- DHS Statement on the Issuance of Binding Operational Directive
17-01 - After careful consideration of available information and
consultation with interagency partners, Acting Secretary of Homeland
Security Elaine Duke today issued a Binding Operational Directive
(BOD) directing Federal Executive Branch departments and agencies to
take actions related to the use or presence of information security
products, solutions, and services supplied directly or indirectly by
AO Kaspersky Lab or related entities.
Equifax CSO, CIO to retire post-breach - Following a breach at
Equifax that left the records of 143 million Americans vulnerable to
exposure, the company's chief information officer (CIO) and chief
security officer (CSO) are retiring, the credit monitoring company
Houston man sentenced to 27 months for hospital hack - A Houston man
was sentenced to 27 months in prison for hacking into the
Centerville Clinic computer system, disabling all administrative
controls and using the health care facilities credit card to make
purchases at Staples.
Top 10 most desired traits for cybersecurity job candidates -
Finding a good candidate, or possibly any candidate, to fill one of
the thousands of open cybersecurity positions available is one of
the greatest challenges facing security executives today.
Without safeguards, Internet and IoT may create surveillance states
in near future - A catastrophic worldwide cyberattack, the emergence
of an IoT-enabled surveillance state, and the weakening of
encryption were among the chief security and privacy fears expressed
by experts who were polled for a sweeping new report about the
internet and its future impact on mankind.
Future Navy Accident Investigations Will Look for Cyber Attacks -
Rampant internet speculation aside, there’s no evidence yet that any
hostile electronic breach led to recent U.S. Navy mishaps, according
to the admiral who leads the service’s cyber operations.
Cuomo orders new regs to protect New Yorkers from Equifax breach -
As fallout from the Equifax breach that exposed personal data on 143
million Americans continues to spread, New York Governor Andrew
Cuomo told the state's Department of Financial Services to create
new regulation compelling credit reporting companies for the first
time to register with New York.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 600,000 Alaskan voters' data left exposed - Kromtech Security
Center researchers discovered an unsecured U.S. voter database was
exposed to the public internet due to a misconfiguration of CouchDB
Medfusion 4000 Wireless Syringe Infusion Pump can be exploited to
compromise operations - Until a new version of Smiths Medical's
Medfusion 4000 Wireless Syringe Infusion Pump is issued in January
2018, its operators should be wary of eight vulnerabilities that can
be remotely exploited to gain access to the device and compromise
Equifax UK admits: 400,000 Brits caught up in mega-breach - UK
dedicated systems not affected - Equifax UK has surfaced to say that
British systems were not affected by a recently disclosed megahack,
however 400,000 UK people were affected due to a “process failure.”
Paramount Pictures, Comedy Central, MTV and hundreds more exposed in
Viacom AWS leak - A mishandling of Viacom's master AWS key has left
the credentials of hundreds of digital properties, including Comedy
Central, Paramount, MTV and other entertainment companies, exposed.
WannaCry and Hollywood hospital ransomware attacks crossed a line
for some cybercriminals - The ransomware infection that disrupted
Hollywood Presbyterian Medical Center in 2016 and the worldwide
WannaCry attack in 2017 caused an ethical and philosophical rift
among members of the Russian and Eastern European cybercriminal
community, according to a new report.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will
request that recipients "update" or "validate" their financial or
personal information in order to maintain their accounts, and direct
them to a fraudulent Web site that may look very similar to the Web
site of the legitimate business. These Web sites may include copied
or "spoofed" pages from legitimate Web sites to further trick
consumers into thinking they are responding to a bona fide request.
Some consumers will mistakenly submit financial and personal
information to the perpetrator who will use it to gain access to
financial records or accounts, commit identity theft or engage in
other illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
of Test Plans and Data. Since knowledge of test planning and
results may facilitate a security breach, institutions should
carefully limit the distribution of their testing information.
Management is responsible for clearly identifying the individuals
responsible for protecting the data and provide guidance for that
protection, while making the results available in a useable form to
those who are responsible for following up on the tests. Management
also should consider requiring contractors to sign nondisclosure
agreements and to return to the institution information they
obtained in their testing.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 12 - COMPUTER
SECURITY INCIDENT HANDLING
12.3 Technical Support for Incident Handling
Incident handling will be greatly enhanced by technical mechanisms
that enable the dissemination of information quickly and
12.3.1 Communications for Centralized Reporting of Incidents
The technical ability to report incidents is of primary importance,
since without knowledge of an incident, response is precluded.
Fortunately, such technical mechanisms are already in place in many
For rapid response to constituency problems, a simple telephone
"hotline" is practical and convenient. Some agencies may already
have a number used for emergencies or for obtaining help with other
problems; it may be practical (and cost-effective) to also use this
number for incident handling. It may be necessary to provide 24-hour
coverage for the hotline. This can be done by staffing the answering
center, by providing an answering service for non-office hours, or
by using a combination of an answering machine and personal pagers.
If additional mechanisms for contacting the incident handling team
can be provided, it may increase access and thus benefit incident
handling efforts. A centralized e-mail address that forwards mail to
staff members would permit the constituency to conveniently exchange
information with the team. Providing a fax number to users may also
One way to establish a centralized reporting and incident response
capability, while minimizing expenditures, is to use an existing
Help Desk. Many agencies already have central Help Desks for
fielding calls about commonly used applications, troubleshooting
system problems, and providing help in detecting and eradicating
computer viruses. By expanding the capabilities of the Help Desk and
publicizing its telephone number (or e-mail address), an agency may
be able to significantly improve its ability to handle many
different types of incidents at minimal cost.
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our cybersecurity pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
There is no charge if you are not satisfied with our service.
For more information, please call R. Kinney Williams at 806-798-7119, send
an email to
email@example.com, or visit
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors