Articles

Why local governments are a hot target for cyberattacks

Articles, Blog, News

Recent ransomware and other attacks underscore the value attackers see in the data stored in city and regional government systems. Here’s why they are vulnerable and what they can do to reduce the threat.

Despite what appears to be a recent spurt in municipal ransomware attacks, these infections are nothing new to the nation’s cities. The most high-profile municipal ransomware attack took place over a year ago in March 2018 when the city of Atlanta was crippled by SamSam ransomware. According to Wired magazine, the city of Atlanta ended up spending $2.6 million to respond to that attack, roughly 52 times the amount of the $50,000 or so in ransom demanded by the attackers.

Still, the recent spate of attacks raises the question: Are municipal ransomware infections on the rise? According to some municipal cybersecurity experts, cities have long been grappling with malware and ransomware attacks at the same rate as private sector organizations, but are just now becoming more public about it.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

FEMA contractor at center of privacy violation provides services to many other agencies

Corporate Lodging Consultants provides lodging services to many other government agencies. Is more sensitive personal information at risk?

Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA’s emergency lodging program. The contractor, who failed to flag for FEMA the data oversharing, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won’t be remediated until 2020.

That same contractor currently supplies, and has since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice and the Department of Veterans Affairs, among others. Based on an investigation, it’s unclear if any determination has been made by the agencies that rely on the contractor for emergency lodging services whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor. It’s further unclear the degree to which the identified cybersecurity vulnerabilities leave the contractor’s facilities exposed to external threats or whether the personal data of all the other agencies’ personnel are inadequately protected on the contractor’s vulnerable network.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Congress steers clear of industrial control systems cybersecurity

Industry resistance to regulation, complexity of securing ICS systems are roadblocks to passage of critical infrastructure cybersecurity legislation.

Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.

Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems, a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams and the rise of industrial supply chain issues that have grabbed headlines over the past few years.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New CISA director outlines top 5 priorities for protecting U.S. critical infrastructure

CISA’s Christopher Krebs has a two-year plan for his new cybersecurity agency, with China, supply chain and 5G as top priorities.

Last November, the former, somewhat awkwardly named National Protection and Programs Directorate (NPPD) was elevated within the U.S. Department of Homeland Security (DHS) to become the Cybersecurity and Infrastructure Security Agency (CISA) following enactment of the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is responsible for protecting the country’s critical infrastructure from physical and cyber threats, overseeing a host of cybersecurity-related activities. This includes operating the National Cybersecurity and Communications Integration Center (NCCIC), which provides round-the-clock situational awareness, analysis, incident response and cyber defense capabilities to the federal government, state, local, tribal and territorial governments, the private sector and international partners.

CISA made its first prominent mark as an independent agency during the 35-day government shutdown when, on January 22, it issued an unexpected, and to some a startling, emergency directive ordering admins at most government agencies to protect their domains against a wave of attacks on the domain name system (DNS) infrastructure. The directive was prompted by a number of DNS tampering efforts at multiple executive branch agencies. This malicious, complex and widespread campaign, dubbed DNSpionage by Cisco Talos, allowed suspected Iranian hackers to steal massive amounts of email passwords and other sensitive data from government offices and private sector entities.

Christopher Krebs serves as CISA’s first director. Krebs previously headed the NPPD as assistant secretary for infrastructure protection and joined DHS as a senior counselor to the secretary after working in the U.S. Government Affairs team as the director for cybersecurity at Microsoft.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

The cybersecurity legislation agenda: 5 areas to watch

The 116th Congress is only a few months old, but far-reaching cybersecurity bills to protect infrastructure and the supply chain, ensure election integrity, and build a security workforce are now being considered. Here’s the list.

New digital threats that could topple business, government, military and political institutions are moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.

A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus, flagged this stumbling block at the 2019 State of the Net conference in January by calling for consolidation in Congress over cybersecurity.

Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, Langevin said, “We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.” Langevin wants the House Homeland Security Committee to take the lead on all matters related to cybersecurity.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

EFF has an encryption plan for the entire internet

Spurred by government surveillance of data, the Electronic Frontier Foundation is making progress toward its goal of encrypting all internet traffic using technology and scorecards.

If there is one technology that best protects internet users from scammers, hackers and nation-state threat actors, it’s encryption. Fortunately, the web is currently undergoing a massive transformation from a non-secure HTTP format, the initial underlying protocol for all communications on the web, to HTTPS, which ensures communications between browsers and websites are secure via encryption.

Few organizations have done more to push encryption technologies onto the internet’s vast jumble of websites than the Electronic Frontier Foundation (EFF). “Ten years ago, there was basically no encryption on the web,” Dr. Jeremy Gillula, technical projects director at EFF, said during a talk at Shmoocon.

Internet surveillance spurs encryption efforts

In 2006, a surprise development pushed encryption higher up on EFF’s agenda. On January 26 of that year, former AT&T technician Mark Klein walked into EFF’s offices, unsolicited, with the astounding story of how the NSA built a secret spying room in AT&T’s San Francisco facility that gave it access to all internet traffic traveling through that facility, and probably more AT&T facilities.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Why one of America’s top experts is hopeful for better election security

Voting machines and elections in general are still vulnerable to hacking, says Matt Blaze, but adoption of risk-limiting audits and software independence gives opportunity for improvement.

In the aftermath of the 2016 presidential election, election security quickly became one of the hottest political and cybersecurity research topics. The growing unease that foreign and other adversaries might meddle in our digital voting infrastructure gave way to a growing chorus among some experts to disband digital voting technology altogether and revert to paper ballots.

Six top-tier information security experts issued an alarming report about what they had discovered when they took apart voting machines at DEF CON’s Voting Village last year. They found dozens of severe vulnerabilities in a range of voting equipment, including one in a device from top voting technology supplier Election Systems & Software that could allow an attacker to remotely hijack the system over a network and alter the vote count.

One of those experts, Georgetown University professor and noted cryptographer Matt Blaze, told attendees at this year’s annual Shmoocon conference that in the 20 years he has been studying election security, “it is the hardest security problem I’ve ever encountered.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

How Facebook’s privacy woes might change the rules of the road in 2019

Following a string of data privacy and protection missteps, Facebook faces potential backlash from legislators and consumers that could affect all companies that process consumer data.

The past year has been a nightmare for Facebook, breaking a decade-long streak of seemingly boundless growth that placed the internet giant at the center of social, political and commercial activities of billions of people around the globe. Facebook began its precipitous downhill turn in March when a whistleblower uncovered Facebook’s role in helping political consultancy Cambridge Analytica harvest and use the personal data of tens of millions of users without their permission.

The company was rocked by a scandal or controversy every month thereafter, not all of which were privacy related. Emerging from these scandals was a portrait of a company with a voracious appetite for monetizing users’ detailed data and sloppy management in protecting the privacy and security of that data. How the company and its regulators react to these events could have a lasting impact on how all companies manage and protect consumer data.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Finally, a meaningful congressional report on stemming cybersecurity attacks

The Cybersecurity Strategy Report offers solutions to six problem areas in an effort to improve IT’s ability to cope with today’s cyber threat landscape.

As a new Congress arrives next month, expect a whirlwind of activity on the cybersecurity and privacy fronts. From major data breaches to the growing consumer data privacy morass, the frenetic pace of Washington developments will heat up. Most of this activity will obscure the fundamentals of why we have never-ending breaches, personal data exposures and chronic digital insecurity. A just-issued report by the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations is, however, a refreshing departure from the usual political drama because it delves into this very question.

The Cybersecurity Strategy Report released on December 7 sidesteps the crises du jour by taking a bigger picture, practical and non-partisan view of what’s going wrong and how to fix things. It seeks to articulate how “traditional information technology (IT) strategies seem largely ineffective at stemming the growing tide of cybersecurity incidents.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Who is responsible for IoT security in healthcare?

NIST panel debates who should own IoT security: vendors or users. The issue is especially important when it comes to protecting medical devices.

The next big challenge in cybersecurity will undoubtedly be to secure the billion-plus (and growing) internet-of-things (IoT) devices around the globe, which exponentially expand the attack vector across the increasingly interconnected IT sector. Based on statistics from Symantec, attacks that leverage internet-connected cameras, appliances, cars, and medical devices to launch attacks or infiltrate networks soared by 600 percent from 2016 to 2017.

“It was a big year for cyberattacks,” Ken Durbin, senior strategist for global government affairs at Symantec, said, speaking on a panel at NIST’s Cybersecurity Risk Management Conference. Much of that panel’s discussion focused on who should own IoT security. The nature of IoT risk makes that a hard question to answer.

[This article appeared in CSO Online. To read the rest of the article please visit here.]