The National Institute of Standards and Technology released a guidebook Thursday aimed at helping organizations develop a game plan to quickly end and recover from a cyberattack. The NIST guide includes tactical and strategic guidance for developing, testing and improving a recovery plan. The document also includes information for planning for specific cyber incidents, including data breaches and ransomware. The book can be used in conjunction with NIST's Cybersecurity Framework, the agency said. NIST said it developed the handbook in response to the overall rise in cyber incidents and the Office of Management and Budget's 2015 Cybersecurity Strategy and Information Plan, which called on federal agencies to improve their cybersecurity response capabilities. “To be successful, each organization needs to develop its own plan and playbooks in advance,” said NIST computer scientist Murugiah Souppaya, one of the guide's authors, in a news release. “Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.”
Florida-based Inbound Call Experts, which the FTC and the state of Florida said engaged in a tech support scheme, will pay $10 million to consumers to settle a complaint and its business will be monitored for two years, said the commission in a Thursday news release. Commissioners voted 3-0 to accept the stipulated final order, which was filed in the District Court for the Southern District of Florida and entered Monday by a judge, the FTC said. The firm, which also did business as Advanced Tech Support, and other defendants used "high-pressure sales pitches to telemarket tech support products and services falsely claiming to find viruses and malware on consumers' computers," the release said. Under the final order, which bars them from misrepresenting such services, a judge will appoint a monitor to oversee the defendants' business for two years. To fund the $10 million, the company will transfer $5.75 million to the FTC within seven days after the judge signs the order and another $2.25 million within 30 days. Plus, a court-appointed receiver "will promptly transfer" another $2 million to the agency. The company didn't comment.
FCC Chairman Tom Wheeler had to “postpone some of the next steps in this combined approach” on cybersecurity -- addressing “a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively” -- due to the “impending change in Administrations,” he told Sen. Mark Warner, D-Va., in a Dec. 2 letter released Wednesday. Warner will be ranking member of the Senate Intelligence Committee starting next year. “Addressing IoT threats remains a National imperative and should not be stalled by the normal transition of a new president,” Wheeler told Warner. “I've attached an outline of a program that I believe would reduce the risk of cyber threats to America's citizens and businesses. This program includes collaborative efforts with key Internet stakeholder groups; increased interagency cooperation; and consideration of regulatory solutions by the Commission to address residual risk that cannot be addressed by market forces alone due to market failure.” That attached plan, a page and a half in length, is titled the 5G/IoT Cybersecurity Risk Reduction Program Plan and has three sections: one on Federal Advisory Committee/voluntary stakeholder engagement; one on leveraging interagency relationships; and a final one on regulatory and rulemaking activities. The FCC should issue a notice of inquiry “to develop a record and identify residual risk in the IoT commons, with the goal of determining where market failure may exist in the ISP, network element manufacturer, and device manufacturer community” and nail down best practices, the plan recommended. Then the agency should issue an NPRM “to examine regulatory measures the FCC could take to help address cyber risks that cannot be addressed through market-based measures,” it said. “The NPRM could examine changes to the FCC's equipment certification process to protect networks from IoT device security risks.
… Explore the potential of a cybersecurity certification (possibly self-certification) to create a floor and identifiable risk relevant levels above the floor for device cybersecurity and a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.” This month, an NOI sought comment on cybersecurity for 5G devices (see 1612160063), and the agency's Communications Security, Reliability and Interoperability Council met (see 1612210060). Wheeler had been seen as backing off of pursuing a vote on a draft that would set up framework for the commission to hold confidential meetings with communications sector executives aimed at providing assurances on the firms’ cybersecurity practices (see 1611300063). Wheeler also told Warner the FCC’s authority over broadband empowers its cybersecurity initiatives, and staffers are “actively examining cyber challenges presented by today's end-to-end Internet environment.” A senior Republican staffer for the Senate Commerce Committee recently questioned the FCC’s approach to cybersecurity under Wheeler (see 1612060074).
APCO, the National Emergency Number Association and National Association of State 911 Administrators jointly expressed concerns about a CTIA proposal for quarterly 911 live call reports by the carriers, due at the FCC starting in February. “CTIA included a proposed template for the reports and explanatory information regarding the carriers’ intent to exclude certain categories of 9-1-1 calls from consideration,” the public safety groups said. But the proposal wouldn't include some important calls to 911, the associations said. “APCO, NENA, and NASNA are particularly concerned that the carriers intend to exclude 9-1-1 calls made from roaming handsets and non-service initialized (NSI) devices,” said a filing in docket 07-114. Location accuracy rules, meanwhile, “make no exceptions when it comes to the collection and reporting of aggregate live 9-1-1 call location data,” the groups said. CTIA didn't comment Wednesday.
CTA knows of no "credible threats against CES 2017, but we remain in communication with the Department of Homeland Security, FBI and local law enforcement officials," Karen Chupka, senior vice president-CES and corporate business strategy, emailed us Tuesday. We questioned Chupka on any additional security precautions CES would take to thwart the type of vehicular attack made on the Christmas market in central Berlin Monday that killed 12 people. "Following the implementation of enhanced security procedures at CES 2016, we are continuing to incorporate vigilant security procedures at CES 2017 with the goal of maintaining the safety of all of our guests while creating as little inconvenience as possible," Chupka said. "This includes more armed officers at our various locations and restricted access points." CES 2017 again will use the bag restrictions and metal detectors first imposed at the 2016 show, CTA said last month (see 1611300044).
The frequency of distributed denial-of-service (DDoS) attack mitigations increased 40 percent so far in 2016, vs. the same period in 2015, Neustar reported Monday. IoT botnets emerged this year as a DDoS tool, as evidenced by the Mirai botnet that caused the October Dyn attacks (see 1610210056 and 1610250035), Neustar said. “The DDoS attack landscape has become increasingly complex in 2016 because there is no singular goal behind these attacks; some seek to disrupt services, while others serve as smokescreens to breach data,” said Senior Vice President Rodney Joffe in a news release. “Mirai signals a watershed moment for DDoS attacks, where the bad guys finally turned the Internet back on its users. It is imperative to invest in effective DDoS protection now because the threat landscape has fundamentally changed.” Multi-vector attacks are 322 percent higher this year than 2015, and were 52 percent of all DDoS attacks that Neustar mitigated this year, the company said. Domain name system-based attacks increased 648 percent this year as attackers increased their leveraging of DNS security extension amplification to generate “massive volumetric pressure,” Neustar said.
The FCC Public Safety Bureau sought comment on cybersecurity for 5G devices, it said in a Friday notice of inquiry. “We are not conducting this NOI in a vacuum,” the bureau said. “We intend this inquiry to complement the important work on cybersecurity that is already taking place within the government and private sector. The Commission, these other groups, and the wireless industry all have a significant interest in ensuring that these new networks consider security risk and mitigation techniques from the outset. This NOI, and the record it seeks to develop, will help in that effort.” Initial comments are due 90 days after publication in the Federal Register.
Participants in NTIA's vulnerability research disclosures multistakeholder process released a provisional version Thursday of voluntary guidelines for multiparty disclosure coordination, a template for an “early stage” disclosure coordination policy and a study of attitudes to vulnerability disclosure practices. The guidelines that the Forum of Incident Response and Security Teams (First) issued via NTIA include six use cases. They include a compendium of current best practices, like building and maintaining trust among parties, maintaining communication and ways to minimize stakeholders' exposure as a result of a vulnerability. Comments are due to First by Jan. 31. The early stage disclosure policy template focuses on safety-critical industries but can be used by “any organization in taking the first steps toward a disclosure policy,” said Deputy Assistant Secretary of Commerce-Communications and Information Angela Simpson in a blog post. The disclosure attitudes research report found that 92 percent of the more than 400 researchers surveyed engage in some form of coordinated vulnerability disclosure. Seventy-six percent of mature tech providers and operators have internal vulnerability handling procedures, but only about 33 percent of all surveyed companies require their suppliers to have their own vulnerability handling procedures, NTIA reported. The documents “will help many types of organizations better understand security disclosure, and develop their own strategies,” Simpson blogged. “NTIA will continue to work with stakeholders on outreach models and ways to educate key sectors and organizations, raise awareness of this important issue, and encourage adoption of practices that help improve security of the digital economy.”
The U.S. private cyber insurance market is continuing to grow and is capable of managing most risks, the R Street Institute reported Thursday. The free-market think tank said that sector is growing at a rate of between 25 and 50 percent annually, netting $2.75 billion in premiums in 2015. U.S. cyber insurance premiums are expected to rise to $7.5 billion by 2020, R Street said. Policies with a $50 million limit “would be able to cover roughly 92 percent of cyber-event claims,” R Street said. The likelihood of a major cyber incident that causes $250 billion-$1 trillion in damage during the next decade is between 10 and 20 percent, the group said. The potential for that sort of “black swan” event requires a government “backstop” or reinsurance entity to manage U.S. cyber exposure, R Street said. “The cyber insurance market is growing rapidly and ... already has sufficient capacity to cover the overwhelming bulk of events the market already has faced,” R Street said. “Businesses report they are satisfied with their existing cyber coverages.”
A hacker stole data from more than 1 billion Yahoo user accounts in August 2013, an incident that's "likely distinct" from one disclosed in September, said Chief Information Security Officer Bob Lord in a Wednesday blog post. In September, the company said 500 million user accounts were compromised in late 2014 (see 1609220046). "For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords ... and, in some cases, encrypted or unencrypted security questions and answers," wrote Lord. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information." He said Yahoo is notifying potentially affected users about securing their accounts and has invalidated unencrypted security questions and answers.