
EU to Force IoT, Wireless Device Makers to Improve Security


The European Union is poised to place more demands on manufacturers to design greater security into their wireless and Internet of Things (IoT) devices.

In an amendment to the EU’s 2014 Radio Equipment Directive (RED), the European Commission noted that as wireless devices, from mobile phones to fitness trackers to smart watches, become increasingly embedded into everyday consumer and business life, they also become a greater security risk.

The goal of the amendment – called a “delegated act” – is to ensure that all wireless devices are safe before they are sold in the EU. Manufacturers will be required to adhere to the new cybersecurity safeguards when designing and producing these products. According to EU officials, the amendment will also ensure greater privacy of personal data, prevent financial fraud, and improve resilience in European communications networks.

“Cyberthreats evolve fast,” Thierry Breton, commissioner for the Internal Market, said in a statement. “They are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyberthreats, in line with our digital ambitions in Europe.”

The U.S. has made some strides on IoT security at the federal level; it remains to be seen if the EU initiative will spur the U.S. to greater action or result in a general improvement in device security.

Common EU Security Standards

It’s also part of a larger EU effort to create a comprehensive set of common cybersecurity standards for products and services that come into the European market, Breton said.

That said, it will take a while for the market to see the results of the amendment, which was announced in late October. It will need the approval of the European Council and European Parliament and then undergo a two-month period of review and scrutiny. Once in place, manufacturers will have 30 months to begin meeting the new legal requirements, giving them until mid-2024 to bring the devices into compliance.

The amendment addresses the ongoing concern about security at a time when the use of wireless devices and the IoT…


TECNO establishes Security Response Center to improve the security ecosystem


TECNO Mobile recently established an official Security Response Center (SRC), a platform for cooperation and exchange between TECNO and security industry experts, researchers and organizations. This marks a strategic move that reiterates TECNO’s consistent commitment to security and helps upgrade TECNO’s security ecosystem to a higher level.

TECNO SRC has launched a bug bounty program to encourage external security researchers to submit the vulnerabilities they find to the security team; reporters are eligible for a reward of up to $7,000 based on an evaluation of the vulnerability’s impact. More than 45 models under TECNO Mobile’s four smartphone lines (PHANTOM, CAMON, SPARK and POVA) are listed for the bug bounty program.

Stephen Ha, general manager of TECNO, said: “At TECNO, our first priority is offering the most secure mobile experience to our users. SRC is of strategic significance for TECNO to create a comprehensive upgrade of TECNO’s security ecology. Through SRC, we have gone one solid step further on mobile security protection for our users in over 70 global emerging markets.”

John Peng, head of the security department, said: “We understand that under current social circumstances, users’ privacy and information security are vital. TECNO has been continuously executing diversified plans in terms of enhancing our product security. By cooperating with international security professionals through the establishment of SRC, we are sure that we can provide users with a more secure mobile experience.”

From code to applications and firmware, the security department carries out security management and audits at each stage of product design, development, testing and release. This is to ensure that all software installed on each device passes a series of rigorous security checks, including tests on TECNO’s security scanning platform, Google Play Protect, GMS BTS and VirusTotal. In addition, TECNO has been regularly sending 90-day security patch updates to users to ensure product safety and protect user equipment from malicious software.

Moving forward, TECNO plans to reach cooperation with the international vulnerability public testing platform…


How to improve relations between developers and security teams and boost application security


Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.


Veracode CTO Chris Wysopal shared the highlights of his career in application security during an OWASP event, including his 1998 testimony to Congress as a member of the hacking collective The L0pht.

Image: Chris Wysopal

In December 1996, application security expert Chris Wysopal published his first vulnerability report. He found that data could be edited or deleted in Lotus Domino 1.5 if permissions were not set properly or URLs were edited. That security risk — broken access control — is the number one risk on OWASP’s 2021 Top 10 list of application security risks.

“We know about this problem really well and knowledge about the problem isn’t solving the problem,” he said. 

Wysopal, who is Veracode’s CTO and co-founder, shared a short history of his time as an application security researcher, from his time with The L0pht hacker collective to testifying in front of Congress to doing security consulting with Microsoft in the early 2000s. Wysopal spoke during a keynote at OWASP’s 20th anniversary event, a free, live, 24-hour event held on Friday.

Wysopal said that he started out as an outsider in the tech world, which gave him a unique perspective to call out problems that software engineers, company leaders and government officials did not see. Over the last 25 years appsec researchers have moved from critics standing on the outside looking in to professional colleagues working with software engineers to improve security. 


“As William Gibson said, ‘The future is unevenly distributed,’ and I think we can learn from the past and learn from those already living in the future,” he said.

He shared advice on how to build closer working relationships among developers and security experts as well as how the appsec profession has evolved over the years. 

Building relationships to improve security 

Wysopal said he sees the latest…


How to Use Cyber Threat Intelligence to Improve Your Cyber Security


Cyber Threat Intelligence: What is it?

Many of us are familiar with the concepts of cyber threats and intelligence, but how these concepts are related is a topic that needs to be discussed. Let us start with the reason that led to the introduction of Cyber Threat Intelligence. Cyber Threat Intelligence was introduced into the world of cybersecurity because of its capability to foresee future attacks before they reach the targeted networks. This helps organizations guard their networks by accelerating decision-making and itemizing responses, and it also provides better protection to the organization itself. In short, Cyber Threat Intelligence is the solution for preventing cyber threats or attacks faced by any network or organization.

Different Types of Cyber Threat Intelligence

Cyber Threat Intelligence can be classified into four different types.

  • Strategic Threat Intelligence – This is the most difficult form of Threat Intelligence to create, and it usually takes the form of reports. Strategic threat intelligence provides an outline of the organization’s threat landscape. It covers defensive actions, threat actors, their targets, and the intensity of potential attacks, while considering the loopholes and risks in the organization’s threat landscape. It demands the collection and analysis of human-sourced data, which requires a thorough understanding of cybersecurity and an accurate picture of the global geopolitical situation.
  • Tactical Threat Intelligence – Tactical intelligence is the easiest Threat Intelligence to create, and it is mostly automated. It includes more explicit details about TTPs (Tactics, Techniques, and Procedures) and threat actors, and is primarily intended for the security team to understand the attacking group. This intelligence gives them an idea of how to devise defensive strategies to mitigate those attacks. The report covers the vulnerabilities and risks in the security systems that attackers could take advantage of, and ways to recognize such attacks. The findings can help strengthen existing security controls and protection mechanisms and eliminate…
