NTSC Technology Security Roundup

Weekly News Roundup: September 17, 2018

As US Cyber Command Grows, So Does Its Acquisition Strategy

Last year, US Cyber Command was elevated to a unified combatant command. This year, it continues to grow and evolve—and that growth includes its acquisition strategy. In a recent article on the Billington Cybersecurity Summit, FCW quoted Stephen Schanberger, command acquisition executive for U.S. Cyber Command. According to FCW, “Cyber Command has only had acquisition authority for two fiscal years, but Congress extended that authority through 2025 in the fiscal year 2019 National Defense Authorization Act. That advances the authority four years from the original sunset date of 2021. […] Schanberger seeks to more than triple Cyber Command's acquisition to $250 million to allow for multi-year contracts. Congressional scrutiny has been the main impediment to securing additional acquisition funds because the command needs to prove its contracting abilities, but Schanberger said increasing staff and getting things right will help.”

Internet Association Seeks to Head Off Flurry of State Data Privacy Laws

Just as states enacted 50 different data breach notification laws instead of Congress creating one national law, data privacy laws may head in the same direction. The California Consumer Privacy Act possibly sets a precedent for other states, and that’s what the Internet Association wants to avoid. According to SC Media, “The Internet Association, which represents more than 40 companies, including Facebook, Alphabet, Microsoft and Twitter, came out [last] Tuesday in favor [of] ‘an economy-wide, national approach to regulation that protects the privacy of all Americans’ rather than adhere to a bundle of individual state laws like the recently passed California Consumer Privacy Act. The group seeks ‘meaningful controls over how personal information they provide [is collected, used, and shared],’ and supports the rights of consumers to delete information…”

Committee Passes Data Security and Notification Requirement Bill

According to a press release, the House Financial Services Committee passed H.R. 6743, the Consumer Information Notification Requirement Act, last Thursday. The legislation, sponsored by Subcommittee on Financial Institutions and Consumer Credit Chairman Blaine Luetkemeyer (MO), will institute a new statutory requirement that all financial institutions notify consumers in the event of a breach involving their personal information. In an earlier press release, Rep. Luetkemeyer said, “My bill […] enhances the Gramm-Leach-Bliley Act, ensuring customers of financial firms are protected and informed in the event of a breach.”

Proposed Cyber Ready Workforce Act Will Help Fill Critical Cybersecurity Talent Shortages

Cybersecurity talent is hard to find. As the cybersecurity industry grows and jobs are created, there are not enough people to fill the necessary roles. Last Thursday, Rep. Jacky Rosen (D-Nev.) introduced the Cyber Ready Workforce Act that proposes to “establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity.” According to The Hill, “Under the bill, the programs would be required to offer certain cybersecurity certifications and help connect participants with local businesses or other entities for apprenticeships in hopes to boost the number of qualified workers for federal cyber jobs.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Analysis of half-a-billion emails reveals malware-less email attacks are on the rise: Reported in Help Net Security, “[The] majority of attacks blocked (90%) during analysis were malware-less, with phishing attacks alone making up 81% of the blocked malware-less emails, almost doubling from January to June 2018.”
  • DDoS attacks are experiencing a dramatic surge this year: Reported in Silicon Republic, “According to research from Corero Network Security, the frequency of these has risen by 40 percent year on year. While frequency has increased, the duration of the attacks decreased, with 77 percent lasting 10 minutes or less and 63 percent of those lasting five minutes or less.”
  • Barrage of Mobile Fraud Attacks Will Increase: Reported in SecurityWeek.com, “Fifty-eight percent of digital transactions now originate from mobile devices, and one-third of attacks are via mobile. It is worse in the U.S., which saw a 44% increase year on year compared to a 24% global increase (perhaps partly reflecting the predicted switch from card-present to online fraud following the introduction of EMV cards in the U.S.).”
  • Why higher education is one of the worst industries at handling cyberattacks: Reported in TechRepublic, “Nearly three-quarters of participants (73%) took three or more days to create and apply a patch after notification of an attack, said EfficientIP's 2018 Global DNS Threat Report […]. Additionally, the cost for DNS-based threats rose by 68% to $690,000 in the education sector in 2017.”
  • Phishing warning: One in every one hundred emails is now a hacking attempt: Reported in ZDNet, “Researchers at FireEye have examined over half-a-billion emails sent between January and June 2018 and found that one in 101 emails are classed as outright malicious, sent with the goal of compromising a user or network. When spam is discounted, only one third of emails are considered 'clean'.”
  • Threatlist: Email Attacks Surge, Targeting Execs: Reported in Threatpost, “Regular employees accounted for 60 percent of highly targeted malware and credential phishing attacks, according to the ‘Protecting People’ report from Proofpoint (analyzing customer attack data gathered April through June 2018). Executives only received 23.5 percent and 5.2 percent of targeted attacks, respectively. However, this [is] still ‘a disproportionately large share of attacks’ for upper management, given how few executives there are compared to the total workforce.”