- Company offers cybersecurity scholarships for returning vets -
Engility Holdings and the Center for Cyber Safety and Education are
offering a scholarship program to help returning veterans gain
cybersecurity certifications to reenter the workforce.
Report: Dell domain takeover could have spread malware - Dell
computer users could have possibly been exposed to malware last
summer after visiting a third-party customer support website, whose
domain was suddenly taken over by an unaffiliated company.
Swiss phishing scam aims to download Retefe banking trojan -
Researchers with PhishMe have released the details of a phishing
campaign, currently being run in Switzerland, that uses a tax dodge
to entice its victims to open an attached file, which will then
download the Retefe banking trojan.
NSA hacking tool EternalRomance found in BadRabbit - BadRabbit
evidence is multiplying, like well rabbits, with the latest
revelation being the malware used another stolen NSA tool to help it
move laterally through networks.
McAfee won't allow government code reviews as Kaspersky offers more
transparency - McAfee announced it will no longer permit foreign
governments to scrutinize its product source code for hidden
backdoors, at the same time as Kaspersky Labs is offering to be more
transparent with its source code.
LG patches app bug that can turn IoT vacuums into robotic spies - LG
Electronics has patched a bug in its smart appliance app that can be
exploited to gain remote access to devices under its control,
including a camera-equipped vacuum that can be abused to spy on its
DHS is Too Slow to Share Cyber Threat Info, Companies Say - The
Homeland Security Department should speed up how quickly it shares
information about cyber and physical threats facing critical
infrastructure sectors, according to half the respondents in a
Government Accountability Office review.
Equifax Was Warned of Vulnerability Months Before Breach - This
week, some old security threats came back to haunt the internet, a
fitting horror trope this close to Halloween.
Risk and Policy - This month we are looking at the current state of
risk and policy management tools. This is one of the most dynamic
groups we have watched over the years.
Hilton to pay $700,000 in data breach settlement with New York,
Vermont - Hilton hotels has reached a $700,000 joint settlement with
New York and Vermont for a pair of data breaches that were
discovered in 2015, including one that exposed more than 350,000
credit card numbers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- DUHK, DUHK, DUHK stolen encryption key attack - After the KRACK
epidemic and the ROCA scare the latest DUHK cryptography attack be
may more of a threat than its quacked up to be for old Fortinet
Tarte Cosmetics breach exposes nearly 2 million customers - Here's
one case where you might say the crime was worse than the cover-up.
Dell Lost Control of Key Customer Support Domain for a Month in 2017
- A Web site set up by PC maker Dell Inc. to help customers recover
from malicious software and other computer maladies may have been
hijacked for a few weeks this summer by people who specialize in
deploying said malware, KrebsOnSecurity has learned.
University of Iowa student arrested, charged with hacking school
system to change grades - Former University of Iowa student was
arrested last week and charged in the U.S. District Court, Southern
District of Iowa with hacking into the school's system to change
Man finds USB stick with Heathrow security plans, Queen’s travel
details - Secrets discovered when USB was plugged into library
computer; data unencrypted.
Dark Overlord goes Hollywood, threatens to leak celebrity data - The
Dark Overlord has once again struck from the darkest corners of the
dark web, this time to reveal intentions to leak the contents of a
stolen Hollywood database taken from a top studio.
Possibly everyone in Malaysia had their mobile records stolen - It
is possible that everyone in Malaysia may have had their mobile
phone records stolen and put up for sale on the Dark Web.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective
oversight and management of outsourcing relationships. Financial
institutions should incorporate an outsourcing risk management
process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING
Effective monitoring of threats includes both non - technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness
and compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration
management process that monitors for vulnerabilities in hardware and
software and establishes a process to install and test security
- Maintaining up - to - date anti - virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
The purpose of training is to teach people the skills that will
enable them to perform their jobs more securely. This includes
teaching people what they should do and how they should (or can) do
it. Training can address many levels, from basic security practices
to more advanced or specialized skills. It can be specific to one
computer system or generic enough to address all systems.
Training is most effective when targeted to a specific audience.
This enables the training to focus on security-related job skills
and knowledge that people need performing their duties. Two types of
audiences are general users and those who require specialized or
General Users. Most users need to understand good computer security
practices, such as:
1) protecting the physical area and equipment (e.g., locking
doors, caring for floppy diskettes);
2) protecting passwords (if used) or other authentication data
or tokens (e.g., never divulge PINs); and
3) reporting security violations or incidents (e.g., whom to
call if a virus is suspected).
In addition, general users should be taught the organization's
policies for protecting information and computer systems and the
roles and responsibilities of various organizational units with
which they may have to interact.
In teaching general users, care should be taken not to overburden
them with unneeded details. These people are the target of
multiple training programs, such as those addressing safety, sexual
harassment, and AIDS in the workplace. The training should be made
useful by addressing security issues that directly affect the users.
The goal is to improve basic security practices, not to make
everyone literate in all the jargon or philosophy of security.
Specialized or Advanced Training. Many groups need more
advanced or more specialized training than just basic security
practices. For example, managers may need to understand security
consequences and costs so they can factor security into their
decisions, or system administrators may need to know how to
implement and use specific access control products.
There are many different ways to identify individuals or groups who
need specialized or advanced training. One method is to look at job
categories, such as executives, functional managers, or technology
providers. Another method is to look at job functions, such as
system design, system operation, or system use. A third method is to
look at the specific technology and products used, especially for
advanced training for user groups and training for a new system.
Techniques. A security training program normally includes
training classes, either strictly devoted to security or as added
special sections or modules within existing training classes.
Training may be computer- or lecture-based (or both), and may
include hands-on practice and case studies. Training, like
awareness, also happens on the job.
One group that has been targeted for specialized training is
executives and functional managers. The training for management
personnel is specialized (rather than advanced) because managers do
not (as a general rule) need to understand the technical details of
security. However, they do need to understand how to organize,
direct, and evaluate security measures and programs. They also need
to understand risk acceptance.