The week in security: Aussie security startups should “go for it”; CSO Perspectives roadshow underway

With the CSO Perspectives roadshow in full swing this month – with sessions still to come in Brisbane, Sydney, and Wellington – security practitioners across Australia were treated to insights from black-hat turned white-hat hacker Mark Loveless and concerns about problems such as the dangerous world of the Internet of Things (IoT).

The WikiLeaks dump had brought the CIA’s spying powers into the spotlight, as well as raising questions about vendors’ security assurances.

And why not, with numerous reports of phones arriving at companies from their manufacturers with malware pre-installed. One audit of vulnerabilities blamed vendors for leaving systems unpatched for too long.

If everyday operational security isn’t already enough of a problem, attacks like Mirai highlight the problems inherent in IoT security – and the emerging risks from DDoS-for-hire services that can be used to take down one’s enemies.

Tools like continuous authentication and ubiquitous use of HTTPS are emerging as vendors try to improve their security stories, yet Internet stalwarts like WhatsApp and Telegram continued to fall to vulnerabilities.

Yet even technologies like HTTPS aren’t necessarily safe, as the US government backed Google’s alarm and warned against HTTPS interception products. Machine learning will play a crucial role in closing the ‘effectiveness gap’ that continues to haunt security practitioners, one senior Cisco Systems executive warned.

Others, speaking at the Cisco Live! conference in Melbourne, were highlighting the risks of point security solutions and encouraging Australian security companies to “go for it right now” to pursue their dreams. This, as some wondered why Australian companies aren’t being more proactive in sourcing solutions from Australian companies.

What with so many threats and architectural challenges at play, Cisco’s CISO feels it’s a “sexy” time to be in security – particularly as cybersecurity policy remedies longstanding shortcomings and helps companies ramp up their fight against attackers.

Hackers had figured out how to use the Petya ransomware strain to target companies without the original authors’ knowledge. Also being taken over were the accelerometer of a Fitbit and a radio-controlled car.

Microsoft fixed a record number of flaws and pushed hackers to help security-test its Office Insider previews with a $US15,000 ($A19,950) bounty. Apple, for its part, was said to have deployed an unauthorised patch by mistake. This, as Adobe Reader, Edge, Safari, and Ubuntu were all compromised by exploits at the Pwn2Own hacking event.

Spooked by the eCensus fail last year, prudent businesses were considering the value of good cyber insurance and how they would survive an outage. It’s the new normal – and disaster planning now means knowing how to deal with ransomware and even negotiate with its authors.

This, as looming legislation looks set to give the NSA broad powers of foreign surveillance. The US Department of Justice wasn’t saying how much the FBI paid to hack an alleged terrorist’s iPhone last year. Meanwhile, a court blocked a man’s efforts to sue the country of Ethiopia for allegedly infiltrating his computer and spying on him.
