IT Security News Blast 5-29-2017

How to Meet Cybersecurity Requirements

Below are some of the best practices advisors can harness to ensure they comply with SEC and FINRA cybersecurity regulations.

1) Establish cybersecurity policies

2) Test cybersecurity controls

3) Align risk and framework assessments with cybersecurity strategy

4) Align headquarters and branch offices on cybersecurity

5) Store documents in a digital vault

6) Perform vendor risk assessments

 Medical device industry ‘not doing enough on cybersecurity’

The study also found that around half (49%) of device manufacturers were not using guidance from the FDA about how to secure devices. And worryingly, it seems testing of medical devices rarely occurs. Only 9% of manufacturers and 5% of HDOs said they test medical devices at least annually, and 53% of HDO respondents said they either do not test or are unaware if this takes place. That was also the case for 43% of device companies.

 Radio-controlled pacemakers aren’t as hard to hack as you (may) think

Chief among the concerns: radio frequency-enabled pacemaker programmers don’t authenticate themselves to the implanted cardiac devices, making it possible for someone to remotely tamper with them. “Any pacemaker programmer can reprogram any pacemaker from the same manufacturer,” researchers from medical device security consultancy WhiteScope wrote in a summary of their findings. “This shows one of the areas where patient care influenced cybersecurity posture.”

 Formal Training or Best Fit? Cybersecurity Jobs Evolve to Meet Increasing Demand

One option for companies looking to improve their infosecurity outlook is the “new collar” movement, which focuses on both skills and specializations. New collar initiatives start with training programs aimed at precollege technology students, which first establishes a relationship and then provides key skills to succeed in the cybersecurity world. Additionally, new collar programs redefine employee roles, profiles and partnerships to create new staff sources, and they prioritize hands-on knowledge over more traditional degree tracks.

 Industrial cyber security – Securing Operational Technology 101

As OT systems are often responsible for the control of a physical process, good practice in ISO/IEC 2700x should be adopted where appropriate, but the IEC standards should take precedence at all times. For example, a password lockout policy might be appropriate for preventing unauthorised access to a business system (business confidentiality) but not for the control room where locking an Operator out of the control system could have serious consequences (availability is more important).

 Survey: U.S. execs bearish on 2018 cybersecurity spending, despite increase in threats

The findings highlight the difficulties that many security professionals face when attempting to procure budgetary dollars and resources from upper management, especially with a dearth of reliable industry guidance or benchmarks for what is advisable to spend. James O’Shea, a cybersecurity leader at RBC Capital in New York, noted this very problem at the Cyber Investing Summit 2017 in New York this month, stating that there was no good rule on what organizations should spend on cyber.

 Report: FBI Looking Into Attempted Cyberattack On Trump Organization

The article did not mention the country or region of the world where the alleged hack originated. But investigating the computer network of the President’s company would be delicate for the FBI, given that the bureau’s agents are currently probing possible ties between Trump campaign associates and Russian operatives working to influence the 2016 election. […] Anonymous law enforcement officials told ABC that President Donald Trump’s sons were brought in to discuss the attempted hack on May 8, the day before the President abruptly fired FBI director James Comey.

 The U.S. Military Needs “Second Strike Capability” in the Space and Cyber Arenas

“The one thing about the undersea leg was it gave you that second-strike capability, right, that guaranteed second strike, and that slowed things down a little bit,” Richardson said. “You really had to think things through. It wasn’t just sort of ICBM versus ICBM. That was sort of a high-bandwidth structure, very, very quick decision-making possible. And so, as we think about deterrence, things that slow the process down a little bit, buy us time, seem to be beneficial.

 Security Clearance Process Key Challenge for Military Cyber Forces

The Navy has decided to begin moving the process earlier in a sailor’s career so that by the time they have the technical qualifications for a position they also have made it through the lengthy process, said Vice Adm. Michael Gilday, commander of United States Fleet Cyber Command and U.S. 10th Fleet, according to

 Chipotle Says Hackers Hit Most Restaurants In Data Breach

Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015. Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

 Is edge analytics the front line of cybersecurity?

The concept extends the idea of edge computing to data gathering and analysis. Instead of analyzing information generated by sensors at a central computing station, data would be sent through sensors and devices where security is already built in. The advantage is that analytics would get performed closer to the devices that actually generated the data. In theory, that allows IT to more quickly understand what’s happening with their organization’s assets and better gauge evolving threats to carry out predictive maintenance or detect security anomalies in real time.

 FCA Publishes Statement on National Cyber Attack and Webpage on Cyber Resilience

The FCA also published a new webpage on cyber resilience on May 18. The webpage reinforces the importance of firms having a “security culture”—from the board of directors down to every employee. The webpage also acts as a repository for the FCA and other government agency’s publications on cybersecurity, as well as details on how to report a cyber incident.

 New Board to Advise Governor on Homeland Security Issues

The Democratic governor signed an executive order creating Rhode Island’s first Homeland Security Advisory Board Thursday. The seven-member board will work with the state’s cybersecurity officer, law enforcement and other stakeholders to monitor the state’s progress on implementing recommendations from the Cybersecurity Commission. The order dissolves that commission, which last met in December 2015.

 The good old NTFS bug in Windows strikes back but with a different name

Most of you who are from the Windows 95 era may remember an NTFS bug that allowed hackers to attack devices through special filenames, causing the entire system to go berserk and subsequently display a blue screen of death. Well, to everyone’s disappointment, the bug is back to haunt those who are running Windows 7 or 8. This time, however, the bug is cunningly placed in an image source file that is loaded once a web page with that image is accessed.

 Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw

Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, running in most of Microsoft’s antimalware offerings bundled with Windows.

 Is “I forget” a valid defense when court orders demand a smartphone password?

On May 30, two suspects accused of extorting the so-called “Queen of Snapchat” as part of a sex-tape scandal are scheduled to appear in a Florida court. But as wild as the premise sounds, primarily the accused need only to answer a simple question on this visit. Miami-Dade Circuit Judge Charles Johnson wants an explanation as to why Hencha Voigt and her then boyfriend, Wesley Victor, can’t remember the passcodes to their mobile phones. If he doesn’t believe them or if they remain silent, the two suspects face possible contempt charges and indefinite jail time for refusing a court order to unlock their phones so prosecutors can examine text messages.

 Network Time Protocol updated to spook-harden user comms

This Internet Draft, published last week, calls for changes in Network Time Protocol (NTP) clients – and devs will be pleased to hear it won’t be that difficult to implement. As the draft explains, the RFCs that define NTP have what amounts to a convenience feature: packets going from client to server have the same set of fields as packets sent from servers to clients.
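As an added illustration (not code from the article, the Internet Draft, or any NTP implementation), the Python below lays out the 48-byte NTPv4 header and builds two client requests against it: one that fills in the server-style fields the way a stock client does, and one that zeroes everything except the LI/VN/mode byte and a random transmit timestamp, then uses that random value as a nonce to check the server's reply. The choice of which fields to zero and the random transmit timestamp follow the data-minimization approach as I understand the draft, and are an assumption beyond what the article states; the sample values (client stratum 3, upstream 10.0.0.1, the constructed server reply) are made up for the demonstration.

```python
"""Added example: NTPv4 client requests, chatty vs data-minimized.

Hypothetical helper code, not from the Internet Draft or any NTP project.
"""
import os
import struct
import time

# 48-byte NTPv4 header (RFC 5905 section 7.3), network byte order:
# li_vn_mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps.
HEADER = struct.Struct("!BBbbIIIQQQQ")
FIELDS = ("li_vn_mode", "stratum", "poll", "precision", "root_delay",
          "root_dispersion", "reference_id", "reference_ts", "origin_ts",
          "receive_ts", "transmit_ts")
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4


def unix_to_ntp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole, frac = divmod(unix_seconds + NTP_EPOCH_OFFSET, 1)
    return (int(whole) << 32) | int(frac * (1 << 32))


def parse(packet):
    """Decode a 48-byte header into a dict keyed by FIELDS plus leap/version/mode."""
    values = dict(zip(FIELDS, HEADER.unpack_from(packet)))
    values["leap"] = values["li_vn_mode"] >> 6
    values["version"] = (values["li_vn_mode"] >> 3) & 0x7
    values["mode"] = values["li_vn_mode"] & 0x7
    return values


def build_chatty_client_request(now=None):
    """What an unmodified client sends: the server-style fields are all populated.

    stratum, poll, precision, reference_id and reference_ts describe the client's
    own clock state and upstream server; the server needs none of them to answer.
    """
    now = time.time() if now is None else now
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return HEADER.pack(li_vn_mode,
                       3,                       # stratum: synced to a stratum-2 server (constructed)
                       6,                       # poll: 2**6 = 64 s interval
                       -20,                     # precision: ~1 microsecond clock
                       0, 0,                    # root delay / dispersion
                       0x0A000001,              # reference_id: upstream 10.0.0.1 (constructed)
                       unix_to_ntp(now - 30),   # reference_ts: last sync 30 s ago
                       0, 0,                    # origin / receive timestamps
                       unix_to_ntp(now))        # transmit_ts: the real local clock


def build_minimized_client_request():
    """Data-minimized request: only LI/VN/mode and a random transmit_ts are set.

    The random transmit_ts acts as a nonce that the reply must echo in origin_ts,
    so the client can still match replies without disclosing its clock.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    nonce = int.from_bytes(os.urandom(8), "big")
    return HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, nonce)


def leaked_fields(packet):
    """Fields a client request discloses beyond what the exchange needs."""
    p = parse(packet)
    return [f for f in FIELDS
            if f not in ("li_vn_mode", "transmit_ts") and p[f] != 0]


def make_server_reply(request, now=None):
    """Constructed server side: echo the request's transmit_ts as origin_ts."""
    now = time.time() if now is None else now
    req = parse(request)
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    return HEADER.pack(li_vn_mode, 2, 6, -23, 0x800, 0x400,
                       0xC0A80101,              # server's upstream 192.168.1.1 (constructed)
                       unix_to_ntp(now - 10),   # reference_ts
                       req["transmit_ts"],      # origin_ts echoes the client's nonce
                       unix_to_ntp(now),        # receive_ts
                       unix_to_ntp(now + 0.0001))  # transmit_ts


def reply_matches(request, reply):
    """Client-side origin check: accept only a server reply that echoes our nonce.

    Because the nonce was random, an off-path attacker who never saw the request
    cannot produce a reply that passes this check.
    """
    req, rep = parse(request), parse(reply)
    return rep["mode"] == MODE_SERVER and rep["origin_ts"] == req["transmit_ts"]


if __name__ == "__main__":
    chatty = build_chatty_client_request(now=1496000000.0)
    minimal = build_minimized_client_request()
    print("chatty request leaks:", leaked_fields(chatty))
    print("minimized request leaks:", leaked_fields(minimal))
    reply = make_server_reply(minimal)
    print("reply to our request accepted:", reply_matches(minimal, reply))
    print("reply to a different request accepted:",
          reply_matches(build_minimized_client_request(), reply))
```

Run stand-alone, the chatty request reports stratum, poll, precision, reference_id and reference_ts as disclosed, the minimized request reports nothing, and only the reply whose origin_ts matches the request's nonce is accepted. The same struct layout parses real replies captured from a server on UDP port 123, which is a quick way to confirm what a deployed client is actually sending.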

 Rash Of Phishing Attacks Use HTTPS To Con Victims

Raised awareness has created a “strange side-effect” where consumers trust anything secured with HTTPS, they said, adding that trust is increasingly being abused by scammers especially through phishing attacks. “During our analysis, we have observed domains being used for phishing, as well as by scammers, offering fake technical support and by advertisers promoting products of questionable quality,” they wrote.

 Houdini Worm Gets Posted to Paste Sites

“The individual(s) reusing this Houdini VBscript are continually updating with new command and control servers,” Recorded Future’s Daniel Hatheway explains in a blog post. […] Overall, the security researchers discovered a total of 213 posts to paste sites as of April 26. These included 105 unique subdomains, 1 domain, and 190 hashes. Thus, they concluded that some of the posts were exact matches, while others used the same domain but contained other changes within the VBscript.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.