Weekly News Roundup: January 22, 2018
Vulnerabilities Equities Process (VEP) Transparency Bill Passes House and Goes to Senate
A bill that requires more transparency about the Vulnerabilities Equities Process (VEP) recently passed the House and moved to the Senate. According to GovTech, “The bill, introduced by Democratic Rep. Sheila Jackson Lee of Texas, would require DHS to submit an annual report to Congress describing the process the federal government uses to disclose cybersecurity flaws it discovers to the private sector and other affected organizations. The bill would include information about how DHS is working with other federal agencies and managers of private cyberinfrastructure to mitigate susceptibility to cyberattacks.”
DHS Secretary Kirstjen Nielsen Supports Active Defense for Private Companies
Despite controversy and legal ambiguity, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen spoke last Tuesday about the DHS helping private companies with active defense. According to The Hill, Nielsen said, “we want to provide the tools and resources to the private sector to protect their systems. So, if we can anticipate or we are aware of a given threat — and as you know, we’ve gone to great lengths this year to work with the [intelligence] community to also include otherwise classified information with respect to malware, botnets, other types of infections — we want to give that to the private sector so that they can proactively defend themselves before they are in fact attacked.”
Bipartisan Cyber Diplomacy Act of 2017 Passes House and Moves to Senate
Sponsored by Rep. Ed Royce (R-Calif.), the bipartisan Cyber Diplomacy Act of 2017 seeks to establish an Office of Cyber Issues within the State Department. The head of the office will “serve as the principal cyber-policy official within the senior management of the Department of State and advisor to the Secretary of State for cyber issues; [and] lead the Department of State’s diplomatic cyberspace efforts generally, including relating to international cybersecurity, internet access, internet freedom, digital economy, cybercrime, deterrence and international responses to cyber threats.” According to FCW, “The Trump administration’s decision to shutter the Office of Cyber Coordinator received bipartisan criticism from members of Congress, some of whom were already concerned about White House’s inability to publicly articulate strategies to protect critical infrastructure, election systems and other sectors from cyber attacks.”
Summary of Cybersecurity Research Reports and Surveys
Many cybersecurity research reports and surveys were released last week. We’ve collected a few of the most interesting here.
- ThreatMetrix Cybercrime Report 2017: A Year in Review: “Account takeover attacks increased 170 percent, now taking place once every 10 seconds” and “Fraudulent payments increased 100 percent over the last two years.”
- Gemalto and Ponemon Institute’s 2018 Global Cloud Data Security Study: “Half of global organizations believe that payment information (54%) and customer data (49%) is at risk in the cloud” and “over half (57%) think using the cloud increases compliance risk.”
- Check Point’s Global Threat Index: “Check Point researchers found that crypto-miners managed to impact 55% of organizations globally, with two variants in the top three list of malware and ten different variants in the expanded top 100.”
- Tracking Trends in Business Email Compromise (BEC) Schemes (Trend Micro): “In May 2017, the Federal Bureau of Investigation (FBI) released a public service announcement stating that Business Email Compromise (BEC) attacks have grown into a US $5.3 billion industry. By 2018, we predict that the number will exceed $9 billion.”
Quest-Owned One Identity Acquires PAM and Log Management Company Balabit
Last Wednesday, Quest-owned identity and access management (IAM) company One Identity announced it acquired privileged access management (PAM) and log management company Balabit. According to a press release, “Balabit’s PAM solution provides protection from threats posed by high-risk, privileged accounts, while its privileged account analytics solution provides an additional layer of protection by collecting and analyzing data from privileged sessions to help identify anomalous activity.” This is One Identity’s first acquisition as an independent company.