FFIEC information
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to
On-site FFIEC IT Audits.
FYI
- Lawmakers pass stringent California Consumer Privacy Act - After a
rush to get legislation done so a ballot measure slated for the
November election could be pulled by today's withdrawal deadline,
the California State Assembly Thursday passed the California
Consumer Privacy Act of 2018.
https://www.scmagazine.com/lawmakers-pass-stringent-california-consumer-privacy-act/article/777105/
Equifax agrees to cybersecurity regulations set forth by 8 U.S.
States - Equifax agreed to a number of security measures put in
place by financial regulators in eight states in response to the
breach that compromised the personal information of more than 147
million people.
https://www.scmagazine.com/equifax-agrees-to-cybersecurity-regulations-set-forth-by-8-us-states/article/776871/
Women are the future? - There's no doubt that the women's movement,
however you define it, has had a positive effect on the plight of
women in security.
https://www.scmagazine.com/women-are-the-future/article/777069/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Exactis breach exposes 340M records, may compel GDPR-like reg in
U.S. - An exposed database at data broker Exactis exposed nearly 340
million records amounting to around two terabytes of information.
https://www.scmagazine.com/exactis-breach-exposes-340m-records-may-compel-gdpr-like-reg-in-us/article/777059/
Spam and eggs: Red Hen restaurant's website apparently injected with
SEO spam links - The website for the restaurant that recently
refused to host White House Press Secretary Sarah Huckabee Sanders
was found unknowingly hosting hidden code linking to ads for Viagra
and other pharmaceuticals.
https://www.scmagazine.com/spam-and-eggs-red-hen-restaurants-website-apparently-injected-with-seo-spam-links/article/776877/
Ticketmaster Breach Exposes Supply Chain Risks - Ticketmaster is the
latest online vendor to report a breach that is the result of a
third-party widget. Event ticket retailer Ticketmaster publicly
disclosed a data breach at its United Kingdom division on June 27
that involved a subset of its global customer base.
http://www.eweek.com/security/ticketmaster-breach-exposes-supply-chain-risks
Tread carefully: Adidas U.S. retail website breached - Several
million online retail customers of German shoe and apparel
manufacturer Adidas may have had their personal information
compromised in a data breach involving an unauthorized third party.
https://www.scmagazine.com/tread-carefully-adidas-us-retail-website-breached/article/777413/
Facebook quizzes may have exposed 120 million users' personal
information - Facebook's data privacy woes continue to grow as a
security researcher uncovered that the social network's popular "tests" not
only told users which Disney princess they were, but also exposed
the private data of about 120 million people who took the test.
https://www.scmagazine.com/facebook-quizzes-may-have-exposed-120-million-users-personal-information/article/777453/
File-Wiping Malware Placed Inside Gentoo Linux Code After GitHub
Account Hack - An unknown hacker has temporarily taken control over
the GitHub account of the Gentoo Linux organization and embedded
malicious code inside the operating system's distributions that
would delete user files.
https://www.bleepingcomputer.com/news/linux/file-wiping-malware-placed-inside-gentoo-linux-code-after-github-account-hack/
WEB SITE COMPLIANCE -
Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
FFIEC IT SECURITY -
This week we complete our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks with its section on Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
CERT/CC.
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at
admin@fsisac.com or their Web site at http://www.fsisac.com.
The FBI operates the National Infrastructure Protection Center
(NIPC) Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at
nipc@fbi.gov.
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at cert@cert.org.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
On many multiuser
systems, requirements for using (and prohibitions against the use
of) various computer resources vary considerably. Typically, for
example, some information must be accessible to all users, some may
be needed by several groups or departments, and some should be
accessed by only a few individuals. While it is obvious that users
must have access to the information they need to do their jobs, it
may also be required to deny access to non-job-related information.
It may also be important to control the kind of access that is
afforded (e.g., the ability for the average user to execute, but not
change, system programs). These types of access restrictions enforce
policy and help ensure that unauthorized actions are not taken.
Logical access controls provide a technical means of controlling
what information users can utilize, the programs they can run, and
the modifications they can make.
Access is the ability to do something with a computer
resource (e.g., use, change, or view). Access control is the means
by which the ability is explicitly enabled or restricted in some way
(usually through physical and system-based controls). Computer-based
access controls are called logical access controls. Logical access
controls can prescribe not only who or what (e.g., in the case of a
process) is to have access to a specific system resource but also
the type of access that is permitted. These controls may be built
into the operating system, may be incorporated into applications
programs or major utilities (e.g., database management systems or
communications systems), or may be implemented through add-on
security packages. Logical access controls may be implemented
internally to the computer system being protected or may be
implemented in external devices.
The term access is often confused with authorization and
authentication.
- Access is the ability to do something with a computer resource.
This usually refers to a technical ability (e.g., read, create,
modify, or delete a file, execute a program, or use an external
connection).
- Authorization is the permission to use a computer resource.
Permission is granted, directly or indirectly, by the application or
system owner.
- Authentication is proving (to some reasonable degree) that users
are who they claim to be.
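The three terms above are easy to blur in practice, so here is an added example (not text or code from the NIST Handbook) of a small reference monitor that keeps them apart: authentication proves the caller's identity, authorization is a permission the resource owner granted in an access-control list, and access is the technical action the monitor allows only when both checks pass. It also shows the Handbook's own case of an ordinary user who may execute, but not modify, a system program. The user names, passwords, resource names and ACL entries are constructed for the demonstration and are assumptions, not material from the Handbook.

```python
"""
Added example, not text or code from the NIST Handbook: a minimal
reference monitor that keeps Chapter 17's three terms separate.

  authenticate()  proves, to a reasonable degree, that the caller is who
                  they claim to be (a salted password hash check).
  authorize()     looks up the permission the resource owner granted
                  (an access-control list keyed by subject and resource).
  access()        the technical ability to act on the resource, granted
                  only when both of the above succeed.

Users, passwords, resource names and ACL entries are constructed for the
demonstration; none of them come from the Handbook.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Kinds of access named in the Handbook's examples.
ACCESS_TYPES = {"read", "create", "modify", "delete", "execute"}


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset = field(default_factory=frozenset)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, groups=()) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash_password(password, salt), frozenset(groups))


class ReferenceMonitor:
    """Every request passes through access(): authenticate, then authorize, then act."""

    def __init__(self):
        self.accounts = {}   # user name -> Account
        self.acl = {}        # resource -> subject ("alice" or "group:users") -> {access types}
        self.audit = []      # (user, resource, access type, decision)

    def add_account(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def grant(self, resource: str, subject: str, *access_types: str) -> None:
        """Authorization is granted by the resource owner; this is that act of granting."""
        unknown = set(access_types) - ACCESS_TYPES
        if unknown:
            raise ValueError(f"unknown access type(s): {sorted(unknown)}")
        self.acl.setdefault(resource, {}).setdefault(subject, set()).update(access_types)

    def authenticate(self, name: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(name)
        # Hash even for unknown names so a bad user name costs the same as a bad password.
        salt = acct.salt if acct else b"\x00" * 16
        expected = acct.pw_hash if acct else b"\x00" * 32
        if hmac.compare_digest(_hash_password(password, salt), expected) and acct:
            return acct
        return None

    def authorize(self, acct: Account, resource: str, access_type: str) -> bool:
        entries = self.acl.get(resource, {})
        if access_type in entries.get(acct.name, set()):
            return True
        return any(access_type in entries.get(f"group:{g}", set()) for g in acct.groups)

    def access(self, name: str, password: str, resource: str, access_type: str) -> bool:
        """True only when identity is proven AND the owner has granted this access type."""
        acct = self.authenticate(name, password)
        if acct is None:
            self.audit.append((name, resource, access_type, "DENY:unauthenticated"))
            return False
        if not self.authorize(acct, resource, access_type):
            self.audit.append((name, resource, access_type, "DENY:unauthorized"))
            return False
        self.audit.append((name, resource, access_type, "ALLOW"))
        return True


def build_demo() -> ReferenceMonitor:
    """Constructed scenario from the text: ordinary users may run, but not change, a system program."""
    rm = ReferenceMonitor()
    rm.add_account(make_account("alice", "correct horse battery", groups=["users"]))
    rm.add_account(make_account("sysadmin", "staple!2018", groups=["users", "admins"]))
    rm.grant("/bin/payroll", "group:users", "execute")     # everyone may run it
    rm.grant("/bin/payroll", "group:admins", "modify")     # only admins may change it
    rm.grant("/data/loan_files", "alice", "read")          # need-to-know: one user, read only
    return rm


if __name__ == "__main__":
    rm = build_demo()
    print(rm.access("alice", "correct horse battery", "/bin/payroll", "execute"))   # True
    print(rm.access("alice", "correct horse battery", "/bin/payroll", "modify"))    # False
    print(rm.access("sysadmin", "staple!2018", "/bin/payroll", "modify"))           # True
    print(rm.access("alice", "wrong password", "/data/loan_files", "read"))         # False
```

Note that a failed authentication and a missing permission are recorded as different audit outcomes: the first says nothing about what the user may do, only that the system could not confirm who they are, while the second is an authenticated subject asking for an access type the owner never granted. Keeping the two apart is what lets an examiner tell a credential problem from an authorization problem in the logs.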
Logical access controls can help protect:
- operating systems and other system software from unauthorized
modification or manipulation (and thereby help ensure the system's
integrity and availability);
- the integrity and availability of information by restricting the
number of users and processes with access; and
- confidential information from being disclosed to unauthorized
individuals.