Smashing Security podcast #319: The CEO who also ran IT, Strava strife, and TikTok tall tales

A boss is bitten in the bottom after being struck by one of the worst crimes in Finnish history, Strava’s privacy isn’t so private, and a private investigator uncovers some TikTok tall tales. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham …

In an open letter, seven secure messaging apps—including Signal and WhatsApp—point out that the UK’s Online Safety Bill could destroy end-to-end encryption:

As currently drafted, the Bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves, which would fundamentally undermine everyone’s ability to communicate securely.

The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services—nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.

In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.

Both Signal and WhatsApp have said that they will cease services in the UK rather than compromise the security of their users worldwide.

Managed Security Service Providers, MSSPs, have been around for some time now as a resource to help companies operate more securely.


Demand for richer MSSP services was already growing at a rapid pace as digital transformation gained traction – and then spiked in the aftermath of Covid-19. By one estimate, companies are on track to spend $77 billion on MSSP services by 2030, up from $22 billion in 2020.

At RSA Conference 2023, which gets underway next week at San Francisco’s Moscone Center, I expect that there’ll be buzz aplenty about the much larger role MSSPs seem destined to play.

I had the chance to visit with Geoff Haydon, CEO of Ontinue, a Zurich-based supplier of a managed extended detection and response (MXDR) service. We discussed the drivers supporting the burgeoning MSSP market, as well as where innovation could take this trend.

Guest expert: Geoff Haydon, CEO, Ontinue

For its part, Ontinue is leveraging Microsoft collaboration and security tools and making dedicated cyber advisors available to partner with its clients. “Microsoft has emerged as the largest, most important cybersecurity company on the planet,” Haydon told me. “And they’re also developing business applications that are very conducive to delivering and enriching a cyber security program.”

I covered Microsoft as a USA TODAY technology reporter when Bill Gates suddenly ‘got’ cybersecurity, so this part of our discussion was especially fascinating. For a drill down, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


A Finnish court has given the former CEO of a chain of psychotherapy clinics a suspended jail sentence after he failed to adequately protect highly sensitive notes of patients' therapy sessions from falling into the hands of blackmailing hackers. Read more in my article on the Hot for Security blog.

Graham wonders what would happen if his bouncing buttocks were captured on camera by a Tesla employee, and we take a look at canny scams connected to China's Operation Fox Hunt. All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

No organization is immune to cybersecurity threats. Even the most well-protected companies can be susceptible to attacks if they do not take a proactive approach to cybersecurity.


That’s why businesses of all sizes need to understand the biggest cybersecurity weaknesses and take steps to mitigate them. Here are a few of the top security weaknesses that threaten organizations today:

Poor risk management. A lack of a risk management program or support from senior management is a glaring weakness in your cybersecurity strategy.

A robust risk management program should include regular assessments of security controls and audits to ensure compliance with industry standards and best practices.

Tick-in-the-box training. Unfortunately, many organizations fail to educate their employees on the importance of cyber hygiene, leaving them vulnerable to phishing scams, malware infections, data breaches, and other cyber attacks.

Training that does not engage its audience or account for their context treats users as the weakest link, when in fact they could be your strongest.

Anemic asset management. Integrating asset management into your organization can help you understand where your vulnerabilities lie so that you can take steps to protect yourself accordingly.

By understanding what data or systems you manage, you can then determine which security measures need to be implemented. This will enable you to better safeguard your organization’s sensitive information against potential threats.

Lackadaisical set-up. Getting security right early in the development cycle, with well-architected services and systems, reduces the attack surface significantly.


When designing new systems or modifying existing ones, think about the principles of least privilege and need-to-know. By taking a proactive approach to security in your architecture and configuration, you are better able to protect critical data from potential threats.

Spotty patching. Vulnerability management is another key consideration when it comes to security. It ensures that all systems are regularly updated, vulnerabilities are triaged accordingly, and legacy equipment is managed securely.

To do this effectively, you must have an effective patch management process in place which takes into account the different operating systems you use across your organization as well as their respective patch cycles.

Weak access controls. Identity and Access Management (IAM) plays an important role in reducing the attack surface by controlling who has access to what data within your system environment. All access should be granted on a need-only basis, meaning that users should only be able to access the data they need for their role or job function within the organization.

Lack of monitoring. Logging events is the first step in understanding which services or systems are used within an organization. Security monitoring, meanwhile, provides us with visibility into what is happening on our systems so that we can identify and respond to potential threats quickly.

No disaster plans. It is also essential to have an effective incident management strategy if a security incident occurs. This involves having a plan for detecting incidents quickly and responding effectively. You should also have procedures to reduce incidents’ impact through recovery planning.

Visibility gaps. A key issue many organizations face is they don’t always know where their data is stored, who has access to it or how it is processed. This lack of clarity leaves organizations vulnerable to threats such as insecure cloud buckets or permissions-based misconfigurations which can lead to data breaches.

Supply chain blindness. Organizations increasingly rely on third-party suppliers for their product components or services. Unfortunately, these third parties may not have the same level of security as your organization; therefore, the lack of a risk-based approach to assessing them adds another layer of vulnerability.

By taking a risk-based approach to supply chain security, organizations can better protect themselves from malicious actors looking to access confidential information or disrupt operations with cyber attacks or data breaches.

Overall, it is clear that there are many different security weaknesses an organization can face. This fundamentally reflects a failure to acknowledge that cybersecurity has moved to a risk-based approach, one that offers measurable outcomes, not just investment in tooling.

A starting point should be assessing the gaps fairly, usually by engaging a third-party cyber security services company. This ensures you are aware of your blind spots and, more importantly, helps you with analysis and preparing a risk remediation plan.

About the essayist: Harman Singh is a security consultant serving business customers at Cyphere. He has also delivered talks and training at Black Hat and regional conferences – on Active Directory, Azure and network security.