FFIEC information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for your bank in
Texas, New Mexico, Colorado, and Oklahoma.
Please drop Kinney Williams an email at
firstname.lastname@example.org from your domain and I will email you information and
- CISOs burdened by unhealthy stress levels, survey study finds - In
a recent survey of 400 U.S.- and UK-based chief information security
officers, an overwhelming number, 88 percent, said they find
themselves under a moderate or high amount of job-related stress.
FBI Warns of DDoS Attack on State Voter Registration Site - The US
Federal Bureau of Investigation (FBI) warned of a potential
Distributed Denial of Service (DDoS) attack that targeted a
state-level voter registration and information site in a Private
Industry Notification (PIN) released today.
A tale of two ransomware attacks - Two schools, two ransomware
attack and two different outcomes.
Spoiler alert: Attack simulation isnít ethical hacking - Everything
you wanted to know about Breach and Attack Simulation (BAS) vs.
Automated Penetration Testing - Better prepared, Right!? Companies
are investing a significant amount of resources in building and
improving their cybersecurity posture.
U.S. indicts four Chinese military members over Equifax breach - The
U.S. Department of Justice has charged four members of the Chinese
Peopleís Liberation Army with nine criminal counts, accusing them of
orchestrating and carrying out the 2017 hack of credit reporting
Metamorfo banking malware spreads around the world - A new variant
of the Metamorfo banking malware is on the loose targeting a wider
range of financial institutions than the original version tricking
the victims into typing in sensitive information which it then
Forgotten motherboard driver turns out to be perfect for slipping
Windows ransomware past antivirus checks - Old Gigabyte code lets
file-scrambling RobbinHood go undetected - A kernel-level driver for
old PC motherboards has been abused by criminals to hijack Windows
computers, disable antivirus, and hold files to ransom.
Why you canít bank on backups to fight ransomware anymore -
Ransomware operators stealing data before they encrypt means backups
are not enough. Not every ransomware attack is an unmitigated
disaster. But even the most prepared organizations, it seems, can
have small-scale disasters in the era of mass scans, spear phishes,
and targeted ransomware.
GAO - Weaknesses in Cybersecurity Management and Oversight Need to
Czech authorities investigating Avast over recent data collection
practices - The Czech Republicís Office for Personal Data Protection
(DPA) said in a brief statement today that it has launched a
preliminary investigation into Avast Software s.r.o., following
reports that the Prague-based antivirus company collected data from
users of its free AV product and sold it via a separate business
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Health Share of Oregon discloses data breach, theft of member PII
- A break-in and stolen laptop are at the heart of the security
incident. A burglary and stolen laptop from GridWorks IC, a vendor
hired by Health Share of Oregon, has led to the exposure of Medicaid
Bug hunter finds cryptocurrency-mining botnet on DOD network -
Monero-mining botnet infects one of the DOD's Jenkins servers. A
security researcher hunting for bug bounties discovered last month
that a cryptocurrency-mining botnet had found a home and burrowed
inside a web server operated by the US Department of Defense (DOD).
Malware Destroys Data of 30,000 Fondren Orthopedic Patients - A
malware incident damaged some Fondren Orthopedic medical rcords;
ransomware, business email compromise, an email gaffe, phishing, and
a payroll security incident complete this weekís breach roundup.
Iranian internet attacked Saturday, knocked partially offline - An
extensive, several-hour-long interruption to Iranís telecom
infrastructure and internet hit that took place on February 8 that
was likely caused by a distributed denial of service (DDoS) attack.
Metro county shuts down 9 servers after ransomware attack on water
department - A local county hit by a ransomware attack says it's
slowly getting back up to speed. Rockdale County said is waiting on
a ransom demand connected to this latest attack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 1 of 4)
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services.1 Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a broad
range of issues that financial institutions should address, each
financial institution should apply those elements based on the scope
and importance of the outsourced services as well as the risk to the
institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address. This
guidance covers four elements of a risk management process: risk
assessment, selection of
service providers, contract review, and monitoring of service
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. LKMs, however, can defeat these host-based IDS units.
Host-based intrusion detection systems are recommended by the
NIST for all mission-critical systems, even those that should not
allow external access.
The heuristic, or behavior, method creates a statistical profile
of normal activity on the host or network. Boundaries for activity
are established based on that profile. When current activity exceeds
the boundaries, an alert is generated. Weaknesses in this system
involve the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in
false positives (alerts where no attack exists), and false negatives
(no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.6 Industrial Espionage
Industrial espionage is the act of gathering proprietary data from
private companies or the government for the purpose of aiding
another company(ies). Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign
industrial espionage carried out by a government is often referred
to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Industrial espionage is on the rise. A 1992 study sponsored by the
American Society for Industrial Security (ASIS) found that
proprietary business information theft had increased 260 percent
since 1985. The data indicated 30 percent of the reported losses in
1991 and 1992 had foreign involvement. The study also found that 58
percent of thefts were perpetrated by current or former employees.
The three most damaging types of stolen information were pricing
information, manufacturing process information, and product
development and specification information. Other types of
information stolen included customer lists, basic research, sales
data, personnel data, compensation data, cost data, proposals, and
Within the area of economic espionage, the Central Intelligence
Agency has stated that the main objective is obtaining information
related to technology, but that information on U.S. government
policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a
target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists
corporate proprietary information, such as negotiating positions and
other contracting data, as a target.
Please don't hesitate to email me (email@example.com)
if you have any questions. Have a great week,
R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our pen-test firewall audit
meets the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
For more information, please call R. Kinney Williams at Office/Cell
806-535-8300, send an email to
firstname.lastname@example.org, or visit