information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- 2019 Cybersecurity Predictions -
Three ways the marriage of SOAR and email security can benefit SOC
and security teams - As email attacks grow more frequent and
complex, organizations are scrambling for new ways to reduce risk
and better detect and remediate threats.
Next Generation Tools: Deception Networks - There have been
several predictions as to where adversary hacking is headed in the
foreseeable future. Virtually all credible predictions have one
thing in common: emerging attacks will be intelligent.
Connected light bulbs give off more than just light - Turning on a
“smart” light bulb may be the latest way people inadvertently flood
the internet with their personal information.
The Aerospace Industries Association today is releasing a National
Aerospace Standard on cybersecurity that provides the aerospace and
defense industry a dynamic, risk-based solution to addressing
threats and ensuring resilience in the increasingly complex
2018 – The year that was: Top Cyberthreats - It was clear it was
going to be an intense year the cybersecurity industry when, just
days after ringing in 2018, researchers announced a vulnerability
found in essentially all CPU processors made over the previous two
Top cybersecurity legislation of 2019 - 2018 may go down as the year
the EU’s GDPR went into effect but legislators domestically kept
busy introducing and passing legislation meant to bolster the U.S.’s
cybersecurity and privacy postures.
Data Breaches Caused by Misconfigured Servers - Misconfigured server
infrastructure is often considered one of the most significant
causes of data breaches within the IT industry.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Aliens? NASA servers with employee PII
potentially compromised - NASA yesterday alerted its employees of a
possible compromise of NASA servers containing personally
Hacking Diplomatic Cables Is Expected. Exposing Them Is Not - On
Wednesday, the security and anti-phishing firm Area 1 published
details of a breach that compromised one of the European Union's
diplomatic communication channels for three years.
NASA reveals employee data breach in internal memo - Information on
employees may have been exposed, but it's unlikely that missions
Caribou Coffee data breach affects 270 locations - The Caribou
Coffee chain has reported that its point of sale system was hacked,
resulting in a data breach affecting dozens of locations, primarily
San Diego Unified School District data breach exposed 500,000
students, staff, parents - The San Diego Unified School District
(SDUSD) – California’s second largest – first discovered in October
2018 that PII of more than a half million students and staff were
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information systems security or a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information systems vulnerability to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guaranty that the system(s)
being tested is secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail your company a proposal. E-mail Kinney Williams at
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.3.2 Review of
Audit trails can be used to review what occurred after an event,
for periodic reviews, and for real-time analysis. Reviewers should
know what to look for to be effective in spotting unusual activity.
They need to understand what normal activity looks like. Audit trail
review can be easier if the audit trail function can be queried by
user ID, terminal ID, application name, date and time, or some other
set of parameters to run reports of selected information.
Audit Trail Review After an Event. Following a known system
or application software problem, a known violation of existing
requirements by a user, or some unexplained system or user problem,
the appropriate system-level or application-level administrator
should review the audit trails. Review by the application/data owner
would normally involve a separate report, based upon audit trail
data, to determine if their resources are being misused.
Periodic Review of Audit Trail Data. Application owners,
data owners, system administrators, data processing function
managers, and computer security managers should determine how much
review of audit trail records is necessary, based on the importance
of identifying unauthorized activities. This determination should
have a direct correlation to the frequency of periodic reviews of
audit trail data.
Real-Time Audit Analysis. Traditionally, audit trails are
analyzed in a batch mode at regular intervals (e.g., daily). Audit
records are archived during that interval for later analysis. Audit
analysis tools can also be used in a real-time, or near real-time
fashion. Such intrusion detection tools are based on audit
reduction, attack signature, and variance techniques. Manual review
of audit records in real time is almost never feasible on large
multiuser systems due to the volume of records generated. However,
it might be possible to view all records associated with a
particular user or application, and view them in real time.