Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Don’t worry about zero-days. Don’t worry about passwords. And don’t worry about your code (if you’re a software company).
This week’s action: Do you share the concerns of 48% of Board-level cyber experts?
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
THREE ARTICLES
1: Don’t worry about zero-days until you have nailed 700-days.
What? The Hacker News recently reported on a flaw in Cisco’s AnyConnect VPN software that is now being actively used by the bad guys to gain access into the computer systems of organisations around the world.
So what? This flaw (aka “vulnerability”) was not discovered by Cisco in the last few days. It has known about it for over two years, and it released updates (aka “patches”) for its AnyConnect VPN software at that time. This is a reminder that we shouldn’t get distracted by reports of bad guys taking advantage of previously-unknown vulnerabilities in software (aka “zero day attacks”) until we know that we have a reliable process in place to install the patches that fix flaws that the world has known about for over two years.
2: Ready to say goodbye to passwords?
What? The Register recently reported that PayPal is starting to ditch passwords on Apple devices and is instead moving towards a passwordless future. For users that adopt the new approach, their login will be authenticated by a secure key that is stored on their Apple device.
So what? We all hate passwords. We all reuse passwords, even when we’re told not to. We all use short and easy-to-guess passwords, even though we’re told not to. The flaw is not the password – It’s the human. So, this adoption of a passwordless future that relies on something more reliable than a human (in this case, the human’s mobile device) is actually far more secure.
3: Shouldn’t software companies take some responsibility for writing secure applications?
What? Dark Reading recently reported a finding by Forrester that none of the 50 top computer science college courses in the US require students to complete a course in how to write secure code. Industry leaders believe we can do better. According to one contributor to the report, “Education is an underrated but essential part of computer security. The industry is currently severely under-educating all developers out there on really basic aspects of security and it’s hurting organizations.”
So what? If a car manufacturer released a vehicle to the market that was vulnerable to an attack by anyone in the world, and which could cause the vehicle to crash, stop, speed up, or steer in any given direction, it wouldn’t take long for the manufacturer to realise the error of their ways. And yet the same can’t be said for software companies. Once they deny all liability in their monstrously-long Terms and Conditions, they can release anything to the unsuspecting world and wait to see what happens.
TWO NUMBERS
1: 65%
What? The percentage of board members who feel their organisation is at risk of a material cyber breach within the next 12 months, according Proofpoint survey that was recently cited by CPO Magazine (and mentioned by Secure The Village).
2: 48%
What? The percentage of CISOs (Chief Information Security Officers) within this same survey group who feel their organisation is at risk, according to the same survey.
So what? Two-thirds of board members fear an attack is imminent but only 48% of the CISOs within this group have this fear. There appears to be a disconnect between the CISO’s worldview and the board members’. It suggests that the CISO needs to do a better job of explaining to the Board how the organisation has been secured and where the real risks are. Because it seems like the board members do not know, or they do not trust the CISO.
ONE ACTION
1: If you are accountable for cybersecurity in your organisation, do you share the concerns of 48% of cyber experts?
What? 48% of the cyber experts who sit at the board table fear an attack on their organisation is imminent. If you are not a cyber expert, and you do not share the same fear, are you wrong or are the experts wrong? Is it likely that you know something they don’t know, or that they know something you don’t know?
So what? If you are accountable for cybersecurity, even though you are not a cyber expert and you rely on a third party company to manage cybersecurity for you, then hopefully this third party company is proactively advising you about the real threats and the key security foundations that you need to implement to defend against these threats. If not, I think it’s time you and I had a Cyber Clarity Call. It costs 30 minutes of your time and in return, I guarantee you will be more informed. No jargon, no scare tactics, no upsell – Just independent advice.