Since COVID started I’ve been having a hard time keeping track of time. It feels like it’s been somewhere between 2 weeks and 2 years since this all began. After a bit of a hiatus I’m excited to start back on a regular cadence, sending out the ReThink Security Newsletter each month. Barring another global catastrophe, I’m happy to focus on bringing you security insights and interesting security related news.
Because we skipped last month there are more links than usual. I will organize them by priority and chronology, so you can see the most recent and most important news first.
Don’t forget to follow us on Twitter for our ongoing thoughts and realtime security news; our account wasn’t breached and we’ll never ask you for Bitcoin.
As predicted at the beginning of COVID, we’re seeing many companies make the switch to working from home indefinitely. This is forcing a lot of companies to rethink their network security strategy, and it is bringing forward one of my favorite strategies: zero trust network security. With this strategy you push security to the individual applications, devices, and systems, which make their own decisions about authentication and authorization. Instead of relying on VLANs, VPNs, and network segmentation, the systems themselves must make good decisions about the validity of each request.
Adopting a successful zero trust strategy is difficult and requires the use of many other systems, including MDM, policies around BYOD, and Adaptive Authentication. These changes are not only technically difficult to roll out, but also have implications for employee adoption. Some employees may be resistant to installing MDM on their personal devices, and security leaders will have to decide how to respond to this reluctance through policy. Adaptive Authentication can also be seen as invasive. Moving to Zero Trust is valuable, but there will be human complications in the rollout.
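To make the "systems decide for themselves" idea concrete, here is an added example (not code from the newsletter or any product it mentions) of a per-request policy decision that uses MDM device posture and adaptive-authentication risk as inputs and deliberately ignores network location. The request fields, the risk thresholds and the sensitivity labels are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed example of a zero trust policy decision point. A VLAN or
# VPN would normally be the gate; here the application itself decides,
# and "on_corporate_network" is carried only to show it has no effect.

@dataclass(frozen=True)
class Request:
    user: str
    device_managed: bool        # enrolled in MDM (False for unmanaged BYOD)
    disk_encrypted: bool        # posture attribute reported by MDM
    mfa: bool                   # second factor presented in this session
    risk_score: int             # adaptive-auth signal, 0 (low) to 100 (high)
    resource_sensitivity: str   # "low", "medium" or "high" (assumed labels)
    on_corporate_network: bool  # intentionally ignored by decide()

def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (require fresh MFA now) or 'deny'."""
    # 1. Device posture gates everything above low sensitivity: an
    #    unmanaged or unencrypted device never reaches those resources,
    #    no matter which network it sits on.
    posture_ok = req.device_managed and req.disk_encrypted
    if req.resource_sensitivity != "low" and not posture_ok:
        return "deny"
    # 2. Adaptive authentication: high-sensitivity resources, or a risky
    #    context (unusual geography, new device, etc.), require MFA.
    needs_mfa = req.resource_sensitivity == "high" or req.risk_score >= 50
    if needs_mfa and not req.mfa:
        return "step_up"
    # 3. Very high risk is refused even after a successful second factor.
    if req.risk_score >= 90:
        return "deny"
    return "allow"

if __name__ == "__main__":
    samples = [
        Request("alice", False, False, False, 10, "medium", True),   # LAN, unmanaged
        Request("bob", True, True, True, 10, "high", False),         # home, managed + MFA
        Request("carol", True, True, False, 60, "low", False),       # risky, no MFA yet
    ]
    for r in samples:
        print(r.user, decide(r))
```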
Recent ReThink Articles
You Have an Obligation to Fight for Privacy - Every click you make on the Internet increases the information that advertising companies like Google and Facebook collect from you. As a user, there are protections that you can put in place to limit the information gathered. As a security leader, there are principles that you can follow to protect your users’ privacy in a meaningful way.
Building a Security Team of 500 - Trying to control every developer at your organization with security policies and procedures alone is an ineffective strategy. Instead, lead by example through security enablement that enlists every person at your company to become a security expert through a culture of caring about the security and privacy of your users.
How to Scale an Application Security Program - Part One & Part Two - Once you have buy-in from your company’s leadership on how to scale your application security program for success in the long term, you must be able to show and measure your success to everybody at the organization.
More Security Headlines
Hackers Tell the Story of the Twitter Attack From the Inside - The New York Times - A huge number of high profile Twitter accounts were recently hacked. This has undermined many people’s confidence in the platform’s security. I understand security mistakes happen, so for me this is less about the issues that allowed this to happen and more about the unprecedented value that we put on the platform as a source of truth. Using social media as a realtime communication platform is one thing. Using it to disseminate policy, financial advice, or health and medical guidance is another thing. Twitter is doing more than Facebook to help give their users tools to identify false information, but this vulnerability in Twitter, together with Facebook’s most recent time in the spotlight, highlights our reliance on these platforms for critical information. How we handle these kinds of issues will do nothing less than define us as a community. Mark Zuckerberg Is an Arbiter of Truth—Whether He Likes It or Not | WIRED
Why is This Website Port Scanning Me - Some websites are port scanning their visitors. It’s unlikely that this is purposefully malicious behavior, but it does raise questions around why this kind of functionality is available in browsers at all. Ebay is port scanning visitors to their website - and they aren’t the only ones - nem.ec
Deepfake used to attack activist couple shows new disinformation frontier - Reuters - Disinformation warfare is already a massive issue on online platforms and social media. This will only ramp up as we get closer to the election. This article shows how malicious actors can fabricate an entire online persona, including generating realistically faked images and online interactions.
IBM Releases Fully Homomorphic Encryption Toolkit for MacOS and iOS; Linux and Android Coming Soon | IBM Research Blog - Homomorphic encryption sounds like science fiction, but IBM has done some incredible research in this area. It theoretically allows a user to perform certain types of operations on encrypted data without decrypting it. This technology could be used in elections, securities trading, or any other place where user privacy is paramount.
The DHS CISA and FBI recently shared a list of the most commonly exploited vulnerabilities. This is important not only as a reminder to patch your systems, but also as an opportunity to see the themes of commonly exploited software and make better security choices in the future. High profile software systems like Office, Drupal, Struts and Windows are held to a different standard: they have more eyes on them looking for any exploitable weakness, because that is where the greatest impact lies. DHS CISA and FBI share list of top 10 most exploited vulnerabilities | ZDNet
It looks like Adobe has finally decided to end-of-life (EoL) Flash Player, something that should have happened a decade ago. Ars has a good retrospective on Flash: The rise and fall of Adobe Flash | Ars Technica.
Ironically, Adobe introduced a security flaw in Reader that could allow an attacker to gain root level permissions on macOS. Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently | Yuebin Sun’s Blog
IBM was hit by a massive BGP hijacking attack. BGP hijacking allows attackers to maliciously reroute internet traffic to another host. This is important to note because BGP hijacking is something that security researchers know and warn about often, but it is sometimes dismissed as too difficult to execute. This real world example shows that it is possible, and mitigations should be put in place. Massive IBM Cloud outage caused by BGP hijacking | ITProPortal
How long until I can just give AI the PowerPoint slide deck that I got from my PM and have it turn that into a working application? It may not be long considering some of the OpenAI breakthroughs. OpenAI Model Generates Python Code - YouTube