We round up reporting and research from across the web about the latest security news. This month: effective awareness programmes, CEOs in the spotlight, Wi-Fi weaknesses and the best browser for blocking bad stuff online.
October was Security Awareness Month in Europe and the US. There were many good articles and posts about ways to improve security through sharing best practices for staying safe online. In that spirit, here are links to material which may inspire awareness-raising efforts: Stop Think Connect is a global campaign from the Anti-Phishing Working Group and National Cyber Security Alliance. Cybersecuritymonth is a European campaign from ENISA. The ECSM website has tips and advice in 23 languages, as well as awareness raising material. Hot for Security gives useful tips for securing social media accounts. IBM’s SecurityIntelligence blog also has a good roundup of the main points. Want an example of security awareness in action? Sophos has a great story that shows the value of vigilance.
In the same month, the Wall Street Journal’s front-page story felt like a significant moment in security’s slow crawl towards the spotlight. The headline says it all: “Cybersecurity Tops Priority List For CEOs After String of High-Profile Hacks”. We’ll refrain from calling this a watershed moment for security, but it suggests times may be changing for the better. Interestingly, a report from PR firm Fleishman Hillard found most people feel companies don’t take data security seriously enough and few believe they take proper security precautions.
No so long ago, the public rarely heard about attempted security breaches – especially unsuccessful ones. Credit to Musgrave for voluntarily disclosing that it had suffered an attempted breach of its customer payment card data. Similarly, the blogging software company Disqus earned praise for how it handled a data breach openly. Troy Hunt described Disqus’ response as “exemplary”. Both stories are worth thinking about in light of GDPR’s obligations around breach disclosure.
There is a fascinating working paper from Wolfie Christl, a digital rights activist, called “How companies use personal data against people”. It focuses more on privacy than information security, but is a very informative primer that shows where these issues intersect. On a related note, the Financial Times recently carried an article by Rana Foroohar, an economic analyst, arguing that “Privacy is a competitive advantage” — something we at BH Consulting have been saying for some time.
As if to counterbalance positive developments during Cybersecurity Awareness Month, researchers found serious and severe vulnerabilities in WPA2. That is the protocol that protects Wi-Fi networks. An attacker could exploit the weaknesses to eavesdrop on data flowing between a wireless device and its nearest Wi-Fi network. Even encrypted traffic is at risk. This is a proof of concept, rather than in the wild. Crucially, there is another limiting factor. An attacker would need to be in physical range of the wireless network they wanted to break into. Here is the original research paper by Mathy Vanhoef and Frank Piessens, along with the website they created to publicise the work, and a demo video. Ars Technica has a good roundup of the flaw, while Peerlyst and Sophos have good advice on how to defend against the vulnerability.
Web browsers are the second most common entry point for ransomware, as the Verizon 2017 Data Breach Investigations Report notes. They can also be a useful first line of defence against web-based attacks. NSS Labs tested the three most commonly used browsers and found that Edge beats Chrome and Firefox at blocking malware downloads and phishing.