NTSC Blog

NTSC Technology Security Roundup

Weekly News Roundup: September 16, 2019


DHS Cybersecurity News Roundup

Several cybersecurity stories appeared last week related to DHS.

  • DHS looks to upgrade flagging info sharing program: According to Jeanette Manfra, the assistant director for cybersecurity and communications at the Cybersecurity and Infrastructure Security Agency at DHS, quoted in FCW, “I think what we’re going to do is we will probably start differentiating more feeds, so it's not going to be a one size fits all. It was originally intended to not have much human [presence] in the loop…but garbage-in garbage-out is always a risk there. So there will probably be less quantity and higher confidence and higher quality, because that's most of the feedback we've gotten. [We've heard] ‘if it's coming from the government, we're happy to trust it but we want to know that this is no kidding the most important stuff.’”
  • As Ransomware Attacks Increase, DHS Alerts to Cybersecurity Insights: Reported in Health IT Security, “According to the DHS Cybersecurity and Infrastructure Security Agency, the US is currently facing a ransomware outbreak that has ‘rapidly emerged as the most visible cybersecurity risk playing out across US networks, locking up private sector organizations and government agencies alike.’”
  • DHS Preps New CDM Cybersecurity Dashboard for a Fall Launch: According to FedTech Magazine, “After awarding a contract in May for an updated, governmentwide cybersecurity dashboard, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program plans to roll it out this fall, according to Kevin Cox, the CDM program manager. The goal of the new dashboard is to give agency IT leaders greater awareness of cybersecurity vulnerabilities and how their IT security compares to that of other agencies.”
  • Former Homeland Security secretaries call for action to address cybersecurity threats: According to The Hill, “Three former secretaries of the Department of Homeland Security (DHS) on Monday testified that cybersecurity threats to elections and other critical infrastructure are major issues that could impact the security of the nation. Former DHS Secretaries Michael Chertoff, Janet Napolitano and Jeh Johnson all discussed the severity of cyber threats to the U.S. while testifying in New York City during a field hearing at the National September 11 Memorial Museum held by the Senate Homeland Security and Governmental Affairs Committee.”


Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • Politico summary of fall Congressional cybersecurity agenda: Last week, Politico provided a summary of Congress’s fall cybersecurity agenda. According to Politico, “After years of struggling to break free, legislation creating federal standards for purchasing internet of things devices (S. 736) advanced in the Senate Homeland Security Committee. The House Homeland Security Committee is in the formative stages of writing a ransomware bill, which might drop this month. Once more, there’s a movement afoot on data breach notifications to consumers, but other sessions of Congress are littered with the corpses of similar measures. […] The Trump administration, like others before it, has floated the idea of legislation that would give law enforcement and intelligence agencies a way to get into devices protected by encryption. A bill that would give companies a way to strike against their attackers (H.R. 3270) is back, too. But the idea remains controversial, including with the NSA. Elsewhere, legislation addressing energy threats, federal network protections, lawmaker cyber training, the cyber workforce, cyber grants to state and local governments, legal protections for cyber products, defenses for U.S. research against foreign espionage and cyber assistance for small business are some of the moving pieces.”
  • CEOs from Amazon, IBM, Salesforce and more ask Congress to pass a consumer data privacy law: According to CNBC, “CEOs of 51 companies from the Business Roundtable, including Amazon, IBM and Salesforce, signed a letter to U.S. congressional leaders [last] Tuesday urging them to create ‘a comprehensive consumer data privacy law.’ The executives, who span a range of industries, said a federal law is necessary to ensure ‘strong, consistent protections for American consumers’ and allow ‘American companies to continue to lead a globally competitive market.’ The letter was addressed to leaders of the House Energy and Commerce committees and the Senate Commerce, Science and Transportation committees, in addition to House and Senate leaders.”
  • Dem introduces bill to create federal cybersecurity apprenticeship program: According to The Hill, “Rep. Jacky Rosen (D-Nev.) [last] Thursday unveiled legislation to create a Department of Labor grant program for apprenticeships in cybersecurity. The bipartisan bill, known as the ‘Cyber Ready Workforce Act,’ would establish grants to help create, implement and expand registered apprenticeship programs for cybersecurity. Under the bill, the programs would be required to offer certain cybersecurity certifications and help connect participants with local businesses or other entities for apprenticeships in hopes to boost the number of qualified workers for federal cyber jobs.”
  • Who defends the Internet?: According to FCW, “In a Sept. 10 hearing, House Armed Services Committee Chair Jim Langevin (D-R.I.) warned that even as government agencies like the Departments of Homeland Security, Defense, Commerce and others have moved to establish clearly defined roles in the cyber policy ecosystem, no one entity is responsible for overseeing the underlying infrastructure that powers the World Wide Web. ‘I'm very worried that by carving out discrete lanes in the road, there are seams left unaddressed in the middle, and I'm concerned that internet architecture security is one of those seam issues,’ said Langevin.”


National Cyber Security News Update

Here, we’ve provided a roundup of cybersecurity news stories related to national security from last week.

  • North Korean hackers target U.S. entities amid stalled denuclearization talks: According to CyberScoop, “A hacking group with ties to North Korea has been targeting U.S. entities with malicious documents as it works to hide its tracks better, according to research from Maryland-based cybersecurity firm Prevailion. The group has started placing its malware in obscure file formats, namely Kodak FlashPix (FPX) files, to evade antivirus detection products, according to Danny Adamitis, Prevailion’s director of intelligence analysis. The FPX files are embedded in Microsoft Word documents that are sent to victims, which are then launched via macro commands.”
  • New Cyber Warning: ISIS Or Al-Qaeda Could Attack Using ‘Dirty Bomb’: According to Forbes, “[Lt.-Gen Vincent Stewart, former deputy chief of U.S. Cyber Command and director of the Pentagon’s Defense Intelligence Agency] has warned that if al-Qaeda or ISIS were able to purchase cyberattack capabilities or even services from such a group then swathes of critical infrastructure could be at risk. Russia and China have such capabilities, but play the balance between impact and implications—causing damage but stopping short of prompting devastating repercussions. Terror groups have no such constraints and often operate at the margins of their capabilities.”
  • U.S. Cyber Command releases 11 malware samples linked with North Korean government hackers: According to Cyware, “U.S. Cyber Command has shared 11 malware samples with VirusTotal, which are believed to be linked with North Korean government hacker groups. Most of these samples are tied to the notorious Lazarus Group which has been active since at least 2009.”


Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Third-Party Features Leave Websites More Vulnerable to Attack: Reported in Dark Reading, “[More] than 60% of the websites [of companies that participated in a survey conducted in Tala's ‘2019 State of the Web Report’] use dynamic JavaScript loaded by static JavaScript — a significant potential attack surface. And the websites analyzed used an average of 31 third-party features, apps, or services. The data collected by the websites is exposed to an average of 15.7 third-party domains, which the report points out are 15.7 opportunities for an attacker to attempt to steal data.”
  • Business Email Compromise Is a $26 Billion Scam Says the FBI: Reported in Bleeping Computer, “FBI's Internet Crime Complaint Center (IC3) says that Business Email Compromise (BEC) scams are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019. Also, between June 2016 and July 2019, IC3 received victim complaints regarding 166,349 domestic and international incidents, with a total exposed dollar loss of over $26 billion.”
  • GDPR Survey Finds Companies Still Not Prepared to Comply with Rules and Potential EU Data Breaches: According to a press release, “Nearly 50% of respondents experienced at least one personal data breach that was required to be reported under GDPR. One-quarter of respondents on average in all countries say their readiness and confidence to respond to a GDPR data breach is very low. [And only] 18% of organizations were highly confident in their ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of awareness.”
  • No Quick Fix for Security-Worker Shortfall: Reported in Dark Reading, “Eighty-seven percent of respondents maintain that the staffing levels at their organizations are adequate, while 78% of security professionals believe that companies have a gap in needed skills, not in the number of people performing security-related work.”
  • CFOs too busy to take on more despite expectations, survey finds: Reported in CFO Dive, “Almost 40% of CFOs say they're juggling too many tasks — 12 a day, on average — to worry about digitally transforming their operations or giving cybersecurity the attention it deserves, a survey released [last] Monday found.”
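The Tala figures quoted above (third-party features per site, third-party domains that receive page data, dynamic JavaScript injected by static JavaScript) are the kind of inventory a site owner can approximate from a page's own markup. The script below is an added example, not code from NTSC, Tala or Dark Reading: it parses a constructed sample page with the standard library, counts distinct third-party script origins, flags third-party scripts served without a Subresource Integrity attribute, and uses a simple regular-expression heuristic (an assumption, not a complete detector) to spot inline scripts that inject further scripts at runtime. The sample HTML, the vendor hostnames and the `first_party_domain` parameter are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): one first-party script with SRI,
# two third-party scripts without SRI, and an inline loader that injects
# another third-party script at runtime.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example.com/static/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://widgets.chat-vendor.example/loader.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://cdn.analytics-vendor.example/extra.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>
"""

# Heuristic for "dynamic JavaScript loaded by static JavaScript": an inline
# script that creates a <script> element or document.write()s one. Assumed
# pattern; a real audit would also observe the page in a browser.
DYNAMIC_LOADER = re.compile(
    r"createElement\(\s*['\"]script['\"]\s*\)|document\.write\(.*<script", re.I | re.S
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, has_integrity_attribute)
        self.inline = []  # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def audit_scripts(html, first_party_domain):
    """Return an inventory of script origins for one page's static markup."""
    parser = ScriptCollector()
    parser.feed(html)
    scripts, third_party = [], set()
    for src, has_sri in parser.external:
        host = urlparse(src).hostname or first_party_domain  # relative src is first-party
        is_third = host != first_party_domain and not host.endswith("." + first_party_domain)
        scripts.append({"src": src, "host": host, "third_party": is_third, "sri": has_sri})
        if is_third:
            third_party.add(host)
    dynamic_bodies = [b for b in parser.inline if DYNAMIC_LOADER.search(b)]
    dynamic_hosts = sorted(
        {urlparse(u).hostname for b in dynamic_bodies for u in URL_RE.findall(b)}
    )
    return {
        "scripts": scripts,
        "third_party_domains": sorted(third_party),
        "missing_sri": [s["src"] for s in scripts if s["third_party"] and not s["sri"]],
        "dynamic_loaders": len(dynamic_bodies),
        "dynamic_hosts": dynamic_hosts,
    }


if __name__ == "__main__":
    report = audit_scripts(SAMPLE_HTML, "example.com")
    print("third-party script domains:", report["third_party_domains"])
    print("third-party scripts without SRI:", report["missing_sri"])
    print("inline dynamic loaders:", report["dynamic_loaders"], "->", report["dynamic_hosts"])
```

Each distinct entry in `third_party_domains` is one more origin that receives the visitor's request and can execute in the page, which is the exposure the report counts; scripts listed under `missing_sri` are the ones whose content the site cannot pin, and `dynamic_hosts` shows origins that a static crawl of `<script src>` tags alone would never see.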