NTSC Technology Security Roundup

Weekly News Roundup: December 30, 2019

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Senate unanimously approves anti-robocall legislation: According to The Hill, “The Senate voted unanimously on [December 19] to approve legislation passed by the House earlier this month to tackle robocalls, sending the bill to the president's desk. According to a source familiar with Trump's plans, the president is expected to sign the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, named after its sponsors in the House and Senate, Rep. Frank Pallone Jr. (D-N.J.) and Sen. John Thune (R-S.D.).”
  • States Step Up Cybersecurity Regulation of Insurers: According to Bloomberg Law, “New Hampshire will join eight other states in imposing cybersecurity requirements on insurers with a new law that takes effect Jan. 1. The law gives licensees a year to implement requirements such as an information security program based on a risk assessment. Insurers will have two years from the effective date to enact oversight requirements for third-party service providers. Licensees will have to investigate cybersecurity events and notify the state regulator within three business days after discovering a security incident.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • CyberCom mulls aggressive tactics if Russia interferes in next election: According to The Hill, “The U.S. is working on information warfare tactics that could be used to counter possible Russian interference in the 2020 election, The Washington Post reported [last] Wednesday, citing current and former officials. The U.S. Cyber Command (CyberCom) is mulling one strategy that would go after top Russian officials and elites to demonstrate that their personal information could be hit if interference continues, according to the Post.”
  • CISA Releases Draft Documentation to Provide Guidance for TIC 3.0: According to CISA, “[On December 20, CISA released] draft documentation to provide guidance for TIC 3.0, which we’ve developed to assist agencies in protecting modern information technology architectures and services, less focused on a perimeter. […] The success of the new TIC iteration is a group effort of over 50 participating federal agencies and industry. CISA encourages readers to provide any comments, feedback, or questions via the TIC GitHub repository. An official request for comments (RFC) period will begin December 23, 2019 and conclude on January 31, 2020.”
  • Government information sharing efforts remain a mixed bag: According to FCW, “The rollout of a new tool in 2017 has improved information sharing across the federal government, but other once-promising programs are withering on the vine, according to an audit released Dec. 19. […] [Auditors] gave mostly tepid reviews for the Automated Indicator Sharing program run by DHS' Cybersecurity and Infrastructure Security Agency. Once viewed as a potential crown jewel of the federal government's information sharing efforts with the private sector, the program has suffered from lack of engagement with only half a dozen or so entities actually sharing data back with the government. That reality has largely stagnated efforts to improve the quality of the data produced by the program and build out more actionable information around ongoing cyber threats.”
  • Not so IDLE hands: FBI program offers companies data protection via deception: According to Ars Technica, “An FBI flyer shown to Ars by a source broadly outlined a new program aimed at helping companies fight data theft ‘caused by an insider with illicit access (or systems administrator), or by a remote cyber actor.’ The program, called IDLE (Illicit Data Loss Exploitation), does this by creating ‘decoy data that is used to confuse illicit… collection and end use of stolen data.’ It's a form of defensive deception—or as officials would prefer to refer to it, obfuscation—that the FBI hopes will derail all types of attackers, particularly advanced threats from outside and inside the network.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • CISOs Are Skeptical About Cybersecurity Vendor Claims, Study Shows: Reported in Security Boulevard, “Around half of those surveyed felt downright deceived by their vendor. For example, 44% of security pros believe most, if not all, vendors obfuscate their technology with hard-to-understand descriptions. 53% said their vendors use ambiguous data that makes it hard to verify their claims. And 35% say their vendors don’t meet their promises half of the time.”
  • Only 54% of security pros have a written policy on length and randomness for keys for machine identities: Reported in Help Net Security, “Just half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities.”
  • New Study Shows Just How Bad Vehicle Hacking Has Gotten: Reported in Communications of the ACM, “Upstream says there were 150 cases of vehicle hacking in 2019, a 99% increase from 2018. Moreover, the auto industry has experienced 94% year-over-year growth in hacks since 2016.”

Cybersecurity Acquisitions

News about four major cybersecurity company acquisitions was reported last week:

  • Mastercard To Acquire RiskRecon: Reported in FinSMEs, “Global payments technology company Mastercard (NYSE: MA) is to acquire RiskRecon, a Salt Lake City, Utah-based provider of artificial intelligence and data analytics solutions to support companies in protecting their cyber systems and infrastructure. The amount of the deal – which is anticipated to close in the first quarter of 2020, subject to customary closing conditions – was not disclosed.”
  • Dell Likely to Purchase Remaining Stake in Secureworks: Reported in Yahoo! Finance, “Dell Technologies is considering buying the remaining outstanding shares of Secureworks, according to a Bloomberg report. Secureworks is engaged in managing and outsourcing cybersecurity services for corporate clients. The company also develops software to detect and respond to cybersecurity threats. Dell owns 86.2% of Secureworks through ownership of the entirety of the company’s Class B shares as of Nov 1, 2019. By acquiring the remaining 13.8% shares, Dell will be able to fully consolidate Secureworks with its business.”
  • Palo Alto Buys Aporeto, Boosts Profile with Microsegmentation: Reported in Yahoo! Finance, “Palo Alto Networks recently completed the acquisition of machine identity-based microsegmentation entity Aporeto. With this, the company further strengthens its Cloud Native Security Platform delivered by Prisma Cloud. The addition of Aporeto to its portfolio will help the company identify workloads and apply microsegmentation across all infrastructures, which will ensure better application of security to customers. In November this year, Palo Alto Networks had announced that it will pay approximately $150 million in cash to acquire Aporeto.”
  • OpenText Completes Carbonite, Webroot Acquisition: Reported in ChannelE2E, “OpenText has completed the Carbonite acquisition, which includes the Webroot business. OpenText, an enterprise-focused information management software company, gains cloud-based data protection, backup, disaster recovery and endpoint security software that MSPs promote to small and midsize businesses (SMBs). The deal’s value: $1.45 billion.”