3 Ways Security Leaders Can Work With DevOps to Build a Culture of Security

Read Time:7 Minute, 53 Second

Learn how your organization can boost security efforts by eliminating the disconnect between Security and DevOps teams.

Establishing a strong security culture that bridges the gap between DevOps and security is one of the greatest challenges that CISOs and other security leaders face.

Because apps and digital services drive business growth and competitiveness, DevOps teams must develop and deploy software quickly and frequently. With businesses prioritizing agility over security, security often gets overlooked, creating opportunities for cybercriminals to attack. Just last year, 40-plus billion records were exposed as a result of data breaches. Now more than ever, organizations must establish a strong security culture that unites DevOps and security teams.

However, CISOs often find that this isn’t as simple as it sounds. Why? DevOps teams’ priority is to work diligently to get software and products developed and into production as fast as possible. Meanwhile, security teams focus on identifying and eliminating threats. Thus, a disconnect often exists between these teams as DevOps generally views security as a hindrance.

How can CISOs overcome this disconnect?

Although there is no one panacea, here are 3 ways CISOs and security leaders can work with DevOps to build a culture of security.

Step 1. Assess your current security culture

What does your current security culture look like?

Start by conducting one-on-one interviews with key DevOps stakeholders and fielding internal surveys to larger groups of employees. This assessment will help you identify areas for improvement and new opportunities. Additionally, it can help you understand how your DevOps counterparts perceive security efforts, so you can identify and prioritize pressing issues.

During an assessment, security leaders should ask themselves:

How does my DevOps team perceive their roles and responsibilities with regard to building secure software?
Is anyone in DevOps behaving in a way that makes them an easy target for cybercriminals?
How does the DevOps team protect sensitive data and workloads in the cloud?
Are there opportunities for improvement?

A thorough and honest assessment provides security leaders with the insight and visibility needed to strengthen areas of weakness, such as outdated software and policies, compliance issues, security misconfigurations, communication challenges, organizational silos and human errors. During the assessment, don’t forget to gather information about security incidents and feedback from employees.

By assessing your current security culture, you will identify and understand your team’s attitudes and behaviors towards security and empower them to become security champions that help build a strong security culture.

Step 2. Create an effective change management plan

Now that you have identified what your current security culture looks like in addition to opportunities for growth and improvement, the next step is creating a change management plan.

How can CISOs overcome DevOps teams’ reluctance and resistance to change, and get them to embrace new cyber security attitudes and behaviors?

For starters, they must offer DevOps teams the proper resources, tools, education and training. This is key for giving them the necessary skills to defend against and respond to cyberattacks. Here are some tips for effective cybersecurity training for DevOps teams:

Encourage them to stay vigilant and adopt a security-first approach to DevOps.
Promote education and awareness about security best practices such as shifting left and automation to help them identify vulnerabilities and eliminate risks throughout the software development lifecycle.
Enforce security from the top down and educate them on security ownership and shared responsibility.
Reward them and celebrate team wins to inspire and empower them. 

Developing a detailed plan for leadership and identifying roadblocks ahead is the first step in change management. Once your plan is developed, share it with DevOps leaders and team members to rally them behind the cause. Ensure that they understand the problems and challenges that they face and “why” things need to change.

Remember, change doesn’t happen overnight. Transparency and trust are key. Change comes slowly with repetition. By fostering a collaborative culture, DevOps can learn how to better collaborate with security teams and share best practices, tools and techniques to improve their workflows and strengthen their security culture.

Step 3. Integrate security into DevOps with the right DevSecOps tools

Motivating DevOps teams to be “passionate” about security is much easier said than done, but having the right tools in place significantly improves how DevOps and security teams communicate and collaborate.

Traditionally, DevOps and security teams have been siloed, operating independently, which ultimately creates a cultural divide between the two. Always working under time pressure, DevOps teams are often “too busy” to worry about security and see security as an obstacle that slows down the development process, negatively impacting their time to market, efficiency and agility. Additionally, the processes and tools that security teams have tried to impose have left developers frustrated, with the general consensus that security teams do not “understand” the development process, and that their expectations do not align with DevOps teams’ reality.

By contrast, security teams view themselves as the guardians and enforcers of security and find DevOps to be rather apathetic in regard to security. They believe that DevOps teams choose to ignore their guidance and requirements. Consequently, security teams have also found themselves frustrated while scanning code that’s insecure at the final stages of the software pipeline, which generally resulted in two outcomes: the insecure code’s deployment getting delayed or canceled, or worse, the insecure code being released as-is, providing a pathway for cybercriminals to attack.

The lack of understanding between the two teams has created tension and a blame culture, making it difficult for them to collaborate effectively and for organizations to build a culture of security.

However, security leaders can create environments where developers, operations and security teams are heavily integrated and all share the responsibility of security. In these organizations, security is no longer the sole responsibility of the security team. Instead, developers become part of the security solution, spawning movements such as shift-left, “the application of security controls as early in the software development life cycle (SDLC).”

These CISOs and security leaders are implementing a DevSecOps approach which fosters collaboration between DevOps and security teams. A key success element is to provide DevOps teams with the right DevSecOps tools.

The right kind of DevSecOps tools should be “developer-friendly.” In other words, these are application security testing tools to help developers to write more secure code. They are intuitive, simple, automated and integrated with developers’ tools. For example, tools such as Static Application Security Testing Tool (SAST), Dynamic Application Security Testing Tools (DAST), and Software Composition Analysis Tools (SCA) work well for developers.

According to CSO Online, SAST tools “analyze source codes of programs and applications while they are still under development” while DAST tools are deployed after the completion of a program, “acting as an outside tester to hack a program and look for potential vulnerabilities to exploit”. Additionally, these tools do not slow developers down and allow code errors to be detected before they make it into production, helping developers adopt a “shift left” approach. By deploying both SAST and DAST tools, DevOps teams can better protect their applications against threats and therefore decrease risks.

Software Composition Analysis tools analyze open source code, which can often make up 90% or more of an application’s code base. Open source code can contain vulnerabilities and misconfigurations, so it’s critical for DevOps teams to check any open source component for security flaws before incorporating it into their applications.

Furthermore, security leaders can work with teams to survey the best tools that promote security in an agile environment. This not only makes it easier for developers to write more secure code but also empowers them to prioritize security as they can leverage automated security tools to identify risks and vulnerabilities in real-time.

Building a strong security culture requires an all-hands approach to security that simultaneously promotes a collaborative culture. Through this methodology, development and security teams can learn to work together to prioritize security by embracing the concept of DevSecOps with the right tools in place.

Make the change

Building a culture of security is a continual team effort but it starts at the top with leadership. Security leaders must invest in a security strategy and continue to promote security awareness to their teams.

Treating security as a priority and shared responsibility is key to enabling DevSecOps success and building a strong security culture. Implementing a DevSecOps approach means everyone has a responsibility or a role in building a security culture, therefore all teams can be held accountable. Additionally, DevOps teams can have better clarity surrounding their roles, responsibilities and expectations when it comes to security.

Overall, creating a strong security culture means embracing cultural change and working towards improving the various attitudes and mindsets through change management, awareness, education, training and understanding. Once security leaders have taken the appropriate steps to build and reinforce their security culture, they can make the changes to move their organization and teams forward in the right direction and establish a strong culture of security.

Learn more

Read these blogs: 
How to Choose a Modern CSPM Tool to Reduce Your Cloud Infrastructure Risk 
You’ve Migrated Business-Critical Functions to the Cloud…Now What?   
What is IaC? Why Does It Matter to the CISO?          
CNAPP: What It Is and Why Is It Important for Security Leaders?
Download the whitepaper: Using Auto Remediation to Achieve DevSecOps 
To learn more about our capabilities, visit the: Tenable.cs Product Page 

Read More

Announcing the 2022 Tenable Assure Partner Award Winners

Read Time:2 Minute, 55 Second

Celebrating the elite defenders who are helping organizations around the world reduce their cyber risk.

Cybersecurity is always a team effort. Day in, day out, defenders rely on an ecosystem of teams, partners and vendors to address the evolving threat landscape and deliver holistic security.

As part of our ongoing channel commitment, we’re excited to highlight those partners who have gone above and beyond our expectations. 

Our second annual Global Partner Awards includes eight categories that recognize the success of Tenable’s highest-grossing distributors, resellers and MSSP partners over the 2021 calendar year. 

And the winners are….*drumroll*

Here are the Tenable Assure partners who had a stellar year in 2021.

Top New Business Partner

These partners generated the highest volume of new business, including both Channel-In and Channel-Out sales (excluding renewals). (Channel-In sales, the opportunity was brought to Tenable by the partner. Channel-Out sales, the opportunity was brought to the partner by Tenable.) 

Latin America: Scitum S.A. de C.V.
North America: CDW
EMEA: Softcat
APAC: Shanghai Maiwang Information Technology Co. Ltd

Top Regional Partner

These partners recorded the largest year-over-year growth in overall sales (excluding renewals) or generated the highest percentage of Channel-In sales.

Latin America: NeoSecure 
North America:           

            – Highest % of CI: Optiv 

            – Largest Y/Y Growth: GuidePoint 

Canada: Integra Networks 
EMEA: Software One Netherlands 
APAC: ECCOM Network System Co. Ltd

Top Breakthrough Partner

These are Silver or Gold Tier Partners with the largest year-over-year growth in overall sales (excluding renewals). 

Latin America: FastHelp 
North America: World Wide Technology 
EMEA: SCC UK 
APAC: Value Point Systems Pvt Ltd 

Top MSSP Partner 

These partners generated the highest MSSP Channel-In sales. 

Latin America: Tempest 
North America: eSentire 
EMEA: Capgemini 
APAC: Kordia SecOPs 

Top Distributor 

These partners demonstrated overall strategic partnership, including marketing programs, partner enablement, quoting support and technical competency. 

Latin America: Adistect CCA 
North America: Ingram Micro
Public Sector: Carahsoft 
EMEA: Zebra Technologies 
APAC: M. Tech Holdings Pte Ltd 

Top Overall Partner 

These partners generated the highest overall sales from both new business (including Channel-In and Channel-Out) as well as renewals. 

Latin America: ISH Technologia 
North America:   

           – Top Overall Partner: SHI   

           – Top Overall State & Local Partner: SHI  

           – Top Overall Federal Partner: Bluetech 

EMEA: Softcat
APAC: CyberCX Pty Ltd 

At Tenable, we continue to invest in our Tenable Assure Partner Program to help distributors, resellers and managed security service providers (MSSP) better support end-user organizations with the tools they need to understand and reduce cyber risk. It was an honor to see these efforts recognized by CRN in its 2022 Partner Program Guide, where Tenable was awarded a 5-star rating in the security vendor category for the second year in a row.

Over the past year, we have made significant improvements to our Tenable Assure Partner Program, including:

Introducing Active Directory and Cloud Security products into our portfolio 
Enhancing our MSSP portal and extending our product offering set for MSSPs 
Updating partner training and professional services certifications 
Growing partner teams at Tenable to support our global partner community 
Implementing processes for including partners in cloud-native marketplace private offer transactions 

Congratulations 

The Tenable Assure team congratulates all our Global Partner Awards winners! And we’re excited to see how everyone continues to push and exceed their goals in 2022. 

With more channel partners winning more business, it means more organizations around the world are leading the way in eliminating unacceptable risks and proactively managing their cyber exposure. 

Read More

Life Behind the Screens of Parents, Tweens, and Teens: McAfee’s Connected Family Study

Read Time:8 Minute, 51 Second

How do parents and children connect and protect themselves online? We spoke with thousands of them around the world to find out.

In December 2021 we conducted a study about beliefs and behaviors about life online among members of connected families—as individuals and as a family unit. Parents and children were surveyed together, with parents answering first and then bringing their children in to consent and answer, leading to findings that represent connected families across 10 different nations.

Through this study, we uncovered universal beliefs about online protection, along with several nuances, all of which pinpointed several tensions between parents and children when it comes to staying safe while enjoying life online.

Four broader topics presented themselves through this study, with each topic presenting several follow-on findings. Here, we’ll take a look at each topic and touch on a few of the several findings found within each, followed by a link where you can download the full report with its complete set of insights and trends.

Topic One: Mobile Maturity

While our tweens and tweens seem to grow into adults right before our eyes, their lives online mature into adulthood as well—thanks in large part to their mobile devices.

Our study found that children between 15 and 16 years old see their mobile usage jump significantly, so much so that it approaches levels that they will carry into adulthood. Yet their connected lives start much earlier, with smartphones and mobile devices leading the way online. The result is that most tweens and young teens today have access to the expansive internet in the palm of their hand, which exposes them to the broader internet full of apps, chats, entertainment, and social media—along with the benefits and risks nearly right away.

As far as the risks are concerned, tweens and young teens reported on their experience with cyberbullying, account theft, and unauthorized use of their personal data. Here it appears that several children were exposed to these risks at an early age.

While these experiences start early with 10–14-year-olds, exposure to online risks only increase as teens get older. By age 17 to 18, reports of cyberbullying increase to 18%, attempted theft of an online account to 16%, and unauthorized use of personal data to 14%.

Topic Two: Parents as Safekeepers

As far as life online is concerned, children look to their parents to keep them safe. While parents accept that role, our study found that they appear to have difficulty in following through.

Children said that their parents are best suited to teach them about being safe online, making them the clear winners across all categories. Nearly three-quarters of children pointed to parents, nearly twice than teachers at school (39%) and more than twice over for online resources (34%).

Looking at the reasons for that response more closely, 63% tweens and teens worldwide felt that their parents know enough to protect their security and privacy. This figure was higher for younger children (65%) and then decreased as they reached their late teens (55%). As noted earlier, an increasing number of children in their late teens have experienced online risks at this point, perhaps leading to less confidence that their parents indeed have the knowledge to keep them safe.

Parents recognize their role as protectors online, just as they recognize their responsibility to protect their children in the broader world. An overwhelming 90% of parents worldwide agreed with this sentiment. Like their children, parents felt that teachers at school played a role as well at 36%. However, their second top response was internet providers, weighing in at 41%.

Yet while parents say they view themselves as protectors, there’s a gap between intent and effort. On PCs and laptops, parents reported the online protection measures they took for themselves, which appear relatively low given the availability and ease of use with such measures—like installing antivirus software (68%), protecting the computer with a password (58%), or sticking to reputable online stores when shopping (50%).

These figures drop yet lower when asked if they took similar precautions for their children. Thus, as parents protect themselves at a low rate, they protect their children at a rate that’s yet even lower.

Moreover, when it came to protection on smartphones, the numbers were similarly low, and often lower than the rate of protection on PCs and laptops. For example, while 56% of parents said that they protect their smartphone with a password or passcode, only 42% said they do the same for their child’s smartphone—a further 14% drop.

Topic Three: The Secret Lives of Tweens and Teens Online

It’s no secret that teens and tweens may hide their activities online. In fact, they’ve said as much.

Our research found that more than half of children (59%) take some action to hide what they’re up to online. When asked for details, tweens and teens mentioned the following:

Clearing the browser history, 26%.
Close/minimize browser when parent walked in, 21%.
Hide or delete IMs or videos, 15%.
Browse with incognito mode, 15%.
Lie or omit details about online activities, 15%.
Use a device their parents don’t check, 10%.

As children grow older, these privacy-keeping activities only increase, particularly when it comes to clearing browser history and using incognito mode in their browser.

Likewise, it appears that it’s no secret children are speaking privately with people they don’t know online. When asked if they believe their children are having conversations without knowing a person’s real identity, 34% of parents said yes. As for children, 37% said yes, marking a 3% difference in awareness between parents and children.

Broken down by age bracket, 36% of children from ages 10 to 14 say they’re having these conversations, which jumps up to 41% at ages 15 to 16. Later, from ages 17 to 18, that figure drops to 39%.

Topic Four: Gendered Protection Bias

Parents in our study said that they take different measures for boys and girls when it comes to protecting them online. An apparent gender bias finds girls more protected than boys, yet it is boys who encounter more issues online.

Keeping tabs of a child’s safety online takes many forms, some involving apps and software on a child’s device, others that require parents to take a more active hand.

As for safety on devices, parental controls software provides one method for monitoring online activity, with features that keep an eye on children’s activity, limit screen time, and that block and filter certain apps and websites.

Parental controls software appears to remain a popular option. On PCs and laptops, 33% of parents reported using it. On mobile devices, the figure held at 33% as well.

Further, parents said that they relied on other approaches to help keep their children safe, citing several other ways they oversee their children’s time online. For example, in the case of monitoring activity on their child’s mobile device, parents say they will:

Limit the time of day or length of time when the child has screen time, 59%.
Check the websites or apps the child visits or uses, 56%.
Look at call records or text messages on a smartphone the child uses, 40%.
Friend or follow the child on social media sites, 35%.
Track the child’s location through GPS apps or software, 30%.

However, accounting for age and gender, differences in the use of parental controls arise. Girls in their tweens and early teens see more protection from parental controls software than boys do.

For example, girls 10-14 were more likely than boys of the same age to have parental controls on PCs on laptops in every country surveyed (except Canada), and on mobile in every country (except Germany).

This trend extends to several of the more hands-on approaches, with girls seeing them applied more often than boys. For example, in the U.S.:

47% of parents say they will check the browsing and email history on the PCs of their daughters aged 10 to 14. For boys of the same age, that figure is far lower at 33%.
The numbers for mobile devices were also similar, with reported checks for girls at 48% and for boys at 35%.

Based on reports from boys, they are more likely to experience a range of online threats more frequently than girls do—with issues ranging from attempted account theft, a financial information leak, and unauthorized use of their personal data.

Meanwhile, it is girls who are adopting online activities at a rate much faster than boys, at least on mobile. Girls aged 10 to 14 tend to stream music, use social media, and go online shopping more than boys their age.

In all, girls report that they are reaping the benefits of online life earlier than boys and with relatively fewer security issues. Meanwhile, for boys, that equation is flipped. Their online lives mature more slowly, yet they find themselves experiencing security issues more often.

Further findings

We’ve seen just how young children are when they reach maturity, at least in terms of their lives online.
By their mid-teens, they’re using computers, laptops, and smartphones at rates that will carry into adulthood. With that, they’re already experiencing some of the risks and issues that adults do, such as attempted account theft, improper use of data, and leaks of financial information.

These represent a few of the many insights and trends found in our complete report on connected families. Others include noteworthy differences across nations, such as which nations report the highest levels of cyberbullying and which nation has nearly 100% of its young children saying they use a smartphone regularly. Yet more findings reveal insights into screen time, video game usage, and a breakdown of the top online activities for teens—and many more ways families are growing up together through their lives online.

Click here for a full copy of the report.

Survey Methodology

In December 2021 McAfee LLC conducted a study about beliefs and behaviors around digital participation and online protection among members of connected families—as individuals and as a family unit.

Global survey of parents and children, with children answering alongside their parents.

Parents and children were surveyed together, with parents answering first and then bringing their children in to consent and answer.
These findings represent connected families not collections of individuals.

The post Life Behind the Screens of Parents, Tweens, and Teens: McAfee’s Connected Family Study appeared first on McAfee Blog.

Read More

DEA Investigating Breach of Law Enforcement Data Portal

Read Time:6 Minute, 5 Second

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, and issued only the briefest of statements about the matter in response to being notified.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The EPIC System Portal (ESP) enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “KT,” the current administrator of the Doxbin — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

[SIDE NOTE: Nearly two dozen domain names used by Doxbin were very recently included on the “Domain Block List” (DBL) maintained by Spamhaus, an anti-abuse group that many Internet service providers work with to block spam and malicious activity online. As a result, the Doxbin is currently unreachable on the open Internet].

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

ANALYSIS

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

There are 3,330 results. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

Read More

How to counter smart home device breaches

Read Time:3 Minute, 9 Second

This blog was written by an independent guest blogger.

Businesses that allow employees to work from home are more likely to encounter a new security threat — compromised smart home devices.

Smart technology connected to an employee’s home network, like smart thermostats, appliances, and wearables, can all fall victim to hackers. Workers that join their employer’s network remotely can unwittingly allow compromised devices to open the doors to hackers.

The right IT policies, training and technology can help businesses counter smart home device breaches.

Why hackers target smart home devices

Attacks against smart home devices are rising fast. There were more than 1.5 billion attacks on smart devices in the first half of 2021, with attackers generally looking to steal data or use compromised devices for future breaches and cryptocurrency mining.

IoT devices are often not as guarded as laptops or smartphones and are easier to breach. They may not be updated as frequently, making them vulnerable to well-known exploits. Users may also not notice unusual activity from an IoT device as readily, allowing hackers to use it as part of a botnet or further attacks.

At the same time, the number of smart home devices is growing fast. Consumers have access to a growing range of IoT appliances, including smart refrigerators, lightbulbs, coffee makers and washing machines. The smart home device market is expanding quickly, making it a fast-growing target for hackers.

As a result, smart home technology is a prime target for hackers who need devices to stage an attack or want to break into otherwise secure networks.

Protecting business networks from smart home security threats

Employees are ultimately responsible for their home devices, but a wider range of people and organizations can take action to make them more secure. Employers, IT departments, managed service providers (MSPs) and communication service providers (CSPs) have the power to improve safety.

Some IoT device security stakeholders, like CSPs, can also provide risk mitigation to customers who may not receive security support from their employer or IT team. Employers and IT departments can work with CSPs to cover aspects of home device security that they may not be able to manage on their own.

The right WFH policies and employee training can help protect business networks from an attack that uses smart home devices. In most cases, a combination of approaches will be necessary.

One popular strategy for securing WFH employee smart devices includes appointing an internal organizational member responsible for monitoring IoT security. They should require WFH employees with smart home devices to follow best practices, like automating updates and ensuring they are digitally signed.

Requiring home IoT devices to have a Secure Boot feature available and enabled will also be helpful. This ensures that the device’s bootloader executable is genuine and has not been tampered with, initiates basic logging and checks for available firmware updates.

This feature provides an excellent foundation for IoT device security and helps automate device updating. Secure Boot also lets IT teams verify that employee smart devices are not compromised.

It’s also important for an organization to formally determine its IoT risks and build a security policy. Companies that don’t know what kinds of dangers they face won’t be able to create a set of rules and requirements for WFH employees that keeps devices and networks safe.

Make sure IoT devices don’t become a security threat

Smart home devices are increasingly popular, but they can create significant security risks for employers. Having the right IT policy will help companies manage these risks.

A well-documented IoT policy that remote workers can follow, Secure Boot devices and a designated IoT security manager will make it easier for businesses to protect their networks from smart device security threats.

Read More

A Vulnerability in certain HP PC BIOS Could Allow for Local Arbitrary Code Execution

Read Time:24 Second

A vulnerability has been discovered in certain HP PC BIOS, which could allow for local arbitrary code execution. The BIOS is a firmware which is used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. Successful exploitation of this vulnerability could allow for local arbitrary code execution with kernel level privileges. An attacker could then install programs; view; change, or delete data; or create new accounts with full user rights.

Read More