NTSC Technology Security Roundup

Weekly News Roundup: November 19, 2018

Cybersecurity and Infrastructure Security Agency Act of 2018 Signed Into Law

Last Friday, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. According to DHS, “This landmark legislation elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency (CISA).” CISA’s webpage describes its mission as “protecting the Nation’s critical infrastructure from physical and cyber threats. This mission requires effective coordination and collaboration among a broad spectrum of government and private sector organizations.” CISA’s areas of focus include proactive cyber protection, infrastructure resilience, and emergency communications. In a tweet, Rep. Michael McCaul (R-Texas) said: “#CISA has become public law thanks to the hard work of many! I want to especially thank @POTUS, @SecNielsen, @CISAKrebs, and our partners @DHSgov for their overwhelming support in making this longstanding goal of mine a reality. ‘Defend today, secure tomorrow.’ - @CISAgov”.

Pentagon Cybersecurity News Roundup

We’ve rounded up a few news items from last week related to the Pentagon and cybersecurity:

  • Pentagon, Homeland Security Helping Private Companies Defend Against Cyber Threats: According to Roll Call, “The Pentagon and the Department of Homeland Security reached an agreement in the weeks before the midterm elections to jointly defend the United States against strategic cyber threats, including offering assistance to private companies, top officials from both agencies told lawmakers [last] Wednesday.”
  • Pentagon cyber official warns U.S. companies against 'hacking back': According to The Hill, “A top cyber official at the Defense Department [last] Tuesday urged companies to refrain from ‘hacking back’ when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace.”
  • Pentagon Researchers Test 'Worst-Case Scenario' Attack on U.S. Power Grid: According to NextGov, “The Defense Advanced Research Projects Agency exercise, which took place from Nov. 1 to Nov. 7, was fictional, but it was designed to mimic all the hurdles and uncertainty of a real-world cyberattack that took out power across the nation for weeks on end – a scenario known as a ‘black start.’ To add realism, the exercise took place on Plum Island, a federal research facility off the north fork of Long Island, where DARPA researchers were able to segregate a portion of the island on its own electric grid.”

GSA Proposes New Data Breach Notification Rules for Government Contractors

In response to cybersecurity risks in the federal government supply chain, the General Services Administration (GSA) has proposed new data breach notification rules for government contractors. According to a GSA document, “The General Services Administration (GSA) is proposing to amend the General Services Administration Acquisition Regulation (GSAR) to provide requirements for GSA contractors to report cyber incidents that could potentially affect GSA or its customer agencies. […] The rule establishes a contractor’s responsibility to report any cyber incident where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.” Worthy of note is the access required by GSA and agencies: “[The] rule clarifies both GSA's and ordering agencies’ authority to access contractor systems in the event of a cyber incident. It also establishes the role of GSA in the cyber incident reporting process and explains how the primary response agency for a cyber incident is determined. Further, it establishes the requirement for contractors to preserve images of affected systems and ensure contractor employees receive appropriate training for reporting cyber incidents.” NextGov notes that the rule was likely spurred by past cybersecurity incidents involving government contractors.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Law firms are increasingly investing in cybersecurity programs: Reported in Help Net Security, “[Law] firms are increasingly investing in cybersecurity programs, but most law firms are not implementing many of the protocols that will comprehensively protect them and their clients over time. […] Fifty-four percent of law firms report being audited by one or more clients at least once – a 13% increase since the last scorecard.”
  • Study finds medical device security pros may have false sense of security: Reported in SC Magazine, “The 2018 Zingbox Second Annual Connected Medical Device Survey sought input from more than 200 healthcare IT professionals and 200 clinical and biomedical engineers and found 87 percent of healthcare IT professionals are ‘confident’ that their connected medical devices are protected in the event of a cyberattack. The survey also found this confidence is based on the prevailing misconception that traditional IT security solutions can adequately secure connected medical devices.”
  • Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study: 59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks: According to a press release, “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent -- up 5 percent over last year’s study and a 12 percent increase since 2016. What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months.”
  • Venafi Survey: Majority of Security Pros Say Government Officials Should Complete Basic Cyber Security Training: According to a press release, “88 percent of respondents believe all government officials should be required to complete a basic cyber security training course. In addition, 66 percent believe governments should not be able to force technology companies to grant them access to encrypted user data.”
  • Ransomware attacks see huge year-on-year rise: Reported in TechRadar, “[SonicWall] detected a 44 percent increase in the amount of malware infecting users' machines between January and October of this year. At the same time, ransomware […] saw a 117 per cent jump during the same period.”
  • Employees’ cybersecurity habits worsen, survey finds: Reported in WeLiveSecurity, “Three in every four respondents admitted to reusing passwords across accounts. In the survey’s 2014 edition, the same was true for ‘only’ 56% of the employees.”
  • 60% of firms believe a major security event will hit in the next few years: Reported in Help Net Security, “Only 30 percent of 1,250 senior executives, management and security practitioners in the U.S., U.K. and Canada are confident their business will avoid a major security event in the coming two years and 60 percent believe an attack will hit in the next few years, according to eSentire.”
  • Misconfiguration a Top Security Concern for Containers: Reported in SecurityWeek.com, “Thirty-five percent of respondents to a new survey believe their company does not adequately invest in container security, while a further 15% don't think their company takes the threat to containers seriously.”
  • U.S. Chip Cards Are Being Compromised in the Millions: Reported in ThreatPost, “A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.”
  • Workers unaware of travel-related cybersecurity threats, survey finds: Reported in ZDNet, “A little over three-quarters (77 percent) of workers say they connect to free or public WiFi while traveling. Some 63 percent will use public WiFi to access work emails and files.”

Cybersecurity Acquisition News

Last Friday, BlackBerry announced it had entered into a definitive agreement to wholly acquire Cylance, an artificial intelligence and cybersecurity company, for $1.4 billion. According to a press release, “Cylance is a pioneer in applying artificial intelligence, algorithmic science, and machine learning to cybersecurity software that has proven highly effective at predicting and preventing known and unknown threats to fixed endpoints.” And, although not officially announced, Reuters reported last Monday that “Israeli cyber surveillance company NSO Group is in talks to buy Fifth Dimension, a start-up chaired by former Israel Defence Forces Chief of Staff Benny Gantz, Israeli media reported [last] Monday. Fifth Dimension has developed technology to assist police investigators in solving cases.”