FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Two-thirds of orgs have suffered supply chain attacks despite
defenses - A recent study found two-thirds of organizations are hit
by supply chain attacks despite having defense strategies in place.
https://www.scmagazine.com/two-thirds-of-orgs-have-suffered-supply-chain-attacks-despite-defenses/article/782755/
Game of Thrones hacker and dam hacker make FBI most wanted
cybercriminals list - The threat actor who hacked and held unaired
Game of Thrones episodes for ransom has landed himself a spot on the
FBI's 41 most-wanted cybercriminals list with the likes of the dam
hacker and several other state-sponsored actors.
https://www.scmagazine.com/game-of-thrones-hacker-and-dam-hacker-make-fbi-most-wanted-cybercriminals-list/article/782557/
Federal Judge scolds FBI agent for improper stingray use - A federal
judge in San Francisco scolded an FBI agent for the improper use of
a stingray as well as an improper cellphone search stemming from
warrants signed by the wrong type of judge.
https://www.scmagazine.com/federal-judge-scolds-fbi-agent-for-improper-stingray-use/article/781734/
U.S. energy regulator wants more disclosure of cyber attacks - The
U.S. government on Thursday asked power generators to disclose more
information about cyber attacks amid growing concern that foreign
hackers could disrupt the electric grid.
https://www.reuters.com/article/us-cyber-energy-regulator/u-s-energy-regulator-wants-more-disclosure-of-cyber-attacks-idUSKBN1K92OB
Attackers concealing malware in images uploaded to Google servers -
Cybercriminals are putting a new spin on the old trick of hiding
malware code in Exchangeable Image File Format (EXIF) data.
Recently, attackers were observed using this technique in image
files, rather than text files, and uploading them to
googleusercontent.com servers.
https://www.scmagazine.com/attackers-concealing-malware-in-images-uploaded-to-google-servers/article/782393/
NIST developing guidelines on mobile app testing and vetting - The
National Institute of Standards and Technology (NIST) has issued a
revised draft and a call for public comment for Special Publication
800-163 Vetting the Security of Mobile Applications that is designed
to give organizations basic guidance on app security.
https://www.scmagazine.com/nist-developing-guidelines-on-mobile-app-testing-and-vetting/article/782735/
Robo-drop: Factory bot biz 'leaks' automakers' secrets onto the web
- Assembly line 'droid builder latest to be accused of leaving rsync
wide open on the internet - Yet another organization has allegedly
been caught accidentally exposing more than 100GB of sensitive
corporate data to the open internet.
https://www.theregister.co.uk/2018/07/23/car_factory_rsync_server_leak/
Bank Hackers Exploit Outdated Router to Steal $1 Million - Hackers
stole at least $920,000 from Russia's PIR Bank after they
successfully compromised an outdated, unsupported Cisco router at a
bank branch office and used it to tunnel into the bank's local
network.
http://www.bankinfosecurity.com/bank-hackers-exploit-outdated-router-to-steal-1-million-a-11227
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Suspicious network activity could be symptom of breach at
diagnostics firm LabCorp - Clinical medical diagnostics company
LabCorp took some of its systems offline following suspicious
network activity that could possibly indicate a serious breach of
sensitive medical information.
https://www.scmagazine.com/suspicious-network-activity-could-be-symptom-of-breach-at-diagnostics-firm-labcorp/article/781733/
HR firm ComplyRight breached compromising PII - Cloud-based human
resources company ComplyRight fell victim to a data breach which
compromised customer information.
https://www.scmagazine.com/hr-firm-complyright-breached-compromising-pii/article/782411/
Hackers access personal data of 1.5 million SingHealth patients,
including Singapore's prime minister - Singapore's largest health
care group, SingHealth, acknowledged today that attackers
infiltrated a company database and copied information belonging to
roughly 1.5 million patients, including the country's prime minister,
Lee Hsien Loong.
https://www.scmagazine.com/hackers-access-personal-data-of-15-million-singhealth-patients-including-singapores-prime-minister/article/782409/
Ransomware-based breach of Alaskan medical billing vendor impacts
Fairbanks municipality - A data breach and corresponding ransomware
attack at an Alaskan medical billing company that compromised the
health information of roughly 44,600 people counted a
Fairbanks-based government municipality among its victims.
https://www.scmagazine.com/ransomware-based-breach-of-alaskan-medical-billing-vendor-impacts-fairbanks-municipality/article/782886/
Southern Baptist Convention IMB suffers data breach - The Southern
Baptist Convention's (SBC) International Mission Board suffered a
data breach earlier this year exposing the personally identifiable
information on its current and former employees, volunteers and
applicants.
https://www.scmagazine.com/southern-baptist-convention-imb-suffers-data-breach/article/782884/
Blacksburg bank loses $2.4 million after two phishing attacks - Bank
robbers often stick up the same bank twice, but a recent lawsuit
between a Virginia bank and its insurer revealed the bank lost $2.4
million when staffers twice fell for phishing attacks resulting in
illegal ATM withdrawals.
https://www.scmagazine.com/blacksburg-bank-loses-24-million-after-two-phishing-attacks/article/783417/
Singapore securities investor database breached in 2013 - Less than
a week after SingHealth announced the nation's largest breach in
which the data of 1.5 million patients was compromised, the
Securities Investors Association (Singapore) or Sias announced it
too has suffered a breach.
https://www.scmagazine.com/singapore-securities-investor-database-breached-in-2013/article/783413/
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most importantly
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of a
financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
tasks.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.1.3 Location
Access to particular system resources may also be based upon
physical or logical location. For example, in a prison, all users in
areas to which prisoners are physically permitted may be limited to
read-only access. Changing or deleting is limited to areas to which
prisoners are denied physical access. The same authorized users
(e.g., prison guards) would operate under significantly different
logical access controls, depending upon their physical location.
Similarly, users can be restricted based upon network addresses
(e.g., users from sites within a given organization may be permitted
greater access than those from outside).
17.1.4 Time
Time-of-day or day-of-week restrictions are common limitations on
access. For example, use of confidential personnel files may be
allowed only during normal working hours -- and may be denied before
8:00 a.m. and after 6:00 p.m. and all day during weekends and
holidays.
17.1.5 Transaction
Another approach to access control can be used by organizations
handling transactions (e.g., account inquiries). Phone calls may
first be answered by a computer that requests that callers key in
their account number and perhaps a PIN. Some routine transactions
can then be made directly, but more complex ones may require human
intervention. In such cases, the computer, which already knows the
account number, can grant a clerk, for example, access to a
particular account for the duration of the transaction. When
completed, the access authorization is terminated. This means that
users have no choice in which accounts they have access to, and can
reduce the potential for mischief. It also eliminates employee
browsing of accounts (e.g., those of celebrities or their neighbors)
and can thereby heighten privacy.
17.1.6 Service Constraints
Service constraints refer to those restrictions that depend upon
the parameters that may arise during use of the application or that
are preestablished by the resource owner/manager. For example, a
particular software package may only be licensed by the organization
for five users at a time. Access would be denied for a sixth user,
even if the user were otherwise authorized to use the application.
Another type of service constraint is based upon application content
or numerical thresholds. For example, an ATM machine may restrict
transfers of money between accounts to certain dollar limits or may
limit maximum ATM withdrawals to $500 per day. Access may also be
selectively permitted based on the type of service requested. For
example, users of computers on a network may be permitted to
exchange electronic mail but may not be allowed to log in to each
other's computers.
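As an added illustration (not code from the NIST Handbook or this newsletter), the following Python encodes the four constraint types described in 17.1.3 through 17.1.6 as small policy checks: network-address location, working-hours time, transaction-scoped account grants, and service constraints (concurrent license seats and a daily ATM threshold). The subnet, hours, seat count, and dollar limit are constructed values chosen to match the section's examples.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy values for illustration; none come from the Handbook.
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed "inside the organization"
WORK_HOURS = (8, 18)                       # 08:00-18:00, weekdays only
LICENSE_SEATS = 5                          # concurrent-user license limit
ATM_DAILY_LIMIT = 500                      # dollars per card per day

@dataclass
class AccessState:
    """Mutable state the constraints consult (sessions, grants, totals)."""
    active_sessions: int = 0
    open_transactions: dict = field(default_factory=dict)  # clerk -> account
    atm_withdrawn_today: dict = field(default_factory=dict)  # card -> dollars

def location_allows(src_ip: str, write: bool) -> bool:
    """17.1.3: outside addresses may read; only internal addresses may change."""
    return (not write) or ip_address(src_ip) in INTERNAL_NET

def time_allows(when_iso: str) -> bool:
    """17.1.4: confidential files only 08:00-18:00, Monday to Friday."""
    when = datetime.fromisoformat(when_iso)
    return when.weekday() < 5 and WORK_HOURS[0] <= when.hour < WORK_HOURS[1]

def begin_transaction(state: AccessState, clerk: str, account: str) -> None:
    """17.1.5: the system, not the clerk, chooses which account is opened."""
    state.open_transactions[clerk] = account

def end_transaction(state: AccessState, clerk: str) -> None:
    """17.1.5: the grant ends with the transaction, so no account browsing."""
    state.open_transactions.pop(clerk, None)

def transaction_allows(state: AccessState, clerk: str, account: str) -> bool:
    return state.open_transactions.get(clerk) == account

def license_seat_allows(state: AccessState) -> bool:
    """17.1.6: a sixth concurrent user is refused even if otherwise authorized."""
    return state.active_sessions < LICENSE_SEATS

def atm_withdrawal_allows(state: AccessState, card: str, amount: int) -> bool:
    """17.1.6: numerical threshold; the running total is updated only on success."""
    spent = state.atm_withdrawn_today.get(card, 0)
    if amount <= 0 or spent + amount > ATM_DAILY_LIMIT:
        return False
    state.atm_withdrawn_today[card] = spent + amount
    return True
```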