Cyber Security Fraud in the Banking Industry: Lessons Learned in OCC Examiner Training

Rick Dakin, CEO, Co-founder and Chief Security Strategist

In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions.

The real discussion started when one of the examiners relayed a heartbreaking story about a family-owned bank that incurred losses from fraud that hit at the exact same time as some escalating loan loss reserves were recognized. The situation at the bank went from bad to worse, with their very survival at risk.

The examiners agreed that some of the loan loss situations could not have been anticipated, but essentially the fraud form of cyber crime could have been prevented. The mood in the audience was that the focus on cyber security and compliance with the FFIEC guidelines would be reviewed in much more depth in 2012 than was the case in 2011. I made a note to get with our friends in the banking sector and help prepare for a much more active and demanding series of IT compliance audit activities in 2012. The actual losses resulting from preventable cyber fraud are driving the forward momentum.

The new FFIEC Authentication Guidelines have already caused some confusion. What does each bank or credit union have to do to be in compliance with the new guidelines? They must prevent the increasing fraud, but the guidelines are still not clear.

Each institution has to conduct a security risk assessment and select justified controls. It sounds much easier than the process turns out to be. In many cases, the control adjustments impact not only the remote access and online access but the entire infrastructure of the bank’s IT systems, IT policy changes, user training, administrative oversight, authentication mechanisms, network segmentation, placement and strength of the encryption and so on. The IT audit group enthusiastically discussed a full range of risks and justified controls and the potential implications.

I have already seen that one $280 million bank has been asked to provide a risk assessment and control rationalization plan. The bar is getting higher. We simply have to take the time to get ready for 2012. The threat is real … the wave of new audits is near, and the readiness is questionable.
- Rick Dakin
