information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Lazarus FASTCash ATM attack details discovered - Symantec
researchers have uncovered several crucial details behind how the
cybergang Lazarus, (AKA Hidden Cobra) has successfully conducted
dozens of ATM hacks resulting in the machines literally spewing
money out on the group’s command.
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail
Scanning Service - A year ago, KrebsOnSecurity warned that “Informed
Delivery,” a new offering from the U.S. Postal Service (USPS) that
lets residents view scanned images of all incoming mail, was likely
to be abused by identity thieves and other fraudsters unless the
USPS beefed up security around the program and made it easier for
people to opt out.
Companies, customers will avoid you after a breach, survey says - A
recent study found customers would cease engaging with a brand after
it experienced a breach and that overall, most respondents were
unwilling to pay extra for the protection of their personal data.
Pentagon bolstering cybersecurity demands for future contracts - The
Pentagon's top weapons buyer has issued new language applying to
future contracts that's intended to put companies on notice that
they must elevate cybersecurity protection.
Top banks in cyber-attack 'war gam7e' - The Bank of England is
testing the UK's ability to withstand a major cyber-attack on
financial institutions. Some 40 firms, including leading banks, are
taking part in a one-day "war-gaming" exercise designed to assess
GAO - Departments Need to Improve Chief Information Officers' Review
and Approval of IT Budgets.
GAO - OPM Has Implemented Many of GAO's 80 Recommendations, but Over
One-Third Remain Open.
U.S. declines to sign cybersecurity pact - The U.S. Monday joined
Russia, North Korea and China in declining to sign a cybersecurity
pact supported by 50 countries and aimed at fighting both
cyberwarfare and cybercrime.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Oracle’s VirtualBox vulnerability leaked by disgruntled researcher
- An independent researcher who was disgruntled with traditional bug
bounty methods took it upon himself to leak the details of an
exploit in Oracle’s Virtual Box without first informing Oracle.
Leaky MongoDB server exposes personal info on 700K Amex India
customers - An unsecured MongoDB server has exposed personal data on
689,272 American Express India customers.
Huntsville Hospital in Alabama notifies job applicants of data
breach - Huntsville Hospital in Alabama is reporting the information
of job applicants who applied to the facility may be at risk after a
breach at a recruiting firm it uses.
WooCommerce WordPress flaw allowed unique privilege escalation, 4M
users affected - A file deletion vulnerability in WordPress can be
used to exploit millions of WooCommerce shops.
Nordstrom data breach exposes employee information - High-end
retailer Nordstrom is in the process of notifying its employees
their data may have been compromised in a breach.
Google hit with IP hijack taking down several services - Google G
Suite yesterday had much of its traffic re-routed through Russia and
dropped at China Telecom, according to the network intelligence
company Thousand Eyes.
22,000 Kars4Kids donor data records exposed - Thousands of donors
who were able to look past the Kars4Kids ad jingle and went ahead
had their information exposed when a misconfigured MongoDB made it
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides
a framework for establishing policy guidelines and identifying the
risk assessment tools and practices that may be appropriate for an
institution. Banks still should have a written information security
policy, sound security policy guidelines, and well-designed system
architecture, as well as provide for physical security, employee
education, and testing, as part of an effective program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through
an acceptable - use policy (AUP). Users who can access internal
systems typically are required to agree to an AUP before using a
system. An AUP details the permitted system uses and user activities
and the consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand - alone users include:
! The specific access devices that can be used to access the
! Hardware and software changes the user can make to their access
! The purpose and scope of network activity;
! Network services that can be used, and those that cannot be
! Information that is allowable and not allowable for transmission
using each allowable service;
! Bans on attempting to break into accounts, crack passwords, or
! Responsibilities for secure operation; and
! Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what
is allowed in the AUP, and unauthorized users may seek to gain
access to the system and move within the system. Network security
controls provide the protection necessary to guard against those
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
18.1.4 Problem Analysis
Audit trails may also be used as on-line tools to help identify
problems other than intrusions as they occur. This is often referred
to as real-time auditing or monitoring. If a system or application
is deemed to be critical to an organization's business or mission,
real-time auditing may be implemented to monitor the status of these
processes (although, as noted above, there can be difficulties with
real-time analysis). An analysis of the audit trails may be able to
verify that the system operated normally (i.e., that an error may
have resulted from operator error, as opposed to a system-originated
error). Such use of audit trails may be complemented by system
performance logs. For example, a significant increase in the use of
system resources (e.g., disk file space or outgoing modem use) could
indicate a security problem.
18.2 Audit Trails and Logs
A system can maintain several different audit trails concurrently.
There are typically two kinds of audit records, (1) an
event-oriented log and (2) a record of every keystroke, often called
keystroke monitoring. Event-based logs usually contain records
describing system events, application events, or user events.
An audit trail should include sufficient information to establish
what events occurred and who (or what) caused them. In general, an
event record should specify when the event occurred, the user ID
associated with the event, the program or command used to initiate
the event, and the result. Date and time can help determine if the
user was a masquerader or the actual person specified.