Risky Bits provides a brief summary of interesting cybersecurity considerations that help to enhance the protection of data and technology. There is no shortage of cybersecurity information available on the web – vulnerability alerts, threat notifications, products, and services. The list is purposefully simple and based on the most common challenges we experience. The information addresses:

  • Regulatory Updates – insight into the regulations and industry mandates impacting technology services
  • Security Training & Awareness – educate the workforce and promote the right culture
  • Privacy and Security Controls – apply the appropriate controls to protect data and technology assets
  • Operational Threats and Vulnerabilities – adapt to changing threats and technology vulnerabilities

Regulatory Updates

  • GDPR and Brexit – Brexit continues to be a moving target but the ICO has issued guidance regarding GDPR impact. GDPR will be incorporated into the UK data protection law. Transfer of data becomes a consideration. Transfer of data from the UK will be governed by UK transfer provisions and documentation requirements. The ICO will no longer act as an authority for the EU and GDPR.

Security Training & Awareness

General Awareness

  1. January 28th was privacy day. Organizations should take the opportunity to increase employee awareness. The following awareness tools are very effective:
    • Jigsaw provides a great tool to educate users and increase their awareness of phishing attacks. Organizations should incorporate this tool into the cybersecurity training program.
    • The security checklist provides a good awareness tool to educate employees on safe computing practices. Take the opportunity to conduct a lunch and learn to discuss the checklist recommendations. Employees will appreciate the insight and become more mindful of security in their work responsibilities.

Architect/Developer Awareness

  1. 15 Secure Coding Practices to Use in Digital Identity provides guidance to assist with enhancing user and service authentication. Developers should be mindful of these practices.
  2. Building safe algorithms that don’t harm individuals or introduce undue risk is critical. DeepMind safety researchers describe the key considerations for building safe AI solutions: specification, robustness, and assurance.

Privacy & Security

  1. Vulnerable versions of the TLS protocol (TLS 1.1 and below) are currently deployed. Architects (Software or Security) must assess the implications and consider the implementation of TLS 1.3. TLS 1.3 enhances security and may improve web performance.
  2. There are several tools in the marketplace that assist with identifying weaknesses in software. Lookout is a tool that assists with code reviews and identifies inconsistencies. The tool incorporates machine learning to increase effectiveness over time.
  3. Security implications must be considered as FaaS (Function-as-a-Service)/serverless services are consumed. Cloud Zero and PureSec offer tools to provide serverless visibility and security, respectively. Understand the implications of FaaS/serverless and implement measures to mitigate risk.
  4. De-identification of persons contained in images to satisfy privacy commitments is a daunting task. D-iD is a solution used by my customers to efficiently de-identify data and eliminate privacy concerns.

Operational Threats and Vulnerabilities

  1. DNS Hijacking – The Department of Homeland Security (DHS) has issued an alert due to the increased DNS hijacking activities. The alert describes the threat and mitigation steps.
  2. Text-based 2FA – Text based 2FA (two-factor authentication) solutions have proven to be vulnerable due to weaknesses in SS7 (signaling system 7). Organizations should ensure secure 2FA methods are deployed (consider application based) and increase user awareness of phishing attacks (reference Jigsaw tool) to prevent them from falling victim.

Posted by Karl

2 Comments

  1. Patrick Melanson April 1, 2019 at 9:59 pm

    Hi Karl,

    I hope you are doing well. I like the jigsaw site, but on my iPad, it probably doesn’t work right. It also looks like a phishing site! It is safe, right? I might give this to my security guy and prep something for our users.

    Cheers,

    Patrick Melanson
    Executive Vice President, Shared Services & CIO
    Black Diamond Group Limited
    Vice President & CTO
    LodgeLink.com

    Sent from where I am on my mobile device

    Reply

    1. Hello Patrick,

      Jigsaw is safe. It’s a training tool to help users identify phishing attacks and prevent them from falling victim. A few of my customers have included this in their security training. I took the quiz and had to stop and think a couple of times. The training is well done.

      -karl

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.