The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- The Fifth Domain: Former White House counterterrorism coordinator Richard Clarke and senior fellow at the Council on Foreign Relations, Robert Knake, have released “The Fifth Domain” in an effort to shed light upon the current cyber landscape, threats and malware and provide an overview of the current state of cyber affairs within the United States.
- Cyber security teams are in an arms race with hackers: UK businesses are racing to automate their defenses. Attackers are increasingly using automated threats to thwart defenses and gain network access, and as this article explains, network defenders often simply cannot keep up with the bad guys. This article explores several of the ways organizations can leverage automation and machine learning to find the signal in the noise and get human eyes on real attacks.
- Bureaucratic inertia to blame for cyber unpreparedness: Last month, national security adviser John Bolton publicly stated that the U.S. has stepped up its offensive cyber-assaults since last year. The message to America’s adversaries, he said, is “You will pay a price.” However, many cite bureaucratic inertia and a general failure to comprehend cumulative cyber damage as primary reasons why the U.S. is losing the current, albeit undeclared, cyber war.
- Cyber Lightning 2019—Lessons Learned: Cyberspace is not all that different from a physical wartime arena, in certain regards: situational awareness—knowing what’s happening real-time on the battlefield, and coordination—being able to provide what’s needed on the battlefield in a timely manner, are both critical to success.
- Privacy law sea change: Under the California Consumer Privacy Act (CCPA), which is set to begin January 1, 2020, personal information is defined as information that can be linked, directly or indirectly, with a particular consumer or household. And, that includes anything from browser history to products and services purchased—things that create inferences about the individual consumer. While it may take time for the impact of the CCPA to be felt, there may soon be a wave of potentially massive damage awards against insureds.
- Amazon Prime Day Phishing Scam: One of the biggest shopping events of the year, Prime Day 2019 ran from midnight July 15 to 11:59 PT July 16 this year; however, it’s also an opportunity for cyber criminals to steal sensitive consumer information. While this article warns of a Prime Day-specific phishing scam, safe online shopping practices shouldn’t be limited to the two-day event only.
- In last week’s roundup, we noted that certain anesthesia machines may be subject to compromise. This week, there’s another cyber problem healthcare delivery organizations (HDOs) are facing. The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said all versions of the Philips Holter 2010 Plus are affected. While this vulnerability has a relatively low severity, it’s important to remember the potential impact of multiple vulnerabilities when exploited simultaneously.
- Convenience ≠ security: Recent research has found that 70% of healthcare providers have deployed an online patent portal, with another 18% projected to deploy a portal in the near future. Yet, only 65% of those providers use multifactor authentication (MFA), considered by many as a first step to securing patient data.
- Was there a spike, or were cyber incidents just not disclosed before? While this apparent spike is startling, what’s really troubling is that there might not be a ‘true’ spike at all. Instead, the introduction of the EU’s General Data Protection Regulation (GDPR) simply requires that organizations now report cyber incidents. In other words, actual cyber activity may not have spiked at all—but we now have a better idea of just how much cyber activity went unreported.
- Veridian Credit Union v. Eddie Bauer LLC: Almost three years ago, Eddie Bauer LLC announced that its point of sale (PoS) systems at retail stores were affected by malware, which enabled unauthorized parties to access payment card information. Earlier this year, a settlement agreement was reached at $2.8 million for claims related to compromised cards, but the retailer denied all material allegations of the complaint. Now, it appears the ordeal has expanded to a class action settlement.
- Gain access, map the network, test, repeat: Following the brief power outage in New York over the weekend, there’s not much beyond speculation as to the root cause, although New York City Mayor Bill de Blasio has stated that the event was not a cyber attack or act of physical terrorism. The threat to the U.S. power grid, however, is real and is gaining traction in Congress, as this story details.
- Whoever controls infrastructure also controls society: The United States is often criticized in headline news for underinvesting in critical infrastructure cyber defenses, but this week, Australia is all under fire as being ‘largely unaware’ of cyber threats to its critical infrastructure. This article calls for government action to drive policy, regulation and discussion to secure operational technology (OT) as it increasingly converges with information technology (IT).
- Cyber Disruption Response Plans: Last week the National Governors Association (NGA) released a brief to examine state cyber disruption response plans. The brief is aligned with the DHS National Cyber Incident Response Plan and includes recommendations for state leaders as they create or revise their own response plans.
- NASCIO announces endorsement of State and Local Government Cybersecurity Act of 2019: The National Association of State Chief Information Officers (NASCIO) announced last week its endorsement of S. 1846, the State and Local Government Cybersecurity Act, which provides for additional federal grant opportunities to state, local and tribal governments to safeguard against cyber threats. The bill aims to grow state and federal cyber collaboration, partly on account of the increased volume of ransomware attacks.
- The strange case of Dr. Jekyll and Mr. Tekide: This is a story that will likely become a documentary or full feature film in the coming years—a young man who loves pets and hopes to become a veterinarian must fulfill devious and malicious cyber requests to repay his government. If the descriptions of this tale are true, this story is an example of how the financial gains of malicious cyber dabbling can push even the most well-intentioned, but financially strapped individuals to work for the dark side.
- What you see might not actually be what you get: While the headline might leave you with the impression that the vulnerability isn’t that serious—that someone could simply photoshop a photo; however, there’s potential for far more serious damages—altering map directions, changing invoice figures or altering other sensitive information that’s shared over the ‘secure’ messaging apps.
- It’s a different kind of Banner-Grabbing: Sixty-two universities were hit by a cyberattack following exploit of Ellucian “Banner” product security vulnerabilities. “More than 1,400 colleges and universities use Banner, according to the company’s website.” Apparently, hundreds or thousands of fake student records were created. But that leaves the conscientious hacker with a lingering question: did they get the financial aid they needed to get their diplomas?
- The 15th rule of WaterISAC is to participate in the ISAC: “The Water Information Sharing and Analysis Center (WaterISAC) recently released an updated cybersecurity fundamentals guide for water and wastewater utilities. The guide includes cybersecurity best practices, grouped into 15 categories.” Asset Inventory remains #1, while we can’t help but appreciate the solutions to #13: Secure the Supply Chain, and #14: Address All Smart Devices (IoT, IIoT, Mobile).
Operational Technology / Industrial Control Systems
State, Local & Education