Risky Bits provides a brief summary of interesting cybersecurity considerations that help to enhance the protection of data and technology. There is no shortage of cybersecurity information available on the web – vulnerability alerts, threat notifications, products, and services. The list is purposefully simple and based on the most common challenges we experience. The information addresses:
- Privacy and Regulatory Considerations – insight into individual privacy rights and the regulations and industry mandates impacting technology services
- Security Training & Awareness – educate the workforce and promote the right culture
- Privacy and Security Controls – apply the appropriate controls to protect data and technology assets
- Operational Threats and Vulnerabilities – adapt to changing threats and technology vulnerabilities
Privacy and Regulatory Considerations
- The New York Times has published an excellent series of articles on digital privacy – The Privacy Project. Their objective is to explore the implications of the vast amounts of data collected from individuals, where the technology is going, and how we can best leverage it for the good of humanity. The articles range from Your Car Knows When You Gain Weight to Limiting Your Digital Footprint In A Surveillance State to Why America Needs A Thoughtful Federal Privacy Law. I highly recommend a review of the Project content; it’s time well spent.
- The California Consumer Protection Act (CCPA) effective date is looming: January 1, 2020. CCPA promotes a key principle: privacy is a fundamental right and individuals must be able to control the collection and use of their personal data. Does this sound familiar? GDPR? Organizations must work to understand applicability and, if applicable, what’s needed to comply. Those organizations that took on the hard work to comply with GDPR will be ahead of the game. Reference this blog post for more insight into the regulation and steps for compliance.
Security Training & Awareness
- Passwords continue to be problematic for users and there is no end in sight. Until better authentication options (e.g., 2FA) are adopted, security training and awareness programs must continually educate users on how to best manage their passwords. This SANS Ouch Newsletter delivers simple, thoughtful password security suggestions to share with the user community.
- Securing the human is critical to thwarting cyber attacks. Quality, free security training and awareness content such as Stop Think Connect and Stay Safe Online is readily available to address this challenge. Don’t forget to focus on phishing awareness; it’s so important in today’s environment. I received positive feedback on the Jigsaw phishing awareness recommendation included in Risky Bits #1. There are many other phishing awareness tools and I’ll focus on them in the next Risky Bits post.
- Freelance Developer Password-Storage Insights – A study was conducted to determine freelance developer use of secure password storage practices. The results are helpful in understanding where to focus to ensure secure practices are understood and followed.
- Privacy by Design development considerations. Privacy by Design has been an elusive goal for organizations that choose to pursue it. Organizations developing custom software targeting individuals or their data should take the necessary steps to consider privacy during the development process. This article provides basic guidance to product development personnel to ensure privacy is not an afterthought. I’m working on more detailed guidance for practical adoption of privacy by design. Look for the blog post in Thoughtful Technology.
- NIST Secure Software Development Framework (SSDF) – NIST recently released a draft document on SSDFs. The document provides insights into tasks, implementation examples, and leading industry practices for each phase of the software development life cycle (SDLC). Considerations range from threat modeling to security in the toolchain. Organizations working to establish a secure framework for software development will find this to be a great reference.
Privacy and Security Controls
- AWS Security Insights – Werner Vogels penned a good article describing how AWS achieves security at scale. He highlights the concept of provable security (mathematical proofs) used to automate reasoning. Should this approach to identifying threats and managing attacks be leveraged throughout the enterprise? That question has yet to be answered but it’s an interesting one to pursue.
- Encryption of data in use – Solutions are available to address encryption of data at rest and in transit, but encryption of data in use has been elusive. Enveil provides a solution to address this gap. They’ve commercialized homomorphic encryption to enable privacy-preserving processing of sensitive data. The use cases for this technology are vast – protection of data in the cloud, third-party processing (e.g., health care records), and regulatory compliance represent a few highly applicable use cases. Enveil solutions are worth further investigation to determine fitness for your organization. There are implementation considerations such as application adaptations and potential performance penalties. Thorough due diligence is required. Other notable solutions in this space include Fortanix, Azure Confidential Computing, and Google Asylo Confidential Computing.
- Securing email – Phishing attacks and other business email compromises are a thorn in the side of IT. Email is the target for many successful attacks and it’s not going to get better anytime soon. Spoofing, phishing, and account takeovers are prevalent and used as a launching pad for more nefarious activities. I became aware of a new service, PreVeil, while researching the contributions of MIT’s Innovators Under 35. PreVeil attempts to address the client, server, message content, administrator, and authentication vulnerabilities within the email technology landscape. One approach to message content is end-to-end encryption and trusted messaging. There are certainly use cases for the service and it’s worth investigation.
Operational Threats and Vulnerabilities
- Open source security – The use of open source software is prevalent. The use of open source is not a security risk in itself, but unmanaged use can significantly increase risk. According to the 2019 Open Source Security and Risk Analysis (OSSRA) report, 60% of code contains OSS. Usage ranges from 58% in enterprise software (includes SaaS solutions) to 74% in marketing tech. What actions to take? Understand what open source components are used in the code base, implement a process to identify and manage vulnerabilities, and establish policy to manage licensing risk.
- Disposable email addresses – Disposable email addresses can be used for legitimate purposes such as registering to download content from a website. Conversely, bad actors use these services to exfiltrate data. The SANS Internet Storm Center posted a list of domains associated with disposable email services. This information can be used to identify potential breaches. Shutting down access to these domains may not be practical. Use your SIEM solution to flag and investigate egress traffic to these domains.
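One way to implement the SIEM flagging step above, as an added example that is not from the Risky Bits page or the SANS ISC post: match the destination host of each egress log line against a disposable-email domain list on label boundaries (so subdomains hit but look-alike names do not) and aggregate hits per source IP. The domain list and log lines are constructed placeholders, not the ISC list.

```python
from collections import defaultdict

# Constructed sample of a disposable-email domain list (placeholder domains,
# not the SANS ISC list itself).
DISPOSABLE_DOMAINS = {
    "example-tempmail.test",
    "throwaway-mail.example",
}

# Constructed proxy egress log lines: timestamp, source IP, destination host, bytes out.
SAMPLE_LOG = """\
2019-10-02T09:14:05Z 10.1.4.22 mail.example-tempmail.test 48213
2019-10-02T09:14:09Z 10.1.4.22 www.corp-intranet.example 1290
2019-10-02T09:15:41Z 10.1.7.88 throwaway-mail.example 2049113
2019-10-02T09:16:02Z 10.1.4.22 api.example-tempmail.test 77
2019-10-02T09:17:30Z 10.1.9.3 notthrowaway-mail.example 500
"""

def registrable_match(host, domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None.
    Matching on label boundaries keeps 'notthrowaway-mail.example' from
    being mistaken for 'throwaway-mail.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def flag_disposable_egress(log_text, domains=DISPOSABLE_DOMAINS):
    """Aggregate flagged egress per source IP: event count, bytes sent, domains hit."""
    hits = defaultdict(lambda: {"events": 0, "bytes_out": 0, "domains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the rule
        _ts, src, host, size = parts
        matched = registrable_match(host, domains)
        if matched:
            rec = hits[src]
            rec["events"] += 1
            rec["bytes_out"] += int(size)
            rec["domains"].add(matched)
    return dict(hits)

if __name__ == "__main__":
    for src, rec in flag_disposable_egress(SAMPLE_LOG).items():
        print(f"{src}: {rec['events']} events, {rec['bytes_out']} bytes -> {sorted(rec['domains'])}")
```

Sorting the output by bytes_out surfaces the large single transfer from 10.1.7.88, which is the pattern worth investigating first.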
- Medical Device Security – The vulnerability of medical devices is coming to the forefront in healthcare. CERT issued 30 advisories for medical devices in 2018 ranging from insulin pumps to surgical tools. More recently, a critical vulnerability was discovered in a gateway workstation used for infusion pumps. If successfully exploited, the bad actor can remotely take over infusion pumps and change how much medicine is dispensed (or withhold it entirely). Healthcare organizations must model threats against these devices and take proper measures to mitigate them.
- Jenkins Pillaging – Jenkins plays a key role in the CI (Continuous Integration) process and has become a target, as bad actors are increasingly turning to tools used in the CI/CD process to achieve their goals. Recently, a Jenkins Pillage tool has been made available that automates exploiting and exfiltrating Jenkins environment and workspace data. The lesson is that Jenkins servers must be secured like any other server containing sensitive information. To start with, Jenkins servers must not be publicly accessible.