DHS Statement on the Issuance of Binding Operational Directive
17-01 - After careful consideration of available information and
consultation with interagency partners, Acting Secretary of Homeland
Security Elaine Duke today issued a Binding Operational Directive
(BOD) directing Federal Executive Branch departments and agencies to
take actions related to the use or presence of information security
products, solutions, and services supplied directly or indirectly by
AO Kaspersky Lab or related entities.
https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
Equifax CSO, CIO to retire post-breach - Following a breach at
Equifax that left the records of 143 million Americans vulnerable to
exposure, the company's chief information officer (CIO) and chief
security officer (CSO) are retiring, the credit monitoring company
said Friday.
https://www.scmagazine.com/equifax-cso-cio-to-retire-post-breach/article/689209/
Houston man sentenced to 27 months for hospital hack - A Houston man
was sentenced to 27 months in prison for hacking into the
Centerville Clinic computer system, disabling all administrative
controls and using the health care facility's credit card to make
purchases at Staples.
https://www.scmagazine.com/houston-man-sentenced-to-27-months-for-hospital-hack/article/689175/
Top 10 most desired traits for cybersecurity job candidates -
Finding a good candidate, or possibly any candidate, to fill one of
the thousands of open cybersecurity positions available is one of
the greatest challenges facing security executives today.
https://www.scmagazine.com/top-10-most-desired-traits-for-cybersecurity-job-candidates/article/689345/
Without safeguards, Internet and IoT may create surveillance states
in near future - A catastrophic worldwide cyberattack, the emergence
of an IoT-enabled surveillance state, and the weakening of
encryption were among the chief security and privacy fears expressed
by experts who were polled for a sweeping new report about the
internet and its future impact on mankind.
https://www.scmagazine.com/report-without-safeguards-internet-and-iot-may-create-surveillance-states-in-near-future/article/689534/
Future Navy Accident Investigations Will Look for Cyber Attacks -
Rampant internet speculation aside, there’s no evidence yet that any
hostile electronic breach led to recent U.S. Navy mishaps, according
to the admiral who leads the service’s cyber operations.
http://www.nextgov.com/defense/2017/09/future-navy-accident-investigations-will-look-cyber-attacks/141025/
Cuomo orders new regs to protect New Yorkers from Equifax breach -
As fallout from the Equifax breach that exposed personal data on 143
million Americans continues to spread, New York Governor Andrew
Cuomo told the state's Department of Financial Services to create
new regulation compelling credit reporting companies for the first
time to register with New York.
https://www.scmagazine.com/cuomo-orders-new-regs-to-protect-new-yorkers-from-equifax-breach/article/689672/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
600,000 Alaskan voters' data left exposed - Kromtech Security
Center researchers discovered an unsecured U.S. voter database was
exposed to the public internet due to a misconfiguration of a CouchDB
instance.
https://www.scmagazine.com/researchers-spotted-600000-exposed-alaskan-voter-records/article/689173/
Medfusion 4000 Wireless Syringe Infusion Pump can be exploited to
compromise operations - Until a new version of Smiths Medical's
Medfusion 4000 Wireless Syringe Infusion Pump is issued in January
2018, its operators should be wary of eight vulnerabilities that can
be remotely exploited to gain access to the device and compromise
its functionality.
https://www.scmagazine.com/medfusion-4000-wireless-syringe-infusion-pump-can-be-exploited-to-compromise-operations/article/689007/
Equifax UK admits: 400,000 Brits caught up in mega-breach - UK
dedicated systems not affected - Equifax UK has surfaced to say that
British systems were not affected by a recently disclosed megahack,
however 400,000 UK people were affected due to a “process failure.”
http://www.theregister.co.uk/2017/09/15/equifax_uk_breach_statement/
Paramount Pictures, Comedy Central, MTV and hundreds more exposed in
Viacom AWS leak - A mishandling of Viacom's master AWS key has left
the credentials of hundreds of digital properties, including Comedy
Central, Paramount, MTV and other entertainment companies, exposed.
https://www.scmagazine.com/viacom-exposes-paramount-pictures-comedy-central-mtv-and-hundreds-more-in-aws-leak/article/690117/
WannaCry and Hollywood hospital ransomware attacks crossed a line
for some cybercriminals - The ransomware infection that disrupted
Hollywood Presbyterian Medical Center in 2016 and the worldwide
WannaCry attack in 2017 caused an ethical and philosophical rift
among members of the Russian and Eastern European cybercriminal
community, according to a new report.
https://www.scmagazine.com/wannacry-and-hollywood-hospital-ransomware-attacks-crossed-a-line-for-some-cybercriminals/article/690110/
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will
request that recipients "update" or "validate" their financial or
personal information in order to maintain their accounts, and direct
them to a fraudulent Web site that may look very similar to the Web
site of the legitimate business. These Web sites may include copied
or "spoofed" pages from legitimate Web sites to further trick
consumers into thinking they are responding to a bona fide request.
Some consumers will mistakenly submit financial and personal
information to the perpetrator who will use it to gain access to
financial records or accounts, commit identity theft or engage in
other illegal acts.
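As an added illustration, not part of the FDIC guidance quoted above, the following Python checks one constructed message for the indicators the guidance describes: a sender address that does not belong to the institution named in the display name, links whose host or visible text disagrees with the institution's domain, and "update"/"validate" wording. The domains, addresses and message are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be the
# bank, the sender and link hosts do not, and the text uses "update"/"validate".
SAMPLE = """From: "Example Bank Security" <alerts@example-bank-login.invalid>
To: customer@example.org
Subject: Please validate your account
Content-Type: text/html

<p>Please <a href="http://example-bank-login.invalid/verify">update your
account</a> or visit
<a href="http://example-bank.invalid.accounts-check.invalid/">www.example-bank.invalid</a>.</p>
"""

LURE_WORDS = ("update", "validate", "verify", "suspended")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def registered_domain(host):
    # Crude approximation: the last two DNS labels (enough for this sample).
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, trusted_domain):
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    sender = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if sender != trusted_domain:
        findings.append(f"sender domain {sender!r} is not {trusted_domain!r}")
        brand = trusted_domain.split(".")[0].replace("-", " ")
        if brand in name.lower():
            findings.append("display name impersonates the institution")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        if registered_domain(host) != trusted_domain:
            findings.append(f"link to untrusted host {host!r}")
        shown = TAG_RE.sub("", label).strip().lower()
        if "." in shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text {shown!r} hides target {host!r}")
    text = ((msg["Subject"] or "") + " " + TAG_RE.sub(" ", html)).lower()
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        findings.append("lure words: " + ", ".join(lures))
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "example-bank.invalid"):
        print("-", finding)
```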
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing information.
Management is responsible for clearly identifying the individuals
responsible for protecting the data and providing guidance for that
protection, while making the results available in a useable form to
those who are responsible for following up on the tests. Management
also should consider requiring contractors to sign nondisclosure
agreements and to return to the institution information they
obtained in their testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.3 Technical Support for Incident Handling
Incident handling will be greatly enhanced by technical mechanisms
that enable the dissemination of information quickly and
conveniently.
12.3.1 Communications for Centralized Reporting of Incidents
The technical ability to report incidents is of primary importance,
since without knowledge of an incident, response is precluded.
Fortunately, such technical mechanisms are already in place in many
organizations.
For rapid response to constituency problems, a simple telephone
"hotline" is practical and convenient. Some agencies may already
have a number used for emergencies or for obtaining help with other
problems; it may be practical (and cost-effective) to also use this
number for incident handling. It may be necessary to provide 24-hour
coverage for the hotline. This can be done by staffing the answering
center, by providing an answering service for non-office hours, or
by using a combination of an answering machine and personal pagers.
If additional mechanisms for contacting the incident handling team
can be provided, it may increase access and thus benefit incident
handling efforts. A centralized e-mail address that forwards mail to
staff members would permit the constituency to conveniently exchange
information with the team. Providing a fax number to users may also
be helpful.
One way to establish a centralized reporting and incident response
capability, while minimizing expenditures, is to use an existing
Help Desk. Many agencies already have central Help Desks for
fielding calls about commonly used applications, troubleshooting
system problems, and providing help in detecting and eradicating
computer viruses. By expanding the capabilities of the Help Desk and
publicizing its telephone number (or e-mail address), an agency may
be able to significantly improve its ability to handle many
different types of incidents at minimal cost.