NTSC Technology Security Roundup

Weekly News Roundup: May 21, 2018

DHS Cybersecurity Strategy Released While White House Strategy Stalls

While the DHS released its Cybersecurity Strategy last Tuesday, the White House delayed its National Security Council cyber strategy over arguments related to active defense. According to CyberScoop, “[Several] National Security Council staffers are seeking edits that emphasize repercussions if an adversary attacks either the U.S. government or a U.S.-based company in cyberspace.” And while the DHS strategy has been released, some members of Congress have complained that it was delayed multiple times. The Hill summarizes the DHS report as “[hinging] on five ‘pillars’ to limit and address threats to digital systems in the United States. These involve gaining a better understanding of threats and vulnerabilities to critical U.S. assets in cyberspace; reducing ‘systemic vulnerabilities’ in U.S. networks; disrupting cyber crime; limiting the impact of potentially massive cyber incidents; and supporting policy to broadly bolster security of digital systems.”

White House Eliminates Cybersecurity Coordinator Position

Last Tuesday, Politico reported that the White House, now under national security adviser John Bolton, eliminated the Cybersecurity Coordinator position most recently held by Rob Joyce (who returned to the National Security Agency). Politico said, “According to an email sent to National Security Council staffers Tuesday, the decision is part of an effort to ‘streamline authority’ for the senior directors who lead most NSC teams. ‘The role of cyber coordinator will end,’ Christine Samuelian, an aide to Bolton, wrote in the email to NSC employees, which POLITICO obtained from a former U.S. official.” Efforts are under way in Congress to preserve the role in some form, according to The Week: “[Last] Tuesday, Reps. Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.) introduced legislation to create a new White House National Office for Cyberspace, to be led by a Senate-confirmed presidential appointee who would fill the role that Bolton just cut and also advise federal agencies on cybersecurity tactics and resources and protect federal information technology in the event of an attack.”

Department of Energy Releases Cybersecurity Strategy Centered on Critical Infrastructure

Many cybersecurity experts believe US critical infrastructure is vulnerable to cyberattacks from nation states and other adversaries—and the Department of Energy noted that threat in its new cybersecurity strategy. Quoted in the Washington Examiner, the DOE report says, “The frequency, scale and sophistication of cyber threats have increased, and attacks have become easier to launch. Nation-states, criminals, and terrorists regularly probe energy systems to actively exploit cyber vulnerabilities in order to compromise, disrupt, or destroy energy systems. […] As nation-states and criminals increasingly target energy networks, the federal government must help reduce cyber risks that could trigger a large-scale or prolonged energy disruption.”

Former Intel Researcher Reports on Microprocessor Security Vulnerability

The Spectre vulnerability, disclosed in January 2018, is not going away any time soon. Bloomberg reported last week that Eclypsium CEO Yuriy Bulygin, a former Intel researcher, says Spectre can be used to read memory that a server’s firmware is supposed to keep isolated from the operating system and from other tenants. According to Bloomberg, “Cloud computing services may be at the greatest risk, Bulygin says, because the glitch could be used to breach protections for keeping companies’ data separate on physical servers. The hackers who access those systems’ firmware can not only move between the databases and steal information but also look through the firmware’s own code to reveal some of the servers’ most heavily defended secrets, including encryption keys and administrative passwords.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Sometimes employees follow cybersecurity best practices beyond company policies: Reported in Help Net Security, “Nearly two-thirds (64%) of employees use a company-approved device for work. However, less than half (40%) of those who use a personal device are regulated when using that personal device, according to a new survey of 1,000 full-time employees published by Clutch.”
  • Flaws in Open Source Components Pose Increasing Risk to Apps: Reported in SecurityWeek.com, “The 2018 Open Source Security and Risk Analysis (OSSRA) report […] shows that 78% of the examined codebases were plagued by at least one open source vulnerability, compared to 67% in the previous year. The average number of flaws discovered per codebase in 2017 was 64, which represents an increase of 134%.”
  • Cross-site scripting a top vulnerability, hackers find: Reported in Computer Weekly, “Cross-site scripting (XSS) is the most commonly exploited vulnerability, according to HackerOne, currently the largest platform aimed at connecting organisations with a community of white hat hackers who can identify cyber risks, which currently has around 200,000 members.”
  • Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies: According to Kenna Security, “Common strategies are about as effective as rolling dice. Most current approaches for prioritizing and fixing vulnerabilities – whether that is based on vendors with most CVEs [Common Vulnerabilities and Exposures], using CVSS [Common Vulnerability Scoring System] scores, or relying on reference lists – are roughly as effective as random chance.”
  • The pace of vulnerability disclosure shows no signs of slowing: Reported in Help Net Security, “Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report.”
  • Cyber Attacks Increase as IT Security Budgeting Remains Static: Reported in Healthcare Informatics, “More than 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five data breaches during the same timeframe, according to a recent report from Black Book Research.”