NTSC Technology Security Roundup

Weekly News Roundup: February 10, 2020

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • House Passes Bill to Codify—and Improve—GSA's Cloud Security Program: According to NextGov, “Just over eight years after the Federal Risk and Authorization Management Program, or FedRAMP, was established, House lawmakers passed a bill that would codify the program in law, add annual funding for the next five years and mandate much-needed reforms. The FedRAMP Authorization Act passed the House by a voice vote [last] Thursday, authorizing up to $20 million a year for the next five years and requiring the FedRAMP program management office to make some improvements, including automating the process.”
  • FBI still not pushing for encryption legislation: According to FCW, “At a Feb. 5 House Judiciary Committee hearing, [FBI Director Christopher Wray] was asked by Rep. Matt Gaetz (R-Fla.) if there is any ‘meaningful legislation that Congress should consider so that technology partners have a yellow brick road to work with the government’ on encryption. Wray did not rule [out] the possibility but stopped short of calling for Congress to draft such a bill, beyond saying it was a decision ‘that should be made by the American people through their elected representatives, not through one company making a business decision on behalf of all of us.’”
  • Top Homeland Security Democrat voices opposition to facial recognition moratorium: According to The Hill, “House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) [last] Thursday voiced concern about placing a federal moratorium on facial recognition technology, a proposal floated by several lawmakers on both sides of the aisle. ‘I want to put the safeguards in place so that as we roll out technology we can assure the public that this is not an invasive technology,’ Thompson told reporters after his committee held a hearing on the technology used to identify individuals by scanning their faces.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Three agencies team on cyber defense of energy infrastructure: According to FCW, “The Departments of Energy, Homeland Security and Defense have extended their joint effort to develop common cyber threat indicators and cyber defense capabilities to protect critical infrastructure in the energy sector. The agencies signed a new memorandum of understanding to develop common, cross-agency threat data and to collaborate on cyberattack response playbooks for energy infrastructure stakeholders. The MOU extends the Pathfinder information sharing effort for critical infrastructure sectors among the agencies begun in 2018.”
  • FCC says wireless location data sharing broke the law: According to Axios, “Federal Communications Commission Chairman Ajit Pai told lawmakers [January 31] he intends to propose fines against at least one U.S. wireless carrier for sharing customers' real-time location data with outside parties without the subscribers' knowledge or consent.”
  • ODNI Plans to Share More About Cyber Threats Under New Counterintelligence Strategy: According to NextGov, “The Office of the Director of National Intelligence will take a ‘whole of society’ approach that hopes to encourage greater private-sector participation in protecting the country from cyber threats, according to [Bill Evanina, director of ODNI’s National Counterintelligence and Security Center]. […] His announcement is in line with pledges by government agencies such as the Cybersecurity and Infrastructure Security Agency and the National Security Agency to share more contextual information about cyber threats—without sharing classified sources or methods—with industry.”
  • How NIST is exploring new data security best practices: According to Fifth Domain, “The cybersecurity leaders at the National Institute of Standards and Technology want industry help on two new projects related to data confidentiality. […] The first project, ‘Data Confidentiality: Identifying and Protecting Assets and Data Against Data Breaches,’ seeks to provide practical solutions to identifying and protecting the confidentiality of data. The second project, ‘Data Confidentiality: Detect, Respond to, and Recover from Data Breaches,’ will provide guidance on handling and recovering from confidentiality breaches.”
  • NIST releases publication on how businesses can minimize cybersecurity risk: According to Homeland Preparedness News, “A new publication by the National Institute of Standards and Technology (NIST) outlines a set of risk management techniques for businesses to reduce cybersecurity risk to global supply chains. The publication, called Key Practices in Cyber Supply Chain Risk Management, addresses the vulnerabilities in the cyber supply chain and offers strategies to minimize them.”
  • NIST Hires Symantec VP Jeff Greene to Lead NCCoE: According to MeriTalk, “Jeff Greene, former vice president of global government affairs and policy at Symantec, began a new role as director of the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) on Feb. 3. For several years, Greene has served as an appointed member of NIST’s Information Security and Privacy Advisory Board, and as a special government employee at NIST to support the President’s Commission on Enhancing National Cybersecurity.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Mysterious New Ransomware Targets Industrial Control Systems: According to Wired, “Over the last month, researchers at security firms including SentinelOne and Dragos have puzzled over a piece of code called Snake or EKANS, which they now believe is specifically designed to target industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities. […] While crude compared to other malware purpose-built for industrial sabotage, [its] targeting can nonetheless break the software used to monitor infrastructure, like an oil firm's pipelines or a factory's robots. That could have potentially dangerous consequences, like preventing staff from remotely monitoring or controlling the equipment's operation.”
  • Report: DOD efforts to counter China cyber threats require tougher export controls: According to Inside Cybersecurity, “A report by a bipartisan think tank on countering threats from China says Defense Department efforts could be bolstered by tougher technology export controls developed by a government-wide rulemaking process, a recommendation that underscores an ongoing regulatory debate prompted by a Commerce Department proposal.”
  • U.S. Finance Sector Hit with Targeted Backdoor Campaign: According to Threatpost, “The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a powerful backdoor called Minebridge. The attack chain employed a known method called ‘VBA Stomping’ to avoid detection. According to researchers at FireEye, the campaigns, aimed at enabling further malware infections and espionage efforts, were initiated via phishing emails with attached documents containing malicious macros. The emails were coming from fake domains that were geared to add legitimacy to the messages, resulting in a convincing theme running throughout the proceedings.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Global Cybersecurity Study: Insider Threats Cost Organizations $11.45 Million Annually, up 31 Percent from 2018: According to a press release, “[On] average, impacted organizations spent $11.45 million annually on overall insider threat remediation and took 77 days to contain each incident.”
  • 40 Million Americans Affected by Health Data Breaches in 2019: Reported in Security Magazine, “Forty million Americans were affected by health data breaches in 2019 — a 65-percent increase from 14 million in 2018. The Fortified Health Security 2020 report, titled The State of Cybersecurity in Healthcare, compiled annual data from 2009 through 2019 and found last year was the highest number recorded since 2015 when 113.27 million records were exposed — an increase of 84 percent from 17.4 million in 2014.”
  • Attacks on Web Applications increased by 52% in 2019, Says New Report: Reported in Cyware, “A study from SonicWall disclosed that cyberattacks on web applications are up by 52% in 2019. […] Web applications such as Slack, Microsoft 365, G Suite, Salesforce and Dropbox have become a new target of interest for cybercriminals.”
  • Only 17% of Organizations Globally Considered “Leaders” in Cyber Resilience, According to Accenture Study: According to a press release, “Despite higher levels of investment in advanced cybersecurity technologies over the past three years, less than one-fifth of organizations are effectively stopping cyberattacks and finding and fixing breaches fast enough to lower the impact, according to a new report from Accenture. […] From detailed modeling of cybersecurity performance, the study identified a group of elite ‘leaders’ — 17% of the research sample — that achieve significantly better results from their cybersecurity technology investments than other organizations.”
  • Why financial professionals say cybersecurity is the toughest risk to manage: Reported in Yahoo! Finance, “A new survey from The Association of Financial Professionals finds cybersecurity is ‘the most challenging risk to manage,’ a drastic change from 2009 when it was a much smaller concern for financial professionals. […] The survey of roughly 365 treasury and financial professionals conducted with Marsh & McLennan shows that 53% of respondents say that cybersecurity is the most challenging risk to manage, compared to just 12% of respondents citing cybersecurity in 2009.”
  • Why many security pros lack confidence in their implementation of Zero Trust: Reported in TechRepublic, “The report found that confidence levels around the implementation of Zero Trust are about split down the middle. Some 53% of those polled said they're confident in their ability to set up Zero Trust, while 47% admitted that they lack such confidence.”
  • Cybersecurity breach a top reason for reviewing manager mandates – CoreData: Reported in Pensions and Investments, “More than half, 57%, of asset owners cited a cybersecurity breach at a money manager as a key reason for an unplanned review of a mandate, according to a survey of 117 institutional investors conducted by CoreData Research that was released [last] Tuesday.”
  • CISOs burdened by unhealthy stress levels, survey study finds: Reported in SC Media, “In a recent survey of 400 U.S.- and UK-based chief information security officers, an overwhelming number, 88 percent, said they find themselves under a moderate or high amount of job-related stress. Moreover, 48 percent admitted that the stress has affected their mental health, while 31 percent said their job performance has suffered…”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

  • Private Equity Acquiring Forescout Cybersecurity; Will More Bidders Emerge?: Reported in MSSP Alert, “Forescout Technologies, which develops device visibility, control and cybersecurity solutions, is being acquired by private equity firm Advent International for $1.9 billion. Crosspoint Capital Partners also is involved in the deal.”
  • HPE acquires zero-trust networking, security firm Scytale: Reported in ZDNet, “HPE has secured a pool of experienced engineers from enterprise companies through the acquisition of startup Scytale. The deal was made public [last] Monday. According to HPE general manager of the Cloud Initiative Dave Husak, the agreement will play a fundamental role in HPE's plans to deliver dynamic, open, edge-to-cloud platforms with security at their core.”