NTSC Technology Security Roundup

Weekly News Roundup: August 19, 2019

Cybersecurity Legislation at the Recess: A Recap by National Law Review

While Congressional cybersecurity news may be slow during the August recess, many bills and cybersecurity-related activities are still in play between now and the end of the year. Last Monday, the National Law Review published a summary of the cybersecurity bills and legislative priorities currently in progress. The summary includes:

  • Cybersecurity language in the National Defense Authorization Act
  • IoT cybersecurity bills advanced by House and Senate committees
  • S. 1846 (State and Local Government Cybersecurity Act of 2019)
  • DoD Inspector General report on cybersecurity risks for Commercial Off the Shelf (COTS) purchases
  • Government Accountability Office cybersecurity report
  • Cybersecurity bills advanced by the House Energy & Commerce Committee

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • US Cyber Command has publicly posted malware linked to a North Korea hacking group: According to TechCrunch, “U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers. […] The uploaded malware sample is named Electric Fish by the U.S. government. Electric Fish is a tunneling tool designed to exfiltrate data from one system to another over the internet once a backdoor has been placed.”
  • DHS Funds Research to Improve Software Security Analysis: According to NextGov, “The Homeland Security Department [on August 9] awarded a noncompetitive, sole-source contract that could eventually help the government better find and patch vulnerabilities in its IT infrastructure. Under the contract, GrammaTech, a New York-based software developer, will create a standardized process for evaluating open-source static analysis tools [that] tech agencies use to scan software for known vulnerabilities. The company’s work will support the Static Tool Analysis Modernization Project, or STAMP, an effort by Homeland Security’s Science and Technology Directorate to improve the software security tools available across government.”
  • Feds plan to use SecureDrop as a vulnerability reporting portal: According to CyberScoop, “The U.S. government is experimenting with a secure and anonymous portal for reporting software vulnerabilities to encourage closer collaboration with ethical hackers. The initiative is a recognition of the lingering reluctance that some security researchers have felt in flagging bugs for federal officials, despite a longstanding program run by the Department of Homeland Security. The project would use SecureDrop, the open-source software that some news organizations rely on for anonymous tips, to submit vulnerability information.”
  • The Pentagon's Research Arm Wants AI to Help Design More Secure Tech: According to NextGov, “[Last] Tuesday, the [Defense Advanced Research Projects Agency] kicked off a research initiative that will focus on building AI-powered tools that help the Pentagon rapidly assess different blueprints for cyber physical systems. According to DARPA, the tech developed under the Symbiotic Design for Cyber Physical Systems program would ‘be a game changer, and may result in a new generation of unexpected, counterintuitive design solutions.’”
  • CISA Releases Consumer Internet Security Recommendations: According to Fifth Domain, “The organization within the Department of Homeland Security is tasked with protecting the nation’s critical infrastructure from cyberattacks and, as part of the lead up to National Cybersecurity Awareness Month in October, the agency released a toolkit Aug. 14 for preventing attacks. Created in partnership with the National Cyber Security Alliance, the toolkit contains best practices for citizens to protect themselves online.”
  • Energy is Updating Its Cyber Posture Assessment Tool: According to NextGov, “The Energy Department is upgrading its toolkit for measuring how effectively organizations protect themselves against cyberattacks. The department [last] Wednesday announced it would update the Cybersecurity Capability Maturity Model, a framework that helps federal agencies and private companies better assess the strength of their cyber defenses.”
  • NIST seeks industry feedback as Internet of Things cybersecurity standards take shape: According to Federal News Network, “The internet of things covers a wide range of devices, from smart speakers to medical devices, but the National Institute of Standards and Technology is looking to build a common foundation of cybersecurity practices for IoT manufacturers and consumers. At an IoT workshop at its headquarters in Gaithersburg, Maryland, NIST sought feedback from industry partners on an internal report released in June that focused on next steps for IoT security and privacy. [Last] Tuesday’s meeting also stemmed from a roadmap the agency released in April that laid out areas where the agency could further advance its work on its cybersecurity framework.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • New approach to risk management needed, says Gartner: Reported in Computer Weekly, “The majority (83%) of organizations that engage third parties to provide business services identified third-party risks after conducting due diligence, a Gartner study has revealed. […] Only 29% of business and IT executives globally know how diligently their partners are working regarding security, with 56% relying on trust alone, a recent survey revealed.”
  • Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says: Reported in VICE, “‘Since our launch, over 650,000 people have participated in our early experiment,’ Google told Motherboard in a statement. ‘In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe—1.5% of sign-ins scanned by the extension.’”
  • Human Factor is a Persistent Cybersecurity Threat, Survey Says: Reported in Security Magazine, “A new survey says that people consider malicious insiders (30 percent) and human error (25 percent) to be the two top cybersecurity threats. According to the Canon Office of the Future survey, malware and ransomware are other pertinent cybersecurity threats. More than one-third of respondents consider malware and ransomware a first priority threat. Yet, 25 percent of respondents say that employees have limited to no security awareness, nor do they understand their role in prevention.”
  • Clickjacking Evolves to Hook Millions of Top-Site Visitors: Reported in Threatpost, “In crawling data from the Alexa top 250,000 websites, researchers discovered 437 third-party scripts that intercepted user clicks on 613 websites – which in total receive around 43 million visits on a daily basis. Making matters worse, click interception links are using new techniques – such as making the links larger – that are making them harder to avoid.”
  • Adware, Trojans Hit Education Sector Hard: Reported in Dark Reading, “The education sector continues to suffer from malware because of tight budgets, a shortfall in necessary security workers, and a lack of security awareness among students, according to new analysis published by security firm Malwarebytes. Schools and universities were the top targets of Trojan horse programs, such as Emotet and Trickbot, for all of 2018 and the first half of 2019, Malwarebytes' data shows. Almost three of every 10 devices owned by educational institutions encountered malware in the past 18 months, while a third of student-owned systems were actually infected with a Trojan, according to Malwarebytes.”
  • Cryptocurrency scammers have netted $4.26B so far this year, report: Reported in TNW, “Cryptocurrency scammers continued to swindle funds throughout Q2 2019, netting approximately $4.26 billion so far this year. According to CipherTrace’s latest report, insider thefts were by far the largest offenders, netting massive losses on investors and cryptocurrency exchange users.”
  • Healthcare cybersecurity market poised for growth over the coming years: Reported in Healthcare Finance News, “The healthcare cybersecurity market was valued at $8.2 billion in 2018, and it's only expected to grow from there, with a projected compound annual growth rate of 19.1% from this year through 2025. The cybersecurity market is in a good position to become an avenue of investment over the coming years, driven in part by the fast-paced digital transformation of the worldwide healthcare industry, according to data from Global Market Insights.”