NTSC Technology Security Roundup

Weekly News Roundup: August 20, 2018

Elimination of PPD-20 Opens Door to More Offensive Cyber Capabilities

Last week, the Trump administration eliminated Presidential Policy Directive 20 (PPD-20), an Obama-era directive that required the military, State Department, and intelligence community to consult with each other before launching offensive cyberattacks on an adversary. According to Politico, “In rescinding PPD-20, Trump put cyberattacks on the same level as kinetic operations, which do not require high-level approval or interagency discussions. Now, U.S. Cyber Command can conduct attacks based on the administration’s strategic decisions without needing to get White House signoff on individual digital strikes.”

President Trump Signs “NIST Small Business Cybersecurity Act”

Last Monday, President Trump signed the NIST Small Business Cybersecurity Act (S.770) into law. According to a press release from Rep. Daniel Webster (R-Florida), “The bill directs the NIST Director to disseminate clear and concise resources, which are defined as guidelines, tools, best practices, standards, methodologies, and other ways of providing information. Implementation of the NIST Framework into these small businesses will protect business owners, their employees, and their customer base, all while contributing positively to the economy.” SC Media notes that “S.770 also tasks NIST, a division of the U.S. Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and ‘include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.’”

FBI Announces Executive Cyber-Related Appointments

Last Tuesday, the FBI announced several cyber-related appointments including:

  • Amy Hess, Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch
  • Matt Gorham, Assistant Director of the Cyber Division
  • Michael Gavin, Assistant Director of the IT Applications and Data Division
  • Marlin Ritzman, Assistant Director of the Information Management Division

The Washington Post notes that “while Hess, like other bureau officials, has argued that the spread of strong encryption can hinder investigations, her reputation for being willing to pursue other investigative tools seems to set her apart at a time when other law enforcement officials have suggested that legislation forcing companies to create a so-called ‘back door’ into encryption may be the only solution.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Vulnerability Disclosures in 2018 So Far Outpacing Previous Years': Reported in Dark Reading, “Nearly 17% of 10,644 vulnerabilities disclosed so far this year have been critical, according to a new report from Risk Based Security.” Additionally, “Risk Based Security's vulnerability database contained more than 3,275 vulnerabilities that were not published in MITRE's CVE and the National Vulnerability Database (NVD) in the first half of 2018. Of these, more than 23% had a CVSS score between 9.0 and 10.0.”
  • Cloud computing remains top emerging business risk: Reported in Help Net Security, “In Gartner’s latest quarterly Emerging Risks Report, 110 senior executives in risk, audit, finance and compliance at large global organizations identified cloud computing as the top concern for the second consecutive quarter. Additional information security risks, such as cybersecurity disclosure and GDPR compliance, ranked among the top five concerns of the executives surveyed.”
  • White hat, black hat, and the emergence of the gray hat: the true costs of cybercrime: According to Malwarebytes Labs, “An organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs (that’s nearly $760 per employee). While the costs are lower in most of the other countries that we surveyed, the global average exceeds $1.1 million for a 2,500-employee organization.”
  • Baddies of the internet: It's all about dodgy mobile apps, they're so hot right now: Reported in The Register, “Fraud from mobile browsers and mobile applications made up 71 per cent of total fraudulent transactions recorded (of approximately 402,000) in Q2 2018, compared to 61 per cent in Q2 2017. RSA Security detected 9,185 rogue applications (compared to approximately 8,000 last quarter) which collectively accounted for 28 per cent of all fraudulent attacks recorded.”
  • Cryptojacking is still “a bit of a black box” for 71% of CISOs: Reported in Coin Insider, “71% of the survey respondents, mainly Chief Information Security Officers (CISOs), are still stating that [crypto mining] cyber attacks are ‘a bit of a black box’ for them and they still do ‘not quite know how or when they will affect’ their organization.”
  • NSA Research Looks at How Stress Impacts Cyber-Security Operations: Reported in eWeek, “The NSA study found that the average operation length is approximately 5 hours, but as operation length increases beyond that, there is a corresponding increase in fatigue and frustration. Operators experienced approximately 10 percent more fatigue and frustration when operations exceeded 5 hours compared with operations of less than 5 hours.”
  • The future of IoT? State-sponsored attacks, say security professionals: Reported in ZDNet, “During Black Hat, IoT security firm Armis surveyed over 130 IT and security professionals attending the conference. […] The vast majority -- 93 percent of respondents -- saw the future of IoT not necessarily as something smarter, but more dangerous, as they predict nation states will target or exploit connected devices in their droves over the coming year.”

EZShield Acquires IdentityForce

EZShield, a digital identity protection and resolution company that is part of The Wicks Group portfolio, announced the acquisition of IdentityForce on Wednesday. According to a press release, “The acquisition expands EZShield’s identity protection ecosystem by nearly 50 percent, providing partners in every industry, businesses of all sizes, and consumers with the most secure capabilities and rapid restoration services. […] EZShield protects U.S. consumers and small businesses against fraud and identity crimes by partnering with enterprises, financial institutions, insurance companies, benefits providers, and warranty companies. Both companies share a powerful commitment to educate and develop identity crime prevention strategies.”