NTSC Technology Security Roundup

Weekly News Roundup: January 28, 2019

Cybersecurity Announcements from DNI and DHS

The Director of National Intelligence (DNI) and Department of Homeland Security (DHS) made cybersecurity-related announcements last week.

  • New intel strategy stresses data collection, cyber threats: Reported in FCW, “The 2019 National Intelligence Strategy, meant to guide the nation's intelligence agencies over the next four years, puts cybersecurity and technology issues front and center. The document highlights cyberspace and emerging ‘disruptive’ technologies like AI and quantum computing as areas that intelligence agencies must invest in heavily over the coming years.”
  • DHS issues security alert about recent DNS hijacking attacks: Reported in ZDNet, “The US Department of Homeland Security (DHS) has published […] an ‘emergency directive’ that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. The emergency directive orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.”

North Carolina Seeks to Strengthen Identity Theft Protection Act

North Carolina’s Attorney General Josh Stein and State Representative Jason Saine are seeking to strengthen the state’s Identity Theft Protection Act to update what constitutes a security breach, provide quicker notification to consumers, and offer greater control to consumers over their data. According to a fact sheet, “The new definition will now include Ransomware attacks – attacks when personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the people affected and the Attorney General’s office.” Bleeping Computer notes that “Consumer reporting agencies such as Equifax will be required by the new modified law to provide four years of free credit monitoring to all individuals affected if the agency itself is breached. On the other hand, all other businesses will be asked to offer two years of free credit monitoring to all affected parties when social security numbers are also involved. The legislation update will also clarify the penalties imposed on breached organizations which fail to notify consumers or the Attorney General’s office in a timely fashion, as well as to set up reasonable security procedures prior to the breach incident.”

Congress Gives Cyber Diplomacy Act Another Go

Although it passed the House and the Senate Foreign Relations Committee last year, the Cyber Diplomacy Act of 2017 did not become law during the 115th Congress. The 116th Congress will take it up again: Rep. Michael McCaul (R-Texas) and Rep. Eliot Engel (D-New York) have reintroduced it as the Cyber Diplomacy Act of 2019. According to CyberScoop, “The Cyber Diplomacy Act would require the [State Department] to open an Office of International Cyberspace Policy, whose top official would report directly to the secretary of State or deputy secretary of State. The office’s primary goals would be to advocate democratic ideals for cyberspace and push back against Russian and Chinese effects to ‘extort more control and censorship over the internet,’ say the bill’s sponsors…”

France Fines Google $57 Million for GDPR Violation

Even before GDPR went into effect in May 2018, many data privacy experts predicted regulators would enact hefty fines against major companies to show the force of the EU regulation. As an example of this prediction coming true, France fined Google $57 million last Monday for a GDPR violation. According to Reuters, “France’s data protection watchdog fined Alphabet’s Google 50 million euros ($57 million) [last] Monday for breaching European Union online privacy rules, the biggest such penalty levied against a U.S. tech giant. The French regulator said the world’s biggest search engine lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads. […] The French authority, known for its stringent interpretation of privacy rules and for favoring a tough approach toward U.S. Internet companies, sets a record with this penalty, which could reverberate in Silicon Valley.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Microsoft remains the most impersonated brand, Netflix phishing spikes: Reported in Help Net Security, “Microsoft remains the #1 impersonated brand, receiving more than 2.3 times the number of phishing URLs than Netflix. […] Netflix phishing spiked in December (+25.7 percent), and Christmas day was the single biggest day for Netflix phishing in all of 2018.”
  • Malwarebytes' Annual "State of Malware" Report Reveals Malware Targeting Businesses Increased Nearly 80 Percent: According to a press release, “Malware authors pivoted in the second half of 2018 to target organizations over consumers, recognizing that businesses provided a bigger payoff. Overall business detections of malware rose significantly over the last year—79 percent to be exact—primarily due to the increase in backdoors, miners, spyware and information-stealers. Biggest increases came from Trojans (132 percent), riskware tools (126 percent), backdoor malware (173 percent) and spyware (142 percent).”
  • Hackers turn to data theft and resale on the Dark Web for higher payouts: Reported in TechRepublic, “Hackers are changing tactics following strengthened security from high-value targets and diminished returns from cryptojacking attacks, as values of cryptocurrencies such as Bitcoin and Monero decline, according to a report from Positive Technologies released [last] Tuesday. Attack campaigns focused on end goal of direct financial gain fell from 53% in Q1 2018 to 33% in Q3. Stealing data from financial institutions has become more difficult for attackers, who have opted to target business plans or personal communication for blackmail purposes or resale on the Dark Web.”
  • Outdated Software Exposes PC Users to Security Risks Says Report: Reported in Bleeping Computer, “Based on a sample size of 163 million computers, 55% of all programs installed on personal computers running Windows are outdated according to an Avast report, exposing their users to security risks because of unpatched vulnerabilities.”
  • Cryptomining Attacks Hit 40 percent of Enterprises in 2018 Report Finds: Reported in CBR, “Over 40 percent of organisations were affected by cryptomining attacks in 2018, a marked increase of 20 percent in comparison to 2017.”
  • New research sheds light on how IT teams should patch vulnerabilities: Reported in Silicon Republic, “[Only] 5 percent of all published CVEs (common vulnerabilities and exposures) have known exploits against them and 42.3 percent of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities are not patched within 90 days. Organisations have closed 70 percent of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organisations remediated 381 million, leaving 163 million open.”
  • Cybersecurity study reveals ‘misperceptions’ leave consumers vulnerable: Reported in VentureBeat, “Only 56.9 percent of people surveyed are taking measures that cybersecurity experts say are more critical [than updating passwords and antivirus protection], such as using two-factor authentication. Only 50.5 percent use a VPN when on public Wi-Fi, and just 50.5 percent regularly change security settings on their browsers, social media accounts, or email.”
  • Phishing Attacks Continue to Rise, Proofpoint Reports: Reported in eWeek, “83 percent of global infosecurity respondents were impacted by phishing attacks, up from 76 percent in 2017. Targeted phishing attacks known as spear phishing also were on the rise from 53 percent in 2017 up to 64 percent in 2018.”
  • Cloud Customers Faced 681M Cyberattacks in 2018: Reported in Dark Reading, “The most common cloud-focused threats leveraged known software vulnerabilities, involved brute-force and/or stolen credentials, targeted the Internet of Things (IoT), or aimed for Web applications with SQL injection, cross-site scripting, cross-site request forgery attacks, or remote file inclusion.”