Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Best Practices

 

GUEST ESSAY: ‘Identity Management Day’ highlights the importance of securing digital IDs

By Jerome Becquart

The second Tuesday of April has been christened “Identity Management Day” by the Identity Defined Security Alliance, a trade group that provides free, vendor-neutral cybersecurity resources to businesses.

Related: The role of facial recognition

Today, indeed, is a good a time as any to raise awareness about cyber exposures that can result from casually or improperly managing and securing digital identities. Here are five tips for securely managing identities across the new, hybrid work environment:

•Think granularly. The first mistake a lot of organizations make when planning their identity management strategy is not considering every identity on their network. Sure, a lot think about their users and what types of credentials they’ll need for their various systems. But what about the numerous machines on a company’s network, like mobile devices, servers, applications, and IoT devices?

Machines are dramatically increasing, and require a solution that will identify these identities, authenticate them, and then secure their interactions across the network.  IT leaders need to consider PKI-based solutions for managing their machine identities, so their IT teams can issue certificates to their machines, track what is on their network, and encrypt the communication between the devices. This will prevent falsified entities from entering the network and putting data at risk.

•Verify email. In the face of phishing threats, many companies focus their investments on anti-malware software or new technology to prevent threats from getting through. Unfortunately, some of these emails will inevitably slip through the cracks.

SHARED INTEL: IT pros gravitate to ‘passwordless’ authentication to improve security, boost agility

By Byron V. Acohido

Passwordless authentication as a default parameter can’t arrive too soon.

Related: Top execs call for facial recognition to be regulated

The good news is that passwordless technologies are not only ready for prime time, they appear to be gaining traction in ways that suggest we’re on the cusp of a period of wide-scale adoption. That’s the upshot of a new report, The State of Passwordless Security 2021, put out by HYPR, a New York City-based supplier of advanced authentication systems.

HYPR polled 427 IT professionals and found a high level of awareness about passwordless authenticators — and not just for enhanced security. The IT pros also recognized how passwordless systems contribute to operational agility, as well, and they’ve begun to factor this into their planning.

Some 91 percent of the respondents agreed that passwordless authentication was important to stop credential theft and phishing. Meanwhile, 64 percent saw value in improving user experiences and 21 percent said it could help achieve digital transformation.

“Adoption of passwordless authentication is moving faster than we expected,” says George Avetisov, HYPR’s co-founder and chief executive officer. “The rise of remote work has created a huge urgency around adopting passwordless multifactor authentication, and the no.1 use case is remote access.”

I recently sat down with Avetisov to discuss a few other notable findings in HYPR’s study. For a full drill down on our conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

GUEST ESSAY: How and why ‘pen testing’ will continue to play a key role in cybersecurity

By Dakota Staples

When we look at society today, we can see that we are moving further and further ahead with technology. Numerous advancements are being made at an extremely fast pace with no sign of slowing down. In fact, there is evidence that technology grows exponentially fast. Since we are quickly putting out large technologies, security risks always come with this.

Related: Integrating ‘pen tests’ into firewalls

Even large companies are not immune to this. Microsoft has had several security vulnerabilities including Zero Logon. Penetration tests are one way of mitigating the security risks that arise and make sure that we are not endangering users, their data, and the trust they inherently place in technology.

Penetration tests can be defined as the testing of a system to find security flaws in it. There are three main types of penetrations-black box, grey box, and white box which infosec institute defines. Each have various different goals and tasks.

Pen test types

Black box testing is taking the stance of an outside hacker who has prior or inside knowledge of the system. This type of test determines what is exploitable from outside the system and if the attacker is able to gain access to the system being tested.

Grey box testing is the next level of knowledge of a system. They would have access to the internal mechanisms of a system and maybe some privileges. This allows for testing of internal structures while still simulating an outsider threat who obtained internal access.

MY TAKE: Apple users show strong support for Tim Cook’s privacy war against Mark Zuckerberger

By Byron V. Acohido

Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy.

Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online.

Related: Raising kids who care about their privacy

Zuckerberg then dropped kicked Cook by taking out full-page newspaper ads painting Apple’s social responsibility flexing as bad for business; he then hammered Cook with a pop-up ad campaign designed to undermine Apple’s new privacy policies.

But wait. Here’s Cook rising from the mat to bash Z-Man at the Brussels’ International Privacy Day, labeling his tormentor as an obsessive exploiter who ought to be stopped from so greedily exploiting consumers’ digital footprints for his personal gain.

This colorful chapter in the history of technology and society isn’t just breezing by unnoticed. A recent survey of some 2,000 U.S. iPhone and iPad users, conducted by SellCell.com, a phone and tech trade-in website, shows American consumers are tuned in and beginning to recognize what’s at stake.

Fully 72 percent of those polled by SellCell said they were aware of new privacy changes in recent Apple software updates, not just in a cursory manner, but with a high level of understanding; some 42 percent said they understood the privacy improvements extremely well or at least very well, while 21 percent said they understood them moderately well.

Another telling finding: some 65 percent of respondents indicated they were extremely or very concerned about websites and mobile apps that proactively track their online behaviors, while only 14 percent said they were not at all concerned.

BEST PRACTICES – 9 must-do security protocols companies must embrace to stem remote work risks

By Daniel J. Nemeth

Technology advancements have made it relatively easy for many employees to carry out their regular job duties from the comfort of their home.

Related: Poll confirms rise of Covid 19-related hacks

This is something companies are under pressure to allow to help minimize the spread of Covid 19. The main problem for remote workers is the threat to online security. Remote workers face having both their personal and work-related information compromised.

As a remote worker, it is imperative to take measures to protect yourself and your employer online. Start by checking to see what security protocols your company has in place. Your employers might be able to provide you with specific directions on how to handle certain aspects of your cybersecurity.

Here are some cybersecurity best practices tips that apply more than ever when it comes to remote workers carrying out their duties securely.

•Use strong passwords. It is essential to ensure that all accounts are protected with strong passwords. To this day, a significant amount of people still use the password across multiple accounts, which makes it much simpler for a cybercriminal to compromise a password and take over accounts.

GUEST ESSAY: Now more than ever, companies need to proactively promote family Online Safety

By Ellen Sabin

Cybersecurity training has steadily gained traction in corporate settings over the past decade, and rightfully so.

In response to continuing waves of data breaches and network disruptions, companies have made a concerted effort and poured substantial resources into promoting data security awareness among employees, suppliers and clients. Safeguarding data in workplace settings gets plenty of attention.

Related: Mock attack help schools prepare for hackers

However, the sudden and drastic shift to work-from-home and schooling-from-home settings has changed the ball game. The line between personal and professional use of digital tools and services, which was blurry even before the global pandemic, has now been obliterated by Covid-19.

Moving forward, companies can no longer afford to focus awareness training on just employees, partners and clients. It has become strategically important for them to promote best security practices in home settings, including the training of children.

Bringing smart habits into homes and minds is good for kids, good for parents, and, it turns out, good for businesses, too.

We’re all connected

Consider that kids are constantly connected on the internet with online games, streaming devices, virtual schooling, and zoom play dates. Adults increasingly are working from home, and usually on networks they share with their children. Mistakes online by one family member can lead to compromises in a household’s network, placing computers, personal data, and perhaps even work-related content at risk.

Cyber criminals have increased attacks as they see these opportunities. Companies must take this into account and consider extending employee training to also promote security and privacy habits among all family

AUTHOR Q&A: New book, ‘Hackable,’ suggests app security is the key to securing business networks

By Byron V. Acohido

The cybersecurity operational risks businesses face today are daunting, to say the least.

Related: Embedding security into DevOps.

Edge-less networks and cloud-supplied infrastructure bring many benefits, to be sure. But they also introduce unprecedented exposures – fresh attack vectors that skilled and motivated threat actors are taking full advantage of.

Adopting and nurturing a security culture is vital for all businesses. But where to start? Ted Harrington’s new book Hackable: How To Do Application Security Right argues for making application security a focal point, while laying out a practical framework that covers many of the fundamental bases.

Harrington is an executive partner at Independent Security Evaluators (ISE), a company of ethical hackers known for hacking cars, medical devices and password managers. He told me he wrote Hackable to inform folks oblivious to the importance of securing apps, even as corporate and consumer reliance on apps deepens.

Here are excerpts of an exchange Last Watchdog had with Harrington about his new book, edited for clarity and length:

LW: Why is it smart for companies to make addressing app security a focal point?

Harrington: Software runs the world. Application security is the soft underbelly to almost all security domains, from network security to social engineering and everything in between.