We round up research and reporting from across the web about security developments. This month in our security newsround: authentication acceptance, failing the text test, defining resilience for infosec, avoiding distraction, privacy made simpler and much more.
More forceful arguments for multi-factor authentication
The UK National Cyber Security Centre has published new guidance on multi-factor authentication. Aimed at senior decision makers in larger organisations, the guide provides steps to mitigating risks by protecting against password guessing. It suggests when it’s appropriate to use an extra authentication factor, and gives advice on choosing the most appropriate option.
Interestingly, the security blogger Brian Krebs published a very compelling story about authentication shortly after. Google confirmed to him that it hasn’t had a single successful phishing attempt in more than a year. What’s its secret? In early 2017, Google replaced passwords and one-time codes with physical security keys for more than 85,000 employees. What makes this news even more notable is that phishing continues to increase. According to the Anti-Phishing Working Group’s latest report, phishing in the first quarter of 2018 jumped by 46 per cent over Q4 2017.
For reasons ranging from budget to organisational culture, many organisations still rely on good old passwords. We’ve previously blogged our advice on ensuring your passwords are at least hard to break.
Reddit and wept
Is two-factor authentication over SMS safer than passwords, or an utterly broken model begging to be exploited? This security debate came to the fore after Reddit’s recent disclosure of a security breach. An attacker broke into its systems in mid-June “because of weak two-factor authentication”, Reddit said. The attacker accessed several Reddit employee accounts at cloud and source code hosting providers by intercepting SMS messages used in the two-factor authentication (2FA) process. The attacker could then access some user data including some current email addresses and a database backup from 2007. Reddit blogged that “we point this out to encourage everyone here to move to token-based 2FA”.
Security commentator Kevin Beaumont felt compelled to respond to some over-the-top reaction that Reddit’s woes prove SMS is worthless for authentication. Calling out “infosec’s fantastic fear of everything”, he made a well argued case saying that SMS is not suddenly insecure. It’s less costly than tokens or fobs, which matters where there’s a large user base. More importantly, SMS meets “a balance between practicality, budget and risk,” he said.
You say secure, I say resilient
At BH Consulting, we’re big believers in promoting resilience in security, not just responding to and recovering from incidents. We found this excellent recent definition of resilience from Kelly Shortridge of Security Scorecard. She argues the industry uses the term superficially, and wants to encourage discussion around what it means for security. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. The full piece is a transcript of her keynote address, and is a 35-minute read but it’s very worthwhile for security professionals.
Strategy vs shiny toys: the eternal security debate
Security professionals should take a long-term view of their strategy, and avoid distractions from technology hype. That’s the view of Mike Burgess, director-general of the Australian Signals Directorate. “When it comes to identifying and managing cyber risks, you should know what is important to your business, and what is important to your customers,” he said. This writeup from ZDNet covers his keynote address at the SINET61 cybersecurity innovation conference in Melbourne. The full speech is here.
While at Telstra, Burgess’ team developed the five ‘knows’ of cybersecurity, a useful one-page guide to managing risk effectively. In his talk, Burgess also referred to the ‘Essential Eight’, ASD’s strategies to mitigate cybersecurity incidents.
A notice worth noticing
Website privacy notices are in the spotlight as never before, especially since GDPR came into force. Presenting clearly understandable information to the people who visit your company’s website has suddenly become a big priority. The UK Information Commissioner’s Office has published an infographic giving a snapshot of how it presents information to website visitors. The detail and nature of the information can vary, depending on whether the customer is subscribing to a newsletter, making an enquiry or requesting a publication. The ICO also has a step-by-step process that breaks down the details of a privacy notice into its component parts.
Things we liked
In this section, we round up some thought-provoking security and privacy stories from around the web, including opinion columns, longread articles and blogs. First up, here’s what happens when your company has a data breach and you decide not to tell anyone. It’s an object lesson in how not to handle crisis management.
Meanwhile, almost all organisations that have suffered a security incident say it had a long-term negative impact, a survey found. Affected businesses saw a decrease in consumer trust and a decline in revenue.
Next, Europe’s Data Protection Supervisor Giovanni Buttarelli recently declared: “GDPR is a radical update of the rulebook for the digital age”. In related news, The EU Agency for Fundamental Rights released a handbook on European data protection law. The free guide is to help familiarise legal practitioners not specialised in data protection with this emerging area.
Trustwave has published a free white paper that outlines best practices for web application firewall management. The six-page document covers deployment as well as technical and management processes.
Lastly, after we recently blogged about the importance of not spreading false information on social media, we found this Wired profile of Jonathan Albright. He’s the digital sleuth shining a light on political misinformation.