FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Pentagon reveals a Do Not Buy software list as a cybersecurity
measure - The U.S. Department of Defense has instructed its
procurers and contractors to stop buying software that may have
Chinese or Russian connections to help defend these institutions
against a possible cyberattack.
https://www.scmagazine.com/pentagon-reveals-a-do-not-buy-software-list-as-a-cybersecurity-measure/article/784588/
https://www.defenseone.com/threats/2018/07/pentagon-creates-do-not-buy-list-russian-chinese-software/150100/
Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup -
Reddit said in a blog post Wednesday that a hacker broke into the
company's systems in June and gained access to a variety of data,
including user emails, source code, internal files, and “all Reddit
data from 2007 and before.”
https://www.wired.com/story/reddit-hacked-thanks-to-woefully-insecure-two-factor-setup/
U.S. Congress passes bill forcing tech companies to disclose foreign
software probes - The U.S. Congress is sending President Donald
Trump legislation that would force technology companies to disclose
if they allowed countries like China and Russia to examine the inner
workings of software sold to the U.S. military.
https://www.reuters.com/article/us-usa-software-cyber/u-s-congress-passes-bill-forcing-tech-companies-to-disclose-foreign-software-probes-idUSKBN1KM6A8
U.S. Treasury calls for national data breach notification and
increased data protections - The U.S. Treasury is calling for
sweeping changes in fin-tech consumer protections, including an
increased control given to consumers over their data and a national
data breach notification standard.
https://www.scmagazine.com/us-treasury-calls-for-national-data-breach-notification-and-increased-data-protections/article/785999/
Atlanta ransomware recovery cost now at $17 million, reports say -
The cost to rebuild Atlanta's computer network after it was hit with
a SamSam ransomware attack in March continues to climb with a new
report now placing the tab at $17 million, almost six times the
initial estimate.
https://www.scmagazine.com/atlanta-ransomware-recovery-cost-now-at-17-million-reports-say/article/786184/
DOE to vet grid's ability to reboot after a cyberattack - The
Department of Energy is planning an unprecedented, "hands-on" test
of the grid's ability to bounce back from a blackout caused by
hackers, E&E News has learned.
https://www.eenews.net/stories/1060092675
Spam still the most common cyber crime technique, according to
recent research - With spam emails having been around for more than 40
years, cybercriminals have always found new ways to use them to catch
victims out, with the study gauging “click rates rising from 13.4% in the
second half of 2017 to 14.2% in 2018.”
https://www.information-age.com/spam-still-first-choice-cyber-crime-according-study-123473840/
DOD cracks down on geolocation devices and services - Defense
Department personnel can no longer use geolocation features on any
device -- personal or government issued -- in areas used for
military operations, according to a DOD policy memo released Aug. 6.
https://fcw.com/articles/2018/08/06/dod-geo-ban-williams.aspx
Cybercriminals waste no time breaking into experimental honeypot
designed to look like ICS environment - A research honeypot set up
to look like an electric company's power transmission substation
network was compromised by a dark web hacker within two days of it
going online -- yet another sign that industrial control systems are
increasingly becoming targets of not just nation-states, but also
traditional cybercriminals.
https://www.scmagazine.com/cybercriminals-waste-no-time-breaking-into-experimental-honeypot-designed-to-look-like-ics-environment/article/787021/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Phishing attack compromised the data of 1.4 million UnityPoint
Health patients - UnityPoint Health in Des Moines, Iowa, is warning
patients of a data breach that could impact 1.4 million patients.
https://www.scmagazine.com/phishing-attack-compromised-the-data-of-14-million-unitypoint-health-patients/article/785692/
Salesforce API error left data accessible - An error in a
Salesforce Marketing Cloud API could have allowed third parties to
access data, or could have caused data to be corrupted.
https://www.scmagazine.com/salesforce-api-error-left-data-accessible/article/786472/
Third-party misconfiguration exposes TCM Bank consumer data - A
third-party website misconfiguration at credit card issuer TCM Bank
exposed sensitive applicant data for 16 months.
https://www.scmagazine.com/third-party-misconfiguration-exposes-tcm-bank-consumer-data/article/786383/
Taiwanese Semiconductor product knocked offline due to malware - The
Taiwan Semiconductor Manufacturing Co. (TSMC) had several factories
knocked offline late last week due to a cyberattack.
https://www.scmagazine.com/taiwanese-semiconductor-product-knocked-offline-due-to-malware/article/786362/
MongoDB database exposes more than 2 million Mexican patients - A
MongoDB database containing the health care information of more than
2 million patients in Mexico was left exposed, revealing sensitive
patient information.
https://www.scmagazine.com/mongodb-database-exposes-more-than-2-million-mexican-patients/article/786517/
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for
a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an
ongoing information security risk assessment program that
effectively:
1) Gathers data regarding the information and technology assets
of the organization, threats to those assets, vulnerabilities,
existing security controls and processes, and the current security
standards and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and
vulnerabilities to determine the appropriate level of training,
controls, and testing necessary for effective mitigation.
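The three steps above read as a cycle: gather (assets, threats, vulnerabilities, existing controls), analyze (probability and impact), prioritize (and let the priority drive training, controls and testing). The following is an added worked example, not from the FFIEC booklet or the newsletter, showing one way an institution might keep that cycle as a small risk register. The asset names, threat entries, 1-5 rating scales, tier thresholds and the mitigation mapping are all constructed assumptions for illustration; an institution would set its own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register row: the data gathered in step 1 plus the two ratings used in step 2."""
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)
    impact: int      # assumed 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be rated on a 1-5 scale")

    @property
    def score(self) -> int:
        # Step 2: probability x impact of the known threat/vulnerability pair.
        return self.likelihood * self.impact


def tier(score: int) -> str:
    """Assumed thresholds that bucket a 1-25 score into a priority tier."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Step 3: the tier determines the level of training, controls and testing.
# This mapping is an illustrative assumption, not a regulatory requirement.
MITIGATION = {
    "high": {
        "training": "role-specific, quarterly",
        "controls": "preventive and detective; compensating control until remediated",
        "testing": "independent control test and penetration test at least annually",
    },
    "medium": {
        "training": "annual awareness plus targeted refresher",
        "controls": "preventive control with periodic review",
        "testing": "internal control test annually",
    },
    "low": {
        "training": "annual awareness",
        "controls": "baseline controls only",
        "testing": "covered by routine audit sampling",
    },
}


def prioritize(risks):
    """Highest score first; ties broken by impact, then asset name for a stable order."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.asset))


def assessment_report(risks):
    """Prioritized rows, each carrying its tier and the mitigation level that tier implies."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "existing_control": r.existing_control,
            "score": r.score,
            "tier": tier(r.score),
            **MITIGATION[tier(r.score)],
        }
        for r in prioritize(risks)
    ]


# Constructed sample register; none of these rows describe a real institution.
SAMPLE_REGISTER = [
    Risk("core banking server", "ransomware", "delayed OS patching",
         "weekly patch cycle, offline backups", likelihood=3, impact=5),
    Risk("online banking portal", "credential phishing", "no multi-factor authentication",
         "password complexity policy", likelihood=4, impact=4),
    Risk("teller workstation", "removable-media malware", "USB autorun enabled",
         "endpoint antivirus", likelihood=2, impact=3),
    Risk("ATM network", "card skimming", "no tamper detection on older units",
         "daily physical inspection", likelihood=2, impact=4),
]


if __name__ == "__main__":
    for row in assessment_report(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['tier']:<6} {row['asset']:<24} {row['threat']}")
```

The point of keeping the register as data rather than as a document is that the ordering and the tier are recomputed whenever a rating or a control changes, which is what makes the program "ongoing" rather than an annual snapshot.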
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.2 Policy: The Impetus for Access Controls
Logical access controls are a technical means of implementing
policy decisions. Policy is made by a management official
responsible for a particular system, application, subsystem, or
group of systems. The development of an access control policy may
not be an easy endeavor. It requires balancing the often-competing
interests of security, operational requirements, and
user-friendliness. In addition, technical constraints have to be
considered.
This chapter discusses issues relating to the technical
implementation of logical access controls - not the actual policy
decisions as to who should have what type of access. These decisions
are typically included in system-specific policy.
Once these policy decisions have been made, they will be
implemented (or enforced) through logical access controls. In doing
so, it is important to realize that the capabilities of various
types of technical mechanisms (for logical access control) vary
greatly.
A few simple examples of specific policy issues are provided below;
it is important to recognize, however, that comprehensive
system-specific policy is significantly more complex.
1. The director of an organization's personnel office could decide
that all clerks can update all files, to increase the efficiency of
the office. Or the director could decide that clerks can only view
and update specific files, to help prevent information browsing.
2. In a disbursing office, a single individual is usually
prohibited from both requesting and authorizing that a particular
payment be made. This is a policy decision taken to reduce the
likelihood of embezzlement and fraud.
3. Decisions may also be made regarding access to the system
itself. In the government, for example, the senior information
resources management official may decide that agency systems that
process information protected by the Privacy Act may not be used to
process public-access database applications.
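The handbook's first two examples are policy decisions that a technical mechanism then has to enforce: a role-based matrix saying which files clerks may view or update (example 1), and a separation-of-duties rule that the person requesting a payment may not also authorize it (example 2). The following added example, which is not from the NIST Handbook or the newsletter, shows a minimal enforcement layer for both decisions. The role names, file names, user names and payment identifiers are constructed for illustration, and the "restrictive" variant of example 1 (clerks view every file but update only one) is an assumed choice the director might make.

```python
from collections import defaultdict


class PermissionDeniedError(Exception):
    """Raised when an access request is not permitted by policy."""


class FileAccessControl:
    """Role-based access matrix: (role, file) -> set of permitted actions."""

    def __init__(self):
        self._matrix = defaultdict(set)
        self._roles = {}  # user -> role

    def assign_role(self, user, role):
        self._roles[user] = role

    def grant(self, role, resource, *actions):
        # Policy decision recorded as an entry in the matrix.
        self._matrix[(role, resource)].update(actions)

    def is_allowed(self, user, resource, action):
        role = self._roles.get(user)
        if role is None:
            return False  # unknown users get nothing (default deny)
        return action in self._matrix.get((role, resource), set())

    def enforce(self, user, resource, action):
        if not self.is_allowed(user, resource, action):
            raise PermissionDeniedError(f"{user} may not {action} {resource}")


class DisbursingOffice:
    """Separation of duties: whoever requested a payment cannot authorize it."""

    def __init__(self, acl):
        self._acl = acl
        self._requests = {}    # payment_id -> requesting user
        self._authorized = {}  # payment_id -> authorizing user

    def request_payment(self, user, payment_id):
        self._acl.enforce(user, "payments", "request")
        if payment_id in self._requests:
            raise ValueError(f"{payment_id} already requested")
        self._requests[payment_id] = user

    def authorize_payment(self, user, payment_id):
        self._acl.enforce(user, "payments", "authorize")
        requester = self._requests.get(payment_id)
        if requester is None:
            raise ValueError(f"{payment_id} was never requested")
        if requester == user:
            # The role permits authorizing in general; the policy rule still
            # blocks this particular combination of requester and authorizer.
            raise PermissionDeniedError(
                f"separation of duties: {user} requested {payment_id} and cannot authorize it"
            )
        self._authorized[payment_id] = user
        return True

    def is_authorized(self, payment_id):
        return payment_id in self._authorized


def build_personnel_office():
    """Example 1, restrictive variant (assumed): clerks view all files but
    update only the timekeeping file; the director may view and update both."""
    acl = FileAccessControl()
    for personnel_file in ("personnel_records", "timekeeping"):
        acl.grant("clerk", personnel_file, "view")
        acl.grant("director", personnel_file, "view", "update")
    acl.grant("clerk", "timekeeping", "update")
    acl.assign_role("alice", "clerk")     # constructed user
    acl.assign_role("dana", "director")   # constructed user
    return acl


def build_disbursing_office():
    """Example 2: two finance officers share one role; the rule lives in the office logic."""
    acl = FileAccessControl()
    acl.grant("finance_officer", "payments", "request", "authorize")
    acl.assign_role("bob", "finance_officer")    # constructed user
    acl.assign_role("carol", "finance_officer")  # constructed user
    return DisbursingOffice(acl)


if __name__ == "__main__":
    office = build_disbursing_office()
    office.request_payment("bob", "PAY-0001")
    try:
        office.authorize_payment("bob", "PAY-0001")
    except PermissionDeniedError as exc:
        print("denied:", exc)
    print("authorized by carol:", office.authorize_payment("carol", "PAY-0001"))
```

Note the difference between the two decisions: the file policy fits entirely into a static matrix, while the disbursing rule depends on who performed an earlier action, so the matrix alone cannot express it and the application has to keep state. That is the kind of capability gap between mechanisms the chapter refers to.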
17.3 Technical Implementation Mechanisms
Many mechanisms have been developed to provide internal and
external access controls, and they vary significantly in terms of
precision, sophistication, and cost. These methods are not mutually
exclusive and are often employed in combination. Managers need to
analyze their organization's protection requirements to select the
most appropriate, cost-effective logical access controls.