technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
DHS algorithm to assess federal agencies’ cyber posture - Federal
agencies are reportedly feeding data into a special algorithm
introduced by the Department of Homeland Security (DHS) in order to
assess their cyber posture scores.
US Senate computers will use disk encryption - New security measure
is meant to protect sensitive Senate data on stolen Senate laptops
and computers. The US Senate will enable disk encryption on all
Senate computers as a basic security measure that will make it
harder for spies or criminals to extract sensitive data from stolen
Senate staff PCs or hard drives.
Dell’s belated data breach notification angers cybersecurity
industry execs - Dell customers who wondered why they had to reset
their passwords earlier this month learned today that action was
taken due to a data breach, a fact it took the company several weeks
Inspector General’s report documents security flaws at Arizona
Medicare MCOs - A recent risk assessment of information systems at
two Arizona-based Medicaid managed care organizations turned up 19
vulnerabilities, according to a new report from the Department of
Health and Human Services Office of the Inspector General.
Half of all Phishing Sites Now Have the Padlock - Maybe you were
once advised to “look for the padlock” as a means of telling
legitimate e-commerce sites from phishing or malware traps.
Unfortunately, this has never been more useless advice. New research
indicates that half of all phishing scams are now hosted on Web
sites whose Internet address includes the padlock and begins with
Sky Brasil exposes data of 32M customers on ElasticSearch - As
ElasticSearch based leaks become the latest source of massive data
exposures, Sky Brasil, one of the biggest subscription television
services in Brazil, is the latest to leave its customers exposed
after not securing the server with a password.
NYS Education Dept. falls short in protecting student data,
comptroller says - The New York State Education Department hasn’t
incorporated all of the recommendations to protect student data,
leaving it vulnerable to attack, the Office of the State Comptroller
wrote in a November letter to Education Commissioner.
Tackling the security complexity in 5G IoT devices - IoT is one of
three major use cases driving the development of 5G and it brings
untold complexity and inherent risk that threatens to undermine the
opportunity even before it gets started.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Marriott Starwood reservation system data breach exposes 500
million customer records - Malicious actors spent more than four
years inside Marriott’s Starwood reservation system obtaining access
to 500 million guest records that included names, payment card
information and other PII, the hotel chain reported today.
Database breach affects 2.6 million Atrium Health patients - Atrium
Health has reported a massive data breach exposing the PII of more
than 2.6 million clients after someone gained access to a database
belonging to a third-party vendor.
Microsoft's multi-factor authentication service flakes out – again -
For the second time in nine days, the Multi-Factor Authentication
system used by Microsoft for Office 365 logins failed. Just one day
after Microsoft came clean with an explanation of a Nov. 19 outage
that blocked users of Office 365 from logging into their accounts
using Multi-Factor Authentication (MFA), today the service again
went on the fritz.
Ames, Iowa, parking ticket payment system breached - For 4,600 Ames,
Iowa, residents, forgetting to put a quarter into a parking meter
may end up costing more than the price of their parking fine.
Bloom is off the rose: Canadian 1-800-FLOWERS operation discloses
four-year breach - The Canadian retail operations of 1-800-FLOWERS
has disclosed a four-year data breach affecting customers who
purchased goods on its website, warning that payment card data was
Florida marijuana dispensary website leaked customer data - A
Florida medical marijuana dispensary took down its website after
being notified that customer information was viewable through the
site’s search function.
Quora breach compromises 100 million users - A breach at the
question and answer website Quora has compromised the data of 100
WEB SITE COMPLIANCE - We
continue our review of the FDIC paper "Risk Assessment Tools and
Practices for Information System Security."
Hackers may use "social engineering," a scheme that uses social
techniques to obtain technical information required to access a
system. A hacker may claim to be someone authorized to access the
system such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even set up new computer accounts. Another threat
involves the practice of "war-dialing" in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action
preventing a system from operating as intended. It may be the
unauthorized destruction, modification, or delay of service. For
example, in a "SYN Flood" attack, a system can be flooded with
requests to establish a connection, leaving the system with more
open connections than it can support. Then, legitimate users of the
system being attacked are not allowed to connect until the open
connections are closed or can time out.
Internet Protocol (IP) spoofing, which allows an intruder
via the Internet to effectively impersonate a local system's IP
address in an attempt to gain access to that system. If other local
systems perform session authentication based on a connection's IP
address, those systems may misinterpret incoming connections from
the intruder as originating from a local trusted host and not
require a password.
Trojan horses, which are programs that contain additional
(hidden) functions that usually allow malicious or unintended
activities. A Trojan horse program generally performs unintended
functions that may include replacing programs, or collecting,
falsifying, or destroying data. Trojan horses can be attached to
e-mails and may create a "back door" that allows unrestricted access
to a system. The programs may automatically exclude logging and
other information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded
in other code and can self-replicate. Once active, they may take
unwanted and unexpected actions that can result in either
nondestructive or destructive outcomes in the host computer
programs. The virus program may also move into multiple platforms,
data files, or devices on a system and spread through multiple
systems in a network. Virus programs may be contained in an e-mail
attachment and become active when the attachment is opened.
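The "SYN Flood" paragraph above describes the mechanism but not how an operator would see it. The following is an added example, not code from the FDIC paper or from this newsletter: it tracks embryonic (half-open) TCP connections from a constructed packet log, counts them per client address, reports whether the server's half-open queue is exhausted, and applies the timeout that lets stale entries be reclaimed. The four-column log format (timestamp, source, destination, TCP flags), the sample addresses, the backlog size and the threshold are all assumptions made for this example.

```python
"""Half-open (SYN) connection tracking over a constructed packet log.

Added example; not code from the FDIC paper or the newsletter. A source
that keeps opening connections but never finishes the handshake fills the
server's connection table, and legitimate clients cannot connect until
those entries close or time out. The log format and thresholds below are
assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 completes a normal three-way handshake with
# the server 192.0.2.10; 198.51.100.7 sends SYNs from five ports and never
# answers the SYN-ACK; 10.0.0.6 is a legitimate client whose SYN arrives last.
SAMPLE_LOG = """\
1 10.0.0.5:40001 192.0.2.10:443 S
1 192.0.2.10:443 10.0.0.5:40001 SA
1 10.0.0.5:40001 192.0.2.10:443 A
2 198.51.100.7:1001 192.0.2.10:443 S
2 198.51.100.7:1002 192.0.2.10:443 S
2 198.51.100.7:1003 192.0.2.10:443 S
3 198.51.100.7:1004 192.0.2.10:443 S
3 198.51.100.7:1005 192.0.2.10:443 S
4 10.0.0.6:40002 192.0.2.10:443 S
"""


def parse_log(log):
    """Yield (timestamp, src, dst, flags) tuples from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, flags = line.split()
            yield int(ts), src, dst, flags


def half_open_by_source(log, now, timeout):
    """Count embryonic connections per client IP that are still open at `now`.

    A connection is half-open from the client's SYN until the client's ACK.
    Entries older than `timeout` seconds are treated as reclaimed, which is
    the "time out" the text refers to.
    """
    pending = {}  # (client, server) -> time the SYN was seen
    for ts, src, dst, flags in parse_log(log):
        if flags == "S":
            pending[(src, dst)] = ts
        elif flags == "A" and (src, dst) in pending:
            del pending[(src, dst)]  # handshake completed
        # "SA" from the server changes nothing: still waiting for the client
    counts = defaultdict(int)
    for (client, _server), opened in pending.items():
        if now - opened < timeout:
            counts[client.rsplit(":", 1)[0]] += 1
    return dict(counts)


def flagged_sources(counts, threshold):
    """Client IPs holding at least `threshold` half-open connections."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def accepts_new_connection(counts, backlog):
    """True if the server still has room in its half-open queue."""
    return sum(counts.values()) < backlog


if __name__ == "__main__":
    counts = half_open_by_source(SAMPLE_LOG, now=4, timeout=60)
    print(counts)  # {'198.51.100.7': 5, '10.0.0.6': 1}
    print(flagged_sources(counts, threshold=5))  # ['198.51.100.7']
    print(accepts_new_connection(counts, backlog=4))  # False: table exhausted
    # With a short half-open timeout the stale entries are reclaimed.
    print(half_open_by_source(SAMPLE_LOG, now=4, timeout=2))
```

With a 60-second timeout the flood source holds five entries and the assumed backlog of four is full, so the legitimate client 10.0.0.6 would be turned away, which is the denial of service the text describes; with a 2-second timeout the oldest entries are reclaimed and room reappears. In a real deployment the same per-source count would feed an alert or a rate limit rather than a print.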
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the
ease with which an attacker can discover the secret. Attack methods
! A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one-way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
! An additional attack method targets a specific account and
submits passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms,
which commonly lock out access to the account after a risk-based
number of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well-known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
! Some attacks depend on patience, waiting until the logged-in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (existing industry practice is no more than
20-30 minutes) and
heuristic intrusion detection.
! Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by using
Controls include prohibiting and disabling automatic login
features, and heuristic intrusion detection.
! Users' inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written-down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machines. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar
password on particular network devices.
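Several of the controls in the list above are mechanical enough to implement directly. The block below is an added example, not code from the FFIEC booklet or from this newsletter, and covers three of them over a constructed login log: account lockout after a risk-based number of failures (the control against the attack that targets one account), a check for a single source spreading failures thinly across many usernames (the popular-password-against-many-accounts variation, which a per-account lockout alone does not catch and which the text says to look for in the submission pattern of IP addresses), and a password policy that is longer and more complex for privileged accounts. The log format (time, username, source IP, outcome), the sample addresses and usernames, and every threshold and minimum length are assumptions made for this example.

```python
"""Detecting online attacks against shared secrets and checking password
policy. Added example; not the FFIEC booklet's or the newsletter's code.
The log format and all thresholds are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample: alice mistypes once and then succeeds; one source
# hammers bob's account; another source tries six different accounts once each.
SAMPLE_AUTH_LOG = """\
09:00:01 alice 10.0.0.5 FAIL
09:00:05 alice 10.0.0.5 OK
09:01:00 bob 203.0.113.9 FAIL
09:01:02 bob 203.0.113.9 FAIL
09:01:04 bob 203.0.113.9 FAIL
09:01:06 bob 203.0.113.9 FAIL
09:01:08 bob 203.0.113.9 FAIL
09:02:00 carol 203.0.113.44 FAIL
09:02:30 dave 203.0.113.44 FAIL
09:03:00 erin 203.0.113.44 FAIL
09:03:30 frank 203.0.113.44 FAIL
09:04:00 grace 203.0.113.44 FAIL
09:04:30 heidi 203.0.113.44 FAIL
"""


def parse_auth_log(log):
    """Yield (seconds_since_midnight, user, source_ip, succeeded)."""
    for line in log.splitlines():
        if line.strip():
            ts, user, src, outcome = line.split()
            h, m, s = (int(x) for x in ts.split(":"))
            yield h * 3600 + m * 60 + s, user, src, outcome == "OK"


def accounts_to_lock(log, threshold, window):
    """Accounts with `threshold` failures inside `window` seconds and no
    intervening success: the lockout control for per-account attacks."""
    recent = defaultdict(list)  # user -> failure times since last success
    locked = set()
    for ts, user, _src, ok in parse_auth_log(log):
        if ok:
            recent[user] = []
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            locked.add(user)
    return sorted(locked)


def spray_sources(log, min_accounts, max_per_account):
    """Source IPs whose failures touch many accounts but few times each."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _ts, user, src, ok in parse_auth_log(log):
        if not ok:
            per_src[src][user] += 1
    return sorted(
        src for src, users in per_src.items()
        if len(users) >= min_accounts and max(users.values()) <= max_per_account
    )


def password_meets_policy(password, username, privileged=False):
    """Length and character-set rules, longer for privileged accounts, and
    no use of the account's own user identifier. Minimums are assumed."""
    min_len = 16 if privileged else 12
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    return (len(password) >= min_len and classes >= 3
            and username.lower() not in password.lower())


if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_AUTH_LOG, threshold=5, window=60))  # ['bob']
    print(spray_sources(SAMPLE_AUTH_LOG, min_accounts=5, max_per_account=2))  # ['203.0.113.44']
    print(password_meets_policy("Correct-Horse-9", "bob"))  # True
    print(password_meets_policy("Correct-Horse-9", "root", privileged=True))  # False: too short
```

Note that the source at 203.0.113.44 never trips the per-account lockout, since no single account sees more than one failure; only the per-source view catches it, which is why the text pairs lockout with scanning authentication requests for submission patterns.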
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.2 Audit Trails and Logs
18.2.2.2 Application-Level Audit Trails
System-level audit trails may not be able to track and log events
within applications, or may not be able to provide the level of
detail needed by application or data owners, the system
administrator, or the computer security manager. In general,
application-level audit trails monitor and log user activities,
including data files opened and closed, specific actions, such as
reading, editing, and deleting records or fields, and printing
reports. Some applications may be sensitive enough from a data
availability, confidentiality, and/or integrity perspective that a
"before" and "after" picture of each modified record (or the data
element(s) changed within a record) should be captured by the audit
18.2.2.3 User Audit Trails
User audit trails can usually log:
1) all commands directly initiated by the user;
2) all identification and authentication attempts; and
3) files and resources accessed.
It is most useful if options and parameters are also recorded from
commands. It is much more useful to know that a user tried to delete
a log file (e.g., to hide unauthorized actions) than to know the
user merely issued the delete command, possibly for a personal data
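The two audit-trail levels just described can be made concrete with a small implementation. The following is an added example, not code from NIST SP 800-12 or from this newsletter: the application-level trail captures a "before" and "after" image of each modified record, as the text says sensitive applications should, and the user-level trail records each command together with its options and parameters, so that an attempt to delete a log file can be distinguished from an ordinary delete. The record layout, field names, sample users and the list of log directories are assumptions made for this example.

```python
"""Application-level and user-level audit trail records.

Added example; not code from NIST SP 800-12 or the newsletter. The record
layout, field names and log directories are assumptions for this example.
"""
import copy
import shlex


class AuditTrail:
    """Append-only list of event dictionaries."""

    def __init__(self):
        self.entries = []

    def record(self, **event):
        self.entries.append(event)


class AuditedRecordStore:
    """Record store that logs a before/after image of every change."""

    def __init__(self, trail):
        self.trail = trail
        self.records = {}

    def update(self, user, record_id, changes):
        before = copy.deepcopy(self.records.get(record_id))
        after = dict(before or {})
        after.update(changes)
        self.records[record_id] = after
        self.trail.record(level="application", user=user, action="update",
                          record=record_id, changed=sorted(changes),
                          before=before, after=copy.deepcopy(after))

    def delete(self, user, record_id):
        before = self.records.pop(record_id, None)
        self.trail.record(level="application", user=user, action="delete",
                          record=record_id, changed=[], before=before, after=None)


def audit_command(trail, user, command_line):
    """User-level trail: store the command and its full argument list."""
    argv = shlex.split(command_line)
    trail.record(level="user", user=user, command=argv[0], args=argv[1:])


def log_file_deletions(trail, log_dirs=("/var/log/",)):
    """Delete commands whose arguments point into a log directory."""
    return [e for e in trail.entries
            if e["level"] == "user" and e["command"] in ("rm", "del")
            and any(a.startswith(d) for a in e["args"] for d in log_dirs)]


def build_demo_trail():
    """Constructed activity: two record changes, a deletion, and two commands."""
    trail = AuditTrail()
    store = AuditedRecordStore(trail)
    store.update("alice", "acct-42", {"owner": "alice", "limit": 100})
    store.update("alice", "acct-42", {"limit": 250})
    store.delete("bob", "acct-42")
    audit_command(trail, "bob", "rm -f /home/bob/notes.txt")
    audit_command(trail, "bob", "rm -f /var/log/auth.log")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    for e in trail.entries:
        print(e)
    print(log_file_deletions(trail))  # only the /var/log/auth.log deletion
```

Because the user-level entries keep the argument list rather than just the command name, the query at the end can separate the deletion of a personal file from the deletion of an authentication log; a trail that recorded only "rm" could not make that distinction.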