NanoLock has announced the launch of a new suite of zero-trust cybersecurity solutions for the industrial and manufacturing market. In a press release, the firm claimed to be the first to offer device-level protection solutions designed specifically for legacy and new industrial machinery and smart factory production lines. The launch comes in the wake of a joint cybersecurity alert surrounding advanced persistent threat (APT) attacks on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

To read this article in full, please click here

Read More

A new open-source project aims to unify incompatible cloud identity systems such as Azure, AWS and Google, giving users the ability to apply consistent identity and access policies across multi-cloud platforms. Announced by identity orchestration firm Strata Identity, the project consists of Hexa, an open-source technology, and IDQL, a new common policy format that defines identity access policies, which combine to manage access policies across multi-clouds, on-premises systems, and vendors, the company said. The news comes in the wake of research that laid bare the security risks surrounding mismanaged, overly-permissive cloud identities that open the door to attackers targeting cloud infrastructure.

To read this article in full, please click here

Read More

Researchers have demonstrated iPhone malware that works even when the phone is fully shut down.

t turns out that the iPhone’s Bluetooth chip­ — which is key to making features like Find My work­ — has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

[…]

The research is the first — or at least among the first — to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

The research is fascinating, but the attack isn’t really feasible. It requires a jailbroken phone, which is hard to pull off in an adversarial setting.

Slashdot thread.

Read More

Andrew Elliot from DCMS provides an update on government initiatives to boost cybersecurity talent pipeline

Read More

This blog was written by an independent guest blogger.

Despite years of industry efforts to combat insider threats, malicious behavior can still sometimes be difficult to identify. As organizations work towards building a corporate cyber security culture, many have begun looking into zero-trust architectures to cover as many attack surfaces as possible.

This action is a step in the right direction, but it also has the potential to raise fears and generate negative responses from employees. Zero-trust security could instill demotivation and resentment if taken as a sign of poor faith and mistrust, accelerating turnover rates and bringing the Great Resignation to a peak. 

How can an organization effectively navigate zero-trust without creating friction among employers and employees? In addition, how can they get there without holding trust-building exercises as part of an in-office environment?

Why trust matters in modern business environments

The security perimeter is no longer a physical location in a modern enterprise; it is a set of access points dispersed in and delivered from the cloud. In addition to identity, the authorization model should factor in the sensitivity of the data, the source location of the request, reliability of the endpoint, etc. The use of multiple cloud platforms and a growing number of endpoints can massively expand the attack surface.

The foundation of zero-trust security starts by eliminating the word trust. Criminals today don’t break into network perimeters; they log in with stolen credentials and then move laterally across the network, hunting for more valuable data. Protecting the path from identity to data is crucial – this is at the heart of an ID-centric zero-trust architecture. To do so, security teams should:

Validate the user
Verify the device
Limit access and privilege

The layers that connect identity to data play essential roles in sharing context and supporting policy enforcement. A zero-trust architecture is continuously aware of identity and monitors for a change in context.

A new memorandum by the United States Government Office of Management and Budget (OBM) outlines why zero-trust architecture is crucial to securing web applications that are relied on daily. The SolarWinds attack reminds us that supply chain security is vital, and the recent Log4Shell incident also highlights how crucial effective incident response is, so finding a way to an improved security posture is imperative.

However, zero-trust does not mean encouraging mistrust through the organization’s networks, and companies should not have to rely on technologies alone for protection. When it is a team effort, security is best applied, and successful zero-trust depends on a culture of transparency, consistency, and communication across the whole organization. But how can organizations achieve this?

The two pillars of building (Zero) Trust

When building zero-trust in any organization, two key pillars must be considered – culture and tools.

As companies begin implementing zero-trust, they must also integrate it into their culture. Inform employees what’s going on, what the process of zero-trust entails, how it impacts and benefits them and the company, and how they can support the zero-trust process. By engaging employees and challenging them to embrace skepticism towards potential threats, businesses are planting the seeds of security across their organizational ecosystem. Once employees understand the value of zero-trust, they also feel trusted and empowered to be part of the broader cybersecurity strategy.

Once zero-trust has been implemented at the core of an organization’s cybersecurity culture, the next step is to apply best practices to implement zero-trust. There are several measures that organizations can take, including:

Use strong authentication to control access.
Elevate authentication.
Incorporate password-less authentication.
(Micro)segment corporate network.
Secure all devices.
Segment your applications.
Define roles and access controls.

Although Zero-Trust is technology agnostic, it is deeply rooted in verifying identities. One of the first steps is identifying the network’s most critical and valuable data, applications, assets, and services. This step will help prioritize where to start and enable zero-trust security policies to be created. If the most critical assets can be identified, organizations can focus their efforts on prioritizing and protecting those assets as part of their zero-trust journey.

The use of multi-factor authentication is crucial here. It is not a case of if to use it, but when. Phishing-resistant MFA can’t be compromised even by a sophisticated phishing attack, which means the MFA solution cannot have anything that can be used as a credential by someone who stole it. This includes one-time passwords, security questions, and imperceptible push notifications.

The challenge of implementing zero-trust

One essential problem that most enterprises are dealing with is the issue of fragmented IAM. As a result, zero-trust implementation is fraught with high complexity, risks, and costs.

The key reason behind this problem is that organizations are operating multiple identity security silos. In fact, the Thales 2021 Access Management Index report indicates that 33% of the surveyed organizations have deployed three or more IAM tools. Coordinating that many systems can, at a minimum, create operational complexity, but it can also increase the risk of fragmented security policies, siloed views of user activity, and siloed containment.

A zero-trust culture should help enterprises with IAM silos to move towards a standardized zero-trust security model, with standardized security policies and adjustments orchestrated from a central control panel across underlying silos. The process should provide insights on security policy gaps and inconsistencies and recommend security policy adjustments based on zero-trust security principles.

Conclusion

A zero-trust approach to security is to cover all attack surfaces and protect organizations, but they mean nothing without people using them appropriately. Aligning company success and security with employee success and security is crucial. Deploying a centralized IAM solution that covers all attack surfaces ensures optimal protection and helps build confidence in a zero-trust business and computing environment.

Read More