R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

September 2, 2018

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool requirements regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI - How hackers managed to steal $13.5 million in Cosmos bank heist - An in-depth look into the incident reveals how the 112-year-old bank may have been swindled out of millions. https://www.zdnet.com/article/how-hackers-managed-to-steal-13-5-million-in-cosmos-bank-heist/

FBI faces ‘recruiting challenge’ in plan to hire data scientists at all field offices - As the FBI looks to move to the cloud and share data more easily, the agency says it has the funding it needs to hire data experts across all 56 of its field offices. https://federalnewsradio.com/workforce/2018/08/fbi-faces-recruiting-challenge-in-plan-to-hire-data-scientists-at-all-field-offices/

Harsh Reality: Former NSA contractor sentenced to 63 months for leaking classified report - The former NSA contractor who last June pleaded guilty to leaking classified defense reports pertaining to Russian election interference to a media outlet, was sentenced today to 63 months in federal prison. https://www.scmagazine.com/harsh-reality-former-nsa-contractor-reality-winner-sentenced-to-63-months-for-leaking-classified-report/article/790851/

How to stop falling behind on cybersecurity training - Today's fast-paced digital world means the number of cyberthreats are multiplying by the minute and organizations' IT environments are in a constant state of flux. https://www.scmagazine.com/how-to-stop-falling-behind-on-cybersecurity-training/article/783909/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Massive WordPress redirect Campaign spotted targeting tagDiv Themes and Ultimate Member Plugins - Sucuri researchers have uncovered what they described as a massive WordPress redirecting campaign targeting vulnerable tagDiv themes and Ultimate Member plugins. https://www.scmagazine.com/massive-wordpress-redirect-campaign-spotted-targeting-tagdiv-themes-and-ultimate-member-plugins/article/790878/

Babysitting app Sitter exposed the data of 93,000 customers - The babysitting app Sitter notified some 93,000 account holders their personal data was exposed after independent security researcher Bob Diachenko discovered an inadvertently exposed MongoDB file. https://www.scmagazine.com/babysitting-app-sitter-exposed-the-data-of-93000-customers/article/790846/

Cheddar's restaurant data breach exposes 567,000 payment cards - Darden Restaurants suffered a point-of-sale system data breach at certain of its Cheddar's Scratch Kitchen locations that exposed at least 567,000 payment card numbers. https://www.scmagazine.com/cheddars-restaurant-data-breach-exposes-567000-payment-cards/article/790687/

Bank of Spain's website hit by cyber attack - The Bank of Spain’s website has been hit since Sunday by a cyber attack which has temporarily disrupted access to the site, a spokesman for the central bank said on Monday. https://www.reuters.com/article/us-spain-cyber-cenbank/bank-of-spains-website-hit-by-cyber-attack-idUSKCN1LC23B

T-Mobile discovers security breach of certain customer information - T-Mobile US and its unit Metro PCS informed customers on Thursday about a potential security breach that was discovered and shut down by the company. https://www.cnbc.com/2018/08/24/t-mobile-discovers-security-breach-of-certain-customer-information.html

Air Canada mobile app breach potentially impacts about 20,000 profiles - Air Canada yesterday warned customers of "unusual login behavior" on its mobile app between Aug. 22 and 24, during which time a portion of its account profiles may have been accessed in unauthorized fashion. https://www.scmagazine.com/air-canada-mobile-app-breach-potentially-impacts-about-20000-profiles/article/791996/



WEB SITE COMPLIANCE -
The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
  
  When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
  
  The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  INFORMATION SECURITY RISK ASSESSMENT

  
  ANALYZE INFORMATION (1 of 2)
  
  
The information gathered is used to characterize the system, to identify and measure threats to the system and the data it contains and transmits, and to estimate the likelihood that a threat will take action against the system or data.
  
  System characterization articulates the understanding of the system, including the boundaries of the system being assessed, the system's hardware and software, and the information that is stored, processed, and transmitted. Since operational systems may have changed since they were last documented, a current review of the system should be performed. Developmental systems, on the other hand, should be analyzed to determine their key security rules and attributes. Those rules and attributes should be documented as part of the systems development lifecycle process. System characterization also requires the cross-referencing of vulnerabilities to current controls to identify those that mitigate specific threats, and to assist in highlighting the control areas that should be improved.
  
  A key part of system characterization is the ranking of data and system components according to their sensitivity and importance to the institution's operations. Additionally, consistent with the GLBA, the ranking should consider the potential harm to customers of unauthorized access and disclosure of customer non-public personal information. Ranking allows for a reasoned and measured analysis of the relative outcome of various attacks, and the limiting of the analysis to sensitive information or information and systems that may materially affect the institution's condition and operations.
  
  Threats are identified and measured through the creation and analysis of threat scenarios. Threat scenarios should be comprehensive in their scope (e.g., they should consider reasonably foreseeable threats and possible attacks against information and systems that may affect the institution's condition and operations or may cause data disclosures that could result in substantial harm or inconvenience to customers). They should consider the potential effect and likelihood for failure within the control environment due to non-malicious or malicious events. They should also be coordinated with business continuity planning to include attacks performed when those plans are implemented. Non-malicious scenarios typically involve accidents related to inadequate access controls and natural disasters. Malicious scenarios, either general or specific, typically involve a motivated attacker (i.e., threat) exploiting a vulnerability to gain access to an asset to create an outcome that has an impact.
  
  An example of a general malicious threat scenario is an unskilled attacker using a program script to exploit a vulnerable Internet-accessible Web server to extract customer information from the institution's database. Assuming the attacker's motivation is to seek recognition from others, the attacker publishes the information, causing the financial institution to suffer damage to its reputation. Ultimately, customers are likely to be victims of identity theft.
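The following is an added example, not part of the FFIEC booklet text above: a small risk-register model that carries out the "analyze information" steps just described on constructed data. It characterizes components and ranks them by sensitivity, cross-references vulnerabilities to controls so that uncontrolled vulnerabilities stand out, limits the scenario analysis to assets above a sensitivity threshold, and scores threat scenarios by likelihood and impact, with a GLBA-style floor on impact where customer non-public personal information could be disclosed. All asset names, vulnerability descriptions, control names and ratings are assumptions for illustration, not real findings.

```python
"""Added example (not from the FFIEC booklet): a minimal risk register that
carries out the 'analyze information' steps on constructed data. All names
and ratings below are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int          # 1 (public) .. 5 (critical), ranked by the institution
    holds_customer_npi: bool  # GLBA non-public personal information


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str
    description: str


@dataclass(frozen=True)
class Control:
    cid: str
    mitigates: frozenset      # vulnerability ids this control addresses


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: str        # asset whose data or service is affected
    vid: str          # vulnerability the threat exploits (or the failure that occurs)
    likelihood: int   # 1..5, estimated for the threat actor described
    impact: int       # 1..5, to the institution
    malicious: bool


# Constructed sample system (illustrative names and ratings, not real findings)
ASSETS = {a.name: a for a in [
    Asset("public-web", 2, False),
    Asset("customer-db", 5, True),
    Asset("marketing-wiki", 1, False),
]}
VULNS = {v.vid: v for v in [
    Vulnerability("V1", "public-web", "unpatched web application framework"),
    Vulnerability("V2", "customer-db", "web-tier DB account can SELECT every customer table"),
    Vulnerability("V3", "marketing-wiki", "default administrator password"),
    Vulnerability("V4", "customer-db", "no off-site backup"),
]}
CONTROLS = [
    Control("C1-waf", frozenset({"V1"})),
    Control("C2-least-privilege-db-account", frozenset()),  # planned; mitigates nothing yet
    Control("C3-backup", frozenset({"V4"})),
]
SCENARIOS = [
    # The booklet's own general scenario: scripted web exploit, customer data extracted
    Scenario("unskilled attacker scripts a web exploit, then dumps customer data "
             "through the over-privileged DB account", "customer-db", "V2", 3, 3, True),
    Scenario("wiki defaced through default credential", "marketing-wiki", "V3", 4, 2, True),
    Scenario("storage failure loses customer DB", "customer-db", "V4", 2, 5, False),
]


def control_gaps(vulns, controls):
    """Cross-reference vulnerabilities to controls; return the ids no control mitigates."""
    mitigated = set().union(*(c.mitigates for c in controls))
    return sorted(v for v in vulns if v not in mitigated)


def scenario_score(s, assets):
    """Likelihood x impact. A malicious disclosure of customer NPI is floored at
    impact 4 because GLBA requires weighing harm to customers, not only to the bank."""
    impact = s.impact
    if s.malicious and assets[s.asset].holds_customer_npi:
        impact = max(impact, 4)
    return s.likelihood * impact


def ranked_scenarios(scenarios, assets, min_sensitivity=3):
    """Limit the analysis to assets that could materially affect the institution
    (sensitivity >= threshold) and rank the remaining scenarios by score."""
    in_scope = [s for s in scenarios if assets[s.asset].sensitivity >= min_sensitivity]
    return sorted(((scenario_score(s, assets), s.name) for s in in_scope), reverse=True)


if __name__ == "__main__":
    print("uncontrolled vulnerabilities:", control_gaps(VULNS, CONTROLS))
    for score, name in ranked_scenarios(SCENARIOS, ASSETS):
        print(f"{score:>3}  {name}")
```

Run as a script it lists V2 and V3 as vulnerabilities with no mitigating control and ranks the booklet's web-server scenario first, because it lands on the most sensitive asset, is uncontrolled, and carries the customer-harm floor. The wiki scenario drops out of the ranked list at the default threshold even though its likelihood is highest, which is the point of ranking before analysing: effort goes to the assets that matter.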



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 17 - LOGICAL ACCESS CONTROL
 
 
17.3.1.4 Constrained User Interfaces
 
 Often used in conjunction with ACLs are constrained user interfaces, which restrict users' access to specific functions by never allowing them to request the use of information, functions, or other specific system resources for which they do not have access. Three major types exist: (1) menus, (2) database views, and (3) physically constrained user interfaces.
 
 Constrained user interfaces can provide a form of access control that closely models how an organization operates. Many systems allow administrators to restrict users' ability to use the operating system or application system directly. Users can only execute commands that are provided by the administrator, typically in the form of a menu. Another means of restricting users is through restricted shells, which limit the system commands the user can invoke. The use of menus and shells can often make the system easier to use and can help reduce errors.
 
 Menu-driven systems are a common constrained user interface, where different users are provided different menus on the same system. 
 
 Database views are a mechanism for restricting user access to data contained in a database. It may be necessary to allow a user to access a database, but that user may not need access to all the data in the database (e.g., not all fields of a record nor all records in the database). Views can be used to enforce complex access requirements that are often needed in database situations, such as those based on the content of a field. For example, consider the situation where clerks maintain personnel records in a database. Clerks are assigned a range of clients based upon last name (e.g., A-C, D-G). Instead of granting a user access to all records, the view can grant the user access to records based upon the first letter of the last name field.
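The clerk example above, worked out as an added example that is not part of the NIST Handbook: the views are built in SQLite through Python's sqlite3 module so the block runs stand-alone. Each clerk view is limited both to a last-name range (rows) and to the columns a records clerk needs (no salary, no SSN). It also covers a caveat the Handbook does not spell out: a view that restricts what a user can read does not by itself restrict what the user can write through it, so an INSTEAD OF trigger refuses inserts outside the clerk's range. Table, view and column names and the sample records are assumptions for illustration.

```python
"""Added example (not from the NIST Handbook): database views as a constrained
user interface, in SQLite via Python. Names and records are illustrative."""
import sqlite3

SCHEMA = """
CREATE TABLE personnel (
    emp_id     INTEGER PRIMARY KEY,
    last_name  TEXT NOT NULL,
    first_name TEXT NOT NULL,
    salary     INTEGER NOT NULL DEFAULT 0,  -- hidden from clerk views
    ssn        TEXT                         -- hidden from clerk views
);
"""

# Constructed sample records (fictitious)
ROWS = [
    (1, "Adams",  "Alice", 52000, "***-**-0001"),
    (2, "Baker",  "Bob",   61000, "***-**-0002"),
    (3, "Chen",   "Carol", 58000, "***-**-0003"),
    (4, "Diaz",   "Dan",   49000, "***-**-0004"),
    (5, "Garcia", "Gail",  70000, "***-**-0005"),
    (6, "Hill",   "Hank",  45000, "***-**-0006"),
]


def _check_ident(name):
    # DDL cannot take bound parameters, so identifiers are validated before interpolation
    if not name.isidentifier():
        raise ValueError(f"bad identifier: {name!r}")
    return name


def create_clerk_view(conn, name, first, last):
    """View exposing only rows whose last-name initial lies in [first, last] and only
    the non-sensitive columns, plus a trigger that rejects inserts outside that range
    (SQLite has no WITH CHECK OPTION; PostgreSQL and SQL Server do)."""
    _check_ident(name)
    if not (len(first) == len(last) == 1 and first.isupper() and last.isupper()):
        raise ValueError("range bounds must be single uppercase letters")
    conn.execute(f"""
        CREATE VIEW {name} AS
        SELECT emp_id, last_name, first_name
        FROM personnel
        WHERE upper(substr(last_name, 1, 1)) BETWEEN '{first}' AND '{last}'
    """)
    conn.execute(f"""
        CREATE TRIGGER {name}_ins INSTEAD OF INSERT ON {name}
        BEGIN
            SELECT RAISE(ABORT, 'record outside clerk range')
            WHERE upper(substr(NEW.last_name, 1, 1)) NOT BETWEEN '{first}' AND '{last}';
            INSERT INTO personnel (emp_id, last_name, first_name)
            VALUES (NEW.emp_id, NEW.last_name, NEW.first_name);
        END
    """)


def setup():
    """In-memory database with the two clerk views from the text: A-C and D-G."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?, ?)", ROWS)
    create_clerk_view(conn, "clerk_a_c", "A", "C")
    create_clerk_view(conn, "clerk_d_g", "D", "G")
    conn.commit()
    return conn


def view_columns(conn, view):
    """Columns a clerk using this view can see at all."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({_check_ident(view)})")]


def visible_last_names(conn, view):
    return [row[0] for row in conn.execute(
        f"SELECT last_name FROM {_check_ident(view)} ORDER BY last_name")]


def insert_via_view(conn, view, emp_id, last, first):
    """True if the insert through the view succeeded, False if the trigger rejected it."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(f"INSERT INTO {_check_ident(view)} (emp_id, last_name, first_name) "
                         "VALUES (?, ?, ?)", (emp_id, last, first))
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = setup()
    print("A-C clerk sees:", visible_last_names(db, "clerk_a_c"), view_columns(db, "clerk_a_c"))
    print("D-G clerk sees:", visible_last_names(db, "clerk_d_g"))
    print("A-C clerk adds 'Young':", insert_via_view(db, "clerk_a_c", 7, "Young", "Yuri"))
    print("A-C clerk adds 'Cole':", insert_via_view(db, "clerk_a_c", 8, "Cole", "Cy"))
```

In a server DBMS the constraint is enforced by the privilege system: grant the clerk role SELECT and INSERT on its view and nothing at all on personnel. SQLite has no GRANT, so in this example the restriction holds only because the application never hands the clerk the base table name. On PostgreSQL, define the view WITH CHECK OPTION instead of the trigger, and mark it WITH (security_barrier) so the planner cannot evaluate a cheap user-supplied function on rows the WHERE clause is meant to hide, which is the classic way a row-filtering view leaks.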
 
 Physically constrained user interfaces can also limit a user's abilities. A common example is an ATM, which provides only a limited number of physical buttons to select options; no alphabetic keyboard is usually present.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.