Few U.S. hospitals secure their email against phishing, Global Cyber Alliance says

Fewer than one-third of the 98 largest public and private hospitals in the United States secure their email against phishing and spoofing, according to data released Thursday. The Global Cyber Alliance said that of the 50 largest public hospitals, only six employed Domain-based Message Authentication, Reporting and Conformance, or DMARC, an email authentication, policy and reporting protocol whose development PayPal initiated about a decade earlier. Of the 48 biggest for-profit hospitals, only 22 used DMARC. The figures led GCA to describe U.S. health care providers’ email security as being in “critical condition.” The alliance also notes that, according to the latest Verizon Data Breach Investigations Report, 66 percent of malware installed on healthcare providers’ IT networks was delivered via email attachment, often sent from a spoofed sender address. DMARC helps prevent phishing and other email spoofing attacks, in which an email is made to look as if it comes from a company, […]
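
As an added example (not code from the Global Cyber Alliance, Cyberscoop or any hospital), the Python below parses the DMARC TXT record a domain publishes at _dmarc.<domain> and grades what receiving mail servers will actually do with mail that fails authentication. The point a practitioner should check before counting a domain as protected: a record with p=none only asks for reports and still lets spoofed mail through, and p=quarantine with a low pct value covers only a sample of failing mail, so "uses DMARC" in a tally like GCA's can overstate the protection. The four sample records and the .example domain names are constructed for the example.

```python
"""Grade DMARC records by the protection they actually give a domain.

Added example for this page, not code from the Global Cyber Alliance or
Cyberscoop. Each record is the TXT value a resolver returns for
_dmarc.<domain>; the sample records below are constructed and the
.example domains are placeholders, not real hospitals.
"""

# Constructed inputs: what `dig +short TXT _dmarc.<domain>` would return
# for four hypothetical hospital domains (None = no record published).
SAMPLE_RECORDS = {
    "hospital-a.example": None,
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hospital-d.example",
}

# Tag defaults from RFC 7489 section 6.3 that matter for grading.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return None if it is not one."""
    if record is None:
        return None
    tags = {}
    first = True
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            return None  # malformed tag=value pair
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value.upper() != "DMARC1"):
            return None  # RFC 7489: 'v=DMARC1' must be the first tag
        first = False
        tags[key] = value
    if "p" not in tags:
        return None  # the policy tag is required on an organizational domain
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def grade(tags):
    """Return (label, percent_enforced, note) for mail that fails DMARC."""
    if tags is None:
        return ("none", 0, "no record: spoofed mail delivered, no reports")
    policy = tags["p"].lower()
    try:
        pct = max(0, min(100, int(tags["pct"])))
    except ValueError:
        pct = 100  # an unparseable pct is treated as the default
    if policy == "none":
        return ("monitor", 0, "monitor only: reports arrive, spoofs still delivered")
    if policy == "quarantine":
        return ("quarantine", pct, f"{pct}% of failing mail sent to spam/quarantine")
    if policy == "reject":
        return ("reject", pct, f"{pct}% of failing mail rejected outright")
    return ("invalid", 0, f"unknown policy {policy!r}: receivers fall back to none or ignore it")


def summarize(records):
    """Tally domains the way a survey would: published a record vs. enforcing."""
    out = {"published": 0, "enforcing": 0, "total": len(records)}
    for record in records.values():
        tags = parse_dmarc(record)
        label, pct, _ = grade(tags)
        if tags is not None:
            out["published"] += 1
        if label in ("quarantine", "reject") and pct == 100:
            out["enforcing"] += 1
    return out


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {grade(parse_dmarc(record))[2]}")
    print(summarize(SAMPLE_RECORDS))
```

To check a live domain, replace one of the sample values with the output of dig +short TXT _dmarc.<domain> (quotes stripped). The summarize count deliberately separates domains that merely publish a record from those enforcing at 100 percent; that is the distinction to draw before calling a domain protected against spoofing.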

The post Few U.S. hospitals secure their email against phishing, Global Cyber Alliance says appeared first on Cyberscoop.

New research looks at how scammers are turning fake news into profit

Like many forms of online crime, scam artists have turned fake news into a purchasable service on the web, promising to viralize content, no matter how distorted or untrue, spread it on the Internet and promote it through social media. Researchers from Trend Micro catalogued the services on offer in Chinese-, Russian- and English-language dark-web cybercrime forums and online “grey” markets, where they are offered alongside “black hat” Search Engine Optimization tools; services that promise to generate social media followers; and offers to generate comment spam, fake upvotes or other kinds of fraudulent Internet engagement. The report doesn’t address how effective these tools and services are; nor does it analyze any actual examples of their use. All the scenarios it discusses — discrediting a journalist or sparking a street protest — are hypothetical. Nonetheless, it’s an interesting inventory of the “wide variety of tools and services … readily available, both inside […]

NSA’s new open language for cyber-defenses will aid interoperability

Led by the NSA, a group of cybersecurity experts and vendors has been busy behind the scenes for more than a year, developing an open, standardized computer language for the command and control of cyber-defenses — OpenC2. The idea of OpenC2 is to let different elements of cyber-defense technology communicate at machine speed — regardless of whether or not they are made by the same vendor and no matter which programming language they use. Cyber-defenders “have to have an automated machine response,” to outpace the attacker, said NSA official Joe Brule, the original convener of the OpenC2 process. “We’re going to have to have standardized interfaces” to allow security tools from different vendors to talk to each other, he told the Gartner Security and Risk Management Summit on Tuesday. The use of standardized interfaces and protocols enables interoperability of different tools, regardless of the vendor that developed them, the language they are written in or […]
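
As an added example, not code from NSA, OASIS or any OpenC2 vendor, the Python below shows the interoperability idea in miniature: a single command in the action/target/args shape that the OASIS OpenC2 Language Specification v1.0 later standardized is validated once, then handed to two hypothetical actuator adapters, a Linux iptables host firewall and a made-up cloud firewall API, each of which renders the same instruction in its own native form and returns an OpenC2-style status. The command message, the adapter names and the 192.0.2.0/24 documentation range are constructed; the adapters stand in for whatever products a defender actually runs.

```python
"""Route one OpenC2-style 'deny' command to two different enforcement back ends.

Added example for this page; not NSA, OASIS or vendor code. The message
shape (action / target / args / command_id) follows the OASIS OpenC2
Language Specification v1.0, published after this article. Both adapters
are hypothetical: one emits an iptables command line, the other a JSON
rule for an imaginary cloud firewall API.
"""
import ipaddress
import json

# Constructed command: block an attacker subnet for one hour.
# 192.0.2.0/24 is documentation address space; 'duration' is milliseconds
# in OpenC2, and the command_id is made up.
COMMAND_JSON = json.dumps({
    "action": "deny",
    "target": {"ipv4_net": "192.0.2.0/24"},
    "args": {"duration": 3600000, "response_requested": "complete"},
    "command_id": "example-0001",
})

# The action/target pairs this (hypothetical) consumer implements.
SUPPORTED = {"deny": {"ipv4_net"}, "allow": {"ipv4_net"}}


def parse_command(raw):
    """Validate the message once, before any adapter acts on it."""
    cmd = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(cmd, dict):
        raise ValueError("command must be a JSON object")
    action = cmd.get("action")
    target = cmd.get("target")
    if action not in SUPPORTED:
        raise ValueError(f"unsupported action {action!r}")
    if not isinstance(target, dict) or len(target) != 1:
        raise ValueError("target must contain exactly one target type")
    ttype, value = next(iter(target.items()))
    if ttype not in SUPPORTED[action]:
        raise ValueError(f"{action} does not accept target type {ttype!r}")
    if not isinstance(value, str):
        raise ValueError("ipv4_net must be a CIDR string")
    net = ipaddress.ip_network(value, strict=True)  # rejects junk and host bits
    if net.version != 4:
        raise ValueError("ipv4_net must be an IPv4 network")
    args = cmd.get("args") or {}
    duration_ms = args.get("duration")
    if duration_ms is not None and (
        isinstance(duration_ms, bool) or not isinstance(duration_ms, int) or duration_ms <= 0
    ):
        raise ValueError("duration must be a positive integer number of milliseconds")
    return {"action": action, "net": net, "duration_ms": duration_ms,
            "command_id": cmd.get("command_id")}


def to_iptables(cmd):
    """Adapter 1 (hypothetical): a Linux host firewall driven by a shell command."""
    verb = "DROP" if cmd["action"] == "deny" else "ACCEPT"
    return f"iptables -I INPUT -s {cmd['net']} -j {verb}"


def to_cloud_rule(cmd):
    """Adapter 2 (hypothetical): a JSON rule for an imaginary cloud firewall API."""
    ttl = None if cmd["duration_ms"] is None else cmd["duration_ms"] // 1000
    return {
        "direction": "ingress",
        "cidr": str(cmd["net"]),
        "effect": "block" if cmd["action"] == "deny" else "permit",
        "ttl_seconds": ttl,
    }


def dispatch(raw, adapters):
    """Run one command through every adapter; reply in OpenC2 response shape."""
    try:
        cmd = parse_command(raw)
    except ValueError as exc:
        return {"status": 400, "status_text": str(exc)}
    results = {name: render(cmd) for name, render in adapters.items()}
    return {"status": 200, "command_id": cmd["command_id"], "results": results}


if __name__ == "__main__":
    adapters = {"host-firewall": to_iptables, "cloud-firewall": to_cloud_rule}
    print(json.dumps(dispatch(COMMAND_JSON, adapters), indent=2))
```

The producer (a SIEM, an analyst console, an automated playbook) never needs to know which adapter is behind the consumer; it speaks the one shared shape, and each vendor's adapter translates. Validation happens once, before dispatch, so a malformed or out-of-policy command is rejected with a 400 rather than half-applied across back ends.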

UL now wants to be ubiquitous in cybersecurity, including medical devices and industrial controls

The company that pioneered safety certification for electrical devices at the end of the 19th century, and went on to represent a reassuring stamp of approval in the 20th, has quietly begun issuing cybersecurity certifications for networked software. Underwriters Laboratories, or UL as most people know it from its ubiquitous logo, launched its Cybersecurity Assurance Program last year, publishing its 2900 standard, which covers the security of software for network-connectable devices, along with supplements that add requirements particular to medical devices and industrial control systems. The requirements were drafted with the help of academics, industry experts and government officials, including federal “three-letter agencies,” UL Principal Engineer for Medical Software and Systems Anura S. Fernando told CyberScoop. The feds “provided us with some direction on what they’d like to see improved from a cybersecurity national posture point of view,” he said. According to a UL factsheet, its 2900 series of standards tests and evaluates products based on […]

Recruitment and retention of ‘cyber ninjas’ doesn’t have to be a dark art, report says

Those on the front lines of the cybersecurity workforce crisis are dogged by one question above all others: how to recruit and retain the highly technically skilled personnel they need. Now, thanks to the SANS Institute, they have some fresh answers, at least in the government contracting sector. The institute, an information-security training provider and research clearinghouse, analyzed a list of the top 100 U.S. government contractors and identified the eight companies that score highest on two indices reflecting metrics developed by the Center for Strategic and International Studies think tank last year. The eight firms are all major U.S. defense and intelligence contractors, called systems integrators because they build IT and other business systems for the government by assembling hardware, software and services from multiple vendors. According to the SANS analysis, the eight companies have had “remarkable success” in recruiting and retaining the highly technically skilled individuals that the CSIS report dubbed “cyber […]

WannaCry outbreak was first big test of HHS’s new cybersecurity center for health sector

When the WannaCry worm crippled the British National Health Service last month, the response at the U.S. Department of Health and Human Services was led by a new cybersecurity watch center, lawmakers heard Thursday. The Healthcare Cybersecurity and Communications Integration Center “coordinated the response to WannaCry,” Steve Curren, director of resilience in the HHS Office of Emergency Management, told a House Energy and Commerce subcommittee. When the worm struck, crippling dozens of British hospitals, HHS officials “took immediate action to engage [the] broader U.S. health sector and ensure that IT security specialists had the information they needed to protect against, respond to and report intrusions,” Curren said. The HCCIC (pronounced “aitch-kick”) came online in May and is modeled on the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, a 24-hour watch center that pulls in real-time data from vital national industries like banking and telecommunications and distributes warnings and other information. […]

Lawmakers fret over proposed budget cuts to some DHS cyber programs

During two days of hearings on Capitol Hill, lawmakers generally said they were pleased so far with Homeland Security Secretary John Kelly, but several from both parties expressed concern about the impact of budget cuts on some DHS cybersecurity programs — and Kelly indicated the cuts weren’t final. Proposed cuts to the department’s Science and Technology Directorate and the planned closure of a cybercrime training college for state and local law enforcement and prosecutors were highlighted by Republican congressmen Wednesday, while Democratic Sen. Claire McCaskill of Missouri complained Tuesday about the proposed reduction of grant programs that helped fund port and airport security. “Why have you cut the science and technology budget … by 20 percent?” asked Rep. John Rutherford, R-Fla., noting that the budget reductions would cause several of the department’s research laboratories and centers of scientific excellence to close. Kelly hedged. “This is obviously a work in progress, congressman,” he […]

Leaked NSA hacking report ratchets up pressure on local election officials

Despite new evidence from a leaked NSA report that Russian hackers sought to compromise state and local election technology, the officials in charge are still vigorously opposing the federal designation of their polling systems as critical infrastructure. “It’s unclear how this situation would change anyone’s opinions about the [critical infrastructure] designation,” Kay Stimson of the National Association of Secretaries of State told CyberScoop. NASS represents the state-level officials responsible for tabulating election results. Stimson added that officials didn’t get any additional resources to defend their networks as a result of the January 2017 announcement by the Department of Homeland Security, which many saw as a federal power grab. Federal officials have stressed that state or local participation in any DHS programs is voluntary, and suggested that DHS expertise might be able to help election officials secure themselves against online attacks. Stimson said officials had asked DHS for a briefing about the leaked information. The document, leaked […]

Former DoD official: U.S. ‘more and more vulnerable’ to cyberattacks

Vital U.S. industries like banking and telecommunications are more vulnerable than ever to cyberattacks; the military systems that ought to deter such incursions are themselves susceptible to hackers; and in any case, not all of the actors who will soon be capable of launching such destructive online strikes can be deterred. That’s the scary takeaway from remarks Tuesday by former Pentagon cybersecurity policy chief James N. Miller. “I don’t see the vulnerability of U.S. critical infrastructure peaking,” Miller told an audience at the Brookings Institution. “I see it going up and up and up.” The vulnerabilities that potentially affect the military, not only in Pentagon systems themselves but also in civilian ones like the power grid that the troops rely on, are getting so severe that Miller and his colleagues on the Defense Science Board believe U.S. security is at risk. “Down the road, I don’t see it as the case today, but down the […]

Report: International nonprofit would ease work of cyber-attribution

Identifying the perpetrators of cyberattacks and other malicious online activities is tough. Aside from the purely technical difficulties, would-be attributors also must deal with a skeptical public that is suspicious of official pronouncements and wary about misinformation — even from democratic governments. That being the case, concludes a new study, what’s needed is an international nongovernmental body consisting of technical, policy and legal experts that could conduct independent investigations into cyber-incidents and publish their results. The study was published Friday by the RAND Corp., a think tank with historic ties to the U.S. military. “We see this as a first step,” the study’s lead author, RAND Senior Information Scientist John Davis, told CyberScoop. “Personally, I hope this work continues.” The study was financed by Microsoft, whose President Brad Smith called in February for a “Digital Geneva Convention.” Last year, in a policy paper, the company called for an intergovernmental body — modeled on the International […]
