NTSC Technology Security Roundup

Weekly News Roundup: October 29, 2018

Critical Infrastructure Security Vulnerabilities Highlighted During Last Week of National Cybersecurity Awareness Month

During the final week of National Cybersecurity Awareness Month, several cybersecurity experts discussed security vulnerabilities in US critical infrastructure. Some of the commentary included:

  • National Cyber Security Alliance (NCSA): As part of promoting the final week of National Cybersecurity Awareness Month, the NCSA said, “Our day-to-day life depends on the country’s 16 sectors of critical infrastructure, which supply food, water, financial services, public health, communications and power along with other networks and systems. A disruption to this system, which is operated via the internet, can have significant and even catastrophic consequences for our nation.”
  • Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House: Reported in Yahoo News, Daniel said, “The power grid has long been a target of a lot of different adversaries because of its interconnectedness, because of our dependence on it and because of the fact that it is often accessible from the internet. […] We are very vulnerable as a country, as are most countries. We have a long way to go to improve our cybersecurity and to improve our resilience, because ultimately you can never drive the risk of a cyber incident to zero. We need to be ready to respond and to recover from and to be able to operate through incidents when they occur.”
  • Joseph Weiss, managing partner of Applied Control Solutions: Reported in The Plain Dealer, Weiss said the following at a conference last Tuesday: “People who operate pumps, valves, and similar equipment are not responsible for cyber. It's network people who have never seen a pump, a valve or a turbine. There is no security in any sensor. How can you be safe if you cannot trust your sensors? […] This vulnerability is especially a concern because much of the grid equipment supports ... legacy communications protocols that were designed without security in mind, which means any attacker that can communicate with the device can control it and use its vulnerability to destroy it.”

DHS Releases “Cyber Risk Economics Capability Gaps Research Strategy” Report

Last Tuesday, DHS released a report titled “Cyber Risk Economics Capability Gaps Research Strategy.” It includes areas of interest to the NTSC including the role of government regulation, the role of law and liability, and supply chain accountability. According to a summary in NextGov, “The report doesn’t describe current government research efforts but is essentially a research game plan for public and private organizations that want to reduce economic, legal and bureaucratic barriers to improving the nation’s cybersecurity. […] Regulation-focused research topics include how government can write rules that are flexible enough to not become outdated as technology adapts and an analysis of when government’s better off facilitating industry-driven cyber standards rather than top-down regulation. Researchers should also examine possible second and third order consequences of government regulation and other interventions in the market to help policymakers contemplate whether those interventions will be worthwhile in the long run, the report states.”

NSA’s Rob Joyce Downplays Risks Related to More Offensive Cyber Deterrence Strategy

Last Tuesday at a Palo Alto Networks conference, Rob Joyce, a senior advisor at the NSA, downplayed some of the risks associated with a more offensive cyber deterrence strategy as articulated by the White House. Quoted in FCW, Joyce said, “There's the question of how often do you want everybody to get what I call free shots on goal? The ability to come in, at a time and place of their choosing, without contest, and rattle the doorknobs and probe the defenses and find out where you're strong and where you're weak. […] You can look at things like Presidential Policy Directive 20…we rewrote that recently. It was characterized at the time as ‘we've thrown out PPD-20’ and people imagined this is the Wild West where everyone can hack everything. It wasn't, it was a thoughtful rewrite that puts new process and policy in place, improving what we've done for several years based on that experience and knowledge.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Online phishing sites skyrocket in number during past year: Reported in CNET, “Analyzing data from the third quarter of last year to Q3 2018, Riskified and IntSights found a 297 percent increase in retail phishing sites.”
  • Abandoned Web Applications: Achilles' Heel of FT 500 Companies: According to research from High-Tech Bridge, US companies “have just 2.94% of web servers with an ‘A’ grade for properly implemented security hardening and configuration, mostly for security and privacy related HTTP headers. Vast majority - 76.9% - have a failing ‘F’ grade.”
  • Most consumers have cyber security concerns, but a fraction take action: Reported in ZDNet, “Almost half of consumers (46 percent) have done nothing to adjust their privacy settings on social media, and less than half (45 percent) have checked to see if their data has been compromised over the past 12 months according to a new report.”
  • Plaintext Passwords Often Put Industrial Systems at Risk: Report: Reported in SecurityWeek.com, “69 percent of industrial sites had their networks traversed by plaintext passwords. The problem is often related to the use of legacy protocols, such as SNMP and FTP, which can expose sensitive credentials and make it easier for malicious actors to conduct reconnaissance and hack systems…”
  • Security budgets are rising, but is it enough?: Reported in Help Net Security, “A majority of companies (54 percent) are worried that they will soon outgrow their security solutions, according to Threat Stack. While budgets are expected to increase by 19 percent over the next two years, organizations are struggling with a disconnect between security and DevOps and are facing difficulties in determining where to allocate this budget in the face of rapidly evolving infrastructure.”
  • State of Software Security Moving Forward Slowly, Veracode Reports: Reported in eWeek, “The state of software security in 2018 is marginally better than what it was in 2017, but there is still lots of room to improve, according to the 2018 State of Software Security report from CA's Veracode division. Among the high-level findings in the SOSS report is that 69 percent of discovered flaws were remediated or mitigated by organizations, which is a 12 percent improvement over the 2017 report.”
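The High-Tech Bridge item above grades web servers largely on security- and privacy-related HTTP response headers. The following is an added example, not code from the report, from High-Tech Bridge or from the NTSC, of what such a check looks like in practice: it parses a raw response header block and grades it on HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and cookie flags. The header names are real; the pass criteria, the letter-grade thresholds and the three sample header blocks are this example's own constructed assumptions and do not reproduce the report's methodology.

```python
"""Added example: grade an HTTP response header block on common security headers.
Not the High-Tech Bridge report's grading method; thresholds and samples are assumptions."""
from typing import Callable, Dict, List, Tuple

# Referrer-Policy values that never send the full URL to another origin (assumed "safe" set)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into lowercase name -> list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:  # skip status line and junk
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _hsts_ok(v: str) -> bool:
    # Require max-age of at least one year (31536000 s) plus includeSubDomains
    parts = [p.strip().lower() for p in v.split(";")]
    max_age = 0
    for p in parts:
        if p.startswith("max-age="):
            try:
                max_age = int(p.split("=", 1)[1])
            except ValueError:
                return False
    return max_age >= 31536000 and "includesubdomains" in parts


def _csp_ok(v: str) -> bool:
    # Require a default-src, no bare wildcard source, and no 'unsafe-inline' for scripts
    directives: Dict[str, List[str]] = {}
    for d in v.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = [s.lower() for s in parts[1:]]
    if "default-src" not in directives:
        return False
    if any("*" in srcs for srcs in directives.values()):
        return False
    script_srcs = directives.get("script-src", directives["default-src"])
    return "'unsafe-inline'" not in script_srcs


def _cookies_ok(vals: List[str]) -> bool:
    # Every Set-Cookie must carry Secure and HttpOnly; no cookies at all passes vacuously
    for v in vals:
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            return False
    return True


# (header name, human-readable requirement, predicate over all values of that header)
CHECKS: List[Tuple[str, str, Callable[[List[str]], bool]]] = [
    ("strict-transport-security", "HSTS with max-age >= 1 year and includeSubDomains",
     lambda vals: any(_hsts_ok(v) for v in vals)),
    ("content-security-policy", "CSP with default-src, no wildcard, no 'unsafe-inline' scripts",
     lambda vals: any(_csp_ok(v) for v in vals)),
    ("x-content-type-options", "X-Content-Type-Options: nosniff",
     lambda vals: any(v.lower() == "nosniff" for v in vals)),
    ("x-frame-options", "X-Frame-Options: DENY or SAMEORIGIN",
     lambda vals: any(v.upper() in ("DENY", "SAMEORIGIN") for v in vals)),
    ("referrer-policy", "Referrer-Policy that does not leak the full URL cross-origin",
     lambda vals: any(v.lower() in SAFE_REFERRER for v in vals)),
    ("set-cookie", "Secure and HttpOnly on every Set-Cookie", _cookies_ok),
]


def grade(passed: int, total: int) -> str:
    """Letter grade from the fraction of checks passed (thresholds are assumed)."""
    ratio = passed / total
    if ratio == 1.0:
        return "A"
    if ratio >= 0.8:
        return "B"
    if ratio >= 0.6:
        return "C"
    if ratio >= 0.4:
        return "D"
    return "F"


def evaluate(raw: str) -> Tuple[str, List[str]]:
    """Return (grade, list of failed requirement descriptions) for a header block."""
    headers = parse_headers(raw)
    failed = [desc for name, desc, ok in CHECKS if not ok(headers.get(name, []))]
    return grade(len(CHECKS) - len(failed), len(CHECKS)), failed


# Constructed sample header blocks (not captured from any real site)
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.example.test; object-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax
"""
WEAK = """HTTP/1.1 200 OK
Server: Apache/2.2.15
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=deadbeef; path=/
"""
MIXED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, block in (("hardened", HARDENED), ("weak", WEAK), ("mixed", MIXED)):
        g, failed = evaluate(block)
        print(f"{label}: grade {g}; failed: {failed}")
```

The point of the abandoned-application finding is that the weak block above is what an unmaintained server typically returns: version banners and a session cookie, but none of the hardening headers. Running the checker over an inventory of your own hosts is a cheap way to find those servers before someone else does.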

Check Point Software to Acquire Israeli-Based Dome9

According to a press release, Check Point acquired Israeli-based Dome9. Check Point says, “This acquisition enhances Check Point’s fully consolidated Infinity architecture and its Cloud Security offering with advanced active policy enforcement and multi-cloud protection capabilities.” Founded in 2011, Dome9 enables security and compliance for rapid public cloud adoption. Dome9 customers use its platform to secure multi-cloud deployments across Amazon AWS, Microsoft Azure and Google Cloud. The company provides significant cloud-native security capabilities including intuitive visualization of security posture, compliance and governance automation, privileged identity protection, and cloud traffic and event analysis.