NTSC Technology Security Roundup

Weekly News Roundup: October 7, 2019

House Passes Cybersecurity Vulnerability Remediation Act

On September 26, the US House of Representatives passed the Cybersecurity Vulnerability Remediation Act. The bill would require the Director of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security to submit to the House Committee on Homeland Security and the Senate Committee on Homeland Security and Governmental Affairs a report on how the Agency is coordinating vulnerability disclosures, including disclosures of cybersecurity vulnerabilities, and to disseminate actionable protocols to mitigate cybersecurity vulnerabilities. SC Media also notes that “the proposed act would also include a section stating that the DHS’ under secretary for science and technology and CISA’s director may establish a competitive incentives program to encourage the private sector, individuals, academic institutions and other key players to create remediation solutions for cyber vulnerabilities.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • NSA Launches New Cybersecurity Directorate: According to a press release, “Under the new Cybersecurity Directorate — a major organization that unifies NSA’s foreign intelligence and cyberdefense missions — NSA will work to prevent and eradicate threats to national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of our weapons’ security. The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity.”
  • The lack of cybersecurity talent is ‘a national security threat,’ says DHS official: According to TechCrunch, “One of the most senior officials tasked with protecting U.S. critical infrastructure says that the lack of security professionals in the U.S. is one of the leading threats to national cybersecurity. Speaking at TechCrunch Disrupt SF, Jeanette Manfra, the assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said that the agency was making training for new cybersecurity professionals a priority. ‘It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector,’ said Manfra. ‘We have a massive shortage that is expected [to] grow larger.’”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • U.S. Steps Up Scrutiny of Airplane Cybersecurity: According to the Wall Street Journal, “Concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airliners’ vulnerability to hacking. The revived program, led by the Department of Homeland Security and involving the Pentagon and Transportation Department, aims to identify cybersecurity risks in aviation and improve U.S. cyber resilience in a critical area of public infrastructure, a DHS official said. DHS is offering few details on the program but says it will involve some limited testing of actual aircraft.”
  • Report: Nation state hackers and cyber criminals are spoofing each other: According to ZDNet, “Nation-state hackers and cyber criminals are increasingly impersonating each other to try and hide their tracks as part of advanced attack techniques says Optiv Security in its 2019 Cyber Threat Intelligence Estimate report. The top industries being targeted are retail, healthcare, government and financial institutions. Cryptojacking and ransomware are new exploits that join the traditional list of computer threats from botnets, Denial-of-Service (DDoS), phishing, and malware.”
  • U.S. Warns Cybersecurity Flaws Could Impact Medical Devices: According to Bloomberg (via Yahoo! Finance), “U.S. government officials [last] Tuesday issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices. Computer security researchers discovered 11 vulnerabilities that could allow a hacker to take control of medical devices, the U.S. Food and Drug Administration warned in an ‘urgent’ advisory along with the Department of Homeland Security.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Rogue fears rise inside corporations as hacks evolve into ‘home invasions’: Reported in CNBC, “The percentage of technology executives who said state-sponsored cyberwarfare was the most dangerous cyberthreat their company faced declined from 38% to 26% in the third-quarter 2019 CNBC Technology Executive Council survey. But concerns about rogue employees rose, from 14% to over 18% of executives citing it as the biggest danger. And for the first time, rogue vendors showed up in the results, with near-6% of tech executives saying this was their biggest cyberthreat.”
  • Ransomware's mounting toll: Delayed surgeries and school closures: Reported in CBS News, “A new study documents 621 [ransomware] cyberattacks this year, including incidents that closed public schools and delayed surgeries as administrators sought to respond to the threats. The costs could be upwards of $186 million, based on the publicly disclosed costs of ransomware attacks, according to cybersecurity firm Emsisoft, which issued the report [last] Tuesday.”
  • Cybersecurity Programs Shown to Have Tangible Value in M&A Assessments: According to a press release, “77% of M&A experts have recommended one acquisition target over another based on the strength of a cybersecurity program; 57% of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process; Nearly half (49%) indicated that they had witnessed a merger or acquisition agreement fall through as a result; [and] 52% of respondents indicated that the share value of publicly-traded clients has been negatively affected as a result of an acquired company's post-acquisition data breach.”
  • Report: Cyber Criminals Target More Firms in Search of Bigger Paydays: Reported in NextGov, “In a report published [last] Tuesday, researchers at the cybersecurity company CrowdStrike said some 61% of the malicious campaigns they uncovered during the first half of 2019 were conducted by cyber criminals, while the other 39% were launched by state-sponsored actors. That represents a sharp spike from last year, when online criminals were responsible for only about one-quarter of targeted intrusion campaigns, they said.”
  • More than 60% of spam activities originate from US, Russia, Ukraine: Data61: Reported in ZDNet, “Spamming activities that originated from the United States, Russia, and Ukraine collectively contributed to more than 60% of all spam activities between 2007 to 2017, according to new cybersecurity insight developed by researchers from CSIRO's Data61.”
  • Nearly 60% of businesses suffered a data breach in the past 3 years: Reported in TechRepublic, “[A] recent Bitdefender study outlined the cybersecurity conditions of infosecurity companies across the globe. The report found that cybersecurity breaches persist: 57% of companies have experienced a breach in the past three years, and 24% have already suffered a breach halfway through 2019.”
  • CSI Survey: Vast Majority of Consumers Eager for Cybersecurity Education: According to a press release, “Nearly three-quarters of consumers (74%) would be likely to participate in a cybersecurity awareness or education program from their financial institution if they offered it, according to a recent survey conducted by The Harris Poll on behalf of Computer Services, Inc. (CSI) (OTCQX:CSVI). The survey also found that an overwhelming majority of consumers (92%) have concerns about the security of their personal confidential data online.”
  • Most Fortune 500 companies still opaque about security measures: Reported in TechRepublic, “[Nearly] 40% of the companies on the 2019 Fortune 500 do not have a chief information security officer and of those, only 16% have another executive that is listed as responsible for cybersecurity strategy. Of the 62% of companies that do have a chief information security officer, just 4% have them listed on their company leadership pages. Almost 80% of the companies make no indication on their websites of who is responsible for their security strategy.”
  • Many organizations are careless with sensitive paper documents. It's increasing the risk of data breaches: Reported in Fierce IT Healthcare, “Seven in 10 managers at healthcare organizations have seen or picked up documents containing confidential or sensitive information left in the printer. Close to two-thirds (63%) say they are concerned their employees or contractors have printed and left behind a document that could lead to a data breach, according to a survey by the Ponemon Institute.”
  • Independent Market Survey Reveals in the Last Year 64% of ERP Deployments Have Been Breached: Reported in ERP Solutions Review, “Amid the 64 percent of enterprises that have experienced breaches of large ERP platforms in the last 24 months, reported compromised information includes sales data (50 percent), HR data (45 percent), customer personally identifiable information (41 percent), intellectual property (36 percent) and financial data (34 percent).”