NTSC Technology Security Roundup

Weekly News Roundup: December 11, 2017

NIST Cybersecurity Framework Version 1.1 Released for Public Comments

According to a press release, “NIST published the second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017. Public comments for the latest draft of Cybersecurity Framework version 1.1 and the draft Roadmap are due to NIST by […] January 19, 2018.” Quoted in SC Media, Larry Clinton, president and CEO of the Internet Security Alliance (ISA), said, “…the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization.”

EU Wants Privacy Shield Pact Concerns Addressed by End of 2018

Under the EU-US Privacy Shield pact, US companies self-certify that they will protect personal data transferred from the EU in line with EU law, but EU regulators (specifically the Article 29 Working Party) want several concerns about US law addressed and have said they will take the matter to court if those issues are not resolved. According to Reuters, “The Privacy Shield framework - which is used by over 2,400 companies including Google, Facebook, and Microsoft - has already been challenged in the courts by privacy activists who say it does not go far enough to protect Europeans’ data. The data protection authorities asked for ‘further evidence or legally binding commitments’ to back up U.S. assertions that its data collection under Section 702 is not indiscriminate and that access to the data is not conducted on a generalized basis.” Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is set to expire on December 31, also continues to concern companies, privacy advocates, and citizens in the United States; ZDNet recently reported that “The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.”

Two Research Reports Discuss Incident Response and Industrial Information Security Trends

CrowdStrike released its annual Cyber Intrusion Services Casebook, which draws on its incident response engagements to describe attacker tactics, techniques and procedures (TTPs) and the state of breach readiness across industries. The findings include:

  • The average attacker dwell time was 86 days, measured as the number of days between the first evidence of a compromise and its initial detection.
  • Fileless malware and malware-free attacks made up 66 percent of all attacks. Notable examples include code executed directly from memory and stolen credentials used for remote logins, neither of which leaves a malicious file on disk for traditional antivirus to catch.
  • Companies are getting better at self-detection: in 68 percent of the reviewed cases, the company identified the breach internally rather than learning of it from a third party, an 11 percent increase over prior years.

Honeywell also recently released a report titled “Putting Industrial Cyber Security at the Top of the CEO Agenda.” In ZDNet’s summary, the “in-depth poll of 130 industrial companies revealed that almost two-thirds of those surveyed -- a total of 63 percent -- admitted they do not monitor for suspicious behavior, and 45 percent do not even have a cybersecurity expert or manager in place. Despite over half of these companies, 53 percent in total, reporting that they have already been the victim of at least one cybersecurity breach, 20 percent still do not conduct regular risk assessments.”

2018 Cybersecurity Trends Roundup

We continue to round up various 2018 cybersecurity trends articles that cover topics important to CISOs and the security community.

  • Cyber Trends Defenders Can Expect to See in 2018: Justin Fier’s predictions in his article for Security Week include:
    • Attacks by nation states and APT threat groups are on the rise.
    • Insider threat will remain a blind spot for most corporations.
    • The use of tools from the NSA and CIA leaks will lead to more sophisticated and machine-speed attacks.
    • Supply chains will continue to be a vulnerability for most organizations.
    • Artificial intelligence will become a common feature in the toolkit of cyber-criminals.
  • Trend Micro’s Paradigm Shifts: Security Predictions for 2018 include:
    • The ransomware business model will still be a cybercrime mainstay in 2018, while other forms of digital extortion will gain more ground.
    • Cybercriminals will explore new ways to abuse IoT devices for their own gain.
    • Global losses from business email compromise scams will exceed $9 billion in 2018.
    • Cyberpropaganda campaigns will be refined using tried-and-tested techniques from past spam campaigns.
    • Threat actors will ride on machine learning and blockchain technologies to expand their evasion techniques.
    • Many companies will take definitive actions on the General Data Protection Regulation (GDPR) only when the first high-profile lawsuit is filed.
    • Enterprise applications and platforms will be at risk of manipulation and vulnerabilities.

Banks Participate in Sheltered Harbor Project to Prepare for Worst-Case Cyberattack Scenario

What if ATMs stop working? What if a cyberattacker destroys or locks the account data at a major bank? Some cybersecurity experts in the financial sector fear that such an attack could trigger a run not only on the affected bank but also on other banks whose customers lose confidence. To head off this worst-case scenario, the Wall Street Journal recently reported, banks and credit unions have created the Sheltered Harbor project. According to the Wall Street Journal, “Its 34-member board is composed of representatives of individual big banks, groups of smaller firms, trade associations, clearinghouses and broker-dealers. […] The idea is to ensure that every U.S. bank has the kind of backups that some of the biggest banks have been using since the 1990s: protected in vaults, whether digital or physical, and unalterable once recorded.”