cybX Security Digest, 22nd Feb 2016

Good morning and welcome to the cybX Security Digest for the 22nd February. I have a number of articles for you this morning that I have hand plucked from the InfoSec world. As ever it’s been a busy weekend, so let’s get down to it.

Before I get started on the articles however, I wish to bring your attention to some very key points that came to my own attention over the weekend. As many of you know, the UK will have a referendum on whether to remain or depart the European Union. Politics aside, there are a number of very important things to consider should the out campaign win. Right now we have a series of legislation that protects our data both domestically and abroad, and much of that stems from EU Directives and potential legislation that is working its way through the pipeline, such as the GDPR. How do we as professionals and businesses start to reconcile how we stand legally should the out campaign be successful? Just a little food for thought. As I type, the debate is in its early days and it could go either way. I am not here to advocate on which to vote but just to ask the question: have you thought about the consequences of either option?

In brief, The Register has an article with a slightly different take on the glibc vulnerability that has been identified. They also bang the drum once more, and yes, I will too - that phishing is not going away folks. Following on from last week's article on the ‘Dark Web’, we have Help Net Security doing some further analysis based on the Flashpoint research released last week.

Kicking off today we have ZDNet asking who we can truly trust on the internet. Linux Mint is one of the more popular distributions on the web, as it has traditionally geared itself towards the home user as its target market. However, a hacker has managed to modify the installation media to have a back door, meaning anyone who installed this version of the OS was compromised out of the box. This isn’t a new technique; for anyone that knows Kevin Mitnick, he was doing this kind of thing in the 80s. There are ways to defend against it, but because the hackers compromised the website it’s hard to say if using things like hashes would be beneficial, as they could have also compromised those. This all comes down to who and what you trust on the internet, where you source your data from and how reliable they can be - but when reputable sources get compromised, what are your defenses against that and how might you mitigate those threats?

HP have released a summary on ‘Detecting the patterns that lead to cyberattacks’ with data taken from their 2016 State of Security Report. This report often has some key insights into threats, trends and mitigation methods. Naturally, as HP is a technology vendor, their focus is primarily on how technology can help detect and monitor internal networks, and as a service vendor I’ll now happily remind you that technology is only one spoke in the wheel. Training, development and exercising of processes in how the data and information taken from the technology output is used is just as important as using the technology itself. No point having whizz bang technology (or the infamous ‘blinky box’ as it’s come to be known) if nobody in the office knows how to interpret the rate of red blinks in a fashion that relates to the business and the risk exposure it’s willing to go up against.

As ever, I’ve also found you another article on IoT. Computer Weekly has a fairly in-depth article on “Three steps towards a hierarchy of needs for smart cities”. This is a fairly non-technical, but comprehensive look at what’s required for IoT within a smart city before implementation, along with a number of supporting links that you might find interesting. (I will be shortly checking out the February IoT Tech Expo that seemed to have passed me by!) Although he doesn’t go into security comprehensively, he talks about Governance and Standardisation - both of which are key factors of security. With standardisation we have predictability and ensuring everyone's singing from the same hymn sheet, so to speak. The really interesting section, for me at least, is the discussion around Data Governance. How are local authorities going to outsource the vast amount of data that is collected and keep people's personal information safe, given what we know about how anonymous, anonymous data actually is?

Finally, I finish with a blog from flyingpenguin.com surrounding the interesting headline “Our digital right to die”. This is something that has hit home personally for me in the past year, but also has me concerned for the future, especially as a millennial I am creating vast amounts of online data that is being archived, stored and backed up across dozens of servers and spread through my many online personas. If we ignore the elephant in the room that is the iPhone debacle, and focus more seriously on what actually happens to our data when we pass, regardless of circumstance, do we actually know? Will we have to write into our will our password management passwords and how to access (or at the very least erase without allowing anyone to see) some of our most personal secrets? How do you govern who gets access to data of someone who has passed, and what provisions are in place to ensure that the person requesting access is a legitimate request? This is a whole Pandora’s digital box of questions both for the individual and the business that is going to become a growing problem in the coming years.

And that is it for today. I hope you’ve enjoyed reading; if you have, don’t forget to like and share, and I will be back with more news on Thursday.

The thoughts and opinions expressed in this article are those of the author and do not necessarily reflect those of cybX or its parent company.

David Dowson is an IT Technician working on the cybX project. cybX is a simulated virtual environment in which we can train, test, validate and exercise your technical and managerial teams in a safe and secure manner.
