NTSC Blog

Weekly News Roundup: March 30, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

• California attorney general's office: No delay on CCPA enforcement amid COVID-19: According to IAPP, “[California Attorney General Xavier Becerra’s] office rebuffed any ideas of keeping the CCPA from taking full force, following suit with its position on past calls to delay enforcement. ‘Right now, we're committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,’ an advisor to Becerra said. ‘We're all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.’”
• Pentagon drafts legislation for flexible funding of cyber capabilities: According to Inside Cybersecurity, “The Pentagon is asking Congress to pass legislation allowing Defense Department organizations to use operations and maintenance funding to develop cyber offensive and defensive measures, or ‘peculiar’ capabilities, in response to immediate threats or incidents.”
• Senator sounds alarm on cyber threats to internet connectivity during coronavirus crisis: According to The Hill, “Sen. Mark Warner (D-Va.) [last] Wednesday expressed serious concerns about cyber threats to internet connectivity for Americans working from home during the ongoing coronavirus pandemic. Warner, who serves as the vice chairman on the Senate Intelligence Committee, wrote letters to network device vendors including Google asking that they shore up the security of their products and bolster defenses against potential attacks.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

• White House Releases National Strategy for 5G Security: According to NextGov, “The White House [last] week released its National Strategy to Secure 5G of the United States to formally frame how the nation will safeguard fifth-generation wireless infrastructure at home and abroad. The 7-page policy document sets forth the president’s ‘vision for America to lead the development, deployment, and management of secure and reliable 5G communications infrastructure worldwide, arm-in-arm with [its] closest partners and allies.’”
• DHS Labels Integrators as ‘Essential Critical Infrastructure Workers’: According to Security Sales & Integration, “Integration companies may be exempted from coronavirus regulations that call for a work stoppage in a local area. That’s because the U.S. Department of Homeland Security (DHS) has identified integrators as ‘essential critical infrastructure workers during the COVID-19 response.’ The DHS guidelines from the Cybersecurity and Infrastructure Agency (CISA) are intended to assist both state and local officials when making decisions regarding essential workers in their own jurisdictions. CISA’s identification of ‘essential critical infrastructure workers’ is ‘intended to be overly inclusive reflecting the diversity of industries across the United States.’”
• NIST seeks industry proposals for protecting IT supply chain from counterfeit components: According to Inside Cybersecurity, “The National Institute of Standards and Technology is requesting industry proposals for demonstrating how organizations can verify that purchased computing products do not contain counterfeit components, a key element of broader federal efforts for securing the nation's information technology supply chain.”
• NIST seeks comment on guide for merging cybersecurity with enterprise-wide risk management: According to Inside Cybersecurity, “The National Institute of Standards and Technology has issued for comment draft guidelines on how an organization can integrate cybersecurity into its broader risk-management practices, which can include addressing financial and regulatory risks.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

• Experts report recent increase in Chinese group's cyberattacks: According to The Hill, “A prolific Chinese government-backed cyber group has recently stepped up its attacks on health care, pharmaceutical and other sectors, according to research released [last] Wednesday by cybersecurity group FireEye. FireEye experts discovered that the Chinese cyber threat group known as APT41 had launched what they described as ‘one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.’ The group, which FireEye previously assessed with ‘high confidence’ is state-sponsored, was found to have widely targeted companies in almost two dozen countries in a variety of sectors between January and March. Beyond health-related industries, APT41 also went after firms involved in the banking, construction, defense, manufacturing, telecommunications, media and utility sectors, among others.”
• FireEye warns about the proliferation of ready-made ICS hacking tools: According to ZDNet, “FireEye security researchers warn that the proliferation of hacking tools with capabilities for targeting industrial control systems (ICS) is lowering the entry bar for attackers and increasing risks for organizations operating in the industrial sector. In a study published [last Monday], the US cybersecurity firm said it analyzed all the hacking tools with ICS targeting capabilities that were released in recent years. […] Most of the tools were vendor agnostic, the company said, having the ability to scan for generic indicators usually found on all ICS networks. However, FireEye said it also found tools that were developed to target specific ICS vendors, suggesting they were explicitly created to hack into a particular system.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

• Insurance giant Marsh sees growth in U.S. cyber coverage as manufacturers, other sectors obtain policies: Reported in Inside Cybersecurity, “Purchases of standalone cybersecurity policies grew in 2019 in the United States, according to an annual trends report from global insurer Marsh, with growth in cyber coverage among the firm’s manufacturing clients and the highest growth rate coming from the hospitality and gaming sector.”
• All 4G Networks Susceptible to DoS Attacks: Reported in Infosecurity Magazine, “New research has uncovered a vulnerability affecting all 4G and some 5G telecommunications networks. A study of the security of diameter networks completed by Positive Technologies found that weaknesses in the diameter-signaling protocol meant that 100% of 4G networks are susceptible to denial of service (DoS) attacks.”
• Evasive malware increasing, evading signature-based antivirus solutions: Reported in Help Net Security, “Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions. This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception.”
• Organizations struggle with patching endpoints against critical vulnerabilities: Reported in Help Net Security, “Less than 50 percent of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years, according to Automox.”
• Legal sector more prone to data breaches than ever: Reported in SC Magazine, “More than a fourth (27 percent) of respondents in the legal sector say they or a colleague has accidentally shared or leaked company information externally. This is a huge leap from Egress’ previous year’s survey, where only eight percent admitted personal responsibility. Similarly, 29 percent of respondents in the legal sector said they or a colleague have intentionally shared or leaked company information externally. The figure was just eight percent in the previous year.”
• Large majority of recent AI deployments meeting expectations, says MIT survey: Reported in MarTech Today, “[By] the end of this year, coronavirus notwithstanding, 97% of the ‘large companies’ surveyed will have deployed AI technology. The top uses were quality control, customer care and fraud detection. However, there were many others beyond those, including inventory management, asset maintenance, personalization, pricing and cybersecurity.”
• Critical Infrastructure Cyberattacks a Greater Concern than Enterprise Data Breaches for Three in Four IT Security Professionals: According to a press release, “74% of IT security professionals globally are more concerned about a cyberattack on critical infrastructure than an enterprise data breach. […] 63% of U.S. IT security professionals expect a major cyberattack to be successfully carried out on national infrastructure within the next five years. However, 10% say that we will not ever see one, despite ample evidence of attacks targeting energy and other related sectors.”