Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI
- FCC votes to repeal net neutrality, could increase cybersecurity
threats - Despite calls for Federal Communications Commission (FCC)
Chairman Ajit Pai to temporarily suspend the vote on net neutrality
until an investigation into fake comments on the public docket could
be completed, the commission decided today to repeal the regulations
put in place under the Obama administration, prompting criticism
that the move would not only choke freedom but would compromise
security and privacy.
https://www.scmagazine.com/fcc-votes-to-repeal-net-neutrality-could-increase-cybersecurity-threats/article/718769/
N.C.'s Mecklenberg County CIO details recent ransomware attack -
Mecklenberg County officials reported additional progress restoring
its systems following a ransomware attack earlier this month.
https://www.scmagazine.com/ncs-mecklenberg-county-cio-details-recent-ransomware-attack/article/718751/
Pentagon Delays Deadline For Military Suppliers to Meet
Cybersecurity Rules - The goal of the new regulations is to secure
sensitive data on the computers and networks at smaller companies.
http://www.nextgov.com/cio-briefing/2017/12/pentagon-delays-deadline-military-suppliers-meet-cybersecurity-rules/144562/
AHA calls for more oversight of medical device cybersecurity as FDA
outlines plans to modernize approvals - The American Hospital
Association wants the Food and Drug Administration to ramp up
efforts to ensure medical device manufacturers minimize the risks of
a cyberattack.
https://www.fiercehealthcare.com/privacy-security/aha-fda-medical-device-cybersecurity-guidance-oversight-approval
Air Force Pays Out Government’s Biggest Bug Bounty Yet - On Dec. 9,
a group of elite hackers once again found themselves deep within
critical Air Force networks, probing for security gaps that could
put the branch’s online operations at risk. And this time, military
cyber specialists joined them in the hunt.
http://www.nextgov.com/cybersecurity/2017/12/air-force-pays-out-governments-biggest-bug-bounty-yet/144640/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers target private schools in U.K. - Hackers apparently are
taking advantage of poorly secured systems at private schools in the
U.K., nicking identifying data, typically through phishing attacks,
that they could then use to target parents with fake invoices and
other means of cybercrime.
https://www.scmagazine.com/hackers-target-private-schools-in-uk/article/718744/
Starbucks free Wi-Fi caught secretly mining cryptocurrency - A tech
CEO noticed the free Wi-Fi at his local Starbucks didn't exactly
come without a price after discovering the network was secretly
jacking his computing power to mine cryptocurrency.
https://www.scmagazine.com/buenos-aires-starbucks-free-wi-fi-secretly-charges-cpu-to-mine-monero/article/718218/
Database aggregating 1.4B credentials found on dark web - A single
file on the dark web with a database of 1.4 billion clear text
credentials not only is the largest aggregate found there but it
opens a trove of credentials to even the least sophisticated
hackers.
https://www.scmagazine.com/database-aggregating-14b-credentials-found-on-dark-web/article/713543/
Millions of California voter records exposed in unprotected MongoDB
- California officials are investigating a report that an
unprotected MongoDB database has been discovered possibly containing
the names of every California voter.
https://www.scmagazine.com/millions-of-california-voter-records-exposed-in-unprotected-mongodb/article/719028/
Attackers exploit old WordPress to inject sites with code enabling
site redirection, takeover - Attackers have exploited an old
WordPress vulnerability to infect more than one thousand websites
with malware capable of injecting malvertising and even creating a
rogue admin user with full access privileges, according to
researchers.
https://www.scmagazine.com/attackers-exploit-old-wordpress-to-inject-sites-with-code-enabling-site-redirection-takeover/article/719049/
Pyramid scheme: AnubisSpy Android malware steals data, seemingly
links to old Sphinx campaign - A newly discovered Android spyware
that victimizes Arabic-speakers has been potentially linked to the
2014-15 Sphinx cyber espionage campaign, which was launched by the
threat group APT-C-15 to target PC users in the Middle East.
https://www.scmagazine.com/pyramid-scheme-anubisspy-android-malware-steals-data-seemingly-links-to-old-sphinx-campaign/article/719741/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service provider’s significant subcontractors.
Cost
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
transactions.
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular
independent security testing performed on its wireless customer
access application. Specific testing goals would include the
verification of appropriate security settings, the effectiveness of
the wireless application security implementation and conformity to
the institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
behavior.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.7 Interdependencies
Training can, and in most cases should, be used to support every
control in the handbook. All controls are more effective if
designers, implementers, and users are thoroughly trained.
Policy. Training is a critical means of informing employees
of the contents of and reasons for the organization's policies.
Security Program Management. Federal agencies need to ensure
that appropriate computer security awareness and training is
provided, as required under the Computer Security Act of 1987. A
security program should ensure that an organization is meeting all
applicable laws and regulations.
Personnel/User Issues. Awareness, training, and education
are often included with other personnel/user issues. Training is
often required before access is granted to a computer system.
13.8 Cost Considerations
The major cost considerations in awareness, training, and education
programs are:
1) the cost of preparing and updating materials, including the
time of the preparer;
2) the cost of those providing the instruction;
3) employee time attending courses and lectures or watching
videos; and
4) the cost of outside courses and consultants (both of which may
include travel expenses), including course maintenance.