technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for financial
Texas, New Mexico, Colorado, and Oklahoma.
- How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones - A
dramatic saga that began with a civil lawsuit between AT&T and
former employees has resulted in a high-profile arrest.
Destructive malware attacks double as attackers pair ransomware with
disk wipers - IBM Security’s X-Force Incident Response and
Intelligence Services (IRIS) team reported this week that it
witnessed a 200 percent increase in destructive malware attacks over
the first half of 2019, compared to the second half of 2018.
State Farm hit with credential stuffing attack, data not compromised
- The good hands at State Farm managed to let slip through a
credential stuffing attack, but the company does not believe any
information was leaked or viewed by the malicious actor.
Adapting the classical art of penetration testing to the cubist
world of cloud - Many technical practitioners may believe that, at
the end of the day, penetration testing is penetration testing.
Proper penetration testing, however, is an art that must adapt over
Desjardins breach cost $53 million in Q2 - A breach that exposed
personally identifiable information (PII) on 2.9 million Desjardins
customers cost the Canadian credit union $53 million in Q2.
Cyber leaders must take ownership of cyber skills gap - We’ve all
heard about the cyber skills gap by now. As cyber adversaries grow
more advanced and organizations struggle to manage these evolving
threats, cybersecurity jobs are getting harder to fill.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- iNSYNQ Ransom Attack Began With Phishing Email - A ransomware
outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July
appears to have started with an email phishing attack that snared an
employee working in sales for the company, KrebsOnSecurity has
Anatomy of an attack: How Coinbase was targeted with emails
booby-trapped with Firefox zero-days - Coinbase chief information
security officer Philip Martin this week published an incident
report covering the recent attack on the cryptocurrency exchange,
revealing a phishing campaign of surprising sophistication.
700,000 Choice Hotels customer records compromised - Cybercriminals
took advantage of an open MongoDB database containing data from
Choice Hotels and stole 700,000 customer records and then demanded a
$3,800 ransom payment for their return.
BioStar 2 database leaked one million fingerprints, facial
recognition data - A breach in a database of biometric security
smart lock platform Suprema BioStar 2 exposed more than one million
fingerprint records as well as facial recognition information and
other sensitive data.
SEC looking into First American Financial Corp.’s leaky website -
First American Financial Corp. is reportedly the subject of a U.S.
Securities and Exchange Commission investigation, following the
discovery of a website defect that left 885 million documents
exposed to the public.
Major breach found in biometrics system used by banks, UK police and
defence firms - The fingerprints of over 1 million people, as well
as facial recognition information, unencrypted usernames and
passwords, and personal information of employees, were discovered on
a publicly accessible database for a company used by the likes of
the UK Metropolitan police, defence contractors and banks.
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking
Systems and Services
(Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for
outsourced e-banking activities.
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case
scenarios for providing continuity of e-banking services in the
event of a disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As
a prevention control, encryption acts to protect data from
disclosure to unauthorized parties. As a detective control,
encryption is used to allow discovery of unauthorized changes to
data and to assign responsibility for data among authorized parties.
When prevention and detection are joined, encryption is a key
control in ensuring confidentiality, data integrity, and
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and
computing devices. A loss of encryption keys or other failures in
the encryption process can deny the institution access to the
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
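The following constructed Python example, added here and not taken from the FFIEC booklet, illustrates the two roles described above: encryption as a prevention control (the record is unreadable without the key) and as a detection control (any change to the record is discovered, and the integrity tag identifies which authorized party sealed it). It also shows the availability risk the booklet notes, in that losing a party's key makes its records unrecoverable. The party names, the in-memory key table, and the HMAC-SHA256 counter-mode stream construction are assumptions for illustration only, not a recommended cipher.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key-management system: one secret per authorized
# party. Losing an entry here is the "loss of encryption keys" the booklet warns about.
PARTY_KEYS = {
    "payroll_app": secrets.token_bytes(32),
    "teller_app": secrets.token_bytes(32),
}

def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Derive independent confidentiality and integrity keys from one party secret."""
    enc = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustrative construction, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(party: str, plaintext: bytes) -> bytes:
    """Prevention (encrypt) plus detection (integrity tag bound to the sealing party)."""
    enc_key, mac_key = _subkeys(PARTY_KEYS[party])
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = party.encode().ljust(16, b"\0") + nonce  # party id travels in clear
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

def unprotect(envelope: bytes) -> tuple[str, bytes]:
    """Return (responsible party, plaintext); raise if tampered or the key is gone."""
    party = envelope[:16].rstrip(b"\0").decode()
    nonce, body, tag = envelope[16:32], envelope[32:-32], envelope[-32:]
    if party not in PARTY_KEYS:
        raise KeyError(f"no key for {party}: data is unavailable")
    enc_key, mac_key = _subkeys(PARTY_KEYS[party])
    expected = hmac.new(mac_key, envelope[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: unauthorized change detected")
    stream = _keystream(enc_key, nonce, len(body))
    return party, bytes(c ^ k for c, k in zip(body, stream))
```

Verifying the tag before decrypting is what turns the scheme into a detection control; a bare stream cipher alone would silently accept a modified record.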
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology.
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Risks from Non-HGA Computer Systems
HGA relies on systems
and components that it cannot control directly because they are
owned by other organizations. HGA has developed a policy to avoid
undue risk in such situations. The policy states that system
components controlled and operated by organizations other than HGA
may not be used to process, store, or transmit HGA information
without obtaining explicit permission from the application owner and
the COG Manager. Permission to use such system components may not be
granted without written commitment from the controlling organization
that HGA's information will be safeguarded commensurate with its
value, as designated by HGA. This policy is somewhat mitigated by
the fact that HGA has developed an issue-specific policy on the use
of the Internet, which allows for its use for e-mail with outside
organizations and access to other resources (but not for
transmission of HGA's proprietary data).
Vulnerabilities Reported by the Risk Assessment Team
The risk assessment
team found that many of the risks to which HGA is exposed stem from
(1) the failure of individuals to comply with established policies
and procedures or (2) the use of automated mechanisms whose
assurance is questionable because of the ways they have been
developed, tested, implemented, used, or maintained. The team also
identified specific vulnerabilities in HGA's policies and procedures
for protecting against payroll fraud and errors, interruption of
operations, disclosure and brokering of confidential information,
and unauthorized access to data by outsiders.
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides
Gramm-Leach-Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses. For more information, please
call R. Kinney Williams at Office/Cell 806-535-8300, send an email to
email@example.com, or visit