NTSC Technology Security Roundup

Weekly News Roundup: February 18, 2019

Two Senate Bills Address Cybersecurity Workforce Development

Two Senate bills were recently introduced that address cybersecurity workforce development.

  • Cyber Security Exchange Act: According to SecurityWeek.Com, “Senators Amy Klobuchar (D-MN) and John Thune (R-SD) [last] Monday introduced the bipartisan Cyber Security Exchange Act, which establishes a public-private exchange program. Experts from the private sector and academia would be recruited for limited ‘tours of duty’ in the government for up to two years. In addition, experts working for the government would do tours of duty in the private sector to learn best practices that can be applied to secure government systems.”
  • Federal Rotational Cyber Workforce Program Act: According to NextGov, “Sens. Gary Peters, D-Mich., John Hoeven, R-N.D., Maggie Hassan, D-N.H., and Ron Johnson, R-Wis., on [February 7] reintroduced a bill that would create a program that allows government cyber specialists to gain professional experience at multiple agencies. Under the Federal Rotational Cyber Workforce Program Act, feds with cyber experience would be able to do stints at agencies with less robust security infrastructures, which would bolster those organizations’ digital defenses. By giving feds exposure to a diverse array of security challenges, lawmakers aim to make government cyber jobs more appealing.”

31 Attorneys General Submit Letter to FTC About Identity Theft Rules

In a letter sent to the FTC, 31 attorneys general commented upon the importance of identity theft rules and urged the FTC to keep these rules. The letter states that “the Identity Theft Rules (‘the Rules’), known as the ‘Red Flags Rule’ and the ‘Card Issuers Rule,’ appropriately place the burden on certain entities to detect, prevent and mitigate identity theft. Only these entities have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief. We see evidence of many businesses taking their responsibilities under the Rules seriously through the course of our investigations – particularly in investigations that are unrelated to data security. […] We strongly believe there is a continued need for the Rules, as repealing the Rules would leave consumers more vulnerable to identity theft.” SC Media notes that “the FTC’s identity theft rules have been flexible enough to keep up with the changing times, but the AGs said they need to be amended to reflect changes in communications means (including email addresses and cell phone numbers), and to highlight best practices as well as expand the ‘Unusual Use Of, or Suspicious Activity Related to, the Covered Account’ section.”

Critical Infrastructure News

Last week, two news items highlighted continued concerns about cybersecurity related to critical infrastructure:

  • Increased use of natural gas exposes U.S. to cyber attacks, FERC chairman says: According to MarketWatch, “A Senate hearing [last] Thursday focused on the threats to energy infrastructure from hackers, including to natural gas pipelines. The Senate Committee on Energy and Natural Resources’ hearing follows the U.S. intelligence community’s publication of worldwide threats, which include the ability of China, Russia, Iran, and North Korea to disrupt critical infrastructure. Neil Chatterjee, chairman of the Federal Energy Regulatory Commission, discussed the need for bolstering the U.S.’s ability to defend against cyber attacks that could paralyze access to power.”
  • Cyber threats to utilities on the rise, firm warns: According to The Hill, “Cybersecurity risks to utilities' systems increased in 2018, with more intrusions into those networks and malware that infected those systems, according to a new report from a threat assessment firm released Thursday. Dragos, which specializes in industrial cybersecurity, found that the threat for systems such as electric grids has grown over the last year, even without a substantial attack taking place.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Here's the latest evidence that security burnout is very real: Reported in CyberScoop, “Thirty-two percent of security practitioners say they believe they would either lose their job or receive an official warning in the event of a data breach. Ninety-one percent reported moderate or high stress, with a quarter saying the job has affected their mental or physical health.”
  • Most US Firms Expect Critical Attack this Year: Reported in Infosecurity Magazine, “An estimated 80% of US businesses expect to be hit by a critical security breach at some point in the coming year, according to new research from Trend Micro.”
  • Cyber criminals increasingly used 'formjacking' to carry out attacks in 2018: study: Reported in The Hill, “Cyber criminals increasingly turned to ‘formjacking’ as their go-to means of carrying out attacks against companies last year, according to tracking by Symantec. Using that method, hackers have stolen sensitive customer data by inserting a few lines of malicious code onto e-commerce websites.”
  • Phishing, Humans Root of Most Healthcare Attacks: Reported in Infosecurity Magazine, “Nearly half (48%) of all respondents identified two different categories of major threat actors, which included online scam artists (28%) and negligent insiders (20%). The hospitals that participated in the survey said that when looking at the security incidents that occurred in the last 12 months, the initial point of compromise for 69% of the attacks was the result of phishing emails. […] Among all the survey participants, 59% said that the most commonly cited point of compromise was email and 25% were human error.”
  • RATs and Business Email Compromise Attacks on the Rise: Proofpoint: Reported in Computer Business Review, “The number of RATs (Remote Access Trojans) infecting machines globally doubled each quarter of 2018, scratching their way from comprising just 0.04 percent of observed malware in 2017 to over eight percent of all malicious payloads in Q4 of 2018.”

Cybersecurity Acquisitions

Several cybersecurity company acquisitions were reported last week:

  • Symantec Acquires Zero Trust Access Pioneer Luminate Security: According to a press release, “Luminate’s Secure Access Cloud™ technology further extends the power of Symantec’s Integrated Cyber Defense Platform to users as they access workloads and applications regardless of where those workloads are deployed or what infrastructure they are accessed through. […] [Luminate’s] technology allows enterprises to scale private, ‘no DNS’ access control, granting user connections only to the specific applications and resources for which they are authorized.”
  • Israeli spyware firm NSO Group 're-acquired' by founders: Reported in Boing Boing, “[Last] Thursday, NSO Group announced it has been ‘re-acquired’ by its founders. Security researchers found evidence NSO sold spyware to governments that are established human rights abusers. The company has been accused of creating tools that help bad regimes invade privacy, conduct abusive surveillance, and target political enemies for detention, torture, and assassination.”
  • GBG acquires Atlanta-based IDology: According to a press release, “GBG, the UK-headquartered Identity Data Intelligence specialist, [announced last Monday] that it has conditionally agreed to acquire the entire issued share capital of IDology, a US-based provider of identity verification and fraud prevention services, for a total consideration of £233m ($300m) in an all-cash transaction. IDology is a fast-growing provider of identity verification services that helps remove friction both in onboarding customers and in the detection of fraud. Its market-leading US identity verification and fraud prevention services, led by its ExpectID product range, are the perfect strategic complement to GBG’s identity verification solutions.”