information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- How CISOs can tell a better security story to their board -
Historically, when CISOs have been called to speak to their
organization’s board of directors, it was an uncommon event. Just a
decade ago, the CISO who presented more than once per year was a
Microsoft details the causes of its recent multi-factor
authentication meltdown - Microsoft has posted a root cause analysis
of the multifactor authentication issue which hit a number of its
customers worldwide last week. Here's what happened.
We must inspire more talent into cybersecurity careers - As the
skills shortage worsens and cyber attacks soar to new heights,
there’s a tangible need to attract fresh and experienced talent to
careers in cybersecurity or catastrophe looms.
U.K., Dutch fine Uber $1.2 million over data breach violations - The
U.K. and Netherland’s government fined Uber a combined $1.2 million
over for the data breach the company endured in 2016 that exposed
the data on many of its customers and drivers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- ETSU breached after phishing scam - Two employees at East
Tennessee State University fell for an email phishing scam and paved
the way for a breach at the school.
Furry site ‘High Tail Hall’ exposed data of nearly 500K users - An
furry site High Tail Hall suffered a data breach exposing the
information of 411,755 fury fans.
Amazon website glitch exposes customer data - Amazon customer
service reportedly sent an unknown number of customers an email
today, warning that a technical error on its website had exposed
USPS fixes ‘Informed Delivery’ flaw that exposed 60M users - A
couple of weeks after the Secret Service issued an alert that
cybercriminals were using the U.S. Postal Service’s Informed
Delivery feature for identity theft and other forms of fraud, the
USPS has fixed a flaw that exposed the personal details of 60
million users who have usps.com accounts.
ETSU breached after phishing scam - Two employees at East Tennessee
State University fell for an email phishing scam and paved the way
for a breach at the school.
Drake’s Fortnite account hacked, Travis Scott may also be affected -
After taking home a Soul Train Award Toronto rapper Drake may be
looking to change his Fortnite account password after someone
hijacked his account to spew racial slurs during a charity
Smash Bros. Ultimate leaks, Nintendo struggles to contain breach -
Nintendo is struggling to contain leaks surround the release of
Smash Bros. Ultimate after reports of the game being sold early in
Mexico and pirated copies being released online being trawled by
data miners for hidden info.
ElasticSearch server exposed data of nearly 57M U.S. residents - An
ElasticSearch server database containing the information of nearly
57 million U.S. residents was found to have been left exposed
without a password.
London-based Urban Massage app leaks data on 300K customers,
including misconduct claims - A data breach of London-based startup
Urban Massage exposed the personal records of more than 309,000
users including data on clients accused of misconduct.
Database breach affects 2.6 million Atrium Health patients - Atrium
Health has reported a massive data breach exposing the PII of more
than 2.6 million clients after someone gained access to a database
belonging to a third-party vendor.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the
system in the generation of the shared secret. In the case of
passwords and pass phrases, the user should select them without any
assistance from any other user, such as the help desk. One exception
is in the creation of new accounts, where a temporary shared secret
could be given to the user for the first login, after which the
system prompts the user to create a different password. Controls
should prevent any user from re - using shared secrets that may have
been compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard - to - guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new -
shared secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
184.108.40.206 System-Level Audit Trails
If a system-level audit capability exists, the audit trail should
capture, at a minimum, any attempt to log on (successful or
unsuccessful), the log-on ID, date and time of each log-on attempt,
date and time of each log-off, the devices used, and the function(s)
performed once logged on (e.g., the applications that the user
tried, successfully or unsuccessfully, to invoke). System-level
logging also typically includes information that is not specifically
security-related, such as system operations, cost-accounting
charges, and network performance.
A system audit trail should be able to identify failed log-on
attempts, especially if the system does not limit the number of
failed log-on attempts. Unfortunately, some system-level audit
trails cannot detect attempted log-ons, and therefore, cannot log
them for later review. These audit trails can only monitor and log
successful log-ons and subsequent activity. To effectively detect
intrusion, a record of failed log-on attempts is required.