By Colby Proffitt and Mesay Degefu
1.) Top Security Challenges for 2018 – Part 1 (January 2, 2018)
Summary: There will be an increase in the number, sophistication, and impact of cyber attacks for 2018. Executives from across the industry offer commentary on some of the top security challenges that might crop up.
Why it matters: What’s interesting about these predictions is that they aren’t focused on any one area – from compliance and readiness, to corporate data theft and security problems with IoT devices and IET. It’s not enough to think about cybersecurity as just a practice or even an essential team within your organization. You have to think of it more holistically as a part of daily business operations. Every decision organizations make will have significant cyber implications in 2018.
2.) Android Malware Steals Uber Logins, Then Covers it Up (January 4, 2018)
Summary: Symantec discovered malware on Android phones that mimics Uber’s app interface and tricks the user into entering their ID and password. The information is then sent to a remote server.
Why it matters: “Think before you click” is good general advice, but it’s also easier said than done. Today’s tech users are fast and they expect their apps, tech, and devices to be able to keep up. When it comes to terms and conditions, and any popups that inhibit a user’s ability to get to the info they want or complete a task (e.g., scheduling an Uber), many users just click “Accept” – oftentimes without actually knowing what they’ve just accepted. This is a tough problem to resolve – users are going to be users, and building more security into devices has traditionally not only made apps less user-friendly, but also more costly to develop. Apart from a federal mandate to bake in more security features, what we can expect is a split in user expectations – some users who don’t care about security until they’ve been hacked, other users who choose security over convenience, and other users who will opt for secure devices over feature-rich devices only when performing sensitive or financial transactions.
3.) What DHS employees need to know about OIG data breach (January 3, 2018)
Summary: Department of Homeland Security employees affected by a personal data breach last year will receive 18 months of free credit monitoring and a $1 million identity theft insurance policy. After discovering employees’ personal information on the home computer of an OIG employee, the agency is now taking measures to limit the number of individuals who have back-end access to its case management system.
Why it matters: What’s worse than being a victim of a data breach? Being targeted by hackers after falling victim to a data breach. Although a cyber attack was not cited as the root cause of the incident, it does present attackers with a large-scale attack vector. We can expect that hackers will capitalize on the opportunity to target victims of the breach, posing as representatives from credit bureaus and credit monitoring companies. Victims would be wise to thoroughly examine any suspicious emails before opening or downloading attachments, and when in doubt, notify DHS.
4.) Meltdown, Spectre: What We Know About the Major Cyber Security Flaws and How to Protect Yourself (January 4, 2018)
Summary: The discovery of massive cyber security flaws affecting nearly every computer and device has sent developers across major platforms around the world racing to roll out fixes for the bugs. Researchers from Google, academia and cyber security firms discovered the two flaws, now known as “Meltdown” and “Spectre,” in computer chips that are part of nearly all modern computers.
Why it matters: While patches may resolve the issue in most cases, in others, users may be required to replace their CPU to fully remove the vulnerability. And while updates are either already available or will be soon, nearly every computer manufactured in the last 10 years is vulnerable, giving hackers the opportunity of a lifetime. To compound the problem, Microsoft’s chip patch is messing with anti-virus products. This series of events highlights the amount of time required to identify vulnerabilities, publicly disclose them, develop patches, push patches, and coordinate patches with AV vendors. It’s not a fast process, which raises the question – will we see any improvements in this area this year?
5.) Securing government email is a critical step for U.S. cybersecurity (January 4, 2018)
Summary: The Department of Homeland Security issued a binding operational directive (BOD 18-01) in October, requiring all federal agencies to implement several key measures to increase the security of their email and their websites.
Why it matters: In last week’s roundup, we pointed out that while DMARC and HTTPS are a step in the right direction, the federal government really needs to take a rather large leap and pursue end-to-end encryption. The other part of BOD 18-01 focuses on securing government email. Whether these improvements will position the federal government ahead of industry, or simply allow the government to catch up is debatable; what’s important is that DHS is taking steps in the right direction. Minimizing the attack surface and minimizing the likelihood of a successful phishing attempt will put a major dent in hackers’ plans – but it will also likely fuel innovation, and so the cyber arms race will continue.