information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Equifax IT staff had to rerun hackers' database queries to work
out what was nicked – audit - Equifax was so unsure how much data
had been stolen during its 2017 mega-hack that its IT staff spent
weeks rerunning the hackers' database queries on a test system to
companies push for national privacy law - The Internet Association,
which represents more than 40 companies, including Facebook,
Alphabet, Microsoft and Twitter, came out Tuesday in favor “an
economy-wide, national approach to regulation that protects the
privacy of all Americans” rather than adhere to a bundle of
individual state laws like the recently passed California Consumer
No fly-by-night operation: Researchers suspect Magecart group behind
British Airways breach - A forensic analysis of the recent British
Airways data breach has turned up evidence pointing to the
involvement of Magecart, the same cybercriminal organization linked
to a similar breach earlier this year affecting Ticketmaster.
House Bill Would Create Financial Data Breach Notification Standard
- A bill introduced by Rep. Blaine Luetkemeyer, R-Mo., chairman of
the House Subcommittee on Financial Institutions and Consumer
Credit, on Sept. 7 aims to create a national standard for financial
institutions to notify consumers of data security breaches.
Students and staff blamed in majority of UK university cyberattacks
- A government-funded agency in the UK suspects students and staff
may be behind university cyberattacks rather than cybergangs and
Survey: Nearly one-third of breached companies reported job losses
after data breach - Nearly one-third of surveyed companies that
experienced a data breach in the previous 12 months said the
incident cost certain employees their jobs.
You’ve Been Breached! Now What? - Many companies that suffer a
malicious cyber incident such as a breach hesitate to involve
federal law enforcement, fearing an overbearing investigative
process, loss of control over the incident response, additional pain
or injury caused by law enforcement activities, and public court
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Honolulu-based Fetal Diagnostic Institute of the Pacific hit with
ransomware - Honolulu-based Fetal Diagnostic Institute of the
Pacific (FDIP) announced it was hit by a ransomware attack that may
have compromised patient data.
Brit airport pulls flight info system offline after attack by
'online crims' - Bristol Airport deliberately yanked its flight
screens offline for two days over the weekend in response to a
Veeam holds its hands up, admits database leak was plain
'complacency' -Co-CEO: 'We should have done a better job' - Veeam
has blamed "human error" for the exposure of a marketing database
containing millions of names and email addresses.
Colorado firm claims ransomware attack behind closure - A Colorado
printing company is claiming it was forced out of business after
being hit with a severe cyberattack from which it could not recover.
14 million customer records exposed in GovPayNow leak -
GovPayNow.com, a payment system used by thousands of federal and
state government agencies in the U.S. and recently acquired by
Securus Technologies, has leaked 14 million customer records.
State Department email breach leaks employee PII - The State
Department was hit with an email breach which exposed the personal
information of some of its employees.
Blue Cross and Blue Shield of Rhode Island and Independence Blue
Cross report breaches - Blue Cross and Blue Shield of Rhode Island
(BCBSRI) is blaming a vendor for a breach that compromised the
personal health information of 1,567 people and Philadelphia-based
Insurer Independence Blue Cross was breached in a separate incident.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit
investment products on-line should ensure that consumers are
informed of the risks associated with non-deposit investment
products as discussed in the "Interagency Statement on Retail Sales
of Non Deposit Investment Products." On-line systems should
comply with this Interagency Statement, minimizing the possibility
of customer confusion and preventing any inaccurate or misleading
impression about the nature of the non-deposit investment product or
its lack of FDIC insurance.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
1) Multidisciplinary and Knowledge - based Approach - A
consensus evaluation of the risks and risk mitigation practices
followed by the institution requires the involvement of a broad
range of users, with a range of expertise and business knowledge.
Not all users may have the same opinion of the severity of various
attacks, the importance of various controls, and the importance of
various data elements and information system components. Management
should apply a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and
central control and coordination help to ensure standardization,
consistency, and completeness of risk assessment policies and
procedures, as well as coordination in planning and performance.
Central control and coordination will also facilitate an
organizational view of risks and lessons learned from the risk
3) Integrated Process - A risk assessment provides a
foundation for the remainder of the security process by guiding the
selection and implementation of security controls and the timing and
nature of testing those controls. Testing results, in turn, provide
evidence to the risk assessment process that the controls selected
and implemented are achieving their intended purpose. Testing can
also validate the basis for accepting risks.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
18.104.22.168 Secure Gateways/ Firewalls
Often called firewalls, secure gateways block or filter access
between two networks, often between a privatenetwork and a larger,
more public network such as the Internet, which attract malicious
hackers. Secure gateways allow internal users to connect to external
networks and at the same time prevent malicious hackers from
compromising the internal systems.
Some secure gateways are set up to allow all traffic to pass
through except for specific traffic which has known or suspected
vulnerabilities or security problems, such as remote log-in
services. Other secure gateways are set up to disallow all traffic
except for specific types, such as e-mail. Some secure gateways can
make access-control decisions based on the location of the
requester. There are several technical approaches and mechanisms
used to support secure gateways.
Because gateways provide security by restricting services or
traffic, they can affect a system's usage. For this reason, firewall
experts always emphasize the need for policy, so that appropriate
officials decide how the organization will balance operational needs
In addition to reducing the risks from malicious hackers, secure
gateways have several other benefits. They can reduce internal
system security overhead, since they allow an organization to
concentrate security efforts on a limited number of machines. (This
is similar to putting a guard on the first floor of a building
instead of needing a guard on every floor.)
A second benefit is the centralization of services. A secure
gateway can be used to provide a central management point for
various services, such as advanced authentication, e-mail, or public
dissemination of information. Having a central management point can
reduce system overhead and improve service.
Types of Secure Gateways - There are many types of secure
gateways. Some of the most common are packet filtering (or
screening) routers, proxy hosts, bastion hosts, dual-homed gateways,
and screened-host gateways.
22.214.171.124 Host-Based Authentication
Host-based authentication grants access based upon the identity of
the host originating the request, instead of the identity of the
user making the request. Many network applications in use today use
host-based authentication to determine whether access is allowed.
Under certain circumstances it is fairly easy to masquerade as the
legitimate host, especially if the masquerading host is physically
located close to the host being impersonated. Security measures to
protect against misuse of some host-based authentication systems are
available (e.g., Secure RPC123 uses DES to provide a more secure
identification of the client host).
An example of host-based authentication is the Network File System
(NFS), which allows a server to make file systems/directories
available to specific machines.