Latest from the Lab... October 2024


Hello there, and welcome back to this autumn issue of the FullProxy newsletter! This month we'll round up news from across the world of cyber security, share some key insights and thoughts from our senior team, plus detail more on AppViewX's certificate management solutions ahead of Google's expected 90 Day policy implementation. We're happy to have you back!


Apple Aims for 45-day Certificate Lifecycles by 2027

Apple has unveiled a draft proposal to reduce the maximum validity period of SSL/TLS certificates to just 45 days by 2027, announced during the recent CA/Browser Forum's Face-to-Face meeting. The proposal outlines a phased approach starting with a reduction to 200 days by September 2025, followed by 100 days in September 2026, before reaching the final 45-day target in April 2027.

This initiative aligns with the industry's broader push towards shorter certificate lifespans, following Google's earlier proposal for 90-day certificates. While the shortened validity periods aim to enhance web security by reducing vulnerability windows, they will require organisations to shift away from manual certificate management. Automation tools, particularly ACME (Automated Certificate Management Environment), will become essential for managing the more frequent renewal cycles and preventing certificate-related downtime.


"404 Error: Bank Balance Not Found" - NatWest suffers online outages

NatWest Group, including NatWest, Royal Bank of Scotland (RBS), and Ulster Bank, experienced a significant web outage that left customers unable to access their accounts online.

For cybersecurity professionals, this outage highlights several key areas of concern. First, it underscores the potential vulnerabilities in centralised banking systems and the far-reaching consequences of technical failures. Second, it raises questions about the resilience and redundancy of financial institutions' digital platforms.

As financial services continue to digitise, ensuring the security, reliability, and availability of online banking platforms must remain a top priority for security teams in the financial sector.

On the incident, FullProxy's CTO Chris T. comments: "While the exact cause of the NatWest Group outage is yet to be confirmed, one possibility that shouldn't be overlooked is the expiration of critical security certificates. In large businesses, certificate management can be a complex task, and oversights in this area can lead to sudden, widespread service disruptions. This incident underscores the importance of robust certificate lifecycle management as a crucial component of maintaining both security and service availability in financial systems."


Mind the (Cyber) Gap: UK's Business Travellers Left Exposed in Global Security Sprint

Recent findings from a World Travel Protection survey reveal a troubling trend: UK companies are significantly behind their global counterparts in implementing cybersecurity measures for business travellers. This gap in security practices poses a serious risk not only to individual employees but to the overall data integrity and competitive position of UK businesses in the global market.

The survey highlights that while 52% of UK business travellers express concerns about cyber attacks (rising to 62% for frequent travellers), a staggering 25% report that their organisations require no cybersecurity measures during travel. This stands in stark contrast to much lower percentages in the US (10%), Canada (9%), and Australia (11%).

With the rise of hybrid work and 'bleisure' travel, where 18% of UK business travellers are permitted to "work from anywhere," the attack surface for potential data breaches expands dramatically.


Keying Into the Future: Passkeys Unlock New Possibilities in Authentication

The cybersecurity landscape is on the brink of a significant shift as passkeys, the password-killing technology developed by the FIDO Alliance, gain momentum. With the introduction of the Credential Exchange Protocol (CXP) and the launch of Passkey Central, we're witnessing a potential tipping point in the evolution of digital authentication.

For the cybersecurity pro, these developments represent a crucial step towards a more secure and user-friendly digital ecosystem. The CXP specification addresses one of the primary concerns about passkeys: ecosystem lock-in. By enabling secure transfer of passkeys between platforms, CXP not only enhances user freedom but also sets a new standard for credential portability. This interoperability could accelerate passkey adoption, potentially reducing the attack surface associated with traditional password-based systems.



EXPERT OPINION

It's time to think about upgrading your F5s - Ewan Ferguson

It's time to prioritise your BIG-IP system upgrades! Software currency is crucial for cybersecurity, ensuring protection against the latest threats while leveraging new features. If you're running version 14 or earlier, it's urgent to plan your upgrade strategy. By March 2025, aim to be on version 17.1.1, as older versions will reach End of Support and End of Life in July 2025. Remember, staying under F5 support grants access to the latest software versions.


Need help making the move? FullProxy's team specialises in F5 upgrades, ensuring a smooth transition for your infrastructure. Current FullProxy customers can reach out to their consultant for personalised advice on upgrade strategies. If you're not currently supported by us, get in touch to discuss how we can help navigate your F5 deployments and keep your network infrastructure current and secure.



TECH CORNER

Certificate Management could save your day. Keep up to speed with AppViewX's solutions

AppViewX has a range of tools to help you eliminate the laborious, tedious work of manual certificate management. Keeping your certificates up to date is essential though, as expired certificates can make you more vulnerable to a cyber attack. AppViewX's solutions could be your day saver. Here's an overview:


  • CERT+ - A cutting-edge platform that automates certificate lifecycle management
  • PKI+ - Secure, scalable and compliant public PKI
  • ADC+ - Next generation load balancing technology, self-service capabilities to automate, orchestrate, and manage application delivery services
  • SSH+ - Access control. Discover and manage all SSH certificates and keys to identify and mitigate security risks associated with rogue keys and SSH sprawl.


Certificate management is increasingly important - especially with Google's 90-day limit looming. Get caught up here.



FULLPROXY NEWS

CTO Chris Templeton on the challenges facing Scottish Public Sector Cyber

Following his appearance at Holyrood Connect's Public Sector Cloud Services, Infrastructure and AI last month, FullProxy CTO Chris Templeton shared some insights on what he learned from the event.

"Let's be clear: investing in cyber security measures isn't just about avoiding a breach. It's about safeguarding your department’s finances, reputation, and operational stability."

Chris took part in a panel discussing legacy systems and cloud migration in the public sector along with key figures from across Scotland's public sector. As the need for robust security measures increases, it's imperative that teams prioritise securing their systems and networks, even if internal pressures push back.




Tom Barratt

Cyber Security & SaaS Sales Professional || Helping businesses secure their people and data || Network Security Experts @ FullProxy ||

4 months

My takeaway from this - Automated certificate management is a must. "While the shortened validity periods aim to enhance web security by reducing vulnerability windows, they will require organisations to shift away from manual certificate management."
