The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
Public Sector
- Big Losses, but they could have been bigger: According to the FBI’s Internet Crime Complaint Center (IC3), there were more than 350,000 reported complaints of Internet-related crimes and scams, resulting in $2.7 billion in losses—a drop in the bucket compared to the nearly $47 billion in inventory shrinkage costs reported by the retail industry last year. But IC3 figures reflect only reported incidents. Realistically, many believe that global cyber damages exceeded $600 billion in 2018 and are expected to exceed $6 trillion by 2021.
- Eleph-ant: There was a lot of talk about elephants and ants—big nations and smaller nation-states—at the International Cyber Engagement Conference in Washington. As evidenced in other headlines this week related to the U.S. stance on Huawei and other Chinese companies, the Trump administration is seeking alliances and partnerships with other nations not only to limit the reach of certain foreign companies, such as Huawei, but also to pursue collective acts of deterrence and international cyber norms.
- Thinking outside the gate: The National Guard is standing up a new team in a pilot program to protect critical infrastructure that serves military installations. The ‘Cyber Mission Assurance Team’ will focus on infrastructure vital to military installations and its related vulnerabilities, from power to water.
- Alone on the front lines: A recent report from the secretary of the Navy suggested that the U.S. is losing the global cyber-enabled information war and provided a call to action for public-private collaboration, highlighting that the private sector must often defend itself in isolation against cyber threats.
- Free credit monitoring for all: More than one-third of consumers have reported that their personal information has been exposed in a data breach. Although affected companies often offer free credit monitoring to consumers, this latest report found that less than 50 percent took advantage of the free service. Does that mean that the other half already have free credit monitoring from another breach, they are jaded by the onslaught of breaches, or they just don’t care?
- Cyber economics: This is gated but free content, and worth the read. The paper covers the cost of preventing perceived harm versus the cost of actual harm, consumer expectations with respect to cyber, regulation and self-regulation, among other topics, and offers an alternative perspective on the consumer Internet of Things (IoT).
- Human error behind the healthcare security problem: A new study highlights the prevalence of IoT devices, a general lack of segmentation, and reliance on legacy Windows as major reasons that attackers focus on healthcare targets. However, the study also highlights that human error and system misuse mark a departure from ransomware as the primary method of attack.
- EmCare patients beware: Physician staffing company EmCare this week acknowledged that hackers gained access to data on roughly 31,000 patients and 30,000 employees and contractors. The response in this case is classic and very similar to the responses of other similar organizations that have experienced a breach—committed to care, continuing the investigation, improving security measures, adding employee training, etc.—and highlights that, so often, security only becomes a priority when it becomes a problem.
- Sharing is caring: The CyberUK Conference took place this week, and the Head of British Government Communications Headquarters, Jeremy Fleming, highlighted a ‘national effort’ to boost UK security, highlighted the need for trust as a means to operate in cyberspace, and explained that GCHQ is going to start sharing intelligence with British banks in an effort to tackle fraud and cyberattacks.
- Six seconds to manipulation: This article highlights resilience methods—identifying, protecting, detecting, responding and recovering—as critical practices to ensure banks don’t succumb to common financial attacks.
- Should we be more concerned about gas prices or cyber risks? This article explains that the oil and gas sector has seen increasing cybersecurity risks in recent years and notes Distributed Denial of Service (DDoS) attacks and Operational Technology (OT) threats as primary security weaknesses.
- When will ‘connected’ equal ‘smart’? Smart cities and smart initiatives are on the rise, but it’s important to realize that the concept is still immature—and in reality, while there’s a growing number of connected cities, smart does not always equate to secure.
- Taking a bite out of crime: This article highlights how traditional crimes such as financial fraud, identity theft, narcotics trafficking, money laundering and child exploitation have simply migrated to cyberspace and explains that the Homeland Security Investigations (HSI) unit’s ability to rescue victims and arrest perpetrators is proportionate to its ability to bring traditional crimefighting methods to the cyber arena.
- County vote clickers beware: A county election was recently targeted, but it’s still unclear if the attack was politically targeted, or simply a target of opportunity.
- Injection is the root of all evil: But this OWASP application security motto has a different ring to it when we’re talking about injecting code into the data context of healthcare protocols like DICOM. Although the threat vector of hiding executable code inside images in order to trip up parsers isn’t new, it’s still a fresh idea that medical picture archiving and communication systems (PACS) may house malware in their data stores.
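As an added illustration of the defensive side of this story (example code written for this roundup, not taken from the article, from OWASP or from any PACS vendor): a DICOM Part 10 file begins with a 128-byte preamble that the standard leaves free-form, followed by the four-byte ‘DICM’ magic. That free-form preamble is exactly the kind of data context where a parser happily ignores foreign bytes. The checker below reads only the file header and flags a preamble that starts with a DOS ‘MZ’ stub whose e_lfanew field (offset 0x3C) points at a ‘PE\0\0’ signature elsewhere in the file. The sample headers are constructed inline for the demonstration and are not real studies or real malware; the function and field names are this example’s own.

```python
"""Defensive DICOM preamble check (added example, not from the original post).

A DICOM Part 10 file = 128-byte free-form preamble + b"DICM" + file meta elements.
A conventional preamble is all zeros; one that carries a DOS/PE stub deserves
a closer look in a PACS data store.
"""
import struct
import sys

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def inspect_dicom_header(data: bytes) -> dict:
    """Classify the leading bytes of a candidate DICOM file.

    'verdict' is one of: 'not-dicom', 'clean-preamble', 'nonzero-preamble',
    'pe-in-preamble'. A nonzero preamble alone is NOT proof of malice (some
    producers store other headers there); the PE check is the strong signal.
    """
    findings = {
        "is_dicom": False,
        "preamble_all_zero": False,
        "mz_in_preamble": False,
        "pe_header_reachable": False,
        "verdict": "not-dicom",
    }
    if len(data) < PREAMBLE_LEN + len(DICOM_MAGIC):
        return findings
    preamble = data[:PREAMBLE_LEN]
    findings["is_dicom"] = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC
    if not findings["is_dicom"]:
        return findings
    findings["preamble_all_zero"] = preamble == bytes(PREAMBLE_LEN)
    findings["mz_in_preamble"] = preamble.startswith(MZ_SIGNATURE)
    if findings["mz_in_preamble"]:
        # In a PE image the DOS header stores the offset of the "PE\0\0"
        # signature as a little-endian uint32 at 0x3C (e_lfanew). In a
        # polyglot it points past the DICOM magic into the rest of the file.
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        findings["pe_header_reachable"] = data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
        findings["verdict"] = "pe-in-preamble"
    elif findings["preamble_all_zero"]:
        findings["verdict"] = "clean-preamble"
    else:
        findings["verdict"] = "nonzero-preamble"
    return findings


def build_samples() -> dict:
    """Constructed sample headers for the demo (not real files, not full DICOM).

    'body' is just the magic plus one Transfer Syntax UID element (0002,0010);
    enough for the header check, not a complete file meta information group.
    """
    body = DICOM_MAGIC + b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00"
    clean = bytes(PREAMBLE_LEN) + body
    # Polyglot-style header: DOS stub in the preamble, e_lfanew aimed at a
    # PE signature appended after the DICOM bytes.
    pe_offset = PREAMBLE_LEN + len(body)
    dos_stub = bytearray(PREAMBLE_LEN)
    dos_stub[:2] = MZ_SIGNATURE
    struct.pack_into("<I", dos_stub, 0x3C, pe_offset)
    polyglot = bytes(dos_stub) + body + PE_SIGNATURE + bytes(20)
    not_dicom = b"\x89PNG\r\n\x1a\n" + bytes(200)
    return {"clean": clean, "polyglot": polyglot, "not_dicom": not_dicom}


if __name__ == "__main__":
    # With no arguments, run the constructed samples; otherwise scan the
    # header of each file path given on the command line.
    if len(sys.argv) == 1:
        for name, blob in build_samples().items():
            print(f"{name:10s} -> {inspect_dicom_header(blob)['verdict']}")
    else:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                head = fh.read(PREAMBLE_LEN + 4096)
            print(f"{path} -> {inspect_dicom_header(head)['verdict']}")
```

Running the script with file paths reads only the first few kilobytes of each file, so it is cheap enough to sweep an archive; treat ‘pe-in-preamble’ as an alert, ‘nonzero-preamble’ as a triage item, and remember that this catches one specific hiding place, not every way of smuggling payloads through an image parser.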
- Backups are the scrimmage that prepares you for the game: Last Friday the Weather Channel went dark for about an hour as a result of a ransomware attack. The FBI is investigating, but thanks to ‘backup mechanisms’ the channel was able to restore service. Backups are only an exercise until they are used for a full system restoration.
- ‘Smart Watch’ not so smart: Ken Munro of Pen Test Partners highlighted a number of hackable ‘smart devices’ for parents and kids earlier this year at RSA. The discovery of these latest flaws highlights the immature and insecure state of many IoT devices.
Operational Technology / Industrial Control Systems
State, Local & Education