information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- FBI Warns of ‘Unlimited’ ATM Cashout Blitz - The Federal Bureau of
Investigation (FBI) is warning banks that cybercriminals are
preparing to carry out a highly choreographed, global fraud scheme
known as an “ATM cash-out,” in which crooks hack a bank or payment
card processor and use cloned cards at cash machines around the
world to fraudulently withdraw millions of dollars in just a few
Banks and Retailers Are Tracking How You Type, Swipe and Tap - When
you’re browsing a website and the mouse cursor disappears, it might
be a computer glitch - or it might be a deliberate test to find out
who you are.
NARA is doing great at email, website security. Maybe - The National
Archives and Records Administration is (possibly) a model for
federal agencies looking to comply with a binding operational
directive issued by the Department of Homeland Security last year to
boost security of federal websites and email.
A New Pacemaker Hack Puts Malware Directly on the Device - The first
pacemaker hacks emerged about a decade ago. But the latest variation
on the terrifying theme depends not on manipulating radio commands,
as many previous attacks have, but on malware installed directly on
an implanted pacemaker.
FCC lied to Congress about made-up DDoS attack, investigation found
- The Federal Communications Commission lied to members of Congress
multiple times in a letter that answered questions about a "DDoS
attack" that never happened, an internal investigation found.
'Hack the Marine Corps' Bug Bounty Event Held in Vegas - The US
Marine Corps yesterday in Las Vegas held a live hacking event
focused on its public-facing websites and enterprise services, and
it paid out $80,000 in total to researchers for 75 new
vulnerabilities that they found.
How California Is Improving Cyber Threat Information Sharing - The
state wants to add every city and county government to its automated
threat feed program in the next three to four years.
Fax Machines Are Still Everywhere, and Wildly Insecure - It's
tempting to think of fax machines as a relic, every bit as relevant
as an eight-track tape. But fields like health care and government
still rely on faxes every day. Even your all-in-one printer probably
has a fax component. And new research shows that vulnerabilities in
that very old tech could expose entire corporate networks to attack.
Caesars' Palace security room checks rattle Def Con attendees,
conference SecOps head offers resignation - A policy implemented at
Caesar's Palace in the wake of last October's shooting that allows
hotel security to spotcheck the room of guests who've rejected
housekeeping services has prompted the head of security operations
of Def Con, which held its conference in the hotel last week, to
offer his resignation.
If not now, when? Reinventing your IT security approach to
prioritize speed - For years, the security ecosystem has been in
response mode. When an attack happens, the common reaction is
centered around damage control or applying security band-aids, and
it doesn't always happen in a speedy fashion.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Ransomware attack at Blue Springs Family Care in Missouri affects
45,000 patients - Blue Springs Family Care in Missouri was hit by a
ransomware attack that compromised the information of nearly 45,000
Comcast Xfinity exposed 26.5 million customer SSNs and partial home
addresses - Security researcher Ryan Stevenson spotted a
vulnerability in Comcast Xfinity's in-home authentication system,
which exposed the partial home addresses and partial Social Security
numbers of 26.5 million customers.
The worst kind of hazard: PGA falls victim to ransomware - "Hacker"
was already a dirty word in golf when it referred to a terrible
player. But now the term is taking on an even worse connotation,
after attackers reportedly infected the PGA of America with
GoDaddy configuration info exposed on open S3 bucket created by
Amazon employee - An open Amazon AWS S3 bucket that exposed
GoDaddy's cloud configuration information was originated with an AWS
salesperson, according to Amazon, and secured after the UpGuard
Cyber Risk Team that discovered it notified the domain name
Brazilian banking customers targeted by IoT DNS hijacking attacks -
A DNS hijacking campaign has been discovered targeting Banco de
Brasil and Itau Unibanco customer credentials through the end-user
50.5 million Sungy Mobile customers exposed through open ports -
Chinese app maker Sungy Mobile may have exposed the information of
more than 50.5 million of its customers, according to researchers
who were able to access dozens of the company's databases through a
pair of IP addresses that did not require any login credentials.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the Official Staff Commentary
(OSC,) an example of a consumer's authorization that is not in the
form of a signed writing but is, instead, "similarly authenticated,"
is a consumer's authorization via a home banking system. To
satisfy the regulatory requirements, the institution must have some
means to identify the consumer (such as a security code) and make a
paper copy of the authorization available (automatically or upon
request). The text of the electronic authorization must be
displayed on a computer screen or other visual display that enables
the consumer to read the communication from the institution. Only
the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence
all categories of risk. Traditionally, examiners and bankers
recognize the direct impact on operational/transaction risk from
incidents related to fraud, theft, or accidental damage. Many
security weaknesses, however, can directly increase exposure in
other risk areas. For example, the GLBA introduced additional
legal/compliance risk due to the potential for regulatory
noncompliance in safeguarding customer information. The potential
for legal liability related to customer privacy breaches may present
additional risk in the future. Effective application access controls
can reduce credit and market risk by imposing risk limits on loan
officers or traders. If a trader were to exceed the intended trade
authority, the institution may unknowingly assume additional market
A strong security program reduces levels of reputation and
strategic risk by limiting the institution's vulnerability to
intrusion attempts and maintaining customer confidence and trust in
the institution. Security concerns can quickly erode customer
confidence and potentially decrease the adoption rate and rate of
return on investment for strategically important products or
services. Examiners and risk managers should incorporate security
issues into their risk assessment process for each risk category.
Financial institutions should ensure that security risk assessments
adequately consider potential risk in all business lines and risk
Information security risk assessment is the process used to
identify and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to 'protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
17.3.1 Internal Access Controls
Internal access controls are a logical means of separating what
defined users (or user groups) can or cannot do with system
resources. Five methods of internal access control are discussed in
this section: passwords, encryption, access control lists,
constrained user interfaces, and labels.
Passwords are most often associated with user authentication.
However, they are also used to protect data and applications on many
systems, including PCs. For instance, an accounting application may
require a password to access certain financial data or to invoke a
restricted application (or function of an application).
Password-based access control is often inexpensive because it is
already included in a large variety of applications. However, users
may find it difficult to remember additional application passwords,
which, if written down or poorly chosen, can lead to their
compromise. Password-based access controls for PC applications are
often easy to circumvent if the user has access to the operating
system (and knowledge of what to do). There are other disadvantages
to using passwords.
The use of passwords as a means of access control can result in a
proliferation of passwords that can reduce overall security.
Another mechanism that can be used for logical access control is
encryption. Encrypted information can only be decrypted by those
possessing the appropriate cryptographic key. This is especially
useful if strong physical access controls cannot be provided, such
as for laptops or floppy diskettes. Thus, for example, if
information is encrypted on a laptop computer, and the laptop is
stolen, the information cannot be accessed. While encryption can
provide strong access control, it is accompanied by the need for
strong key management. Use of encryption may also affect
availability. For example, lost or stolen keys or read/write errors
may prevent the decryption of the information.