IT Security News Blast 03-29-2018

5 Steps to HIPAA Compliant Cyber Plan

5 Steps to Creating a HIPAA-Compliant Cyber Attack Contingency Plan
1. Make it a formal policy
2. Classify what is critical
3. Categorize risks, threats and preventative controls by performing a risk analysis
4. Be sure to create straightforward guidelines, parameters and procedures
5. Operationalize and integrate the plan into normal business operations
https://www.campussafetymagazine.com/hospital/hipaa-compliant-cyber-attack-contingency-plan/

Engaging Employees in Health Care Data Security
To get started, ask the following questions:
·       What problems are we targeting?
·       What behaviors are we hoping for?
·       What staff members are we targeting?
·       What tone will work with the staff?
https://hbr.org/2018/03/engaging-employees-in-health-care-data-security

At the HIT Summit in Cleveland, a Closer Look at How Cybersecurity Issues Impact Clinicians
“We try to communicate what we’re doing and why, without making it too technical,” Aldridge said. “And now at my new job, I use my marketing department, and the marketing department actually does a good job for me. Because I can’t be the person to give the controls and communicate the controls at the same time, because they won’t want to listen to me. Big communications should be done with a good PR background,” he asserted.
https://www.healthcare-informatics.com/article/cybersecurity/hit-summit-cleveland-closer-look-how-cybersecurity-issues-impact-clinicians

Meltdown and Spectre: The Risk Manager’s Guide
In mid-November, we covered the Intel vulnerabilities that were discovered with the IME and AMT technologies, including details on the remote management access vulnerabilities on desktops and laptops (usually corporate fleets) that Intel had super-secured with things like a blank admin password. […] In this post, we’re going to dive into the actual risk, where we are today, and some of the timeline and the chain of events of this global (not an understatement) security risk. We’ll include some translations along the way for the risk managers of the world. Let’s start at the top.
https://criticalinformatics.com/resources/blog/meltdown-and-spectre-the-risk-managers-guide

Digital innovation held back as IT teams firefight security threats
“IT departments in banks are being pulled in two directions,” says Marcin Swiety, Global Head of Luxoft’s Information Security practice. “Banks want to focus on digital innovation, but IT professionals feel unable to escape from the ever-present cyber threat. Budget cuts are leaving smaller teams with fewer spare hours in the day. Unable to plan ahead, they spend their days firefighting problems and upgrading legacy systems.”
https://www.helpnetsecurity.com/2018/03/27/firefight-security-threats/

NYS DFS Issues Sweeping New FAQs Affecting Scope of Its Cybersecurity Regulations
In the same FAQ that exempts federally chartered exempt mortgage servicers from Part 500, however, DFS also “encourage[d] all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.” Although non-binding, such administrative “encouragement” carries profound weight, especially with the rise of state legislatures, including in New York, considering and sometimes passing laws requiring “reasonable [cybersecurity] safeguards.”
https://www.law.com/newyorklawjournal/2018/03/28/nys-dfs-issues-sweeping-new-faqs-affecting-scope-of-its-cybersecurity-regulations/?slreturn=20180228192122

Is Facebook Undermining Our Military?
The U.S. military has long laid claim to having the best-equipped, best-trained fighting force in the world, and to spending more on defense than the next eight top-spending nations combined. But when the battleground is cyberspace, does that claim hold up?
https://www.meritalk.com/articles/is-facebook-undermining-our-military/

Boeing hit by WannaCry virus, fears it could cripple some jet production
Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming memo calling for “All hands on deck.” “It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote, adding that he’s concerned the virus will hit equipment used in functional tests of airplanes ready to roll out and potentially “spread to airplane software.”
https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/

More on the Boeing WannaCry virus story – overstated and inaccurate
Boeing have issued a statement:
·       A number of articles on a malware disruption are overstated and inaccurate
·       Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems
·       Remediations were applied and this is not a production or delivery issue
https://www.forexlive.com/news/!/more-on-the-boeing-wannacry-virus-story-20180328

The global cyber warfare market is expected to reach USD 91.75 billion by 2025
Increased concern toward the catastrophic nature of cyber warfare and national security are factors anticipated to drive the market over the forecast period. Cyberspace disruption capabilities have outstripped nations’ focus on terrorism. The increasing cyber-attacks, such as abusing digital infrastructure and network infiltration within industries and the defense sector, have led governments to focus more on cyberspace vulnerabilities.
https://www.prnewswire.com/news-releases/the-global-cyber-warfare-market-is-expected-to-reach-usd-9175-billion-by-2025-300620993.html

Cyber-arms-dealer Grey Heron really, really doesn’t want you to know about the connections between them and the disgraced Hacking Team
Grey Heron’s links don’t stop at their spokesjerk — they staffed up by recruiting technical staff orphaned by the collapse of Hacking Team, merging them with cyber-arms developers from other firms. Grey Heron may even just be a rebranded version of Hacking Team; a Saudi businessman just bought Hacking Team and infused cash into it, and an ex-Hacking Team source told Motherboard that it would “make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.”
https://boingboing.net/2018/03/26/arming-despots.html

Tempe cybersecurity expert breaks down vulnerabilities in paper voting
[The] biggest issue is being able to maintain authenticity, meaning that the information wasn’t falsified, modified or forged. “We’re very paper-driven still. When I think about that, I think about how much less secure paper is than any sort of digital system where you have a built-in trail and kind of cookie crumb of what’s occurred,” Pistillo said. “People are so afraid that if we go to a purely digital format that it’s more hackable, when it always has been easier to create fraudulent systems on pure paper.”
http://www.azfamily.com/story/37818672/tempe-cybersecurity-expert-breaks-down-vulnerabilities-in-paper-voting

The 2020 Census Is a Cybersecurity Fiasco Waiting to Happen
Now the United States is planning its first census that will be conducted primarily online. And with ongoing hacking of US political and government data by foreign powers, it’s no surprise security experts are warning that things could go very wrong. […] The US Census Bureau tested an internet survey in 2000 and scrapped it in 2010 because of concerns over data collection effectiveness and security. Now, despite cost overruns, underfunding, understaffing, and tight deadlines, it’s back for 2020.
https://www.motherjones.com/politics/2018/03/the-2020-census-is-a-cybersecurity-fiasco-waiting-to-happen/

South Dakota Becomes 49th State to Enact a Data Breach Notification Law
South Dakota defines a “breach of system security” as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.” It is important to note that the definition of breach of system security does not include personal or protected information that is stored on paper.
https://www.dataprivacymonitor.com/data-breach-notification-laws/south-dakota-becomes-49th-state-to-enact-a-data-breach-notification-law/

Ecuadoran Embassy in London cuts off Julian Assange’s Internet
In a statement, Ecuador said it has suspended Assange’s ability to communicate with the outside world because he violated an agreement he signed with his hosts at the end of 2017 not to use his communiques to interfere in the affairs of other states. It was not immediately clear whether visitors would also be stopped.
https://www.washingtonpost.com/world/ecuadoran-embassy-in-london-cuts-off-julian-assanges-internet/2018/03/28/10322e9c-32ae-11e8-b6bd-0084a1666987_story.html?utm_term=.ae2eeaf48db4

House Judiciary chair hopeful eyes surveillance reform
House Judiciary chairman hopeful Rep. Doug Collins (R-Ga.), who publicly announced his bid for the gavel this month, sees potential surveillance reform as one of the issues that the panel might focus on under his leadership. Citing allegations raised in a controversial memo authored by staff for House Intelligence Committee chairman Devin Nunes (R-Calif.), Collins said he sees a need for the Judiciary panel to examine the Foreign Intelligence Surveillance Court (FISC) process.
http://thehill.com/homenews/house/380654-house-judiciary-chair-hopeful-eyes-surveillance-reform

Facebook reportedly delaying smart speaker launch in wake of data outrage
But the Cambridge Analytica controversy and the subsequent public outrage over Facebook’s handling of user data appear to have put the big reveal on the back burner. (Cambridge Analytica, a political consulting firm that did work for Donald Trump’s 2016 presidential campaign, was revealed to have retained copies of private data for some 50 million Facebook users.) The report says Facebook is now taking a closer look at the products to ensure they make the “right trade-offs regarding user data.”
https://arstechnica.com/gadgets/2018/03/facebook-reportedly-delaying-smart-speaker-launch-in-wake-of-data-outrage/

Running Drupal? You need to patch, patch, patch right now!
The holes could allow hackers to attack a Drupal website in a number of different ways and that “could result in the site being completely compromised.” In other words, it’s really bad. A hacker will be able to hack your site from any webpage, the company warned, and it doesn’t require them to log in or have any privileges, meaning that a completely anonymous user can take over your site as well as access, delete and change non-public data.
https://www.theregister.co.uk/2018/03/28/running_drupal_you_need_to_patch_patch_patch_right_now/

Bad Microsoft Meltdown Patch Made Some Windows Systems Less Secure
Fisk, a Swedish IT security expert, reported on Tuesday that Microsoft made a fatal mistake in January with a botched patch that allowed malicious apps or a local user to access protected kernel memory and steal passwords and personal information from Windows 7 (64-bit) and Server 2008 R2 machines. No other Windows OS version is impacted. Microsoft corrected the error in its March Patch Tuesday update.
https://threatpost.com/bad-microsoft-meltdown-patch-made-some-windows-systems-less-secure/130844/

Android malware found inside apps downloaded 500,000 times
Cybercriminals have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps. The malware was sneaked onto the Google Play store disguised as seven different apps — six QR readers and one ‘smart compass’ — and bypassed security checks by hiding its true intent with a combination of clever coding and delaying its initial burst of malicious activity.
http://www.zdnet.com/article/android-malware-found-inside-apps-downloaded-500000-times/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.