NTSC Technology Security Roundup

Weekly News Roundup: October 28, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • House Committee Advances Bill to Expand DHS Cyber Monitoring Program: According to NextGov, “The House Homeland Security Committee [last] Wednesday gave its stamp of approval to legislation that would significantly expand the scope of one of the government’s signature cybersecurity programs. […] Under a bill introduced last month by Reps. John Ratcliffe, R-Texas, and Ro Khanna, D-Calif., the program would become a permanent part of the agency’s cyber toolkit and receive a few upgrades to make tools easier for agencies to use. The Advancing Cybersecurity Diagnostics and Mitigation Act would also give state and local governments free access to the tools provided under the program.”
  • Democrats offer cybersecurity bill for “internet of things”: According to The Hill, “Democratic lawmakers in the House and Senate [last] Tuesday introduced legislation to increase the security of internet-connected devices. The Cyber Shield Act, sponsored by Sen. Ed Markey (D-Mass.) and Rep. Ted Lieu (D-Calif.), would establish an ‘advisory committee’ comprised of cyber experts from government, industry and academia to create ‘cyber benchmarks’ for internet-connected devices, also known as Internet of Things (IOT) devices.”
  • House bill would require IoT cybersecurity training for federal employees: According to FedScoop, “Cybersecurity training would be required of all federal employees if a bill introduced in the House by Rep. Ro Khanna, D-Calif., [last] Monday becomes law. The Internet of Things Cybersecurity Training for Federal Employees Act specifically directs the Office of Management and Budget to ensure employees understand the vulnerabilities of IoT devices.”
  • Senate passes legislation to combat “deepfake” videos: According to The Hill, “The Senate [last] Thursday passed bipartisan legislation intended to help further understand the risks posed by ‘deepfake’ videos, or those altered by artificial intelligence to change the meaning of the video. The Deepfake Report Act would require the Department of Homeland Security to publish an annual report on the use of deepfake technology that would be required to include an assessment of how both foreign governments and domestic groups are using deepfakes to harm national security. The bipartisan bill was passed by unanimous consent and now heads to the House for consideration.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • CISA to kick off “year of vulnerability management” with updated threat disclosure policy: According to Federal News Network, “CISA will open up its upcoming directive on vulnerability disclosure policy for comment in the coming months, giving agency and industry partners an opportunity to compare notes on the best way to securely share threat information. The updated vulnerability disclosure policy will help formalize the process for researchers and ethical hackers, enlisted through agency bug-bounty programs, to give agencies a heads-up about previously unknown cyber weaknesses without alerting malicious actors. The vulnerability disclosure policy will also help bolster the National Risk Management Center DHS stood up last year, which serves as a cyber threat sharing hub for government and 16 industrial sectors that own much of the critical infrastructure in the U.S.”
  • NIST to Improve MSP Cybersecurity Guidelines: According to MeriTalk, “The National Institute of Standards and Technology (NIST) is tackling managed service provider (MSP) cybersecurity by developing a customizable reference model that MSPs can adapt to fit their program needs. The first draft of the guidance, Improving Cybersecurity of Managed Service Providers, is open for public feedback until Nov. 8. Once the draft is finalized, the leaders of the project at the National Cybersecurity Center of Excellence (NCCoE) will outline solutions that align with the NIST Cybersecurity Framework and industry best practices.”
  • Fresh draft of DOD contractor cybersecurity standards coming next month: According to FedScoop, “The Department of Defense will publish the second draft of its newly created Cybersecurity Maturity Model Certification early next month. Undersecretary for Acquisition and Sustainment Ellen Lord said in a press conference that version 0.6 of the CMMC will be released for comment the first week of November.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • US ban on China tech giant faces uncertainty a month out: According to The Hill, “Concerns among U.S. lawmakers over Chinese telecom giant Huawei remain heightened one month out from a deadline by the Trump administration for American companies to stop doing business with the firm, with questions lingering about the timing of the ban itself. The Commerce Department added the firm to a prohibited ‘entity list’ in May before issuing temporary extensions through mid-August. Those were renewed again until Nov. 19, with Saturday marking the one-month deadline for companies to cut off business with the firm.”
  • Russian hackers cloak attacks using Iranian group: According to the BBC, “An Iranian hacking group was itself hacked by a Russian group to spy on multiple countries, UK and US intelligence agencies have revealed. The Iranian group - codenamed OilRig - had its operations compromised by a Russian-based group known as Turla. The Russians piggybacked on the Iranian group to target other victims.”
  • Why did Cyber Command back off its recent plans to call out North Korean hacking?: According to CyberScoop, “U.S. Cyber Command was on the verge of again publicly calling out North Korean hackers for targeting the financial sector in late September, but ultimately backed off the plan by early October, multiple sources familiar with the decision tell CyberScoop. The announcement was to be part of a Cyber Command effort to publicly share malware samples on VirusTotal, a web platform dedicated to tracking malware. Led by Cyber Command’s Cyber National Mission Force, those postings are intended to call out adversary-linked hacking in the hopes that it will deter groups from similar efforts in the future. It wasn’t clear why the decision was made to refrain from publicly posting malware samples this time around, despite the fact that Cyber Command has done so numerous times in recent months.”
  • Tech, security vendors form group to address operational technology cybersecurity risks: Reported in ZDNet, “Tech vendors including ABB, Microsoft and Fortinet are launching a cybersecurity alliance focused on operational technology to hone defenses. Operational Technology Cyber Security Alliance (OTCSA) is designed to mitigate risk and assess business impact from cyberattacks on utilities, manufacturing and oil and gas industries and physical control devices. The group is launching as operational technology operators are increasingly targeted by nation-state actors as well as cybercriminals.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Supply Chain Impersonation Attack Increased By 25% In Q2 2019, Study Finds: Reported in Cyware, “According to the FBI’s latest public service announcement, the global financial loss from impersonation attacks is more than $26 billion. New research revealed that impersonation attacks increased by 25% in the second quarter of 2019.”
  • Healthcare Organizations have Become Hotbed for Phishing Email Attacks in First Quarter of 2019: Reported in Cyware, “There has been a 300% jump in imposter emails sent to healthcare organizations during the first quarter of 2019. 77% of email attacks launched used malicious URLs.”
  • Outdated OSs Still Present in Many Industrial Organizations: Reported in Security Week, “According to the latest data from CyberX, 62% of analyzed sites house devices running outdated and unsupported versions of Windows, such as Windows XP and 2000, and the percentage jumps to 71% if Windows 7, which reaches end of support in January 2020, is also included.”
  • Lack of Diversity Persists in Cybersecurity: Reported in Infosecurity Magazine, “Last year, only 10% of survey respondents were female. This year, that percentage dropped to a measly 9%, indicating, at best, little change in the cybersecurity industry's gender imbalance. A further finding of the survey was that the majority of respondents—65%—identified as Caucasian. Asian professionals and Latino or Hispanic employees made up just 13% and 9% of respondents, respectively. Two of the most under-represented groups in the survey were people from the Middle East and African Americans, who made up just 4% and 3% of respondents, respectively.”
  • 5G and AI Expected to Bring Heightened Cybersecurity Risks, Study Finds: According to a press release, “An overwhelming majority of cybersecurity and risk management leaders believe that developments in 5G wireless technology will create cybersecurity challenges for their organizations. Their top three 5G-related concerns are greater risk of attacks on Internet of Things (IoT) networks, a wider attack surface and a lack of security by design in 5G hardware and firmware.”
  • Survey Says Quantum Computing a Cybersecurity Threat: Reported in Security Boulevard, “A survey of IT leaders from 400 organizations conducted by ReRez Research on behalf of DigiCert, a provider of encryption tools, finds 71% view the emergence of quantum computers as a threat to cybersecurity. The majority of those respondents expect quantum computers will be employed to crack encryption codes within the next three years.”
  • Tripwire Report Surveys Cybersecurity Professionals On State of ICS Security: Reported in CPO Magazine, “93% of cybersecurity professionals [said] that they were concerned about potential cyber attacks shutting down operations or leading to customer-impacting downtime.”
  • Survey: Most Enterprises Still Blame End-User Incompetence for Security Lapses: Reported in Data Center Knowledge, “‘Employees lacking security awareness’ was named as the single greatest threat to security by 50 percent of respondents. The next biggest threat, cybercriminals, was far behind at just 18 percent.”
  • Lawyers are failing at cybersecurity, says ABA TechReport 2019: Reported in ABA Journal, “Lawyers are failing on cybersecurity, according to the American Bar Association Legal Technology Resource Center’s ABA TechReport 2019. […] The survey found that the most popular security measure being used by 35% of respondents was secure socket layers, which encrypt computer communications, including web traffic. Only 27% make local data backups. Since 2018, the number of respondents reading vendor privacy policies fell from 38% to 28%. [A] mere 23% investigated a vendor’s history, even though 94% said vendor reputation mattered when deciding who to contract with.”

Cybersecurity Acquisitions

Two major cybersecurity company acquisitions were reported last week:

  • Trend Micro picks up Cloud Conformity for $70 million: Reported in ZDNet, “Trend Micro has announced the acquisition of Australian-based cloud security posture management firm Cloud Conformity for $70 million. According to Trend Micro, the acquisition will help address commonly overlooked security issues caused by cloud infrastructure misconfigurations.”
  • Sumo Logic In Talks To Acquire Cybersecurity Startup JASK: Reported in CRN, “Data analytics vendor Sumo Logic is in negotiations with JASK about purchasing the four-year-old cybersecurity startup, according to multiple sources familiar with the situation.”