NTSC Technology Security Roundup

Weekly News Roundup: January 21, 2019

Approximately 773 Million Records Aggregated from Data Breaches Made Publicly Available

Last week, it was discovered that hackers had made publicly available a collection of records aggregated from various data breaches, containing 772,904,991 unique email addresses and 21,222,975 unique passwords. Researcher Troy Hunt, who is also a Microsoft Regional Director, helped alert the public to this breach and said, “Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totaled over 12,000 separate files and more than 87GB of data.” According to Wired, “That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size.”

Massachusetts Data Breach Notification Law Amended

Governor Charlie Baker recently signed a law that amends data breach notification law requirements for the state of Massachusetts. According to Bleeping Computer, the new law “amends the state's data breach law removing the fees imposed by credit reporting agencies for security disclosures and freezes of consumer credit reports. […] One of the most important amendments for individuals affected by data breaches is that companies will be required by law to ‘contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months.’ […] The new amendments to the Massachusetts law also forbid companies that have experienced security attacks that have led to data breaches from waiving the individuals affected by that incident to waive their right to a ‘private right of action as a condition of the offer of credit monitoring services.’” These amendments will take effect on April 11, 2019.

Palo Alto Networks Unit 42 Discovers Malware That Evades Cloud Security Detection

On Thursday, Palo Alto Networks Unit 42 reported the discovery of malware that evades detection by cloud security products. According to Unit 42, “During our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.” The Hill noted, “The report is particularly concerning as more and more private and public groups move toward using the cloud for online data storage purposes. This research indicates that the protections in place could be disabled.”

World Economic Forum Ranks Cyberattacks a Top 10 Global Risk

According to the recently released “Global Risks Report 2019” by the World Economic Forum, cyberattacks were ranked a Top 10 global risk in terms of both likelihood and impact. The report states, “Last year […] provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds. […] A large majority of respondents expected increased risks in 2019 of cyber-attacks leading to theft of money and data (82%) and disruption of operations (80%). The survey reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Global Cyber Security Market Size to surpass $300bn by 2024: Reported in MarketWatch, “The cybersecurity market is expected to grow from USD 120 billion in 2017 to USD 300 billion by 2024, according to a 2019 Global Market Insights, Inc. report.”
  • Encryption is key to protecting information as it travels outside the network: Reported in Help Net Security, “Sixty-one percent of respondents believe compliance drives the need for encryption, not users’ data protection, heightening the disconnect between encryption and security. Conversely, in order to ensure the security of files that are distributed or shared, 41 percent of companies resort to banning the use of file-sharing sites, hindering productivity and collaboration.”
  • Cyberattacks now cost businesses an average of $1.1M: Reported in TechRepublic, “The average estimated cost of a cyberattack on an enterprise was $1.1 million in 2018—up 52% from the year before, according to a [January 15] report from Radware. For companies with a formal cost calculation process, that estimate rises to $1.7 million, the report found, with the top impacts being operational/productivity loss (54%), negative customer experiences (43%), and brand reputation loss (37%).”
  • Data Abuse, AI, Live Hacking to be Major Cybersecurity Threats in 2019: According to a press release, in its newly published Annual Report, PandaLabs, Panda Security's anti-malware laboratory, predicts the seven biggest cybersecurity trends in 2019, including live hacking, digital sovereignty in security, an increase in supply chain attacks, attackers adopting AI, the discovery of new catastrophic vulnerabilities, more attacks on routers and IoT devices, and data abuse.
  • PwC’s “Digital Trust Insights” Report Reveals Lack of IoT Security Preparedness: According to PwC, “[Most] respondents (81%) say IoT is critical to at least some of their business. Only 39%, however, say they are very confident they are building sufficient ‘digital trust’ controls—security, privacy and data ethics—into their adoption of IoT. (An additional 30% say they are ‘somewhat confident.’) In addition, only 30% list IoT security among the safeguards they plan to invest in this year.”
  • Venture Capital Funding of Cybersecurity Firms Hit Record High in 2018: Report: Reported in The New York Times, “Total venture capital funding in the space totaled $5.3 billion in 2018, up 20 percent from $4.4 billion seen in 2017.”