NTSC Technology Security Roundup

Weekly News Roundup: November 11, 2019

Federal and State Legislative Cybersecurity News Update

Here, we’ve provided a roundup of federal and state legislative cybersecurity news stories from last week.

  • Senators introduce cybersecurity workforce expansion bill: According to The Hill, “Four members of the Senate Commerce, Science and Transportation Committee from both sides of the aisle introduced a bill [last] Tuesday to expand America's cybersecurity workforce. The Harvesting American Cybersecurity Knowledge through Education Act would enhance existing science education and cybersecurity programs in the National Institute of Standards and Technology, National Science Foundation, National Aeronautics and Space Administration, and Department of Transportation. It would do so by incentivizing the recruitment of educators in the field, designing clear paths for professionals and increasing coordination between the agencies listed above.”
  • DOE, Senate Energy Committee Line Up on Power Grid Cyber Legislation: According to MeriTalk, “The Department of Energy (DOE) supports legislative efforts in Congress to fund more investment in power grid cybersecurity nationwide, DOE Assistant Secretary Daniel Simmons testified at a Nov. 6 Senate Subcommittee on Energy hearing about current legislation. The subcommittee discussed 11 pending bills – including the Protecting Resources on the Electric Grid with Cybersecurity Technology (PROTECT) Act of 2019 and the Advanced Research Projects Agency–Energy (ARPA-E) Reauthorization Act – that are focused on preparing the Federal government for new strides in energy innovation. Subcommittee members and DOE highlighted the importance of public-private partnerships in reaching the goal of better securing the U.S. power grid.”
  • Texas Updates Data Breach Notification Requirements: According to The National Law Review, “Effective January 1, 2020, the Texas legislature will impose new notification requirements on businesses that maintain personal information of customers. House Bill 4390 amends the Texas Identity Theft Enforcement and Protection Act by requiring that Texas residents be notified of a data security breach within sixty (60) days of the determination that a breach has occurred.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • CISA Releases Cyber Essentials for Small Businesses and Governments: According to a press release last Wednesday, “[The] Cybersecurity and Infrastructure Security Agency (CISA) released its Cyber Essentials, a starting point for small businesses and government agencies to understand and address cybersecurity risk as they do other risks. Developed in collaboration with small businesses and state and local governments, Cyber Essentials aims to equip smaller organizations that historically have not been a part of the national dialogue on cybersecurity with basic steps and resources to improve their cybersecurity. Cyber Essentials includes two parts – guiding principles for leaders to develop a culture of security, and specific actions for leaders and their IT professionals to put that culture into action.”
  • Department of Energy closely watching DOD’s JEDI implementation: According to FedScoop, “The Department of Defense’s adoption of commercial cloud through the Joint Enterprise Defense Infrastructure program won’t just affect the military services and defense support agencies. The Department of Energy is closely watching the Pentagon’s JEDI implementation to see how it may change the way the two interact when sharing information, said Karen Evans, assistant secretary for the Office of Cybersecurity, Energy Security, and Emergency Response (CESER). […] Other federal agencies, like the intelligence and law enforcement communities, are also likely watching DOD’s implementation of JEDI, both for partnership and information sharing purposes but also to learn lessons in what’s positioned to be a massive migration — worth up to $10 billion over 10 years with contract extensions.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New Study: Hospital Breaches Could Be Killing Patients: Reported in Infosecurity Magazine, “Data breaches at hospitals appear to be having a serious impact on patient care, increasing mortality rates for years after an incident, according to new research. […] What they found was shocking: an increase in 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. Mortality rates apparently continued to rise for about three years after a breach before tapering off.”
  • Healthcare Data Breaches Cost Industry $4 Billion by Year's End, 2020 Will Be Worse Reports New Black Book Survey: According to a press release, “Hospital systems expenditure on protections as part of IT budgets increased 6% year-to-year but physician organization cybersecurity spend has decreased since 2018, and 92% lack full-time security staff.”
  • Cybersecurity: Under half of organizations are fully prepared to deal with cyberattacks: Reported in ZDNet, “Only 49% of CISOs and other senior executives are fully confident that their organization could deal with the fallout of a hacking incident or data breach right now, and most think the threat from cyberattacks will get worse.”
  • Fewer than half of cybersecurity professionals have a plan in place to deal with IoT attacks, despite the fact that ninety percent worry about future threats: Reported in Dark Reading, “Fewer than half (47%) of cybersecurity professionals have a plan in place to deal with attacks on their IoT devices and equipment, despite the fact that nine out of ten express concerns over future threats, according to new research from the Neustar International Security Council (NISC).”
  • Cybercriminals are testing exposed credentials for future account takeover attacks: Reported in Help Net Security, “Fraud increased 30% overall in Q3 2019 and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the holiday retail season, according to Arkose Labs.”
  • Employees know vulnerabilities exist, but they can’t resolve them quickly enough: Reported in Help Net Security, “There is a sharp remediation gap between when organizations first detect vulnerabilities and when those issues are ultimately resolved, [an] Adaptiva survey reveals. The survey also found that companies overwhelmingly do not have the staff to handle today’s security demands, and leveraging current vulnerability management tools is one of their greatest cybersecurity challenges.”
  • Gurucul-Cybersecurity Insiders Survey Finds Nearly Half of Companies Can’t Respond to Insider Threats Until it’s Too Late: According to a press release, “[Nearly] half of the companies surveyed for the 2020 Insider Threat Report are unable to remediate insider threats until after data loss has occurred. The Cybersecurity Insiders and Gurucul study found that lack of visibility into anomalous activity, especially in the cloud, and manual SIEM workloads have increased the risk of insider threats for organizations and prevent many from detecting and stopping data exfiltration.”
  • Cybersecurity workforce must grow 145% to close talent gap: Reported in HR Dive, “To fill the talent gap for cybersecurity experts, the cybersecurity workforce would need to grow 145%, according to (ISC)², a membership association for cybersecurity professionals. The 2019 (ISC)² Cybersecurity Workforce Study estimated that an additional 4.07 million trained professionals will be needed.”
  • AI Stats News: Humans Plus AI 20X More Effective In Cybersecurity Defense Than Traditional Methods: Reported in Forbes, “Combining cybersecurity talent and AI-enabled technology results in 20x more effective attack surface coverage than traditional methods; using AI accelerates by 73% the time to evaluate the breach-worthiness of a vulnerability; by augmenting humans with AI, companies are able to find and close critical vulnerabilities 40% faster, reducing the vulnerability risk window; organizations that have utilized an augmented approach to security testing for two or more years are up to 200% stronger against cyber attacks than they were in their first year.”
  • Cybersecurity Executives Say Cost of Security Reasonable: Reported in OODA Loop, “A majority (57%) of IT security decision makers across the globe think that cybersecurity solutions are reasonably priced considering the value they provide, a new survey by FireEye indicates. In addition, a quarter (25%) of respondents said cybersecurity is inexpensive, while only 18% consider it to be expensive.”

Proofpoint Enters into Definitive Agreement to Acquire ObserveIT for $225 Million in Cash

According to a press release, Proofpoint has entered into a definitive agreement to acquire ObserveIT, an insider threat management platform. Closing of the transaction is expected to occur late in the fourth quarter of 2019. With this acquisition, Proofpoint will extend its data loss prevention (DLP) capabilities by adding endpoint coverage to its existing email, CASB, and data-at-rest channels, forming an enhanced enterprise DLP offering. ZDNet notes, “Founded in 2006, ObserveIT specializes in endpoint security and insider threat detection. Catering for 1,900 customers in 87 countries, ObserveIT provides solutions for real-time enterprise network management, alerts when suspicious behavior is detected, and also assists firms in cybersecurity-related legal compliance.”