NTSC Technology Security Roundup

Weekly News Roundup: December 4, 2017

Data Security and Breach Notification Act Seeks Punishment for Execs Who Don’t Quickly Report Breaches

Last Thursday, Senators Tammy Baldwin (D-Wisconsin), Bill Nelson (D-Florida), and Richard Blumenthal (D-Connecticut) introduced the Data Security and Breach Notification Act. According to a press release, the bill “would require companies to quickly notify consumers of data breaches and impose new criminal penalties for corporate personnel who deliberately conceal breaches.” This bill arrives in the wake of a data breach from Uber that took the company over a year to report. More specifically, “The legislation would require companies to notify consumers of data breaches within 30 days and make it a crime punishable by as much as five years in prison for knowingly concealing them, among other things. […] [The] legislation also directs the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers' personal and financial data and provide incentives to businesses who adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.”

Bipartisan Student Right to Know Before You Go Act Includes Proposed Use of Advanced Encryption

Introduced by Senators Ron Wyden (D-Oregon), Marco Rubio (R-Florida), and Mark Warner (D-Virginia), the Student Right to Know Before You Go Act includes the proposed use of advanced encryption to protect the information shared from universities to prospective students. According to a press release, “The updated bill requires the use of secure multi-party computation (MPC), an advanced encryption technique, to generate statistical data based on student information from colleges and universities as well as loan and income information from government agencies such as the Internal Revenue Service (IRS) and Department of Education. The process ensures the protection of the underlying data, so no entity is forced to ‘give up’ sensitive information in a form that is accessible to others.”
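To make the MPC property the press release describes concrete, here is an added example (not code from the bill, the sponsors, or any named MPC implementation) of the simplest MPC building block, additive secret sharing: each data holder splits a private value, such as a loan balance, into random shares handed to three computing parties, and the parties compute an aggregate without any of them seeing a raw value. The party count, the prime modulus, and the sample income figures are constructed assumptions for illustration.

```python
"""Additive secret sharing over a prime field: the core idea behind MPC-based
aggregate statistics. Constructed illustration; not the bill's or any vendor's code.

Each private value v is split into N shares that sum to v mod PRIME. Any set of
fewer than N shares is uniformly random and reveals nothing about v, yet every
computing party can locally add up the shares it holds for every record, and
recombining those per-party partial sums yields the exact total.
"""
import secrets

PRIME = (1 << 61) - 1   # assumed field modulus (a Mersenne prime); all arithmetic is mod PRIME
N_PARTIES = 3           # assumed number of non-colluding computing parties


def share(value: int, n_parties: int = N_PARTIES, rng=secrets.randbelow) -> list[int]:
    """Split `value` into `n_parties` additive shares. All but the last share
    are drawn uniformly at random; the last is chosen so the shares sum to value."""
    if not 0 <= value < PRIME:
        raise ValueError("value must lie in [0, PRIME)")
    shares = [rng(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine a full set of shares; only meaningful when every party contributes."""
    return sum(shares) % PRIME


def aggregate_sum(records: list[int]) -> tuple[int, list[int]]:
    """Compute the sum of private `records` the MPC way.

    Each record is shared, and party i receives only column i. Each party then
    sums its own column locally (it never sees another party's column or any
    raw record). The per-party partial sums are themselves shares of the total.
    Returns (total, partial_sums)."""
    columns = [[] for _ in range(N_PARTIES)]
    for value in records:
        for party, s in enumerate(share(value)):
            columns[party].append(s)
    partials = [sum(col) % PRIME for col in columns]   # each party's local work
    return reconstruct(partials), partials


def secure_mean(records: list[int]) -> float:
    """Mean of the records computed from the shared aggregate, not the raw values."""
    total, _ = aggregate_sum(records)
    return total / len(records)


if __name__ == "__main__":
    # Constructed sample: loan balances from three data holders (dollars).
    balances = [40_000, 52_000, 61_000]
    total, partials = aggregate_sum(balances)
    print("per-party partial sums (each alone is random):", partials)
    print("reconstructed total:", total, "mean:", secure_mean(balances))
```

The point to notice is that the partial sums each party ends up with are uniformly random on their own; only when all three are combined does the statistic appear, which is the "no entity is forced to give up sensitive information" property the release refers to. Real MPC deployments add authentication of shares, secure channels between parties, and support for operations beyond addition, none of which this sketch provides.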

PhishMe Releases 2017 Enterprise Phishing Resiliency and Defense Report

On Thursday, PhishMe released its 2017 Enterprise Phishing Resiliency and Defense Report that looks at phishing susceptibility trends. According to a press release, key findings include:

  • Susceptibility rates are declining; repeated phishing simulations have shown a shrinking susceptibility rate for three years running, leading to an overall five percent drop.
  • Reporting rates have climbed a healthy six percent in three years: Incorporating a one-click email reporting button has proven to lower phishing susceptibility among employees.
  • As reporting or engagement increased, susceptibility to phishing attacks declined.
  • In previous years fear, urgency, and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition.
  • Emails with malicious URLs are the most reported, with almost 15% of the emails employees reported in this study found to be malicious.

Acquisitions Update

Last week saw three major cybersecurity-related acquisitions:

  • Enterprise security company Proofpoint will acquire browser isolation solutions company Weblife.io. According to Proofpoint, “Weblife.io will allow Proofpoint customers to extend [Proofpoint’s corporate email] protection to personal email accounts, while preserving the privacy of their users.”
  • Private equity investment firm Thoma Bravo will acquire Barracuda for $1.6 billion. According to Barracuda, the company “will operate as a privately-held company with a continued focus on email security and management, network and application security, and data protection solutions that can be deployed in cloud and hybrid environments.”
  • McAfee acquired cloud access security broker Skyhigh Networks: According to McAfee, “Skyhigh Networks and McAfee will complement each other’s portfolio and mission, allowing customers to modernize their cybersecurity environments and protect their most valuable asset – data – as it moves to the cloud.”

2018 Cybersecurity Trends Roundup

As the year ends, the inevitable 2018 cybersecurity trends articles are starting to appear. Here’s a roundup of a few:

  • Enterprise security incident response trends to watch in 2018: These trends include automation acceptance, lower SOC entry level, continuous response, savvy MSSP shoppers, SOC as IR thought leader, SIR platform required, SOC developed automation, possible CSIRT resurgence, and more movement to MSSPs.
  • McAfee Labs Previews Five Cybersecurity Trends for 2018: In this report, McAfee predicts that an adversarial machine learning “arms race” will develop between defenders and attackers, and that ransomware will pivot from traditional extortion to new targets, technologies, and objectives.
  • 60 Cybersecurity Predictions For 2018: This long list includes predictions about “attacks on the US government and critical infrastructure, determining authenticity in the age of fake news, consumer privacy and the GDPR, the Internet of Things (IoT), Artificial Intelligence (AI) as a new tool in the hands of both attackers and defenders, cryptocurrencies and biometrics, the deployment of enterprise IT and cybersecurity, and the persistent cybersecurity skills shortage.”