R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 5, 2018

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI
- OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies - The Office of the Comptroller of the Currency today announced it will begin accepting applications for national bank charters from nondepository financial technology companies engaged in the business of banking. www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-74.html

ERP security warning as hackers step up attacks on systems - Vulnerable ERP applications are being increasingly targeted by attackers. The US Department of Homeland Security has warned businesses of the growing risk of attackers targeting enterprise resource planning (ERP) systems. https://www.zdnet.com/article/erp-security-warning-as-hackers-step-up-attacks-on-systems/

NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds - The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday. https://www.nextgov.com/cybersecurity/2018/07/nsa-hasnt-implemented-post-snowden-security-fixes-audit-finds/150067/

Multiple Ransomware Attacks Cut Off Police Access to Crime Database in Riverside, Ohio - The department lost access to the Ohio Law Enforcement Gateway on May 14 to shield the statewide system from damage and prevent data exposure. http://www.govtech.com/security/Multiple-Ransomware-Attacks-Cut-Off-Police-Access-to-Crime-Database-in-Riverside-Ohio.html

Old school: Yale discloses breach from more than 10 years ago - Talk about excessive tardiness: Yale University yesterday disclosed that more than 10 years ago, an online intruder breached one of the Ivy League school's databases, which contained information on alumni, faculty and staff members.  https://www.scmagazine.com/old-school-yale-discloses-breach-from-more-than-10-years-ago/article/784584/

US Warns of Supply Chain Attacks - The US government has repeated warnings of state-sponsored cyber-attacks made possible by infiltrating the software supply chain. https://www.infosecurity-magazine.com/news/us-warns-of-supply-chain-attacks/

Houston Tests Its Preparedness for A Cyberattack - The city is conducting a three-day exercise to find out how well it would react to such an attack on top of a major disaster. https://www.houstonpublicmedia.org/articles/news/city-of-houston/2018/07/25/297211/houston-tests-its-preparedness-for-a-cyberattack/

Pentagon reveals a Do Not Buy software list as a cybersecurity measure - The U.S. Department of Defense has instructed its procurers and contractors to stop buying software that may have Chinese or Russian connections to help defend these institutions against a possible cyberattack. https://www.scmagazine.com/pentagon-reveals-a-do-not-buy-software-list-as-a-cybersecurity-measure/article/784588/

SamSam ransomware payments hit $6 million, malware called labor intensive to operate - SamSam ransomware, known for its recent takedown of several high-profile targets, is a well-coded piece of malware that is backed by a group that does not mind spending time to properly set up its victims to ensure a maximum payout from each attack, resulting in about $6 million being paid so far, according to a study by SophosLabs. https://www.scmagazine.com/samsam-ransomware-payments-hit-6-million-malware-called-labor-intensive-to-operate/article/784454/

Kentucky city cites the risk of terrorism for not releasing surveillance details - The Lexington, Ky., police department cited the risk of terrorism as an excuse to not release information concerning its surveillance equipment. https://www.scmagazine.com/kentucky-city-cites-the-risk-of-terrorism-for-not-releasing-surveillance-details/article/784749/

'Security incident' at Reddit exposed user data to hackers - A hacker who compromised the accounts of a few Reddit employees who are with the company's cloud and source code hosting providers penetrated some of its systems and accessed user data, including email addresses and a 2007 backup of a database that contained old salted and hashed passwords. https://www.scmagazine.com/security-incident-at-reddit-exposed-user-data-to-hackers/article/785327/

Insecure server holding U.K. fashion retailers' customer data breached by white hat - A server containing a database holding customer information pertaining to various U.K.-based online fashion retailers was discovered to be insecure after it was breached by a white-hat hacker on July 9. https://www.scmagazine.com/insecure-server-holding-uk-fashion-retailers-customer-data-breached-by-white-hat/article/785301/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - LifeLock unsubscribe error unlocks customers' email address info - Symantec's ID theft prevention subsidiary LifeLock suffered from some embarrassing optics on Wednesday after it was reported that an error in its e-marketing unsubscribe process left the email addresses of its customers exposed to potential data theft and tampering. https://www.scmagazine.com/lifelock-unsubscribe-error-unlocks-customers-email-address-info/article/783775/

Fake bank apps found on Google Play - The official Google Play app store has again been found harboring malicious apps, this time fake banking apps that steal credit card credentials and other banking information. https://www.scmagazine.com/fake-bank-apps-found-on-google-play/article/783777/

Ransomware attack knocks out shipping giant COSCO's U.S. network - A ransomware attack has severely disabled the U.S. network of COSCO (China Ocean Shipping Company), one of the world's largest shipping companies. https://www.scmagazine.com/ransomware-attack-knocks-out-cosco-shipping-giants-american-network/article/783584/


Blue Springs Family Care endangers patient records, enables ransomware attack - Missouri-based health care provider Blue Springs Family Care has disclosed a ransomware attack resulting from a data breach that may have also compromised patient records -- 44,979, to be precise, according to news reports. https://www.scmagazine.com/data-breach-at-blue-springs-family-care-endangers-patient-records-enables-ransomware-attack/article/784080/

Idaho inmates hack prison tablets, steal $225,000 in commissary credits - The Idaho Department of Corrections reported that 364 prisoners hacked into its computer tablets and falsely credited almost $225,000 into their personal prison accounts. https://www.scmagazine.com/idaho-inmates-hack-prison-tablets-steal-225000-in-commissary-credits/article/783887/

Malvertising scam compromises 10,000+ websites; researchers suggest ad network and resellers may be culpable - A malicious actor essentially posing as a web publisher compromised more than 10,000 WordPress websites in an elaborate malvertising campaign involving various ad resellers and ad networks, according to a report. https://www.scmagazine.com/malvertising-scam-compromises-10000-websites-researchers-suggest-ad-network-and-resellers-may-be-culpable/article/784226/

Hack of D.C. police cameras was part of ransomware scheme, prosecutors say - When hackers took over two-thirds of D.C. police’s surveillance cameras days before the 2017 presidential inauguration, it appeared that the cyberattack was limited to elicit a single ransom payment. https://www.washingtonpost.com/local/public-safety/attack-on-dc-police-security-cameras-had-broad-implications/2018/07/24/7ff01d78-8440-11e8-9e80-403a221946a7_story.html

Alaska city, borough under attack by CryptoLocker - The Borough of Matanuska-Susitna (Mat-Su) and City of Valdez in Alaska were each hit with ransomware attacks, within days of each other, which knocked both networks offline. https://www.scmagazine.com/alaska-city-borough-under-attack-by-cryptolocker/article/784776/


WEB SITE COMPLIANCE -
Disclosures and Notices
  
  Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.
  
  Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.
  
  
ROLES AND RESPONSIBILITIES (2 of 2)
  
  Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.
  
  Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should
  
  1)  Ensure the security process is governed by organizational policies and practices that are consistently applied,
  2)  Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
  3)  Enforce compliance with the security program in a balanced and consistent manner across the organization, and
  4)  Coordinate information security with physical security.
  
  Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.
  
  Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.
  
  Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 17 - LOGICAL ACCESS CONTROL
 
 
17.1.7 Common Access Modes
 
 In addition to considering criteria for when access should occur, it is also necessary to consider the types of access, or access modes. The concept of access modes is fundamental to access control. Common access modes, which can be used in both operating and application systems, include the following:
 
 1)  Read access provides users with the capability to view information in a system resource (such as a file, certain records, certain fields, or some combination thereof), but not to alter it, such as delete from, add to, or modify in any way. One must assume that information can be copied and printed if it can be read (although perhaps only manually, such as by using a print screen function and retyping the information into another file).
 
 2)  Write access allows users to add to, modify, or delete information in system resources (e.g., files, records, programs). Normally users have read access to anything they have write access to.
 
 3)  Execute privilege allows users to run programs.
 
 4)  Delete access allows users to erase system resources (e.g., files, records, fields, programs). Note that if users have write access but not delete access, they could overwrite the field or file with gibberish or otherwise inaccurate information and, in effect, delete the information.
 
 Other specialized access modes (more often found in applications) include:
 
 1)  Create access allows users to create new files, records, or fields.
 
 2)  Search access allows users to list the files in a directory.
 
 Of course, these criteria can be used in conjunction with one another. For example, an organization may give authorized individuals write access to an application at any time from within the office but only read access during normal working hours if they dial-in.
 
 Depending upon the technical mechanisms available to implement logical access control, a wide variety of access permissions and restrictions are possible. No discussion can present all possibilities.
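The following is an added example, not text or code from the NIST Handbook or from this newsletter: a small policy evaluator that models the access modes above together with the Handbook's own "office at any time, dial-in read-only during working hours" example, and flags the caveat that write access without delete access still lets a user destroy data by overwriting it. All rule names, hours and locations are constructed for illustration.

```python
"""Access-mode policy evaluator (constructed example, not the Handbook's code)."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import List, Optional


class Mode(Flag):
    """The access modes described in NIST Handbook section 17.1.7."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CREATE = auto()
    SEARCH = auto()


@dataclass(frozen=True)
class Rule:
    """Modes granted when the request comes from `location` and the hour of
    day falls in [start_hour, end_hour); both None means any time of day."""
    location: str
    modes: Mode
    start_hour: Optional[int] = None
    end_hour: Optional[int] = None

    def applies(self, location: str, hour: int) -> bool:
        if location != self.location:
            return False
        if self.start_hour is None or self.end_hour is None:
            return True
        return self.start_hour <= hour < self.end_hour


# Constructed policy mirroring the Handbook's example: full write access from
# inside the office at any hour, read-only access during 08:00-17:00 when
# dialing in from outside, nothing outside those hours.
POLICY: List[Rule] = [
    Rule("office", Mode.READ | Mode.WRITE | Mode.CREATE),
    Rule("dial-in", Mode.READ, 8, 17),
]


def effective_modes(location: str, hour: int, policy: List[Rule] = POLICY) -> Mode:
    """Union of all rule grants that match; write implies read, as the text notes."""
    granted = Mode(0)
    for rule in policy:
        if rule.applies(location, hour):
            granted |= rule.modes
    if Mode.WRITE in granted:
        granted |= Mode.READ
    return granted


def is_permitted(requested: Mode, location: str, hour: int) -> bool:
    """True only if every requested mode is in the effective set."""
    return requested in effective_modes(location, hour)


def write_without_delete(policy: List[Rule] = POLICY) -> List[str]:
    """Locations where WRITE is granted without DELETE: the Handbook's caveat
    that such users can still 'delete' data by overwriting it with garbage."""
    return [r.location for r in policy
            if Mode.WRITE in r.modes and Mode.DELETE not in r.modes]
```

The reviewer's check here is `write_without_delete`: withholding the delete mode is not a data-destruction control unless the write mode is also constrained.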


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.