Cyber Connections News Roundup: August 14

Get the latest cybersecurity news from leading companies, news outlets and blogs.

Cyber Connections News Roundup is a bi-weekly brief of online links to news stories and commentary of interest to the cybersecurity community, delivered on the second and fourth Tuesday of each month. Articles are selected for their newsworthiness, timeliness, potential impact, and reach.

August 14, 2018

This week in Las Vegas, some of the most talented cybersecurity minds have gathered to take part in two of the year’s biggest hacker conferences, Black Hat and Defcon.

The highlights of these conferences are often what can best be described as cyber magic tricks, where technicians show off their skills by proving how they can break into various devices, such as computers inside cars, voting machines and medical instruments.

News From Black Hat and Defcon: Recent Reports Offer Insights into Current Cyber Threat Vulnerabilities

Two of the largest hacker conferences on the calendar wrapped up in Las Vegas last week: Black Hat USA 2018 (August 4-8) and Defcon (August 9-12). Check out http://www.cnet.com for day-by-day highlights from both events, including news about election vulnerabilities, smart cities, cryptocurrencies, and Google’s current view on cybersecurity. Read more.

Meanwhile, as part of its report on the two cybersecurity events, http://www.crn.com asked 10 security executives and technical leaders attending Black Hat 2018 what election-related threats should be most worrisome to the government and general public. Read more.

Also reporting from Black Hat, Martin Giles, in an August 11 MIT Technology Review report, lays out the pros and cons of relying on machine learning and artificial intelligence to help guard against cyberattacks. Read more.

Is the Healthcare Industry More Vulnerable to Cyber Threats than Others?

According to a recent article on http://www.techcrunch.com, healthcare organizations on average spend only half as much on cybersecurity as other industries. Hospitals especially, with their massive amounts of personal records, are attracting an unusually high number of hackers. Read more.

TVA Invests in Cybersecurity Operations Center

Recognizing the increasingly high stakes of cyber threats on power grids and public utilities, the Tennessee Valley Authority (TVA), according to a recent report from The News Courier, has invested in state-of-the-art monitoring systems and equipment for a new cybersecurity operations center designed to combat the thousands of daily hacking attempts on the nation’s largest public power utility. Read more.

Are Employees an Organization’s Greatest Cybersecurity Risk?

As reported on http://www.holmesreport.com, a new Finn Partners study confirms what many organizations already suspect – employees are their biggest cybersecurity risk. The study, based on a survey of 500 US employees, found that breaches are largely due to the use of personal devices for work. The survey revealed, for example, that nearly two in five workers have clicked on a link or opened an attachment from a sender they did not recognize. Read more.

 

 

Cyber Connections News Roundup: July 24

July 24, 2018

What Is the Biggest Risk to Cybersecurity Today?

According to a new survey from DataSolutions, it’s human error. A recent article on http://www.siliconrepublic.com dives deeper into the survey results, explaining that companies must invest more money in educating employees against carelessness with respect to phishing attacks and other threats that could be avoided through increased awareness and training. Read more.

[Lack of] Cybersecurity Awareness in the C Suite

A recent http://www.securityboulevard.com report examines the disconnect between c-suite executives and cybersecurity. Specifically, the article cites a variety of surveys that establish a failure among business executives to understand that cybersecurity strategy starts at the top. For example, a recent CSO Online report found that “six out of 10 boards still see cyber risk as primarily an IT issue.” Read more.

These sentiments were echoed in a recent article on http://www.freightwaves.com where cybersecurity in the trucking industry has emerged as a major issue for carriers. However, it is largely overlooked at the executive level and, when addressed, is only dealt with from a defensive posture. Read more.

Who Is Responsible for Cybersecurity? The CTO or the CISO?

In a recent http://www.informationage.com article, Nick Ismael agrees that today’s boards have historically overlooked cybersecurity, instead leaving the issue to the experts within the organization. Now, however, many boards are finally taking on the issue, but struggling to decide who has ultimate responsibility – the Chief Technology Officer (CTO) or the Chief Information Security Officer (CISO). Read more.

US Army Commissions First Civilian Cyber Officers

James Gusman and Timothy Hennessy have become the first civilians commissioned as officers in US Army Cyber. As reported on http://www.wjbf.com, their commission is the result of the US Army Cyber Direct Commissioning Program’s initiative to begin commissioning civilians as cyber operations officers, something that had only happened in the medical and legal fields as well as seminary. The pilot program kicked off in October 2017. Read more.

AT&T Acquires Start-up AlienVault to Boost Cybersecurity Offerings for Businesses

AT&T announced that it would acquire AlienVault, a cybersecurity start-up based in San Mateo, California. AlienVault offers tools that detect and respond to threats through its Unified Security Management platform as well as its online platform called Open Threat Exchange. As reported on http://www.fortune.com, the acquisition will serve to strengthen AT&T’s security portfolio for small- and medium-sized businesses. Read more.

 

The NIST Framework and its Implications on Cybersecurity and the Internet of Things

Felix Uribe, University of Maryland University College (UMUC) adjunct associate professor of Cybersecurity Management and Policy, provides an overview of NIST and its implications on cybersecurity and IoT at a recent Dominican Republic cyber event.

At the II Digital Forensic and Cybersecurity Conference, held at the Ocean Blue and Sand Resort in Punta Cana, Dominican Republic from May 17-20, 2018, Uribe joined an international roster of speakers from Spain, Colombia, Chile, Mexico and the United States to discuss a host of topics related to digital forensics, cybersecurity and cybercrime, as well as the Dominican Republic’s “digital government” initiative and its cybersecurity and privacy challenges and solutions.

For his part, Uribe presented an overview of the NIST Risk Management Framework (RMF) and the NIST Cybersecurity Framework and its implications on the Internet of Things (IoT). He kicked off his talk with a brief history of NIST and an explanation of what it is.

Established in 1901 as the National Bureau of Standards, the National Institute of Standards and Technology (NIST), as the agency has been known since 1988, is a measurement standards laboratory that is a non-regulatory agency of the US Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations, from nanoscale devices to earthquake-resistant skyscrapers and global communication networks.

The Computer Security Resource Center (CSRC) provides access to NIST’s cybersecurity and information security related projects, one of which is the Risk Management Framework (RMF), six steps (Categorize, Select, Implement, Assess, Authorize and Monitor) to ensure that organizations integrate security, privacy and risk management activities into the system development life cycle.

NIST developed the RMF to provide a more flexible, dynamic approach for effective management of information system-related security and privacy risk in highly diverse environments and throughout the system development life cycle.

In short, the RMF addresses risk management by:

  • Building security and privacy capabilities into information systems throughout the System Development Life Cycle.
  • Maintaining awareness of the security and privacy posture of information systems on an ongoing basis through continuous monitoring processes.
  • Providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of systems.

The voluntary NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework’s goal is to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

Cybersecurity and Privacy Challenges in the Internet of Things (IoT)

Uribe also discussed IoT cybersecurity and privacy challenges. He defines IoT as the network of devices (things) capable of interacting with other devices and/or living things via the Internet or through a private local or global network not connected to the Internet. He explained that the components of an IoT device can be microcontrollers, sensors, actuators, memory, storage, and other components that are embedded in or connected to the device and that form part of its operation.

IoT projections suggest that by the year 2020 the number of connected devices worldwide will reach approximately 20 billion (The Gartner Group 2017, retrieved from https://www.gartner.com/newsroom/id/3598917). As such, the number of IoT devices compromised by cybercriminals is also expected to intensify. Both the NIST RMF and the Cybersecurity Framework strive to provide organizations with security and privacy safeguards to protect information and information systems and the future of complex interconnected IoT environments.

NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, was developed to address the selection of security controls (the “Select” step in the RMF). It provides guidelines for selecting the security controls for organizations and information systems.

The latest version of SP 800-37 (Revision 5) provides a comprehensive set of safeguards regarding Internet of Things (IoT) devices. As stated by NIST, “privacy is now fully integrated throughout the new draft. For example, one privacy control addresses the data captured by sensors such as those used in traffic-monitoring cameras in smart cities. The control advises configuring such sensors in a way that minimizes their capturing data about individuals that’s not necessary for the traffic-monitoring system to carry out its function.” In addition, “…an IT system may employ cameras. Security experts determine security controls for the camera sensor, while privacy professionals decide on privacy controls such as a control to preserve a passerby’s privacy.”

The exponential growth of IoT devices and their everyday applications calls for the use of the NIST RMF and the Cybersecurity Framework in order to address today’s security and privacy concerns affecting the trustworthiness of the world’s current IoT domain. IoT device manufacturers should take into account the security and privacy controls provided by the RMF when designing and manufacturing IoT devices and their components to ensure that security and privacy are implemented by design and do not come up as an afterthought during the IoT device development life cycle.

About the Author

Felix Uribe is an information technology (IT) security professional with extensive experience in the field of information security, cybersecurity, privacy, software development and teaching in the private and public sectors. He currently serves as an IT security analyst at the US Department of the Interior serving as associate privacy officer for the National Park Service. Prior to this, he served as an IT security auditor (Infosec) at the US Department of Justice Office of the Inspector General. As an academic, Uribe serves as adjunct associate professor at UMUC in the Cybersecurity Management and Policy program.

Uribe holds a Bachelor’s and Master’s degree in Computer Science from the Herbert H. Lehman College of the City University of New York.

Cyber Connections News Roundup: June 26

June 26, 2018

The Intersection of Cybersecurity and Domestic Abuse

Sadly, the latest pattern of behavior in domestic abuse cases, according to a recent New York Times report, involves smart home technology, whereby abusers are using apps on their smartphones to manipulate the Internet-connected locks, speakers, thermostats, lights and cameras that their victims use in their homes to harass, monitor and control. Read more.

SEC Outlines Changes After EDGAR Hack

The US Securities and Exchange Commission (SEC) is proposing reforms to its cybersecurity practices in light of the review of the 2016 breach of its EDGAR filing system. As reported on financial-planning.com, SEC Chairman Jay Clayton, in a testimony submitted to the House Financial Services Committee, outlined changes the commission is putting in place in response to the incident. Among other initiatives, Clayton has tasked a number of units within the commission to analyze the security gaps that had facilitated the breach. Read more.

Senate Wants Tougher Action on Russian Hacking

As reported by Derek Hawkins on washingtonpost.com, the massive defense policy bill the Senate approved on June 18 calls on Trump to curb Russian aggression in cyberspace, giving him the green light to direct the US Cyber Command to “disrupt, defeat and deter” cyber attacks by the Russian government, conduct surveillance on Kremlin-backed hackers and partner with social media organizations to crack down on disinformation campaigns such as the ones that disrupted the 2016 election. Read more.

China Cyber Group May Be Targeting US Satellites

According to a recent report on newsweek.com, a cyber-espionage group operating from computers inside China is currently targeting US satellite communications and defense sectors. As part of a wide-ranging operation, they may soon seek to disrupt critical systems, according to cybersecurity firm Symantec’s Security Response Attack Investigation Team. The hacking collective, codenamed “Thrip,” has been using powerful malware against targets in the U.S. and Southeast Asia. Read more.

Human Error Main Cause of Data Breaches According to New Report

According to a new report by information security company Shred-it, employee negligence is the main cause of data breaches. As reported recently on cnbc.com, the study found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization. More than 1,000 small business owners and C-suite executives in the US were surveyed online in April for the report. Read more.

Cyber Connections News Roundup: June 12

June 12, 2018

Has Brexit Put European Cybersecurity at Risk?

Sylvia Thompson of the Irish Times writes about the cybersecurity implications of Britain’s exit from the European Union. Britain, after all, historically has been the link between the intelligence network of the US, Canada, Australia and New Zealand and the European Union. So, the question remains: If Britain goes, does the link break? Read more.

New Study Outlines Recommendations for Preventing Identity Theft

The National Cybersecurity Society (NCSS), a national non-profit created to address small business cybersecurity, recently released a study that focuses on business identity theft, how it is perpetrated and how we can prevent it. Titled “Business Identity Theft in the US,” the study was funded through a grant provided by the Identity Theft Resource Center and the Department of Justice, Office for Victims of Crime. Read more.

New Ridge Institute to Focus on Global Resiliency Against Cyber Threats

The Washington Business Journal reports that Tom Ridge, the first secretary of the Department of Homeland Security, has launched the Ridge Global Cybersecurity Institute. The organization’s mission is to advise and educate business leaders on navigating cybersecurity threats. Read more.

States and Counties Ramp Up Security Prior to Key Elections

As we get closer to key election dates, state and county governments across the country are intensifying their efforts to mitigate cyber threats in light of Russian attempts to meddle with the 2016 presidential election.

As reported on wnyt.com, for example, officials in New York are conducting cybersecurity drills in an effort to determine how vulnerable their state’s election system is to hacking. The exercises will simulate scenarios in which a hostile group seeks to tamper with voting systems, change election tallies or otherwise undermine voter confidence. Read more.

Meanwhile, in Collier County, Florida, Trish Robertson of the elections staff reports on www.hellowfl.com that the county has been ramping up preparations to prevent threats for the past few weeks, notably by installing a security networking monitoring system called “Albert.” Read more.

[Cyber] Securing the 2018 World Cup

On www.securityintelligence.com, Camille Singleton writes that security at the 2018 World Cup must move beyond the physical, which normally includes increased local police, physical barriers and identification checks. The widespread use of digital devices and social media warrants enhanced awareness and preventative measures to protect fans, foreign dignitaries and celebrities from malicious actors. Read more.

Five Misconceptions About Cybercrime

Take a look inside the new book by cyber expert and University of Maryland University College (UMUC) adjunct professor Richard A. White, PhD.

Reading “Cybercrime: The Madness Behind the Methods” by Richard White, adjunct professor, cybersecurity information assurance at UMUC, is like going on a wild ride-along with a seasoned police officer.

The book exposes the true nature of cybercrimes and takes the reader into the psychology and motivations of the criminal. Through in-depth interviews with real-life hackers, cyber-bullies and a former FBI special agent, White delivers a holistic view of perpetrator and victim behaviors, and the steps we need to take to reduce the menace presented by hacking.

The bottom line is that cybercrime is not going away and many people beyond the intended victim are affected. Technology alone is neither the sole cause nor the solution.

To help better understand cybercrime, White offers these five common misconceptions:

  1. Cybercrime originates from disadvantaged or “third-world” countries.

Cybercrime is one of the most highly organized crime syndicates ever to exist. In reality, the majority of the world’s hacks originate in developed countries such as China, Russia, the U.S., Taiwan, Romania and Hungary. Many players fulfill many roles, each for a profit exacted from victims. Tools are sold and methods are discussed on the Internet. Often programmers sell their tools with a money-back guarantee. Money has no conscience and does not care who earns it or how it is earned. No matter the country of origin, cyber criminals will always put their top-earning talents to work.

  2. Cybercrime is victimless because it is nonviolent.

Cybercrime may be perceived as victimless because it fits into the category of white-collar crime. White-collar crime is not trivial or victimless, as most white-collar criminals would have you believe. A single cybercrime effort can result in multiple victims. The original victim may have something stolen, data held for ransom or their identity used to fleece other organizations. One event can leave a single person dealing with an issue for years, but that event can also impact a person’s family, friends and co-workers who must deal with the issue and, of course, the taxpayers often take a hit.

  3. Cybercrime is committed by highly skilled and computer savvy people.

People with only basic computer skills commit most cybercrime. These criminals use simple and proven methods, many of which have been around for a long time, and seek the easiest way into a computer system. The software and methods used are readily available on the Internet for free or at a minimum cost. Phishing attacks are an example of how easy it really is. Too many people, even if they are suspicious of an email, will open it to see what is inside and, worse yet, will click a link to see where it goes.

  4. Cybercrime requires a technically complex and sophisticated solution.

As noted earlier, actual cyberattacks are not technically complex and sophisticated. But the organized crime aspects of the criminal network itself are, by their very nature, complex and sophisticated because they are designed to avoid detection and prosecution while exploiting the fruits of the actual cybercrime. Think of cybercrime as akin to a business where the actual thief is just one of many along a seemingly traditional hierarchy. With the sky being the limit and very little risk required to start, many potential hackers experiment at entry-level just to test their moxie and give it a try.

  5. Victims of cybercrimes are usually made whole again.

The sad fact is that victims often spend years trying to resolve issues created by cybercrime and rarely see the return of stolen funds. The onus is on the victim to prove that they did not apply for that credit card or transfer funds from their accounts. Imagine discovering one day that your house has a second mortgage loan on it for tens of thousands of dollars that you did not take out? And now the bank is foreclosing on your property because you did not make your loan payments. Cybercrime creates real victims dealing with long-lasting issues. But cybercrime is not always about money. Consider the fear and psychological trauma associated with cyber-stalking and cyber bullying.

“Cybercrime: The Madness Behind the Methods,” published in late 2017, is available on Amazon.

Kick Off the New Year With a Comprehensive Cybersecurity Reading List

When you assemble your 2018 cybersecurity reading list, there may be no better place to start than with BookAuthority, a website based on thousands of recommendations made by hundreds of industry leaders. Hone your skills and increase your knowledge base by adding the following top entries from BookAuthority’s “100 Best Cyber Security Books of All Time” to your 2018 reading list.

“Blue Team Field Manual,” by Alan J. White, is a cybersecurity incident response guide aligning with the NIST Cybersecurity Framework consisting of the five core functions—identify, protect, detect, respond, and recover—by providing the steps to follow and commands to use when encountering a cybersecurity incident.

“Cyber Security Handbook: Protect Yourself Against Cyber Crime,” by W. Muse Greenwood, is an information resource to help business owners, leaders and team members develop policies and procedures.

“Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It,” by Marc Goodman, offers a journey into the digital underground to expose the ways in which criminals, corporations, and even countries are using new and emerging technologies.

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” by Kim Zetter, recounts the story behind the virus that sabotaged Iran’s nuclear efforts. Zetter’s book describes how a digital attack can have the same destructive capability as the most destructive bomb.

“The Plot to Hack America: How Putin’s Cyberspies and WikiLeaks Tried to Steal the 2016 Election,” by Malcolm Nance, is must reading for anyone concerned with the way in which cyber thieves hacked the Democratic National Committee and stole sensitive documents, emails, donor information, and voice mails with the singular goal of getting Donald Trump elected president.

Finally, you will want to add “Cybersecurity Leadership: Powering the Modern Organization,” by University of Maryland University College’s own Mansur Hasib, widely acclaimed as the definitive book on cybersecurity leadership and governance. It defines cybersecurity and expands upon its three key tenets—people, policy and technology.