FYI
Company offers cybersecurity scholarships for returning vets -
Engility Holdings and the Center for Cyber Safety and Education are
offering a scholarship program to help returning veterans gain
cybersecurity certifications to reenter the workforce.
https://www.scmagazine.com/cybersecurity-scholarships-for-veterans/article/702796/
Report: Dell domain takeover could have spread malware - Dell
computer users could have possibly been exposed to malware last
summer after visiting a third-party customer support website, whose
domain was suddenly taken over by an unaffiliated company.
https://www.scmagazine.com/report-dell-domain-takeover-could-have-spread-malware/article/702826/
Swiss phishing scam aims to download Retefe banking trojan -
Researchers with PhishMe have released the details of a phishing
campaign, currently being run in Switzerland, that uses a tax dodge
to entice its victims to open an attached file, which will then
download the Retefe banking trojan.
https://www.scmagazine.com/swiss-phishing-scam-aims-to-download-retefe-banking-trojan/article/703111/
NSA hacking tool EternalRomance found in BadRabbit - BadRabbit
evidence is multiplying, like, well, rabbits, with the latest
revelation being that the malware used another stolen NSA tool to help it
move laterally through networks.
https://www.scmagazine.com/nsa-hacking-tool-eternalromance-found-in-badrabbit/article/703488/
McAfee won't allow government code reviews as Kaspersky offers more
transparency - McAfee announced it will no longer permit foreign
governments to scrutinize its product source code for hidden
backdoors, at the same time as Kaspersky Labs is offering to be more
transparent with its source code.
https://www.scmagazine.com/mcafee-changes-policy-to-prohibit-government-source-code-review/article/703503/
LG patches app bug that can turn IoT vacuums into robotic spies - LG
Electronics has patched a bug in its smart appliance app that can be
exploited to gain remote access to devices under its control,
including a camera-equipped vacuum that can be abused to spy on its
owners.
https://www.scmagazine.com/lg-patches-app-bug-that-can-turn-iot-vacuums-into-robotic-spies/article/703496/
DHS is Too Slow to Share Cyber Threat Info, Companies Say - The
Homeland Security Department should speed up how quickly it shares
information about cyber and physical threats facing critical
infrastructure sectors, according to half the respondents in a
Government Accountability Office review.
http://www.nextgov.com/cybersecurity/2017/10/dhs-too-slow-share-cyber-threat-info-companies-say/142151/
Equifax Was Warned of Vulnerability Months Before Breach - This
week, some old security threats came back to haunt the internet, a
fitting horror trope this close to Halloween.
https://www.wired.com/story/equifax-warned-of-vulnerability-months-before-breach/
Risk and Policy - This month we are looking at the current state of
risk and policy management tools. This is one of the most dynamic
groups we have watched over the years.
https://www.scmagazine.com/risk-and-policy/article/703977/
Hilton to pay $700,000 in data breach settlement with New York,
Vermont - Hilton hotels has reached a $700,000 joint settlement with
New York and Vermont for a pair of data breaches that were
discovered in 2015, including one that exposed more than 350,000
credit card numbers.
https://www.scmagazine.com/hilton-to-pay-700000-in-data-breach-settlement-with-new-york-vermont/article/704345/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
DUHK, DUHK, DUHK stolen encryption key attack - After the KRACK
epidemic and the ROCA scare, the latest DUHK cryptography attack may
be more of a threat than it's quacked up to be for old Fortinet
FortiGate devices.
https://www.scmagazine.com/duhk-dont-use-hard-coded-keys-attack-can-be-exploited-to-recover-encryption-keys/article/702831/
Tarte Cosmetics breach exposes nearly 2 million customers - Here's
one case where you might say the crime was worse than the cover-up.
https://www.scmagazine.com/tarte-cosmetics-breach-exposes-nearly-2-million-customers/article/702935/
Dell Lost Control of Key Customer Support Domain for a Month in 2017
- A Web site set up by PC maker Dell Inc. to help customers recover
from malicious software and other computer maladies may have been
hijacked for a few weeks this summer by people who specialize in
deploying said malware, KrebsOnSecurity has learned.
https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
University of Iowa student arrested, charged with hacking school
system to change grades - Former University of Iowa student was
arrested last week and charged in the U.S. District Court, Southern
District of Iowa with hacking into the school's system to change
grades.
https://www.scmagazine.com/university-of-iowa-student-arrested-charged-with-hacking-school-system-to-change-grades/article/703657/
Man finds USB stick with Heathrow security plans, Queen’s travel
details - Secrets discovered when USB was plugged into library
computer; data unencrypted.
https://arstechnica.com/information-technology/2017/10/man-finds-usb-stick-with-heathrow-security-plans-queens-travel-details/
Dark Overlord goes Hollywood, threatens to leak celebrity data - The
Dark Overlord has once again struck from the darkest corners of the
dark web, this time to reveal intentions to leak the contents of a
stolen Hollywood database taken from a top studio.
https://www.scmagazine.com/dark-overlord-targets-hollywood-production-studio-line-204/article/704207/
Possibly everyone in Malaysia had their mobile records stolen - It
is possible that everyone in Malaysia may have had their mobile
phone records stolen and put up for sale on the Dark Web.
https://www.scmagazine.com/update-possibly-everyone-in-malaysia-had-their-mobile-records-stolen/article/704331/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
Summary
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective
oversight and management of outsourcing relationships. Financial
institutions should incorporate an outsourcing risk management
process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both nontechnical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
- Senior management support for strong security policy awareness
and compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
- Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
- Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
  - Establishing an effective configuration management process that
  monitors for vulnerabilities in hardware and software and
  establishes a process to install and test security patches,
  - Maintaining up-to-date anti-virus definitions and intrusion
  detection attack definitions, and
  - Providing effective oversight of service providers and vendors
  to identify and react to new security issues.
- Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
deficiencies.
- Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
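The log-review and access-review activities named in the bullets above are the kind of work the booklet expects automated tools to take over. The following is an added Python illustration, not part of the FFIEC booklet: it flags failed-login bursts followed by a success, lists successful logins outside business hours (an "operational anomaly"), and compares current application roles against an approved baseline. The log format, thresholds, account names, source addresses and role baseline are all constructed for the example.

```python
"""Added example: automated review of security logs and access levels.

Not from the FFIEC booklet. Log lines, thresholds, accounts and the role
baseline below are constructed so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication events (not real data).
SAMPLE_LOG = """\
2017-10-30T08:00:01 auth sshd: Failed password for jdoe from 10.0.0.5
2017-10-30T08:00:03 auth sshd: Failed password for jdoe from 10.0.0.5
2017-10-30T08:00:04 auth sshd: Failed password for jdoe from 10.0.0.5
2017-10-30T08:00:06 auth sshd: Failed password for jdoe from 10.0.0.5
2017-10-30T08:00:07 auth sshd: Failed password for jdoe from 10.0.0.5
2017-10-30T08:00:09 auth sshd: Accepted password for jdoe from 10.0.0.5
2017-10-30T09:15:00 auth sshd: Failed password for asmith from 10.0.0.9
2017-10-30T09:40:00 auth sshd: Accepted password for asmith from 10.0.0.9
2017-10-30T23:30:00 auth sshd: Accepted password for svc_backup from 10.0.0.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines of unknown shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (user, source) pairs with >= threshold failures inside `window`,
    and record whether a successful login followed the burst."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["src"])].append(ev)
    flagged = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i, start in enumerate(fails):
            in_window = [t for t in fails[i:] if t - start <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]
                succeeded = any(e["result"] == "Accepted" and e["ts"] > last_fail
                                for e in evs)
                flagged.append({"user": user, "src": src,
                                "failures": len(in_window),
                                "then_succeeded": succeeded})
                break  # one finding per pair is enough for a review queue
    return flagged


def after_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the (constructed) business-hours window."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["result"] == "Accepted"
            and not (start_hour <= e["ts"].hour < end_hour)]


# Constructed approved-access baseline and a current role export.
APPROVED_ACCESS = {
    "jdoe": {"teller"},
    "asmith": {"teller", "loan_officer"},
    "svc_backup": {"backup_operator"},
}
CURRENT_ACCESS = {
    "jdoe": {"teller", "admin"},       # privilege not in the baseline
    "asmith": {"teller", "loan_officer"},
    "svc_backup": {"backup_operator"},
    "bjones": {"teller"},              # account with no approved entry
}


def access_review(approved, current):
    """Compare current roles to the approved baseline; return findings."""
    findings = []
    for user, roles in sorted(current.items()):
        if user not in approved:
            findings.append((user, "unapproved account", sorted(roles)))
            continue
        extra = roles - approved[user]
        if extra:
            findings.append((user, "roles beyond baseline", sorted(extra)))
    for user in sorted(set(approved) - set(current)):
        findings.append((user, "approved account missing", []))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in failed_login_bursts(evts):
        print("burst:", f)
    for u, ts in after_hours_logins(evts):
        print("after-hours login:", u, ts)
    for finding in access_review(APPROVED_ACCESS, CURRENT_ACCESS):
        print("access review:", finding)
```

Each function returns its findings rather than printing them, so the same checks can feed a ticketing queue or a periodic report; the thresholds and hours are parameters because the right values depend on the institution's own baseline of activity.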
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.4 Training
The purpose of training is to teach people the skills that will
enable them to perform their jobs more securely. This includes
teaching people what they should do and how they should (or can) do
it. Training can address many levels, from basic security practices
to more advanced or specialized skills. It can be specific to one
computer system or generic enough to address all systems.
Training is most effective when targeted to a specific audience.
This enables the training to focus on security-related job skills
and knowledge that people need to perform their duties. Two types of
audiences are general users and those who require specialized or
advanced skills.
General Users. Most users need to understand good computer security
practices, such as:
1) protecting the physical area and equipment (e.g., locking
doors, caring for floppy diskettes);
2) protecting passwords (if used) or other authentication data
or tokens (e.g., never divulge PINs); and
3) reporting security violations or incidents (e.g., whom to
call if a virus is suspected).
In addition, general users should be taught the organization's
policies for protecting information and computer systems and the
roles and responsibilities of various organizational units with
which they may have to interact.
In teaching general users, care should be taken not to overburden
them with unneeded details. These people are the target of
multiple training programs, such as those addressing safety, sexual
harassment, and AIDS in the workplace. The training should be made
useful by addressing security issues that directly affect the users.
The goal is to improve basic security practices, not to make
everyone literate in all the jargon or philosophy of security.
Specialized or Advanced Training. Many groups need more
advanced or more specialized training than just basic security
practices. For example, managers may need to understand security
consequences and costs so they can factor security into their
decisions, or system administrators may need to know how to
implement and use specific access control products.
There are many different ways to identify individuals or groups who
need specialized or advanced training. One method is to look at job
categories, such as executives, functional managers, or technology
providers. Another method is to look at job functions, such as
system design, system operation, or system use. A third method is to
look at the specific technology and products used, especially for
advanced training for user groups and training for a new system.
Techniques. A security training program normally includes
training classes, either strictly devoted to security or as added
special sections or modules within existing training classes.
Training may be computer- or lecture-based (or both), and may
include hands-on practice and case studies. Training, like
awareness, also happens on the job.
One group that has been targeted for specialized training is
executives and functional managers. The training for management
personnel is specialized (rather than advanced) because managers do
not (as a general rule) need to understand the technical details of
security. However, they do need to understand how to organize,
direct, and evaluate security measures and programs. They also need
to understand risk acceptance.