Articles

Leader of new NSA Cybersecurity Directorate outlines threats, objectives

Articles, Blog, News

Director Anne Neuberger says her group will focus on ransomware, threats to US elections, and nation-state influence operations.

Ransomware, Russia, China, Iran and North Korea are the top cybersecurity threats that will be the focus of a new division within the National Security Agency (NSA), the Cybersecurity Directorate, which is set to be operational on October 1, according to NSA director of cybersecurity Anne Neuberger. She was tapped in July by Director General Paul Nakasone to head the group. The Directorate aims to bring the agency’s foreign intelligence and cyber operations together and “operationalize [its] threat intelligence, vulnerability assessments and cyber defense expertise,” the agency announced when launching the new division.

“NSA really had to up its game,” Neuberger said in a fireside chat with Niloofar Razi Howe, cybersecurity venture investor and executive, at the Billington Cybersecurity Summit in Washington on September 4. “And that’s what drove this desire to stand up a directorate and frankly to set a pretty aggressive mission, which is to prevent and eradicate cyber actors from national security systems and critical infrastructure with a focus on the defense industrial base.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Regional municipal ransomware attacks soar; MS-ISAC can help

Recent regional ransomware attacks underscore the importance of information sharing among municipalities.

More than 70 cities and towns have been hit with ransomware attacks so far this year, with state and local governments at all levels the intended victims of nearly two-thirds of all ransomware attacks, according to new analysis by the cybersecurity firm Barracuda Networks. These statistics include the recent sweep of attacks that struck 22 Texas towns and cities, which officials say was led by a single threat actor.

Barracuda’s researchers conducted a deeper dive on 55 ransomware attacks on state, county and local governments that have taken place this year and found that 38 were on local governments, 14 were on county governments, and three were on state governments. Nearly half of the government victims, around 45%, were small municipalities with populations of fewer than 50,000 residents, and 24% had fewer than 15,000 residents.

Two towns and one county government paid the ransoms. Lake City, Florida, paid around $500,000 (42 bitcoin), and Riviera Beach paid about $600,000 (65 bitcoin). In La Porte County, Indiana, officials paid $130,000 in ransom.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Capital One hack shows difficulty of defending against irrational cybercriminals

The malicious actor who stole data of more than 100 million people was driven by emotional distress and did not follow traditional hacker patterns.

Software engineer Paige Thompson was arrested in late July for an unprecedented hack into a cloud server containing the personal data of over 100 million people who had filed credit card applications with leading financial institution Capital One. Thompson, who at the time of her arrest ran a hosting company called Netcrave Communications, had held a series of engineering jobs, including a stint at Amazon Web Services (AWS) in 2015 and 2016, where she presumably gained the skills to exploit a vulnerability in an application firewall on Capital One’s AWS server.

Thompson’s ultimate theft of the 100 million customer records, 140,000 Social Security numbers and 80,000 linked bank details of Capital One customers was apparently only one of her many hacks. In a legal filing related to keeping her remanded into custody, federal prosecutors say she hit more than 30 other targets, including companies and educational institutions.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

 

U.S. Rep Lieu hopeful for election security bill prospects

Congressman sees Republican softening on gun legislation as a sign they might be willing to consider election security. Calls on the security community to expose election system weaknesses.

U.S. Representative Ted Lieu (D-CA) thinks that Senate Majority Leader Mitch McConnell’s weakening opposition to gun legislation bodes well for the prospects of passing an election security bill. Several election security measures have stalled in Congress since the 2016 presidential election because McConnell has refused to take them up on the Senate side.

“I know that public sentiment has shifted on the gun issue so that Mitch McConnell is now willing to consider background checks on guns and red flag laws,” Lieu tells CSO Online. “That wasn’t something he had been saying a few weeks ago. So, you never know when something can happen that will shift public sentiment in such a way that will force him to take up a vote for election security.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

11 new state privacy and security laws explained: Is your business ready?

States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. We break down what each of these laws entails.

While at the federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays, states have been moving ahead to push through an impressive number of important bills that help fill in the gaps. A search of the Legiscan database reveals that hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia.

The most comprehensive piece of state-level legislation across these often-intertwined categories that has been enacted over the past two years is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. Inspired by the EU’s groundbreaking General Privacy Data Protection Regulation (GDPR), the legislation aims to give the state’s consumers greater control over how businesses collect and use their personal data.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Equifax’s data breach disaster: Will it change executive attitudes toward security?

Equifax’s 2017 breach will cost it billions in fines, customer restitution and mandated and voluntary security improvements. All organizations that profit from consumer data should take notice.

Equifax announced on Monday that it has agreed to a record-breaking settlement related to its massive 2017 data breach, which exposed the personal and financial records of more than 148 million people. The settlement requires the beleaguered credit ratings agency to spend at least $1.38 billion to resolve consumer claims against it. It creates a non-reversionary fund of $380.5 million to pay benefits to the class of consumers harmed by the breach, including cash compensation, credit monitoring, and help with identity restoration.

The settlement also requires Equifax to spend another $125 million for cash compensation and potentially much more if the number of class members who sign up for credit monitoring exceeds 7 million. The company will further pay $175 million in fines to settle investigations by state attorneys general and $100 million to resolve probes by the Consumer Financial Protection Bureau and the Federal Trade Commission (FTC).

Finally, Equifax must also spend $1 billion over the next five years to improve its data security. That’s on top of the $1.25 billion in security and tech investments Equifax said it has made since the breach occurred.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

To pay or not pay a hacker’s ransomware demand? It comes down to cyber hygiene

A recent call for city leaders to stop paying ransomware demands underscores the need for municipalities to step up their cyber practices and have a good backup process in place.

Baltimore Mayor Jack Young announced last week that the U.S. Conference of Mayors (USCM) passed a resolution calling on mayors to oppose the payment of ransomware attackers. The resolution states that “at least 170 county, city or state government systems have experienced a ransomware attack since 2013,” with 22 of those occurring in 2019 so far.

One of those cities is Young’s own Baltimore, which was crippled by a Robbinhood ransomware attack on May 7, causing well more than a month’s worth of turmoil and city service outages that brought down real estate sales in the city and ultimately cost $18 million (and counting) in recovery costs and lost revenues. Baltimore applied for federal disaster funds, and the city’s IT chief publicly apologized for doing a “poor job” of communicating in the wake of the attack. Mayor Young and IT experts say it will still be months before Baltimore’s systems are fully functional.

Baltimore’s ransomware disaster could have theoretically been minimized if the city had paid the hacker’s initial ransom demand of what was then about $76,000 in bitcoin, less than 1% of the ultimate cost of the attack. At least two other cities recently hit by ransomware made their own calculations and decided to do just that.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

What is the CISA? How the new federal agency protects critical infrastructure from cyber threats

The U.S. Congress created the Cybersecurity and Infrastructure Security Agency to identify threats, share information and assist with incident response in defense of the nation’s critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) is a new federal agency, created to protect the nation’s critical infrastructure.

It was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, which was signed into law on November 16, 2018. That legislation “rebranded” the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency and transferred resources and responsibilities of NPPD to the newly created agency. Prior to the passage of the bill, NPPD managed almost all of DHS’s cybersecurity-related matters.

CISA is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. Its mission is to “build the national capacity to defend against cyber attacks” and to work “with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the .gov networks that support the essential operations of partner departments and agencies.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Telecom insiders detail hardships posed by Chinese technology ban

Banning Chinese telecom vendors Huawei and ZTE creates fear, uncertainty and doubt, as well as new supply chain security ideas, among small telcos.

Democratic Federal Communications Commission (FCC) Commissioner Geoffrey Starks hosted a workshop on June 27 entitled “Find It, Fix It, Fund It” to hear from “interested parties on how to address the national security threats posed by insecure equipment within our communications networks.” Although not explicitly stated in the Commission’s public notice or its press release, the issue addressed in the workshop is whether and how to remove technology from Chinese suppliers from the nation’s communications networks, given the recent executive order banning American companies from using any telecommunications equipment deemed to be a security risk.

That order was squarely aimed at China’s top telecom tech providers Huawei and ZTE as well as any other Chinese tech vendor whose products appear in the nation’s communications networks. The half-day workshop featured a range of speakers including academics, small telecom providers, rival telecom tech providers and small telecom trade association representatives. Almost all spoke about the uncertainty and fear the ban has created and the stark financial and opportunity costs it will impose.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Why the Huawei ban is bad for security

Many believe the ban on exporting U.S. technology to Chinese company Huawei could hurt American tech vendors and do little to mitigate supply chain threats.

Last week, Google reportedly warned the Trump Administration that its current ban on exports to Huawei might actually jeopardize national security by forcing Huawei to create an insecure fork of its Android operating system, according to the Financial Times.

That ban was imposed as part of a Commerce Department effort announced in mid-May, which placed the Chinese telecom and tech giant on a U.S. export blacklist, the “entity list,” for its purported efforts to spy on behalf of the Chinese government. Two other companies, the telecom giant ZTE and a memory chip maker, Fujian Jinhua Integrated Circuit, were also placed on the list, and the administration is now reportedly considering adding video surveillance company HikVision to it.

Two days before Google’s reported warning was made public, the Washington Post released the results of a survey of 100 cybersecurity experts from government, academia and the private sector who mostly concluded that the ban would only end up hurting U.S. tech companies and further diminish U.S. influence over the security of new products. One of the experts, former Facebook security chief Alex Stamos, now a Hoover Fellow at Stanford University, said that the ban could cause China to “emerge as the indispensable nation in consumer technology.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]