NTSC Technology Security Roundup

Weekly News Roundup: December 9, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Senators sound alarm on dangers of ransomware attacks after briefing: According to The Hill, “Senators from both sides of the aisle sounded the alarm [last] Wednesday on the dangers posed to small businesses and government entities by ransomware cyberattacks following a classified briefing from a key Department of Homeland Security (DHS) official. The Senate Cybersecurity Caucus, led by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), hosted the meeting with Christopher Krebs, the director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), who briefed members on threats posed by ransomware attacks.”
  • At Senate, consensus on federal law until you get to 'private right of action': According to IAPP, “The Dec. 4 hearing in front of the Senate Committee on Commerce, Science and Transportation sought to revisit topics that lawmakers have discussed in detail in the past, this time with a more sophisticated agenda; the questions are no longer about whether the U.S. needs a bill or whether it should look like the EU General Data Protection Regulation. Conversations are focused on the places that are likely going to get sticky before bills start getting votes: Should citizens be granted a private right of action for violations of the law? What constitutes ‘sensitive’ data? Should it be treated differently? […] While all witnesses agree there should be strong enforcement of a law, Blumenthal, a fierce privacy advocate, couldn't get them to agree that it should preserve the kinds of powers enshrined in state laws with private rights of action already, like the California Consumer Privacy Act and Illinois' Biometric Information Privacy Act.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • SEC names new Cyber Unit chief: According to FCW, “The Securities and Exchange Commission announced that senior advisor Kristina Littman will become the new Cyber Unit chief for its Enforcement Division. Littman has been at the commission since 2010, previously serving as a staff attorney in the division’s Philadelphia office and senior attorney in the Market Abuse and Trial Units.”
  • Small Contractors Struggle to Meet Cyber Security Standards, Pentagon Finds: According to DefenseOne, “Small companies are struggling to meet the Pentagon’s newish network security rules, and even larger contractors aren’t doing as well as they think they are, a recent department study has found.”
  • US Government Will Welcome Ethical Hackers: According to Infosecurity Magazine, “The [Cybersecurity and Infrastructure Security Agency (CISA)] has published a proposed directive forcing agencies to play nicely with voluntary bug reporters. Under the draft rules, federal agencies would have to provide and monitor clear channels (an email or web form) through which people could report security flaws. They would also have to respond and keep researchers updated on efforts to fix the bugs. The rules go beyond basic courtesy, though. Agencies could no longer publish threatening language discouraging bug hunters. Neither could they forbid hackers from publishing the bugs after waiting for an acceptable period.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Russian 'Evil Corp' cybercrime gang bilked millions in hacking spree, officials charge: According to Politico, “U.S. and U.K. law enforcement officials [last] Thursday announced charges against two alleged Russian leaders of a cybercrime gang dubbed Evil Corp, which the DOJ believes is behind ‘two of the worst computer hacking and bank fraud schemes of the past decade.’ The unsealed computer hacking and bank fraud charges blame Maksim Yakubets and Igor Turashev for deployment of the Zeus and Bugat/Dridex malware. Officials estimate that Zeus caused at least $70 million in bank account losses and that Bugat is responsible for ‘millions’ in losses, said Brian Benczkowski, assistant attorney general for the DOJ Criminal Division.”
  • Huawei to sue US over new FCC restrictions: According to The Hill, “The Chinese tech giant Huawei is planning to sue the U.S. government over a Federal Communications Commission (FCC) order, the company said Wednesday. The FCC barred Huawei from a federal subsidies program last month due to the Trump administration’s security concerns about the company’s connections to the Chinese government.”
  • US Govt Alerts Financial Services of Ongoing Dridex Malware Attacks: According to Bleeping Computer, “The Department of Homeland Security [last Thursday] alerted institutions from the financial services sector of risks stemming from ongoing Dridex malware attacks targeting private-sector financial firms through phishing e-mail spam campaigns. The alert was published by the Cybersecurity and Infrastructure Security Agency (CISA) via the US National Cyber Awareness System, a tool designed to provide industry and users with info on current security topics and threats.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Banking Trojans Are Top Financial Services Threat: Reported in Infosecurity Magazine, “Banking Trojans represent the biggest potential threat to financial institutions and their customers, and are on the rise, according to new research from Blueliv. […] Nearly a third (31%) of respondents claimed banking Trojans were the biggest threat to financial services firms, followed by mobile malware (28%), a category also increasingly comprised of Trojans designed to access customer accounts.”
  • Hackers primed to exploit 5G to Wi-Fi handover flaws: Reported in Computer Weekly, “With 5G networks rapidly coming on-stream, wireless carriers are increasingly handing off calls and data to Wi-Fi networks to save bandwidth, and flaws in this process will allow hackers to compromise security, say researchers at the WatchGuard Technologies Threat Lab.”
  • ThreatList: 90% of SMBs Believe Nation-State Actors Are Targeting Them: Reported in Threatpost, “A full 93 percent of all SMB executives in a recent survey from AppRiver believe that nation-state-backed attackers are attempting to use businesses like theirs to breach the country’s digital security. And, this already-high figure jumps to 97 percent among larger SMBs with 150–250 employees.”
  • Thales study: U.S. financial institutions have highest rate of data breaches despite strict compliance mandates: According to a press release, “A new global study from Thales, with research from global market intelligence firm IDC, reveals that U.S. financial institutions have the highest rate of data breaches compared to other industries. In fact, nearly two thirds (62%) have experienced a breach in their history, and 41% had one occur in the last year alone.”
  • Report: 'Smishing,' Deepfakes to Continue to Rise in 2020: Reported in NextGov, “According to consumer credit reporting company Experian’s 2020 data breach industry forecast, smishing is the top threat individuals will likely be targeted by in the coming year, followed by drones that steal consumer data, disruptive deepfakes, hacktivism, and identity theft through mobile payment systems.”

Cybersecurity Acquisitions

News about three major cybersecurity company acquisitions was reported last week:

  • HelpSystems Acquires UK-based Content Protection Firm Clearswift: Reported in Security Week, “RUAG, a Switzerland-based firm that develops and markets civil and military technology applications for use in space, in the air and on land, has announced the sale of its cybersecurity subsidiary, Clearswift, to Minneapolis, Minnesota-based HelpSystems (itself bought by California private equity firm HGGC for $1.1 billion in 2018). RUAG is in the process of withdrawing from the cybersecurity market to focus on the aerospace market.”
  • Tenable Buys Industrial Security Startup Indegy To Boost OT Protection: Reported in CRN, “Tenable has purchased industrial security startup Indegy for $78 million to provide visibility, protection and control across operational technology (OT) environments. The Columbia, Md.-based security and cyber risk vendor said its acquisition of New York-based Indegy will extend the depth of Tenable’s OT expertise and intelligence as well as the breadth of its OT-specific capabilities in areas like vulnerability management, asset inventory, configuration management, and threat detection.”
  • Ernst & Young Acquires Sila Solutions Group’s Cybersecurity Practice: Reported in MSSP Alert, “Ernst & Young (EY), a Top 200 MSSP for 2019, has acquired the cybersecurity practice of Sila Solutions Group, a North American technology and management consulting firm. The acquisition will help EY deliver identity governance and administration (IGA), privileged access management (PAM), cyber risk assessment, privacy and data protection and third-party risk management to global organizations, the companies said. Sila’s cybersecurity team will join EY’s cybersecurity practice, according to the companies. In addition, EY has acquired Sila’s cyber delivery methodologies, training curriculum and other cybersecurity assets as part of the transaction.”