The week in security: Budget flags encryption troubles, cross-government IAM

Call it CSO's regret: four out of five companies that have suffered an IT security breach wish they had done more to prevent it and just 1 in 3 believe they have a strong enough security defence, according to new research.

The government appears to be among them, with the new Budget 2015 revealing that ASIO is worried about the use of encryption to avoid its gaze and that the Digital Transformation Office (DTO) will commit $33.3 million to build a cross-government identity management system.

Mass data collection was under the microscope as the US House of Representatives voted to narrow the NSA's phone records collection program. Critics called the changes “fake reform”.

Data-centre security has long revolved around managing user access privileges, but the same discipline is also needed for internal security measures. Particularly as new PCI DSS and other compliance requirements come on board, access control is an important part of ensuring compliance in the cloud, as are new platforms such as a cloud-based document protection service from startup Ionic Security.

The release of new malware that runs on graphics processing units (GPUs) heralded new threats for Windows users, and a Mac version is reportedly in the works. Other new high-profile malware included a ransomware strain that drew on the TV show Breaking Bad for aesthetic inspiration, an unusual WordPress attack that steals login credentials, and a DDoS botnet built using tens of thousands of home routers.

Ransomware has become so much of an issue that one security executive suggests evaluating security tools foremost on their ability to detect the problematic code. This is particularly important now that bots outnumber humans, accounting for 59 percent of all site visits by one count. Things are only likely to get worse as millions of non-human devices come online into an Internet of Things (IoT) that will require fresh approaches to security.

With malware proving so nimble, it's important to consider new ways of keeping up with the threat. Microsoft is doing just that, designing its new Edge browser in a way that the company says will be much harder to hack than previous browsers were. And one group of researchers designed a password manager that uses fake vaults full of convincing decoy passwords to confuse attackers.

Also from the fight-fire-with-fire files, a team of Israeli researchers has developed software that detects fake mobile and WiFi networks. Another software tool shows users when they're sending unencrypted data from their mobiles. It's all part of a learning process that often takes its biggest steps forward based on free and cheap IT security tips.

Even as Google tightened restrictions on Chrome extensions and revamped its Gmail logins to boost security, Adobe plugged numerous months-old flaws in its Reader and Acrobat products, while Microsoft fixed 46 bugs across numerous key products. Yet new vulnerabilities continue to pop up just as quickly, with a significant virtual-machine flaw discovered to have been hiding in floppy disk code for 11 years and another virtual-machine vulnerability poised to impact data centres and business systems.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
