FFIEC
information technology audits
-
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
to
On-site FFIEC IT Audits.
FYI
- President signs NIST Small Business Cybersecurity Act into law - A
year and nearly four months after the measure was introduced, the
NIST Small Business Cybersecurity Act officially passed after
President Donald Trump signed the legislation into law.
https://www.scmagazine.com/president-signs-nist-small-business-cybersecurity-act-into-law/article/789147/
A "Value at Risk Model" focuses anti-phishing programs where it
matters most - If you're a CISO, you've probably wrestled with
placing a monetary value on your exposure to cyber-attacks.
https://www.scmagazine.com/a-value-at-risk-model-focuses-anti-phishing-programs-where-it-matters-most/article/783903/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Wisconsin county clerk reportedly accused of local government
breach affecting 250K-plus individuals - The county clerk of Adams
County in central Wisconsin is reportedly the prime suspect in a
data breach affecting more than 250,000 people, and now local
officials are attempting to remove her from her position.
https://www.scmagazine.com/wisconsin-county-clerk-reportedly-accused-of-local-government-breach-affecting-250k-plus-individuals/article/789180/
India's Cosmos bank raided for $13m by hackers - Cosmos Bank in
India says that hackers made off with $13.4m in stolen funds over
the weekend.
https://www.theregister.co.uk/2018/08/15/cosmos_bank_raided/
Phishing attack on Augusta University Health leads to breach
exposing info on 400K persons - A phishing attack aimed at the email
accounts of 24 university faculty and administrators at Augusta
University Health led to the exposure of medical and personal
information on about 417,000 individuals.
https://www.scmagazine.com/phishing-attack-on-augusta-university-health-leads-to-breach-exposing-info-on-400k-persons/article/789497/
How agencies can stop playing ‘Russian Roulette’ with their email
security - With less than two months before the Homeland Security
Department’s Oct. 16 deadline, the number of agency domains still
not meeting the requirements under Binding Operational Directive
18-01 is more than 200.
https://federalnewsradio.com/reporters-notebook-jason-miller/2018/08/how-agencies-can-stop-playing-russian-roulette-with-their-email-security/
Phishing scam claims recall on exploding Barclays credit cards -
Scammers are taking phishing attack low tech in a scheme targeting
Barclays customers, claiming that a recall has been issued for
customers cards because their EMV chips could explode.
https://www.scmagazine.com/phishing-scam-claims-recall-on-exploding-barclays-credit-cards/article/789620/
WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify
the definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY STEPS
Common elements of risk assessment approaches involve three
phases: information gathering, analysis, and prioritizing responses.
Vendor concerns add additional elements to the process.
INFORMATION GATHERING
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings of information system assets (e.g., data,
software, and hardware). Inventories on a device-by-device basis
can be helpful in risk assessment as well as risk mitigation.
Inventories should consider whether data resides in house or at a
TSP.
2) Determining threats to those assets, resulting from people
with malicious intent, employees and others who accidentally cause
damage, and environmental problems that are outside the control of
the organization (e.g., natural disasters, failures of
interdependent infrastructures such as power, telecommunications,
etc.).
3) Identifying organizational vulnerabilities (e.g., weak senior
management support, ineffective training, inadequate expertise or
resource allocation, and inadequate policies, standards, or
procedures).
4) Identifying technical vulnerabilities (e.g., vulnerabilities
in hardware and software, configurations of hosts, networks,
workstations, and remote access).
5) Documenting current controls and security processes, including
both information technology and physical security.
6) Identifying security requirements and considerations (e.g.,
GLBA).
7) Maintaining the risk assessment process requires institutions
to review and update their risk assessment at least once a year, or
more frequently in response to material changes in any of the six
actions above.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.3.1.3 Access
Control Lists
Access Control Lists (ACLs) refer to a register of: (1) users
(including groups, machines, processes) who have been given
permission to use a particular system resource, and (2) the types of
access they have been permitted.
ACLs vary considerably in their capability and flexibility. Some
only allow specifications for certain pre-set groups (e.g., owner,
group, and world) while more advanced ACLs allow much more
flexibility, such as user-defined groups. Also, more advanced ACLs
can be used to explicitly deny access to a particular individual or
group. With more advanced ACLs, access can be at the discretion of
the policymaker (and implemented by the security administrator) or
individual user, depending upon how the controls are technically
implemented.
Elementary ACLs. Elementary ACLs (e.g., "permission bits")
are a widely available means of providing access control on
multiuser systems. In this scheme, a short, predefined list of the
access rights to files or other system resources is maintained.
Elementary ACLs are typically based on the concepts of owner,
group, and world. For each of these, a set of access modes
(typically chosen from read, write, execute, and delete) is
specified by the owner (or custodian) of the resource. The owner is
usually its creator, though in some cases, ownership of resources
may be automatically assigned to project administrators, regardless
of the identity of the creator. File owners often have all
privileges for their resources.
In addition to the privileges assigned to the owner, each resource
is associated with a named group of users. Users who are members of
the group can be granted modes of access distinct from nonmembers,
who belong to the rest of the "world" that includes all of the
system's users. User groups may be arranged according to
departments, projects, or other ways appropriate for the particular
organization. For example, groups may be established for members of
the Personnel and Accounting departments. The system administrator
is normally responsible for technically maintaining and changing the
membership of a group, based upon input from the owners/custodians
of the particular resources to which the groups may be granted
access.
As the name implies, however, the technology is not particularly
flexible. It may not be possible to explicitly deny access to an
individual who is a member of the file's group. Also, it may not be
possible for two groups to easily share information (without
exposing it to the "world"), since the list is predefined to only
include one group. If two groups wish to share information, an owner
may make the file available to be read by "world." This may disclose
information that should be restricted. Unfortunately, elementary
ACLs have no mechanism to easily permit such sharing.
Example of Elementary ACL for the file "payroll":
Owner: PAYMANAGER
Access: Read, Write, Execute, Delete
Group: COMPENSATION-OFFICE
Access: Read, Write, Execute, Delete
"World"
Access: None
Advanced ACLs. Like elementary ACLs, advanced ACLs provide a
form of access control based upon a logical registry. They do,
however, provide finer precision in control.
Advanced ACLs can be very useful in many complex information
sharing situations. They provide a great deal of flexibility in
implementing system-specific policy and allow for customization to
meet the security requirements of functional managers. Their
flexibility also makes them more of a challenge to manage. The rules
for determining access in the face of apparently conflicting ACL
entries are not uniform across all implementations and can be
confusing to security administrators. When such systems are
introduced, they should be coupled with training to ensure their
correct use.
Since one would presume that no one would have access without being
granted access, why would it be desirable to explicitly deny access?
Consider a situation in which a group name has already been
established for 50 employees. If it were desired to exclude 5 of the
individuals from that group, it would be easier for the access
control administrator to simply grant access to that group and take
it away from the 5 rather than grant access to 45 people. Or,
consider the case of a complex application in which many groups of
users are defined. It may be desired, for some reason, to prohibit
Ms. X from generating a particular report (perhaps she is under
investigation). In a situation in which group names are used (and
perhaps modified by others), this explicit denial may be a safety
check to restrict Ms. X's access -- in case someone were to redefine
a group (with access to the report generation function) to include
Ms. X. She would still be denied access.
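The two ACL styles above, as an added worked example that is not part of the NIST Handbook: an owner/group/world check for the "payroll" file, and an advanced ACL with an explicit deny entry, showing that Ms. X stays denied even after someone redefines the report group to include her. The group names, user names and the deny-overrides-allow conflict rule are assumptions for illustration; real systems differ in how they resolve conflicting entries.

```python
from dataclasses import dataclass

@dataclass
class ElementaryACL:
    """Owner / group / world permission bits, as in the NIST 'payroll' example."""
    owner: str
    owner_modes: frozenset
    group: str
    group_modes: frozenset
    world_modes: frozenset

def elementary_allows(acl, user, groups_of_user, mode):
    # The first matching class (owner, then group, then world) decides, so
    # there is no way to single out one group member for denial.
    if user == acl.owner:
        return mode in acl.owner_modes
    if acl.group in groups_of_user:
        return mode in acl.group_modes
    return mode in acl.world_modes

@dataclass
class Entry:
    # One advanced-ACL entry: allow or deny some modes to a user or group.
    principal: str
    kind: str  # "allow" or "deny"
    modes: frozenset

def advanced_allows(entries, user, groups_of_user, mode):
    # Conflict rule assumed here (implementations differ): any matching deny
    # entry overrides every allow, and no matching entry means no access.
    names = {user} | set(groups_of_user)
    hits = [e for e in entries if e.principal in names and mode in e.modes]
    if any(e.kind == "deny" for e in hits):
        return False
    return any(e.kind == "allow" for e in hits)

# Constructed group directory; an administrator may change membership later.
GROUPS = {"COMPENSATION-OFFICE": {"alice"}, "REPORT-USERS": {"bob"}}

def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}

ALL = frozenset({"read", "write", "execute", "delete"})
PAYROLL = ElementaryACL("PAYMANAGER", ALL, "COMPENSATION-OFFICE", ALL, frozenset())
# Report generation: the group may run it, but Ms. X is explicitly denied.
REPORT_ACL = [Entry("REPORT-USERS", "allow", frozenset({"execute"})),
              Entry("ms_x", "deny", frozenset({"execute"}))]

def ms_x_after_group_redefined():
    # Someone later adds Ms. X to REPORT-USERS; the explicit deny still holds.
    GROUPS["REPORT-USERS"].add("ms_x")
    return advanced_allows(REPORT_ACL, "ms_x", groups_of("ms_x"), "execute")
```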