NTSC Technology Security Roundup

Weekly News Roundup: April 16, 2018

Discussion About Expanding U.S. Cyber Command Authority Continues

According to CyberScoop, “Lawmakers and Pentagon leadership are considering plans that could one day provide U.S. Cyber Command with additional authorities to more easily operate outside declared war zones, two senior U.S. officials acknowledged [last] Wednesday during an open congressional hearing. […] Such a shift in policy may allow Cyber Command to offer more protection to private companies, including those that own and operate what the U.S. government considers ‘critical infrastructure.’” These discussions have been taking place in the context of legal ambiguity about how U.S. Cyber Command can respond to cyberattacks from nation states and other international threat actors.

Federal Cybersecurity News Roundup

Here is a roundup of some important federal cybersecurity news from last week:

  • National cyber strategy could come by summer: According to FCW, “Defense Department Assistant Secretary for Domestic and Global Security Kenneth Rapuano hinted during an April 11 House Armed Services Subcommittee on Emerging Threats and Capabilities hearing that the much-anticipated national cyber strategy ‘should be forthcoming in the near future.’”
  • DHS 'Cyber Storm' exercise tests manufacturing and transportation sectors: According to CyberScoop, “More than 1,000 people, including corporate executives, law enforcement personnel and intelligence and defense officials, are participating in this sixth iteration of the exercise known as Cyber Storm, which DHS touts as ‘the most extensive government-sponsored cybersecurity exercise of its kind.’”
  • TRANSCOM chief calls on Congress for national cybersecurity standard: According to Federal News Radio, “Last year, TRANSCOM ran two exercises: One explored how TRANSCOM would operate if the U.S. was not able to operate fully in the sky or sea; the other was to see how TRANSCOM would run in a cyber-contested environment. [U.S. Transportation Command chief Gen. Darren McDew] said the war games showed how vulnerable TRANSCOM is because of its heavy reliance on commercial companies. Ninety percent of TRANSCOM’s ability to take troops to war uses private industry, McDew said during a Senate Armed Service Committee hearing April 10. Now he is calling on Congress and the Defense Department to do something to shore up the gap.”

Two Industry Groups Offer Cybersecurity Guidance

In the wake of Facebook’s data breach, Reuters reported that the Securities Industry and Financial Markets Association has responded by “releasing a framework on Thursday [April 12] aimed at ensuring customers’ private data remains safe when they give third parties access to it.” According to a press release, “The Principles provide a path to a more secure chain that will help to better protect consumers’ private financial data, while still providing the holistic experience they are looking for today.” And on Monday, April 9, The Industrial Internet Consortium announced the publication of the IIC IoT Security Maturity Model: Description and Intended Use whitepaper. According to a press release, “Building on concepts identified in the IIC Industrial Internet Security Framework, the Security Maturity Model (SMM) defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk. This enables decision makers to invest in only those security mechanisms that meet their specific requirements.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • More Than Half of CISOs Around the World Concerned About the Cybersecurity Skills Gap: Reported in SecurityIntelligence, “…more than 60 percent of global security leaders said they are negatively affected by the skills shortage. In addition, 69 percent of respondents said their team was under-resourced, and 72 percent said their team had experienced ‘alert and agent fatigue.’”
  • Cyber attackers can breach targets in hours: Reported in Computer Weekly, “The majority of cyber attackers (71%) can breach a targeted organization within 10 hours, and 18% claim they could breach a target in the hospitality and food and beverage industries within an hour…”
  • One in five serverless apps has a critical security vulnerability: Reported in Network World, “According to the audit of more than 1,000 apps by Israeli security firm PureSec, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and lack of serverless education.”
  • Developers Failing to Use Secure Open Source Components: Reported in Infosecurity Magazine, “Only half of developers using open source components in their software update them to use the most secure version, according to CA Veracode.”
  • Attacker Dwell Time Still Too Long: Reported in Dark Reading, “The most recently measured dwell time - that is, the time between initial attack and discovery of the incident - equals an average of about 101 days for organizations worldwide.”
  • Mobile phishing: The biggest unsolved problem in cybersecurity: According to Lookout, “The rates of phishing on mobile have grown a shocking 85 percent year over year for the past five years.”
  • How many can detect a major cybersecurity incident within an hour?: Reported in Help Net Security, “Less than half of all organizations were able to detect a major cybersecurity incident within one hour. Even more concerning, less than one-third said that even if they detected a major incident, they would be unable to contain it within an hour, according to LogRhythm.”
  • Cyber-Criminals Could Earn CEO-Level Salary: Reported in Infosecurity Magazine, “High-earning cyber-criminals make as much as $2m per year, almost as much as the average FTSE CEO, a new study from Bromium has claimed.”
  • Ransomware reigns supreme in 2018, as phishing attacks continue to trick employees: Reported in TechRepublic, “Ransomware was the cause of 39% of malware-related data breaches, more than double that of last year, according to Verizon's annual Data Breach Investigations Report.”
  • Malware Activity Slows, But Attacks More Sophisticated: Reported in Security Week, “Malware activity declined in the first quarter of 2018, with both detections for ransomware and cryptominers lower than the last quarter of 2018, according to anti-malware vendor Malwarebytes. However, major reductions in consumer instances mask an increase in both activities against businesses, the company says.”
  • Security professionals admit patching is getting harder: Reported in Computer Weekly, “57% of security professionals acknowledge their organization is at a disadvantage because of the reliance on manual processes to respond to vulnerabilities.”

Two Major Cybersecurity Acquisitions Last Week

Last Monday, CA Technologies announced that they were acquiring San Francisco-based Software Composition Analysis (SCA) solution company SourceClear. According to a blog post, CA Technologies said, “SourceClear's SCA solution not only tells you which applications have a vulnerable component, it tells you whether or not the functionality is being used. […] This greatly reduces the false positives related to functions that exist in the open source library but pose no practical risk because they are not used by the application.” And last Tuesday, Palo Alto Networks announced its intent to acquire automated endpoint security and incident response company Secdo. According to a press release, “The acquisition brings sophisticated endpoint detection and response, or EDR, capabilities – including unique data collection and visualization – to Palo Alto Networks Traps™ advanced endpoint protection and the Application Framework…”