Cybersecurity spending by healthcare providers and medical device OEMs will reach $5.5 billion this year, but "only $390 million" of that will be earmarked for securing connected medical devices, said ABI Research in a news release Monday. "Healthcare stakeholders have to understand that there is a new hostile environment that will emerge around networked medical devices and that threat actors have multiple levels of skills and diverging motivations for attacking the medical IoT," said Research Director Michela Menting. While the U.S. is the only country "putting significant energies" into this area, ABI said awareness is increasing and global spending will triple by 2021.
The Cloud Security Alliance released guidelines to help IoT designers and developers understand security measures for IoT-related products and services, said a Friday CSA news release. CSA’s report cites 13 considerations and guidance for designing and developing “reasonably secure” IoT devices to mitigate common issues with IoT device development, it said. Topics include IoT device security challenges; security options available for IoT development platforms; a categorization of IoT device types and a threat review; recommendations for secure device design and development processes; and a checklist for security engineers and examples of IoT products mapped to relevant threats, it said.
The Democratic and Republican vice presidential candidates argued during their debate Tuesday in favor of their visions of countering cyberattacks. “We have got to bring together the very best resources for this country to understand that cyber warfare is the new warfare of the asymmetrical enemies that we face in this country,” said Indiana Gov. Mike Pence, the GOP vice presidential nominee. Sen. Tim Kaine, D-Va., the Democratic vice presidential nominee, said he believes private sector cybersecurity firms should participate in the “intelligence surge” that Democratic presidential nominee Hillary Clinton proposed to combat terrorism. “We've got some of the best intelligence and cyber employees in the world working right here in the United States for many of our private-sector companies,” Kaine said. Pence also referenced Clinton’s use of a private email server during her time as secretary of state, saying one of the best ways to improve the federal government’s cybersecurity would be to prevent future secretaries of state from similarly using private email accounts. Kaine countered that FBI Director James Comey found Clinton’s use of the email server wasn’t worthy of prosecution.
A majority of typical computer users experience "security fatigue," meaning they are tired of dealing with security, which can lead to riskier behavior, said the National Institute of Standards and Technology in a Tuesday blog post on a new agency study. “If people can’t use security, they are not going to, and then we and our nation won’t be secure," said co-author Brian Stanton, a NIST cognitive scientist. The study is based on interviews with people of all ages, holding a variety of jobs and living in suburban, rural and urban areas, about their online activity, including shopping and banking, computer security, security terminology, and security icons and tools. Researchers said most computer users "felt overwhelmed or bombarded" by computer security issues such as remembering dozens of passwords, leading to "feelings of resignation and loss of control." Some said they didn't know why they would be targeted in a cyberattack and added that security should be left to a third party such as their bank. To ease the fatigue, researchers, who plan further studies on the topic, said security decisions should be made simple and consistent for users.
The volume of distributed denial of service (DDoS) attacks has remained consistently high, and such attacks are causing “real damage” to companies, Neustar said Tuesday in a report based on a survey of more than 1,000 cybersecurity professionals. It said DDoS attacks are frequently being used as a “smokescreen” for hackers to launch other malware against a company’s servers. Fifty-three percent of DDoS attacks were accompanied by other malware, with 46 percent of such cases involving viruses, 15 percent involving ransomware and 37 percent involving other forms of malware. The risk of IoT-based DDoS attacks is increasing as more unsecured IoT-enabled devices go on the market, it said. Eighty-two percent of professionals who have adopted IoT have experienced an attack, while 58 percent of those who haven’t adopted such technologies were attacked. “Organizations should be concerned that DDoS attacks are growing increasingly sophisticated and relentless, frequently serving as the first stage of a multi-stage attack against an organization’s infrastructure,” said Neustar Senior Technologist Rodney Joffe in a news release. “There is a silver lining: as public attention is driving urgency to improve DDoS protection capabilities, organizations are increasingly realizing that having a DDoS mitigation solution in place is a requirement” to defend against such attacks.
Four initial voluntary documents providing guidelines for information sharing and analysis on cybersecurity risks, incidents and best practices will be published Friday, said the Information Sharing and Analysis Organization Standards Organization (ISAO SO) in a news release Thursday. Led by the University of Texas at San Antonio, the ISAO SO is a nongovernmental group established a year ago under executive order 13691 to spur private sector cybersecurity sharing (see 1502130048). The group said the four publications will offer: an overview of ISAOs; a set of guidelines on how to create one and make it effective; a conceptual framework on information sharing, covering the types of cybersecurity-related information organizations may want to share, how to facilitate sharing, and privacy and security concerns; and resources related to federal laws and regulations, plus state and local perspectives. "We anticipate updating and expanding these guidelines based on feedback from their implementation," said Rick Lipsey, the ISAO SO's deputy director. "The ISAO Series will evolve in the coming months to serve the community with additional publications that will allow all organizations and individuals to better defend themselves against emerging cyber threats.” More than 160 experts collaborated on the documents, with public feedback, the release said. The group will host its next online public meeting Oct. 20 to address the publications, among other things.
Special Assistant to the President-Economic and Tech Policy David Edelman Wednesday credited the White House’s 2009 global cyberspace policy strategy for setting the tone for President Barack Obama’s cybersecurity focus. Cyber has become “a priority for this administration,” with cybersecurity issues now playing a prominent role in “every bilateral agreement” the U.S. signs, Edelman said during a Johns Hopkins University School of Advanced International Studies event. The 2009 cyberspace strategy also guided the Obama administration’s approach to dealing with thorny privacy issues after former NSA contractor Edward Snowden’s leaks about controversial surveillance programs, Edelman said. “Tremendous change domestically” on privacy issues, including passage of both the USA Freedom Act and the Judicial Redress Act, aided in development of the U.S.-EU Privacy Shield, Edelman said. “For all the political posturing that might exist on one side of the Atlantic or the other, the reality is that the U.S. did have a winning partner in the form of the European Commission” on the Privacy Shield, Edelman said.
Sen. Mark Warner, D-Va., is urging the SEC to investigate whether Yahoo fulfilled its obligation to inform investors and the public about the 2014 data breach that affected more than half a billion user accounts (see 1609220046 and 1609230026). In a Monday news release, which included the text of a letter to SEC Chairwoman Mary Jo White, Warner said, “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.” He said the company may have known about the breach this summer and failed to file a Form 8-K about it, as required. Warner, co-founder of the Senate Cybersecurity Caucus, also asked the SEC to assess the adequacy of current disclosure thresholds since "fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010." Yahoo didn’t comment.
Intel, Lenovo, Synaptics and PayPal are collaborating on an authentication system for consumer and enterprise laptops, they said in a Friday announcement. Lenovo customers will be able to authenticate to online FIDO (Fast IDentity Online)-enabled services such as PayPal by using a fingerprint rather than a password, said the companies. In the FIDO model the fingerprint is matched on the device and never sent to the service; the device instead signs a challenge from the service with a private key it holds. Intel’s 7th Gen Core processors with Software Guard Extensions are the foundation for the hardware-protected biometric authentication, and Synaptics’ Natural ID fingerprint sensor is said to offer enterprise-level security with TLS 1.2 encryption, including anti-spoofing algorithms. The goal is to reduce fraud and increase security through “nearly frictionless” hardware-based biometrics, said the companies. Users today have to remember myriad passwords for different accounts, PC log-in, email and online shopping, said Johnson Jia, senior vice president-Lenovo PC and smart device business group, saying the collaboration will change that with a simple authentication solution.
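The challenge-response flow behind passwordless FIDO sign-in, as an added illustration in Go. This is not code from Intel, Lenovo, Synaptics or PayPal and is not their FIDO implementation: the origin string, user name and "fingerprint template" are constructed placeholders, the SGX enclave and sensor are modeled only as a struct that refuses to release its key without a matching sample, and the assertion layout (SHA-256 of the origin, a presence byte, a counter, and the SHA-256 of the client data, signed with P-256 ECDSA) follows the U2F style rather than any vendor's exact wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is the device side. One key pair per relying-party origin,
// released only after a local biometric match. "enrolled" is a constructed
// stand-in for a sensor's stored template; it is never sent anywhere.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey
	counter  uint32
	enrolled string
}

func NewAuthenticator(template string) *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, enrolled: template}
}

// Register mints a fresh P-256 key pair for origin and hands back only the public half.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign returns a U2F-style assertion: ECDSA over
// SHA256(origin) || presence byte || counter || SHA256(clientData).
// The biometric check gates key use; a mismatch yields no signature at all.
func (a *Authenticator) Sign(origin, sample string, clientData []byte) (uint32, []byte, error) {
	if sample != a.enrolled {
		return 0, nil, errors.New("biometric mismatch: key not released")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return 0, nil, errors.New("no credential registered for origin")
	}
	a.counter++
	digest := assertionDigest(origin, a.counter, clientData)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// ClientData binds the server's challenge to the origin the client saw, so an
// assertion obtained on a look-alike site cannot be replayed to the real one.
func ClientData(origin string, challenge []byte) []byte {
	return []byte(fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin))
}

func assertionDigest(origin string, counter uint32, clientData []byte) [32]byte {
	app, cd := sha256.Sum256([]byte(origin)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	var buf bytes.Buffer
	buf.Write(app[:])
	buf.WriteByte(0x01) // user presence / verification flag
	buf.Write(ctr[:])
	buf.Write(cd[:])
	return sha256.Sum256(buf.Bytes())
}

// RelyingParty is the service side: it stores public keys only, issues
// single-use challenges, and rejects replays via a strictly increasing counter.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	lastCtr map[string]uint32
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{},
		lastCtr: map[string]uint32{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce for user.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks client data, counter and signature. No password or biometric
// ever reaches this function; only a signature over the issued challenge.
func (rp *RelyingParty) Verify(user string, clientData []byte, counter uint32, sig []byte) error {
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.pending, user) // single use, whether or not verification succeeds
	if !bytes.Equal(clientData, ClientData(rp.Origin, challenge)) {
		return errors.New("client data does not match issued challenge/origin")
	}
	if counter <= rp.lastCtr[user] {
		return errors.New("counter did not increase: replay or cloned key")
	}
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	digest := assertionDigest(rp.Origin, counter, clientData)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rp.lastCtr[user] = counter
	return nil
}

func main() {
	auth := NewAuthenticator("constructed-template-42") // placeholder, not real biometric data
	rp := NewRelyingParty("https://example-rp.test")    // placeholder origin
	pub, _ := auth.Register(rp.Origin)
	rp.Enroll("alice", pub)
	ch, _ := rp.Challenge("alice")
	cd := ClientData(rp.Origin, ch)
	ctr, sig, err := auth.Sign(rp.Origin, "constructed-template-42", cd)
	fmt.Println("sign err:", err, "verify err:", rp.Verify("alice", cd, ctr, sig))
}
```

The two checks a practitioner should not drop are the client-data comparison (origin binding, which is what stops phishing) and the counter check (which catches a cloned key as well as a replayed assertion); the biometric only decides whether the device will sign at all.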
Yahoo confirmed that at least 500 million user accounts were compromised in late 2014, possibly by a state-sponsored actor, resulting in the possible theft of users' names, email addresses, phone numbers, birth dates, hashed passwords and encrypted and unencrypted security questions and answers. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," wrote Chief Information Security Officer Bob Lord in a Thursday blog post. Lord said there's no evidence the state-sponsored actor is still in the network, but the company is working with law enforcement in an investigation. The company, which also provided FAQs about the breach, said it's strengthening network security and provided instructions for users to improve their account security. A spokesman for Verizon, which announced in July that it's acquiring Yahoo for $4.83 billion in cash (see 1607250016), tweeted Thursday that it was notified "within the last two days" of the incident, but has "limited information and understanding" beyond that there's an ongoing investigation.