Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TM

SUBSCRIBE FOR FREE
CYBERSECURITY NEWS BRIEFS
September 2019
Security Analysts Overwhelmed by Alerts
It’s well established that there’s a labor shortage in the field of cybersecurity. But a recent survey reported just how that is reducing the security of companies. And spoiler alert: It’s scary. The survey queried more than 50 professionals who work in the security operation center (SOC) at their companies, and they’re fielding a lot more security alerts than they were a year ago. Last year 45 percent said they were receiving 10 or more a day. This year 70 percent are. Perhaps you see this as a good sign—a sign that their companies are getting better at detecting problems. But what happens next offers no such comfort. Almost 40 percent said they spend no more than 10 or 15 minutes on each alert. Nearly 60 percent said that when they get too many alerts, they simply modify the equipment settings to reduce the volume. And 57 percent admitted that they tell their clients little to nothing about any of this. Read more from ​TechRepublic.
Delta Airlines, Sued for Data Breaches, Sues Its Vendor
Last year Delta Airlines suffered a data breach that left the data of hundreds of thousands of customers exposed. The company was then hit with a class action lawsuit. Now Delta has sued the company that it says was responsible for the breach. It was caused by the security vulnerabilities of a vendor that provided the airline with the ability to conduct live chats with its customers. The California vendor, called [24]7.ai, allegedly represented that it had strong security controls in place and was even GDPR compliant. But Delta learned of a host of vulnerabilities when it began its investigation, according to its complaint. And to make matters worse, it took the vendor five months after it discovered the breach to say something to Delta. And even then it did not, and still has not, formally reported the breach to Delta, which only heard about it through a LinkedIn communication one of its employees received, it said. Read more from DataBreaches and see the complaint at BloombergLaw.
Hack Our Fighter Jet. Please.
We’ve written about college courses called Hacking for Defense and Hacking for Diplomacy that encourage students to consider going to work for the government. But recently the military added a literal twist. In August, the U.S. Air Force sent officials to the DefCon cybersecurity conference in Las Vegas and asked seven carefully vetted white hat hackers to hack one of its F-15 fighter jets. They were even allowed to tamper with the plane’s hardware. By the end of the two-day experiment, the hackers had done quite a number on the plane. They’d found plenty of vulnerabilities and injected malware into the system.  And, for good measure, they prodded with pliers and screwdrivers and left wires dangling out of a big metal box. The Air Force pronounced itself more than pleased. It had realized it needed lots of help to identify problems. And things went so well this year that officials suggested they’re going to greatly expand the project next year. Read more from The Washington Post.
Huawei Exploring 6G Research in Canada
If at first you don’t succeed….  Actually, it’s not at all sure that Huawei will fail to secure a place for its equipment in 5G network development. But it has been a quite a battle. The United States government has tried mightily to prevent that from happening, citing the security risk the company represents. The administration, and others, fear that Huawei could be pressured some day by the Chinese government to provide it with backdoor access to infiltrate a network. It was in this context that we noted that Huawei already seems to be working on a Plan B. It has reportedly begun research in its R&D center in the suburbs of Ottawa. Despite the fact that 5G is only now in development and 6G probably won’t start ramping up until 2028. But they say that the early bird… Read more from TechRepublic.
August 2019
U.S. Mayors Resolve Not to Pay Ransoms
The recent spate of ransomware attacks on U.S. cities and municipalities has gotten a lot of attention. It has also provoked a group of mayors to take action—at least in the form of a resolution. It came at the end of the annual U.S. Conference of Mayors, which was held in Honolulu from June 28 through July 1. More than 250 mayors declared themselves “united against paying ransoms.” Read more from The Verge.
The Biggest Cybersecurity Incidents of the First Half of 2019
These aren’t all breaches and they’re not based on money lost or even necessarily on specific incidents. They’re based on size, impact and threat. A surveillance contractor for the U.S. Customs and Border Protection suffered a breach that exposed photos and license plates of about 100,000 travelers. Ransomware attacks keep growing and expanding into new industries. Industrial and manufacturing firms were particularly hard hit this year. Read more from Wired.
British Airways and Marriott Fined Under the GDPR
Large fines always get lots of attention. But these days there’s extraordinary interest in observing what results from violations of the EU’s General Data Protection Regulation (GDPR). Two fines were announced in July. British Airways will be socked for $230 million, and Marriott International will be hit up for $123 million. Both companies suffered large data breaches. Read more from The National Law Review.
Cybersecurity Breaches Cost Businesses $45 Billion
The number of data breaches reportedly dropped in 2018, but the cost to businesses still rose to a record $45 billion. The big ticket items were the cost of ransomware attacks, which rose by 60 percent last year, and the financial impact of business email compromise, which doubled. The mixed results left experts wondering whether there’s anything to celebrate. Read more from TechRepublic.
July 2019
Warner Blasts Administration on 5G Missteps
China has taken the lead on developing a next-generation 5G wireless network. And unless the United States government does a better job, there may be a large price to pay.
     That was the message that Sen. Mark Warner (D-Va.) delivered in a speech in June at the Council on Foreign Relations. Warner blamed both the Trump and Obama administrations for complacency.
     Unless the federal government ramps up its efforts and invests more resources in cybersecurity and technology research, Warner said, American companies may be more susceptible to Chinese spying, and China could also take the lead on the development of artificial intelligence and quantum computing.
     Warner also urged intelligence agencies to share more information about Chinese hacking with U.S. companies to help them protect themselves.
     Read more from The Washington Post.
Florida City Pays Big Ransom
We keep reading about cities that are hit with ransomware attacks, but then hold the line and refuse to pay. One could get the impression that no municipalities capitulate.
    But that would be wrong.
    In June, the city of Riviera Beach, Fla. (population 35,000) paid a $600,000 ransom to unlock its computer systems.
    The development highlights the surge of ransomware attacks, and the tricky calculations that go into deciding how to respond. The payment may sound quite large, but the cost of not paying is almost always much larger.
     This is not to say, however, that paying is necessarily smarter or more cost-effective.
     Read more from The Washington Post.
Baltimore’s Response to Ransomware
Hampered by Lack of Cooperation
There are lots of ways that cooperation can benefit victims of ransomware attacks. And failure to cooperate can just as often hamper them. A closer look at the recent attack on Baltimore suggests that there was a missed opportunity—and lessons from which other cities can learn.
     The issue came up during a Maryland Cybersecurity Council meeting in May, not long after the attack on Baltimore made headlines. Maryland’s chief information security officer said that the state’s IT department was ready and eager to help the city in the wake of the attack, but it was difficult to communicate with Baltimore’s team during the first week.
     It wasn’t due to crippled technology, the CISO explained. It was because they had never established a working relationship before the attack, and so there was a lack of trust.
     The result was that the city struggled to respond with a relatively small team and budget, and was not able to take advantage of the state’s enhanced resources in a timely fashion.
     Read more from Government Technology.
AI to Counter Phishing
Phishing attacks can be hard to counter. Training can be effective, but there are always new employees between trainings. And there are always others who somehow miss the boat. And research suggests that training is only effective if it’s repeated every few months.
     Sounds grim. But what if they can be defeated electronically? 
     Three cybersecurity startups are betting that they can. And each uses artificial intelligence to anticipate scams before they’re sprung. The gambit is that machine learning will allow the startups to stay ahead of the bad guys.
     There’s money that says the startups are on to something. All three have secured venture capital.
     Read more from Fortune.
June 2019
Cybersecurity Vendors Are Sharing Intel
Corporations have begun to share cyber threat information with each other, often with the encouragement of government agencies with which they also exchange intelligence. But there’s another important alliance of sometime-competitors that hasn’t gotten much publicity.
     Cybersecurity companies have formed a nonprofit of their own specifically to share information they can pool to help protect their clients. It’s called the Cyber Threat Alliance (CTA), and its members are some of the biggest companies in the industry. They include Cisco, Fortinet, McAfee, Palo Alto Networks and Symantec.
     It started as an informal agreement in 2014 among four companies in 2014. They wrote a white paper about their idea, which attracted lots of attention in the field, and in early 2017 they launched the nonprofit.
     As nation-states began to pose the largest threats, the companies realized that they were not going to be able to thwart them alone. Nor is the U.S. government likely to be able to do so without help, the CTA maintains. That’s why the alliance may prove crucial in the cybersecurity battles ahead.
     Read more from The Washington Post.
The Business Case for Cybersecurity
A consensus seems to be building that cybersecurity is not just a good practice and the right thing to do, but good for business. And that seems to be buttressed by all the new regulations like the EU’s General Data Protection Regulation and the California Consumer Privacy Act.
     But there’s one problem. How do you prove it?  How do you measure it?
     If one indication of cybersecurity is the absence of breaches or losses, is this the data we should be counting?
     It’s a particularly thorny topic for insurance companies, which depend on their actuarial tables.
     Read more in Business 2 Community.
The Trump Administration Indicts Alleged Chinese Hackers
It’s hard to remember all of the companies that have been hit by cyberattacks. But the health insurer Anthem still stands out. In 2015, a massive data breach compromised the personal information of 78 million patients.
     Last month two Chinese citizens were indicted by the U.S. Department of Justice, which alleged that they were part of a “sophisticated China-based hacking group.”
     The indictments are the fourth time that the Trump Administration has indicted Chinese nationals in the past 18 months. That is the most of any nation.
     While the accused hackers are unlikely to travel to the United States, and thus will almost certainly never face prosecution, the indictments were intended to send a message to the alleged hackers, and their government, that they are being held accountable.
     Read more from The Washington Post.
CISA Employees Asked to Work on the Border Crisis
The Cybersecurity and Infrastructure Security Agency (CISA) has a daunting job to do, given the vulnerability of the country’s infrastructure and the volume of cyberattacks. But now it has another problem: holding onto its employees.
     It’s difficult enough for federal agencies involved in technology to retain their top people, given the salaries they can often command if they leave for jobs in the private sector. And CISA has had to deal with that challenge. But now a new twist has come from within.
     In May, Acting Secretary Kevin McAleenan of the U.S. Department of Homeland Security asked CISA to send “volunteers” to help deal with the country’s border crisis. And the agency has begun to comply.
     CISA Director Christopher Krebs testified at a recent House hearing that 10 CISA employees had deployed to the border.
     Democrats on the House Homeland Security Committee were critical of the request. Committee Chairman Bennie Thompson (D-Miss.) told reporters that CISA already has 360 vacancies, and questioned the wisdom of creating more by deploying existing employees elsewhere.
     Read more from The Hill.
CISA Director Christopher Krebs
May 2019
The Cybersecurity Dance on the Hill
The challenges cybersecurity poses can give rise to strange scenarios. We depend on government agencies to encourage companies to secure their data, and to penalize them when they’re negligent. But we frequently learn that some government agencies are negligent themselves.  
     It was particularly troubling to learn that one of them is the U.S. Department of Health and Human Services, since health care data contains so much sensitive information. But an Office of Inspector General report seems to leave little doubt that HHS has serious deficiencies.
     The other part of the story is that we know that many of our aging politicians are far from knowledgeable about, and comfortable with, technology. But they are frequently the ones who must call to account entities with poor security.
     And so it was that in April, Senate Finance Committee Chairman Chuck Grassley (R-Iowa) sent a letter to HHS Secretary Alex Azar demanding that he provide information about the department’s cybersecurity policies, and asking him to explain the lapses.
     Read more from Health IT Security.
Chuck Grassley
IBM Study Reveals Widespread Cybersecurity Deficiencies
In April, IBM Security announced the results of a global study of cybersecurity preparedness, and the news was not encouraging. IBM hired the Ponemon Institute to conduct the research, and it found that 77 percent of the respondents do not have an incident response plan that is consistently applied across the company.
     That wasn’t all. More than half said they don’t test their plans regularly.
      “Failing to have a plan is a plan to fail,” said Ted Julian, VP of product management and co-founder of IBM Resilient.
     Read more from CISOMAG.
KKR’s Phishing Experiment
Private Equity giant KKR has been investing in cybersecurity companies for a while. And doing quite well. But in an April story in Fortune, there was an interesting revelation about its own vulnerability.
     In a Q&A that was part of the article, KKR Managing Director Vini Letteri was talking about the high percentage of breaches that result from human error.  Then he said this:

"I think I can share this; as part of our diligence, we worked with our [chief security officer] to actually launch a phishing attack on a subset of KKR employees. We think this place is full of high-integrity, intelligent people—and even then, over a third of the employees that we sent it out to went ahead and clicked on the malicious email. We brought that up in the investment committee meeting, and it became so obvious that if, in a place like this, people still need to go through that sort of training, then it’s got to be broadly applicable out in the marketplace."

Read more from Fortune.
Vini Letteri
The Big Problem with Cybersecurity Research
How do companies defend themselves against cyberattacks? And what seems to be most effective?
     Great research topics, right? But there’s a very big problem with cybersecurity research. Companies are not providing enough raw data to researchers. They claim they have concerns about privacy.
     And to make matters worse, researchers who do manage to get ahold of data rarely share it with other researchers when they’re done—which is not the norm, scientists say.
     The dearth of quality research may explain in part why the state of cybersecurity has shown few signs of improvement in recent years, and may be getting worse.
     Read more from The Washington Post.
MORE NEWS