NTSC Technology Security Roundup

Weekly News Roundup: July 2, 2018

DHS Struggles to Find Organizations Reciprocating the Sharing of Cyber Threat Intelligence

As the Department of Homeland Security looks to promote and strengthen its cyber threat intelligence sharing programs, it’s taking a hard look at the numbers. According to NextGov, “…only six companies and other non-federal entities are sharing [how and when malicious hackers are trying to penetrate their computer networks]. […] That’s compared with about 190 such entities and about 60 federal departments and agencies that are receiving cyber threat data from Homeland Security’s automated indicator sharing program…” Recently, the DHS has been promoting its Automated Indicator Sharing (AIS) program and articulating a vision toward the nation’s “collective defense”—in which it is critical for companies to start sharing information back to DHS (as well as receiving it).

Cybersecurity Legislation News Roundup

Here is a roundup of some important legislative news from last week:

  • As the military's cyber units change guard, a battle over control rages on: According to CyberScoop, “During a time of rapid change for the U.S. military’s top cyberwarfare teams, the current version of the 2019 defense bill is challenging the president’s ability to exert his authority with regards to those units. […] Amendments introduced in the NDAA would require the executive branch to develop and adhere to a cyberwarfare strategy document that draws lines around what types of malicious foreign activity should result in retaliatory measures, such as attacking an enemy’s server with destructive computer code.”
  • Bill to Reinstate and Elevate Top Cyber Diplomat Advances from Senate Committee: According to NextGov, “The Senate Foreign Relations Committee [last] Tuesday forwarded its version of a bill that would reverse a Trump administration move that effectively downgraded State Department cybersecurity efforts. The Cyber Diplomacy Act would create an Office of Cyberspace and the Digital Economy inside the State Department with a Senate-confirmed director responsible for leading the cybersecurity efforts across numerous spheres.”
  • House passes bill to address industrial cybersecurity: According to The Hill, “House lawmakers approved legislation Monday aimed at securing technology used to power critical infrastructure from cyberattacks. The bill offered by Rep. Don Bacon (R-Neb.) would codify work the Department of Homeland Security is currently doing to identify cyber threats to industrial control systems and mitigate them. […] The House passed the legislation in a voice vote Monday evening, after it cleared the House Homeland Security Committee [in early June].”

Three Serious Data Breaches Announced in One Week

Last week saw three serious data breaches announced from various companies:

  • Exactis: According to Wired, “Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.”
  • Adidas: According to Engadget, “Adidas announced [last] week that its systems might have suffered a data breach and that millions of customers' data could have been exposed. […] Contact information, usernames and encrypted passwords might have been exposed, according to the company's preliminary investigation, but as of now, credit card and fitness information aren't thought to be included in any stolen data.”
  • Facebook / Nametests: According to Newsweek, “Sensitive Facebook information for up to 120 million users was put at risk for years by a leaky quiz application company called Nametests.com, a security researcher disclosed [last week]. […] According to internet records, the flaw had existed since 2016. Nametests, which has 120 million monthly active users thanks to Facebook pages in different languages, offers tests and quizzes which spread across social media.”

CIO and CISO Councils Release CISO Handbook

Last week, the CIO and Chief Information Security Officer Councils released the “Chief Information Security Officer Handbook.” According to the executive summary, “This handbook aims to give CISOs important information they will need to implement Federal cybersecurity at their agencies. It is designed to be useful both to an executive with no Federal Government experience and to a seasoned Federal employee familiar with the nuances of the public sector.” The three sections include information about CISO roles and responsibilities, managing risk across the enterprise, and management resources.

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Botnets Evolving to Mobile Devices: Reported in Dark Reading, “[A new report titled] ‘Mobile Bots: The Next Evolution of Bad Bots’ examined requests from 100 million mobile devices on the Distil network from six major cellular carriers during a 45-day period. The company found that 5.8% of those devices hosted bots used to attack websites and apps – which works out to 5.8 million devices humming away with activity that their owners know nothing about.”
  • DDoS attacks continue to rise in frequency, sophistication and severity in 2018, researchers find: Reported in Cyware, “In their recently published Summer 2018 State of the Internet Security report, security researchers at Akamai state that DDoS attacks have risen by 16% in 2018 as cybercriminals continue to employ new techniques to enhance these attacks.”
  • Security Cited as the Top Reason Why Organizations Use Web Filtering at the Workplace, Survey Finds: Reported in Tripwire, “In its report Data snapshot: How web filtering affects workplace security and productivity, Spiceworks observed that more than half (58 percent) of organizations monitor their employees’ internet activity. […] Specifically, 90 percent of enterprises said they used web filtering to prevent and protect against malware infections.”
  • High-Profile Incidents Have Made Boards Cyber Savvy: Reported in Infosecurity Magazine, “Half of all respondents claimed that visibility of cyber-threats had grown at a board-level thanks to the impact attacks like WannaCry and NotPetya had on the bottom line of major multi-nationals in 2017.”
  • Cyber Researchers Don’t Think Feds or Congress Can Protect Against Cyberattacks: Reported in NextGov, “Only 13 percent of researchers ‘believe that Congress and the White House understand cyber threats and will take steps for future defenses,’ according to the poll of attendees at the Black Hat cybersecurity conference. Only 15 percent of the researchers believe the U.S. government and private industry are prepared to respond to a major breach of critical infrastructure.”