NTSC Blog

NTSC Technology Security Roundup

Weekly News Roundup: July 23, 2018

Advancing Cybersecurity Diagnostics and Mitigation Act Introduced

Last Wednesday, Rep. John Ratcliffe (R-Texas) introduced the Advancing Cybersecurity Diagnostics and Mitigation Act (H.R. 6443) to codify the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program. According to a press release, “The bill will require DHS to develop policies and procedures for reporting systemic cybersecurity risks and potential incidents based on data collected under CDM. It will also require regular improvements to CDM that keep pace with the emerging technologies, and it will help ensure that CDM continues to evolve and adjust to the changing cyber threat landscape.” NextGov notes that “The bill would also give Secretary Kirstjen Nielsen 180 days to put a comprehensive CDM strategy in writing.”


Grant Schneider Becomes Federal CISO

Last Thursday, the Office of Management and Budget announced that it had selected Grant Schneider to become the federal Chief Information Security Officer. Previously, Schneider had served as acting federal Chief Information Security Officer and senior director for Cybersecurity Policy on the National Security Council staff. According to CyberScoop, “In June, the White House tapped Schneider to head the Vulnerabilities Equities Process (VEP), the U.S. government mechanism for deciding whether to hoard software bugs for intelligence purposes or disclose them to the private sector so they can be fixed. Schneider will continue in his role at NSC in addition to the CISO job, a Trump administration official told CyberScoop. That means he will maintain control over the VEP, an NSC spokesperson confirmed.”


Federal Government Signals Cybersecurity Improvements

Various announcements were made last week about improvements to federal cybersecurity that will help tackle systemic issues:

  • Cyber Workforce Shortages: According to NextGov, “The administration has already begun the first part of [its] cyber workforce plan by polling agencies about skills gaps among their current cybersecurity employees […]. The reorganization plan’s longer-term cyber workforce goal is to standardize cyber job categories using a framework developed by the Commerce Department and to make those jobs more competitive by reducing hiring bureaucracy and raising pay.”
  • Battling Cybercrime: The Department of Justice released a report about battling election meddling and overall cybercrime. Summarized in Politico, “Chapter 2 [of the report] discusses the types of cybercrime that the department investigates, from distributed denial-of-service attacks to ransomware infections. Chapter 3 explains how the government fights back, including prosecution tools like the Computer Fraud and Abuse Act, techniques like surveillance of suspects and other response options like dismantling botnets. Chapter 4 describes the government’s private-sector partnerships, information-sharing channels and interagency response plans.”
  • Cyber Deterrence: Reported in CyberScoop, “In remarks [last] Wednesday at the American Enterprise Institute, [Rep. Michael] McCaul [R-Texas] highlighted the strong hacking capabilities at the Trump administration’s disposal – should the White House want to escalate their usage. ‘We have the capability to shut down governments. We have the capability to conduct major offensive cyber-operations,’ McCaul said. ‘Our adversaries have that now, too,’ he added, citing cyberattacks on the U.S. financial sector that U.S. officials have blamed on Iran.”


FERC Requires Expanded Cyber Security Incident Reporting

According to a press release, “The Federal Energy Regulatory Commission (FERC) [last Thursday] directed the North American Electric Reliability Corp. (NERC) to develop, within six months of the effective date of this final rule, modifications to the Critical Infrastructure Protection Reliability Standards to improve mandatory reporting of cybersecurity incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the nation’s bulk electric system.” Reuters notes that “FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure.”


Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Share of cryptomining attacks grew from 7% to 32% of all attacks in just six months: Reported in SC Media, “[A] new report from Skybox Security, Vulnerability and Threat Trends Report shows use of cryptomining by cyber-criminals for personal gain hasn't abated. Between January and June this year, malicious cryptomining accounted for 32 percent of all attacks while ransomware attacks accounted for just eight percent.”
  • Cybersecurity no longer top risk for telecom industry: Reported in Help Net Security, “Perceived risk from cyber threats falls back to #7 in the risk top 10 after it had jumped up 23% last year, when 39% of executives were concerned after ransomware attacks.”
  • ThreatList: Sizing Up The Scourge of Credential-Stuffing: Reported in ThreatPost, “Last year, 2.3 billion credentials were stolen from 51 different organizations, including Ancestry.com, Imgur and Virgin America. Where do all those user names go? In Shape Security’s second annual Credential Spill Report, it found that billions of stolen digital IDs are contributing to an epidemic of credential-stuffing and account-takeover fraud.”
  • 35 Percent of People Never Change Their Passwords: Reported in PCMag UK, “A new PCMag survey of 2,500 US consumers, conducted between June 30 and July 2, reveals that 35 percent of people never change their passwords; they only do it if they're prompted.”
  • Microsoft tops list of brands impersonated by phishers: Reported in Help Net Security, “The number one brand spoofed by phishers in Q2 2018 in North America was Microsoft, says email security company Vade Secure. The company credits the surging of adoption of Microsoft Office 365 for this unfortunate statistic.”
  • Disclosing trade secrets increases risk of cyberattack, study finds: Reported in Phys.org, “U.S. firms that disclosed the existence of trade secrets have a significantly higher probability of becoming targets of hackers, according to a new study led by a University of Kansas accounting professor.”
  • Downward Trend in Healthcare Ransomware Attacks May be Temporary: Reported in Security Week, “Cryptonite believes that one of the reasons for the decline in ransomware is general improvements in healthcare security. […] However, it suspects that this may be only a temporary respite. ‘We do believe that ransomware still presents a formidable threat to healthcare and expect new variants, such as AI based malware, to present very difficult challenges to healthcare institutions later in 2018 and into 2019.’”
  • Gartner Survey Finds Only 65 Percent of Organizations Have a Cybersecurity Expert: According to Gartner, “Despite 95 percent of CIOs expecting cyberthreats to increase over the next three years, only 65 percent of their organizations currently have a cybersecurity expert…”
  • Organizations need a zero trust model for cyber security, Unisys survey finds: Reported in IT Security Guru, “New research from Unisys Corporation found that IT professionals reported three incidents on average where sensitive information had been lost last year, with some respondents reporting 11 losses for the year. Respondents also reported an average of nine incidents per month where they had to address highly severe security issues.”
  • FICO Survey: US Firms Are Too Confident About Their Cybersecurity: According to a press release, “Despite the growth in data breaches, senior executives at US firms think their cybersecurity protection is top-notch, according to a new survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO. 68 percent of executives from US firms said their firm was better prepared than their competitors, and 37 percent said their firm was a top performer.”
  • BEC Scam Losses Top $12 Billion: FBI: Reported in Security Week, “The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.”