technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- It's FIFA World Cup season, do you know where your cybersecurity
pros are? - With nearly half the world watching the 2018 FIFA World
Cup, which kicks off today, odds are several security professionals
will be looking to sneak a peak at the games, which could be bad for
the security of your business.
Despite advancements, training and fears of breaches, employees
still practice bad cyber hygiene, study - Despite the majority of
consumers being afraid of having their personal data compromised by
a breach, employees are still continuing to engage in risky
Marine Corps weighs wooing older members for new cyber force - The
head of the Marine Corps says it’s time the U.S. military branch
known for its fierce, young warriors becomes a little more mature.
Former CIA developer charged in Vault 7 hacking tools release - A
former CIA employee was charged Monday with 13 counts of violating
the Espionage Act and other laws for leaking the agency's hacking
tools last year that ended up on WikiLeaks.
University of Texas MD Anderson Cancer Center was fined $4.3M for
data breaches - The University of Texas MD Anderson Cancer Center
was fined $4.3 million by the Department of Health and Human
Services Office Civil Rights (OCR) for a series of breaches which
resulted in the loss of 33,000 patient health records in 2012 and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Adidas phishing campaign promises free shoes, offers $50
subscription instead - An Adidas phishing campaign is offering
potential victims a “free” $50 per month subscription via all under
the promise of free shoes.
Wiper attack at Chilean bank provided cover for $10M SWIFT heist -
The real target of a wiper malware attack on Banco de Chile were
transactions on the SWIFT network that resulted in a $10 million
AI startup Clarifai hacked by Russian operatives during Pentagon
Maven project, lawsuit claims - Artificial intelligence startup
Clarifai failed to report that it had been hacked by Russian
operatives while it was working on the Defense Department's Maven
project, according to a lawsuit filed by former Clarifai employee
and Air Force Capt. Amy Liu.
HealthEquity breach exposes PII of 23,000 customers - About 23,000
accounts have been compromised by a data breach that took place at
HealthEquity when an employee fell for a phishing scam.
DDoS attack aimed at Mexican opposition presidential candidate
website during debate - A distributed denial of service (DDoS)
attack on the website opposing a Mexican presidential candidate
Tuesday during a debate, renewed fears that elections around the
globe are vulnerable.
Virginia Department of Environmental Quality website hacked -
Virginia Department of Environmental Quality's website was
compromised by a “malicious party” who gained access to agency
Startup Working on Contentious Pentagon AI Project Was Hacked - A
sign appeared on the door to a stuffy, windowless room at the office
of Manhattan artificial-intelligence startup Clarifai. “Chamber of
secrets,” it read, according to three people who saw it.
Tesla hit by insider saboteur who changed code, exfiltrated data -
Tesla has routed out a saboteur who changed code on internal
products and exfiltrated data to outsiders, damaging company
operations and possibly causing a fire, CEO Elon Musk told employees
in an email.
Errant email exposes PII of Chicago Public School systems students -
A Chicago Public Schools (CPS) worker accidentally emailed private
student information to more than 3,700 families who have students in
Return to the top
of the newsletter
WEB SITE COMPLIANCE - Advertisement
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
the top of the newsletter
FFIEC IT SECURITY -
We continue our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Suspicious Activity Reporting.
National banks are required to report intrusions and other
computer crimes to the OCC and law enforcement by filing a
Suspicious Activity Report (SAR) form and submitting it to the
Financial Crimes Enforcement Network (FinCEN), in accordance with 12
USC 21.11. This reporting obligation exists regardless of whether
the institution has reported the intrusion to the
information-sharing organizations discussed below. For purposes of
the regulation and the SAR form instructions, an "intrusion" is
defined as gaining access to the computer system of a financial
institution to remove, steal, procure or otherwise affect
information or funds of the institution or customers. It also
includes actions that damage, disable, or otherwise affect critical
systems of the institution. For example, distributed denial of
service attaches (DDoS) attacks should be reported on a SAR because
they may temporarily disable critical systems of financial
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
16.4.2 Maintaining Authentication
So far, this chapter has discussed initial authentication only. It
is also possible for someone to use a legitimate user's account
after log-in. Many computer systems handle this problem by logging a
user out or locking their display or session after a certain period
of inactivity. However, these methods can affect productivity and
can make the computer less user-friendly.
16.4.3 Single Log-in
From an efficiency viewpoint, it is desirable for users to
authenticate themselves only once and then to be able to access a
wide variety of applications and data available on local and remote
systems, even if those systems require users to authenticate
themselves. This is known as single log-in. If the access is within
the same host computer, then the use of a modern access control
system (such as an access control list) should allow for a single
log-in. If the access is across multiple platforms, then the issue
is more complicated, as discussed below. There are three main
techniques that can provide single log-in across multiple computers:
host-to-host authentication, authentication servers, and
Host-to-Host Authentication. Under a host-to-host
authentication approach, users authenticate themselves once to a
host computer. That computer then authenticates itself to other
computers and vouches for the specific user. Host-to-host
authentication can be done by passing an identification, a password,
or by a challenge-response mechanism or other one-time password
scheme. Under this approach, it is necessary for the computers to
recognize each other and to trust each other.
Authentication Servers. When using authentication server,
the users authenticate themselves to a special host computer (the
authentication server). This computer then authenticates the user to
other host computers the user wants to access. Under this approach,
it is necessary for the computers to trust the authentication
server. (The authentication server need not be a separate computer,
although in some environments this may be a cost-effective way to
increase the security of the server.) Authentication servers can be
distributed geographically or logically, as needed, to reduce
User-to-Host. A user-to-host authentication approach
requires the user to log-in to each host computer. However, a smart
token (such as a smart card) can contain all authentication data and
perform that service for the user. To users, it looks as though they
were only authenticated once.
Kerberos and SPX are examples of network authentication server
protocols. They both use cryptography to authenticate users to
computers on networks.