NTSC Technology Security Roundup

Weekly News Roundup: October 14, 2019

Senators Concerned FTC May Weaken COPPA

On July 25, 2019, the Federal Trade Commission (FTC) requested public comment on its implementation of the Children's Online Privacy Protection Act (COPPA)—with comments due October 23, 2019. As the deadline approaches, some senators have shown concern over the FTC possibly weakening this law. According to The Hill, “A bipartisan group of senators on [October 4] sent a letter urging the Federal Trade Commission (FTC) to avoid weakening the country's children's online privacy rules as the agency works to update them. The senators, including leading voices on children's privacy such as Sen. Ed Markey (D-Mass.), urged the FTC to prioritize the interests of children as the agency updates the rules to enforce the Children's Online Privacy Protection Act (COPPA). […] Just last month, Google settled with the FTC for $170 million over charges that it has made millions of dollars from violating COPPA. Though it was a record fine under the 1998 law, some lawmakers on Capitol Hill slammed the FTC for failing to impose a harsher penalty on a company with a revenue of $136.8 billion in 2018 alone.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • DHS cyber unit wants to subpoena ISPs to identify vulnerable systems: According to TechCrunch, “Homeland Security’s cybersecurity division is pushing to change the law that would allow it to demand information from internet providers that would identify the owners of vulnerable systems, TechCrunch has learned. Sources familiar with the proposal say the Cybersecurity and Infrastructure Security Agency (CISA), founded just less than a year ago, wants the new administrative subpoena powers to lawfully obtain the contact information of the owners of vulnerable devices or systems from internet providers. CISA, which warns both government and private-sector businesses of security vulnerabilities, privately complained of being unable to warn businesses about security threats because it can’t always identify who owns a vulnerable system.”
  • The Pentagon is Standing Up a Nonprofit to Assess Vendor Cybersecurity: According to NextGov, “The Defense Department is looking to stand up a nonprofit organization to measure the strength of its contractors’ cybersecurity practices. The group would be responsible for running the vendor accreditation process under the Pentagon’s new Cybersecurity Maturity Model Certification, or CMMC. The framework, which was released in draft form last month, will serve as a yardstick for determining if contractors are taking sufficient steps to protect the sensitive military data that resides on their networks.”
  • NIST looking for partners to secure energy IoT: According to FCW, “The National Institute for Standards and Technology is looking to enter into cooperative research agreements for products and technical expertise that can secure energy-related internet-of-things devices. In a posting [on] Oct. 8 in the Federal Register, NIST is asking all interested organizations to submit letters of interest to enter a Cooperative Research and Development Agreement with the agency to ‘provide an architecture that can be referenced and develop guidance for securing [industrial IoT devices] in commercial and/or utility-scale distributed energy resource environments.’”
  • FERC cybersecurity report identifies 'potential compliance infractions': According to Utility Dive, “Federal Energy Regulatory Commission (FERC) staff have concluded that some users, owners and operators of the bulk electric system (BES) system are not properly categorizing cyber systems associated with the transmission network, potentially putting system reliability at risk. The finding was part of a staff report, released Oct. 4 advising BES entities on compliance with mandatory Critical Infrastructure Protection (CIP) standards and overall levels of cybersecurity.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Report finds cyberattacks on critical utility operating systems are increasing: Reported in The Hill, “A new study published [October 4] finds that cyberattacks on the operational technology (OT) involved in running critical utilities are increasing and says these attacks have the potential to cause ‘severe’ damage. The report, compiled by the manufacturing company Siemens and the Ponemon Institute, is based on survey responses from 1,700 utility professionals worldwide and focuses on cyber risks to electric utilities with gas, solar, or wind assets, and water utilities.”
  • Financial Companies Are Spending $1.3 Million On Average To Restore Services After Each DNS Attack: Reported in Cyware, “In the ‘2019 Global DNS threat Report,’ analysts from EfficientIP have revealed that on average, companies are suffering nearly 10 attacks a year. As a result, this has forced the companies to spend an average of around $1.3 million to restore services after each DNS attack. This indicates that institutions like banks are spending up to $13 million per year - which is an increase of 40 percent - to address DNS attacks. In 2017, financial services were paying $924,390 for a single DNS attack.”
  • Email scam attacks against healthcare targets see huge rise: Reported in ITProPortal, “Healthcare has always been an industry of interest for cybercriminals, but a new Proofpoint report argues that the criminals are taking their attacks to whole new levels. The company's latest Healthcare Threat Report says that the number of imposter emails rose 300 per cent, compared to the same period last year.”
  • 76 Percent of SMBs Based in United States Have Experienced Cyberattacks in Past 12 Months: Reported in Cyware, “Small and medium-sized businesses (SMBs) in the United States have become favorite attack targets for cybercriminals. This is evident from the latest study released by the Ponemon Institute. The report called ‘2019 Global State of SMB Cybersecurity’ has cited that around 76 percent of SMBs located in the U.S. have experienced a major cybersecurity incident in the past 12 months.”
  • Phishing attempts increase 400%, many malicious URLs found on trusted domains: Reported in Help Net Security, “1 in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75% since January. […] Phishing grew rapidly, with a 400% increase in URLs discovered from January to July 2019.”
  • Slow Response Times to Blame for Phishing Attack Success on Organizations: Reported in Cyber Defense Magazine, “[Researching] URLs in suspected phishing incidents has become a costly and time-intensive process, according to a new survey of 300-plus security decision-makers at large U.S. firms. Nearly half of all survey respondents (47%) reported URL research times of six to ten minutes or more per incident, while 24% said they averaged just three to five minutes per incident.”
  • Survey: Customers Want Cyber Education from Banks: Reported in Banking Journal, “More than 9 in 10 Americans are concerned about their security online, and 74% of consumers say they would be likely to participate in a cybersecurity education or awareness program if their bank offered it, according to a new survey conducted for bank technology firm CSI.”
  • Tripwire Survey: 93% of Cybersecurity Professionals Concerned About Cyberattacks Shutting Down Operations: According to a press release, “93% [of 263 ICS security professionals at energy, manufacturing, chemical, dam, nuclear, water, food, automotive and transportation organizations] were concerned about cyberattacks causing operational shutdown or customer-impacting downtime. In an effort to prepare against such threats, 77% have made ICS cybersecurity investments over the past two years, but 50% still feel that current investments are not enough.”
  • Global Survey Reveals How Cyber Security Teams Measure Success, Secure Budget and Minimize Stress: According to a press release, “50% of CISOs struggle to align security initiatives to business goals, 45% of CISOs can’t say how security initiatives have made a difference to their business, 45% of CISOs say [the] biggest obstacle to retaining cyber security team members is burnout/stress, [and] 48% of CISOs say showing [the] success of cybersecurity initiatives determines how budget is allocated.”