NTSC Technology Security Roundup

Weekly News Roundup: March 2, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Murkowski, Manchin introduce major energy legislation: According to The Hill, “Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.) [last] Thursday introduced a long-awaited energy package that's shaping up to be the best chance this year for passing legislation to expand the use of cleaner forms of energy. The American Energy Innovation Act would touch nearly every aspect of the energy industry, incorporating more than 50 bills advanced by the Senate Energy and Natural Resources Committee. […] [It] includes a number of cybersecurity and grid modernization efforts to prevent electric grids from being hacked by adversaries.”
  • Senate passes ‘rip and replace’ bill to remove old Huawei and ZTE equipment from networks: According to TechCrunch, “The U.S. Senate [last Thursday] voted unanimously to pass the Secure and Trusted Telecommunications Networks Act. Written as a response to recent concerns around Chinese hardware manufacturers, the bill would ban purchase of telecom equipment from embattled Chinese manufacturers like Huawei and ZTE. H.R. 4998, which passed the House last December, would also include $1 billion in funding to help smaller rural telecoms ‘rip and replace’ existing equipment from specific manufacturers.”
  • House Committee reviews controversial Washington Privacy Act: According to IAPP, “Following a 46-1 vote in the Senate, the proposed Washington Privacy Act has moved over to the House of Representatives, where a previous version stalled last spring. The proposed legislation’s lack of private right of action for consumers, preemption of local laws and ordinances, regulations on commercial uses of facial recognition, and the Washington attorney general’s exclusive enforcement authority raised concerns from those who spoke before the Innovation, Technology and Economic Development Committee during its first public hearing on Senate Bill 6281 [on February 21].”
  • Uniform Law Commission takes up privacy law endeavor: According to IAPP, “The ULC has formed a drafting committee for the Collection and Use of Personally Identifiable Data Act, which was presented at the committee’s first drafting meeting Feb. 21 and 22 in Washington. The committee’s goal is to draw up legislation by 2021 for states to adopt, potentially creating a more unified approach to privacy law across the country.”
  • U.S. Congress should not override California privacy law - state attorney general: According to Reuters, “California Attorney General Xavier Becerra [last] Tuesday sent a letter to four top U.S. lawmakers urging them not to pre-empt the state’s new privacy law with watered-down federal legislation. […] Federal lawmakers contemplating a federal privacy law are looking at California as a guide, but disagree over whether the federal law would preempt state laws, whether users should be allowed to sue companies over privacy, and other issues.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • NIST Releases Roadmap on How to Build Cybersecurity Workforce: According to MeriTalk, “The National Institute for Standards and Technology (NIST) released a report outlining best practices in building the cybersecurity workforce through regional partnerships. […] In September 2016, the National Initiative for Cybersecurity Education, led by NIST, awarded funding for five pilot programs for Regional Alliances and Multistakeholder Partnerships to Stimulate Cybersecurity Education and Workforce Development. […] The report, which includes a summary of the work and accomplishments from each of the programs, concludes by stating there is no one right way to build a regional alliance. The act of having an organization in a convener role, the report states, can help cybersecurity workforce development in a region and lead to national impact.”
  • FTC Releases 2019 Privacy and Data Security Update: According to a press release from the FTC, “The Federal Trade Commission [last Tuesday] released its annual privacy and security update for 2019, highlighting a record year for enforcement actions aimed at protecting consumer privacy and data security. For example, the Commission levied a $5 billion penalty—the largest consumer privacy penalty ever—against Facebook for violating its 2012 FTC privacy order and imposed new restrictions on the social network’s business operations. The FTC also obtained a record $170 million penalty against YouTube and Google for alleged violations of the Children’s Online Privacy Protection Act (COPPA).”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New Report Highlights Lack of Ransomware Attack Prevention Training for US Government Employees: Reported in Cyware, “Recently, IBM Security released the results of a new study containing responses from close to 700 US local and state employees across various sectors, namely IT, education, emergency services, and security departments. Only 38% of local and state employees received any training in general ransomware prevention.”
  • ISACA’s Cybersecurity Study Shows Skills Gaps, Hiring and Retention Struggles Persist: According to a press release, “62% [of survey respondents] say their organization’s cybersecurity team is understaffed; 57% say they currently have unfilled cybersecurity positions on their team. 72% of cybersecurity professionals believe their HR departments do not regularly understand their needs.”
  • Modern malware is increasingly leveraging evasive behaviors: Reported in Help Net Security, “Modern malware is increasingly leveraging evasive behaviors, a new report by VMware Carbon Black released at RSA Conference 2020 has revealed. […] Defense evasion behavior was seen in more than 90 percent of the 2,000 samples they analyzed. Ransomware has seen a significant resurgence over the past year. Defense evasion behaviors continue to play a key role with ransomware (95 percent of analyzed samples).”
  • Emotet Resurfaces to Drive 145% of Threats in Q4 2019: Reported in Dark Reading, “Emotet is back with a bang, driving a 145% spike in threat activity throughout the fourth quarter of 2019, researchers report in a new analysis of 202 billion emails from the past quarter. Of the messages analyzed, 92 billion were rejected.”
  • Healthcare industry at greatest risk of data breach: Reported in Help Net Security, “The healthcare industry has significantly more exposed attack surfaces than any other industry surveyed, according to Censys’s research findings of cloud risks and cloud maturity by industry, revealed at RSA Conference 2020. Leveraging the Censys SaaS Platform, company researchers measured the occurrence of exposed databases and exposed remote login services – two key indicators of modern security risks – for the ten largest companies by revenue in seven major industries (Automotive, Energy, Hotels, Insurance, Manufacturing, Healthcare and Financials). The healthcare industry showed significantly more exposed databases and more exposed remote login services.”
  • Almost Half of Orgs Have Dedicated Cyber-Threat Intelligence Team: Reported in Infosecurity Magazine, “A new survey from SANS has revealed that almost 50% of organizations have a team dedicated to cyber-threat intelligence (CTI).”
  • Mismanagement of Device Identities Could Cost Businesses Billions: Reported in Security Week, “In a report sponsored by cryptographic key and digital certificate management firm Venafi, AIR Worldwide suggests the cost [of poorly protected device identities] to U.S. business is between $15 billion and $21 billion; or between 9% to 13% of the total U.S. economic loss caused by cyber events (estimated to be $163 billion).”
  • Verizon: Attacks on Mobile Devices Rise: Reported in Dark Reading, “‘About 40% of our respondents across the board report having a mobile security compromise,’ says Bryan Sartin, executive director of global security services at Verizon. That’s an increase from 33% of organizations in Verizon’s 2019 report.”
  • Cloud-based collaboration tools are a major driver of data exfiltration: Reported in Help Net Security, “Cloud-based collaboration technologies and workforce turnover have become major drivers of data exfiltration as insider threat programs fail to keep pace with today’s digital workplace, a Code42 survey reveals.”
  • Tech Industry is the Least Secure Industry, Say Hackers: Reported in Infosecurity Magazine, “New research from HackerOne has revealed that hackers believe the technology industry is the least secure industry. […] Of those polled, 18% said that the technology industry has the furthest to go to improve its cybersecurity, followed by government (16%) and finance (14%).”
  • 97% of IT leaders worried about insider data breaches: Reported in Help Net Security, “A staggering 97% of IT leaders say insider breach risk is a significant concern, according to a survey by Egress. 78% think employees have put data at risk accidentally in the past 12 months and 75% think employees have put data at risk intentionally. When asked about the implications of these breaches, 41% say financial damage would be the area of greatest impact.”
  • Users still engaging in risky password, authentication practices: Reported in Help Net Security, “IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute.”
  • Increased monetization means more ransomware attacks: Reported in Help Net Security, “Organizations are detecting and containing attacks faster as the global median dwell time, defined as the duration between the start of a cyber intrusion and it being identified, was 56 days. This is 28% lower than the 78-day median observed in the previous year, according to FireEye.”
  • Organizations lack confidence in their network security: Reported in Help Net Security, “9 out of 10 IT professionals are not confident that their network is secured against attacks or breaches. Financial services IT professionals are the most concerned about security, with 89% saying they are not confident their networks are secured against breaches.”
  • Nearly Half of CISOs Have “Given Up” on Proactive Approach to Security: Reported in Computer Business Review, “42 percent of CISOs are suffering from cybersecurity fatigue: defined as ‘virtually giving up’ on proactively defending against malicious actors.”

McAfee to Acquire Light Point Security

According to a press release, McAfee, the device-to-cloud cybersecurity company, announced last Monday that it has entered into a definitive agreement to acquire Light Point Security, LLC. Upon the close of the acquisition, the Light Point Security team will join McAfee. Founded by former NSA employees, Light Point Security’s solution can protect users from zero-day and other emerging malware like ransomware and credential phishing attacks by isolating browser sessions in a remote virtual environment outside of the corporate network. McAfee plans to integrate Light Point Security’s browser isolation technology into McAfee Secure Web Gateway, complementing its existing comprehensive inbound and outbound protection for all web and cloud traffic.