NTSC Blog

NTSC Technology Security Roundup

Weekly News Roundup: July 3, 2017

Editor’s Note: We will be publishing an article focused on Petya later this week.

Building Software Securely from the Ground Up May Be a Solution to Vulnerabilities

It’s such a simple solution: Build software securely from the very beginning. Then, software vulnerabilities will be nearly eliminated. A recent article from FedTech points out that the Defense Advanced Research Projects Agency (DARPA) is currently working on such a solution to eliminate problems related to zero-day vulnerabilities. According to FedTech, “The goal is to shift the culture of software development for the government from one in which software is highly vulnerable to a world where software is made secure to begin with, thanks to new algorithms and software methods.” While formal methods and automatic scanning/patching are not only possible but also used in some industries, obstacles include cost and “specialized training to use [the software] effectively.”

GDPR Will Significantly Affect Sharing of B2B Information for US Companies

A recent ThreatPost article discussed reflections by Clare Sullivan (Georgetown University professor at the Law Center, and a Fellow at the Center on National Security and the Law) at the Borderless Cyber conference. Quoted from the article, Sullivan said, “Many factors can affect an organization’s legal ability to engage in global business-to-business sharing of cyber threat information. Of chief concern is whether IP addresses can be lawfully shared between organizations as cyber threat intelligence.” She also talked about extraterritoriality, saying “if you are a U.S. company and you process the personal data of an EU subject you are subject to the EU data protection regime. That’s a distinct change from current rules.”

North American Securities Administrators Association Discusses Regulatory Efforts to Help Investment Firm Cybersecurity

Bloomberg BNA recently reported that the North American Securities Administrators Association (NASAA) discussed regulatory efforts to help investment firm cybersecurity—specifically to “[gather] information about firms’ cybersecurity practices that may serve as the basis for a model cybersecurity rule.” According to Bloomberg BNA, “Thus far, three states—New York, Vermont and Colorado—have cybersecurity rules in place, which require safeguards such as annual risk assessments and mandatory e-mail encryption practices.”

New NIST Guidelines Challenge Status Quo of Password Best Practices

Many of us have been taught to create “complex” passwords with a combination of letters, numbers, and special characters. However, these may not be as secure as previously thought. Instead, according to a recent Quartz article, “NIST recommends the use of lengthy passwords, and instructs administrators to allow passwords to run at least 64 characters long. It also says people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.” The article goes on to say, “A password with special characters may be hard to remember but easy for a computer to guess. On the other hand, a long and simple password is easy for a human to remember and actually very difficult for a computer to guess.”
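To make the contrast concrete, here is an added example (not code from the article, Quartz, or NIST) that puts a legacy composition-rule policy beside a length-based policy in the spirit of the guidance above, plus a rotation check that fires only on evidence of compromise. The 8-character minimum, the 128-character cap, and the tiny blocklist are assumptions chosen for the demonstration; the cap only matters insofar as it permits at least 64 characters.

```python
"""Password-policy check contrasting a legacy composition rule with the
length-based rule the NIST guidance above describes. Added example, not
code from the article or from NIST; thresholds are assumptions."""
import string
import unicodedata

MIN_LEN = 8     # assumption: NIST SP 800-63B minimum for user-chosen passwords
MAX_LEN = 128   # assumption: any cap must allow at least 64 characters
# Constructed stand-in for the common/compromised-password list NIST
# requires checking against (not quoted in the article).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "12345678", "qwertyuiop"}


def legacy_policy(pw: str) -> bool:
    """Old-style rule: 8+ characters drawn from at least three classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= MIN_LEN and sum(classes) >= 3


def nist_policy(pw: str) -> bool:
    """Length-based rule: no character-class requirements, spaces and
    Unicode allowed, long passphrases accepted, known-bad values rejected."""
    pw = unicodedata.normalize("NFKC", pw)  # compare one canonical form
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    # Case-insensitive blocklist lookup is an assumption, not a NIST rule.
    return pw.lower() not in COMMON_PASSWORDS


def rotation_required(days_since_change: int, compromise_evidence: bool) -> bool:
    """Force a change only on evidence of compromise, never on age alone."""
    return compromise_evidence  # days_since_change is deliberately ignored


def compare(pw: str) -> dict:
    """Show how the two policies diverge on one candidate password."""
    return {"legacy": legacy_policy(pw), "nist": nist_policy(pw)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "a" * 64):
        print(f"{candidate[:30]!r:34} {compare(candidate)}")
```

The legacy rule accepts the short, guessable "P@ssw0rd" and rejects the long passphrase; the length-based rule does the reverse.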

Contractors Working With the Department of Defense Expected to Uphold the Same Cybersecurity Standards

An updated regulation will require contractors working with the Department of Defense to match or exceed its level of cybersecurity standards. According to FedScoop, the updated regulation “requires all vendors who do business with the department to more safely guard ‘covered defense information’ that is transmitted to or stored in their systems or networks for contracted work.” More specifically, “For such information that contractors hold on their networks or systems, they must provide ‘adequate security’—at minimum complying with the National Institute of Standards and Technology’s Special Publication 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.’”