Why you should be fed up with the cycle of FUD

The upcoming election has created the perfect opportunity for the $100 billion cybersecurity industry to throw some fear, uncertainty and doubt — colloquially known as “FUD” — into the daily conversation. Vendors see this as an opportunity to double down on their marketing to help congressional offices “defend democracy.” But they’re selling the same solutions that got these offices in trouble in the first place. Isn’t it time to try a different approach? It’s important to understand that unlike other branches of government, each congressional office is responsible for their own security when it comes to their IT infrastructure. In many instances, offices outsource management of their systems to contracting agencies, which contributes to the problem. Additionally, congressional offices and political parties were targets long before the industry took notice. Party staff are juicy targets for social engineering, phishing, and other forms of targeted attacks from APT groups. Stealing the […]

The post Why you should be fed up with the cycle of FUD appeared first on Cyberscoop.

Continue reading Why you should be fed up with the cycle of FUD

Reddit Should Tell Us More About How it Got Hacked

It really sounds like Reddit employees got SIM hijacked. If that’s the case, the company should be more transparent. Everyone gets hacked: It’s how you disclose it, and deal with it, that distinguishes you and makes a difference. Continue reading Reddit Should Tell Us More About How it Got Hacked

Advice for the U.S. government: Stop talking and start doing

When it comes to cybersecurity, the United States government is great at talking the talk, yet consistently falls short of walking the walk. Unless the U.S. government actually implements the cybersecurity best practices it touts, the nation and its citizens will continue to be at an increased risk of a cyberattack.   The government has already acknowledged the need for multi-factor authentication. In 2003, it started fielding Common Access Cards (CAC) in the military, as well as Personal Identification Verification (PIV) cards in civilian agencies. At that time, the game plan was to complete the MFA implementation across the government before the end of 2008. In April 2015, MFA implementation levels hovered below 50 percent. The massive breach at the Office of Personnel Management (OPM), which leveraged compromised user name and password credentials, could have been stopped with more rigid MFA practices. It wouldn’t have made this attack impossible, but […]

The post Advice for the U.S. government: Stop talking and start doing appeared first on Cyberscoop.

Continue reading Advice for the U.S. government: Stop talking and start doing

2020 Vision: California sees the future, and it looks like GDPR

The California Consumer Privacy Act is set to go into effect on Jan. 1, 2020, enacting a series of sweeping data privacy reforms for the state’s nearly 40 million citizens. In a classic David-vs.-Goliath scenario, California residents will have the power to call at least some of the shots on how their data is used by corporate behemoths in Silicon Valley and beyond. While residents of all 50 states are already covered under a patchwork of breach notification and privacy laws, the California legislation introduces some significant changes. Californians will have the power to ask companies to cough up all the data they’ve collected about them. They also will be able to tell these same companies to delete everything – personal information, data on what’s been shared, clicked on, and more — much like European Union residents are protected under the GDPR’s “right to be forgotten.” What can we expect […]

The post 2020 Vision: California sees the future, and it looks like GDPR appeared first on Cyberscoop.

Continue reading 2020 Vision: California sees the future, and it looks like GDPR

Obscurity is the only security

There’s a common belief in the security world that obscurity shouldn’t be used as a layer of protection. This line of thinking is based on Kerchoffs’s Principle, which states that the security of a cryptographic system should depend on its key, not on the secrecy of its design. When analyzing cryptographic primitives or doing any sort of system audit, letting auditors in on the details makes complete sense. Skilled reviewers should spend their time searching out novel weaknesses and not on layers that are intended to slow an attacker or to alert someone to an attack. That said, there is much to be gained through properly applied obfuscation in deployed systems. If there’s one thing that the history of cryptography has taught us, it’s that each system has a lifespan. Some of this is expected. Over time, RSA key sizes have grown as machines have increased in speed and power. Yet, experience […]

The post Obscurity is the only security appeared first on Cyberscoop.

Continue reading Obscurity is the only security

How crisis communications factor into a cyberattack

The epidemic of security breaches is escalating globally across all sectors of business, yet only half of CISOs and CIOs are ready with a crisis contingency plan and have the secure communications to implement one. What are we waiting for? After many high-profile cyber attacks that have brought down brands like Equifax, JP Morgan Chase and Yahoo!, most companies still haven’t implemented a company-wide crisis strategy. According to a recent global study conducted by Ponemon for IBM Resilient, 77 percent of respondents admit they don’t have a formal cybersecurity incident response plan (CSIRP) that is applied across their organizations, despite 65 percent agreeing that the severity of cyber attacks has increased and part of the severity stems from the longevity it takes to rebuild communications and infrastructure. Regardless of clear awareness of the risks and skyrocketing damages to companies who have suffered a cyber attack – which are expected to […]

The post How crisis communications factor into a cyberattack appeared first on Cyberscoop.

Continue reading How crisis communications factor into a cyberattack

In the dark about ‘going dark’

We can now add “a growing lack of trustworthiness on encryption-related topics” to the FBI’s list of problems. Recent reports have shown the FBI’s encryption argument is not only wrong, but greatly exaggerates the problem’s magnitude. This comes on the heels of a shocking report by the Department of Justice’s Inspector General, suggesting that some FBI staff purposely slowed efforts to unlock Syed Rizwan Farook’s iPhone in the aftermath of the San Bernardino shooting to pressure Apple to build a backdoor. These two episodes are troubling; lawmakers should demand a thorough accounting of the FBI’s actions and the public deserves full transparency about the true nature of the FBI’s encryption problem. The FBI and DOJ have long argued that the proliferation of end-to-end encryption — whereby only the user can access the plain text of their data — allows criminals to “go dark,” operating beyond law enforcement’s reach. Cybersecurity experts […]

The post In the dark about ‘going dark’ appeared first on Cyberscoop.

Continue reading In the dark about ‘going dark’

24 DevOps Pros Reveal the Most Important Characteristic of a Successful DevOps Engineer

There’s no precisely defined career track for DevOps engineers because they’re typically developers or sysadmins who develop an interest in other aspects of operations — such as network operations, deployment, or coding and scripting…. Continue reading 24 DevOps Pros Reveal the Most Important Characteristic of a Successful DevOps Engineer