FFIEC information technology audits -
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- The Worst Cybersecurity Breaches of 2018 So Far - Looking back at
the first six months of 2018, there haven't been as many government
leaks and global ransomware attacks as there were by this time last
year, but that's pretty much where the good news ends.
https://www.wired.com/story/2018-worst-hacks-so-far/
BOE Tells U.K. Banks Cyber Attacks Coming, Now Get Ready - Many
U.K. financial firms don’t have a Plan B to fall back on if they’re
hit by a cyber attack. The Bank of England wants to change that.
http://biglawbusiness.com/boe-tells-u-k-banks-cyber-attacks-coming-now-get-ready/
Israel charges former employee of NSO Group with cyber crimes - A
former employee of cyber surveillance company NSO Group has been
charged with stealing intellectual property and trying to sell it
for $50 million over the Darknet in a manner that could harm state
security, Israel’s Justice Ministry said.
https://www.reuters.com/article/us-cyber-israel-nso/israel-charges-former-employee-of-nso-group-with-cyber-crimes-idUSKBN1JV18E
The IoT Security Skills Gap - It is a well-known fact that IT
security (or as it is more commonly known today, “cybersecurity”)
suffers from an acute shortage of working hands.
https://www.scmagazine.com/the-iot-security-skills-gap/article/772982/
London to become home to specialty cybercrime court - The UK
government is establishing a specialized court complex in London
where cybercrime cases will be heard, along with other civil and
property related legal issues.
https://www.scmagazine.com/london-to-become-home-to-specialty-cybercrime-court/article/778505/
Stolen legitimate security certificates used to push Plead backdoor
- What is being described as a “highly skilled” cybergang was using
legitimate security certificates stolen from D-Link and Changing
Information Technology to help spread Plead malware.
https://www.scmagazine.com/stolen-legitimate-security-certificates-used-to-push-plead-backdoor/article/779352/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Timehop deactivates 21 million user accounts after hackers steal
access keys, other data - Timehop has deauthorized all 21 million of
its user accounts after intruders who infiltrated its cloud
infrastructure on December 19, 2017, through a poorly protected admin
account pilfered information, including access keys that could be
used to gain entry to the victims' social media accounts, where the
app is used to recall posts from the same date in previous years.
https://www.scmagazine.com/timehop-deactivates-21-million-user-accounts-after-hackers-steal-access-keys-other-data/article/779162/
Breach department: Unauthorized party accesses Macys.com and
Bloomingdales.com customer accounts - For nearly two months, an
unauthorized party reportedly used stolen usernames and passwords to
log into the online accounts of certain Macys.com and
Bloomingdales.com customers.
https://www.scmagazine.com/breach-department-unauthorized-party-accesses-macyscom-and-bloomingdalescom-customer-accounts/article/779351/
Insurers Sue Trustwave for $30M Over '08 Heartland Data Breach -
Lawsuit filed by Lexington Insurance and Beazley Insurance is in
response to a Trustwave legal filing that called their claims
meritless.
http://www.darkreading.com/application-security/insurers-sue-trustwave-for-$30m-over-08-heartland-data-breach/d/d-id/1332248
Web biz DomainFactory confirms: We were hacked in January 2018 -
German name 'n' hosting outfit tells customers to reset passwords
after hacker taunts.
http://www.theregister.co.uk/2018/07/09/domainfactory_in_germany_confirms_brdata_breach/
Timehop breach hits 21 million users due to a lack of 2FA on cloud
services - Usernames, email addresses, and social media tokens for
21 million users breached, with 4.7 million phone numbers scooped up
in the process.
https://www.zdnet.com/article/timehop-breach-hits-21-million-users-due-to-a-lack-of-2fa-on-cloud-services/
Top-ranked Australian university hit by Chinese hackers: media -
Australia’s top-ranked university on Friday said it had spent
several months fighting off a threat to its computer systems, which
media said had been compromised by Chinese hackers.
https://www.reuters.com/article/us-australia-cyber/top-ranked-australian-university-hit-by-chinese-hackers-media-idUSKBN1JW1KE
Malware at nine B&B Hospitality Group restaurants in New York
targeted payment info - Malware on B&B Hospitality Group (B&BHG)
point of sale devices at nine restaurants in the New York City area
may have been used to access payment card data.
https://www.scmagazine.com/malware-at-nine-bb-hospitality-group-restaurants-in-new-york-targeted-payment-info/article/779488/
Third-party Ticketmaster breach targeted 800-plus e-commerce sites -
The third-party breach that compromised the data of several
Ticketmaster UK customers was part of a larger campaign which
targeted more than 800 e-commerce sites.
https://www.scmagazine.com/third-party-ticketmaster-breach-targeted-800-plus-e-commerce-sites/article/780075/
WEB SITE COMPLIANCE -
Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
FFIEC IT SECURITY -
We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses
the processes, policies, and controls used to ensure authorized
users have prompt access to information. This objective protects
against intentional or accidental attempts to deny legitimate users
access to information and/or systems.
2) Integrity of Data or Systems - System and data integrity
relate to the processes, policies, and controls used to ensure
information has not been altered in an unauthorized manner and that
systems are free from unauthorized manipulation that will compromise
accuracy, completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers
the processes, policies, and controls employed to protect
information of customers and the institution against unauthorized
access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
undesired actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
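The three conditions the booklet lists for non-repudiation (the originator is who they claim to be, the recipient is the intended counterparty, and nothing changed in transit or storage) can be demonstrated with a digitally signed transaction record plus an audit entry that ties the decision back to its source. The following Go program is an added example for this newsletter section, not code from the FFIEC booklet or from any institution; the originator name, payee, amounts and the in-memory key registry are constructed for illustration. Go is used because its standard library provides Ed25519 signatures without third-party packages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Transaction is the record the originator signs. The recipient is part of the
// signed bytes, so a signature produced for one payee cannot be redirected to
// another without invalidating it.
type Transaction struct {
	Originator string `json:"originator"`
	Recipient  string `json:"recipient"`
	Amount     int64  `json:"amount_cents"`
	Reference  string `json:"reference"`
}

// SignedTransaction pairs a transaction with the originator's signature.
type SignedTransaction struct {
	Tx        Transaction
	Signature []byte
}

// canonical serialises the transaction deterministically so signer and
// verifier hash the same bytes (encoding/json emits fields in declaration order).
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err) // cannot happen for a struct of strings and ints
	}
	return b
}

// Enroll generates a key pair for a named originator (constructed registry):
// the public key goes into the institution's registry, the private key stays
// with the originator. Accountability rests on that key never being shared.
func Enroll(name string) (map[string]ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return map[string]ed25519.PublicKey{name: pub}, priv
}

// Sign produces the originator's signature over the canonical record.
func Sign(priv ed25519.PrivateKey, tx Transaction) SignedTransaction {
	return SignedTransaction{Tx: tx, Signature: ed25519.Sign(priv, canonical(tx))}
}

// Verify checks the three conditions in the booklet's definition and returns a
// reason on failure so the outcome can be recorded.
func Verify(registry map[string]ed25519.PublicKey, st SignedTransaction, expectedRecipient string) error {
	pub, ok := registry[st.Tx.Originator]
	if !ok {
		return fmt.Errorf("unknown originator %q", st.Tx.Originator)
	}
	if st.Tx.Recipient != expectedRecipient {
		return fmt.Errorf("recipient %q is not the intended counterparty %q", st.Tx.Recipient, expectedRecipient)
	}
	if !ed25519.Verify(pub, canonical(st.Tx), st.Signature) {
		return fmt.Errorf("signature invalid: record altered or not signed by %q", st.Tx.Originator)
	}
	return nil
}

// AuditEntry is the accountability record: it traces the action to its source
// and keeps the evidence (record hash and signature) needed to repeat the check.
type AuditEntry struct {
	Originator string
	RecordHash string
	Signature  string
	Outcome    string
}

// Record builds the audit entry for one verification attempt.
func Record(st SignedTransaction, verr error) AuditEntry {
	sum := sha256.Sum256(canonical(st.Tx))
	outcome := "accepted"
	if verr != nil {
		outcome = "rejected: " + verr.Error()
	}
	return AuditEntry{
		Originator: st.Tx.Originator,
		RecordHash: hex.EncodeToString(sum[:]),
		Signature:  hex.EncodeToString(st.Signature),
		Outcome:    outcome,
	}
}

func main() {
	registry, priv := Enroll("customer-1042") // constructed sample customer
	tx := Transaction{Originator: "customer-1042", Recipient: "payee-77", Amount: 125000, Reference: "INV-2018-07"}
	st := Sign(priv, tx)
	fmt.Println(Record(st, Verify(registry, st, "payee-77")).Outcome)

	// Alter the amount after signing: the integrity check rejects the record.
	tampered := st
	tampered.Tx.Amount = 1250000
	fmt.Println(Record(tampered, Verify(registry, tampered, "payee-77")).Outcome)
}
```

Running the program prints an accepted entry for the original record and a rejection for the altered copy. The design point is that an HMAC shared between customer and institution would give integrity but not accountability, since either party could have produced it; an asymmetric signature under a key only the originator holds is what lets the institution answer a "I never sent that" claim.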
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
This chapter first discusses basic criteria that can be used to
decide whether a particular user should be granted access to a
particular system resource. It then reviews the use of these
criteria by those who set policy (usually system-specific policy),
commonly used technical mechanisms for implementing logical access
control, and issues related to administration of access controls.
Controlling access is normally thought of as applying to human
users (e.g., will technical access be provided for user JSMITH to
the file "payroll.dat") but access can be provided to other computer
systems. Also, access controls are often incorrectly thought of as
only applying to files. However, they also protect other system
resources such as the ability to place an outgoing long-distance
phone call through a system modem (as well as, perhaps, the
information that can be sent over such a call). Access controls can
also apply to specific functions within an application and to
specific fields of a file.
17.1 Access Criteria
In deciding whether to permit someone to use a system resource,
logical access controls examine whether the user is authorized for
the type of access requested. (Note that this inquiry is usually
distinct from the question of whether the user is authorized to use
the system at all, which is usually addressed in an identification
and authentication process.)
The system uses various criteria to determine if a request for
access will be granted. They are typically used in some combination.
Many of the advantages and complexities involved in implementing and
managing access control are related to the different kinds of user
accesses supported.
When determining what kind of technical access to allow to specific
data, programs, devices, and resources, it is important to consider
who will have access and what kind of access they will be allowed.
It may be desirable for everyone in the organization to have access
to some information on the system, such as the data displayed on an
organization's daily calendar of nonconfidential meetings. The
program that formats and displays the calendar, however, might be
modifiable by only a very few system administrators, while the
operating system controlling that program might be directly
accessible by still fewer.
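The handbook's calendar example (data readable by everyone, the formatting program modifiable by a few administrators, the operating system by fewer still) is a policy over resources, access types and groups. The following Go program is an added example for this section, not code from the NIST Handbook; the resource names, group names and user names are constructed. It keeps the authorization decision separate from identification and authentication, as section 17.1 describes: the Principal passed in is already authenticated, and the only question asked is whether that user is authorized for the requested type of access.

```go
package main

import "fmt"

// AccessType is the kind of access requested; it is checked separately from
// whether the user may use the system at all.
type AccessType string

const (
	Read   AccessType = "read"
	Modify AccessType = "modify"
)

// Principal is an already-authenticated user with the groups assigned to them
// by the administrator (identification and authentication happened earlier).
type Principal struct {
	Name   string
	Groups []string
}

// Rule lists, per access type, the groups permitted that access on a resource.
// The special group "everyone" grants the access to any authenticated user.
type Rule map[AccessType][]string

// Policy maps resource names to their rules. Anything not listed is denied.
type Policy map[string]Rule

// Decision carries the outcome and the reason, so each check is auditable.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize applies the system-specific policy: is this user authorized for
// this type of access to this resource? The default is deny.
func Authorize(p Policy, user Principal, resource string, access AccessType) Decision {
	rule, ok := p[resource]
	if !ok {
		return Decision{false, fmt.Sprintf("no rule for resource %q: default deny", resource)}
	}
	allowedGroups, ok := rule[access]
	if !ok {
		return Decision{false, fmt.Sprintf("%s access on %q is not granted to anyone", access, resource)}
	}
	for _, g := range allowedGroups {
		if g == "everyone" {
			return Decision{true, fmt.Sprintf("%s on %q is open to every authenticated user", access, resource)}
		}
		for _, ug := range user.Groups {
			if ug == g {
				return Decision{true, fmt.Sprintf("%s is in group %q, which may %s %q", user.Name, g, access, resource)}
			}
		}
	}
	return Decision{false, fmt.Sprintf("%s is in none of %v required to %s %q", user.Name, allowedGroups, access, resource)}
}

// ExamplePolicy mirrors the handbook's calendar example with constructed names:
// calendar data readable by all, the calendar program modifiable only by a small
// admin group, and the operating system by an even smaller one.
func ExamplePolicy() Policy {
	return Policy{
		"calendar.dat": {Read: {"everyone"}, Modify: {"calendar-admins"}},
		"calendar.exe": {Read: {"everyone"}, Modify: {"sysadmins"}},
		"os-kernel":    {Modify: {"platform-engineers"}},
	}
}

func main() {
	policy := ExamplePolicy()
	jsmith := Principal{Name: "JSMITH", Groups: []string{"staff"}}
	admin := Principal{Name: "ADMIN1", Groups: []string{"staff", "sysadmins"}}
	requests := []struct {
		u Principal
		r string
		a AccessType
	}{
		{jsmith, "calendar.dat", Read},
		{jsmith, "calendar.exe", Modify},
		{admin, "calendar.exe", Modify},
		{admin, "os-kernel", Modify},
		{jsmith, "payroll.dat", Read}, // no rule: denied by default
	}
	for _, req := range requests {
		d := Authorize(policy, req.u, req.r, req.a)
		fmt.Printf("%-6s %-6s %-13s allowed=%-5v %s\n", req.u.Name, req.a, req.r, d.Allowed, d.Reason)
	}
}
```

Two choices matter for review: unlisted resources and unlisted access types are denied rather than silently allowed, and every decision returns the rule that produced it, which is what an examiner will ask for when tracing who could change a given program or file.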