NTSC Technology Security Roundup

Weekly News Roundup: February 3, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Lawmakers claim progress on online privacy bill: According to The Hill, “Key lawmakers maintained [last] Tuesday that they are making progress in their efforts to put together the country's first comprehensive online privacy bill after hitting several bumps in Congress late last year. At the tech-funded State of the Net conference in Washington, D.C., lawmakers on the relevant House and Senate committees signaled they are grappling with the same obstacles that resulted in Democrats and Republicans putting out separate versions of a privacy bill last year – but insisted they're still dedicated to bipartisan negotiations.”
  • House committee advances bill that would give DHS cyber agency subpoena power: According to The Hill, “The House Homeland Security Committee approved legislation [last] Wednesday that would give the Department of Homeland Security’s (DHS) cyber agency subpoena power and increase cyber protections for the nation. The committee unanimously approved the bipartisan Cybersecurity and Vulnerability Identification and Notification Act, sending it to the full House for a vote. The bill would give DHS’s Cybersecurity and Infrastructure Security Agency (CISA) the ability to issue subpoenas to internet service providers that would compel them to release information on any cyber vulnerabilities detected on the networks of critical infrastructure groups.”
  • House Panel Approves Legislation to Establish Term for CISA Leader: According to Security Magazine, “The House Homeland Security Committee advanced the CISA Director Reform Act, which aims to improve operations and efficiency at the Cybersecurity Infrastructure Security Agency (CISA), which is charged with protecting our nation from cyber threats. The legislation was authored by U.S. Rep. John Katko (NY-24). Currently, the CISA Director lacks a set term, which creates uncertainty for those within the agency and in the position, says a release. Mandating a timeframe will empower the CISA Director and provide stability outside of ad hoc appointments and varying term lengths.”
  • House Bill Would Allow Suits Over Kids’ Privacy Violations: According to Bloomberg Government, “A House Democrat is attempting to overhaul decades-old online protections for children by giving parents the right to sue companies and expanding privacy coverage to teenagers, but the proposal may struggle to gain traction across the aisle. Rep. Kathy Castor (D-Fla.) [introduced] a bill (H.R. 5703) [last] Thursday that [will] dramatically change the enforcement of the Children’s Online Privacy Protection Act (COPPA) that was signed into law in 1998. If it becomes law, it would affect large technology companies that host content directed toward children, including Google’s YouTube, which has faced fines for kids’ privacy violations.”
  • Legislation in Washington state stirs privacy advocates' hopes for federal law: According to Inside Cybersecurity, “Movement in the Washington state Senate on a revised privacy bill is renewing hopes among privacy advocates that pressure is building for federal lawmakers to enact a national law, in part because the latest state proposal is viewed as tougher than a landmark California law often cited on Capitol Hill as a major driver for federal requirements.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • SEC Urges Better Cybersecurity Practices at Financial Firms: According to The Wall Street Journal, “The Securities and Exchange Commission is telling financial-services companies what kind of cybersecurity practices it has found during audits, giving them detailed information on how to handle sensitive data and guard against cyberattacks. The observations by the SEC are the latest in a string of moves by regulators and government agencies that demonstrate they are increasingly concerned about corporate cybersecurity practices.”
  • NIST Wants Feedback on Standardizing Cyber Guidance: According to MeriTalk, “A National Institute of Standards and Technology (NIST) draft report on a new program to standardize and centralize cybersecurity regulations is now open for public comment. The draft explains the new National Cybersecurity Online Informative References (OLIR) Program, the benefits of OLIR, how to access OLIRs, and how subject matter experts can contribute. The program stems from the need to organize large amounts of cybersecurity guidance.”
  • NIST NCCoE Releases Ransomware, Data Protection Guides: According to MeriTalk, “The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) released two draft guides on data management and protection in the wake of cyberthreats. The Jan. 27 drafts, on responding to and protecting assets from cyberthreats, were drafted by NCCoE to help organizations protect the integrity, availability, and confidentiality of data. Both reports specifically caution against the danger of ransomware attacks, a style of attack that leaves data unusable to the organization through unwanted encryption.”
  • Pentagon Rolling Out New Cybersecurity Standards for Industry: According to National Defense Magazine, “The Defense Department unveiled its plans Jan. 31 for implementing a new set of cybersecurity standards that companies must eventually adhere to if they want to do business with the Pentagon. Cybersecurity Maturity Model Certification version 1.0, or CMMC, is an effort to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by foreign adversaries such as China.”
  • National Security Agency Releases Guide on Mitigating Cloud Vulnerabilities: According to Security Magazine, “The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities and potential mitigation measures. The document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • 97 of the world's 100 largest airports have massive cybersecurity risks: According to TechRepublic, “Swiss web security company ImmuniWeb has released an in-depth report on the cybersecurity posture of the world's biggest airports, finding that almost all of them had an alarming lack of systems in place to protect their websites, mobile applications and public clouds. The company's researchers compiled their findings in the ‘State of Cybersecurity at Top 100 Global Airports’ report, which said only three airports -- Amsterdam Airport Schiphol, Helsinki-Vantaa Airport and Dublin Airport -- passed all of their tests without a single major issue being detected.”
  • Union Leader Says Utilities Not Incentivized to Report Cyber Incidents or Implement Protections: According to NextGov, “The new leader of the Utility Workers Union of America is calling attention to a lack of public accountability for utilities’ cybersecurity practices due to a relaxed regulatory environment. Unlike gas leaks which are flagged by odors or can cause explosions that would cause the public to push the private sector entities to address failures, cybersecurity threats can fly under the radar, said Jim Slevin, who was elected president of the union in July.”
  • TIA Launches Telecom Network and Supply Chain Security Standards and Programs: According to Broadband Communities Magazine, “The Telecommunications Industry Association (TIA), which represents the manufacturers and suppliers of high-tech communications networks, announced a new initiative to build industry-driven telecommunications supply chain security standards and programs. […] Under the umbrella of its successful QuEST Forum TL 9000 Quality Management System, TIA has established an industry-led working group to assess the landscape and initiate the development of global standards that ensure the integrity of the ICT supply chain, while maintaining innovation, competition and economic growth.”
  • Cyber Threat Alliance and FS-ISAC Sign Cooperative Working Agreement: According to a press release, “The Cyber Threat Alliance (CTA) and The Financial Services Information Sharing and Analysis Center (FS-ISAC), which represent cybersecurity companies and the financial services sector, have signed a working agreement to cooperate on threat intelligence, coordinate during cybersecurity emergencies and collaborate on future cybersecurity exercises. CTA and FS-ISAC will engage in analytical exchanges on trends, specific threats, incidents and research of interest to both organizations. In addition, they will coordinate and share threat intelligence as necessary and appropriate.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Study: Mature privacy programs experience higher ROI: Reported in IAPP, “Cisco found for every $1 an organization spends, they receive a $2.70 return on investment. Robert Waitman, CIPP/US, a director in Cisco's privacy office, said the biggest ROI discrepancies were not based on company size but rather the maturity of an organization's privacy program.”
  • Enterprise Hardware Still Vulnerable to Memory Lane Attacks: Reported in Dark Reading, “Hardware makers have lagged behind in protecting even the latest systems from attacks through their ports, leaving users' and companies' systems open to exploit by anyone who can snag some alone time with the targeted system, security firm Eclypsium stated in a report published on January 30. The attacks exploit the direct memory access, or DMA, feature of some computers and servers which allow peripherals to directly access the system's memory.”
  • SEO Spam Dominated Website Infections in 2019: Reported in Security Week, “Nearly two-thirds of infected websites had a form of SEO spam present, with database spam being the most prevalent form of infection. At least one form of backdoor was found on 47% of the compromised websites, providing attackers with persistent access to the infected environment.”
  • Number of Botnet Command & Control Servers Soared in 2019: Reported in Dark Reading, “For the second year in a row, the number of servers used by attackers worldwide to control malware-infected systems increased sharply. The Spamhaus Project, which tracks both the domain names and the IP addresses used by threat actors for hosting botnet command-and-control servers (C2), identified 17,602 such servers hosted on a total of 1,210 different networks worldwide in 2019. The number represented a big 71.5% jump over the 10,263 botnet C2 servers that Spamhaus detected and blocked in 2018, and a near doubling in number from the 9,500 servers in 2018.”
  • Average Ransom Payment Has Increased by 104% in Q4 2019: Reported in Cyware, “With the increase in ransomware attacks, the average ransom payment has risen to 104% in the fourth quarter of 2019. A report from Coveware reveals that the ransomware attackers had collected an average of around $84,000 from victim organizations in the Q4 of 2019 when compared to $41,198 in Q3 of 2019.”