Forescout Cyber Weekly Roundup March 29, 2019
The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- To lose something is to recognize its value: We noted earlier this year that NIST resources were unavailable during the last government shutdown. That sudden—and seemingly unnecessary—absence outraged many security researchers and cyber experts. Put simply, when the site went offline, forward progress halted and code broke. Moving forward, it sounds like the NIST Computer Security Resource Center (CSRC) is hoping to at least keep published content online in the event of another shutdown.
- Snip away the slowdowns: The Department of Homeland Security (DHS) is taking some admirable strides in a critical area of cyber defense—finding, hiring and retaining top talent. General Schedule restrictions, however, are but one of many speedbumps in the way of progress that Chris Krebs and the Cybersecurity and Infrastructure Security Agency (CISA) will have to remove.
- But does that work underwater and in space? The Intelligence, Information, Cyber, Electronic Warfare and Space battalion (I2CEWS) was activated this past January. Now, Army leadership is seeking multi-domain collaboration and coordination across the Army, Navy, Air Force and Marine Corps. And, the service men and women will have to be multi-talented too.
- Weapons of Deniability: At the Black Hat Asia keynote, Mikko Hypponen shed light on the state of the current cyber arms race, highlighting that technology has changed where wars are fought, and that in the race towards better cyber defenses and tools—where artificial intelligence and machine learning are often leveraged—caution and care have slipped down the list of priorities. “Digital weapons are poor in creating deterrence because nobody knows who has which tools…very few weapons have deniability…[but] cyber weapons have that.”
- Like Consumer Reports, but for cyber: The full details of how cybersecurity products will be scored haven’t yet been released, but one can’t help but wonder about the type of ranking algorithm an insurance company might produce. What’s important to remember is that most often, organizations have unique security needs based on their size, infrastructure, network complexity, and business mission. Even a top-ranking product might not meet their needs.
- Office Depot’s PC Health Check turns out to be more like a blank check: In this latest fear, uncertainty, and doubt (FUD)-based scandal, Office Depot and Support.com were accused of tricking customers into buying unneeded tech support services, ultimately resulting in $25 million and $10 million fines respectively.
- Nine bad clicks, 350,000 patients, 2 million emails: This latest headline has different numbers and different impacted parties, but sadly, it’s really the same story that’s reported every week, sometimes daily. Despite the prevalence of information on phishing attacks, employees and end users repeatedly fall victim to targeted phishing emails. If an email asks you to confirm personal information, the sender address looks suspicious or includes misspellings, the email includes a questionable attachment you weren’t expecting, or the message contains a sense of urgency designed to create panic or rapid action, there’s a high probability that email is part of a targeted phishing campaign.
- Does $75M equate to cyber progress? This article highlights the scope and size of the attack, as well as the length of time it took for patients to be notified. Many of today’s breach stories highlight the impact, and some include examples of how security is getting better: fines drive improved, more secure processes and accountability. But are cyber settlement agreements really driving improvements in the adoption of cybersecurity best practices?
- Lessons Learned: “We should not look back unless it is to derive useful lessons from past errors, and for the purpose of profiting by dearly bought experience.” ― George Washington
This article offers a look back on financial attacks from the 1990s to present day and suggests that trusted engagement and collaboration, simplified security and disruptive deterrence methods are critical to thwarting future cyberattacks on financial institutions.
- Hack your debt away, literally: A recent GAO audit of the U.S. Treasury found that the systems used to track debt in the U.S. are vulnerable to cyberattack. It’s not clear what exactly might become compromised, but unauthorized access and imagination are typically a dangerous cocktail. What’s most disturbing about the audit’s findings is the fact that some of the deficiencies, although previously identified, still remain unresolved.
- 50% of Industrial Control Systems show evidence of attempted malicious activity: This article highlights the threats to ICS and the specific methods of attack. Interestingly, a portion of the Internet-based attacks do not target ICS specifically, but gain access simply on account of public exposure, unsecured ports and services, and generally poor security practices.
- Skyfall Part II: Drones typically make headlines due to controversy over how they can legally be used—from worry that Chinese-manufactured drones conduct aerial surveillance to debates over cluttered air space and no-fly zones. More recently, however, drones are under scrutiny as another vector of attack for malicious actors.
- Cyber Reservists? Following Michigan and Wisconsin, Ohio is now forming a cyber national guard. Reservists would be unpaid during training, but paid when called into action. This proactive approach appears to be backed by a cost-benefit analysis, with a $3,000 per day deployment cost significantly lower than the $4 million average cost of a data breach.
- What do you want to be when you grow up? Cyber-related jobs have increased more than 75% since 2010, resulting in a worldwide cyber skills shortage. Indiana, as this article shows, is but one of many states promoting cyber education. At best, the U.S. will gain a cyber workforce influx, and at worst, today’s youth will be more cyber-aware.
- Saudi Arabia and United States top APT33 targets: APT33 targets government, research, chemical, engineering, manufacturing, consulting, finance and telecommunications in the Middle East and other parts of the world.
- London—bring your cyber risk umbrella: Data breaches more common than rain in the UK: “it may come as a surprise to find that in the UK the chance of experiencing a data breach is higher than that of encountering a rainy day.”
- Who wouldn’t want to hack a megabot? With a giant grapple arm and a five-foot, 50 horsepower trencher chainsaw on the left arm, megabots are no longer limited to science fiction. Time will tell if all the heavy armor and fancy weaponry grants them resistance to cyberattack.