#BOCALife

October is…Cyber Security Awareness Month

October 18, 2021

Halloween isn’t the only scary thing on people’s minds this month! October is the 18th annual Cyber Security Awareness Month, raising awareness of the importance of internet safety and cyber security in our country. This year’s theme is “Do Your Part. #BeCyberSmart” and each week of October has a different focus.


  • Week of October 4: Be Cyber Smart.
  • Week of October 11: Fight the Phish!
  • Week of October 18: Explore. Experience. Share.
  • Week of October 25: Cybersecurity First

Good or bad, it seems like every facet of our lives is somehow intertwined with the internet and so never has it been more important to make sure that you are protecting yourself online. Sponsored by CISA (Cybersecurity & Infrastructure Security Agency) and NCSA (National Cyber Security Alliance), Cyber Security Awareness Month is significant for both business and personal internet use. One of the largest security breaches in history happened just this past summer involving 700 million LinkedIn users. Then in August, 40 million T-Mobile customers had their data stolen. These types of attacks are happening so regularly nowadays that they often go unnoticed in the public eye and garner limited media attention. It is the focus of Cyber Security Awareness Month to make sure that no matter who you are or what you use the internet for, you are using it safely and securely. 

BOCA is lucky enough to work with some of the top security experts in the business. We asked them for their thoughts on potential security threats and the importance of cyber security.


Provided by Peter Albert, CISO at InfluxData

A concern that needs to be resurfaced is the lack of file verification for external dependencies embedded within source code. This is a global issue and is pervasive and difficult to detect without source code review. Never download code from another source and then send it straight to your shell to execute in whatever user context you are using, oftentimes root. When you do this, you lose the visibility of what is in the code you are executing. What if that code was altered? For more well-known and trusted dependencies, there may be a greater belief that the file hasn’t been altered perhaps, but there is no guarantee, so why are we still doing this? The scale of this issue is gigantic – the quantity and quality of dependencies being acquired and loaded in the global code base without file verification is an anti-pattern of epic proportions, which has really gotten out of hand due to the contemporary hyper-connected nature of software development and service delivery. 
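The practice the quote above warns against is the familiar `curl … | sh` pattern. The script below is an added illustration, not code from Peter Albert or InfluxData, of the alternative: download to a file, compare its SHA-256 digest against a digest pinned from a trusted source, and only then hand it to a shell. The installer file and its digest are constructed inside the script so it runs offline; the helper names (`sha256_of`, `verify_then_run`, `demo_untampered`, `demo_tampered`) are this example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded script against a pinned SHA-256 digest
# before executing it. The file and digest are constructed for the demo;
# in real use the digest comes from a source independent of the download
# (vendor release page, signed checksum file, or a lockfile in your repo).

sha256_of() {
    # Portable digest helper: prefer coreutils sha256sum, fall back to shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_DIGEST
# Runs FILE only when its digest matches; returns 1 (and runs nothing) otherwise.
verify_then_run() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to execute $file: digest mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# --- constructed demo: stand-in for a downloaded install.sh ---------------
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_SCRIPT="$DEMO_DIR/install.sh"
printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$DEMO_SCRIPT"

# Pinned digest of the reviewed version. Computed here only because the file
# is constructed; normally it is copied from the vendor's published checksums.
PINNED="$(sha256_of "$DEMO_SCRIPT")"

# Case 1: untouched file, digest matches, script runs.
demo_untampered() {
    verify_then_run "$DEMO_SCRIPT" "$PINNED"
}

# Case 2: file modified after the digest was pinned (what a tampered
# download looks like); verification fails and nothing is executed.
demo_tampered() {
    printf '%s\n' 'echo "extra payload"' >> "$DEMO_SCRIPT"
    verify_then_run "$DEMO_SCRIPT" "$PINNED"
}

demo_untampered
```

The digest check only helps when the expected value did not travel the same path as the file: a checksum served from the same URL as the download is altered just as easily. For projects that sign releases, verifying the signature (GPG-signed checksum files, or Sigstore/cosign for container images) gives a stronger guarantee than a bare hash, and pinning the digest in a lockfile makes the verification repeatable in CI rather than a one-off manual step.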

Provided by Ambuj Kumar, CEO and co-founder of Fortanix

There are four trends that I would like to raise awareness about:

  • Changed Security Mindset. The fast-tracking of digitization led to a sprawl of unmanageable systems, including servers, data centers, VPNs, etc. Businesses need to focus more on securing their data rather than focusing solely on beefing up the walls around it. They need to redesign their strategies around ‘when’ they get attacked rather than ‘if’ they get attacked.
  • Compliance is Local. More and more jurisdictions are passing their own data privacy regulations, compliance requirements, and penalties. Security teams need the agility to operate in multiple markets simultaneously.
  • How Will You Hire Your Next Security Engineer? With literally millions of open security jobs “throwing people at the problem” is not an option. Security teams need to focus on strategy and architecture, not operations and infrastructure. “Security as a Service” offerings make this possible.
  • The Digital Supply Chain Is Still Poorly Understood. A typical application uses dozens of projects, each probably authored by dozens, if not hundreds of developers. Any of these developers can be a source of a vulnerability in your application. The vulnerabilities can lie dormant for a long time, giving businesses a false sense of safety, only to be exploited when the adversary wants.

Provided by Sarit Tager, VP of Product Marketing, JFrog

With the growing proliferation of software supply chain attacks and constant exploitation of insecure software by threat actors, organizations need to adopt more product security practices and have product security stakeholders in their org-chart. Many existing practices are still fragmented and not managed holistically – organizations adopt secure development and AST practices but do not look at product security processes as a whole. Recent regulatory activities such as President Biden’s cybersecurity executive order are actively changing this today, as they enforce security controls such as mandatory SCA (software composition analysis) and software supply chain risk mitigation to enhance product security. This will enable more secure products for end-users and thus a smoothly running digital economy.

Provided by Calvin Scharffs, VP of Product Marketing, Pixalate

The privacy and information security risks posed by exploits of consumer devices are enormous. A well-placed attack can reach scale at an alarming rate. Apple’s emergency security update to close a spyware flaw impacting phones, tablets, computers, and even watches shows how serious the threat is — especially if it goes undetected. For consumer privacy, the problem is magnified due to the sensitive data commonly accessible to and generated by mobile apps. Over 1 million apps on the Google Play Store request access to the user’s precise GPS coordinates in H121. Additionally, there was a 21% YoY increase in the number of apps requesting permission to record audio using phone microphones. Despite the nature of this sensitive data, many apps from the Google and Apple app stores still lack basic privacy policies. According to H121 Pixalate research, 16% of Apple and 22% of Google apps have no detectable privacy policy. The consumers’ most trusted device is also their most vulnerable. Google and Apple need to lead a crackdown on data leakage and over-permissioning. Any such initiative needs to include better policing of their stores and privacy policy enforcement.
