Author Archives: cyber_admin

3 strategies for addressing sensitive legal cybersecurity issues

Posted on by

Three years after enacting one of the most exacting cybersecurity regulations in the United States, the New York State Department of Financial Services (NYDFS) recently filed its first cybersecurity enforcement action. This enforcement action shows the importance of mitigating legal risks when addressing cybersecurity risks. NYDFS alleged that First American Financial, one of the country’s largest providers of title insurance, failed to properly address a known security vulnerability on its website that allowed millions of documents containing consumers’ nonpublic information to be exposed. After the vulnerability surfaced in a penetration test, First American misclassified the vulnerability as “low,” failed to investigate the vulnerability in the timeframe set by the company’s cybersecurity policy, the scope of documents that were exposed, and heed the recommendations of its in-house cybersecurity team. The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for government agencies, even during the COVID-19 […]

The post 3 strategies for addressing sensitive legal cybersecurity issues appeared first on CyberScoop.

Continue reading 3 strategies for addressing sensitive legal cybersecurity issues

Fixing supply chain vulnerabilities should be a team effort

Posted on by

In the last few weeks, the Ripple20 vulnerabilities have once again brought the challenge of securing IoT and OT devices to the forefront, underscoring the risky supply chain of software and hardware components that serves as the foundation for many of these devices. While these vulnerabilities are significant on their own, what they show on a more fundamental level is the dire need to rethink how we are all approaching IoT security as an industry, all the way from manufacturing to the mitigation of vulnerabilities. What makes the Ripple20 vulnerabilities so widespread is that the security flaws lie in the TCP/IP stack that underlies many embedded systems, including industrial control systems, medical devices, and printers. It’s not just one type of device or manufacturer that is impacted by this, but potentially hundreds of millions that this software crept into their supply chain. This is an opaque process, with little or […]

The post Fixing supply chain vulnerabilities should be a team effort appeared first on CyberScoop.

Continue reading Fixing supply chain vulnerabilities should be a team effort

The case for a National Cyber Director

Posted on by

Although the aftershocks of COVID-19 will last for years, one result is already clear — shifting more activity online has increased our society’s digital dependence even faster than expected. The federal government’s cybersecurity capabilities need to keep pace. Although some Federal agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), have made significant improvements over the last few years, at least three factors impede government-wide progress. First, cybersecurity’s cross-cutting nature does not fit with the U.S. government’s bureaucratic structure. Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity. Third, a lack of central leadership hinders effective incident response. No single policy action will solve these problems, but creating a National Cyber Director along the lines of what the Cyberspace Solarium Commission recommends would be a good start. Bureaucracies prefer issues that fit neatly into one organization’s mission. […]

The post The case for a National Cyber Director appeared first on CyberScoop.

Continue reading The case for a National Cyber Director

Taking steps to break down systemic racism in cybersecurity

Posted on by

Racism, like cybersecurity, is a national security issue. Systemic racism prevents diverse perspectives from informing policy and security. As a result, it hampers our ability to understand and combat misinformation and to address our society’s vulnerabilities so as to prevent our adversaries from exploiting them. Systemic racism also blinds us from seeing and leveraging the diverse experiences before us, undermining our ability to understand how all communities use technology and to ensure different voices are welcomed, heard, and protected in our national security institutions. We all have a role to play in the security of our nation, and there are so many institutional, systemic, and overt racial biases that make this problem so complex. So how do we start to dismantle them? We must start by acknowledging that these problems exist in our industry and begin taking tangible steps to educate ourselves on the impact of slavery and systemic racism […]

The post Taking steps to break down systemic racism in cybersecurity appeared first on CyberScoop.

Continue reading Taking steps to break down systemic racism in cybersecurity

Why the FBI’s cyber attachés are so valuable

Posted on by

On an average day, cybercriminals visiting the Darkode darkweb forum would expect to enter an underground, invitation-only digital marketplace to buy, sell, and trade malware, access to botnets, and stolen personal information. However, in July 2015, users were instead confronted with the emblems of the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ), and EUROPOL’s European Cyber Crime Center (EC3) instead of the Darkode homepage. A large, bold warning surrounded by the official seals of 17 additional international police departments prominently proclaimed, “This domain and website have been seized.” This was the culmination of a multi-year joint undercover operation by U.S. and international law enforcement from 20 countries who searched, charged, or arrested 70 of the forum’s members worldwide and indicted 12 individuals with computer fraud conspiracy. This joint effort, known as Operation Shrouded Horizon, exemplifies the collaboration needed to counter the increasingly complex and diffuse […]

The post Why the FBI’s cyber attachés are so valuable appeared first on CyberScoop.

Continue reading Why the FBI’s cyber attachés are so valuable

Trust us, information sharing can work. Here’s how we’re doing it.

Posted on by

You know what’s worse than trying to share cybersecurity information? Writing about it. Everyone has read over and over again about how important information sharing is for cybersecurity. The idea is certainly not new. It’s definitely not cool. It’s also hard. No one has completely nailed it even after talking about it for decades. Why is information sharing so hard and why are we still working on it? We’ve identified plenty of barriers and worked to address them. In many cases, we’ve addressed them quite well. For example, information sharing is tough from a technical perspective because the volume and speed of data continues to increase. So the community developed standards like STIX (Structured Threat Information eXchange) as a common language to share indicators and context at machine speed, TAXII (Trusted Automated eXchange of Intelligence Information) to provide a protocol for the transfer of information, and MITRE’s ATT&CK framework for […]

The post Trust us, information sharing can work. Here’s how we’re doing it. appeared first on CyberScoop.

Continue reading Trust us, information sharing can work. Here’s how we’re doing it.

What Shopify has learned from five years of bug bounty programs

Posted on by

As a part-time hacker and full-time security engineer at Shopify, I’ve learned a lot along the way. One of the biggest takeaways I recognized early on was that I kept returning to programs run by security teams that respected me and my time, were responsive to my reports and inquiries, and were transparent in their communications and disclosures. When I first joined Shopify, we were challenged to scale our team alongside our relatively new bug bounty program. I was excited to bring my insights and improve upon a program that hackers would engage with. Our goal has always been to build upon the success of our hacker-powered security programs with a concerted effort to promote transparency and attract talent. With the extra sets of eyes, we are able to implement more checks and balances to harden our attack surfaces. We attribute much of our success to our work as an […]

The post What Shopify has learned from five years of bug bounty programs appeared first on CyberScoop.

Continue reading What Shopify has learned from five years of bug bounty programs

It’s hard for campaigns to be transparent without aiding attackers

Posted on by

Everyone knows what happened to John Podesta in 2016. Hillary Clinton’s campaign manager clicked on a phishing email, and as far as we know, it was the first time a cyberattack shaped a presidential election. This time around, the campaigns are more focused on recognizing and stopping phishing attacks. That’s good, because phishing has become way more sophisticated over the last four years, including the painstaking research smart attackers run. So if we were to see a repeat of 2016, where would hackers conduct their homework? They could look no further than the Federal Election Commission, whose website illustrates how tough it is to balance transparency and security. The bad guys are looking, too Check out the FEC’s campaign finance data repository. It enables anyone to see where campaigns are spending their money: They’re required to list individuals, vendors, and others they are paying to support their operations. The site […]

The post It’s hard for campaigns to be transparent without aiding attackers appeared first on CyberScoop.

Continue reading It’s hard for campaigns to be transparent without aiding attackers

Why you can’t trust your vote to the internet

Posted on by

A common adage in information security is that most startups don’t hire their first full-time security engineer until they’ve got around 300 employees. If an app only stores public data and has no need to authenticate users, that might not present much of a problem. But when an app needs to be trusted to protect the confidentiality of a person’s political preference, it’s something else entirely. It’s why Tusk Philanthropies — an organization devoted to bringing mobile voting to the masses — is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff. The team at Trail of Bits — a boutique software security firm based in New York — was commissioned by Tusk in late 2019 to conduct a thorough ‘white box’ security test of mobile voting app Voatz, an app used in five states. The testers would have […]

The post Why you can’t trust your vote to the internet appeared first on CyberScoop.

Continue reading Why you can’t trust your vote to the internet

Experts: Internet voting isn’t ready for COVID-19 crisis

Posted on by

Internet technologies are set to play a critical role in the 2020 presidential election, but precisely which voting alternatives will be pursued – and whether they can adequately be secured – is now a $400 million question. COVID-19 doesn’t – at this point – present an excuse to postpone the general election in November. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency told a recent Axios forum that 42 U.S. states have mechanisms in place that allow for alternatives to in-person voting, and the other eight have break-glass provisions for doing the same when emergencies require it. A global pandemic would most certainly meet that threshold. The $2.2 trillion coronavirus relief bill (CARES Act) signed into law last week included $400 million of grants the Election Assistance Commission can give to states to help them “prevent, prepare for and respond to Coronavirus.” Earlier versions of the bill stipulated […]

The post Experts: Internet voting isn’t ready for COVID-19 crisis appeared first on CyberScoop.

Continue reading Experts: Internet voting isn’t ready for COVID-19 crisis