NTSC Technology Security Roundup

Weekly News Roundup: April 30, 2018

Cybersecurity Legislation News Roundup

Here is a roundup of some important legislative news from last week:

  • Senate confirms new director for spy agency, cyber command: According to Reuters, “The U.S. Senate confirmed on Tuesday President Donald Trump’s choice to lead the U.S. Cyber Command and National Security Agency, Army Lieutenant General Paul Nakasone. Nakasone has an extensive background in cyber issues, having held positions including serving as chief of the U.S. Army’s cyber command since late 2016.”
  • Defense Bill Would Send Military Reinforcements to DHS’ Cyber Mission: According to NextGov, “Military cyber pros would help the Homeland Security Department ensure the cybersecurity of critical infrastructure, such as energy plants, hospitals and airports, under the House version of a major defense policy bill released Wednesday.”
  • House bill would create a 'naughty list' for nation-state hacking groups: According to FCW, “While the details of the new cyber doctrine remain secret, the Trump administration has spent the past year publicly sketching the outlines of their national strategy for deterring nation-state hacking operations, marshalling the federal government's technical and intelligence resources on a number of occasions to trace and attribute major cyber attacks back to nation-state sponsors.”
  • Bipartisan Senate bill presses for privacy protections on social media: According to SC Media, “[Two] senators [last] Tuesday introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2018 aimed at protecting user privacy. The bill, penned by Sen. John Kennedy, R-La., and Sen. Amy Klobuchar, D-Minn., would compel social media firms to provide users with a copy of the data that has been collected on them and who had accessed it as well as compel the companies to present their terms of service agreement in plain language and in plain sight.”

DHS Provides Updates to Homeland Security Committee at Hearing

Last Thursday, a Homeland Security Committee hearing provided some updates on DHS progress. According to NextGov, those updates included:

  • “The Homeland Security Department plans to formalize a method for ethical hackers to share with the department hackable vulnerabilities they find in its public-facing websites and other internet tools… […] That would bring Homeland Security up to speed with the Defense Department and the General Services Administration’s tech transformation wing, which already have vulnerability disclosure policies.”
  • “[Secretary Kirstjen] Nielsen defended, during Thursday’s hearing, the Trump administration’s plan to shift Homeland Security’s $41 million cyber research and development efforts from its science and technology wing to the department’s cyber operations division. […] [Rep. Jim Langevin, D-R.I.] said he opposed the move and is worried Homeland Security’s cyber operations division is so busy with its primary responsibilities that research will become an afterthought.”
  • “Nielsen also told lawmakers that a long-awaited government cybersecurity strategy will be released within the next two weeks. One key element of that strategy will be a program for Homeland Security to provide cyber tools directly to critical industry…”

Cybersecurity Standards News Roundup

Here is a roundup of some important news related to cybersecurity standards from last week:

  • NIST offers plan for future updates to cybersecurity framework: According to Inside Cybersecurity, “The National Institute of Standards and Technology intends to ask stakeholders every three years whether they would like a ‘new iteration’ of the framework of cybersecurity standards, but will keep a ‘features list’ of recommended updates to debate each year at an annual NIST-run cyber conference.”
  • NSA encryption plan for ‘internet of things’ rejected by international body: According to WikiTribune, “An attempt by the U.S. National Security Agency (NSA) to set two types of encryption as global standards suffered a major setback [last] Tuesday, after online security experts from countries including U.S. allies voted against the plan, for use on the ‘internet of things.’”
  • New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection: According to SC Media, “The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls to low impact Bulk Electronic Systems (BES), mandatory security controls for mobile devices and develop modifications to critical infrastructure protection (CIP) reliability standards.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Misconfigured Clouds Compromise 424% More Records in 2017: Reported in Dark Reading, “Insider mistakes like networked backup incidents and misconfigured cloud servers caused nearly 70% of all compromised records in 2017, according to new data from IBM X-Force. These types of incidents affected 424% more records last year than the year prior, they report.”
  • Concern Rises About Cyber-Attacks Physically Damaging Industries: Reported in eWeek, “Seven out of every 10 IT and operational technology professionals worry that a cyber-attack will lead to physical damage to computer and industrial systems that require expensive repairs or even kill people.”
  • Cybersecurity strategies neglected in wake of the boardroom’s quest for digital: Reported in IT Security Guru, “Only 9% of organizations have made cybersecurity a board-level priority. This is despite respondents acknowledging that digital is opening their businesses to more cybersecurity vulnerabilities than ever, with 60% of respondents saying there are more emerging cyber threats than they can currently control.”
  • Small merchants are not effectively engaging with PCI programs: Reported in Help Net Security, “Smaller merchants are systematically failing to engage with PCI compliance programs, according to a new acquirer survey from Sysnet Global Solutions. The survey revealed that all acquirers believe small merchants are not effectively engaging with PCI programs, with many identifying the challenges small merchants face, including a lack of knowledge, a lack of urgency and a lack of time to dedicate to security and compliance – a worrying trend.”
  • Research from Ponemon Institute and ObserveIT Reveals Insider Threat Incidents Increasing in Frequency and Cost: According to a press release, “The average cost of an insider-related incident over a 12-month period is $8.76 million, and it takes more than two months, on average, to contain an insider incident.”
  • SOCs require automation to avoid analyst fatigue for emerging threats: Reported in Help Net Security, “A survey conducted by LogicHub at RSA Conference 2018 identified 79 percent of respondents believe both human expertise and security automation are needed for a powerful security infrastructure to keep enterprises safe from breaches.”
  • Who Is Behind Most Data Breaches?: Experian summarizes some key findings from Verizon’s 2018 Data Breach Investigations Report, including that “73% of cyber attacks were triggered by ‘outsiders,’ 28% of data breaches involve insiders, and less than 2% involved company partners.”