NTSC Technology Security Roundup

Weekly News Roundup: August 5, 2019

100 Million Applications and Accounts Breached in Capital One Data Breach

Last Monday, Capital One announced that a security incident took place in March 2019 that resulted in the breach of data from 100 million applications and accounts. We’ve summarized some of the key coverage below:

  • A hacker gained access to 100 million Capital One credit card applications and accounts: According to CNN, “In one of the biggest data breaches ever, a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year. Paige Thompson is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.”
  • What’s in Your Wallet? A Misconfigured Firewall: According to Politico, “The massive breach could renew momentum for a federal data privacy standard, although past major breaches haven’t proven enough to generate real movement. The alleged hacker, Paige A. Thompson, prompted many a head-scratch in the information security world over her methods, which a criminal complaint revealed involved precautions like using Tor anonymous web-surfing technology but seemingly careless moves like dumping the information on GitHub. And there may be more from her.”
  • Congress wants Capital One, Amazon to explain data breach: According to The Associated Press, “Leaders of House and Senate committees want Capital One and Amazon to explain to Congress how a hacker accessed personal information from more than 100 million Capital One credit card customers and applicants. […] Ohio Rep. Jim Jordan, the top Republican on the House Oversight and Reform Committee, asked for a staff-level briefing by Aug 15 on the breach that was reported late Monday. The chairman of the Senate Banking, Housing and Urban Affairs Committee also said the committee will look into the matter.”
  • New York Attorney General opens investigation into Capital One data breach: According to The Hill, “New York Attorney General Letitia James announced Tuesday that her office is opening an investigation into the Capital One data breach that resulted in the personal information of about 100 million American customers being illegally accessed.”

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Moran Tees Up Data Privacy Bill As Senate Effort Splinters: According to Bloomberg Law, “A bipartisan pair of senators has drafted a data privacy bill that would give the Federal Trade Commission more enforcement tools, while pre-empting state laws. Sens. Jerry Moran (R-Kan.) and Richard Blumenthal (D-Conn.) had been working with a group of other Senate Commerce, Science and Transportation Committee members to draft a bill, but that effort stalled in recent months. Moran said he and Blumenthal are now writing their own bill in a bid to see if they can attract the support of other lawmakers, as the August recess looms.”
  • Senators introduce bill to secure U.S. supply chains against Chinese threats: According to The Hill, “Sens. Mike Crapo (R-Idaho) and Mark Warner (D-Va.) introduced legislation [last] Tuesday intended to secure U.S. technological supply chains from exploitation from countries such as China. The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (Microchips) Act would establish a National Supply Chain Security Center within the Office of the Director of National Intelligence. This new center would be charged with collecting information on threats to supply chains for the government and the military as well as for key telecommunication infrastructure like 5G, and sharing this with relevant federal agencies. The bill would also require the director of national intelligence to develop a plan to increase supply chain intelligence within 180 days of the bill being signed into law.”
  • New Senate bill seeks improvements to federal cybersecurity: According to Homeland Preparedness News, “U.S. Sens. John Cornyn (R-TX) and Maggie Hassan (D-NH) introduced cybersecurity legislation [last] week, seeking to improve the work of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. Their solution is the Advancing Cybersecurity Continuing Diagnostics and Mitigation Act, which would make several demands of those involved with the program. Under the bill, DHS would need to codify the work of the CDM program thus far.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • Senate confirms Trump's first chief technology officer: According to The Hill, “The Senate voted [last] Thursday to confirm Michael Kratsios as the Trump administration's first chief technology officer and the White House's top tech adviser. Kratsios had been serving in the position on an acting basis and as a deputy assistant to the president since 2017. During that time, he has led the White House Office of Science and Technology Policy, advising the president on issues like next-generation wireless networks and artificial intelligence.”
  • Defense contractors aren't securing sensitive information, watchdog finds: According to FCW, “Contractors routinely fail to secure the Defense Department's unclassified information from cyberthreats when it's housed on their systems and networks, according to a new report from the department's watchdog agency. The DOD inspector general released a report July 25 after reviewing how DOD information is protected on contractors' networks and systems. The IG found that contractors were not consistently adhering to DOD's cybersecurity standards, which are based on controls created by the National Institute of Standards and Technology.”
  • Agencies Still Falling Short on Cyber Standards, GAO Says: According to NextGov, “Many major federal agencies are dropping the ball when it comes to basic cybersecurity practices despite thousands of watchdog recommendations and an expanding array of digital threats, according to the Government Accountability Office. Last year, federal auditors revealed that most agencies don’t understand the cybersecurity risks they face, and even fewer have put in place sufficient safeguards to defend against those threats, GAO said in a report published [last] Friday. Many also lack proper policies for responding to intrusions and recovering from attacks, according to auditors.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Financial Services Cybersecurity Still Porous: Reported in Forbes, “More than half [of security practitioners within the FSI] acknowledge that sensitive customer information has been stolen from their organization at some point. Most organizations use financial software and systems supplied by third parties, and 74% of respondents said they worry about security vulnerabilities in those products. But fewer than half require those vendors to comply with cybersecurity requirements or to verify their security practices.”
  • Ponemon Institute and Devo Technology Study Reveals 65% of Cybersecurity Analysts Consider Quitting Due to Burnout, Lack of Visibility: According to a press release, “[While] the SOC is considered an essential or important component of business, most respondents rate their SOC’s effectiveness as low, and 49 percent say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats, and workplace stress on the SOC team are diminishing its effectiveness. Further, security professionals say working in the SOC is painful, leading 65 percent to report having considered changing careers or quitting their jobs.”
  • Over half of enterprise firms don’t have a clue if their cybersecurity solutions are working: Reported in ZDNet, “On average, enterprise firms are spending $18.4 million every year on cybersecurity and 58 percent are planning to increase this level of investment by up to 14 percent over the 2019 - 2020 period. However, those surveyed admitted that after deployment, cybersecurity solutions monitoring is thin on the ground and a total of 53 percent have no idea how well the tools and software implemented in corporate networks are performing.”
  • Surprise: Healthcare Organizations Confident in Their Cybersecurity Efforts: Reported in Security Boulevard, “58% [of participants working within healthcare including hospitals, physician group practices and payers] believe that the cybersecurity of their patient portal is above average or superior when compared to other patient portals, 93% use username and password as the patient portal authentication method, [and] 65% report that their individual state budgets for patient identity management will not increase in 2019.”
  • Demand for cyber insurance grows as volatility scares off some providers: Reported in CyberScoop, “Direct cyber insurance premiums grew to $2 billion last year, up 26 percent since 2015, according to figures published July 25 by Moody’s Investors Service. That figure represents less than 1 percent of premium insurance revenue in the U.S., but it’s clear the increasing claims over the past three years are driven largely by concerns about data breaches, distributed denial-of-service attacks and, perhaps most notably, ransomware.”
  • Extortion Revival: Reported in Politico, “Email extortion scams, especially those centered on sextortion and bomb threats, have been on the rise since mid-2018, Symantec observed in research out [last Tuesday]. The company said it blocked 300 million such emails in the first five months of the year. The attacks don’t appear particularly targeted, but they spiked in February.”
  • Cybersecurity training is up, but a hiring gap remains: Reported in HR Dive, “Despite cybersecurity job training growth, hiring hasn't kept up with demand, according to a report from analytics firm Burning Glass Technologies. Citing data from the National Center for Education Studies, the company said that postsecondary cybersecurity training and the number of graduates in the field rose by 33% and 40%, respectively, between 2013 and 2017. But the field's ratio of employed workers to job openings has changed little in four years, it noted.”