NTSC Technology Security Roundup

Weekly News Roundup: February 26, 2018

California Assembly Bill 2658 Seeks to Revise Definition of Electronic Records and Signatures to Include Blockchain Technology

As blockchain technology becomes a more prominent part of legal documentation, state legislatures are starting to recognize the trend. While some states such as Florida and Arizona have already adopted legislation related to blockchain technology, California’s Assembly Bill 2658 is significant because California often sets precedents for the rest of the United States. According to CoinDesk, “Assembly Bill 2658, submitted by Assemblymember Ian Calderon last week, expands the definition of electronic records and signatures - contained in the Uniform Electronic Transactions Act - to include records and signatures on the blockchain, notably stipulating: ‘A record that is secured through blockchain technology is an electronic record.’”

SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures

According to a press release, the Securities and Exchange Commission voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

Federal Cybersecurity News Roundup

Here is a roundup of some important federal cybersecurity news from last week:

  • Secretary of Homeland Security Kirstjen M. Nielsen Statement on Cybersecurity for the Nation’s Election: In a statement on Tuesday, Nielsen said, “[The] DHS and our federal, state and local partners have been working together for more than a year to bolster the cybersecurity of the nation’s election infrastructure. Last week, I had the opportunity to meet with the Executive Board of the National Association of Secretaries of States, who were in town along with representatives from all 50 states and a number of local jurisdictions for a series of meetings and briefings on this important issue. I thanked them for their partnership and pledged the Department will continue its support to state and local election officials, primarily through sharing timely and actionable threat information and offering cybersecurity services.” (CNET also published an interview with Jeanette Manfra, DHS’s top cybersecurity official, about this issue.)
  • Attorney General Sessions Announces New Cybersecurity Task Force: According to a press release, “Attorney General Jeff Sessions has ordered the creation of the Justice Department’s Cyber-Digital Task Force, which will canvass the many ways that the Department is combatting the global cyber threat, and will also identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area.”
  • Army requests $429 million for new cyber training platform: According to Defense News, “In the Army’s research and development budget documents, the service requested $65.8 million in fiscal 2019 for the training environment and $429.4 million through fiscal 2023.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies: According to IBM Security in a recent report, “IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.”
  • 2017 Annual Security Roundup: The Paradox of Cyberthreats: Summarizing the Trend Micro report, Help Net Security noted “the company’s researchers believe that, with the advent of GDPR, it’s likely that some criminals will try to extort money from enterprises by first determining the GDPR penalty that could result from an attack, and then demanding a ransom of slightly less than that fine, which CEOs might opt to pay.”
  • New Global Cybersecurity Report Reveals Cybercrime Takes Almost $600 Billion Toll on Global Economy: According to a press release, “McAfee, in partnership with the Center for Strategic and International Studies (CSIS), [on Wednesday, February 20] released ‘Economic Impact of Cybercrime – No Slowing Down,’ a global report that focuses on the significant impact that cybercrime has on economies worldwide. The report concludes that cybercrime costs businesses close to $600 billion, or 0.8 percent of global GDP, which is up from a 2014 study that put global losses at about $445 billion.”
  • Cybersecurity Talent: The Big Gap in Cyber Protection: According to a press release, “Sixty-eight percent of organizations reported high demand for cybersecurity skills compared to 61% demanding innovation skills and 64% analytics skills. Demand for these skills was then set against the availability of proficient skills already present in the organization. This identified a 25 percentage point gap for cybersecurity skills (with 43% availability of proficient skills already present in the organization), compared to a 13 percentage point gap for analytics (51% already present) and a 21 percentage point gap for innovation (40% already present).”
  • Fortinet Threat Landscape Report Q4 2017: In a blog post, Fortinet said, “over Q4 of 2017 we detected an average of 274 attacks per firm, which is a staggering 82% increase over the previous quarter. The number of existing malware families also increased by 25%, to 3,317, and unique malware variants grew 19%, to 17,671, which not only indicates a dramatic growth in volume, but in the evolution of malware itself.”
  • F-Secure Incident Response Report: Summarizing the report, Infosecurity Magazine said, “the majority of incidents were targeted (55%) rather than opportunistic (45%) attacks, with the former employing a greater range of TTPs than the latter. Phishing emails (16%) and malicious email attachments (18%) together formed the biggest threat.”

Axio’s Scott Kannry Outlines Four Myths About Cybersecurity Maturity

In a recent article for Help Net Security, Scott Kannry (CEO of Axio) outlines four myths about cybersecurity maturity. He says “security continues to struggle as much today as it did a decade ago. A large part of the problem is that security professionals and their leaders have bought into myths that hamper their ability to move their organizations forward and achieve maturity – the kind of maturity that’s necessary to be able to survive and recover from a cyber attack.” His four myths are:

  • Cybersecurity risk can be eliminated.
  • There’s a cybersecurity silver bullet somewhere; we just haven’t found it yet.
  • The security organization effectively operates as a silo.
  • Regulatory compliance = security.