NTSC Technology Security Roundup

Weekly News Roundup: September 10, 2018

September 1 Activates Two Major State Cybersecurity Laws

On September 1, two major state cybersecurity law provisions went into effect: Colorado’s strengthened consumer data privacy law and provisions related to the New York Department of Financial Services’ regulations around cybersecurity. According to The National Law Review:

  • “Colorado’s updated statute expands the definition of ‘personal information’ to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the company determining that the breach has occurred, and Colorado now joins many other states in having content requirements for breach notices.”
  • “…the [New York Department of Financial Services] regulation applies to ‘covered entities’ under New York’s Banking, Insurance, and Financial Services laws, and has rolling effective dates. The September 1 date brought into effect the need for covered entities to, inter alia, (1) conduct risk assessments for in-house developed and externally developed applications that are brought into the company’s environment, (2) have policies that limit retention of nonpublic personal information the entity no longer needs, (3) monitor access to nonpublic information in their systems, and (4) encrypt nonpublic information at rest and in transit.”

NSA Warns About Devastating Intellectual Property Theft from Nation State Hackers

While threats to critical infrastructure and elections more often make headlines, the theft of intellectual property by nation state hackers remains a devastating blow to businesses, costing them on the order of $600 billion each year. NSA Deputy Director George Barnes talked about the seriousness of the problem at a recent conference. According to CyberScoop, “Rather than one, devastating cyberattack, Barnes said there has been a ‘slow drip’ of ‘continual theft of intellectual property from our industries.’ […] For Barnes, the key to better defending U.S. trade secrets from hackers is to share threat information across ‘the public-private divide.’ ‘Our [threat] information is no good unless we can get it into the hands of critical infrastructure’ as well as government personnel defending federal networks, he said.”

DHS and Intelligence Chiefs Comment on Cyberthreats

Last week, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen and Director of National Intelligence Dan Coats made comments about cyberthreats from nation states. Quoted in The Hill, Nielsen said at an event at George Washington University, “We will no longer tolerate the threat of our data. We will no longer stand idly by while our networks are penetrated, exploited, or held hostage. Instead we will respond, and we will respond decisively.” And at the Intelligence and National Security Summit last Tuesday, Coats said (quoted in FCW), “The cyber threats to the U.S. are not just limited to U.S. elections, a point that is too often missed in the crush of our 24-hour news cycle. Foreign influence efforts online are being used around the globe, not just for elections. This threat more than any other demonstrates how the interconnectedness of our world […] has a downside. [The] relative lack of global guard rails in the cyber domain significantly increases the risk that a discrete act will have enormous strategic implications.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Trend Micro Survey Finds IoT Deployment Decisions Made Without Consulting Security Teams: Reported in IT SECURITY GURU, “A survey of 1,150 IT and security decision makers in Germany, France, Japan, the UK and US revealed that 79 percent involve the IT department in choosing industrial IoT solutions, but only 38 percent involve their security teams.”
  • Data Breaches Hit Share Prices, Too: Reported in Dark Reading, “Comparitech analyzed 28 breaches suffered by 24 companies with shares listed on the New York Stock Exchange. While they found wide variations in share performance in the weeks and months following a breach, on average companies that suffered a breach under-performed the NASDAQ by -3.7% after one year.”
  • Business Email Fraud Attacks Jump 25%: Reported in Infosecurity Magazine, “Cyber-criminals are sending more emails than ever before to defraud organizations, according to a new report, Protecting People, from Proofpoint. The firm analyzed more than 600 million emails, revealing that the number of email fraud attacks per targeted company rose 25% from the previous quarter, and 85% from the same time last year.”
  • Fileless Malware Attacks Are on the Rise, SentinelOne Finds: Reported in eWeek, “According to SentinelOne’s Enterprise Risk Index Report for the first half of 2018, fileless malware attacks are growing in number and sophistication. Fileless malware, which antivirus software cannot find, makes up about 70 percent of executables that are unknown to reputation services.”
  • How leadership implements cyber resiliency across their organizations: Reported in Help Net Security, “Over 450 companies across the globe were asked about their strategies and the challenges they face in building a cyber resilient organization. Almost 40 percent of executives surveyed felt that the board should oversee cyber, compared with 24 percent who felt it should be the role of a specialized cyber committee.”
  • USA Is the Top Country for Hosting Malicious Domains According to Report: Reported in Bleeping Computer, “The US continues to be the top country hosting domains that serve web-based threats and the main source for exploit kit distribution at a global level, according to new research.”
  • Orgs Still Feel Vulnerable Despite Cyber Standards: Reported in Infosecurity Magazine, “Even though the majority of companies across the globe have implemented cybersecurity standards, a new report from IT Governance USA found that companies still believe they are the likely target of an attack.”
  • Study: Grid security needs to be a team sport: Reported in FCW, “Electrical grid providers and the federal government should develop collaborative response templates to handle cyber and physical attacks on power supply infrastructure, according to a new study by a member of the Homeland Security Advisory Council and grid expert.”

Department of Commerce Launches Collaborative Privacy Framework Effort

According to a press release, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced last Tuesday that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. The envisioned privacy framework will provide an enterprise-level approach that helps organizations prioritize strategies for flexible and effective privacy protection solutions so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust. To collect input from stakeholders, NIST will kick off the effort with a public workshop on October 16, 2018, in Austin, Texas—in conjunction with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018 conference.