Five Links: Make Me Feel Safe Edition

Happy Friday, everyone.

The last few weeks have seen a series of DDoS attacks taking out major services through vulnerabilities in IoT security, outages from human error, and data breaches from major players like Yahoo and less reputable ones as well. There are a lot of different attack vectors and different types of information that are vulnerable — and this highlights the thin line between security and risk. Security is not exactly a buzzword and it doesn’t get a lot of attention until (like insurance, a warm coat, or a full tank of gas) you really need it. That’s this week’s theme — data security and privacy.


Before I get into the links, I want to give a solid shout-out to the Information Security group on LinkedIn. There are a lot of groups that have provided really good resources on best practices, architecture, and, yes, security in recent weeks (Cloud Computing and IoT – Internet of Things have had some strong posts), but the Information Security group is dedicated to security issues and has consistently provided excellent insights into different aspects of technology security.

Onward to the link roundup.

Protect Your Data from Ransomware Attacks (via Information Security Group on LinkedIn)

I love practical advice (if it has a diagram, even better), and this provides a very nice rundown of steps that IT departments can take to prevent a ransomware attack. The steps apply to a large number of cyber threats, and they are familiar best practices that IT departments should be able to implement if they haven’t already: solid backup procedures, data encryption, limited user permissions to prevent escalations, and policies to assess and address vulnerabilities.

Attack of the Botnets: More about IoT Security (via IoT – Internet of Things group on LinkedIn)

This is more informative than anything else, but it links to two government docs (one from NIST and the other from Homeland Security) outlining procedures for IoT security. Both were released slightly ahead of schedule to provide insight to tech departments in light of the severe DDoS attacks last month. BONUS IoT link: ZDNet ran a kind of post-mortem looking at the (ignored) security issues that led to those DDoS attacks. “When it comes to tech security,” writes Danny Palmer, “we seem doomed to witness history repeating itself — over and over again.” Nice point.

It will be easier for Uncle Sam to Search Your Computer without a Warrant (Ars Technica)

A recent rules change to the Federal Rule for Criminal Procedure would let judges sign warrants allowing authorities to hack into computers anywhere (regardless of jurisdiction) and to access multiple devices without having to obtain separate warrants for each individual device. Using malware (or potentially other methods), a government agency could circumvent anonymizers and other protections to access computers for crimes like child pornography. This has definite privacy and other civil liberties implications, especially given the propensity to expand the definitions of rules like these (like applying RICO to protesters).

Without Industry Guidance, US May Resort to Weakening Encryption (CIO / IDG contribution)

This is a fascinating article because it captures the debate between security, privacy, and freedom that is inherent in any discussion of information. The government position is a warning (or threat, depending on your perspective) that tech companies should work with the government to provide known backdoors or breakable algorithms to enable the government to track terrorist and criminal threats. The counterpoint is provided by Cindy Cohn with the Electronic Frontier Foundation, pointing out that providing backdoors for the government inherently weakens both data security and personal privacy.

Insights on Open Source and Security (RedHat.com)

This is an updated look at how the process of open source development intrinsically hardens code and can mitigate security vulnerabilities. There’s an old cliché that closed-source software (and device firmware) relies on “security through obscurity.” Once that obscurity is breached, then security is compromised. Open source, by its nature, takes an open approach — a lot of eyes on code looking for cracks, responsiveness and collaboration over threats, and potentially thousands of people testing and using the software. The promise of open source software security is to focus on data security through best practices to manage and secure that data, rather than by trying to obscure the software itself.
