The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- Public Sector
- A cessation of cooperation: Britain’s decision this week to move forward with Huawei for 5G capabilities has stirred controversy with the United States. From a U.S. perspective, many would agree that doing business with Huawei doesn’t automatically imply guilt by association, but it does raise security concerns and alters the lens through which the U.S. views its cooperative relationship with its long-time ally.
- Cyber skills sharing: The cyber skills shortage is a global problem, but the Federal Rotational Cyber Workforce Program Act of 2019, if passed, may significantly help federal agencies address some of the security challenges associated with the shortage. By allowing federal employees to rotate in and out of multiple federal organizations, individual employees can hone and improve their skills, while federal agencies can benefit from cross-agency cooperation.
- Strength in numbers: At the Future Security Forum in Washington, senior defense leaders highlighted partnerships and relationship building as critical facets to improve interoperability and cyber defense against adversaries.
- Defend, dissuade or deter? This article offers an interesting exploration of the U.S. stance on cyber deterrence tactics—from the realization that classic cold war deterrence (i.e., mutually assured destruction) might not be an effective tactic, to the recognition of non-cyber methods (i.e. indictments and sanctions) as more effective deterrence tactics when employed over the long-term.
- A risky investment: Cyber insurance has been a topic of heated debate recently, with many companies and individuals asking if cyber insurance should be a line item in their security budget. Underwriters are frustrated by the mainstream media suggestions that anyone looking to buy coverage should be cautious. It’s a new concept and most of the policies simply lack the maturity needed to be effective; that immaturity, coupled with numerous exclusion and exception clauses has made many companies across various industries reluctant to purchase a policy. When an attack happens and it’s not covered, insurance suddenly becomes just as much of a risk as the risks it’s supposed to cover.
- Retail competition and customer-centric climate overshadow cybersecurity: This article explains the unique security challenges the retail industry faces, and highlights the recognition and reward of employees—a positive reinforcement model—when they take appropriate cyber actions.
- Healthcare needs hygiene: There’s a tremendous amount of effort within the healthcare industry to ensure patient safety. However, as this article points out, the explosion of connected medical devices poses a significant risk. A device designed to save a life, if compromised, could also be used to take one.
- Which industry is really the worst? Healthcare is commonly cited as the industry hardest hit by cyberattacks, but according to this latest research, there are actually a few other industries that rank poorer than healthcare when it comes to cybersecurity. Interestingly, the industry rankings vary by region.
- How much is 516 GB of financial data worth? Hackers were originally requesting $1 million, but when the ransom wasn’t paid, the 51,000 files were posted for free. This type of public extortion is incredibly difficult for victims. In traditional ransomware schemes, a backup of the data is all that’s really needed to avoid paying the ransom and losing the data, but with extortion, a backup can’t prevent hackers from publishing the data they steal. This particular case is even more difficult because the data isn’t just the company’s data, it’s also client data. Taking into account potential lawsuits and reputational damages, the original ransom might have been the cheaper option.
- Greater spend doesn’t always mean better security: Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC) performed a study that highlighted how much banks and other investment firms spend on security. Of note, some of the larger financial institutions have tripled cyber defense budgets in the last three to four years, and they’re spending as much $3,000 per employee to defend their networks. Despite the big spend, financial institutions remain a top target for bad actors.
- Prudence over panic: The recent disruptions to power grid operations in California shed light on the growing challenge that Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) operators face—identifying the source of disruption and knowing when to sound the cyber alarm bells. There isn’t always a hacker behind every cyber event. Sometimes, it’s just bad programming.
- Not-so-secure security cameras: New research warns that two factor authentication and encryption are rarely built-in to many Internet of Things (IoT) devices such as security cameras and baby monitors. Research indicates that iLnkP2P is a brand new vector not currently exploited in the wild, but it’s only a matter of time.
- The cyber capability gap: Small cities often lack the funds necessary to adequately defend against cyberattacks. Consequently, there might only be a single person in charge of security—and they’re also responsible for IT. And, that person’s role as the cyber and IT expert only comprises a third of their total responsibilities.
- Get your cyber exercise: Designed by the National Cyber Security Centre (NCSC), a new free online tool is aimed at helping small businesses and local government authorities test their cyber defenses and improve their cyber resilience.
- Terrible is an understatement: A number of this week’s events are covered in this story, but Facebook’s attempt at email verification is the headliner. User passwords aren’t just stored, they are stored in plain text. Users should not only think twice when a service asks for a password, but should really evaluate how beneficial the service will be—are the benefits worth the risk?
- DevOps forgot SecOps: Docker, an opensource containerization and virtualization platform, recently announced that it had been hacked. The reported numbers are bad, but many agree the reach of the overall incident is much worse—recovery will likely be a difficult and lengthy process.
Operational Technology / Industrial Control Systems
State, Local & Education