NTSC Technology Security Roundup

Weekly News Roundup: December 10, 2018

US Senate News Roundup

The US Senate introduced a cybersecurity bill and talked about other possible cybersecurity legislation last week:

  • Senators Introduce Bill to Let Hackers Report Bugs to DHS: According to NextGov, “A bipartisan pair of senators introduced a bill that would require the Homeland Security Department to create an ongoing program to allow security experts to report bugs on agency websites. The Public-Private Cybersecurity Cooperation Act, introduced [last] Thursday by Sen. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H., requires Homeland Security to create a vulnerability disclosure program so hackers can report problems they find to the proper authorities without being prosecuted for breaking laws like the 1986 Computer Fraud and Abuse Act.”
  • Sen. Warner calls for a ‘whole-of-society’ U.S. cyber doctrine: According to CyberScoop, “In a speech [last] Friday, Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, proposed a ‘whole-of-society’ cyber doctrine rather than one that treats the cybersecurity challenges in government and private sector separately.”
  • Senators Call For A Data Security Law: According to NextGov, “Senators called for national data privacy legislation to safeguard consumer information and hold companies accountable for mishandling people's data” in the wake of the Marriott data breach. The senators wanting such legislation included Mark Warner (D-Va.), Ed Markey (D-Mass.), and Richard Blumenthal (D-Conn.).

Quora Data Breach Impacts Approximately 100 Million Users

In an email to its users last Monday, Quora said “On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to our systems” and that some of the information compromised included “account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, [and] personalization data.” While Quora and other media outlets somewhat downplayed the breach because Quora’s user data was seen as less damaging than the data held by organizations like Equifax, Gizmodo reported that “the website is more like a social network than it might seem. People ask personal questions that could help draw a personality profile and others give answers that could do the same. Earlier this year, when Facebook admitted that it had lost control of 87 million users’ data, the general public was reminded that data breaches aren’t just about identity theft. In that case, a firm working for the 2016 Trump presidential campaign obtained access to the data, raising concerns that it was used for targeted political messaging.”

Recent Analyses and Assessments of the Cybersecurity and Infrastructure Security Agency

After the Cybersecurity and Infrastructure Security Agency Act redesignated the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA) in October, many in the cybersecurity space have been tracking its progress. Two examples last week include the following:

  • New cyber agency marks its territory: The Washington Examiner notes progress that includes rebranding and “multiagency collaborations with the business community on vulnerabilities in supply chains — long bemoaned as the nation’s cyber Achilles’ heel — as well as on protecting ‘lifeline’ industries like telecommunications, electricity and information technology from cyberattacks.”
  • New DHS Agency Will Provide Needed Emphasis on Cybersecurity: In a blog post, McAfee said “Establishing CISA as a stand-alone agency within DHS elevates both the mission of cybersecurity in the federal government and cybersecurity’s importance and solidifies the position of cybersecurity in our economy. This is a smart decision on the part of Congress and the White House. It will help the newly created agency outline its priorities, advocate for a separate budget, and further develop recruitment efforts. CISA’s leaders will have the ability to continue to drive a culture of cybersecurity within our federal agencies and workforce while enhancing their capabilities to partner with the private sector to address our nation’s most critical cybersecurity threats.”

Quantum Computing Report from National Academy of Sciences Outlines Serious Cryptography Issues

While quantum computing may seem far off today, a National Academy of Sciences report suggests that development may occur so fast that we fail to take security into proper consideration—especially as the technology makes traditional encryption obsolete. According to the MIT Technology Review, “The experts who produced the report […] say widespread adoption of quantum-resistant cryptography ‘will be a long and difficult process’ that ‘probably cannot be completed in less than 20 years.’ It’s possible that highly capable quantum machines will appear before then, and if hackers get their hands on them, the result could be a security and privacy nightmare.” Gizmodo adds “The report warns about the state of funding into quantum research, especially in the U.S. Other countries, including China, have committed lots of money and people to developing quantum technologies. Here in the U.S., much of our quantum science is privately funded—but might not provide immediate commercial benefits. ‘If near-term quantum computers are not commercially successful, government funding may be essential to prevent a significant decline in quantum computing research and development,’ the report authors write.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Fileless malware surge, warns Malwarebytes report: Reported in Computer Weekly, “Fileless malware is a ‘hard to remediate’ class of malware that is growing in popularity among cyber attackers, according to the latest threat report from security firm Malwarebytes. […] This growing gap in protection has led to a tremendous increase in attacks, compromises, and resulting data theft from fileless attacks, the report said, citing a Ponemon Institute report that said fileless malware attacks account for about 35% of all attacks so far in 2018, and are almost 10 times more likely to succeed than file-based attacks.”
  • USB Threats to Cybersecurity of Industrial Facilities: Reported in Tripwire, “[Almost] half of […] customers (44 percent) have detected and blocked at least one file with a security issue. In addition, 26 percent of the detected threats were capable of significant disruption to the operations, including loss of view or loss of control.”
  • Consumers believe social media sites pose greatest risk to data: Reported in Help Net Security, “Surveying 10,500 consumers globally, Gemalto found that, across all ages, 93% are placing the blame squarely on businesses and would think about acting against them. Social media sites worry consumers most, with 61% concerned companies in this space don’t adequately protect consumer data, followed by banking websites (40%).”
  • Trend Micro Research Uncovers Major Flaws in Leading IoT Protocols: According to a press release, Trend Micro “warned organizations to revisit their operational technology (OT) security after finding major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).”
  • Financial firms to further increase cybersecurity spending: Reported in American Banker, “In a survey of 100 senior security officers, 84% said their firms are planning to spend more this year on cybersecurity, up from 78 percent a year ago, data-security provider Thales eSecurity said in a report [released last] Tuesday.”