Happy Friday, everyone.
The last few weeks have seen a series of DDoS attacks taking out major services by exploiting weak IoT security, outages caused by human error, and data breaches at major players like Yahoo and at less reputable ones as well. There are a lot of different attack vectors and many different types of information that are vulnerable, and this highlights the thin line between security and risk. Security is not exactly a buzzword, and it doesn't get a lot of attention until (like insurance, a warm coat, or a full tank of gas) you really need it. That's this week's theme: data security and privacy.
Before I get into the links, I want to give a solid shout-out to the Information Security group on LinkedIn. There are a lot of groups that have provided really good resources on best practices, architecture, and, yes, security in recent weeks (Cloud Computing and IoT – Internet of Things have had some strong posts), but the Information Security group is dedicated to security issues and has consistently provided excellent insights into different aspects of technology security.
Onward to the link roundup.
I love practical advice (if it has a diagram, even better), and this provides a very nice rundown of steps that IT departments can take to prevent a ransomware attack. The steps apply to a large number of other cyber threats as well, and they are familiar best practices which IT departments should be able to implement if they haven't already: tested, offline backup procedures; data encryption; least-privilege user permissions that limit escalation and lateral movement; and policies to assess and patch vulnerabilities.
This is more informative than anything else, but it links to two government documents (one from NIST and the other from Homeland Security) outlining principles and procedures for IoT security. Both were released slightly ahead of schedule to give tech departments guidance in light of the severe DDoS attacks last month. BONUS IoT link: ZDNet ran a kind of post-mortem looking at the (ignored) security issues that led to those DDoS attacks. "When it comes to tech security," writes Danny Palmer, "we seem doomed to witness history repeating itself — over and over again." Nice point.
A recent change to the Federal Rules of Criminal Procedure (Rule 41) allows judges to sign warrants authorizing agents to hack into computers anywhere, regardless of the court's jurisdiction, and to access multiple devices without obtaining a separate warrant for each one. Using malware (or potentially other methods), a government agency could circumvent anonymizers and other protections to access computers in investigations of crimes like child pornography. This has definite implications for privacy and other civil liberties, especially given the tendency for rules like these to be applied more broadly than originally intended (as with applying RICO to protesters).
This is a fascinating article because it captures the tension between security, privacy, and freedom that is inherent in any discussion of information. The government position is a warning (or threat, depending on your perspective) that tech companies should work with the government to provide known backdoors or deliberately weakened encryption so that the government can track terrorist and criminal threats. The counterpoint comes from Cindy Cohn of the Electronic Frontier Foundation, who points out that a backdoor built for the government is a backdoor for anyone who finds it, and so inherently weakens both data security and personal privacy.
This is an updated look at how the open source development process can harden code and mitigate security vulnerabilities. There's an old cliché that closed-source software (and device firmware) relies on "security through obscurity." Once that obscurity is breached, the security goes with it. Open source, by its nature, takes the opposite approach: many eyes on the code looking for cracks, responsiveness and collaboration when threats appear, and potentially thousands of people testing and using the software. The caveat is that open code only helps when someone actually reviews it; openness makes scrutiny possible, not automatic. The promise of open source security is to protect data through sound practices for managing and securing that data, rather than by trying to hide the software itself.