information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Ethical hacking growing in popularity as data breaches increase,
report - As the idea of ethical hacking begins to resonate more with
the general public, it has inspired more people ranging from
aspiring hackers to seasoned security professionals to join the
hacking community and seek out crowdsourced security testing
programs to hunt bug bounties.
Massive email bomb threat extortion scam spamming U.S. inboxes - A
nationwide wave of bomb threat emails demanding a bitcoin payment to
halt the explosion are being received by schools, government
agencies and private organizations.
Equifax how-it-was-mega-hacked damning dossier lands, in all of its
infuriating glory - 'Entirely preventable' theft down to
traffic-monitoring certificate left expired for 19 months - Updated
A US Congressional report outlining the breakdowns that led to the
2017 theft of 148 million personal records from Equifax has revealed
a stunning catalog of failure.
US elections watchdog says it's OK to spend surplus campaign cash on
cybersecurity gear - Congresscritters now have one less excuse for
getting pwned - The US Federal Election Commission has officially
voted to allow members of Congress to use their campaign funds on
U.S. Ballistic Missile Defense System Rife with Security Holes -
Widespread, unpatched vulnerabilities are just one set of problems
uncovered by a Department of Defense audit.
GAO - Agencies Need to Improve Implementation of Federal Approach to
Securing Systems and Protecting against Intrusions.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Exposed S3 bucket compromises 120 million Brazilian citizens -
More than 120 million unique identification numbers issued by the
Brazilian Federal Reserve to Brazilian citizens and tied to
tax-paying resident aliens, spent months earlier this year publicly
exposed on the internet.
Cyberattack sidelines Middle East servers of Italian energy
contractor Saipem - Italian oil and gas industry contractor Saipem
S.p.A. has reportedly confirmed that a Monday cyberattack impacted
its servers and infrastructure in the Middle East as well as in
Save the Children loses $1 million to BEC scam - Save the Children
was hit last year with a business email compromise scam that cost
the charity $1 million.
Report: Boomoji app developer leaves customer data exposed on open
database - The developers of make-your-own-avatar app Boomoji
reportedly neglected to password-protect two of their
internet-connected databases, thus publicly exposing the personal
data of roughly 5.3 million users.
Ransomware strikes University of Maryland Medical System - The
University of Maryland Medical System was hit with a ransomware
attack earlier this week that affected a small number of its medical
Schenectady County gov’t website knocked offline by cyberattack -
Schenectady County, N.Y. had to shut down its government website as
it tries to dig out from a cyberattack.
Hacker forces thousands of printers to churn out PewDiePie support
message - For the second time in less than three weeks, a hacker has
forced thousands of internet-connected printers to spit out messages
in support of Swedish video game commentator and YouTube star
Vermont, Dallas medical facilities suffer email account breaches -
In separate incidents, two U.S. health care facilities have publicly
disclosed data breaches that resulted from the unauthorized access
of an employee’s email.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
Host-Versus Network-Based Vulnerability Assessment Tools
As in intrusion detection systems, which are discussed later in
this appendix, there are generally two types of vulnerability
assessment tools: host-based and network-based. Another category is
sometimes used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is generally a
single computer or workstation that can be connected to a computer
network. Host-based tools assess the vulnerabilities of specific
hosts. They usually reside on servers, but can be placed on
specific desktop computers, routers, or even firewalls.
Network-based vulnerability assessment tools generally reside on
the network, specifically analyzing the network to determine if it
is vulnerable to known attacks. Both host- and network-based
products offer valuable features, and the risk assessment process
should help an institution determine which is best for its needs.
Information systems personnel should understand the types of tools
available, how they operate, where they are located, and the output
generated from the tools.
Host-based vulnerability assessment tools are effective at
identifying security risks that result from internal misuse or
hackers using a compromised system. They can detect holes that
would allow access to a system such as unauthorized modems, easily
guessed passwords, and unchanged vendor default passwords. The
tools can detect system vulnerabilities such as poor virus
protection capabilities; identify hosts that are configured
improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in
access. The tools may also provide a periodic check to confirm that
various security policies are being followed. For instance, they
can check user permissions to access files and directories, and
identify files and directories without ownership.
Network-based vulnerability assessment tools are more effective
than host-based at detecting network attacks such as denial of
service and Internet Protocol (IP) spoofing. Network tools can
detect unauthorized systems on a network or insecure connections to
business partners. Running a host-based scan does not consume
network overhead, but can consume processing time and available
storage on the host. Conversely, frequently running a network-based
scan as part of daily operations increases network traffic during
the scan. This may cause inadvertent network problems such as
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi - factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non - token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.3 Implementation Issues
Audit trail data requires protection, since the data should be
available for use when needed and is not useful if it is not
accurate. Also, the best planned and implemented audit trail is of
limited value without timely review of the logged data. Audit trails
may be reviewed periodically, as needed (often triggered by
occurrence of a security event), automatically in realtime, or in
some combination of these. System managers and administrators, with
guidance from computer security personnel, should determine how long
audit trail data will be maintained -- either on the system or in
Following are examples of implementation issues that may have to be
addressed when using audit trails.
18.3.1 Protecting Audit Trail Data
Access to on-line audit logs should be strictly controlled.
Computer security managers and system administrators or managers
should have access for review purposes; however, security and/or
administration personnel who maintain logical access functions may
have no need for access to audit logs.
It is particularly important to ensure the integrity of
audit trail data against modification. One way to do this is to use
digital signatures. Another way is to use write-once devices. The
audit trail files needs to be protected since, for example,
intruders may try to "cover their tracks" by modifying audit trail
records. Audit trail records should be protected by strong access
controls to help prevent unauthorized access. The integrity of audit
trail information may be particularly important when legal issues
arise, such as when audit trails are used as legal evidence. (This
may, for example, require daily printing and signing of the logs.)
Questions of such legal issues should be directed to the cognizant
The confidentiality of audit trail information may also be
protected, for example, if the audit trail is recording information
about users that may be disclosure-sensitive such as transaction
data containing personal information (e.g., "before" and "after"
records of modification to income tax data). Strong access controls
and encryption can be particularly effective in preserving