NTSC Technology Security Roundup

Weekly News Roundup: November 12, 2018

DHS Signals Need to Share Critical Infrastructure Training with More People

Two weeks ago, the DHS’s new National Risk Management Center began meeting with three of its 16 identified critical infrastructure sectors. Those sectors will need training that reaches thousands, not hundreds, of people, as an RFI from DHS indicates. According to NextGov, “The department is seeking a video conferencing service that it can use to provide cybersecurity webinars to 5,000 or more critical infrastructure operators simultaneously… […] Homeland Security already provides training webinars on a variety of cyber topics to critical infrastructure owners as well as to state and local governments using the Adobe Connect tool, but the current system can’t serve more than 500 simultaneous attendees, the contracting document states.” This RFI shows that DHS is seriously planning to engage more with critical infrastructure companies in the United States.

US Cyber Command Promotes More Cyber Threat Intelligence Sharing and Transparency with New Malware Initiative

Over the past few years, the NTSC has tracked and discussed efforts by the federal government to improve cyber threat intelligence sharing. Taking a step in that direction, the Cyber National Mission Force (a unit subordinate to U.S. Cyber Command) said in a press release that it had “posted its first malware sample to the website VirusTotal. Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.” The CNMF also set up a Twitter feed that will “highlight when #CNMF posts malware samples to VirusTotal.” Quoted in Threatpost, Tom Kellermann (Chief Cybersecurity Officer at Carbon Black) said, “This is a huge leap forward for the cybersecurity community. For too long, the U.S. has overclassified cyber threat intelligence. This empowers the cybersecurity community to mobilize on clandestine threats in real time, thus aiding the U.S. government in protecting and securing American cyberspace.”

Eaton Researcher Warns About Side-Channel Attacks on Industrial Control Systems

According to SecurityWeek.com, “Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations. Side-channel attacks can be used to extract data from a system based on information gained by observing its physical implementation. There are several side-channel attack methods, but Andreou’s research looked at timing and power analysis attacks. […] A malicious actor could cause the system to fail or have it send false data back to its operator. These devices are distributed and they are controlled by a master system. Incorrect readings from one device can have repercussions for a different part of the network. […] Power analysis attacks can pose a serious threat because they are practically impossible to detect, as an attacked device could seemingly continue performing its normal operations even after it has been compromised…” (Last year, the NTSC published an article from Georgia Tech’s Dr. Raheem Beyah titled “Ransomware for Industrial Control Systems–the Next Frontier?” that also addresses ICS security concerns.)

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Enterprises Sinking Under 100+ Critical Flaws Per Day: Reported in Infosecurity Magazine, “Enterprises are forced to deal with an estimated 100+ critical vulnerabilities each day, with Flash and Microsoft Office accounting for the majority of top app flaws, according to new research from Tenable. […] It predicted that the industry is set to disclose 19,000 new vulnerabilities this year, up 27% from last year — although other estimates put the 2017 figure at nearly 20,000.”
  • Despite Fraud Awareness, Password Reuse Persists for Half of U.S. Consumers: Reported in Threatpost, “Despite almost half of U.S. consumers (49 percent) believing their security habits make them vulnerable to information fraud or identity theft, 51 percent admit to reusing passwords/PINs across multiple accounts such as email, computer log in, phone passcode and bank accounts.”
  • Formjacking: Major Increase in Attacks on Online Retailers: According to Symantec, “Symantec has seen a major uptick in formjacking attacks recently, with publicly reported attacks on the websites of companies including Ticketmaster, British Airways, Feedify, and Newegg by a group called Magecart being the most notable examples. […] Formjacking is not a new technique, but recent campaigns are interesting as they are large, sophisticated, and have increased dramatically since mid-August 2018.”
  • Hackers are increasingly destroying logs to hide attacks: Reported in ZDNet, “[According] to [a recent] Carbon Black report, 72 percent of all its partner IR professionals saw counter-IR operations in the form of destruction of logs, which appears to have become a standard tactic in the arsenal of most hackers.”
  • Users Stop Engaging With Brands After Data Breaches, Report Finds: Reported in eWeek, “According to the Ping Identity 2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era, 78 percent of consumers reported they would stop engaging with a brand online after a data breach.”

Threat Stack Announces Acquisition of Runtime Application Security Vendor, Bluefyre

According to a press release, cloud infrastructure security company Threat Stack announced last Thursday that it acquired application security vendor Bluefyre “to deliver full stack security observability from the control plane to the application layer. With the addition of Bluefyre, Threat Stack will empower developers to build secure, cloud-native applications that can detect and prevent threats at runtime, including applications running on Kubernetes. […] By adding the application layer to its existing cloud infrastructure security capabilities, Threat Stack will enable its customers to truly integrate development, security, and operations into a completely unified DevSecOps program.” The Bluefyre team will be based in Threat Stack’s Boston headquarters.