FEDORA-2022-ff2aa5643d
Packages in this update:
rizin-0.4.1-1.fc36
Update description:
Rebase to upstream version 0.4.1 to fix some security issues
rizin-0.4.1-1.fc37
Rebase to upstream version 0.4.1 to fix some security issues
This blog was written by an independent guest blogger.
We have entered the era of data compliance laws, but regulations have not quite caught up to the level of risk that most organizations are exposed to. Uniting security and compliance is crucial to maintaining regulation standards and ensuring a secure environment for your business.
Digital transformation and the rollout of new digital tools are moving faster than the speed of legislation. For example, many industries are utilizing connected IoT tools that significantly increase their attack surface, but compliance laws do not yet set adequate standards for protecting against the risks of a growing IoT.
Even with compliance laws in place, Gartner predicts that nearly half of all organizations worldwide will experience a supply chain attack by 2025. These findings represent a threefold increase in attacks, despite growing data regulations.
Cybersecurity has never been more important than it is now. There are innumerable attack vectors that hackers take advantage of, and with the Covid-19 pandemic having pushed so many people online, more targets are available, too. Today, everyone is at risk.
How can organizations unite security and compliance more effectively? Here are 5 ways to improve your security posture and maintain compliance at the same time.
There are steps that individual users should take to ensure their data security, like using two-factor authentication for mobile apps and implementing a VPN when working from home.
And considering that financial scams cost consumers $5.8 billion in 2021 (with $1 billion lost in crypto), encrypting data is becoming more important too. This is why users should encrypt their smartphones and desktop devices if they hold sensitive information such as banking details, and rely on encrypted crypto wallets for securely storing their crypto assets.
But companies shouldn’t rely on their customers to take security measures. Organizations need to focus on securing their perimeters and building a plan to protect data in case of an incident. A cybersecurity plan is especially important for industries like manufacturing, where 71% of leaders are concerned about the data impacts of a growing IoT. Companies use connected devices like sensors, tablets, and other industry-specific tools to improve operations and increase productivity. But this has serious data security implications that must be addressed.
From a data protection perspective, the best measure that companies can take is to avoid processing and storing data that isn’t necessary. If regulated data like personal or financial information is necessary to complete certain tasks, companies need to use the best encryption they can find.
Security and compliance are growing issues, both separately and together. Many industries, such as healthcare, finance, and manufacturing, require heightened levels of compliance and regulation. Like everyone else, companies in these industries are also taking advantage of new tools and technology to make their services more convenient for customers and workers. Third-party apps like insurance verification software can be trustworthy so long as they remain compliant with standards such as the PCI DSS.
A good relationship with auditors is the best way to create continuity between security and compliance. Auditors are often outsourced from a large firm that works with numerous companies within their region. They don’t have time to start from scratch and learn your security systems; their number one concern is data compliance.
It’s crucial that CISOs take the time to help auditors understand the company’s cybersecurity needs as a component of data compliance. Engaging with auditors about the security compliance needs of your organization through regular meetings and detailed reporting is imperative to close gaps in your ecosystem. Auditors are not cybersecurity experts. The only way to ensure that the auditor’s and company goals are aligned is to build a working relationship.
Although compliance regulation is far behind most companies’ cybersecurity needs, compliance frameworks provide a solid basis for security programs. Compliance mandates don’t explain to organizations what to do, how to execute security processes, or even how well certain processes perform.
For example, a compliance checklist may tell you that your company needs a firewall. But it doesn’t tell CISOs which type of firewall is most effective for their organization, nor does it tell you which ones to implement to meet compliance standards.
A better strategy for cybersecurity teams is to use bare-bones compliance expectations as a foundation on which to build a comprehensive security ecosystem. This is particularly critical for industrial control systems (ICS) in sectors like energy and power, which are notorious for low-maturity security controls. But compliance is just the beginning.
First, make sure that your organization is checking all the boxes. Next, build a security program based on findings from compliance audits and implement regular pen tests in addition to regulatory testing. After that, companies can set up security workflows to support security and audits that exceed compliance rules and better protect their data.
At the end of the day, a compliance audit doesn’t actually do anything to improve your security measures. CISOs and their teams have to implement policies and procedures to address the findings of compliance tests. Without action, the testing is meaningless.
For example, let’s say that your organization does their annual pen test required by compliance, and it comes back with a vulnerability report. The CISO is now aware of the vulnerability. What happens next can mean the difference between a fine or, worse, a data incident.
In this example, the CISO takes note of the pen test but does not follow up. The following year, the same vulnerability is exposed again, since nothing was done to fix it. And now, your company is in trouble with regulatory bodies.
When compliance testing uncovers vulnerabilities, set up a process for fixing them and preventing future security issues. That is how you get out of reactive cybersecurity and into proactive data protection, and it is also how you avoid the repeat findings that can get you in trouble with compliance authorities.
When teams enter the phase of cybersecurity development where they do their regular testing and vulnerability patching outside of compliance, it’s crucial to measure the improvements that occur over time.
Compliance is an excellent vehicle for measuring improvements in your security posture and potential exposure to risks. Have a certain goal for each annual compliance test to work towards during the year, and keep track of how your security ecosystem performs. It can be difficult to see the bigger picture when you’re close to the problems. But measuring security risks regularly can help CISOs visualize their security infrastructure and the next steps they can take to improve it.
These measurements can also help IT managers report risk exposure to executives and other officials. Company leadership usually doesn’t consist of cybersecurity experts, so CISOs have to explain their needs to them in a way they can understand. And as the saying goes, “you don’t know what you don’t know.”
At the end of the day, if you focus on compliance, you’re probably not going to be as secure as you should be. But, if you focus on security, you’re more likely to be compliant according to the regulations of your industry.
Long-standing companies and startups alike need to develop a better security plan that includes compliance factors and industry-related recommendations. It only makes sense that security and compliance intertwine to protect data from loss to hackers.
Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.
Now, the Equifax fine has been eclipsed by the $1.19 billion fine levied against the Chinese firm Didi Global for violating that nation’s data protection laws, and by the $877 million fine against Amazon last year for running afoul of the General Data Protection Regulation (GDPR) in Europe.
Open-source security has been high on the agenda this year, with a number of initiatives, projects, and guidance launched in 2022 to help improve the cyber resiliency of open-source code, software and development. Vendors, tech firms, collectives and governments have contributed to helping raise the open-source security bar amid organizations’ increasing use of and reliance upon open-source resources, along with the complex security risks and challenges that come with it.
“2022 has intensified the necessary focus on the important topics of open-source security, including supply chain security. It has also accelerated efforts to identify what was left to do, and then start doing it. In sum: things are just getting started, but progress has been made,” David A. Wheeler, director of open-source supply chain security at the Linux Foundation, tells CSO.
The campaign was disclosed by Symantec and AhnLab but Cisco Talos is now providing more details