R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 21, 2018

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

GAO report slams Department of Defense cybersecurity practices - Securing the upcoming election against cyberattack or influence is rightfully garnering a great deal of attention, but a recent General Accounting Office (GAO) report indicates the United States is doing a poor job building weapon systems resistant to cyberattack.

UK.gov teams up with Five Eyes chums to emit spotters' guide for miscreants' hack tools - The UK's National Cyber Security Centre and its western intel pals have today put out a report spotlighting the most commonly wielded hacking utilities. https://www.theregister.co.uk/2018/10/11/hacking_tools_taxonomy/

35 million voter records from 19 states found for sale on Dark Web - More than 35 million voter records have been found for sale in a Dark Web forum containing information on voters from 19 states, with prices ranging from $150 to $12,500. https://www.scmagazine.com/home/security-news/35-million-voter-records-from-19-states-found-for-sale-on-dark-web/

New York CISO: State committed to helping its local municipalities bolster cyber defenses - There are 62 counties in New York State, and nearly 1,000 cities and towns within them. Many lack adequate resources to devote to cybersecurity, but New York is committed to making sure these local municipalities are nevertheless protected against digital threats, according to the state's CISO Deborah Snyder, speaking today at a conference. https://www.scmagazine.com/home/security-news/new-york-ciso-state-committed-to-helping-its-local-municipalities-bolster-cyber-defenses/

Anthem to pay record $16M for 2015 data breach - Anthem will pay a record $16 million to settle potential privacy violations stemming from its massive 2015 data breach, which compromised the data of nearly 80 million current and former patients. https://www.scmagazine.com/home/security-news/anthem-to-pay-record-16m-for-2015-data-breach/


FYI - Mail mix up sends Michigan Medicine letters to the wrong people - For the second time this year healthcare provider Michigan Medicine is notifying patients that some of their personally identifiable information may have been exposed, this time due to a mailing error. https://www.scmagazine.com/home/security-news/mail-mix-up-sends-michigan-medicine-letters-to-the-wrong-people/

Iceland's largest phishing campaign imitated police - Iceland fell victim to the largest phishing campaign to target the nation, a complex scheme which involved impersonating law enforcement officers. https://www.scmagazine.com/home/security-news/icelands-largest-phishing-campaign-imitated-police/

Ransomware hits Madison County Idaho government - A ransomware attack held hostage Madison County, Idaho's services, ranging from the sanitation department to the county treasurer's office. https://www.scmagazine.com/home/security-news/madison-county-idaho-hit-with-ransomware-attack/

FitMetrix data exposed on unprotected Elasticsearch servers - A trio of unprotected Elasticsearch servers hosted by Amazon Web Services (AWS) left 113.5 million records of fitness tracking company FitMetrix customers exposed, according to the security researcher who discovered the databases. https://www.scmagazine.com/home/security-news/fitmetrix-data-exposed-on-unprotected-elasticsearch-servers/

BEC attack scams Texas school district out of $600,000 - The Henderson, Texas school district was hit with a business email compromise (BEC) attack resulting in a $600,000 loss for the district. https://www.scmagazine.com/home/security-news/bec-attack-scamstexas-school-district-out-of-600000/

Pentagon data breach exposed 30,000 travel records - The U.S. Department of Defense suffered a data breach through a third-party vendor resulting in at least 30,000 service members and employees having some of their personal and payment card information compromised.

North Carolina water utility ONWASA taken down by ransomware - The Onslow Water and Sewer Authority (ONWASA) in Jacksonville, N.C. was hit with a ransomware attack over the weekend that has all but shut down its computer operations. https://www.scmagazine.com/home/security-news/north-carolina-water-utility-onwasa-taken-down-by-ransomware/


Over the next few weeks we will cover the FDIC's paper "Risk Assessment Tools and Practices for Information System Security" dated July 7, 1999. This is our first selection for your reading.
  Whether financial institutions contract with third-party providers for computer services such as Internet banking, or maintain computer services in-house, bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technologies and computer networks. If a bank is relying on a third-party provider, management must generally understand the provider's information security program to effectively evaluate the security system's ability to protect bank and customer data.
  The FDIC has previously issued guidance on information security concerns such as data privacy and confidentiality, data integrity, authentication, non-repudiation, and access control/system design. This paper is designed to supplement Financial Institution Letter 131-97, "Security Risks Associated With the Internet," dated December 18, 1997, and to complement the FDIC's safety and soundness electronic banking examination procedures. Related guidance can be found in the FFIEC Information Systems Examination Handbook.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.
  An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.
  Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:
  1)  Assign users and system resources only the access required to perform their required functions,
  2)  Update access rights based on personnel or system changes,
  3)  Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and
  4)  Design appropriate acceptable-use policies and require users to sign them.
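The first three controls in the Action Summary above (least-privilege assignment, updating rights on personnel changes, and periodic review) are the kind of thing an auditor checks by reconciling the access list against the HR roster and a role model. The script below is an added example, not code from the FFIEC booklet or from this newsletter; it assumes a hypothetical role-to-entitlement table and uses constructed HR and entitlement data so it runs offline.

```python
"""Access-rights review: reconcile granted entitlements against an HR roster
and a role-to-entitlement model.  All names, roles and entitlements below are
constructed for this example; the role model is an assumption, not FFIEC's."""

from dataclasses import dataclass
from datetime import date


@dataclass
class Person:
    user: str
    status: str      # "active" or "terminated" (constructed HR status values)
    role: str


@dataclass
class Grant:
    user: str
    entitlement: str
    last_reviewed: date   # date a manager last certified this grant


# Hypothetical role model: the only entitlements each role should hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking_read", "teller_posting"},
    "loan_officer": {"core_banking_read", "loan_origination"},
    "sysadmin": {"core_banking_read", "server_admin"},
}

# Constructed HR roster (source of truth for who is still employed and in which role).
HR_ROSTER = [
    Person("alice", "active", "teller"),
    Person("bob", "terminated", "loan_officer"),
    Person("carol", "active", "sysadmin"),
]

# Constructed entitlement export from the application / directory.
GRANTS = [
    Grant("alice", "core_banking_read", date(2018, 9, 1)),
    Grant("alice", "loan_origination", date(2018, 9, 1)),   # beyond teller role
    Grant("bob", "core_banking_read", date(2018, 3, 1)),    # bob has left
    Grant("carol", "server_admin", date(2018, 1, 15)),      # certification stale
    Grant("dave", "server_admin", date(2018, 9, 1)),        # not on HR roster
]


def review_access(roster, grants, as_of, review_days):
    """Return (finding_kind, user, entitlement) tuples for every grant that
    violates one of the access-administration controls."""
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        p = people.get(g.user)
        if p is None:
            # Control 2: account with no matching person is an orphan.
            findings.append(("orphan_account", g.user, g.entitlement))
            continue
        if p.status != "active":
            # Control 2: rights were not removed on personnel change.
            findings.append(("terminated_user_access", g.user, g.entitlement))
            continue
        allowed = ROLE_ENTITLEMENTS.get(p.role, set())
        if g.entitlement not in allowed:
            # Control 1: more access than the role requires.
            findings.append(("excess_privilege", g.user, g.entitlement))
        if (as_of - g.last_reviewed).days > review_days:
            # Control 3: periodic review not performed within the window.
            findings.append(("review_overdue", g.user, g.entitlement))
    return findings


def count_by_kind(findings):
    """Roll findings up by kind for the review report."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Review as of the newsletter date with a 90-day certification window (assumed).
    for f in review_access(HR_ROSTER, GRANTS, date(2018, 10, 21), 90):
        print("%-24s %-8s %s" % f)
    print(count_by_kind(review_access(HR_ROSTER, GRANTS, date(2018, 10, 21), 90)))
```

The review window and role model are policy decisions; the booklet asks that the frequency be based on the risk of the application, so a higher-risk system such as server administration would normally get a shorter window than the 90 days assumed here.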


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
17.4 Administration of Access Controls
 17.7 Cost Considerations
 Incorporating logical access controls into a computer system involves the purchase or use of access control mechanisms, their implementation, and changes in user behavior.
 Direct Costs. Among the direct costs associated with the use of logical access controls are the purchase and support of hardware, operating systems, and applications that provide the controls, and any add-on security packages. The most significant personnel cost in relation to logical access control is usually for administration (e.g., initially determining, assigning, and keeping access rights up to date). Label-based access control is available in a limited number of commercial products, but at greater cost and with less variety of selection. Role-based systems are becoming more available, but there are significant costs involved in customizing these systems for a particular organization. Training users to understand and use an access control system is another necessary cost.
 Indirect Costs. The primary indirect cost associated with introducing logical access controls into a computer system is the effect on user productivity. There may be additional overhead involved in having individual users properly determine (when under their control) the protection attributes of information. Another indirect cost that may arise results from users not being able to immediately access information necessary to accomplish their jobs because the permissions were incorrectly assigned (or have changed). This situation is familiar to most organizations that put strong emphasis on logical access controls.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.