Feds

Feds indict former Shreveport city employee in $400K fraud

SHREVEPORT, La. (AP) — A federal grand jury in Louisiana has accused a former city worker and a second man of using city credit cards more than 3,800 times over […] View full post on National Cyber Security

Feds Eye #Cybersecurity Risks of #Tech #Providers

Source: National Cyber Security – Produced By Gregory Evans

Financial regulators just named cybersecurity as one of their top concerns going into 2018, with a heap of worry specifically about third-party contractors supporting the financial system.

So for compliance officers looking for yet another reason to move third-party risk management up the priority scale, now you have one.

The alarm was raised last week in the 2017 report of the Financial Stability Oversight Council. (That’s the council of U.S. financial regulators mandated by the Dodd-Frank Act to help coordinate regulatory policy and anticipate future financial crises.) Financial firms have come to rely on technology service providers so much, the report said, that a poor understanding of those providers’ cybersecurity postures could create risk for the financial system overall:

Maintaining confidence in the security practices of third-party service providers has become increasingly important, particularly since financial institutions are often serviced by the same providers. The Council encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language.

What’s more, the FSOC even raised the idea of regulating tech providers in a more uniform fashion, so the current patchwork of supervision doesn’t allow cracks in the system that others could exploit:

[T]he authority to supervise third-party service providers continues to vary across financial regulators. The Council supports efforts to synchronize these authorities and enhance third-party service provider information security. The Council recommends that Congress pass legislation that grants examination and enforcement powers … to oversee third-party service providers and encourages coordination among federal and state regulators in the oversight of these providers.

Wow. When a group of Republican regulators tells a Republican Congress that they might need more regulation, you know things are bad.

Will Congress actually respond to these ideas? Probably not, given the floundering leadership in Washington these days. But the fundamental point — that service providers can now pose dire cybersecurity risk to the financial sector and many others — is not news to compliance officers. So let’s ponder a few other points about how to manage third-party risk in useful ways right now.

The Business Imperative
First, consider the FSOC’s true worry here. Regulators are one party, acting to protect the interests of a second party: the public, which ultimately supports and pays for the financial system. Regulators do that by imposing standards on third parties (financial firms) — and now regulators are worried about the tech service providers supporting those financial firms.

In other words, the FSOC is really worried about fourth-party risk to the financial system.

This underlines a point I’ve been making for a while: the better your firm is at managing third-party risk, the more attractive you become as a third party yourself. After all, your third parties are your customer’s fourth parties. Fourth-party risk is where your customers start to get antsy, because they can’t easily see what those risks might mean for them. They don’t have visibility into those distant parties.

And that’s what third-party risk management is all about: making your supply chain more transparent, so you can see those risks more clearly. So any compliance program that can achieve that transparency, and pass that assurance along to your customers, will have a strategic advantage over your rivals.

The compliance community likes to talk a lot about the strategic advantage of a strong compliance program. This is the most urgent example. When your board or CFO starts complaining about that budget request for more investment in third-party governance, remind them: “If we can’t govern our third parties and their possible cybersecurity risk, eventually we’ll get locked out of courting financial services firms.” That’s why investing in third-party governance is worth it.

Three Practical Challenges
So what bumps will compliance and audit officers hit on the road to better cybersecurity assurance? A few come to mind.

Scoping SOC 2 audits. A SOC 2 audit examines a service provider’s data security controls. A Type I audit determines whether a vendor’s controls are designed properly at a certain point in time; a Type II audit examines whether the controls work as designed over a set period of time.

Yes, your big firm can probably squeeze an eager vendor to pay for the SOC 2 audit — but scoping the audit correctly is still your responsibility. If the scope is too narrow, you might miss risks the vendor has but that weren’t audited; if the scope is too broad, you’ve wasted money on “over-compliance” for risks you won’t face.

I wrote a longer essay about scoping SOC 2 audits earlier this year for Reciprocity Labs, if you want to read more there. Suffice it to say, to do this well you need to understand your own firm’s cybersecurity risks, the risks of outsourcing some data functions to a vendor, and the vendor’s own security protocols.

Implementation of NIST protocols. NIST has several sets of controls it recommends for cybersecurity. They are an outstanding resource, and should be adopted. The FSOC praised NIST, and urged financial regulators to keep current with new advances in the NIST standards as they evolve.

In the private sector, compliance officers, audit executives, and internal control departments should examine the standards and see how to implement those controls in your own operations — and this is especially true for tech service vendors themselves. NIST 800-171 is the standard government contractors are supposed to use to comply with DFARS, which spells out the cybersecurity standards you must meet if you want to bid on defense contracts.

I have another essay, and a companion white paper, about the NIST standards that I wrote for Rapid7 earlier this year. Companies may have a long way to go for compliance, but the NIST standards are the clear destination.

Preparing for more scrutiny. The Securities and Exchange Commission already pressures companies to disclose cybersecurity concerns as risk factors. Good news: many more companies are. According to a report from Intelligize released last week, the number of firms disclosing cybersecurity as a risk factor went from 426 in 2012 to 1,680 this year.

The bad news: those disclosures usually don’t say much, and they certainly don’t capture the full picture of risk from tech service providers. Hence the SEC is talking about enhanced disclosure of cybersecurity risk, or even required disclosure of cybersecurity incidents. (Imagine filing a Form 8-K to disclose a breach every time you have one.)

Likewise, the Public Company Accounting Oversight Board wants audit firms to step up their scrutiny of your cybersecurity risks. I still struggle to understand what that scrutiny will look like in practice, since cybersecurity breaches rarely lead to a material risk of misstated financial results — but that’s the point, really. Regulators know they need to do more about cybersecurity; they just aren’t quite sure what.

I suspect many of us feel the same way.

The post Feds Eye #Cybersecurity Risks of #Tech #Providers appeared first on National Cyber Security Ventures.


Feds seize largest criminal ‘dark web’ site AlphaBay after Atlanta investigations

Source: National Cyber Security – Produced By Gregory Evans

The largest criminal marketplace on the internet, AlphaBay, has been seized by the U.S. Department of Justice with the help of Atlanta-based investigations, officials said Thursday. An AlphaBay staffer was identified through an ongoing investigation conducted in Atlanta, DOJ spokesman Bob Page said. Officials said the “dark web” operation started…


Stolen Identity, Stolen Faith: A Chicagoan’s Fight With Feds Over Fraudulent Student Loans

Source: National Cyber Security – Produced By Gregory Evans

Six years after an identity thief stole her personal information to open fraudulent student loans, Chicagoan Marisol Vargas-Sierra said she was still …

The post Stolen Identity, Stolen Faith: A Chicagoan’s Fight With Feds Over Fraudulent Student Loans appeared first on Become007.com.


Feds charge Arizona man with using password scheme to hack 1,050 college students


Source: National Cyber Security – Produced By Gregory Evans

An Arizona man used his work computer to hack into the personal internet accounts of more than 1,000 students at various colleges across the country, federal prosecutors said this week.
Jonathan Powell, 29, was arrested Wednesday in Phoenix and charged


Feds Award Flint Schools $480K Grant for Lead Crisis Support – District Dossier – Education Week

The money is meant to be used to hire attendance specialists, counselors, and psychologists to help deal with problems that may occur because students were exposed to lead-contaminated tap water.

View full post on Education Week: Bullying
The post Feds Award Flint Schools $480K Grant for Lead Crisis Support – District Dossier – Education Week appeared first on Parent Security Online.

Trump Social Media Death Threats Get ‘Serious’ Attention From Feds

Source: National Cyber Security – Produced By Gregory Evans

Death threats in recent months against Republican presidential candidate Donald Trump, especially at the time of his trip to Mexico to meet with Mexican President Enrique Peña Nieto, are being taken seriously by the US Secret Service (USSS) and other


Feds must have ‘zero trust’ of employees to stop hackers, report says

Source: National Cyber Security – Produced By Gregory Evans

Federal agencies seeking to stop another major hack of Americans’ personal data must establish a “zero trust” system that treats government employees as just as big a threat to cybersecurity as foreign attackers, says a report being released Wednesday by


FASHION INDUSTRY TELLS FEDS: WE NEED BETTER CYBERSECURITY FOR INTERNET-CONNECTED CLOTHES

Source: National Cyber Security – Produced By Gregory Evans

The fashion industry is urging Washington not to hinder creativity when the government formulates policies surrounding the internet of things, as everyone from Met Gala celebrity guests to U.S soldiers slip on wired garments. During February’s New York Fashion Week, designer Nayana Malhotra wrapped models in pieces that served as projector screens — linked to […]


Mozilla Denied Request To Learn How Feds Hacked Firefox

Mozilla Corp. asked the feds to share details of a Firefox vulnerability that was used in exposing a child pornography website, but the U.S. authorities shut down the plea. The uncomfortable answer came from U.S. District Judge Robert Bryan, who recently denied Mozilla’s attempt to learn which part of Firefox is vulnerable. The company filed the […] View full post on AmIHackerProof.com | Can You Be Hacked?