Tag Archive for: Urges

Industry urges agencies to accelerate zero trust adoption after SolarWinds hack


Written by

Dave Nyczepir

The SolarWinds hack could prove the spark that gets agency holdouts to adopt zero-trust security and hastens additional guidance from government, cybersecurity experts say.

Pandemic considerations delayed the National Institute of Standards and Technology's work on zero-trust reference architectures that will help agencies know what security tools to deploy.

Cyber experts hope that work will accelerate in the wake of one of the most serious incidents of digital espionage in U.S. history and that agencies will consult the special publication on zero trust that NIST finalized in August for the time being.

“We can’t see federal agencies kick this thing down the road anymore,” Stephen Kovac, vice president of global government and compliance at Zscaler, told FedScoop.

Zero trust could not have stopped the SolarWinds hack, which occurred when Russian hacking group APT29, or Cozy Bear, inserted code into the tech company's Orion software build process in a supply-chain attack. SolarWinds' update system was then used to push out malware that compromised at least eight agencies.

But zero trust could, and did, mitigate that malware’s ability to spread across networks, cyber experts say.

“If SolarWinds would have happened a year ago or two years ago, I think agencies would have had a lot more consternation about it,” said Sean Frazier, federal chief security officer at Okta, in an interview.

Many agencies have started work improving their identity and access management, a component of zero trust, Frazier said.

But zero trust is a collection of solutions including cloud workload protection, micro-segmentation and secure access service edge (SASE) capabilities that provide agencies with full visibility and allow them to enforce consistent security policies across their networks.

Agencies with a zero-trust capability like SASE could’ve prevented malware from sending information out via the internet, but many agencies stop at one or two such capabilities. About 18,000 organizations were infected, though not all of them have…

Source…

Cyber security expert urges Vatican to strengthen internet defenses against hackers


A cyber security expert has urged the Vatican to take immediate action to strengthen its defenses against hackers.

Andrew Jenkinson, group CEO of Cybersec Innovation Partners (CIP) in London, told CNA that he had contacted the Vatican in July to express concern about its vulnerability to cyber attacks.

He said that to date he had received no response, despite making several further attempts to raise the issue with the appropriate Vatican office.

The British cyber security consultancy approached the Vatican following reports in July that suspected Chinese state-sponsored hackers had targeted Vatican computer networks. CIP offered its services to address the vulnerabilities. 

In a July 31 email to the Gendarmerie Corps of Vatican City State, seen by CNA, Jenkinson suggested that the breach might have occurred through one of the Vatican’s many subdomains. 

Vatican City has a sprawling system of websites administered by the Internet Office of the Holy See and organized under the country code top-level domain ".va". The Vatican's web presence has expanded steadily since it launched its main website, www.vatican.va, in 1995.

Jenkinson sent follow-up emails in August and October, emphasizing the urgency of tackling weaknesses in the Vatican’s cyber defenses. He noted that www.vatican.va remained “not secure” months after the breach was reported. He also sought to contact the Vatican through intermediaries.

The Gendarmerie Corps confirmed Nov. 14 that it had received the information sent by Jenkinson. Its command office told CNA that his concerns “have been duly taken into consideration and transmitted, as far as their competence is concerned, to the offices that manage the website in question.”

A report, released July 28, said that hackers had breached Vatican websites in an attempt to give China an advantage in negotiations to renew a provisional deal with the Holy See.

Researchers said they had uncovered “a cyberespionage campaign attributed to a suspected Chinese state-sponsored threat activity group,” which they referred to as RedDelta.

The study was compiled by the Insikt Group, the research arm…

Source…

Microsoft Urges Firms to Hang Up on Phone-Based MFA


Microsoft has urged organizations to move away from voice and SMS-based multi-factor authentication (MFA), arguing that systems relying on phone networks are increasingly limited, inflexible and insecure.

Director of identity security Alex Weinert explained that, while MFA is essential to protecting users' accounts, every mechanism used to exploit credentials — including phishing, account takeover and one-time passwords — can be deployed over the public switched telephone network (PSTN).

They are also exposed to unique issues by virtue of the fact that SMS and voice protocols were designed without encryption.

“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them. What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” Weinert continued.

“An attacker can deploy a software-defined-radio to intercept messages, or a nearby FEMTO, or use an SS7 intercept service to eavesdrop on the phone traffic. This is a substantial and unique vulnerability in PSTN systems that is available to determined attackers.”

Social engineering attacks on mobile operators' customer support agents are another potential route to compromise, leading to SIM swapping, call forwarding and message intercept attacks, he added.

In March, Europol announced the arrest of two dozen individuals suspected of stealing millions via SIM swapping, a form of mobile account hijacking.

Due to mobile operator performance issues and frequently changing regulations, downtime is not uncommon, and it can be challenging for the MFA provider to alert the user to such difficulties.

Fundamentally, SMS and voice formats are not adaptable, meaning new innovations and security improvements cannot be overlaid on them. That is why Weinert recommended encrypted authentication apps such as Microsoft Authenticator, Google Authenticator or LastPass Authenticator.

Source…