Risky Bits provides a brief summary of interesting cybersecurity considerations that help to enhance the protection of data and technology. There is no shortage of cybersecurity information available on the web – vulnerability alerts, threat notifications, products, and services. The list is purposefully simple and based on the most common challenges we experience. The information addresses:
- Regulatory Updates – insight into the regulations and industry mandates impacting technology services
- Security Training & Awareness – educate the workforce and promote the right culture
- Privacy and Security Controls – apply the appropriate controls to protect data and technology assets
- Operational Threats and Vulnerabilities – adapt to changing threats and technology vulnerabilities
Regulatory Updates
- GDPR and Brexit – Brexit continues to be a moving target, but the ICO has issued guidance on its GDPR impact. GDPR will be incorporated into UK data protection law. Data transfer becomes a consideration: transfers of data from the UK will be governed by UK transfer provisions and documentation requirements, and the ICO will no longer act as an authority for the EU and GDPR.
Security Training & Awareness
General Awareness
- January 28th was privacy day. Organizations should take the opportunity to increase employee awareness. The following awareness tools are very effective:
  - Jigsaw provides a great tool to educate users and increase their awareness of phishing attacks. Organizations should incorporate this tool into the cybersecurity training program.
  - The security checklist provides a good awareness tool to educate employees on safe computing practices. Take the opportunity to conduct a lunch-and-learn to discuss the checklist recommendations. Employees will appreciate the insight and become more mindful of security in their work responsibilities.
Architect/Developer Awareness
- 15 Secure Coding Practices to Use in Digital Identity provides guidance to assist with enhancing user and service authentication. Developers should be mindful of these practices.
- Building safe algorithms that don’t harm individuals or introduce undue risk is critical. DeepMind safety researchers describe the key considerations for building safe AI solutions: specification, robustness, and assurance.
Privacy & Security
- Vulnerable versions of the TLS protocol (TLS 1.1 and below) are currently deployed. Software and security architects must assess the implications and consider implementing TLS 1.3, which enhances security and may improve web performance.
- Several tools in the marketplace assist with identifying weaknesses in software. Lookout is a tool that assists with code reviews and identifies inconsistencies; it incorporates machine learning to increase its effectiveness over time.
- Security implications must be considered as FaaS (Function-as-a-Service)/serverless services are consumed. Cloud Zero and PureSec offer tools that provide serverless visibility and security, respectively. Understand the implications of FaaS/serverless and implement measures to mitigate the risk.
- De-identification of persons contained in images to satisfy privacy commitments is a daunting task. D-iD is a solution used by my customers to efficiently de-identify data and eliminate privacy concerns.
Operational Threats and Vulnerabilities
- DNS Hijacking – The Department of Homeland Security (DHS) has issued an alert in response to increased DNS hijacking activity. The alert describes the threat and mitigation steps.
- Text-based 2FA – Text-based 2FA (two-factor authentication) solutions have proven to be vulnerable due to weaknesses in SS7 (Signaling System 7). Organizations should ensure secure 2FA methods are deployed (consider application-based) and increase user awareness of phishing attacks (reference the Jigsaw tool) to prevent users from falling victim.
Hi Karl,
I hope you are doing well. I like the Jigsaw site, but on my iPad it probably doesn’t work right. It also looks like a phishing site! It is safe, right? I might give this to my security guy and prep something for our users.
Cheers,
Patrick Melanson
Executive Vice President, Shared Services & CIO
Black Diamond Group Limited
Vice President & CTO
LodgeLink.com
Sent from where I am on my mobile device
Hello Patrick,
Jigsaw is safe. It’s a training tool to help users identify phishing attacks and prevent them from falling victim. A few of my customers have included this in their security training. I took the quiz and had to stop and think a couple of times. The training is well done.
-karl