technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- The Worst Cybersecurity Breaches of 2018 So Far - Looking back at
the first six months of 2018, there haven't been as many government
leaks and global ransomware attacks as there were by this time last
year, but that's pretty much where the good news ends.
BOE Tells U.K. Banks Cyber Attacks Coming, Now Get Ready - Many
U.K. financial firms don’t have a Plan B to fall back on if they’re
hit by a cyber attack. The Bank of England wants to change that.http://biglawbusiness.com/boe-tells-u-k-banks-cyber-attacks-coming-now-get-ready/
Israel charges former employee of NSO Group with cyber crimes - A
former employee of cyber surveillance company NSO Group has been
charged with stealing intellectual property and trying to sell it
for $50 million over the Darknet in a manner that could harm state
security, Israel’s Justice Ministry said.
The IoT Security Skills Gap - It is a well-known fact that IT
security (or as it is more commonly known today, “cybersecurity”)
suffers from an acute shortage of working hands.
London to become home to specialty cybercrime court - The UK
government is establishing a specialized court complex in London
where cybercrime cases will be heard, along with other civil and
property related legal issues.
Stolen legitimate security certificates used to push Plead backdoor
- What is being described as a “highly skilled” cybergang was using
legitimate security certificates stolen from D-Link and Changing
Information Technology to help spread Plead malware.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Timehop deactivates 21 million user accounts
after hackers steal access keys, other data - Timehop has
deauthorized all 21 million of its user accounts after hackers
intruders infiltrated its cloud infrastructure on December 19, 2017,
through a poorly protected admin account pilfered information,
including access keys that could be used to gain entry to the
victims' social media accounts where the app is used to recall posts
from the same date in previous years.
Breach department: Unauthorized party accesses Macys.com and
Bloomingdales.com customer accounts - For nearly two months, an
unauthorized party reportedly used stolen usernames and passwords to
log into the online accounts of certain Macys.com and
Insurers Sue Trustwave for $30M Over '08 Heartland Data Breach -
Lawsuit filed by Lexington Insurance and Beazley Insurance is in
response to a Trustwave legal filing that called their claims
Web biz DomainFactory confirms: We were hacked in January 2018 -
German name 'n' hosting outfit tells customers told to reset
passwords after hacker taunts.
Timehop breach hits 21 million users due to a lack of 2FA on cloud
services - Usernames, email addresses, and social media tokens for
21 million users breached, with 4.7 million phone numbers scooped up
in the process.
Top-ranked Australian university hit by Chinese hackers: media -
Australia’s top-ranked university on Friday said it had spent
several months fighting off a threat to its computer systems, which
media said had been compromised by Chinese hackers.
Malware at nine B&B Hospitality Group restaurants in New York
targeted payment info - Malware on B&B Hospitality Group (B&BHG)
point of sale devices at nine restaurants in the New York City area
may have been used to access payment card data.
Third-party Ticketmaster breach targeted 800-plus e-commerce sites -
The third-party breach that compromised the data of several
Ticketmaster UK customers was part of a larger campaign which
targeted more than 800 e-commerce sites.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
the top of the newsletter
FFIEC IT SECURITY -
We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT) - related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses
the processes, policies, and controls used to ensure authorized
users have prompt access to information. This objective protects
against intentional or accidental attempts to deny legitimate users
access to information and/or systems.
2) Integrity of Data or Systems - System and data integrity
relate to the processes, policies, and controls used to ensure
information has not been altered in an unauthorized manner and that
systems are free from unauthorized manipulation that will compromise
accuracy, completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers
the processes, policies, and controls employed to protect
information of customers and the institution against unauthorized
access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
This chapter first discusses basic criteria that can be used to
decide whether a particular user should be granted access to a
particular system resource. It then reviews the use of these
criteria by those who set policy (usually system-specific policy),
commonly used technical mechanisms for implementing logical access
control, and issues related to administration of access controls.
Controlling access is normally thought of as applying to human
users (e.g., will technical access be provided for user JSMITH to
the file "payroll.dat") but access can be provided to other computer
systems. Also, access controls are often incorrectly thought of as
only applying to files. However, they also protect other system
resources such as the ability to place an outgoing long-distance
phone call through a system modem (as well as, perhaps, the
information that can be sent over such a call). Access controls can
also apply to specific functions within an application and to
specific fields of a file.
17.1 Access Criteria
In deciding whether to permit someone to use a system resource
logical access controls examine whether the user is authorized for
the type of access requested. (Note that this inquiry is usually
distinct from the question of whether the user is authorized to use
the system at all, which is usually addressed in an identification
and authentication process.)
The system uses various criteria to determine if a request for
access will be granted. They are typically used in some combination.
Many of the advantages and complexities involved in implementing and
managing access control are related to the different kinds of user
When determining what kind of technical access to allow to specific
data, programs, devices, and resources, it is important to consider
who will have access and what kind of access they will be allowed.
It may be desirable for everyone in the organization to have access
to some information on the system, such as the data displayed on an
organization's daily calendar of nonconfidential meetings. The
program that formats and displays the calendar, however, might be
modifiable by only a very few system administrators, while the
operating system controlling that program might be directly
accessible by still fewer.