Tag Archive for: Raise

Security labeling could raise the cyber bar, but won’t stop next SolarWinds


Plans from the Biden administration to release a product security rating system could raise the bar for security overall, say experts, but won’t likely prevent the next SolarWinds or Microsoft hacks.

In a briefing to reporters Friday, a senior official compared the forthcoming rating system to the health and safety letter grades at restaurants. And it is a concept that the cybersecurity community has batted around for some time: place a label on the box that says a product is or is not secure, and let consumers create a market around security.

But experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks and could create a false sense of complacency.

“Labeling won’t solve nation-state problems, no matter how good the label is, even if it’s perfectly enforced and sets a really high bar,” said Beau Woods, cyber safety innovation fellow at the Atlantic Council and a volunteer with the internet-of-things security advocacy group I Am The Cavalry. 

Several governments, both individual nations and the European Union, have pursued cybersecurity standards in recent years, particularly around IoT devices. At the briefing, the administration specifically mentioned Singapore’s labeling law. Labels create a voluntary basic cybersecurity standard.  

The problem is that basic standards do a good job addressing the vast majority of hackers, but they do not address hackers with extraordinary capabilities. No standards can create perfectly secure products, because they simply don’t exist. 

Brad Rees, chief technology officer of the ioXt Alliance, an industry group developing labeling standards for IoT, noted that the issues behind the SolarWinds hack likely would not have shown up on a product rating.  

“It’s unfortunate that the White House chose to throw out or tease an IoT labeling scheme in the middle of talking about a Chinese-state hacker with Microsoft Exchange,” he said. “Labeling schemes are here to prevent baseline security issues. They’re not…


Security flaws in Microsoft email software raise questions over Australia’s cybersecurity approach



On March 2, 2021, Microsoft published information about four critical vulnerabilities in its widely used Exchange email server software that are being actively exploited. It also released security updates for all versions of Exchange back to 2010.

Microsoft has told cybersecurity expert Brian Krebs it was notified of the vulnerabilities in “early January”. The Australian Cyber Security Centre has also issued a notice on the vulnerabilities.

The situation has been widely reported in the general media as well as on specialist cybersecurity sites, but often inaccurately. It also highlights a contradiction in government cybersecurity policy.

When governments find flaws in widely used software, they may not publish the details in order to build up their own offensive cybersecurity capabilities, i.e. the ability to target computers and networks for spying, manipulation and disruption. Operations like this often rely on exploiting vulnerabilities in commercial software — thus leaving their own citizens vulnerable to attack as a consequence.

What happened?


Security Watch: Interconnected sectors raise need for robust cyber defence strategy


Even as contradictory claims emerge from the Centre and the Maharashtra government over the involvement of Chinese actors in the Mumbai power outage of October last year, the allegations have put focus on the need for India to be better prepared to protect its critical infrastructure against globally rising cyber-attack attempts on key infrastructure. Cybersecurity experts pointed out that this is particularly significant given the increasing interconnectedness of sectors and proliferation of entry points into the internet, which could further grow with the adoption of 5G.

A National Cyber Security Strategy is being formulated by the Office of National Cyber Security Coordinator at the National Security Council Secretariat. A strategy document prepared by an inter-ministerial task force involving representatives from different central government ministries and departments has now been forwarded to an Empowered Technology Group for consultation. Once the process is through, the document will be placed before the Cabinet Committee on Security for deliberations and approval.

Hackers targeting critical infrastructure is not a new trend, but experts believe that the propensity for damage is greater than ever, especially with countries investing in cyber offensive capabilities. In 2015, in what was the first known successful cyber attack on a power grid, hackers compromised systems of three energy distribution companies in Ukraine, thereby disrupting electricity supply.

“Critical infrastructure is getting digitised in a very fast way — this includes financial services, banks, power, manufacturing, nuclear power plants, etc. Because of these a lot of security issues arise. We just saw the SolarWinds hack, which impacted national critical infrastructure in the US. Most countries are not prepared for combating the sophistication of attacks that are happening,” Saket Modi, co-founder & CEO of cybersecurity firm Safe Security told The Indian Express.

“A lot of countries have started taking advantage of this. They’re spending unprecedented amount of money and are building armies. Israel is a good example, they say that there is a fourth unit in the defence system, which is for…


Malicious hackers amid pandemic raise need for cybersecurity



Before the pandemic, the internet played a major part in our daily lives. But when schools, businesses and activities were brought to a halt last March, the internet was fundamental to enabling the widespread shift to a new way of life with most people working and learning remotely, as well as maintaining vital connections with family, friends, and loved ones via FaceTime, Zoom, and other platforms.

While the success of such a significant societal change will be judged years ahead, there is no doubt that this increased reliance on the internet has brought both new and evolving risks.

Every day, malicious hackers, phishers, and cyber criminals are attempting to capitalize on our increased screen time and on the added stress and distractions that come with it, whether it’s to steal money or to sow discontent in our communities.
