NTSC Technology Security Roundup

Weekly News Roundup: May 11, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Senate expected to approve House-passed surveillance powers bill next week: According to The Hill, “Senators are expected to vote [this] week on House-passed legislation to extend the FBI’s surveillance powers, setting up a battle between civil libertarians who want to curtail the Foreign Intelligence Surveillance Act (FISA) and allies of the intelligence community and law enforcement. The legislation will extend core surveillance powers of the lapsed USA Freedom Act: the power to collect business records relevant to a counterterrorism or counter espionage investigation; the authority to use roving wiretaps to track suspects; and the ability to surveil ‘lone wolf’ suspects not connected to a known terrorist group or foreign power.”
  • Senate Intelligence chair pledges quick action on DNI nominee as Ratcliffe stresses cyber bona fides: According to Inside Cybersecurity, “Senate Intelligence Chairman Richard Burr (R-NC) strongly endorsed the nomination of Rep. John Ratcliffe (R-TX) to serve as Director of National Intelligence, as the nominee touted his experience on cybersecurity issues during an appearance [last] Tuesday before the intelligence panel.”
  • U.S. Senate approves Trump security nominee after nearly two-year hold: According to Reuters, “The U.S. Senate [last] Wednesday approved William Evanina, President Donald Trump’s nominee for a top counterintelligence position, after he was blocked for almost two years over a Republican request for documents related to the investigation of Russia and Trump’s 2016 election campaign. The Senate voted 84 to 7 to approve Evanina as director of the National Counterintelligence and Security Center.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Homeland Security’s Biometrics Database Is on Its Way to the Amazon Cloud: According to NextGov, “The Homeland Security Department is in the midst of migrating its central biometric database—used to store, manage and disseminate biometric data on U.S. citizens and foreign nationals—to the Amazon Web Services GovCloud, the first step in a major overhaul of the decades-old legacy system.”
  • Standards body for info-sharing groups offers guide to state and local cybersecurity laws, rules: According to Inside Cybersecurity, “The ISAO Standards Organization, which works with a variety of cyber info-sharing groups, has pulled together a report detailing laws and regulations at the state and local level that could affect information sharing activities, including privacy rules ‘influenced by the European Union’s General Data Protection Regulation.’”
  • FCC Wants Help Interpreting Law to Fund Replacement of Huawei, ZTE Equipment: According to NextGov, “The Federal Communications Commission is inviting comment on a rule [it has] proposed for reimbursing service providers that must replace any equipment in their systems from Huawei or ZTE in order to participate in a publicly funded program to increase access to broadband, in light of complementary legislation Congress passed in March.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • Authorities warn that hackers are targeting health care and essential services: According to The Hill, “The top cybersecurity agencies in the United States and the United Kingdom [last] Tuesday warned that hackers are targeting health care organizations and essential services during the COVID-19 pandemic. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) put out a joint alert warning that advanced persistent threat (APT) groups are using the pandemic to zero in on vulnerable organizations involved in fighting the virus.”
  • CISA issues guide outlining supply chain risk management ‘essentials’: According to Inside Cybersecurity, “The Cybersecurity and Infrastructure Security Agency has released a six-step guide for organizations to improve their supply chain risk management strategy and build resilience into systems.”
  • Software flaws often first reported on social media networks, PNNL researchers find: According to Science Daily, “Software vulnerabilities are more likely to be discussed on social media before they're revealed on a government reporting site, a practice that could pose a national security threat, according to computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory.”
  • NIST project examines incorporating security into electric grid IoT solutions: According to Inside Cybersecurity, “The National Institute of Standards and Technology is promoting its collaboration with companies on securing the Internet of Things in a distributed energy resources environment, including with a ‘how-to’ guide and ‘example solution’ for operators.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • 76% Security Professionals Face Cybersecurity Skills Shortage: Reported in CISO Mag, “76% of respondents believe there is a shortage of cybersecurity skills in their organization, which represents an improvement when compared to 2019 (88%). Nearly 72% of organizations are still struggling to procure cybersecurity talent with no improvement from 2019.”
  • Enterprises throw money at cybersecurity but half of attacks are still a success: Reported in ZDNet, “[On] average, an enterprise company will have between 30 and 50 security solutions in place -- but this is no guarantee of their effectiveness. In total, 53% of attacks performed were successful and infiltration without detection was achieved. 26% of attacks were successful but were detected, while 33% of attacks were prevented by security solutions. However, only 9% of attacks led to an alert being generated.”
  • Financial Phishing Attacks Take Off, Malware Declines: Reported in Dark Reading, “Threat activity targeting financial institutions, including phishing attacks and malware, rose 48% in 2019, as cybercriminals and online attackers made use of easy-to-use commodity tools and services to conduct attack campaigns against victims, according to a new report by threat-protection firm ZeroFOX.”
  • Global Firms Cut IT Security Budgets Due to #COVID19: Reported in Infosecurity Magazine, “Over two-fifths (41%) of global businesses have cut cybersecurity budgets due to COVID-19-related financial pressures, according to new research from Barracuda Networks.”
  • Nearly 2,000 malicious COVID-19-themed domains created every day: Reported in TechRepublic, “A new report from researchers with Palo Alto Networks' Unit 42 found that more than 86,600 domains of the 1.2 million newly registered domain (NRDs) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 are classified as ‘risky’ or ‘malicious.’”
  • Consumers will opt for competitors after a single ransomware-related service disruption: Reported in Help Net Security, “[As] consumers become more educated and cyberattacks become well-known, perceived trust becomes more influential in their purchasing decisions, with the study also finding that nearly nine of ten consumers consider the trustworthiness of a business prior to purchasing a product or service and 59% of consumers would likely avoid doing business with an organization that had experienced a cyberattack in the past year.”
  • 13% of SMBs have already experienced a cyberattack since the COVID-19 pandemic began: Reported in TechRepublic, “Nearly one in seven senior decision makers said their organization has already experienced at least one cyberattack since the start of the COVID-19 pandemic, according to a new report by Alliant Cybersecurity.”
  • Survey Suggests Businesses are Overconfident About Their Security During COVID-19: Reported in NextGov, “Cybersecurity officials and business decision-makers may be overestimating the state of their security in the wake of the COVID-19 pandemic, according to findings from a global survey released this week by cyber firm CrowdStrike. CrowdStrike’s Work Security Index found that 89% of the more than 4,000 decision-makers across nine countries polled in mid-April believed their devices were secure against cybersecurity threats while working at home.”
  • Survey Surfaces Root Causes of DevSecOps Tension: Reported in DevOps.com, “Results of a survey published by SaltStack, a provider of IT automation tools, suggests tensions between cybersecurity and IT professionals on the one side and DevOps teams on the other are running high. According to the survey of 130 cybersecurity and IT leaders, 70% of respondents said their organization is sacrificing data security for faster innovation, with most cybersecurity and IT managers making a case for prioritizing data protection over innovation, speed to market and cost.”
  • Survey: Most Firms Not Adding to Cyber Training During Pandemic: Reported in MeriTalk, “Most businesses are not providing additional security training during the COVID-19 pandemic despite greater numbers of employees teleworking, cybersecurity services provider CrowdStrike said this week. According to the company’s figures, 53 percent of participants in its Work Security Index said their firms have not provided additional cybersecurity training on the risks associated with remote work.”
  • Entrust Datacard Uncovers Poor Password Behavior Among Remote Workers: Reported in Mobile ID World, “[Nearly] half (42 percent) of the respondents physically write down their passwords, while roughly a third store them digitally on either a smartphone or a computer workstation (34 and 27 percent, respectively). A full 20 percent also reuse the same password for multiple work accounts.”

Cybersecurity Acquisitions

News about two major cybersecurity company acquisitions was reported last week:

  • Zoom Buys Keybase, Enhances Cybersecurity: Reported in MediaPost, “Addressing concerns over the security of its platform, Zoom just bought encryption startup Keybase. With the purchase -- the financial terms of which were not disclosed -- Zoom can now build end-to-end encryption into its video conferencing platform.”
  • Microsoft Reportedly in Talks to Acquire CyberX: Reported in Dark Reading, “Microsoft is reportedly in the process of acquiring CyberX, an Israeli cybersecurity company focused on building technology to fight threats to the Internet of Things (IoT), the Industrial IoT, and connected devices.”