FYI
- Lawmakers Back Down from Pushing NIST into Cyber Auditing Role -
House Science Committee lawmakers have pared back a controversial
bill that would have tasked the government’s cyber standards agency
with auditing federal agencies’ cyber protections.
http://www.nextgov.com/cybersecurity/2017/10/lawmakers-back-down-pushing-nist-cyber-auditing-role/142187/
Hilton to pay $700,000 over credit card data breaches - Hilton
Worldwide Holdings Inc agreed to pay $700,000 and bolster security
to resolve probes into two
data breaches that exposed more than 363,000 credit card numbers,
the attorneys general of New York and Vermont announced on Tuesday.
http://www.reuters.com/article/us-hilton-wrldwide-settlement/hilton-to-pay-700000-over-credit-card-data-breaches-idUSKBN1D02L3
Third-party contractor may have deactivated Trump's Twitter account
- The person who briefly deactivated President Donald Trump's Twitter
account on Thursday, originally described by the company as an
employee's human error, reportedly was instead a third-party
contractor.
https://www.scmagazine.com/third-party-contractor-may-have-deactivated-trumps-twitter-account/article/705389/
Texas National Guard spent $373,000 on stingray equipment - The
Texas National Guard last year spent more than $373,000 to install
two of its DRT 1301C “portable receiver systems” in two RC-26
surveillance aircraft.
https://www.scmagazine.com/texas-national-guard-used-stingrays-on-surveillance-planes/article/705830/
Americans worry about cybercrime more than they worry about car
theft - Americans are far more worried about becoming cybercrime
victims than about becoming victims of conventional crimes.
https://www.scmagazine.com/american-worry-about-cybercrime-more-than-conventional-crime-study/article/706341/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Another misconfigured Amazon S3 server leaks data of 50,000
Australian employees - Another misconfigured Amazon server has
resulted in the exposure of personal data - this time the records of
50,000 Australian employees, which a third-party contractor had left
unsecured.
https://www.scmagazine.com/contractor-misconfigures-aws-exposes-data-of-50000-australian-employees/article/704873/
Malaysia investigating reported leak of 46 million mobile users'
data - Malaysia is investigating an alleged attempt to sell the data
of more than 46 million mobile phone subscribers online, in what
appears to be one of the largest leaks of customer data in Asia.
http://www.reuters.com/article/us-malaysia-cyber/malaysia-investigating-reported-leak-of-46-million-mobile-users-data-idUSKBN1D13JM
Trump signs Cyber Crime Fighting Act to train up local and state law
enforcement - With a flourish of President Donald Trump's pen
Thursday, state and local law enforcement got the tools and training
needed to fight cybercrime as the Strengthening State and Local
Cyber Crime Fighting Act of 2017 became law.
https://www.scmagazine.com/trump-signs-cyber-crime-fighting-act-to-train-up-local-and-state-law-enforcement/article/705171/
Asian content distributor Crunchyroll blames DNS hijack for
malicious redirection - Asian entertainment website Crunchyroll.com
is blaming a DNS hijack attack after site visitors in the early
morning of Nov. 4 were redirected to a malicious website designed to
infect them with malware.
https://www.scmagazine.com/anime-enemy-asian-content-distributor-crunchyroll-blames-dns-hijack-for-malicious-redirection/article/705510/
Estonia suspends national 760,000 ID cards found prone to encryption
vulnerability - Estonia on Friday blocked the certificates of
760,000 national ID cards in response to a cryptographic
vulnerability that researchers have discovered is even more
dangerous than originally reported.
https://www.scmagazine.com/estonia-suspends-national-760000-id-cards-found-prone-to-encryption-vulnerability/article/706134/
Hundreds of school websites redirected pro-ISIS web page - Pro-ISIS
hackers hijacked the websites of roughly 800 U.S. schools and
educational districts on Monday, after compromising their web
hosting provider, various news outlets have reported.
https://www.scmagazine.com/hundreds-of-school-websites-redirected-pro-isis-web-page/article/705985/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
FFIEC IT SECURITY - We conclude our series on the FFIEC interagency
Information Security Booklet.
MONITORING AND UPDATING - UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
testing requirements).
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
changed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.5 Education
Security education is more in-depth than security training and is
targeted for security professionals and those whose jobs require
expertise in security.
Techniques. Security education is normally outside the scope of
most organization awareness and training programs. It is more
appropriately a part of employee career development. Security
education is obtained through college or graduate classes or through
specialized training programs. Because of this, most computer
security programs focus primarily on awareness and training, as does
the remainder of this chapter.
13.6 Implementation
An effective computer security awareness and training (CSAT)
program requires proper planning, implementation, maintenance, and
periodic evaluation. The following seven steps constitute one
approach for developing a CSAT program.
Step 1: Identify Program Scope, Goals, and Objectives.
Step 2: Identify Training Staff.
Step 3: Identify Target Audiences.
Step 4: Motivate Management and Employees.
Step 5: Administer the Program.
Step 6: Maintain the Program.
Step 7: Evaluate the Program.