
How Google is addressing Chrome’s big security loophole



Google is looking to get ahead of high-severity vulnerabilities in its Chrome browser by shortening the time between security updates.

The company hopes that more frequent updates will give attackers less time to find and exploit n-day and zero-day flaws in the Chrome browser code.

As of Wednesday, Google has rolled out Chrome 116, the first release on the new schedule. Previously updated every two weeks, Chrome will now receive weekly security updates.

With the open-source nature of Chromium, anyone is able to access the Chrome browser source code, “submit changes for review, and see the changes made by anyone else, even security bug fixes,” Google said on its security blog.

Typically, community members on Google's Canary and Beta channels report stability, compatibility, or performance issues so they can be addressed before a stable update is sent to the public. This openness is double-edged, however: attackers have the same access as good-faith users, so they can see the details of a vulnerability, and its fix, as soon as the change lands in the source tree, before the update has been deployed to the wider public. Exploiting a flaw in that window, after it is publicly known but before users are patched, is called n-day exploitation.

This is why Google hopes that shortening the time between security updates will narrow the window in which attackers can turn information about vulnerabilities in Chromium code into working exploits. The time between security updates is normally used for testing prior to a public release. Google has said that in 2020 it observed a patch gap of approximately 35 days between updates; it moved to a biweekly schedule starting with Chrome 77.

Google noted that the latest schedule still won't prevent all n-day exploits but can reduce them further. In practice, more frequent security updates leave less time for attackers to exploit flaws whose exploitation requires complex chains and more development time. Over time, attackers are also likely to find ways to build exploits faster.

There is also the possibility that the interval between security updates could shrink further, with patches being deployed as soon as they're available.

Google stated it now…


Improved knowledge is important to addressing cyber crimes


BY LORRAINE WOHI

A shortage of people who know how to work with cyber threat intelligence is an issue that needs to be addressed in PNG and the rest of the Pacific Island nations.

APNIC Senior Internet Security Specialist Adli Wahid, speaking at the 27th PITA conference in Port Moresby, said that in most cases organisations are struggling not with the issue itself but with finding people who can deal with these issues.

Cyber threat intelligence refers to data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviours.

Mr Wahid said that in most cases organisations lack experienced people; their security engineers and practitioners are often quite new to the field and are playing catch-up in several areas.

He spoke on three main areas, including how organisations can prepare to ask why and how ransomware attacks occur in order to improve their cybersecurity, and how to better define and raise awareness of the problem.

“Cyber security intelligence is about people.

“The bottom line is getting the people to be informed in discussion and talking about it.

All of you need to ask each other how the security teams or the security engineers hear information about threats and whether there is something we can do to collaborate together.

I think this is where organisations need to put profit aside and see if there is a common goal in defending the organisation in the Pacific region as well as in the niche economies, so that you can bring people together,” Mr Wahid said.

Cyber security is one of the key topics being discussed at the four-day annual general meeting of the Pacific Islands Telecommunication Association (PITA) at the Hilton, Port Moresby.


Upcoming IAEA Conference on Computer Security: Addressing Security for Safety


The growing range and number of cyber threats means that there is no single facility immune to cyber-attacks. In the case of nuclear installations and radiological facilities, computer-controlled systems are extensively used to support their core functions and operations. Information and computer security, therefore, are an essential part of nuclear security measures, along with physical protection, both for nuclear facilities and nuclear or other radioactive material facilities.  

“The heightened awareness of cyber threats urges for further investment of resources towards improving computer security for nuclear security,” said Elena Buglova, Director of the IAEA’s Division of Nuclear Security. The IAEA offers countries assistance in addressing their needs in the area of computer security. In 2022, the IAEA organized 46 computer security-related events, an increase of 28 per cent from 2021, with a focus on national-level support for computer security regulations and inspections, and computer security exercises. 

The IAEA is holding an International Conference on Computer Security in a Nuclear World: Security for Safety, from 19 to 23 June 2023 in Vienna, Austria, bringing together the international community to discuss developments and progress in protecting nuclear and other radioactive material activities against cyber-attacks.  

The conference, the second of its kind after the first in 2015, will give countries the opportunity to discuss and exchange views on key elements of computer security, such as state-level strategies, regulations, implementation of a computer security programme with protective measures, supply chain and incident response, as well as the capacity-building courses and exercises offered by the IAEA.

“Every participant will benefit from the technical sessions planned in the upcoming conference, as well as from a variety of hands-on demonstrations to be showcased,” said Buglova.  

The conference will provide a global forum for competent authorities of IAEA member countries, nuclear operators, integrators and suppliers of security systems and other relevant international and industry organizations and institutions. It will feature…


Addressing OT security under the National Cybersecurity Strategy


The recently released National Cybersecurity Strategy sets a strategic objective for the federal government to modernize Information Technology and Operational Technology infrastructure, and to “replace or update IT and OT systems that are not defensible against sophisticated cyber threats.”

In recent years, advances in technology, coupled with the ease of digital connection, have greatly increased the convergence of IT and OT across critical infrastructure sectors and even within the federal government. In fact, 56 out of 90 agencies report using Internet of Things technologies to control, monitor, access, or track equipment, systems, facilities, or physical assets.

Convergence brings significant benefits, from increased visibility to user-centric capabilities. Unfortunately, it also greatly increases agencies' attack surface, which is why OT must now be addressed under the NCS.

IT and OT are not created equal

Lessons learned from modernizing IT unfortunately won't transfer directly to OT because of OT's unique operating requirements. Efforts taken under the NCS must first consider each individually and then together.

For instance, when an IT system reaches end-of-life, an agency must decide whether to keep using it and accept the risk, pay for extended manufacturer support, or sunset and replace it altogether. Each option has pros and cons, but agencies at least have options and can usually plan accordingly: sunset dates are known in advance, which reduces the impact of the time variable.

However, timing is critical for OT modernization. Gartner predicts that by 2025 cyber attackers will have weaponized OT environments to successfully harm or even kill humans. The ramifications of an attack on IT can be devastating, but they may pale in comparison to the long-term human safety and critical infrastructure impacts of a well-executed attack on OT. We simply do not have the luxury of time for securing OT that securing IT has been given over many years.

Additionally, it is often feasible and more cost effective to simply rip-and-replace an IT system at its end-of-life. Because of how OT systems were designed, rip-and-replace isn’t a viable approach for them. Legacy OT systems…
