NTSC Technology Security Roundup

Weekly News Roundup: June 4, 2018

Colorado Consumer Data Privacy Bill Signed Into Law

Last Tuesday, the State of Colorado signed into law a bill that strengthens consumer data privacy. According to the Colorado General Assembly website, “[The] bill requires covered and governmental entities in Colorado that maintain paper or electronic documents (documents) that contain personal identifying information (personal information) to develop and maintain a written policy for the destruction and proper disposal of those documents.” Law firm Ballard Spahr notes, “Perhaps the most significant change is that covered entities now must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. Colorado’s 30-day deadline is the shortest of any state.”

U.S. Departments of Commerce, Homeland Security Release Report to President on Promoting Action Against Botnets and Other Automated Threats

On Wednesday, the U.S. Department of Commerce and the U.S. Department of Homeland Security released a report, “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats,” that has the aim of dramatically reducing the threat of botnets and similar cyberattacks. According to a press release, “The report lists five complementary goals that would improve the resilience of the Internet ecosystem, as well as more than 20 suggested actions that key stakeholders can take to achieve those goals. The recommended actions [include] new initiatives, such as increasing software component transparency and initiating a public campaign to support awareness of IoT security. The report also finds several ongoing activities that should be continued or expanded, including establishing federal procurement guidelines to provide market incentives for vendors that significantly reduce the incidence of security vulnerabilities in their products.”

NIST Releases Report Assessing US Cybersecurity Workforce

Also on Wednesday, NIST released a report, “Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce: Building the Foundation for a More Secure American Future,” that argues the US “needs immediate and sustained improvements in its cybersecurity workforce.” According to a press release, the report “recommends that the private and public sectors strengthen ‘hands-on, experiential, and work-based learning approaches,’ including apprenticeships, research experiences, cooperative education programs and internships. Both sectors should ‘align education and training with employers’ cybersecurity workforce needs, improve coordination, and prepare individuals for lifelong careers.’”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Study shows admins are doing a terrible job of patching servers: Reported in Network World, “78% of the codebases examined contained at least one unpatched vulnerability, and an average of 64 known exploits per codebase. In the internet of things, where 77% of the code is open source, the audit found an average of 677 vulnerabilities per application.”
  • Still only 1/3 of companies have cyber insurance despite increasing risks and costs: Reported in SC Media, “Despite the Equifax breach costing the company more than $242 million only about 35 percent of companies have cybersecurity insurance…”
  • The Energy Grid Isn’t Insured Enough to Handle a Catastrophic Hack: According to Bloomberg, “Insurers are limiting how much coverage energy companies can buy to protect themselves against a major attack by hackers, potentially leaving investors, customers and taxpayers on the hook for sizable losses. […] The result is an industry largely unprepared for a hacker-triggered catastrophe, according to cybersecurity experts.”
  • Cybercriminals on average have seven-day window of opportunity to attack: Reported in SC Media, “Once a vulnerability is announced, the average attacker has a seven-day window of opportunity to exploit the flaw before a defender is even aware they are vulnerable, according to [a] report from Tenable.”
  • Banking Trojans dominate the malware landscape in the first months of 2018: According to Proofpoint, “For the first time since Q2 2016, banking Trojans displaced ransomware as the top malware in email, accounting for almost 59% of all malicious email payloads in Q1. Emotet was the most widely distributed banking Trojan, accounting for 57% of all bankers and 33% of all malicious payloads.”

FireMon Announces Agreement to Acquire Lumeta

Last Tuesday, network security policy management company FireMon announced it would acquire Lumeta—a company focused on cyber situational awareness products and services. According to a press release, “Lumeta’s technology will enable FireMon customers to extend intent-based security to on-premise and cloud assets that were previously unknown and ensure the right security measures are in place in an automated way utilizing an organization’s existing security infrastructure.” The acquisition is expected to be completed within the second quarter of 2018.