Thursday, January 18, 2018

Kaspersky is Kaput in U.S.!

Posted by Joseph December 31, 1969 7:00pm


By Joe Alecci, IT Senior Manager

In September 2017, the Acting Secretary of Homeland Security issued what is known as a Binding Operational Directive (BOD) that compels Executive Branch departments and agencies to identify and remove Kaspersky Lab products from their systems. Kaspersky Anti-virus products provide access to files and elevated privileges on systems that have this software installed, which can be exploited to compromise said systems. At the time of this Directive, there were concerns about the ties between certain Kaspersky officials and Russian Intelligence agencies. Russian agencies, under Russian laws and in collaboration with Kaspersky, could potentially utilize access provided by these products to compromise federal systems and affect national security.  

Fast forward to December 12th, when President Trump signed into law the National Defense Authorization Act -- the defense spending bill for the 2018 fiscal year that includes a provision which stems from the September Directive banning the use of Kaspersky products within the U.S. Government, including both civilian and military networks. Reuters noted that Kaspersky denied any ties or involvement with cyber espionage and offered to submit the source code for software and future updates for inspection by third parties. U.S. officials apparently responded with a "Нет, спасибо" in Russian or "no, thank you."

So what does this mean for financial institutions? Any organization using Kaspersky should start to develop a plan to remove and replace any Kaspersky Anti-virus applications or products in an expedient manner. Although I have not seen anything from the regulators, I would not tempt fate. On a final note, it just dawned on me, why would the Federal Government be using any Russian or foreign government software for cybersecurity-related protection in the first place? Hmm...

To learn about P&G's IT/Cybersecurity Audit & Risk Management Services, please email WhatsYourRisk@pandgassociates.com or call 877-651-1700.  

 

 


Joseph Alecci, CISA, CISM, CISSP, CRISC

Senior Manager – IT Audit & Information Security

Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.


