NTSC Technology Security Roundup

Weekly News Roundup: March 5, 2018

House Hearing to Take Place Discussing “Data Acquisition and Technology Accountability and Security Act”

After Representative Blaine Luetkemeyer (R- Missouri) submitted his draft “Data Acquisition and Technology Accountability and Security Act” to the House, many industry groups have given heated input about certain provisions (or lack thereof) in the bill. To accommodate these multiple and conflicting views, Rep. Luetkemeyer will hold a hearing on Wednesday, March 7. According to InsideSecurity.com, “Luetkemeyer as well as House Energy and Commerce digital commerce and consumer protection subcommittee Chairman Bob Latta (R-OH) have been holding separate meetings with industry groups to discuss data breach legislation in the aftermath of the Equifax hack.”

Will the Supreme Court or Legislation Solve the Cloud Data Privacy Conundrum?

While some members of the Supreme Court seem sympathetic toward the Justice Department’s view that a warrant should include all of a company’s data no matter where it’s stored, other members seemed to indicate that it would be more appropriate for Congress to instead pass a law. These views pertain to the ongoing Microsoft v. Department of Justice case that has finally reached the Supreme Court. According to Reuters, “Bipartisan legislation has been introduced in Congress to update the 1986 statute, a move backed by both Microsoft and the administration. The bill would let U.S. judges issue warrants while giving companies an avenue to object if the request conflicts with foreign law. Passage of the bill likely would render the case moot.”

Federal Cybersecurity News Roundup

Here is a roundup of some important federal cybersecurity news from last week:

  • DHS Supply Chain Cybersecurity Program Pitched at Private Event: According to CyberScoop, “Secretary of Homeland Security Kirstjen Nielsen is pitching a new supply chain cybersecurity program in an effort to engage with some of the country’s largest critical infrastructure providers, including the oil, electric and water treatment industries. […] The program is focused on DHS authoring and providing digital risk assessments to companies and government agencies about products that they may acquire or install on their systems.”
  • Congress and Pentagon Considering Expanding USCYBERCOM Powers to Better Match SOCOM’s Authority: According to Defense News, “the commander of SOCOM can move special operations forces around the world based on demands and particular theaters. With its global reach and small staff cells located at each geographic combatant command, SOCOM can be much more flexible to respond to threats around the world. […] Leaders in Congress and at the Pentagon have examined replicating this authority for Cyber Command.”
  • FTC Recommends Steps to Improve Mobile Device Security Update Practices: According to a press release, “A new Federal Trade Commission report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. While noting that industry participants have taken steps to streamline the process, the report recommends that manufacturers consider taking additional steps to get more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support is ending.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cisco 2018 Annual Cybersecurity Report: Major findings included “‘Burst attacks’ [growing] in complexity, frequency, and duration. In one study, 42 percent of the organizations experienced this type of DDoS attack in 2017. Also, “Thirty-one percent of security professionals said their organizations have already experienced cyber attacks on OT infrastructure.”
  • 2018 CrowdStrike Global Threat Report: This report says, “The distinctions between state-sponsored actors and cybercriminals are becoming blurred, as nation-state adversaries adopt eCrime TTPs such as ransomware, and criminal groups perpetrate more sophisticated targeted intrusion-type attacks.”
  • 725% increase in cryptocurrency mining threatens more than just your CPU: According to a Cyren blog post, “Based on the monitoring of a sample of 500,000 sites, we've found a 725% increase in the number of domains running scripts on one or more pages -- knowingly or not -- in the four-month period from last September to January 2018.”
  • A Qualitative View of 2017 (Dragos Report): Summarized by CNET, “During 2017, Dragos looked at 163 vulnerability advisories, most of which offered no real solutions. More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person's ability to monitor systems, according to the report. In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except "patch your system" means nothing for 64 percent of critical infrastructure, according to the report.”
  • eSentire 2017 Annual Threat Report: Key findings included a “400% growth in brute force and dictionary attacks (user passwords are still considered high-value targets).”

Two Major Cybersecurity Acquisitions Last Week

On Monday, February 26, a private equity consortium acquired phishing defense solution company PhishMe and rebranded it as Cofense. Valued at $400 million, Cofense said that it “now has the added backing of multiple private equity firms to support future innovation via organic and inorganic growth initiatives.” And last Tuesday, machine data company Splunk announced plans to acquire security orchestration company Phantom Cyber Corporation for $350 million. According to a press release, “Once integrated with the Splunk platform, IT teams will be able to leverage these automation capabilities to help solve automation challenges in a widening range of use cases, including Artificial Intelligence for IT Operations (AIOps).”