CI Security

IT Security News Blast – 11-5-2019

Managing Tool Sprawl

"If you think back on just the past five or six years and what's happened in the security space, the threat landscape and the reaction to the threat landscape, there's been such a myriad of new tools, new types of analytics," says Goldhammer. "So you've got preventative technologies and detection & response technologies that have just flooded the market, creating a staggering tool sprawl."


DISA Official: ‘No One Knows’ How Cyber Standards Will Impact Contractor Pool

Officials at the Defense Information Systems Agency don’t know whether forthcoming vendor cybersecurity standards will shrink the pool of contractors that qualify for critical tech projects. [...] While the program is intended to push vendors to strengthen their security standards and increase visibility into the department’s supply chain, it could also render a significant chunk of the Pentagon’s contractor pool ineligible for its most sensitive projects, according to DISA officials.


Healthcare Data Breaches Will Cost $4 Billion by Year's End

A third of hospital executives that purchased cybersecurity solutions between 2016 and 2018 report they did so blindly without much vision or discernment. 92 percent of the data security product or service decisions since 2016 were made at the C level and failed to include any users or affected department managers in the cybersecurity purchasing decision. Only four percent of organizations had a steering committee to evaluate the impact of the cybersecurity investment.


Cybersecurity, telehealth bills likely to stall in Congress, CHIME officials say

Speaking during a policy update during the CHIME Fall CIO Forum, Leslie Krigstein, vice president of congressional affairs at CHIME, said Sen. Mark Warner, D-Virginia, vice chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, will likely introduce healthcare cybersecurity legislation. The senator has pushed the healthcare sector on cybersecurity gaps and the need to strengthen cyberpolicies.


Understanding the Import of HITRUST Certification to Healthcare

The framework brings together several frameworks and standards, including NIST and HIPAA, to create a central key mapping tool. HITRUST brings together compliance and security to protect data while maintaining compliance with regulations. Currently, the framework is in its ninth release and was developed by a CSF Advisory Council led by members from the American Hospital Association, American Medical Association, America’s Health Insurance Plans, and other privacy and security leaders.


Cyber attack hits Spanish companies including radio network

“We have been recommended not to work on our computers in a network environment,” a source at the station told Reuters. The National Security Department did not identify any other victims of what it said were ransomware attacks against a number of companies. [...] Technology media outlet Xataka, online news portal El Confidencial and daily El Mundo said Spanish data company Everis was also affected[.]


How Should Small Businesses Measure Cybersecurity?

Just as there are some marketing metrics you are probably paying too much attention to, you might be looking at the wrong measurements when it comes to cybersecurity. In this article, we’ll strip back some of the jargon, and give you five KPIs that are easy to measure, and that will keep your focus on what actually matters when it comes to cybersecurity.


Officials in New Jersey Reluctant to Publicize Cyberattacks

Dozens of municipal government agencies in New Jersey have been victimized by hackers over the past two years, but have been reluctant to make those attacks public, officials say. [...] “Their systems remain vulnerable due insufficient security and local governments continue to pay the criminals,” Cohen said. “Until localities change their practices in the regard, they will continue to be targeted.”


Trends in Cyber Attacks for the automotive sector

Concerningly, of the 500 businesses we surveyed, 65% did not have a cyber security team. But this is not unique to the mid-market, small businesses are also feeling the heat and are facing an increasing number of attacks. The UK’s Federation of Small Businesses recently reported that small organisations are collectively subject to 10,000 attacks per day. These findings are mirrored in the automotive sector.


United States, Montenegro Partner to Defend Against Malicious Cyber Actors

Montenegrin Defense Minister Predrag Boskovic said “Montenegro is among the first in Europe to face unconventional attacks on its democracy and freedom of choice.  It is precisely in the face of new challenges with the United States that we seek a way, using their resources, to protect democracy in the Western Balkans from those who would keep this part of Europe in conflicts, setbacks, and economic decline.”


The Zero-Day War? How Cyber is Reshaping the Future of the Most Combustible Conflicts

Conventional wisdom would suggest that scaled-up capabilities, growing competition, and the proliferation of malware across cyberspace presents a legitimate risk of escalation in state conflict, transcending the cyber domain toward the kinetic. However, recent history has shown that states more often avail themselves of their offensive cyber arsenals to achieve surprisingly de-escalatory effects.


Interior Grounds All Drones With Ties to Chinese Companies

In a recent Senate hearing, national security experts warned lawmakers that drone manufacturers like DJI collect “an unprecedented level” of intelligence on America’s physical, social and economic infrastructure, which could potentially help the Chinese obtain an economic and military advantage. They compared the threats to those posed by Huawei, the Chinese telecom titan the White House is trying to effectively blacklist from U.S. markets.


Putin’s Top Spy: We’re Teaming Up With D.C. on Cybersecurity

Behind-the-scenes cooperation with the Trump administration, particularly when it comes to cybercrime and terrorism, is a theme the Kremlin likes to push onto center stage every so often. And according to our sources there is indeed some consultation at a practical level, but for Washington’s intelligence professionals it’s a very delicate, very dangerous game, complicated enormously by the inclinations and prejudices of President Donald J. Trump.


Hackers Can Use Lasers to ‘Speak’ to Your Amazon Echo or Google Home

They can now use lasers to silently "speak" to any computer that receives voice commands—including smartphones, Amazon Echo speakers, Google Homes, and Facebook's Portal video chat devices. That spy trick lets them send "light commands" from hundreds of feet away; they can open garages, make online purchases, and cause all manner of mischief or malevolence. The attack can easily pass through a window, when the device's owner isn't home to notice a telltale flashing speck of light or the target device's responses.


First Cyber Attack 'Mass Exploiting' BlueKeep RDP Flaw Spotted in the Wild

Cybersecurity researchers have spotted a new cyberattack that is believed to be the very first but an amateur attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass compromise vulnerable systems for cryptocurrency mining. [...] BlueKeep, tracked as CVE-2019-0708, is a wormable vulnerability because it can be weaponized by potential malware to propagate itself from one vulnerable computer to another automatically without requiring victims' interaction.


Critical Remote Code Execution Flaw Found in Open Source rConfig Utility

The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions. [...] This flaw has the higher CVSS (v3.1) rating of 9.8 out of 10. The second bug (CVE-2019-16663) has a high CVSS (v3.1) rating of 8.8.


Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Carnegie Mellon University's CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format. [...]  In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.


Watch out Fortnite players, hackers are coming for you

Fornite player Tyler "Ninja" Blevins makes US$300,000 a month through streaming alone. Trend Micro says more players like him will have their data stolen through ransomware, be defeated by players using illegal cheats, or have their money stolen. [...] Trend Micro says it already sees signs hackers are preparing to ramp up activity over the next three years.

You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2019 CI Security. All rights reserved.

CI Security
245 4th St, Suite 405  Bremerton, WA 98337
About Us   |   CI News   |   Contact Us

Add this Email to Your Address Book

Update Your Preferences   |   Unsubscribe from the Daily Blast