NTSC Technology Security Roundup

Weekly News Roundup: November 5, 2018

DHS’s National Risk Management Center Begins Meeting with Critical Infrastructure Sectors

The DHS’s new National Risk Management Center, created in July 2018, began meeting last Thursday with three of its 16 identified critical infrastructure sectors. According to NextGov, “The meeting with officials from the communications, electricity and finance sectors will be followed by meetings with the other 13 critical infrastructure sectors in coming weeks, Mark Kneidinger, deputy director of Homeland Security’s National Risk Management Center told reporters after speaking before a Commerce Department advisory board. Based on those meetings, risk management center officials will work with industry on future steps for how to both identify and protect the nation’s most vital digital assets, Kneidinger said.” Focused on long-term concerns, the National Risk Management Center will, according to DHS, create a cross-cutting risk management approach between the private sector and government to improve the defense of our nation’s critical infrastructure.

Ohio Incentivizes Companies to Have a Written Cybersecurity Program in Place

Ohio’s Senate Bill 220, a data breach law that became effective last Friday, provides a legal safe harbor to covered entities that implement a cybersecurity program. According to The National Law Review, “Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to ‘industry-recognized frameworks’ like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act.”

Digital Millennium Copyright Act Exemptions Help Protect Security Researchers

Ambiguities in the Digital Millennium Copyright Act can lead to a lack of legal protection for security researchers trying to do good. To help protect security researchers, the Librarian of Congress and US Copyright Office recently (according to Motherboard) “renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they’ve extended some essential exemptions ensuring that computer security researchers won’t be treated like nefarious criminals for their contributions to society.” Motherboard also notes “The exemptions still have some caveats. Specifically, the Copyright Office ruling only applies to ‘use exemptions,’ not ‘tools exemptions’—meaning security researchers still can’t release things like pen-testing tools that bypass DRM, or even publish technical papers exploring how to bypass bootloaders or other Trusted Platform Modules to test the security of the systems behind them.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Wider breach awareness fosters more security conversations: Reported in Help Net Security, “[Wider] awareness of risks – including third-party data breaches, ransomware and geopolitical conflicts – spurs more security dialogue in the boardroom. However, C-Suite and security leaders struggle to frame risk in productive decision-making terms and keep an eye on whether companies are operating within their proper risk appetite.”
  • Gathering Insights on the Reemergence and Evolution of Old Threats Through Managed Detection and Response: According to Trend Micro, “Smart Protection Network (SPN) data and observations from Managed Detection and Response (MDR) for the North American region show the persistence of older threats and tactics: delivery methods such as spam emails are still going strong, while ransomware attacks have seen a renewed vigor alongside newer threats such as cryptocurrency mining malware in the third quarter of 2018.”
  • Majority of Top 30 Sites Don't Offer Wide Range of 2FA Options: Reported in BleepingComputer, “The Dashlane password management company has released research showing that the majority of the top 30 consumer sites do not offer a complete range of two factor authentication (2FA) options for login authentication. Of the top 30 sites, only 8 offered all of the tested-for 2FA options.”
  • 53 Percent of All SMBs Experienced at Least a Security Breach in the Last Year: Reported in Softpedia, “Around 53% of all SMBs, small companies with up to 250 employees and medium-sized ones with up to 499, have been affected by a security breach during the last year according to Cisco's 2018 Annual Cybersecurity Report.”
  • Energy, Utilities Attacks Inside IT Networks Rise: Reported in Infosecurity Magazine, “According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.”
  • Social media support fraud is up nearly 500%, reaches highest level ever: Reported in TechRepublic, “Social media support fraud, also referred to as ‘angler phishing,’ has reached an all-time high, according to Proofpoint's Quarter 3 Threat Report. The report found angler phishing to have increased by 486% since this quarter last year, said the report, revealing how social media cyberattack methods are changing.”

API Releases “Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry Report”

According to a press release, API and the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) “released a report describing the industry’s resilience and preparedness to defend itself and energy consumers against malicious cyber threats and providing insight for policymakers into the comprehensive cybersecurity programs of the natural gas and oil industry.” Key points from the report include:

  • “Cyber threats are not new or unique to pipelines; they are present across the energy system, including at coal and nuclear plants. Pipeline companies have layers of security in place to protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise of ICS.”
  • “The natural gas system is highly resilient because the production, gathering, processing, transmission, distribution and storage of natural gas is geographically diverse, highly flexible and elastic, characterized by multiple fail-safes, redundancies and backups.”
  • “Reliance upon voluntary mechanisms including proven frameworks and public-private collaboration, rather than prescriptive standards or regulations, is the best way to bolster the cybersecurity of natural gas and oil companies and the energy infrastructure they operate, and to afford the necessary flexibility and agility to respond to a constantly-changing cyber threat landscape.”