NTSC Technology Security Roundup

Weekly News Roundup: November 27, 2018

DoD and DHS News Roundup

Despite a Thanksgiving holiday week, the Department of Defense (DoD) and Department of Homeland Security (DHS) stayed in the news with several cybersecurity-related stories:

  • Defense, Homeland Security Secretaries Spearhead Cyber Cooperation Agreement: Reported in NextGov, “Homeland Security Secretary Kirstjen Nielsen and Defense Secretary Jim Mattis [recently] spearheaded an agreement […] about how their agencies will work together on future cybersecurity challenges, Homeland Security Undersecretary Chris Krebs said... […] Officials from the Pentagon and Homeland Security’s cyber strategy and operations division met to hammer out high-level details of that cooperation and to sign the memorandum of understanding…”
  • $1B Department of Defense Audit Stresses Cybersecurity Failings: Reported in GovTech, “The Defense Department has spent nearly $1 billion on its first agencywide audit, which has revealed widespread problems with cybersecurity, Pentagon officials said [on November 15]. […] [The] audit, which began in December 2017, revealed many issues including inventory accuracy and complying with cybersecurity discipline.”
  • DHS Aims to ID Critical Functions to Protect from Cyberattacks by Year’s End: Reported in NextGov, “The Homeland Security Department hopes to complete before the end of this year a list of the nation’s most vital functions that must be protected against cyberattacks, the department’s top cyber official said [on November 16]. Once those ‘critical functions’ are identified, Homeland Security will work with federal research facilities and other organizations to map out which of those functions are most vital and how they rely on each other, said Chris Krebs, director of Homeland Security’s newly authorized Cybersecurity and Infrastructure Security Agency.”

Two Major Postal Data Breaches

Last week, two major data breaches affected both the mail itself and a company that relies heavily on it:

  • USPS Site Exposed Data on 60 Million Users: According to Krebs on Security, “U.S. Postal Service [recently] fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.”
  • Amazon admits it exposed customer email addresses, but refuses to give details: Reported in TechCrunch, “Amazon emailed users [last] Tuesday, warning them that it exposed an unknown number of customer email addresses after a ‘technical error’ on its website. When reached for comment, an Amazon spokesperson told TechCrunch that the issue exposed names as well as email addresses. […] The company denies there was a data breach of its website or any of its systems, and says it’s fixed the issue, but dismissed [TechCrunch’s] request for more info including the cause, scale and circumstances of the error.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Losses from online payment fraud to reach $48 billion annually: Reported in Help Net Security, “A new study from Juniper Research has found that annual online payment fraud losses from eCommerce, airline ticketing, money transfer and banking services will reach $48 billion by 2023, up from the $22 billion in losses projected for 2018.”
  • DNS Attacks Cost Organizations $715,000 On Average During 2018: Reported in Softpedia News, “During 2018, 77% of all organizations experienced at least one DNS-based cyberattack according to the data collected through a survey conducted by research firm Coleman Parkes on a sample of 1,000 organizations from all over the world.”
  • Telcos struggling to mitigate the threats of cyberattacks: Reported in Information Age, “The telecommunications sector ranks as one of the worst business sectors in its handling of cyber threats. According to the report from EfficientIP, 43% of telco organizations suffered from DNS-based malware over the past 12 months. It was also highlighted that 81% took three days or more to apply a critical security patch after notification.”
  • Securities Markets at High Risk of Cyberattack: Reported in Dark Reading, “In the financial sector, the global securities market is more vulnerable to short-term cybersecurity threats than the banking and payments market, foreign exchange (forex) market, and trade finance segment, new analysis shows.”
  • Hackers are not main cause of health data breaches: Reported in Reuters, “Most health information data breaches in the U.S. in recent years haven’t been the work of hackers but instead have been due to mistakes or security lapses inside healthcare organizations, a new study suggests.”
  • Divide Remains Between Cybersecurity Awareness and Skill: Reported in Dark Reading, “Three-quarters of board directors are holding C-suite executives accountable for critical data protection. And while most organizations say they see the value and importance of a cybersecurity governance group, finding individuals with the right expertise is far more difficult.”
  • Almost 50 Percent of 2018 Vulnerabilities Can Be Exploited Remotely: Reported in Softpedia News, “Approximately half of all vulnerabilities disclosed during 2018 come with a remote attack vector while only 13% of them require local access according to Risk Based Security's 2018 Q3 Vulnerability Quick View Report.”
  • Remote working may boost productivity, but also leave you vulnerable to attack: Reported in Help Net Security, “New flexible working practices could pose a security risk to small businesses, with one in five employees (21%) stating they are most productive when working in public spaces like a cafe or library, but only 18% concerned with the security implications this could have.”

Reports and Deep Reading

A few reports and analyses emerged last week that pertain to topics of interest to the NTSC:

  • Special Report: Is the US Ready to Escalate in Cyberspace?: Defense One has published an in-depth report that covers the US’s increasing offensive posture in cyberspace, specific areas where our offensive capabilities may be weakened, and how to define “online criminality.”
  • The SEC and Cybersecurity Regulation: Lawfare discusses how increasing SEC regulation around cybersecurity has arrived in the vacuum of a patchwork of federal and state laws. Its article “tracks the commission’s strategy for incentivizing investment in cybersecurity defenses by mandating disclosure and imposing liability on the victims of data breaches.”
  • Why military veterans might be key to closing the cybersecurity jobs gap: With a potential cybersecurity talent shortfall of 3 million people during the next few years, employers will look for not only talent but also experience to ramp up new hires as quickly as possible. TechRepublic examines “why military personnel make the best cyber defenders” who can hit the ground running and how to increase their numbers in the workforce.