NTSC Technology Security Roundup

Weekly News Roundup: December 3, 2018

Marriott Breach of Starwood Data Exposes Up to 500 Million Guests’ Information

In what might now be the second-worst data breach in history, Marriott disclosed that a data breach affecting up to 500 million guests’ information took place in 2014, and that the information remained accessible until recently. According to NBC News, “For about 327 million of the guests […], the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out the information may have been decoded.”

Other reports on the data breach include:

  • Marriott says data breach may affect up to 500 million Starwood hotel guests (ABC News)
  • Marriott reveals data breach of 500 million Starwood guests (CNN)
  • Marriott discloses massive data breach affecting up to 500 million guests (Washington Post)
  • Marriott Breach Exposes Data of Up to 500 Million Guests (New York Times)
  • Marriott Says Starwood Data Breach Affects Up to 500 Million People (Wall Street Journal)
  • Marriott Says Up To 500 Million Customers' Data Stolen In Breach (NPR)

Russia Continues to Target US Electric Grid

Russia has targeted US critical infrastructure for a long time, possibly planting the seeds for a future cyberattack. According to a recent report from Wired, this activity continues unabated. Wired says, “At the CyberwarCon forum in Washington, DC [last] Wednesday, researchers from threat intelligence firm FireEye noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing vetting campaign. […] In many ways, [the Russia-linked hacking group] TEMP.Isotope's actions are in the interest not of triggering large-scale blackouts, but of traditional intelligence-gathering. The group seems to deliver information that can be used both to expand Russian energy capabilities and to vet US systems for weaknesses that could potentially be exploited in attacks. But the FireEye researchers point out that the canvassing also serves other more subtly aggressive counterintelligence goals as well.”

US Cyber Command Talks About the Fruits of “Defending Forward”

It’s only been about six months since US Cyber Command became the 10th US combatant command, during a year in which the White House, DoD, DHS, and other federal agencies have directed efforts toward a more aggressive cyber posture to deter adversaries. According to an article in Fifth Domain, US Cyber Command is feeling the difference. Lt. Gen. Vincent Stewart is quoted as saying: “Over the last six months we’ve been given sufficient authorities that allow us to implement the approach of defending forward. We can no longer have policy that runs all the way to the very senior levels of our organizations before we can take action. We need the flexibility to act as we see emerging threats and opportunities in this space.” As a tangible example, the article also notes that “Cyber Command had individually targeted Russian cyber operators ahead of the 2018 midterm elections to deter them from spreading misinformation a la the 2016 presidential election.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Security firm predicts hackers will increasingly use AI to help evade detection in 2019: Reported in The Hill, “McAfee Labs's 2019 ‘Threats Predictions Report’ released [last] Thursday says hackers will likely turn to A.I. to ‘increase their chances of success,’ pointing to ‘an entire underground economy’ where hackers can access new services and products to help them fly under the radar.”
  • Three Key Trends from Proofpoint’s Latest Cybersecurity Research: According to Proofpoint, its three key trends included the following insights:
    • “While C-level executives, directors, and department heads may be targeted disproportionately more often, individual contributors and lower-level management accounted for 67% of highly targeted malware and phishing attacks.”
    • “Email-based corporate credential phishing attacks rose 4x vs. the previous quarter. At the same time, email fraud rose 80% over the year-ago quarter.”
    • “Biotech, medical device makers and real estate firms are targeted with email fraud more than other industries.”
  • Hackers are using leaked NSA hacking tools to covertly hijack thousands of computers: Reported in TechCrunch, “More than a year after patches were released to thwart powerful NSA exploits that leaked online, hundreds of thousands of computers are unpatched and vulnerable. […] New findings from security giant Akamai say that the previously reported UPnProxy vulnerability, which abuses the common Universal Plug and Play network protocol, can now target unpatched computers behind the router’s firewall.”
  • Internal negligence to blame for most data breaches involving personal health information: Reported in Help Net Security, “New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.”

Deep Reading

A couple of reports and analyses emerged last week that pertain to topics of interest to the NTSC:

  • An Outcome-Based Analysis of U.S. Cyber Strategy of Persistence & Defense Forward: Lawfare discusses legal issues with “defending forward” and says, despite advantages to this strategy, that “the ‘medicine’ prescribed by the Defense Department and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of ‘persistent engagement’ and ‘defense forward’ are still ill-understood. [A] United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.”
  • How Corporate Boards Can Be More Proactive Mitigating Cyber Risks: In this Forbes article, author Harry Broadman says, “Many corporate boards have made significant progress about understanding the importance of cyber security to the competitive health and sustainability of the companies they oversee. They’ve certainly gotten the message that cyber security is not just an IT issue. And, within the portion of board meetings devoted to risk assessment, cyber security is almost always one of the top items on the agenda. But most board directors have yet to move far enough along to become as effectively equipped as they should be to intelligently gauge the extent to which their firms’ management teams are at the top of their games in the war on corporate cyber-attacks.”