NTSC Technology Security Roundup

Weekly News Roundup: October 21, 2019

DocuSign taps United Airlines CISO to lead global trust and security team

According to a press release, DocuSign announced last Tuesday the appointment of former United Airlines CISO Emily Heath to the new role of chief trust and security officer. Heath will oversee a wide range of strategic and operational elements of DocuSign's business around the world—including information security (operations, engineering, risk and architecture), application security, trust services and physical security. Before joining DocuSign, Heath served as the CISO for United Airlines in Chicago. Prior to that role, she was the CISO at AECOM in San Francisco, held various technology and strategy leadership roles at companies in southern California, and began her career as a fraud squad detective in the UK police force. Heath is also a Board Member for LogicGate, the National Technology Security Coalition, and the Security Advisors Alliance.

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • CBO: Cyber Advisory Committee Bill Would Cost $2M to Implement: According to MeriTalk, “The Congressional Budget Office (CBO) said in an Oct. 11 report that H.R. 1975, the Cybersecurity Advisory Committee Authorization Act of 2019, would cost $2 million dollars over the next five years to implement.”
  • US senator introduces privacy bill that would jail CEOs for user privacy violations: According to ZDNet, “Sen. Ron Wyden (D-OR) announced [last Thursday] a new bill that introduces sweeping privacy protections for Americans' private information. Named the Mind Your Own Business Act (MYOBA), the bill includes clauses that will give Americans ‘an easy, one-click way to stop companies from selling or sharing their personal information’ and grants consumers the right to see how companies use and share their data. In addition, the bill goes one step further than any other user privacy legislation around the world by also introducing prison times for executives at companies that misuse user data and then lie about it to the government.”
  • Industry Wants More Legal Cover for Sharing Supply Chain Threats: According to NextGov, “Companies can’t protect their IT supply chain unless they know which vendors to avoid, but current laws discourage firms from sharing information about potential bad actors, according to industry cybersecurity experts. [Last] Wednesday, representatives from the tech and telecom industry told Congress that companies could face significant legal penalties if they voice concerns about vendors or products that they believe present cybersecurity risks. Sharing that sort of information is critical to locking down the IT supply chain, panelists said, but companies won’t do so unless the government gives them more legal cover.”
  • Privacy Law Favored by Tech Firms Gains Support Among House Democrats: According to Insurance Journal, “A group of more than 100 centrist Democratic House lawmakers is throwing its weight behind a privacy bill that has been praised by alliances of software and internet giants. […] The bill, which DelBene introduced in March, would allow consumers to opt out of the collection, storage and sharing of their data. It would require companies to get consumers to approve any use of sensitive data such as financial or health information and oblige companies to furnish ‘plain language’ privacy policies.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Top civilian cybersecurity official exiting post: According to Fifth Domain, “Kevin McAleenan, the acting secretary of the Department of Homeland Security, is leaving his post, which includes leading civilian agencies on cybersecurity and additional election security responsibilities in working with states. […] DHS’ Cybersecurity and Infrastructure Security Agency, tasked with protecting the country’s critical infrastructure from cyberattacks, spearheads the department’s cybersecurity initiatives. With the cybersecurity threat landscape expanding, sources have told Fifth Domain in the past that part of CISA’s success rests on a secretary who prioritizes cybersecurity.”
  • Why CISA wants subpoena authority to probe cyber risks: According to FCW, “Officials at the Cybersecurity and Infrastructure Security Agency have told lawmakers that there have been at least a half dozen instances over the past year where they have been unable to adequately respond to known cyber risks because they could not identify the owners of vulnerable IP addresses. The agency is pressing Congress for new administrative subpoena powers to compel internet service providers to turn over subscriber information for IP addresses associated with critical infrastructure. In a legislative proposal to Congress seen by FCW, the agency claimed the lack of such authority has left vulnerabilities unmitigated and potential victims ‘exposed.’”
  • Pentagon Receives 2,000 Comments on Vendor Cyber Certification Program: According to NextGov, “The Defense Department is less than three months away from finalizing its framework for measuring vendors’ cybersecurity practices, and industry has a lot to say about the program. Over the past six weeks, the Pentagon received more than 2,000 comments on the first public draft of the Cybersecurity Maturity Model Certification, or CMMC, according to Ellen Lord, the department’s undersecretary for acquisition and sustainment. The framework would serve as a yardstick for measuring the strength of different contractors’ digital defenses, allowing Pentagon officials to ensure vendors are appropriately protecting the sensitive military data that resides on their networks.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Healthcare cybersecurity threats rise: Reported in Health Exec, “[During] the first quarter of 2019, targeted healthcare companies saw a 300% jump in imposter emails compared to the same quarter in 2018. These emails are typically arriving in mailboxes at 7 a.m. and 1 p.m. during weekdays, the report found. Nearly all (95%) of targeted healthcare companies saw spoofed emails of their own trusted domain, specifically to target patients and business partners.”
  • Stolen Data Prices on Dark Web Slug Due to Changing Data Breach Trends: Reported in Cyware, “It now costs less than $10 for full credit details on a consumer and $50 for access to a US bank account. Over 78 percent of the illicit trade of stolen cards can be attributed to only a dozen Dark Web markets. A research report by Flashpoint suggests that the rise in data breaches over the years has adversely affected the market for stolen financial information and hacker tools on the Dark Web.”
  • Avertium Survey Indicates Two of Five Cybersecurity Professionals Say Their Company is Under-Prepared to Handle a Data Breach: According to a press release, “According to the 2019 Cybersecurity and Threat Preparedness Survey, 39 percent of respondents indicate their company is under-prepared to handle a data breach and 66 percent prefer negotiating with a used car salesperson over dealing with a breach.”
  • Survey: 56 percent of utilities have faced a cyberattack in the last year: Reported in Daily Energy Insider, “The utility industry may be more vulnerable to cybersecurity threats than previously realized, according to a new report by Siemens and the Ponemon Institute. The report, ‘Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?’, looked at how prepared utilities are for future attacks, as well as offering solutions to create a more secure power grid. […] Of those surveyed, 56 percent said they experienced at least one shutdown or operation data loss in the last 12 months, with 25 percent of respondents saying they were impacted by the powerful WannaCry or NotPetya attacks in the past two years.”
  • Employers want lawyers with tech skills: Reported in National Jurist, “More than 6 in 10 lawyers (62%) surveyed by Robert Half Legal said that their hiring decisions are influenced more by job candidates' technical abilities than their soft skills. Nearly half of survey respondents (48%) cited cybersecurity as the top area of technology in which lawyers are expected to be competent.”
  • Ponemon Study: Only 28 Percent of Enterprises Say CEO and Board Approves Acceptable Level of Cyber Risk, Demonstrating Clear Lack of Accountability: According to a press release, “63 percent of survey respondents say their IT security leadership does not report to the board on a regular basis, and 40 percent say they don’t report to the board at all; 14 percent of respondents say their IT security leadership only reports to the board following a security incident; only 28 percent of respondents say the board and CEO determines and/or approves the acceptable level of cyber risk for the organization; and only 21 percent of respondents say their board and CEO require cybersecurity due diligence in a merger and acquisition process, a critical step to minimizing the potential risk.”
  • Stolen staff data could be your biggest security weakness: Reported in ZDNet, “Researchers at cybersecurity company Terbium analyzed how companies approach security risks and found that many are underestimating the damage which could be done if employee data was stolen and leaked to the dark web or wider internet. According [to] its Underrated Risks of Data Exposure report, just 11% of those surveyed believe corporate email addresses could be at high risk of exposure on the internet and even fewer believed social security numbers, names, bank accounts and payroll records of employees are the sorts of data which cyber criminals are interested in.”
  • Huge rise in rogue banking apps driving fraud attacks: Reported in Computer Weekly, “Online fraud attacks originating from fake mobile applications that appear to be from legitimate banks almost trebled in the first six months of 2019, according to RSA’s Fraud and Risk Intelligence (FRI) team, which has just released its latest report diving into the world of online fraud campaigns.”

Thoma Bravo Makes Offer to Acquire Sophos

According to a press release, “Sophos, a global leader in cloud-enabled next-generation cybersecurity, [last Monday] announced that Thoma Bravo, a US-based private equity firm, has made an offer to acquire Sophos (LSE: SOPHOS) for $7.40 USD per share, representing an enterprise value of approximately $3.9 billion. The board of directors of Sophos have stated their intention to unanimously recommend the offer to the company’s shareholders.” Crunchbase News notes, “Both the public and private markets do have an appetite for cybersecurity companies – Crowdstrike went public in June and its shares have soared since then. Some recent late-stage cyber security rounds include SparkCognition’s $100 million Series C round earlier this month and Shape Security’s Series F last month. With investors putting capital into high-growth private cybersecurity companies and public investors cheering the flotation of Crowdstrike, it looks like a hot time for startups focused on securing our increasingly digital world.”