information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Study finds medical device security pros may have false sense of
security - A recent study surveying healthcare IT professionals
found while the majority of them are very confident their connected
devices are protected from cyberattacks, there may be some
disconnects between the perceived level of security and how secure
medical devices are.
DOD disables file sharing service due to 'security risks' - AMRDEC
SAFE portal had been to handle the transfer of classified and
non-classified materials. The US Department of Defense has disabled
access this month to a file sharing service used by its army
aviation and missile research centers, citing security issues.
DEA and ICE using surveillance cameras hidden in streetlights - In a
move that could stir up visions of an Orwellian-style government
surveillance state, recently published government procurement data
revealed the US Drug Enforcement Administration (DEA) and
Immigration and Customs Enforcement (ICE) have purchased an
undisclosed number of covert surveillance cameras hidden inside
streetlights to place around the country.
Britain may not be able to fend off a determined cyber-attack, MPs
warn - Britain's critical national infrastructure is vulnerable to
hackers and neither UK.gov nor privatised operators are doing enough
to tighten things up, a Parliamentary committee has warned.
GSA proposes new cybersecurity reporting rules for contractors - The
General Services Administration is proposing new rules shaping how
contractors protect government information on the IT systems they
How the U.S. might respond if China launched a full-scale
cyberattack - The U.S. financial and energy sectors are no strangers
to foreign government hackers, from Iranian denial-of-service
attacks on American banks to Russian reconnaissance of industrial
control systems. Less-familiar territory, however, is how companies
would work with the U.S. government to respond to a cross-sector
cyberattack during a geopolitical crisis.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Instagram flaw exposes user passwords - A security flaw in
Instagram’s recently released “Download Your Data” tool could have
exposed some user passwords, the company reportedly told users.
Amarillo City workers PII compromised - The employees of the city of
Amarillo, Texas, had their personal information compromised when an
outside contractor conducting an audit lost a USB drive containing
Vision Direct breach exposes customers’ personal, financial data -
Personal and financial data entered by customers who ordered or
updated information on the VisionDirect.co.uk website was
compromised and stolen between November 3 to November 8, the
London-based company warned in an updated online alert.
Make-A-Wish website compromised for cryptomining campaign - Not even
the Make-A-Wish Foundation is off limits for some unscrupulous
cybercriminals, as evidenced by a cryptojacking operation that
compromised the charitable organization’s international website.
ETSU breached after phishing scam - Two employees at East Tennessee
State University fell for an email phishing scam and paved the way
for a breach at the school.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
When assessing information security products, management should be
aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and
determining the effectiveness of current information security
programs. For example, a vulnerability might involve critical
systems that are not reasonably isolated from the Internet and
external access via modem. Having up-to-date inventory listings of
hardware and software, as well as system topologies, is important in
2) Assessing the importance and sensitivity of information and the
likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with
business partners. The other entity may have poor access controls
that could potentially lead to an indirect compromise of the bank's
system. Another example involves vendors that may be allowed to
access the bank's system without proper security safeguards, such as
firewalls. This could result in open access to critical information
that the vendor may have "no need to know."
4) Determining legal implications and contingent liability
concerns associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
1) Selecting authentication mechanisms based on the risk
associated with the particular application or services;
2) Considering whether multi - factor authentication is
appropriate for each application, taking into account that
multifactor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi - factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
Keystroke monitoring is the process used to view or record both the
keystrokes entered by a computer user and the computer's response
during an interactive session. Keystroke monitoring is usually
considered a special case of audit trails. Examples of keystroke
monitoring would include viewing characters as they are typed by
users, reading users' electronic mail, and viewing other recorded
information typed by users.
Some forms of routine system maintenance may record user
keystrokes. This could constitute keystroke monitoring if the
keystrokes are preserved along with the user identification so that
an administrator could determine the keystrokes entered by specific
users. Keystroke monitoring is conducted in an effort to protect
systems and data from intruders who access the systems without
authority or in excess of their assigned authority. Monitoring
keystrokes typed by intruders can help administrators assess and
repair damage caused by intruders.
18.2.2 Audit Events
System audit records are generally used to monitor
and fine-tune system performance. Application audit trails
may be used to discern flaws in applications, or violations of
security policy committed within an application. User audits
records are generally used to hold individuals accountable for
their actions. An analysis of user audit records may expose a
variety of security violations, which might range from simple
browsing to attempts to plant Trojan horses or gain unauthorized
The system itself enforces certain aspects of policy (particularly
system-specific policy) such as access to files and access to
the system itself. Monitoring the alteration of systems
configuration files that implement the policy is important. If
special accesses (e.g., security administrator access) have to be
used to alter configuration files, the system should generate audit
records whenever these accesses are used.
Sometimes a finer level of detail than system audit trails is
required. Application audit trails can provide this greater
level of recorded detail. If an application is critical, it can be
desirable to record not only who invoked the application, but
certain details specific to each use. For example, consider an
e-mail application. It may be desirable to record who sent mail, as
well as to whom they sent mail and the length of messages. Another
example would be that of a database application. It may be useful to
record who accessed what database as well as the individual rows or
columns of a table that were read (or changed or deleted), instead
of just recording the execution of the database program.
A user audit trail monitors and logs user activity in a
system or application by recording events initiated by the user
(e.g., access of a file, record or field, use of a modem).
Flexibility is a critical feature of audit trails. Ideally (from a
security point of view), a system administrator would have the
ability to monitor all system and user activity, but could choose to
log only certain functions at the system level, and within certain
applications. The decision of how much to log and how much to review
should be a function of application/data sensitivity and should be
decided by each functional manager/application owner with guidance
from the system administrator and the computer security
manager/officer, weighing the costs and benefits of the logging.