NTSC Technology Security Roundup

Weekly News Roundup: August 6, 2018

DHS Announces Creation of National Risk Management Center

Last Tuesday, the Department of Homeland Security announced the establishment of a National Risk Management Center. According to DHS, the National Risk Management Center will create a cross-cutting risk management approach between the private sector and government to improve the defense of our nation’s critical infrastructure—focused initially on financial services, electricity, and telecommunications. The Hill said, “The new center’s goal will be to bolster coordination between the federal government and private sector companies — which own and operate the vast majority of critical assets — and to improve the protection of critical infrastructure from potential threats, according to a document outlining its mission.”

Other news and announcements from the DHS’s New York cybersecurity summit on Tuesday included:

  • A warning by DHS Secretary Kirstjen Nielsen about the probability of a major Internet-based attack. Quoted in the Washington Examiner, Nielsen said, “DHS was founded 15 years ago to prevent another 9/11, but today I believe the next major attack is more likely to reach us online than on an airplane. Cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country’s security.”
  • A speech by Vice President Mike Pence supporting the Cybersecurity and Infrastructure Security Agency and stronger public-private partnerships. According to Pence, “America also needs a central hub for cybersecurity. And today we call on the United States Senate to follow the lead of the House of Representatives and, before the end of this year, enact legislation to create a new agency under the authority of DHS. The time has come for the Cybersecurity and Infrastructure Security Agency to commence.”
  • Support from General Paul Nakasone, head of the NSA and US Cyber Command, for more cyberthreat intelligence sharing and partnering with the private sector. As reported in Fifth Domain, “Ninety percent of America’s critical infrastructure is in private hands, Nakasone said. Therefore, the Department of Defense is kicking off the new risk center with a ‘90 day sprint’ to identify companies that are most essential to the U.S. way of life in an effort to protect them from foreign cyberattacks. ‘Not all risks are created equal,’ Nakasone said of the initial effort.”

Cybersecurity Legislation News Roundup

Here is a roundup of some important legislative news from last week:

  • Senate passes National Defense Authorization Act: Last Wednesday, the Senate passed the final version of the National Defense Authorization Act, which includes language about the US increasing its offensive cyber capabilities.
  • U.S. Congress passes bill forcing tech companies to disclose foreign software probes: According to Reuters, “The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military. The legislation, part of the Pentagon’s spending bill, was drafted after a Reuters investigation last year found software makers allowed a Russian defense agency to hunt for vulnerabilities in software used by some agencies of the U.S. government, including the Pentagon and intelligence services.”
  • International Cybercrime Prevention Act and Defending the Integrity of Voting Systems Act Introduced: According to The Hill, the International Cybercrime Prevention Act “would allow federal prosecutors to shut down ‘botnets,’ or networks of infected devices that foreign hackers could use to spread disinformation. […] The act would also prohibit people from selling botnets. The second piece of legislation, the Defending the Integrity of Voting Systems Act, introduced by [Richard Blumenthal (D-Conn.)], would allow the Department of Justice to pursue federal charges against anyone who hacks voting systems used in federal elections.”

Dragos Identifies Sophisticated Hacker Group Attacking US Electric Utility Companies

As widely reported last week, industrial cybersecurity software company Dragos identified a hacker group it is calling “RASPITE” that has accessed electric utility companies in the US. According to Dragos, the company “has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • US retailers lead world in data breaches: Reported in Retail Dive, “U.S. retailers lead the world in security breaches, according to the 2018 Thales Data Threat Report, Retail Edition. U.S. retail data breaches more than doubled since the last Thales report, rising to 50% from 19% in the 2017 survey. The global average of retail executives reporting data breaches is 27%.”
  • Symantec Warns of Increasingly Sophisticated Tech Support Scams: Reported in eWeek: “Symantec issued a report on Aug. 3 revealing that technical support fraud scammers are using call optimization services to improve their results. The new techniques come as the volume of tech support scams blocked by Symantec continues to grow.”
  • Spam is getting smarter and we're still falling for it: Reported in ZDNet, “According to an analysis of spam emails by security company F-Secure, nearly half (46 percent) are pushing dating scams, just under a third (31 percent) are links to malicious websites and just under a quarter (23 percent) have malicious attachments. Just five file types - ZIP, .DOC, .XLS, .PDF, and .7Z - make up about 85 percent of malicious attachments.”
  • Two-thirds of organizations acknowledge suffering supply chain attacks in 2017: Reported in Cyware, “A new global survey, conducted by Vanson Bourne on behalf of CrowdStrike, has found two-thirds of companies across the world were hit by supply chain attacks in 2017, despite maintaining a proper defense strategy. […] Although organizations claimed to have security protocols in place, these proved ineffective in protecting them from attacks.”