NTSC Technology Security Roundup

Weekly News Roundup: November 27, 2017

Uber’s Data Breach Catches Attention of FTC and Congress

Uber’s recent disclosure of a data breach that occurred in October 2016 is catching the attention of the FTC and Congress. Bloomberg reported that 57 million Uber users (50 million passengers and 7 million drivers) had some personal information compromised. Uber paid the hackers $100,000 in ransom and kept the data breach quiet until now. After members of Congress urged the FTC to investigate, the FTC said on Wednesday that it was “closely evaluating the serious issues raised.”

We’ve included a collection of articles about the Uber data breach.

Joint ESG / ISSA Report Shows Correlation Between Cybersecurity Talent Shortage and Security Incidents

A recent joint report from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) titled “The Life and Times of Cybersecurity Professionals” shows a direct correlation between the ongoing cybersecurity talent shortage and security incidents. Summarized by CSO, the report pointed out the following four root causes of security incidents:

  • “31 percent [of respondents] say a lack of training for non-technical employees.”
  • “22 percent say the cybersecurity team is not large enough for the size of their organization.”
  • “20 percent say business and executive management tend to treat cybersecurity as a low priority.”
  • “18 percent say the existing cybersecurity team can’t keep up with the workload.”

Different Research Reports Indicate Big Criminal Profits and Devastating Costs to Companies from Ransomware

A recent research report from Bitdefender (summarized by Cyberscoop) says that criminals will make $2 billion from ransomware in 2017—an increase from $1 billion in 2016 and $24 million in 2015. Another report looks ahead to the cost for companies. Citing research by Cybersecurity Ventures, CSO reports that “ransomware damages will cost the world $5 billion in 2017 and climb to $11.5 billion in 2019. Those figures are up from just $325 million in 2015.” Cybersecurity Ventures says that “there will be a ransomware attack on businesses every 14 seconds by the end of 2019. This does not include attacks on individuals, which occurs even more frequently than businesses.”

Supreme Court to Consider Case that May Eventually Require Warrants to Access Mobile-Phone Location Data

Currently, law enforcement agencies do not need a warrant to access location data from mobile-phone towers. That may change in a case that the Supreme Court will hear on Wednesday and decide upon next June. According to Bloomberg, “The case could have a far-reaching impact. Prosecutors seek phone-location information from telecommunications companies in tens of thousands of cases a year. […] Beyond location data, the case has implications for the growing number of personal and household devices that connect to the cloud -- including virtual assistants, smart thermostats and fitness trackers.”

Cyberscoop Reports Difficulties and High Costs with AIS Signups

The Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) program is supposed to facilitate the sharing of cyber threat indicators between the public and private sectors. However, Cyberscoop recently reported on problems with the program, including logistical hurdles for companies signing up and the high costs of receiving the information (which the federal government does not reimburse). According to an anonymous executive quoted in the article, “You have to negotiate a special deal, which means lawyers’ time. You have to buy and install special equipment … You need people working on it … When you add it all up, it was a six-figure proposition with no [return on investment] you can show on a balance sheet … Try explaining that the board…”