Tax prep firm reaches settlement with FTC over cybersecurity lapses

TaxSlayer, a tax preparation company hacked by a ring of identity thieves in 2015, has agreed to settle a Federal Trade Commission complaint about its cybersecurity and data privacy practices — consenting to adopt a new security program and pay for third-party audits of its services. “Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection in a statement. “TaxSlayer didn’t have an adequate risk assessment plan.” The FTC announced the settlement in a statement Tuesday, saying the company was in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement security safeguards to protect customers’ personal information; and its Privacy Rule, which requires financial institutions to tell customers about their privacy practices — the widely ignored “privacy notices” that they distribute. There is no direct financial penalty, but the company has to bear the […]

The post Tax prep firm reaches settlement with FTC over cybersecurity lapses appeared first on Cyberscoop.

Elevation of Cyber Command will make it more like its elite brethren

Buried deep in President Donald Trump’s decision to elevate U.S. Cyber Command to a full-fledged unified combatant command is a detail that will eventually herald important changes to the way its military cyber personnel are going to be trained — and one that helps illuminate how the U.S.’ understanding of cyber war is changing. The elevation announcement earlier this month, mandated by Congress, was widely anticipated for months, if not years. According to current and former Pentagon officials, Adm. Michael Rogers, the four-star commander of Cyber Command, already has pretty much the same authorities the commanders of the other nine UCCs enjoy, including the highest-profile ones — a direct line to the Secretary of Defense and a seat at the budget deliberations table. “On paper, the chain of command goes through U.S. Strategic Command,” the UCC to which Cyber Command is currently subordinate as it awaits elevation, explained former Acting Deputy Assistant Secretary of Defense […]

Forcepoint, emphasizing ‘human-centered’ security, buys RedOwl

Cybersecurity company Forcepoint, as part of its intensifying focus on what it calls “human first security,” is buying RedOwl, which specializes in using data analytics to measure and manage insider risk. Austin, Texas-based Forcepoint announced the acquisition Monday, saying RedOwl’s analytics platform would be on sale immediately and over time would be integrated into its full range of products. Executives declined to reveal the terms of the acquisition. “If the cybersecurity industry fails to put people at the center, it is certain to fall short in helping customers protect their most vital assets,” said Forcepoint CEO Matthew Moynahan, in a statement. “Forcepoint is absolutely committed to empowering customers with human-centric security systems,” and the Baltimore-based RedOwl “fits squarely into this promise,” he said. Cloud computing, mobile technology and rapid changes to infrastructure are making traditional perimeter cybersecurity “a fallacy,” explained Bharath Vasudevan, senior director for Forcepoint’s data and insider threat security business. “By focusing on how, when, where and why […]

DHS will scan agencies for DMARC, other hygiene measures

The Department of Homeland Security is now collecting data about federal agencies’ use of an industry-standard cybersecurity measure that blocks forged emails. The collection is seen as a first step to encouraging wider adoption within the U.S. government, according to official correspondence. In a letter to Sen. Ron Wyden, D-Ore., DHS official Christopher Krebs says the department “is actively assessing the state of email security and authentication technologies … across the federal government,” to include Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is the industry-standard measure to prevent hackers from spoofing emails — making their messages appear as if they were sent by someone else. Spoofing is the basis of phishing, a major form of both crime and espionage, in which an email appearing to come from a trusted third party directs readers to a website where login and password credentials can be stolen. Krebs says DHS’s 24-hour cyber watch center, […]

Intel bill puts DNI in charge of countering Russian election meddling

The nation’s top intelligence official will have to assess spy agencies’ response to Russian election meddling last year and devise a whole-of-government strategy for combating similar efforts in the future, if a Senate bill that advanced this week becomes law. The bill, S.1761, the Intelligence Authorization Act for Fiscal Year 2018, passed out of committee this week with a single dissenting vote. The bill in its current form would require a number of reports to Congress on a variety of issues regarding cybersecurity incidents targeting the federal government in the last year. Sen. Ron Wyden, D-Ore., said in a statement he voted no “over a provision that could set a troubling constitutional precedent” — by identifying Wikileaks and its senior leaders as “a non-state hostile intelligence service often abetted by state actors.” “My concern,” he said, “is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, […]

Most large companies don’t use standard email security to combat spoofing

Only a third of Fortune 500 companies deploy DMARC, a widely backed best-practice security measure to defeat spoofing — forged emails sent by hackers — and fewer than one in 10 switch it on, according to a new survey. The survey, carried out by email security company Agari via an exhaustive search of public Internet records, measured the use of Domain-based Message Authentication, Reporting and Conformance, or DMARC. “It is unconscionable that only eight percent of the Fortune 500, and even fewer [U.S.] government organizations, are protecting the public against email domain spoofing,” said Patrick Peterson, founder and executive chairman of Agari. A similar survey of federal government agencies earlier this month, by the Global Cyber Alliance, found fewer than five percent of federal domains were protected by switched-on DMARC. The Agari survey found adoption rates similarly low among companies in the United Kingdom’s FTSE and Australia’s ASX 100. DMARC is the industry-standard measure to prevent hackers from spoofing emails […]

Trump advisers: key industries need separate systems in wake of cataclysmic event

The U.S. needs special communications networks for its most critical industries, including physically separate fiber systems and spectrum reserved for them to use in an emergency, to guard against a major attack, an industry advisory committee recommended in a report Tuesday. “We find ourselves in a pre-9/11-level cyber moment, with a narrow and fleeting window of opportunity to coordinate our resources effectively” before a major attack, states the report, which was adopted Tuesday by the National Infrastructure Advisory Council. The report was mandated in President Donald Trump’s recent executive order on cybersecurity. As the report notes, “Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure,” and the council — made up mostly of current or former business executives, with a few former government officials thrown in — is designed to help bring to government deliberations the perspective of those private companies that run […]

Newest Microsoft report issues warning on cloud ‘weaponization’

The number of cloud-based Microsoft user accounts that came under cyberattack in the first quarter of this year was four times what it had been during the same period last year, the Redmond, Washington-based tech giant revealed in its latest security statistics. In the publication, the company also warns about the increasing “weaponization” of cloud services by cybercrime groups and other hackers. The latest volume of the Microsoft Security Intelligence Report presents incident data from January to March this year across the company’s billion-plus device ecosystem. For the first time, the data is broken out into endpoint and cloud segments. “Today, most enterprises now have hybrid environments and it’s important to provide more holistic visibility,” the company’s security team states in a blog post. The post also says the company will now share data quarterly, as opposed to every six months, “as we shift our focus to delivering improved and more frequent updates in the […]

Security companies give public free way to sift through malware research

Cybersecurity companies spend a lot of money on their research and the infrastructure they build to conduct it, so it’s counter-intuitive that they would give it away — but that’s exactly what two of the biggest firms are doing this summer. Comodo recently announced Comodemia, a program that would make its vast database on more than 120 million malware incidents — and the analytics engines used to mine it for insights — available online for university, government, and nonprofit researchers and educators. “Many researchers currently spend the majority of their time building the tools and the environment they need to do code compiling, malware analysis, phishing detection … It can take months before the real research can even begin,” explained Fatih Orhan, Comodo’s vice president of threat labs. “That’s where we can offer a benefit.” The list of features Comodemia would offer includes: “A feed, accessible in realtime of all the threat data we collect […]

Cyber CEOs urge NIST Framework be made a part of NAFTA talks

Ten major cybersecurity companies have written to U.S. Trade Representative Robert Lighthizer to urge that alignment of cybersecurity standards — and the use of risk management tools like the NIST Cybersecurity Framework — become part of the renegotiation of the North American Free Trade Agreement that started this week. “The government … needs to step up to the plate” in international affairs where cybersecurity is concerned, Amit Yoran, CEO of Tenable and one of the letter’s signatories, told CyberScoop. The other companies signing on are Rapid7, Arbor Networks, Bugcrowd, CA Technologies, Cybereason, Forescout, McAfee, Mimecast and Symantec. “Trade issues related directly to the U.S. cybersecurity industry are absent” from the lengthy list of U.S. negotiating objectives in the NAFTA rewrite released by Lighthizer’s office, the letter complains, while welcoming the inclusion of objectives related to digital trade more generally. That omission is especially damaging, the letter suggests, because “Numerous countries are currently considering or […]