NTSC Technology Security Roundup

Weekly News Roundup: March 4, 2019

Cybersecurity Legislation and Congressional News Roundup

Last week, Congress continued to press forward on some key cybersecurity priorities.

  • Cybersecurity Disclosure Act of 2019 Introduced in the Senate: This legislation was introduced by U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL). According to a press release, “The Reed-Collins-Warner-Kennedy-Jones legislation would require publicly traded companies to include in its Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company. The legislation does not require companies to take any actions other than to provide this disclosure.”
  • Senator Mark Warner (D-VA) Asks Agencies for Recommendations on Reducing Cybersecurity Vulnerabilities in Health Care Industry: According to a press release, “U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote [last Monday] to the leaders of four federal agencies and departments, seeking details on any measures being taken by the federal government to reduce vulnerabilities in the health care sector. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care industry, asked for strategic recommendations, and conveyed his desire to work alongside federal agencies and health care entities to develop strategies that strengthen information security.”
  • Credit reporting agencies face pressure from skeptical U.S. Congress: According to Reuters, “The nation’s major credit reporting agencies faced renewed scrutiny from Congress on Tuesday, as lawmakers consider legislation overhauling the industry. Top executives from the three major credit reporting agencies - Equifax Inc, Experian Plc and TransUnion - had to defend their business models before skeptical lawmakers who appeared eager to order changes to the sector following Equifax’s massive data breach, disclosed in 2017. […] Legislation beefing up protections around consumer data is seen by analysts and lobbyists to be a rare area of common ground in the current Congress, where Democrats control the House and Republicans control the Senate.”

NYSDFS Cybersecurity Regulation Now Fully in Effect

The New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation, which took effect on March 1, 2017, is now fully in effect as of March 1, 2019. While most organizations have already implemented the majority of the requirements, the two-year period was given for Covered Entities “to address [the risks each Third Party Service Provider poses to their data and systems],” and DFS “expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019.” According to Reuters, “The rules require DFS-covered entities including financial firms, mortgage brokers, charities and Health Maintenance Organizations to use encryption, multi-factor authentication and tighter third party risk assessments, such as penetration tests, to limit outsiders’ access to corporate data. Covered entities also must notify regulators about a data breach within 72 hours and appoint an executive to lead corporate security efforts. DFS has not provided details about possible penalties for compliance failures.”

Data Breach Exposes 2.4 Million+ Dow Jones Watchlist Records

A Dow Jones watchlist containing information about high-risk individuals was recently compromised in a data breach that exposed more than 2.4 million records. While the data originates from publicly sourced information, the watchlist itself is private, proprietary, and guarded. According to TechCrunch, “Many financial institutions and government agencies use the database to approve or deny financing, or even in the shuttering of bank accounts, the BBC previously reported. Others have reported that it can take little or weak evidence to land someone on the watchlists. The records […] vary wildly, but can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.”

ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet

According to a press release, the Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems. As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability. On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN published a checklist of recommended security precautions that members of the domain name industry (registries, registrars, resellers and related parties) should proactively take to protect their systems, their customers’ systems, and information reachable via the DNS.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Moody's - Credit implications of cyberattacks will hinge on long-term business disruptions and reputational impact: According to a press release, “As the potential for significant cyberattacks rises globally, the growing intersection of supply chains, connectivity and access to data is creating new vulnerabilities for governments and businesses. Banks, securities firms, financial market infrastructures and hospitals [which, together, have $11.7 trillion in rated debt], all of which rely heavily on technology for operations, distribution of content or customer engagement are at high risk, says Moody's Investors Service in a new report.”
  • 2019 Global ICS & IIOT Risk Report: According to CyberX, “The data shows that industrial control systems continue to be soft targets for adversaries, with security gaps in key areas such as plain-text passwords (69%), direct connections to the internet (40%), weak anti-virus protections (57%), and WAPs (16%).”
  • Attackers continue to enhance their performance, apply smart business techniques: Reported in Help Net Security, “During the second half of 2018, attackers bulked up existing tactics, rapidly evolved new performance enhancements, and applied smart business techniques to vastly accelerate attack growth rate, according to the latest Threat Landscape Report by Netscout.”
  • Retailers Most Common Credential Stuffing Attack Victim; Points To Dramatic Rise In API Traffic As Key Trend: According to a press release, “[Hackers] directed credential abuse attempts at retail sites more than 10 billion times from May to December last year, making retail the most targeted segment studied. The [Akamai 2019 State of the Internet / Security: Retail Attacks and API Traffic] report also spotlights two other pressing security concerns, the preponderance of API-call traffic on the web and the apparent misrepresentation of IPv6-based traffic.”
  • Healthcare Breaches Affected 11.5 Million People in 2018: Reported in Infosecurity Magazine, “The number of breaches reached a three-year low at 290 breaches total; however, the number of exposed records nearly doubled from 2017. Also notable in the report was that nearly half (46%) of the 11.5 million individuals who were affected by healthcare breaches in 2018 were so because of hacking and IT incidents.”
  • 4G and 5G protocols prone to privacy attacks, new study reveals: Reported in TechCrunch, “A group of academics have found three new security flaws in 4G and 5G, which they say can be used to intercept phone calls and track the locations of cell phone users. The findings are said to be the first time vulnerabilities have affected both 4G and the incoming 5G standard, which promises faster speeds and better security, particularly against law enforcement use of cell site simulators, known as ‘stingrays.’”
  • Attackers Continue to Focus on Users, Well-Worn Techniques: Reported in Dark Reading, “In 2018, security firm Trend Micro detected 20.6 million phishing URLs, an increase of 82% over 2017, according to the firm's ‘2018 Annual Security Roundup.’ And in its Q4 2018 ‘Quarterly Threat’ report, security firm Rapid7 found that suspicious attempts to log in were the most common attack detected by companies.”
  • Ransomware has been abandoned in favor of cryptojacking attacks against the enterprise: Reported in ZDNet, “[Ransomware] attacks declined by 45 percent in Q4 2018 in comparison to Q1 2018, whilst cryptojacking attack attempts quadrupled by 450 percent in the same timeframe.”
  • Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints: Reported in The Register, “A company's internal network, once compromised, is now more likely to be ransacked by automated scripts than a piece of malware. This according to researchers with IBM's X-Force, who found that in 2018 just 43 per cent of the attacks it analyzed utilized any sort of locally installed files. Rather, the hackers utilized PowerShell scripts to execute their dirty deeds in memory without significantly touching file systems, if at all.”
  • Social Engineering Employed to Steal Data: Reported in Infosecurity Magazine, “Criminals who launched phishing campaigns during the final quarter of 2018 employed social engineering tactics in nearly one in three targeted attacks, according to Positive Technologies.”