FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - House Approves DHS Authority to Address Supply Chain Risk, Bar Contractors - The House of Representatives on Tuesday agreed by voice vote to approve HR 6430, the Securing the Homeland Security Supply Chain Act of 2018, which grants the Department of Homeland Security (DHS) Secretary authority to exclude certain contractors from doing business with the Federal government to address "urgent national security interests" and curb supply chain risks.
https://www.meritalk.com/articles/dhs-supply-chain-risk-bill-approved/
How did Equifax, a consumer reporting agency, respond to that event?
Equifax said that it investigated factors that led to the breach and
tried to identify and notify people whose personal information was
compromised.
https://www.gao.gov/products/GAO-18-559?utm_campaign=usgao_email&utm_content=topci_infosec&utm_medium=email&utm_source=govdelivery
When cybersecurity pros go bad, Silence cybergang makes noise with
$800,000 in ATM thefts - A low-profile cybergang appropriately named
Silence specializing in ATM bank theft and possibly comprised of two
former or current cybersecurity workers has so far stolen more than
$800,000 during a two-year-long crime spree.
https://www.scmagazine.com/home/news/when-cybersecurity-pros-go-bad-silence-cybergang-makes-noise-with-800000-in-atm-thefts/
Russian man extradited to U.S. for ‘massive’ financial hacking
campaign - A Russian man allegedly part of a series of hacks
targeting the financial industry and resulting in the theft of data
on more than 80 million people, has been extradited from the nation
of Georgia to the U.S., the Manhattan U.S. Attorney’s office said.
https://www.scmagazine.com/home/news/russian-man-extradited-to-u-s-for-massive-financial-hacking-campaign/
White House further restricts mobile devices in West Wing - The proclivity of former White House aide Omarosa Manigault Newman to record conversations with colleagues, including the president and her firing in the Situation Room by Chief of Staff John Kelly, has prompted the administration to further restrict staffers' use of mobile devices in the West Wing.
https://www.scmagazine.com/home/news/white-house-further-restricts-mobile-devices-in-west-wing/
‘Pass’ words: Philadelphia Eagles are the NFL team most often
referenced in credentials - Proud Philadelphia Eagles fans might
want to think of a more secure way to honor their Super Bowl-winning
NFL franchise than using their team name as a user password.
https://www.scmagazine.com/home/news/pass-words-philadelphia-eagles-are-the-nfl-team-most-often-referenced-in-credentials/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers steal data on 380,000 British Airways customers - British Airways has resolved an August breach that resulted in data being stolen from about 380,000 customers and the company is treating a probe of the incident with some "urgency."
https://www.scmagazine.com/home/news/hackers-steal-data-on-380000-british-airways-customers/
Park by Phone data breach affects 5,000 customers - A data breach at
Cork City Park by Phone service in Ireland has affected more than
5,000 people.
https://www.scmagazine.com/home/news/park-by-phone-data-breach-affects-5000-customers/
Veeam MongoDB left unsecured, 440 million records exposed - The
Swiss-based data company Veeam exposed more than 445 million records
when it used a misconfigured MongoDB hosted on Amazon Web Services
that did not require any password to access.
https://www.scmagazine.com/home/news/veeam-mongodb-left-unsecured-440-million-records-exposed/
Canadian town bows to ransomware attack, will pay attackers - The small Canadian town of Midland, Ontario plans to pay off the malicious actors who shut down the municipality's computer system with a ransomware attack on Sept. 1.
https://www.scmagazine.com/home/news/canadian-town-bows-to-ransomware-attack-will-pay-attackers/
WEB SITE COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products
that are subject to the Fair Housing Act must display the Equal
Housing Lender logotype and legend or other permissible disclosure
of its nondiscrimination policy if required by rules of the
institution's regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities)
presented by various scenarios produced in the analysis phase to
prioritize management's response. Management may decide that since
some risks do not meet the threshold set in their security
requirement, they will accept those risks and not proceed with a
mitigation strategy. Other risks may require immediate corrective
action. Still others may require mitigation, either fully or
partially, over time. Risks that warrant action are addressed in the
information security strategy.
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
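The prioritization described above, worked through in code. This is an added example, not material from the FFIEC booklet: the scenarios, scores and thresholds are constructed, and the thresholds stand in for whatever the institution's own security requirement sets.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    probability: float            # likelihood from the analysis phase, 0.0 to 1.0
    impact: int                   # outcome severity, 1 (negligible) to 5 (severe)
    control_coverage: float = 1.0 # share of the risk the planned controls mitigate

    @property
    def score(self) -> float:
        return self.probability * self.impact

# Thresholds are assumptions standing in for the institution's security requirement.
ACCEPT_BELOW = 1.0        # scores below this are accepted, no mitigation strategy
IMMEDIATE_AT = 3.0        # scores at or above this need immediate corrective action
BORDERLINE_MARGIN = 0.25  # scores this close to ACCEPT_BELOW are referred to the board

def prioritize(scenarios):
    """Rank scenarios by score and place each in a response category."""
    ranked = sorted(scenarios, key=lambda s: s.score, reverse=True)
    plan = {"accept": [], "immediate": [], "mitigate_over_time": [], "board_review": []}
    for s in ranked:
        if s.score >= IMMEDIATE_AT:
            plan["immediate"].append(s.name)
        elif s.score < ACCEPT_BELOW:
            plan["accept"].append(s.name)
        else:
            plan["mitigate_over_time"].append(s.name)
        borderline = abs(s.score - ACCEPT_BELOW) <= BORDERLINE_MARGIN
        residual = s.score >= ACCEPT_BELOW and s.control_coverage < 1.0
        # Borderline rankings, or planned controls that cannot fully mitigate the
        # risk, go to the board (or its delegated committee) to document acceptance
        # or authorize other measures.
        if borderline or residual:
            plan["board_review"].append(s.name)
    return plan

# Constructed sample scenarios (not from any real institution's assessment).
SAMPLE_SCENARIOS = [
    Scenario("Unpatched internet-facing web server", 0.7, 5),
    Scenario("Cloud database reachable without a password", 0.5, 5, control_coverage=0.6),
    Scenario("Ransomware on a branch workstation", 0.3, 4),
    Scenario("Sports team name used as a user password", 0.9, 1),
    Scenario("Lost unencrypted USB drive", 0.1, 3),
]

if __name__ == "__main__":
    for category, names in prioritize(SAMPLE_SCENARIOS).items():
        print(f"{category}: {names}")
```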
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 17 - LOGICAL ACCESS CONTROL
17.3.2 External Access Controls
External access controls are a means of controlling interactions
between the system and outside people, systems, and services.
External access controls use a wide variety of methods, often
including a separate physical device (e.g., a computer) that is
between the system being protected and a network.
17.3.2.1 Port Protection Devices
Fitted to a communications port of a host computer, a port
protection device (PPD) authorizes access to the port itself, prior
to and independent of the computer's own access control functions. A
PPD can be a separate device in the communications stream, or it may
be incorporated into a communications device (e.g., a modem). PPDs
typically require a separate authenticator, such as a password, in
order to access the communications port.
One of the most common PPDs is the dial-back modem. A typical
dial-back modem sequence follows: a user calls the dial-back modem
and enters a password. The modem hangs up on the user and performs a
table lookup for the password provided. If the password is found,
the modem places a return call to the user (at a previously
specified number) to initiate the session. The return call itself
also helps to protect against the use of lost or compromised
accounts. This is, however, not always the case. Malicious hackers
can use such advanced functions as call forwarding to reroute calls.
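The dial-back sequence above as a small model in code. This is an added example, not from the NIST Handbook or any vendor's modem firmware; the password table, phone numbers and caller id below are constructed, and storing a digest of the password rather than the password itself is an assumption the text does not state.

```python
import hashlib
import hmac

def _digest(secret: str) -> bytes:
    # Assumption: the table holds a digest, not the cleartext password.
    return hashlib.sha256(secret.encode()).digest()

class DialBackModem:
    """Port protection device that answers, checks a password, hangs up,
    and places the return call only to a number registered in advance."""

    def __init__(self, table: dict):
        # table maps password -> the number the user registered beforehand
        self._table = {_digest(pw): number for pw, number in table.items()}

    def handle_call(self, password: str, caller_id: str = "") -> list:
        """Return the ordered actions the PPD takes for one inbound call."""
        events = ["answered", "prompted for password"]
        presented = _digest(password)
        match = None
        # Compare against every entry in constant time so response timing does
        # not reveal which passwords are in the table.
        for stored, number in self._table.items():
            if hmac.compare_digest(stored, presented):
                match = number
        events.append("hung up")  # the inbound call is always dropped first
        if match is None:
            events.append("no callback (password not in table)")
            return events
        # The destination comes from the table, never from the caller, so the
        # password alone does not choose where the session is set up.
        events.append(f"calling back {match}")
        if caller_id and caller_id != match:
            # Worth logging for review: the return call relies on the phone
            # network delivering it to the registered line, and the text notes
            # that call forwarding can reroute it.
            events.append(f"note: inbound caller id {caller_id} differs from registered number")
        return events

if __name__ == "__main__":
    modem = DialBackModem({"s3cret-alice": "+1-555-0100"})  # constructed entry
    print(modem.handle_call("s3cret-alice"))
    print(modem.handle_call("guess"))
```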