Cyber News Roundup: Will U.S. elections be secure?

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

Even though the midterm elections are less than six months away an overwhelming 95 percent of digital security experts surveyed by The Cybersecurity 202 say state election systems are not sufficiently protected against cyberthreats.

Does that scare you? To think that the integrity of one of the most important and basic rights of every American is in jeopardy is positively frightening. With all of the headlines in the past two years about Russia’s interference in the 2016 U.S. elections, we should all be concerned.

While Congress recently approved over $380 million for states to secure their election systems, security experts question whether the election process can be protected. As reported by the Washington Post, “Given the gravity of the nation-state threats we face, much more needs to be done at every level — including a strong declarative policy that this activity is unacceptable and will trigger a strong response,” said Chris Painter, who served as the State Department’s top cyber diplomat during the Obama and Trump administrations.

Fortunately, the Election Assistance Commission has a national voting system certification program to independently verify that a voting system meets security requirements.

Another one bites the dust

Whether it’s local, state or federal elections, it seems that increased security to prevent any funny business from foreign entities in the upcoming U.S. election is being taken seriously by the public. At the same time the Trump administration eliminated the cybersecurity coordinator position on the National Security Council. The reason? According to the government, the role is no longer considered necessary.

According to Homeland Security Secretary Kirstjen Nielsen, “The cyber threat landscape is shifting in real time, and we have reached a historic turning point. Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”

In a Tweet, Sen. Mark Warner of Virginia questioned the administration’s decision:

“Mr. President, if you really want to put America first, don’t cut the White House Cybersecurity Coordinator — the only person in the federal government tasked with delivering a coordinated, whole-of-government response to the growing cyber threats facing our nation.”

Are any of us safe from cybersecurity threats?

Cybersecurity threats in Q1 2018 continued to rise with much attention being paid to cryptojacking and ransomware. Notable ransomware attacks included BlackRuby and SamSam, while GandCrab’s ransom demand was the first time that a cyber thief demanded payment in Dash digital security.

On top of that, there is much concern about the increase in zero-day market attacks. According to Fortinet’s “Threat Landscape Report Q1 2018,” the zero-day market is maturing. In 2017 there were 214 zero-day attacks, while there were 45 found in Q1 2018 alone.

To make matters worse, the growth in the Internet of Things technologies has opened the door to increased security breaches. And while 60 percent of all web traffic is now encrypted, there is no way of filtering encrypted traffic.

Let’s go phishing

While financial institutions utilize many technologies to prevent cyber theft, it’s actually bank employees who are most at risk of opening the door to security breaches. Phishing emails that are sent to employees at banks can easily bypass robust security measures. This tactic has been used by hackers including Cobalt, Lazarus, Carbanak, Metel, and GCMAN.

According to Computer Weekly, “In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer. With access to the internal network of client banks, Positive Technologies penetration testers succeeded in obtaining access to financial applications in 58% of cases.”

Partner blog of interest

Zscaler: Google is leveraging a zero-trust security model and so can you