Survey Report: 2018 Cybersecurity Report Card

See the results of the DomainTools second annual Cybersecurity Report Card Survey. More than 500 security professionals from companies ranging in size, industry and geography were surveyed about their security posture and asked to grade the overall health of their programs. Their responses shed light on how cybersecurity practices are evolving, and what the most successful organizations are doing to ensure they stay ahead of the ever-growing and changing threat landscape.

The week that was.

Magecart infestations.

Magecart has hit the Philippines' media conglomerate ABS-CBN. The criminal group behind this operation—there's a loose assembly of gangs using Magecart—is exfiltrating data to their servers in Russia. Magecart attacks, which have recently infested Ticketmaster and British Airways, are generally thought criminal capers as opposed to state intelligence operations (ZDNet). The attack on California-based retailer Newegg was also attributed to Magecart. In this case the criminals registered a similar domain, "neweggstats" that redirected to a site established to receive card data. Simultaneously the criminals installed skimming malware on the retailer's e-commerce checkout site (ZDNet). Experts expect the problem to continue until better e-commerce safeguards are in place (Help Net Security).

Find out what solutions are emerging, peaking and working for cyber risk managers.

In this recently-released report, Gartner Research analysts apply their “hype cycle” framework to describe the related services, software platforms, applications, methods and tools that organizations can use to develop programs to withstand risk events or take advantage of risk-related opportunities. Read the Gartner report, “Hype Cycle for Risk Management, 2018” courtesy of Coalfire.

OilRig evolves, and stays active.

Various Gulf states are taking seriously FireEye's warnings about an increase in Iranian government hacking by the APT33 threat group. Much of the recent activity has been associated with the actors involved with the OilRig attacks (Khaleej Times).

Who’s Using a Cloud Browser? You might be surprised...

More than 75 government agencies, tier 1 investment banks leading entertainment networks, leading law firms, and nationwide retail banks. Learn more!

Strategy for deterrence.

The US has released its national cyber strategy. It stresses deterrence, and domestically it's been generally well-received, with favorable comment by veterans of the previous Administration: observers see both continuity and evolution toward a clearer, more active policy in cyberspace. The cyber strategy aligns with the four "pillars" of the larger national strategy: "Protect the American People, the Homeland, and the American Way of Life;" " Promote American Prosperity;" " Preserve Peace through Strength;" and "Advance American Influence." Each pillar is explained in terms of specific measures. Prominently among them are a commitment to developing international norms in cyberspace, the development of effective deterrence and ability to impose costs on adversaries, and determination to counter hostile information operations. Russia, China, Iran, and North Korea are called out as nation-state adversaries. The strategy commits to core American values: "individual liberty, free expression, free markets, and privacy" (The White House).

Is your company passionate about empowering women to succeed in the cyber security industry?

The CyberWire’s 5th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.

Novichok hacking and disinformational overreach.

There's a useful quick overview of Russian information operations in the current issue of Signal. The authors summarize them as falling into four categories: "dismiss, distort, dismay and distract."

Swiss authorities summoned the Russian ambassador and asked for an explanation of apparent attempts to hack Spiez Laboratory, a research facility that was doing some investigation into the Salisbury Novichok attacks on behalf of the Organization for the Prohibition of Chemical Weapons (AP). The Washington Post looks at how RT's spinning of the Salisbury chemical attacks as a laughable anti-Russian provocation played out over the past weekend, and the Post concludes that Moscow's information operators may have overplayed their hand by putting the two accused GRU hoods on television to tell their side of the story: they were just in Salisbury for a quick look at Stonehenge and the cathedral. Maybe they enjoyed a pint or two at a local pub, as tourists will. Comments on RT's video interview have been skeptical. A representative comment: "Until today I perceived this Skripal story as Britain’s provocation. But once I saw these two idiots, my view has been shaken" (Washington Post).

Recent Russian disinformation has combined coldly cheerful irreverence with mutually inconsistent big lies in ways that have lent their information operations a viral, tabloid quality, effective at undermining public confidence in Moscow's adversaries. But the interview with Petrov and Boshirov hasn't turned out well, for RT and its political masters. Once again, and this hasn't happened for a long time, official Russia has been hit squarely in its cultural sensitivity: the foreigners are laughing at them, and official Russia doesn't find it funny (Times).

Get security training from FireEye experts at Cyber Defense Summit.

Training opportunities at CDS offer attendees hands-on, small-group, interactive sessions with some of the world’s foremost experts in cyber security. Whether you’re an expert or just starting out in security, there’s a course designed for you. Register now

A financial system attack thought experiment.

A consideration of risk prompts some to think that the next financial crisis could be prompted by a cyber attack, and not the collapse of some speculative house-of-cards (Harvard Business Review). For all of the serious work toward resilience and redundancy done by FS-ISAC and its member institutions, there clearly remain unsolved problems (Quartz).

Crime and punishment.

Strike Force Woolana of the New South Wales Police arrested four members of a "fraud syndicate" that made millions in business email compromise. The alleged ringleader is a 43-year-old Nigerian man who operated while residing in an Immigration Detention Centre (ZDNet).

Nghia Pho, formerly employed at NSA, will be sentenced Monday after his guilty plea last December to mishandling highly classified material found in his home. Mr. Pho explained that he took the material home to work on polishing up his performance review. The Government has reviewed his performance and recommended eight years. Former NSA Director Rogers wrote the US Federal District Court in Baltimore, "The fact that such a tremendous volume of highly classified, sophisticated collection tools was removed from secure space and left unprotected, especially in digital form on devices connected to the Internet, left the NSA with no choice but to abandon certain important initiatives, at great economic and operational cost." There's some suspicion that his mishandling of classified information may have contributed to some of the ShadowBrokers' leaks (Politico).

Apparently getting a massage in the wrong place is a leading cause of difficulties in getting or keeping a security clearance (ClearanceJobs).

Visiting the imprisoned is a corporal work of mercy, but it's unlikely that's why Russian officials are regularly dropping in on Mariia Butina, the accused Russian spy now in US pretrial detention. The officials are fundamentally interested in two things: damage assessment and damage limitation (Politico).

A gentleman took a guilty plea to charges involving his posting the entire Dead Pool movie to his Facebook page. In what has become a leitmotif for online acting out, Mr. Trevon Franklin also unwisely tweet-taunted Federal law enforcement: "I see all these ppl talking the feds gone get me, well where they at???" Right now they at a sentencing recommendation of six months. Unclear on the concept of "being on the lam," Mr. Franklin also established a site he called "Bootleg Movies" (Naked Security).

There's also been a guilty plea in a ransomware attack staged through networked Washington, DC, traffic cameras shortly before President Trump's inauguration. Eveline Cismaru admitted guilt to two of eleven charges: conspiracy to commit wire fraud and computer fraud. She may get a break on her sentence if she follows through on her promise to help investigators against her co-conspirators. The motivation for the hacking was criminal, not political, and its timing seems to have been merely a coincidence (Washington Post).

Courts and torts.

The courts weighed in last week, indirectly, in the US Army's long-running, intramural Palantir civil war. In a decision made public on September 13th, a Federal Circuit Court ruled that the Army's procurement of the controversial Distributed Common Ground System violated laws requiring acquisition programs to give preference where possible to commercial companies. The solicitation for the Distributed Common Ground System-Army Increment 2 (DCGS-A2) ran afoul of the Federal Acquisition Streamlining Act by effectively excluding companies like Palantir (Law360).

Altaba, the holding company that retained what Verizon left behind in its acquisition of Yahoo!, has agreed to settle three outstanding suits over Yahoo!'s two major data breaches. Altaba will pay some $47 million to the plaintiffs (TechCrunch).

NSS Labs has filed an anti-trust suit against CrowdStrike, ESET, Symantec, and the Anti-Malware Testing Standards Organization (AMTSO). It alleges that an AMTSO testing standard is directed against NSS Labs' business (Dark Reading). NSS is an AMTSO member; they voted against the standards within the organization (Bleeping Computer).

Policies, procurements, and agency equities.

The US Defense Intelligence Agency (DIA) has announced the winners of its large HELIOS contract, a five-year vehicle under which DIA will by research, development, technical, and engineering services. The primes selected include AT&T, Booz Allen Hamilton, Harris Corp., KeyW Corp., Leidos Inc., Lockheed Martin Corp., Macaulay-Brown Inc., Northrop Grumman Corp., and Southwest Research Institute. The total contract value is $500 million (C4ISRNet).

The US Air Force is mulling creation of a new cyber office (Fifth Domain).

Analysts at Frost & Sullivan see a 2.9 percent compound annual growth in US Defense Department cyber spending, and they think this augurs consolidation in the cybersecurity industry. The spending also represents increasing convergence, within the Department of Defense, of cyber and electronic warfare (Fifth Domain).

Australia's Data61 feels like a voice crying in the wilderness: R&D could open up AUS$315 billion in opportunities, but Data61thinks the country's R&D investment isn't there (ZDNet). Observers say, unkindly, that a big slice of that opportunity lies in exporting "the nanny state," that is, in selling tested compliance solutions abroad (Australian Financial Review).

Fortunes of commerce.

India is the latest country to exhibit security skepticism about Chinese device manufacturers. It will exclude Huawei and ZTE from its 5G trials (Korea Times). Some Chinese legal academics are arguing that Australia's decision on security grounds to exclude Huawei from a Solomon Islands cable link violates the Law of the Sea (The Australian).

Symantec has responded to "activist investor" Starboard Value (which took a 5.8% share in the company last month) by adding three members to its board. One is a Starboard managing member, the other two are regarded as favored by the fund (Channelweb).

A newly passed Maryland law offers a tax credit to businesses that buy cybersecurity products and services from local companies (Technical.ly Baltimore).

Twelve security shops made the Forbes Cloud 100. The companies honored with a place on the list include Auth0, Cloudflare, CrowdStrike, Cylance, Darktrace, Endgame, Exabeam, Illumio, Lookout, Netskope, Pindrop Security, and Tanium,

Labor markets.

That white hat hackers are valuable isn't in serious dispute (Infosecurity Magazine). Some people wonder if you should set a thief to catch a thief, that is, if you could redress the perennial labor shortage in cybersecurity by hiring reformed black hats (ZDNet). There are plenty of black hats who've gone straight and now occupy positions of trust in companies, but there probably aren't enough to make a decisive dent in the labor shortage. And many black hats are merely skids, too, simply buying and deploying commodity attack tools without understanding those tools any better than the average home computer users understand their device's operating system. But the ones who have skills and seem to have learned their lesson? Why not?

A recurring theme in the discussion of the labor market is a widespread lack of clarity about career paths in cybersecurity. While it's easy to overestimate the importance of career pathways in corporate work, in government and particularly military service they may well matter more. Fifth Domain has a discussion of the challenges of structuring a military career in cyber. The convergence of cyber with intelligence and electronic warfare may ease some of those challenges.

Here's another thing people are thinking about: retiring IT workers (Wall Street Journal). The field remains surprisingly folkloric in the way it passes on knowledge. The Baby Boomers are exiting the workforce with the untidy self-regard that's been their generational marker for the past half century. When Les in IT retires, has Les really told Kim everything about that funny thing they've been doing to keep everything up and running? Those old Cobol jockeys won't be with us forever.

If you're looking for pattern recognition and link analysis skills, central to swift and effective intelligence analysis, some Intelligence Community experts think the autism spectrum is a good place to find them (GCN). 

Mergers and acquisitions.

Bomgar has acquired BeyondTrust, and it will take the acquired company's name. The combined business will be known as BeyondTrust (Security Boulevard).

Splunk is expected by investment analysts to continue acquiring companies (Seeking Alpha). 

Dublin-based managed service provider Trilogy Technologies has acquired cybersecurity and workplace virtualization shop Zinopy for an undisclosed amount (Irish Times).

Seattle-based Moss Adams, the accountancy, consulting, and wealth management firm, announced its intention to merge with cyber risk management shop AsTech, extending its consulting business into cybersecurity. Thirteen professionals from AsTech will join Moss Adams; AsTech's CEO will become a partner. The merger is expected to become effective on November 1 (Moss Adams).

Investments and exits.

Private-browsing company Duck Duck Go raised a $10 million funding round at the end of last month. The company's fortune's have risen as Google comes under increasing criticism for both questionable privacy and biased search results (Crunchbase).

Virginia-based SCYTHE has raised $3 million in an initial funding round led by Gula Tech Adventures. SCYTHE offers an attack simulation technology platform that organizations can use to emulate a complex range of cyberattack campaigns, using those emulations to test their vulnerabilities (BusinessWire).

Fidelis Cybersecurity, which specializes in automated detection and response, closed a $25 million funding round. The participants in the round were existing investors. Fidelis plans to use the investment to improve its unified security platform, Fidelis Elevate, strengthen go-to-market capabilities, and scale up its continuous managed detection and response service (BusinessWire).

See the note above about employers considering reformed black hats. Investors apparently consider them, too. Red Piranha, a security start-up founded by an Australian member of Anonymous who was convicted of offenses related to the Guy Fawkes Night capers of 2012, has raised $25 million. It will focus on privacy and small business security (Infosecurity Magazine).

And security innovation.

The all-new and always interesting SINET 16 list was released this week. The winners, in reverse alphabetical order, are Zingbox (an IoT security shop that offers an agentless, deep-learning approach to the challenge),  Very Good Security (data security, including compliance and liability assumption), Valimail (with a fully automated email authentication and anti-impersonation platform), Vade Secure (an email defense solution with special applicability to Microsoft Office 365 users), SecureLogix (enterprise voice security), Payfone (digital identity from dynamic digital signals as opposed to static personal data), Nehemiah Security (a risk quantification platform that helps minimize negative impacts to business), Illusive Networks (advanced tools to go with its deception-based cybersecurity and that manage the entire threat life cycle), ID Quantique (quantum-safe crypto solutions designed for the long-term future), Enveil (Never Decrypt computation to protect data-in-use), Edgewise Networks (zero-trust cloud workload security), D3 Security (comprehensive, integrated security technologies, threat intelligence, and dynamic playbooks to enable the SOC to succeed), Claroty (industrial control networks security), Bitglass (zero-day, cloud-based agentless, data and threat protection for any app and any device),  Avanan (a cloud security platform and single compliance manager that protects SaaS or IaaS against a range of threats), and Acalvio Technologies (advanced defense solutions that detect, engage and respond to malicious activity inside the perimeter) (BusinessWire). 

DARPA's ambitious AI program is attracting sympathetic but critical attention. Observers wonder in particular how anything developed in the program will bridge the proverbial "valley of death" between discovery and invention and regular engineering development (Bloomberg).

Australia's CISRO innovation shop, Data61, announced a partnership with Germany's HENSOLDT Cyber. They'll be collaborating on development of a trustworthy hardware-software stack (iTWire).

Deloitte has established a partnership with government-technology accelerator Decode, specialists in space and information security technology (PRNewswire).

What's the right role for a driven semi-outsider in technology development? War on the Rocks asks, who's the Hyman Rickover of Naval AI? Does the field need the same kind of founding spirit the nuclear Navy had?

 

This CyberWire look back at the Week that Was discusses events affecting Australia, Bahrain, China, European Union, Iran, Democratic Peoples Republic of Korea, Oman, Philippines, Russia, Saudi Arabia, United Arab Emirates, United Kingdom, United States.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in source articles are those of the authors, not CyberWire, Inc.