FYI - Dept. of Education warns districts over extortion cyberattacks -
The U.S. Department of Education issued a belated warning to the
nation's school districts concerning cyberattacks that use threats
of violence against students in an attempt to extort money from the
district.
https://www.scmagazine.com/dept-of-education-warns-districts-over-extortion-cyberattacks/article/701340/
FBI's recruitment strategy for cybersecurity pros starts early,
focuses on high school - The FBI’s long-term strategy for hiring
proficient cybersecurity professionals involves reaching into high
schools, helping foster STEM education and perhaps most importantly,
encouraging students to enroll in Scholarship for Service programs
that eventually guide them toward Quantico, said Howard Marshall,
deputy assistant director of the bureau’s cybersecurity division.
https://www.cyberscoop.com/fbis-recruitment-strategy-cybersecurity-pros-starts-early-focuses-high-school/
Booter and Stresser Services Increase the Scale and Frequency of
Distributed Denial of Service Attacks - Criminal actors offer
distributed denial of service (DDoS)-for-hire services in criminal
forums and marketplaces.
https://www.ic3.gov/media/2017/171017-2.aspx
Judge shocked to learn NYPD’s evidence database has no backup - As
part of an ongoing legal battle to get the New York City Police
Department to track money police have grabbed in cash forfeitures,
an attorney for the city told a Manhattan judge on October 17 that
part of the reason the NYPD can't comply with such requests is that
the department's evidence database has no backup.
https://arstechnica.com/information-technology/2017/10/nypd-database-that-tracks-seized-evidence-and-cash-has-no-backup/
Study: 18% of fed agencies embrace DMARC yet 25% of email
fraudulent, unauthenticated - Research released just three days
after the federal government said it would compel agencies to adopt
the Domain-based Message Authentication, Reporting & Conformance
(DMARC) shows the criticality of implementing the standard—nearly 82
percent of agency domains lack DMARC while 25 percent of email that
purports to be from agencies is fraudulent or at least
unauthenticated.
https://www.scmagazine.com/study-18-of-fed-agencies-embrace-dmarc-yet-25-of-email-fraudulent-unauthenticated/article/702134/
DHS, FBI issue warning and details concerning ongoing ICS attacks
on power, aviation sectors - The Department of Homeland Security
(DHS) and the Federal Bureau of Investigation (FBI) issued a joint
alert concerning an advanced persistent threat currently targeting
the government and organizations in the energy, nuclear, water and
manufacturing sectors.
https://www.scmagazine.com/dhs-fbi-issue-warning-and-details-concerning-on-going-ics-attacks-on-power-aviation-sectors/article/702170/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Whole Foods says it has resolved a data breach that it reported
last month, in which the company detected unauthorized access to
credit card information in some point-of-sale systems.
https://www.cyberscoop.com/whole-foods-point-of-sale-breach/
Microsoft responded quietly after detecting secret database hack in
2013 - Microsoft Corp’s secret internal database for tracking bugs
in its own software was broken into by a highly sophisticated
hacking group more than four years ago, according to five former
employees, in only the second known breach of such a corporate
database.
http://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0
Dark Overlord threatens to release plastic surgery images of royals,
celebrities - The Dark Overlord cybergang has at least temporarily
moved away from attacking school districts and has turned back to
an old favorite, threatening to release celebrity private
information grabbed from a London, UK plastic surgery firm.
https://www.scmagazine.com/dark-overlord-threatens-to-release-plastic-surgery-images-of-royals-celebrities/article/702286/
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services (Part 3 of 4)
Due Diligence in Selecting a Service Provider
Once the institution has completed the risk assessment, management
should evaluate service providers to determine their ability, both
operationally and financially, to meet the institution’s needs.
Management should convey the institution’s needs, objectives, and
necessary controls to the potential service provider. Management
also should discuss provisions that the contract should contain. The
appendix to this statement contains some specific factors for
management to consider in selecting a service provider.
Contract Issues
Contracts between the institution and service provider should take
into account business requirements and key risk factors identified
during the risk assessment and due diligence phases. Contracts
should be clearly written and sufficiently detailed to provide
assurances for performance, reliability, security, confidentiality,
and reporting. Management should consider whether the contract is
flexible enough to allow for changes in technology and the financial
institution's operations. Appropriate legal counsel should review
contracts prior to signing.
Institutions may encounter situations where service providers
cannot or will not agree to terms that the institution requests to
manage the risk effectively. Under these circumstances, institutions
should either not contract with that provider or supplement the
service provider’s commitments with additional risk mitigation
controls. The appendix to this statement contains some specific
considerations for management in contracting with a service
provider.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
and testing.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.3 Awareness
Awareness stimulates and motivates those being trained to care
about security and to remind them of important security practices.
Explaining what happens to an organization, its mission, customers,
and employees if security fails motivates people to take security
seriously.
Awareness can take on different forms for particular audiences.
Appropriate awareness for management officials might stress
management's pivotal role in establishing organizational attitudes
toward security. Appropriate awareness for other groups, such as
system programmers or information analysts, should address the need
for security as it relates to their job. In today's systems
environment, almost everyone in an organization may have access to
system resources -- and therefore may have the potential to cause
harm.
Security awareness programs: (1) set the stage for training by
changing organizational attitudes to realize the importance of
security and the adverse consequences of its failure; and (2) remind
users of the procedures to be followed.
Awareness is used to reinforce the fact that security supports the
mission of the organization by protecting valuable resources. If
employees view security as just bothersome rules and procedures,
they are more likely to ignore them. In addition, they may not make
needed suggestions about improving security nor recognize and report
security threats and vulnerabilities.
Awareness also is used to remind people of basic security
practices, such as logging off a computer system or locking doors.
Techniques. A security awareness program can use many
teaching methods, including video tapes, newsletters, posters,
bulletin boards, flyers, demonstrations, briefings, short reminder
notices at log-on, talks, or lectures. Awareness is often
incorporated into basic security training and can use any method
that can change employees' attitudes.
Effective security awareness programs need to be designed with the
recognition that people tend to practice a tuning-out process (also
known as acclimation). For example, after a while, a security
poster, no matter how well designed, will be ignored; it will, in
effect, simply blend into the environment. For this reason,
awareness techniques should be creative and frequently changed.
Employees often regard computer security as an obstacle to
productivity. A common feeling is that they are paid to produce, not
to protect. To help motivate employees, awareness should emphasize
how security, from a broader perspective, contributes to
productivity. The consequences of poor security should be explained,
while avoiding the fear and intimidation that employees often
associate with security.