FFIEC information technology audits
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for financial institutions in Texas, New Mexico, Colorado, and Oklahoma.
Chinese Malware Found Preinstalled on US Government-Funded Phones -
Researchers found unremovable malware preinstalled in the Unimax
U686CL, a budget Android device sold by Assurance Wireless.
Is a single cybersecurity congressional committee possible? - What
if a single Congressional committee in each chamber had oversight
for cybersecurity issues?
Federally funded Unimax smartphone pre-loaded with malware - The
Unimax UMX U686CL, a Chinese-made smartphone distributed by the
federally funded Assurance Wireless by Virgin Mobile, has been found
to come pre-loaded with two malicious applications.
The psychology of ransomware - While there is some debate over
whether the number of ransomware attacks is rising, there is no
arguing that the losses suffered by both public and private sector
organizations have increased.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bahraini oil company reportedly attacked by new ‘Dustman’ disk
wiper - Bapco, the national oil company of the Persian Gulf island
nation of Bahrain, was reportedly targeted in a Dec. 29 disk wiper
attack that officials believe originated from Iran-backed hackers.
Ransomware hits, but doesn’t stop, the Pittsburgh Unified School
District - The Pittsburgh Unified School District is still
recovering from a ransomware attack that took place over the holiday
recess, but its superintendent says school is open for business.
Bay Area Library System Suffers Ransomware Attack - The Contra Costa
County Library System was hit by ransomware Friday, officials have
confirmed. The resulting network outages affected services at all 26
library branches. An investigation is underway.
Breach of email accounts impacts 50,000 patients of Minnesota
hospital - Minnesota-based hospital operator Alomere Health this
month began notifying patients of a data breach affecting 49,351
individuals, after a malicious actor gained access to two employee
email accounts in late October and early November.
Texas school district phished for $2.3 million - The Manor
Independent School District fell victim to an apparent phishing scam
to the tune of $2.3 million.
NSA reveals to Microsoft critical Windows 10 flaw - Microsoft
reportedly acted on an NSA warning by creating and issuing a secret
out-of-band patch to the military and other high-value targets,
fixing CVE-2020-0601, a vulnerability affecting a core cryptographic
component present in all versions of Windows.
WEB SITE COMPLIANCE
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and
Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)
Next week we will begin our series on the Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes.
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement
Authorities
If a bank is the target of a spoofing incident, it should
promptly notify its OCC supervisory office and report the incident
to the FBI and appropriate state and local law enforcement
authorities. Banks can also file complaints with the Internet
Fraud Complaint Center (see
http://www.ic3.gov), a partnership of the FBI and the National
White Collar Crime Center.
In order for law enforcement authorities to respond effectively
to spoofing attacks, they must be provided with information
necessary to identify and shut down the fraudulent Web site and to
investigate and apprehend the persons responsible for the attack.
The data discussed under the "Information Gathering" section should
meet this need.
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI,
Secret Service, U.S. Postal Inspection Service, Federal Trade
Commission (FTC), and several electronic crimes task forces around
the country to assist in identifying persons involved in
FFIEC IT SECURITY
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection-and-response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
Preparation for intrusion detection generally involves
identifying data flows to monitor for clues to an intrusion,
deciding on the scope and nature of monitoring, implementing that
monitoring, and establishing a process to analyze and maintain
custody over the resulting information. Additionally, legal
requirements may include notifications of users regarding the
monitoring and the extent to which monitoring must be performed as
an ordinary part of ongoing operations.
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity has not taken place.
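The booklet's point that monitoring data must be kept under custody with its integrity preserved is easiest to see in code. The following is an added example, not text or code from the FFIEC booklet or from this newsletter: each monitoring record carries the SHA-256 digest of the previous record together with its own content, so a later edit, deletion or reordering of any record breaks the chain and is caught at verification time. The sensor names, timestamps and alert text are constructed sample values.

```python
"""Tamper-evident custody of intrusion-monitoring records (added example).

Each record hashes its own fields plus the previous record's hash. Anyone
reviewing the records later (an investigator, an examiner) can recompute
the chain and detect whether a record was altered, removed or reordered
after the fact. The final hash can be recorded out of band (e.g. in a
custody log) to anchor the whole sequence.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class Record:
    seq: int
    timestamp: str
    source: str
    event: str
    prev_hash: str
    hash: str


def _digest(seq: int, timestamp: str, source: str, event: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way
    payload = json.dumps([seq, timestamp, source, event, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: List[Record], timestamp: str, source: str, event: str) -> Record:
    """Append a record whose hash commits to the previous record."""
    prev_hash = chain[-1].hash if chain else GENESIS
    seq = len(chain)
    rec = Record(seq, timestamp, source, event, prev_hash,
                 _digest(seq, timestamp, source, event, prev_hash))
    chain.append(rec)
    return rec


def verify(chain: List[Record]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, r in enumerate(chain):
        if r.seq != i or r.prev_hash != expected_prev:
            return False, i  # record removed, reordered or inserted
        if _digest(r.seq, r.timestamp, r.source, r.event, r.prev_hash) != r.hash:
            return False, i  # record contents altered
        expected_prev = r.hash
    return True, -1


# Constructed sample events; sensor names and alerts are hypothetical
SAMPLE_EVENTS = [
    ("2020-01-13T02:14:07Z", "ids-dmz-1", "alert: outbound connection to unlisted host"),
    ("2020-01-13T02:14:09Z", "ids-dmz-1", "alert: repeated failed logins to web-app-2"),
    ("2020-01-13T02:15:30Z", "fw-core",   "alert: new admin session from workstation vlan"),
]


def build_sample_chain() -> List[Record]:
    chain: List[Record] = []
    for ts, src, ev in SAMPLE_EVENTS:
        append(chain, ts, src, ev)
    return chain


def tamper_demo() -> Tuple[bool, int]:
    """Someone 'cleans up' record 1 after the fact without re-hashing: detected at index 1."""
    chain = build_sample_chain()
    r = chain[1]
    chain[1] = Record(r.seq, r.timestamp, r.source, "alert: (suppressed)", r.prev_hash, r.hash)
    return verify(chain)


def deletion_demo() -> Tuple[bool, int]:
    """Record 1 is removed entirely: the sequence gap is detected at index 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify(chain), "anchor hash:", chain[-1].hash)
    print("edited record:", tamper_demo())
    print("deleted record:", deletion_demo())
```

Recording `chain[-1].hash` somewhere the monitoring system itself cannot write (a printed custody form, a separate system) is what turns this into evidence an outside party can check; without that anchor, an attacker who can rewrite the whole file can simply rebuild the chain.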
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.1 Errors and Omissions
Errors and omissions are an important threat to data and system
integrity. These errors are caused not only by data entry clerks
processing hundreds of transactions per day, but also by all types
of users who create and edit data. Many programs, especially those
designed by users for personal computers, lack quality control
measures. However, even the most sophisticated programs cannot
detect all types of input errors or omissions. A sound awareness and
training program can help an organization reduce the number and
severity of errors and omissions.
Users, data entry clerks, system operators, and programmers
frequently make errors that contribute directly or indirectly to
security problems. In some cases, the error is the threat, such as a
data entry error or a programming error that crashes a system. In
other cases, the errors create vulnerabilities. Errors can occur
during all phases of the systems life cycle. A long-term survey of
computer-related economic losses conducted by Robert Courtney, a
computer security consultant and former member of the Computer
System Security and Privacy Advisory Board, found that 65 percent of
losses to organizations were the result of errors and omissions.
This figure was relatively consistent between both private and
public sector organizations.
Programming and development errors, often called "bugs," can range
in severity from benign to catastrophic. In a 1989 study for the
House Committee on Science, Space and Technology, entitled Bugs in
the Program, the staff of the Subcommittee on Investigations and
Oversight summarized the scope and severity of this problem in terms
of government systems as follows:
a) As expenditures grow, so do concerns about the
reliability, cost and accuracy of ever-larger and more complex
software systems. These concerns are heightened as computers perform
more critical tasks, where mistakes can cause financial turmoil,
accidents, or in extreme cases, death.
Since the study's publication, the software industry has changed
considerably, with measurable improvements in software quality. Yet
software "horror stories" still abound, and the basic principles and
problems analyzed in the report remain the same. While there have
been great improvements in program quality, as reflected in
decreasing errors per 1,000 lines of code, the concurrent growth in
program size often seriously diminishes the beneficial effects of
these program quality enhancements.
Installation and maintenance errors are another source of security
problems. For example, an audit by the President's Council for
Integrity and Efficiency (PCIE) in 1988 found that every one of the
ten mainframe computer sites studied had installation and
maintenance errors that introduced significant security
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions. Have a great week,
R. Kinney Williams, President
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our pen-test firewall audit meets the independent diagnostic test
requirements of the FDIC, OCC, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
For more information, please call R. Kinney Williams at Office/Cell
806-535-8300, send an email to
email@example.com, or visit