NTSC Technology Security Roundup

Weekly News Roundup: May 26, 2020

Legislative Cybersecurity News Update

Here, we’ve provided a roundup of cybersecurity legislation news stories from last week.

  • Bipartisan bill would restrict purchases of airport equipment from Chinese companies: According to The Hill, “Lawmakers [last] Monday introduced bipartisan legislation that would prohibit the use of federal funds to purchase airport equipment made in countries that may pose a national security threat to the United States, such as China. The Airport Infrastructure Resources Security Act would apply to purchases of passenger boarding bridges and other infrastructure from countries deemed by federal officials to pose a national security threat, and those involved in stealing U.S. intellectual property (IP).”
  • Senate Commerce Advances Cyber Grand Challenge Bill with Some Tweaks: According to NextGov, “The Senate Commerce Committee unanimously approved a bill that would offer cash and non-cash prizes for cybersecurity innovations—though it received a bit of a haircut from Sen. Mike Lee, R-Utah. […] It passed the committee [last Wednesday] with an amendment from Lee eliminating the Commerce Secretary’s authority to establish additional grand challenges. Another Lee amendment clarifies that an advisory committee the bill calls for to inform aspects such as metrics for judging the competitions would not be compensated beyond travel reimbursements.”
  • Senate Intelligence panel, under Rubio, advances Ratcliffe nomination: According to Inside Cybersecurity, “The Senate Intelligence Committee [last] Tuesday advanced by party-line vote the nomination of Rep. John Ratcliffe (R-TX) to serve as Director of National Intelligence, moving one day after Sen. Marco Rubio (R-FL) was named acting chairman of the panel.”

National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • FBI offers US companies more details from investigations of health care hacking: According to CyberScoop, “The FBI has provided U.S. companies more information on the extent of recent criminal and foreign government-backed hacking operations against the health care sector and warned of ongoing efforts to steal U.S. research data. Criminal and state actors continue to target U.S. clinical trial data, trade secrets, and the ‘sensitive data and proprietary research of U.S. universities and research facilities,’ the FBI told industry in an advisory this week.”
  • Federal watchdog finds chemical facilities vulnerable to cyberattacks: According to The Hill, “Chemical facilities are vulnerable to crippling cyberattacks due to outdated government cybersecurity guidance, the Government Accountability Office (GAO) concluded in a report released [on May 14]. The report […] found that the Department of Homeland Security (DHS), which oversees the security of ‘high-risk’ chemical facilities through the Chemical Facilities Anti-Terrorism Standards program, hasn't updated cybersecurity guidance for those facilities in more than a decade.”
  • NIST Wants Help Demonstrating Security Compliance in 5G: According to NextGov, “The National Institute of Standards and Technology is looking for organizations to contribute products and expertise they’ve developed for implementing cybersecurity standards into fifth-generation networking technology toward creating a special publication of best practices.”
  • NIST releases energy sector guide for Operational Technology assets: According to Inside Cybersecurity, “The National Institutes of Standards and Technology has released a practice guide for energy sector organizations to establish, enhance and manage their Operational Technology assets.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Verizon's data breach report highlights how unsecured cloud storage opens door to attacks: Reported in ZDNet, “22% of breaches this year involved cloud assets and on-premises assets were in 71% of reported incidents. 45% of breaches featured hacking and 22% involved social attacks. 22% also involved malware.” Also, reported in CyberScoop, “Eighty-six percent of the data breaches in 2019 were motivated by money, according to Verizon’s annual Data Breach Investigation Report, which was released [last] Tuesday. While the techniques have shifted, the figure is a significant uptick from the 71% of breaches that were financially motivated in 2018.”
  • Nearly 70% of major companies will increase cybersecurity spending post-coronavirus: Reported in TechRepublic, “Nearly 70% of major organizations plan to increase cybersecurity spending due to the effects of the coronavirus pandemic, a LearnBonds report found.”
  • ‘Flight risk’ employees involved in 60% of insider cybersecurity incidents: Reported in ZDNet, “Employees planning to leave their jobs are involved in 60% of insider cybersecurity incidents and data leaks, new research suggests. According to the Securonix 2020 Insider Threat Report, published [last] Wednesday, ‘flight risk’ employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack.”
  • FTI Consulting Survey Shares Data Privacy Budget and Solutions Forecast: According to a press release, “97 percent of organizations will increase their spend on data privacy in the coming year, with nearly one-third indicating plans to increase budgets by between 90 percent and more than 100 percent.”
  • Military Active-Duty Personnel Are 76% More Likely to Report Identity Theft, FTC Reports: Reported in Hot for Security, “A five-year analysis of data gathered by IdentityTheft.gov reveals that ‘active duty service members are 76% more likely than other adults to report that an identity thief misused an existing account,’ and ‘nearly three times as likely’ to report the fraudulent use of a debit card to steal funds from their bank account.”
  • Only 36% of critical infrastructures have a high level of cyber resilience: Reported in Help Net Security, “The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of cyber resilience.”
  • Financial Services Companies Lack Trusted Data to Make Cybersecurity Decisions: Reported in Security Magazine, “Over a third (36.72 percent) of security leaders said that their biggest challenge in creating metrics to measure and report on risk is ‘trust in the data,’ followed by the resources required to produce them (21.34 percent), the frequency of requests (14.64 percent) and confusion over knowing what metric to use (15.3 percent). Less than half of respondents (47.75 percent) could claim to be ‘very confident’ that they are using the right security metrics to measure cyber risk.”

Cybersecurity Acquisitions

News about three major cybersecurity company acquisitions was reported last week:

  • Smarsh Acquires Entreda: According to a press release, Smarsh announced last Thursday the acquisition of Entreda, an award-winning developer of integrated cybersecurity risk and compliance management software and services for the wealth management market. Entreda will continue to operate under its own brand and under the leadership of Co-Founder and CEO Sid Yenamandra, as a stand-alone, wholly owned subsidiary of Smarsh.
  • Open Systems Acquires Born in the Cloud: According to a press release, Open Systems last Wednesday announced its acquisition of Born in the Cloud, a specialist in cybersecurity threat detection, prevention and response. This addition bolsters Open Systems' ability to serve the large and expanding market for Azure Sentinel services with enterprises worldwide.
  • Advent Puts $1.9 Billion Acquisition of ForeScout on Hold: Reported in Bloomberg, “Private equity group Advent International doesn’t plan to conclude the acquisition of cybersecurity company ForeScout Technologies Inc. by the May 18 deadline, though talks are continuing regarding timing and price.”