NTSC Technology Security Roundup

Weekly News Roundup: September 3, 2019

Congressional Cybersecurity News Update

Here, we’ve provided a roundup of Congressional cybersecurity news stories from last week.

  • At Central New York roundtable, Rep. John Katko compares cybersecurity threat to pre-9/11: According to auburnpub.com, “U.S. Rep. John Katko didn't equivocate when assessing the cybersecurity threats facing the country. ‘This is like pre-9/11,’ Katko, R-Camillus [New York], said during a cybersecurity roundtable [last] Friday at the Onondaga County Water Authority in Salina [New York]. ‘There is a lot of indicators that something really bad could happen if we let our guard down. We let our guard down before 9/11 and paid a dear price for it.’ Katko's roundtable featured […] Onondaga County Executive Ryan McMahon and Syracuse Mayor Ben Walsh, and representatives from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.” Rep. Katko has worked with the NTSC on H.R. 1975, the Cybersecurity Advisory Committee Authorization Act of 2019.
  • Senators Question NHTSA on Risks of Connected Vehicles: According to SecurityWeek.Com, “Two United States senators have sent a letter to the National Highway Traffic Safety Administration (NHTSA) to inquire about cyber-risks associated with connected vehicles. In their letter, Senator Edward J. Markey (D-Mass.) and Senator Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, also expressed concerns regarding the lack of publicly available information on the cyber-vulnerabilities associated with these automobiles. The letter also asks NHTSA to share details on actions it has taken regarding the cyber-flaws in Internet-connected cars, pointing out that these vehicles could be hacked and even controlled remotely and putting human lives at risk.”

Federal Cybersecurity News Roundup

In federal cybersecurity news last week…

  • NIST Wants Insight on Combatting Telehealth Cybersecurity Risks: According to NextGov, “The National Institute of Standards and Technology wants to hear from vendors who can deliver technical expertise and products that can help secure health organizations’ telehealth capabilities. According to a notice [published] in the Federal Register [last] Thursday, the agency wants vendors to provide insight and demonstrations to support the National Cybersecurity Center of Excellence’s health care sector-specific use case, ‘Securing Telehealth Remote Patient Monitoring Ecosystem.’”
  • DHS Asks for Feedback on Vulnerability Disclosure Program: According to NextGov, “The Homeland Security Department is seeking feedback on an enterprise-wide vulnerability disclosure program that will make it easier for the public to report weaknesses in the agency’s IT infrastructure. The program would allow the cybersecurity community to scour select Homeland Security systems for vulnerabilities and alert department officials to their findings without fear of punishment. The effort would bring the department up to speed with the Pentagon and General Services Administration’s tech office, which have both already established vulnerability disclosure policies.”
  • US cyberattack took out Iran's ability to target oil tankers: Reported in The Hill, “A cyberattack carried out by U.S. Cyber Command against Iran in June severely impacted a database used by Iran to target oil tankers, The New York Times reported [last] Wednesday. Government officials told The New York Times that the secret cyberattack temporarily hurt Iran’s ability to target shipping traffic in the Persian Gulf.”
  • The Pentagon Wants to Bolster DIU’s Cyber Defenses: According to NextGov, “The Pentagon is looking for vendors to conduct penetration testing and other security services to bolster the defenses of its startup outreach office. Department officials [last] Monday began seeking a contractor to provide cyber testing and training services for the Defense Innovation Unit, the now-permanent group charged with adapting Silicon Valley tech for the country’s national security apparatus. Under the contract, vendors would provide penetration testing, red teaming, cyber training and active defense services to plug security gaps in the unit’s networks.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • Cybersecurity analysts overworked, undertrained and buckling under volume of alerts: Reported in TechRepublic, “Digital security firm CriticalStart released a survey of more than 50 people working in cybersecurity across a variety of industries and found a number of alarming trends. Last year, just 45% of those who spoke to CriticalStart said they dealt with 10 or more security alerts each day. That figure has now jumped to 70% of those surveyed. To make matters a bit worse, a majority of security analysts now believed their job was not to analyze and address security threats but to reduce the amount of time spent on each alert or the volume of alerts.”
  • Business Losses to Cybercrime Data Breaches to Exceed $5 trillion by 2024: According to a press release, “A new report from Juniper Research found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%. This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.”
  • Survey suggests manufacturers believe medical devices' cybersecurity can improve: Reported in Medical Plastics News, “82% have experienced an IoT-focused cyberattack in the past year. Of the organizations hit by an attack, 30% report experiencing compromised end-user safety. A total of 98% of manufacturers in the healthcare sector and users of IoT devices state that the cybersecurity of the IoT devices they manufacture or use could be improved either to a great extent or to some extent.”
  • Stagnant Corporate Systems & Cybersecurity Plague Payments Professionals, Survey Reveals: Reported in PaymentsJournal, “‘According to TD Bank, 42% of respondents cited organizations’ struggles to improve legacy systems as the greatest challenge facing payments professionals. […] Treasury professionals named cybersecurity as their second greatest challenge this year, coming in at 30%, which is in line with 2018, when 32% reported this as a top obstacle. Few respondents expressed concerns about other challenges such as cross-border transactions (11%), potential for fintech regulations (7%) and data regulations like GDPR or PSD2 (6%).’”
  • AI Stats News: 69% Of IT Executives Say They Cannot Respond To Cybersecurity Threats Without AI: Reported in Forbes, “69% of organizations acknowledge that they will not be able to respond to critical cybersecurity threats without AI; 64% said it lowers the cost of detecting breaches and responding to them—by an average of 12%; 74% said it enables a faster response time: reducing time taken to detect threats, remedy breaches and implement patches by 12%; 69% also said AI improves the accuracy of detecting breaches, and 60% said it increases the efficiency of cybersecurity analysts, reducing the time they spend analyzing false positives and improving productivity; 73% are testing use cases for AI in cybersecurity.”
  • Tech Skills Gap Cited as Major Cybersecurity Concern by Employers: Reported in Security Sales & Integration, “Malicious insiders (30%) and employee error (25%) pose the greatest cybersecurity threats in the workplace, according to a nationwide survey of employers released by Canon.”
  • The Importance Of Training: Cybersecurity Awareness As A Firewall: Reported in Forbes, “A recent Forbes Insights survey of over 200 CISOs found that talent and training constraints have a significant impact on security organizations. Even more, the results showed that those organizations with a siloed approach to security experience a greater negative impact than those with a strong, enterprise-wide strategic approach.”
  • One-Third of Security Vulnerabilities Remain Unpatched: Reported in The National Law Review, “Although the number of security vulnerabilities reported in the first half of 2019 has reportedly dropped a bit from last year, a new report by Risk Based Security states that 34 percent of the 11,092 vulnerabilities identified have not been patched to date.”
  • New Android Fraud Warning: 1.5M Users Forced To Click Ads: Reported in Forbes, “[As] many as 1.5 million Android users are having ads clicked for them in what appears to be shady practices by apps hosted on Google Play.”
  • Hackers Report First Security Vulnerability to 77% of Customers Within 24 Hours, HackerOne Report Reveals: According to a press release, “When a new bug bounty program is launched, in 77% of the cases, hackers report the first valid vulnerability within 24 hours. Twenty-five percent of valid vulnerabilities found are classified as being of high or critical severity. Every five minutes, a hacker reports a vulnerability through a bug bounty or vulnerability disclosure program.”
  • First half of 2019 belonged to WannaCry and five other ransomware variants: Reported in Cyware Hacker News, “The infamous WannaCry ransomware, which created massive havoc worldwide in 2017, remained the most active malware in the first half of 2019. The ransomware detection stood at somewhere between 40,000 and 45,000 incidents during the first six months of the year.”
  • McAfee Report Uncovers Ransomware Resurgence: According to a press release, “The most active ransomware families of the quarter appeared to be Dharma (also known as Crysis), GandCrab and Ryuk. Other notable ransomware families of the quarter include Anatova, which was exposed by McAfee Advanced Threat Research before it had the opportunity to spread broadly, and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants. Overall, new ransomware samples increased 118%.”
  • Research: Hacktivism activity and chatter has markedly dropped since 2016: Reported in SC Media, “After peaking in 2016, the number of active hacktivist groups have since dipped precipitously, as has overall online chatter regarding hacktivism, according to a new report from researchers at Recorded Future. Furthermore, the researchers found a marked reduction in the frequency of large-scale international hacktivism campaigns.”