NTSC Technology Security Roundup

Weekly News Roundup: April 13, 2020

Legislative and Federal Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation and federal cybersecurity news stories from last week.

  • Coronavirus surveillance concerns ramp up pressure to pass federal privacy law: According to The Hill, “Concerns around the use of personal data to track and halt the spread of the ongoing coronavirus pandemic led senators and tech industry groups [last] Thursday to urge Congress to ramp up its efforts to put in place a national consumer privacy law. ‘The collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation,’ Senate Commerce, Science and Transportation Committee Chairman Roger Wicker (R-Miss.) wrote in an opening statement submitted as part of a historic ‘paper hearing’ on big data and the coronavirus.”
  • Armed Services ‘Solarium’ hearing was postponed as senators still aim for in-person hearing: According to Inside Cybersecurity, “The Senate Armed Services Committee’s move to paper hearings has slowed efforts to fold Cyberspace Solarium Commission recommendations into the fiscal 2021 National Defense Authorization Act, as the Senate panel’s leaders want to hear directly from members of the high-profile advisory panel at an in-person hearing, according to a committee staffer.”
  • Washington, D.C. Amends Data Breach Notification Law, Adds Data Security Requirements: According to a Hunton Andrews Kurth blog post, “On March 26, 2020, Washington D.C. enacted bill number B23-0215, amending D.C.’s data breach notification law (the ‘Bill’). Among other requirements, the Bill requires the provision of identity theft prevention services in certain data breaches, establishes a new regulatory reporting requirement in the event of a cognizable data breach affecting 50 or more residents of D.C., and imposes certain data security requirements on covered businesses.”
  • NIST releases draft cloud system access control guidance for public comment: According to Inside Cybersecurity, “A new NIST draft guidance on access controls for cloud systems is out for public comment, noting that ‘different service delivery models need to consider managing different types of access on offered service components,’ and that, so far, ‘primarily ad hoc solutions’ have addressed ‘specific cloud applications and do not provide comprehensive views of cloud [access control].’”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • President issues executive order establishing committee to review foreign participation in telecom sector: According to Inside Cybersecurity, “President Trump [on April 4] issued an executive order setting up a committee to assist the FCC in assessing national security threats associated with telecom applications and licenses, and to make recommendations on rejecting or modifying such applications to mitigate cyber and other risks.”
  • Top agencies warn cyber criminals are using coronavirus to step up hacking efforts: According to The Hill, “The top cybersecurity agencies in the United States and the United Kingdom [last] Wednesday issued an alert warning that cyber criminals are stepping up attacks on health care groups and those working from home during the ongoing coronavirus pandemic. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) noted in the alert that the attacks often involved malicious phishing emails or ransomware attacks, in which an attacker locks up a system and demands payment to give the user access again.”
  • FERC acts to prioritize energy critical infrastructure approvals, compliance changes: According to Inside Cybersecurity, “The Federal Energy Regulatory Commission is taking steps to ensure the energy sector has the resources to operate effectively throughout the COVID-19 health crisis by collaborating with state utilities on critical infrastructure and issuing temporary waivers to ensure continuity of operations.”
  • FBI Warns of Cloud-Based BEC Attacks: According to Infosecurity Magazine, “The Federal Bureau of Investigation (FBI) has issued a warning over cloud-based business email compromise (BEC) scams that have cost US companies more than $2bn. […] In a statement released on April 6, the FBI said: ‘Cyber criminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds.’”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Americans want an internet bill of rights to protect their online data: Reported in ZDNet, “Ninety percent of Americans use the internet, but the majority do not think they are protected when they are online. They want specific rights. The survey found that over half (55%) of Americans agree the US needs a set of laws governing the rights and use principles of the internet, including regulating the use of personal data for companies.”
  • Study: Preventing Cyberattack Penetration Can Save Enterprises Up To $1.4 Million Per Incident: According to a press release, “The Ponemon Institute released its latest report, ‘The Economic Value of Prevention in the Cybersecurity Lifecycle.’ The independent study, sponsored by Deep Instinct, determined for the first time that the economic value of cyberattack prevention - which takes into account the entire cybersecurity lifecycle of detection, containment, remediation, and recovery - ranges from $396,675 to $1,366,365, depending on the nature of the attack.”
  • Increase in Exploited Zero-Days Shows Broader Access to Vulnerabilities: Reported in Security Week, “The number of identified zero-day vulnerabilities being exploited has increased in 2019, revealing a broadened access to these security flaws, according to security firm FireEye. FireEye research found that more zero-days were exploited last year than in any of the previous three years, while also observing that more tracked actors have gained access to such capabilities.”
  • Encryption is finally being used primarily to protect personal data rather than just for compliance: Reported in Help Net Security, “For the first time, protecting consumer personal information is the top driver for deploying encryption (54% of respondents), outranking compliance, which ranked fourth (47%). Traditionally, compliance with regulations was the top driver for deploying encryption, but it has dropped in priority since 2017, indicating that encryption is transitioning from a requirement to a proactive choice to safeguard critical information.”
  • Cybercriminals Hide Malware & Phishing Sites Under SSL Certificates: Reported in Dark Reading, “Nearly 52% of the top 1 million websites were available over HTTPS in 2019, Menlo Security researchers report. Nearly all (96.7%) user-initiated online visits are served over HTTPS; however, only 57.7% of URLs in emails are HTTPS links. This means a web proxy or next-gen firewall — which many businesses have long relied on for online access visibility and control, researchers note — could miss the threats present on malicious websites if SSL inspection is not enabled.”
  • Only 40% of Small Business Owners Have a Cybersecurity Policy: Reported in Dark Reading, “Millions of businesses have ordered employees to work from home in the past several weeks, but not all are prepared to protect them: Only 40% of small businesses have implemented a cybersecurity policy, a number that drops to 25% for companies with fewer than 20 workers.”
  • The cybersecurity posture of financial services companies: IIF/McKinsey Cyber Resilience Survey: Reported by Finextra, “A recent joint survey on cyber resilience by the Institute of International Finance (IIF) and McKinsey found significant concerns regarding third-party security, and [the] survey determined that 33 percent of financial-services firms do not have proper vendor remote-access management with multifactor-authentication controls.”

Cybersecurity Acquisitions

Four cybersecurity deal stories were reported last week: three completed or announced acquisitions and one vendor putting itself up for sale:

  • Accenture acquires cybersecurity firm Revolutionary Security: Reported in Silicon Angle, “Accenture plc [last Wednesday] said it has acquired the privately held cybersecurity firm Revolutionary Security for an undisclosed price. The company had raised a single round of $2.5 million prior to acquisition. Founded in 2016, Revolutionary Security offers a range of cybersecurity products including risk assessment, breach and attack simulation testing, insider threat assessments and framework-based assessment.”
  • Zscaler snaps up cloud security startup Cloudneeti: Reported in Silicon Angle, “Publicly traded cybersecurity provider Zscaler Inc. [last Thursday] said it’s acquiring Cloudneeti Corp., a Seattle startup that helps companies find configuration-related vulnerabilities in their cloud applications. The financial terms were not disclosed. Zscaler expects the transaction to complete by month’s end. Cloudneeti’s namesake product scans cloud applications for poorly defined security settings and other configuration issues with the potential to open the door to hackers.”
  • German security firm Avira has been acquired by Investcorp at a $180M valuation: Reported in TechCrunch, “Avira, a cybersecurity company based out of Germany that provides antivirus, identity management and other tools both to consumers and as a white-label offering from a number of big tech brands, has been snapped up by Investcorp Technology Partners, the PE division of Investcorp Bank. Investcorp’s plan is to help Avira make acquisitions in a wider security consolidation play. The financial terms of the acquisition are not being disclosed in the companies’ joint announcement, but the CEO of Avira, Travis Witteveen, and ITP’s MD, Gilbert Kamieniecky, both said it gives Avira a total valuation of $180 million.”
  • Cybersecurity Vendor Nyotron Eyeing Private Equity Buyer: Reported in CRN, “Nyotron is looking for a private equity buyer and accepting first-round bids as part of the sales process, according to a PE Hub report. The Santa Clara, Calif.-based cybersecurity vendor first came to market earlier this year and targeted strategic buyers, but paused the process when the coronavirus pandemic hit, three people familiar with the matter told PE Hub. Nyotron has now returned to the auction block and opened the process up to include private equity-backed firms as well, PE Hub reported.”