Weekly News Roundup: March 11, 2019
DHS Identifies China as Major Threat Priority
During our NTSC Mid-Atlantic Regional CISO Policy Roundtable last week, Rick Driggers (Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security) gave a preview of the Cybersecurity and Infrastructure Security Agency’s (CISA) top priorities. One of those priorities was the threat from China, which CISA director Christopher Krebs talked about more last week at RSA and in an interview with CSO Online. Krebs pointed out specific threats such as VPN apps and Chinese technology suppliers having access to US networks. At RSA (quoted in PCMag India), Krebs said, “The good news is, particularly at the executive level, everybody is much more keenly aware of the threat environment, particularly posed by China, than ever before. (However) from a supply chain perspective, we all recognize we have a lot more work to do. We are just scratching the surface on understanding what's connected.”
FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules
According to a press release last Tuesday, the Federal Trade Commission is seeking comment on proposed amendments to two rules that protect the privacy and security of customer information held by financial institutions. In separate notices to be published in the Federal Register, the FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. Specifically:
- The FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the Rule. For example, the proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC also has proposed improving compliance with these programs by requiring companies to submit periodic reports to their boards of directors.
- The FTC also is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender. This proposed change would bring the Commission’s Rule in line with other agencies’ interpretation of the Gramm-Leach-Bliley Act.
Legislative and Federal Cybersecurity News Roundup
Many federal cybersecurity news stories appeared last week. Here’s a roundup.
- Cyber strategy short on specifics and metrics, says GAO: According to FCW, “The Trump administration's national cybersecurity strategy is a good start but more accountability is needed, the head of the Government Accountability Office told two congressional panels on March 6. […] Cybersecurity across the federal government remains a critical concern, even with the administration's National Cyber Strategy released last September. The security of critical infrastructure is also an issue.”
- NSA-Cyber Command Chief Recommends No Split Until 2020: According to NextGov, “The commander of the nation’s top military cybersecurity organizations, the National Security Agency and U.S. Cyber Command, has recommended they split from each other next year… […] That’s another delay for an organizational change first planned for in 2016 and since slowed to allow officials time to sort out the authorities for the civilian agency and military command and ensure that both entities can perform well independently.”
- Cyber group calls for coordinated vulnerability disclosure policies: According to FCW, “A white paper released March 6 by the Cybersecurity Coalition, an industry group led by former White House Senior Cybersecurity Director Ari Schwartz, recommends that organizations and governments adopt coordinated vulnerability disclosure (CVD) frameworks. The paper also suggests placing the Department of Homeland Security or another civilian department in charge of developing a policy framework for federal agencies, and it calls for more federal funding for resources like the Common Vulnerability and Exposures and National Vulnerability Database programs.”
- Former NSA Director: Public and private sectors must unite to prevail against advanced cyberattacks: At an event last week, SC Magazine quoted former NSA Director Mike Rogers as saying, “Expecting the private sector to literally withstand the focused efforts of entire nation states that are working in a very synchronized strategy way to attempt to gain advantage, I don’t think that’s realistic. Likewise, going, ‘Well, this is the government’s problem,’ is not going to work. It’s our ability to team together that I think [is] one of our big challenges as I look to the future.”
Cybersecurity Reports and Surveys Roundup
We’ve rounded up a few of the best cybersecurity reports and surveys released last week:
- IT teams can’t plug security gaps because they don’t know what they are – research: Reported in Information Age, “20% of IT managers surveyed are unaware of how their most significant cyberattack entered their organizations. The research also found that 17% don’t know how long the threat was in the environment before it was detected.”
- Phishing Attacks Spiked by 250% in 2018: Reported in Infosecurity Magazine, “A new report from Microsoft found that phishing attacks increased 250% over the course of 2018. According to Microsoft’s Security Intelligence Report (SIR) volume 24, attackers have shifted tactics and are now targeting multiple points of attacks within one campaign.”
- Cybercrime is increasing and more costly for organizations: Reported in ZDNet, “The average cost of cybercrime for an organization has increased $1.4 million over the past year, to $13.0 million, and the average number of security breaches in the last year rose by 11 percent from 130 to 145.”
- Survey: Cybersecurity Threats from Careless Insiders and Foreign Governments Reach All-Time Highs: Reported in NextGov, “The survey, conducted by Market Connections, polled 200 federal IT decision-makers and influencers between December 2018 and January 2019 regarding eight security threats: careless/untrained insiders, foreign governments, general hacking community, hacktivists, malicious insiders, terrorists, for-profit crime and industrial spies. Six of the eight threat sources were at all-time highs this year, with the majority of respondents listing careless/untrained insiders (56 percent) and foreign governments (52 percent) as their greatest source of security threats.”
- 3 ways geopolitical attacks could impact your business this year: Reported in TechRepublic, “Nearly 75% of CEOs say their companies are affected by geopolitical cyberattacks, but only 15% feel resilient, according to a PwC report.”
- APWG Report: Phishers Shift Efforts to Attack SaaS and Webmail Services: According to a press release, “Phishing that targeted SaaS and Webmail services jumped from 20.1 percent of all attacks in Q3 to almost 30 percent in Q4. Attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in Q1 2018 to 4 percent in Q4 2018.”
- A third of 2018’s vulnerabilities have public exploits, 50% can be exploited remotely: Reported in Help Net Security, “32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely, meaning that few of the reported vulnerabilities require any type of physical proximity to a system or a device to be exploited. Another revealing finding, 27.1% of vulnerabilities had no known solution, which unfortunately is up 5% from 2017 based on current data.”
Comcast Acquires BluVector, Developer of AI-Powered Cybersecurity Technology
Last Monday, Comcast announced it acquired BluVector, a company that uses advanced artificial intelligence and machine learning to provide cybersecurity protection to companies and government agencies. With a proprietary machine-learning engine, BluVector detects, analyzes, and contains a wide range of sophisticated cyber-threats including ‘fileless malware,’ zero-day malware and ransomware. The two companies will work together to grow BluVector’s existing business and also collaborate on the development of new cybersecurity technologies. According to Comcast, “BluVector has won a wide array of cybersecurity industry awards and recognition for its innovation and unique technological approach. It is a trusted partner to both Fortune 500 companies and large government agencies working to tackle some of the nation’s most critical challenges.”