NTSC Technology Security Roundup

Weekly News Roundup: March 26, 2018

880,000 Payment Cards Compromised in Orbitz Data Breach

Last Tuesday, travel website and services company Orbitz (a subsidiary of Expedia) reported a data breach of 880,000 payment cards that occurred between 2016 and 2017. According to Reuters, “…an investigation showed that the breach may have occurred between Jan. 1, 2016 and Dec. 22, 2017 for its partner platform and between Jan. 1, 2016 and June 22, 2016 for its consumer platform. Information such as names, phone numbers, email and billing addresses may have been accessed, the travel website operator said, adding that its website, Orbitz.com, was not impacted.”

House Passes “DHS Cyber Incident Response Teams Act of 2018”

Last Monday, the US House of Representatives passed the DHS Cyber Incident Response Teams Act of 2018. Sponsored by Michael McCaul (R-Texas), the bill was passed “to authorize cyber incident response teams at the Department of Homeland Security, and for other purposes.” According to The Hill, “The legislation would authorize the ‘cyber hunt and incident response teams’ at Homeland Security to help owners and operators of critical infrastructure respond to cyberattacks as well as provide strategies for mitigating cybersecurity risks. The bill would also allow Secretary of Homeland Security Kirstjen Nielsen to add cybersecurity specialists from the private sector to the response teams.”

NIST Seeks Public Input for Special Publication About Cyber Resiliency

NIST is seeking public input by May 18 for a Special Publication titled “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems.” The abstract describes it as “a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes, allowing the experience and expertise of the organization to determine what is correct for its purpose. Organizations can select, adapt, and use some or all of the cyber resiliency constructs (i.e., goals, objectives, techniques, approaches, and design principles) described in this publication and apply them to the technical, operational, and threat environments for which systems need to be engineered.”

Federal Cybersecurity News Roundup

Here is a roundup of some important federal cybersecurity news from last week:

  • Military looks to boost pay for cyber talent: According to Defense Systems, “Lt. Gen. Paul Nakasone, Army Cyber Commander and nominee to be head of U.S. Cyber Command and the National Security Agency, said failure to translate cyber workers' past civilian work experience into an appropriate military rank with commensurate pay is hampering recruitment and retention.”
  • Navy consolidates chief information officer amid restructuring: According to Federal News Radio, “A memo signed [March 16] by Thomas Modly, the new undersecretary of the Navy, effectively eliminates the office of the Department of the Navy chief information officer, formerly an influential, separate position within the Secretary of the Navy’s organizational chart.”
  • DHS Chief: Election Security Now Top Priority Among Critical Systems: According to Dark Reading, “US Department of Homeland Security Secretary Kirstjen Nielsen told the Senate Intelligence Committee [last Wednesday] that the agency is ‘prioritizing election efforts ... over all other critical infrastructure sectors’ including finance, energy, and communication critical infrastructure.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cryptocurrency exchanges have pretty weak password security: Reported in The Next Web, “Password manager app Dashlane examined the password protocols of 35 leading cryptocurrency exchange desks and discovered over 70 percent of these companies let users secure their accounts with inadequate passwords.”
  • Businesses lack cyber security confidence after majority were breached in past year: Reported in Computer Weekly, Balabit’s recent research revealed that “only 48% of respondents said they would be fully confident knowing a breach had even happened, which means that more could have taken place without their knowledge. Only 42% feel very confident about what data was accessed, and a mere 39% were fully confident that they could identify the source of a breach.”
  • SiteLock Website Security Insider Q4 2017: According to SiteLock, “Websites experienced 44 attacks per day on average in Q4 2017, a 25 percent decrease from the previous quarter. Despite this decrease, a single website can still experience 16,000 attacks in one year alone.”
  • Understanding Email Fraud: A Global Survey: Conducted by Proofpoint, the survey reported that “77 percent of businesses expect they will fall victim to email fraud in the next 12 months, and yet only 40 percent have full visibility into email threats.”
  • Cybercriminals Launder Up to $200 Billion in Profit Per Year: Reported in Dark Reading, “Cybercriminals launder an estimated $80-200 billion in illegal profit each year, which amounts to 8-10% of all illegal proceeds laundered around the world.”