NTSC Technology Security Roundup

Weekly News Roundup: June 25, 2018

Book Excerpt Cautions Against the Dangers of US Cyber Command’s New Offensive Approach

An excerpt (published in The New York Times) from David Sanger’s new book “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” cautions against unintended consequences of US Cyber Command (now a unified combatant command) taking a more aggressive approach against threat actors. Some of Sanger’s concerns include the risks of starting a war with other countries, the current readiness of US Cyber Command, and the White House’s gutting of top-level cybersecurity leadership. According to Sanger, “The change in approach was not formally debated inside the White House before it was issued, according to current and former administration officials. […] It is unclear how carefully the administration has weighed the various risks involved if the plan is acted on in classified operations.”

White House Selects New VEP Leader and Considers a Flavor of GDPR for the US

With the Vulnerabilities Equities Process (VEP) made more transparent by the Trump administration last year, CyberScoop reported on Thursday that the White House has selected a new VEP leader. According to CyberScoop, “Grant Schneider, the National Security Council’s senior director for cybersecurity policy, has been named chairman of the Vulnerability Equities Process (VEP) board, an NSC spokesperson told CyberScoop. Schneider is also currently serving as the acting federal chief information security officer.” Also, Axios reported that the White House is considering stronger data privacy laws in the wake of GDPR. According to the publication, “Gail Slater, special assistant to President Trump for tech, telecom and cyber policy at the White House National Economic Council, has met with industry groups to discuss possible ways to put in place guardrails for the use of personal data, according to multiple sources familiar with the matter.”

FY2019 Homeland Security Appropriations Bill Pushes for Stronger Cybersecurity Funding

A FY2019 Homeland Security appropriations bill cleared a Senate subcommittee last week and moves to the Senate. Summarized in NextGov, the bill boosts cybersecurity funding in several areas:

  • “$406 million for a collection of intrusion detection and prevention systems known as Einstein”
  • “A $47 million boost over the administration’s request for Continuous Diagnostics and Mitigation, or CDM, a suite of vetted cybersecurity tools and services that Homeland Security offers across the government”
  • “$813 million for Homeland Security’s Science and Technology Directorate, which is $230 million over the administration’s request”
  • “A $6 million funding boost for the U.S. Secret Service to train state and local officials in computer forensics and cyber investigations”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Employee negligence is the biggest cyber risk to US businesses, study finds: Reported in Yahoo! Finance, “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.”
  • Why enterprises invest in next-gen security, and then don't use it: Reported in SC Media, “The 2018 SANS 'Endpoint Protection and Response' report reveals that 42 percent of those surveyed [admitted] their endpoints had been breached, with the most popular threat vectors for these attacks being web drive-by (63 percent), social engineering/phishing (53 percent) and ransomware (50 percent).”
  • Study finds nearly half of web applications put user data at risk: Reported in SC Media, “Positive Technologies conducted various tests using automated tools and manually by using a combination of black-, gray-, and white-box methods on 23 web applications and found that attackers could obtain personal data from 44 percent of applications handling that information, such as those for bank websites, e-commerce stores, and telecoms companies, according to the firm's Web Applications for Statistics report.”
  • Business Scams, Everywhere, Phishing For Funds: Reported in PYMNTS.com, “Email attacks seem to be gaining ground. Of those surveyed, 81 percent said email attacks have been on the rise. Of that, 25 percent said the increases have been ‘dramatic’ in scope. The costs are dramatic, too, as 67 percent have said they had to divert resources from other priorities to deal with attacks. As many as 35 percent of firms were hit by ransomware attacks, and when ransoms were demanded, 12 percent opted to pay up. Finance departments were most vulnerable.”
  • How are cyber-criminals targeting financial services firms?: Reported in Silicon Republic, “Vectra detected significantly more hidden command-and-control tunnels per 10,000 devices in financial services than all other industries combined, and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries.”
  • Despite advancements, employees still practice bad cyber-hygiene: Reported in SC Media, “OpenVPN surveyed 500 US full-time employees about their cyber-security habits to pinpoint areas of weakness that could potentially harm their organization and found 25 percent of them reuse the same password for everything while 23 percent admit to very frequently clicking on links before verifying they lead to a website they intended to visit.”

F-Secure to Acquire MWR InfoSecurity

Last Monday, F-Secure announced it would acquire MWR InfoSecurity, which describes itself as “a global provider of world class research-led cyber security solutions with a range of products and services for clients worldwide.” According to a press release, “The acquisition is a significant milestone in the execution of F-Secure’s growth strategy, and makes it the largest European single source of cyber security services and detection and response solutions. […] With close to 400 employees, MWR InfoSecurity is among the largest cyber security service providers serving enterprises globally. MWR InfoSecurity has highly skilled experts in offensive techniques who understand the attacker mindset and is well-known in the industry for its technical expertise and research.”