documents-us-government-hacking-planes-dhs
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Here's a transaction Transamerica regrets: Transgressors swipe
retirees' personal info - 45,000 plan holders hit by crooks, say
corp officials - Updated Financial house Transamerica has admitted
criminals swiped some of its customers' sensitive personal
information, including social security numbers.
http://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/
Chinese gov't hackers snag secret missile plans in Navy contractor
breach - Hackers from the Chinese Ministry of State Security who
broke into the systems of a contractor working for the U.S. Naval
Undersea Warfare Center stole 614GB of sensitive information,
including plans for a supersonic anti-ship missile to be launched
from a submarine.
https://www.scmagazine.com/chinese-govt-hackers-snag-secret-missile-plans-in-navy-contractor-breach/article/772420/
Hackers target payment transfer system at Chile's biggest bank,
'take $10m' - SWIFT-linked system was the target, claim infosec
types - Banco de Chile has become the latest victim in a string of
cyber attacks targeting the payment transfer systems of banks.
http://www.theregister.co.uk/2018/06/11/chile_bank_wiper_prelude_cyberheaist/
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulations clarifies the rules concerning the taking of
credit applications by specifying that application information
entered directly into and retained by a computerized system
qualifies as a written application under this section. If an
institution makes credit application forms available through its
on-line system, it must ensure that the forms satisfy the
requirements.
The regulations also clarify the regulatory requirements that
apply when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
mail.
Return to
the top of the newsletter
FFIEC IT SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Information.
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
Return to the top of
the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
AUTHENTICATION
16.4 Implementing I&A Systems
Some of the important implementation issues for I&A systems include
administration, maintaining authentication, and single log-in.
16.4.1 Administration
Administration of authentication data is a critical element for all
types of authentication systems. The administrative overhead
associated with I&A can be significant. I&A systems need to create,
distribute, and store authentication data. For passwords, this
includes creating passwords, issuing them to users, and maintaining
a password file. Token systems involve the creation and distribution
of tokens/PINs and data that tell the computer how to recognize
valid tokens/PINs. For biometric systems, this includes creating and
storing profiles.
The administrative tasks of creating and distributing
authentication data and tokens can be a substantial. Identification
data has to be kept current by adding new users and deleting former
users. If the distribution of passwords or tokens is not controlled,
system administrators will not know if they have been given to
someone other than the legitimate user. It is critical that the
distribution system ensure that authentication data is firmly linked
with a given individual.
In addition, I&A administrative tasks should address lost or stolen
passwords or tokens. It is often necessary to monitor systems to
look for stolen or shared accounts.
Authentication data needs to be stored securely, as discussed with
regard to accessing password files. The value of authentication data
lies in the data's confidentiality, integrity, and availability. If
confidentiality is compromised, someone may be able to use the
information to masquerade as a legitimate user. If system
administrators can read the authentication file, they can masquerade
as another user. Many systems use encryption to hide the
authentication data from the system administrators.111 If integrity
is compromised, authentication data can be added or the system can
be disrupted. If availability is compromised, the system cannot
authenticate users, and the users may not be able to work.
One method of looking for improperly used accounts is for the
computer to inform users when they last logged on. This allows users
to check if someone else used their account. |
