STE WILLIAMS

Would you open an email from one Dr Brian Fisher? GP app staff did – and they got phished

GP online services app Evergreen Life has been the target of a cyber-attack attempting to access the firm’s corporate email accounts.

A malicious phishing email was sent to all the addresses in Evergreen clinical director Dr Brian Fisher’s inbox – a rather unfortunate name given the circumstances – in what the company believes to be a man-in-the-middle (MITM) attack.

The original message, sent on Monday from Fisher’s account and seen by The Register, read: “Did you get the documents I sent you this morning? Find attached. I will await your feedback on the highlighted items.”

Mark Hindle, chief operating officer at Evergreen, told The Register that a bogus website had been registered three days before the email was sent. The threat was detected before the systems were accessed, but he believes it may have been an attempted ransomware attack.

“We have made the details available to the Information Commissioner’s Office, although this was not a breach of our patient information – as our core patient systems are kept separate.”

He said Fisher’s address may have been used because of his large number of contacts, lobbying work and prominence within the company.

Yesterday the group issued a follow-up email with the subject line: “Important security alert: action required.”

The email, also seen by The Reg, said:

You have been highlighted as a recipient of an email from Brian Fisher on Monday 21st October at around 14:15 to 14:30 with the subject line “FW: Brian Fisher has shared a document with you via OneDrive for Business.”

Please do NOT:

Open the attachment

Click on the link

Fill in your username and password on the bogus site

If you have already clicked on this link and typed in your credentials, then we suggest the following:

Change your Office365/e-mail password with immediate effect.

Log onto Office

Go to your account menu (top right)

Reset your password

It continued: “Evergreen Life has already implemented a number of measures to mitigate this particular threat, including immediate steps to blacklist the bogus website. That took several hours yesterday, which is why we strongly recommend that you change your Office 365 password if you did inadvertently submit any credentials.”

The email also noted that “phishing” is the most common type of cyber-attack against organisations such as Evergreen.

“Phishing attacks can take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details. Although we maintain controls to help protect our networks and computers from cyber threats, we rely on you to be our first line of defence.”

On its website Evergreen says: “We have extensive experience in writing large software systems for hospitals – over 60 years between us. We understand how important your data is, we are used to working in very secure environments, and have taken a lot of time to do things right.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/24/gp_app_director_sends_out_phishing_email/

Tor blimey, Auntie! BBC launches dedicated dark web mirror site

The BBC has launched a .onion version of its news website on the Tor anonymising network aimed at readers based in countries that ban its services.

In a statement, the Beeb said it had made its news content easier to access by audiences who live in countries where BBC News is blocked or restricted. “This is in line with the BBC World Service mission to provide trusted news around the world.”

China, Iran and Vietnam are among those who have tried to block access to the BBC News website or programmes.

Instead of visiting bbc.co.uk/news or bbc.com/news, users of the Tor browser can visit the new bbcnewsv2vjtpsuy.onion web address. Clicking this web address will not work in a regular browser.

As Dr Steven Murdoch, a cybersecurity expert from University College London, points out, the move isn’t a game-changer for people already seeking to evade surveillance and censorship – who can already access the Beeb and other sites via Tor, just without the .onion address. Among other things, it will protect those who are a little too hasty to control-V.

“I think it is an improvement to security – not a breakthrough. It’s a helpful step for some users as it makes it easier and safer to access through Tor – which they might want to use because they are being censored, or don’t want to be tracked by [their] ISP.

“Onion services take load off scarce exit nodes [and] preserve end-to-end encryption; the self-authenticating domain name resists spoofing; and it means that users can’t accidentally not use Tor.”

The BBC site was set up with the help of Alec Muffett, who built and maintains the Enterprise Onion Toolkit (EOTK). His team built Facebook’s onion service back in 2014, and when The New York Times more recently created their own “.onion” website, they used EOTK.

The Onion Router project was set up by the US Naval Research Lab (NRL) in the 1990s to create internet connections that don’t reveal who is talking to whom, even to someone monitoring the network. It became a nonprofit in 2006.

Its site notes: “The need for tools safeguarding against mass surveillance became a mainstream concern thanks to the Snowden revelations in 2013. Not only was Tor instrumental to Snowden’s whistleblowing, but content of the documents also upheld assurances that, at that time, Tor could not be cracked.

“Today, the network has thousands of relays run by volunteers and millions of users worldwide. And it is this diversity that keeps Tor users safe.”

Its users, of course, include privacy-conscious types such as fans of Tor-powered Linux operating system Tails.

However, Tor is also notoriously used for sites offering illegal drugs for sale and access to child abuse images. In August, the FBI was able to bring down a Tor-hidden pedophile site.

The agency remained tight-lipped as to how it was able to identify the .onion server’s true public IP address, or those of its administrators or users. Previously agents have used a network investigative technique – a webpage script, Flash file or malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/24/beeb_launches_dedicated_dark_web_site/

Poll Results: Smart Enterprises, Dumb Homes

At work, security pros have their fingers on some pretty cutting-edge technology. But are their homes souped up, too?

Security pros have their fingers on some pretty cutting-edge technology. After all, that’s what they need to safeguard their organizations and stay as many steps ahead of attackers as possible.

So you might think these tech-savvy folks would be equally eager to own the latest and greatest innovations on the homefront — stuff like smart TVs and speakers, mobile-controlled thermostats and lighting, and video-connected doorbells, to name a few. Right?

Nah.

In The Edge’s most recent poll, we asked readers to tell us, on a scale of 1 to 5, how “smart” is your home? “Dumb” was the resounding answer, chosen by 69% of 305 respondents. But like most things in life, dumb comes in many flavors, so for this poll survey takers had their choice of two: “dumb as a rock and that’s how I like it” (cited by 44%) and the slightly scaled-back “pretty dumb” (25%).

Then we have the moderates — another 25% who said they’re all about “striking a cost-effective balance between tech enthusiasm and security caution.” Finally, barely 4% labeled their abodes “wicked smart,” while only five brave individuals (under 2%) replied “highly intelligent, voice-activated IoT everywhere. Can’t wait for my thought-activated IoT.”

As vulnerabilities in Internet of Things (IoT) devices continue to proliferate, leaving devices and homes open to attack, could it make sense to follow our pollsters’ lead?

(Maybe, just maybe, being a security professional means you’re too smart to have a smart home?) 

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/poll-results-smart-enterprises-dumb-homes/b/d-id/1336155?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Developers: The Cause of and Solution to Security’s Biggest Problems

The everything-as-code revolution requires cybersecurity to increasingly enlist the help of developers to solve the industry’s most pressing issues.

When cybersecurity professionals look across the technology landscape and witness the crush of vulnerabilities, the risky configurations, the poorly protected APIs, and the insecure application architectures, it can be easy to blame developers for them all. 

In the wake of that finger-pointing, security pros tend to look for ways to work around developers, to build systems and procedures that are as likely to block devs from getting valuable work done as they are to protect these engineers from themselves. 

However, there’s a sea change in the air.

Many veteran security pros who have been there and done that say the industry is looking at this in the wrong way. True, many security problems today arise as a by-product of a developer’s work. But more than anything else, many of the issues have their roots in security’s inability to adjust to a code-based world. 

“As security professionals, we’ve been trying to avoid applications and code for a long time. It was complicated. We didn’t understand it. We didn’t know what was going on inside it,” says Hillel Solow, co-founder and CTO of Protego Labs. “We built an entire practice around, ‘How do we build security controls around things without having to worry about what’s happening inside them?’ We put things in the front and the back, on the bottom and the top.”

That approach is falling apart at the seams as security professionals deal with what Solow calls the “revolution of everything as code.” The implications of poorly secured code creep far beyond the limited confines of Layer 7. With increasing enterprise reliance on cloud-native technologies like containerization and serverless deployments, the growing use of infrastructure-as-code to spin up and down new computing instances, the rise in software-defined networking, and the explosion in complexities from layering embedded systems upon embedded systems, everything always comes back to code. 

“We’ve moved over the past 30 years from hardware to software, layer by layer. And we’re now at the point where the vast majority of what we deploy in our value is lines of code, whether it’s, you know, C code, or Python code, or cloud formation templates, or Terraform, or something else,” he says. “Those of us in security who don’t understand code are really struggling to keep up.”

Solow and many others like him believe the only way security can possibly keep up is if they stop blocking developers and start enlisting their help. Forward-looking technology experts predict that smart developers are the industry’s best hope for solving some of the biggest security problems today. 

Making Developers Your Highest Hiring Priority

Seeking out developer assistance starts from within. Many longtime appsec advocates believe security managers need to kick off a change in tactics and strategy by putting developer resumes at the top of the stack for new hire candidates.

“Hiring developers on your team allows you to better speak the language of developers and better influence software development to positively impact security,” says Zane Lackey, co-founder and CSO at Signal Sciences. As a former CISO at Etsy, Lackey says one of the best hires he ever made was when he snagged someone internally from his firm’s software engineering team for the security crew to focus on development tasks that would positively impact security. 

These kinds of tasks can include building security tools and integrations, but they also extend far beyond that. 

Security developers can bring a fresh perspective to the table when the security team convenes to make policies and procedures — they’ll help everyone line up security requirements with business priorities and development realities. They may also take a hand in transforming those developer-friendly policies into security-as-code and what Lackey calls a “golden path” of secure configurations, common libraries, or third-party code that can be shared across engineering projects, encryption standards, and so on. 

“Investing in bringing developers on those security teams can help them build things that are going to be directly consumed by engineers,” Lackey says.

He is far from an outlier in this view that security needs to hire more developers. Hit up security and DevOps conferences today, and you’ll increasingly run across security managers who are pushing hard for the industry to prioritize development experience.

“I only hire developers; I don’t hire security people anymore,” says John Melton, application security senior manager at Oracle NetSuite. “If you’re a security person and you can’t code, you should learn how, or you should hire people on your team who know how to code.”

As Melton explains, the lack of development knowledge is endemic in the security world, and it’s hurting security teams in so many ways. He’s far from the only one to voice those concerns. According to Larry Maccherone, who runs the DevSecOps transformation at Comcast as senior director in the technology and product division’s security and privacy group, a lack of developers on security teams does the most damage to the team’s credibility. 

“I believe you can’t keep telling developers how to do their job if you aren’t also writing code,” says Maccherone, who, like Melton, almost exclusively hires developers these days. Maccherone says it is much easier to train a developer in security fundamentals and mindset than it is to teach a security vet how to code. He thinks the only way to bring the kind of street cred to the table necessary for eye-to-eye conversations between security and software engineers is to bring experienced devs into the security fold.

In the process, the industry may well be able to kill two birds with one stone. With the industry struggling to make qualified security hires, it may be time to stop looking for security unicorn hires and start recruiting trainable developers to fill in some vital gaps. 

It doesn’t even necessarily have to be as extreme as how Melton or Maccherone approach things. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/edge/theedge/developers-the-cause-of-and-solution-to-securitys-biggest-problems/b/d-id/1336137?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Republican senators shoot down a triple whammy of proposed election security laws

The US Senate on Wednesday blocked a trio of law bills that aimed to make America’s elections more secure and transparent.

The Honest Ads Act, spearheaded by Amy Klobuchar (D-MN), who is among those running for president in 2020, would, if passed, force social media networks to reveal the organisations paying for political ads on their platforms.

“The goal of the Honest Ads Act is simple: to ensure that voters know who is paying to influence our political system,” Klobuchar said when she introduced the bill. “The bill would put in place the same rules of the road for social media platforms that currently apply to political ads sold on TV, radio, and in print regarding disclaimers and disclosures so that Americans know who is behind the ads they see online.”

The bill was introduced in 2017 in response to the thousands of divisive and controversial adverts that were purchased by Russia’s Internet Research Agency troll farm. It was reintroduced this year after stalling in the 115th Congress. It was stopped on Tuesday by John Thune (R-SD). While any one senator can introduce a new bill, one objection can be enough to kill the whole thing.

A second law bill that failed to pass through the Senate on Tuesday week was Dick Durbin and Tammy Duckworth (both D-IL) and Klobuchar’s Election Security Act, which called for states to use paper ballots to prevent cyberattacks altering tallies in voting databases or otherwise screwing around with polling.

“The Election Security Act, which requires paper ballots and establishes critical cybersecurity standards, is a common-sense approach to upholding the integrity of each American’s vote and strengthening our election security,” Duckworth said previously.

Again, the Russians are to blame, she opined. The CIA traced a string of hacking attempts against ten US states’ voting databases back to Moscow in 2016. Although the Election Security Act was backed by more than 30 senators, including Dianne Feinstein (D-CA) and Elizabeth Warren (D-MA), admittedly out of 100, it was swatted down by John Kennedy (R-LA) this week.

The third and final blow was made to the Democrats’ Securing America’s Federal Elections (SAFE) Act. It passed the House in June, but was taken down on Wednesday by Marsha Blackburn (R-TN). The Republican in fact killed off attempts by Senators Mark Warner (D-VA), Ron Wyden (D-OR), and Klobuchar to push through all three election laws again on Wednesday.

SAFE proposed to provide funding for states to update and patch voting systems to reduce the risk of security threats.

“Aging equipment, under-resourced jurisdictions, and interference by foreign entities or non-state actors leaves our systems vulnerable to exploitation that can undermine confidence in election outcomes,” House Rep Zoe Lofgren (D-CA), who wrote the House version of the legislation, previously said. “The need is urgent. The time for Congress to act is now. We simply cannot leave state governments to defend themselves against the sophisticated cyber tactics of outside actors.”

Blackburn claimed she killed off the proposed laws because they were previously introduced and failed. “You know, it’s not a good sign if you’re doing the same thing over and over and expecting a different result,” Blackburn noted.

And, y’know, they were all written by Democrat senators.

For what it’s worth, after facing a growing backlash, Facebook last year introduced a feature on the antisocial network that allows addicts to see who was, in theory, behind a political advert in their newsfeeds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/24/election_security_bills/

Tough Choices

If you could only protect one category of your organization’s data, what would it be?

Article source: https://www.darkreading.com/edge/theedge/tough-choices/b/d-id/1336160?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oracle Releases Free Tool for Monitoring Internet Routing Security

IXP Filter Check gives Internet Exchange Points a way to verify whether they are properly filtering out incorrect and malicious routes.

Oracle has released a free tool that shows how well Internet Exchange Points (IXPs) are doing at filtering out incorrect or malicious traffic-routing information that could lead to major Internet disruptions.

The goal is to help an IXP identify and address gaps in its route-filtering capabilities while providing the broader public with a view of the IXP’s role in keeping the Internet safe. An IXP routes traffic between different ISP networks. It is a physical location containing numerous network switches that seamlessly link one service provider’s network to another.

Oracle’s new IXP Filter Check is part of a broad initiative called the Mutually Agreed Norms for Routing Security (MANRS), which is designed to bolster Internet routing security.

In recent years, Internet routing mistakes — of the accidental and malicious variety — have caused major problems. Last year, for instance, traffic bound for Google got misdirected via an ISP in China, causing intermittent disruptions to the company’s search and other services for over an hour. Earlier this year, traffic belonging to major Cloudflare customers ended up getting routed via the network of a small company in Pennsylvania. The misdirection caused many websites on Cloudflare and numerous other service providers to become unavailable to large sections of the Internet for about two hours.

Such disruptions often have been caused by relatively minor configuration errors. Google’s traffic, for instance, got misdirected because a small Nigerian ISP accidentally “announced” the wrong routing information for several Google IPs. China Telecom — one of the Nigerian ISP’s network “peers” — accepted the wrong routing information and propagated it widely across the Internet.

In Cloudflare’s case, the misdirection resulted from an ISP in Pennsylvania making more or less the same mistake and then Verizon forwarding the wrong routing information to the rest of the Internet. As Cloudflare put it at the time: “This was the equivalent of Waze routing an entire freeway down a neighborhood street.”

Not all routing errors are the result of innocent mistakes. In recent years, attackers have used redirection attacks to divert traffic for malicious purposes, including surveillance, distributed denial-of-service attacks, and cryptocurrency mining.

Secure Internet Routing

The Internet Society’s MANRS initiative is designed to address the fundamental weaknesses in the Internet’s core routing infrastructure that have made such traffic misdirection almost catastrophically easy to make or to pull off. At a high level, it is aimed at ensuring that ISPs and IXPs have measures for quickly spotting and filtering out incorrect routing information — and, equally important, to prevent incorrect routes from being propagated across the Internet.

To be a member of the MANRS program, IXPs are required to filter all route announcements they receive using certain standards that are designed to ensure the legitimacy of routing messages. The goal is to ensure that any routing information that cannot be properly verified — such as its origin — is filtered out.

Oracle’s IXP Filter Check is a monitoring service — currently in place at some 200 IXP locations — that basically verifies how well an IXP is doing at filtering out incorrect and malicious routes. “It is a free service that offers third-party review of the routes passed by the route server at an IXP,” says Doug Madory, director of Internet analysis at Oracle. “The objective is to publicly report the invalid messages passed so as to help the IXP improve and also to report to the public how the IXP is doing.”

The Oracle tool is not designed to help IXP filter route messages. Rather, the objective is to help IXP administrators monitor and analyze the effectiveness of their existing route filtering, Madory notes.

IXP Filter Check uses a filtering mechanism similar to what an IXP would be expected to use as a member of the MANRS initiative. The Oracle tool runs the same checks on routing information that the IXP’s filtering mechanisms would, such as ensuring routing messages have proper origin information and prefix lengths.

“If they are correctly filtering invalid routes, then we shouldn’t see them,” Madory says. “If we do and report it in the tool, then that means the route server admin should go review the filtering [in place].”
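The two checks named above, origin and prefix length, can be sketched as follows. This is an added example, not Oracle's code or part of the original article; it assumes ROA-style authorization records as the reference data (the article does not say what data IXP Filter Check uses), and every prefix and AS number is a documentation value constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple


class Authorization(NamedTuple):
    """Assumed reference record: which AS may originate a prefix, and the
    longest (most specific) prefix length it may announce inside it."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    origin_as: int


class Route(NamedTuple):
    """A route as seen from a route server: announced prefix + origin AS."""
    prefix: object
    origin_as: int


def auth(prefix: str, max_length: int, origin_as: int) -> Authorization:
    return Authorization(ipaddress.ip_network(prefix), max_length, origin_as)


def route(prefix: str, origin_as: int) -> Route:
    return Route(ipaddress.ip_network(prefix), origin_as)


def classify(rt: Route, auths: List[Authorization]) -> str:
    """Origin validation in the style of RFC 6811, with the reason for an
    invalid verdict split out so an operator can see which check failed."""
    # Only authorizations whose prefix covers the announced prefix matter.
    covering = [a for a in auths
                if a.prefix.version == rt.prefix.version
                and rt.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not-found"            # nothing to validate against
    same_origin = [a for a in covering if a.origin_as == rt.origin_as]
    if not same_origin:
        return "invalid-origin"       # covered, but announced by the wrong AS
    if any(rt.prefix.prefixlen <= a.max_length for a in same_origin):
        return "valid"
    return "invalid-length"           # right AS, but more specific than allowed


def should_have_been_filtered(seen: List[Route],
                              auths: List[Authorization]) -> List[Route]:
    """Routes observed past the route server that a filter should have dropped."""
    return [rt for rt in seen if classify(rt, auths).startswith("invalid")]


# Constructed reference data (documentation prefixes and AS numbers).
AUTHS = [
    auth("192.0.2.0/24", 24, 64496),
    auth("2001:db8::/32", 48, 64497),
]

# Constructed observations from a hypothetical route server.
SEEN = [
    route("192.0.2.0/24", 64496),        # valid
    route("192.0.2.0/24", 64511),        # wrong origin AS
    route("192.0.2.128/25", 64496),      # more specific than max_length
    route("203.0.113.0/24", 64500),      # no covering authorization
    route("2001:db8:1::/48", 64497),     # valid
    route("2001:db8:1:1::/64", 64497),   # more specific than max_length
]

if __name__ == "__main__":
    for rt in SEEN:
        print(f"{str(rt.prefix):22} AS{rt.origin_as}  {classify(rt, AUTHS)}")
    print("leaked:", len(should_have_been_filtered(SEEN, AUTHS)))
```

A monitor built this way only reports what it sees downstream of the filter, which matches the article's point: an invalid route showing up at all is the signal that the route server's filtering needs review.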

According to Madory, IXP Filter Check is the first tool to offer a live and independent analysis of the behavior of route servers at IXPs around the world. He estimates approximately 1,000 entities currently label themselves as IXPs, though many are relatively small or operated by a single telecom.

“The war against insecure routing won’t be won by a single technology,” Madory notes. But it can be improved over time with measures such as route filtering, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/oracle-releases-free-tool-for-monitoring-internet-routing-security/d/d-id/1336158?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IoTopia Framework Aims to Bring Security to Device Manufacturers

GlobalPlatform launches an initiative to help companies secure connected devices and services across markets.

IoTopia, a new framework for IoT security, aims to standardize the design, certification, deployment, and management of connected devices and services, GlobalPlatform reports.

This initiative marks the latest effort to build on IoT security by the industry standards body, whose members work to ensure its specifications align with current and emerging market requirements. GlobalPlatform has 2,600 industry representatives from 90 member companies, and people around the world rely on its certified secure elements, which have been integrated in chip-enabled credit cards, smartphones, smart TVs, and control units built into vehicles.

As the Internet of Things continues to expand, so, too, do GlobalPlatform’s efforts to better secure it, says executive director Kevin Gillick. “We’re progressing farther into this world of interconnected devices everywhere,” he explains. “The same component technology and the same security mindset is logically extensible into this new space.”

The IoT is the “wild, wild west,” Gillick continues. Device makers are entering the ecosystem and creating connected products without bringing security into the picture. Part of GlobalPlatform’s effort involves sharing standardization to bring products to market faster, at a lower price. It makes more sense, he says, for manufacturers to invest R&D into a service they can build their brands around rather than in their own security architectures and certifications.

“There is a lack of a common IoT security framework,” he adds. Device manufacturers don’t have security at the core of their competence; many avoid it because of the bias that adding more protection will increase cost and time to market. The idea behind IoTopia is to help these makers implement a framework that helps them move forward without bringing in security experts.

“We’re seeing a lot of industry associations crop up around IoT who talk a lot about requirements, talk about security and use cases, but don’t tell you how to implement it into technology,” Gillick says. “Moving from words and speech to something actionable and adoptable is [a gap] no one has been able to close.”

IoTopia is based on four pillars. The first is security by design, which includes capabilities and features that define how secure components and APIs can be used with existing “secure by design” standards. The second pillar is device intent. IoTopia uses Internet Engineering Task Force’s manufacturer usage descriptions and uniform resource identifier to manage device permissions and access on networks, GlobalPlatform explains.

“We want to make sure we have in place a simple way to answer important questions about the device,” Gillick says. “What is this thing? Who is responsible for it? How do I protect it, and how do I protect my business? Is it doing what it should be doing? … There’s no systematic way to go about doing that.”

The third pillar addresses autonomous, scalable, secure device onboarding (SDO), as IoTopia will offer an open, standards-based secure onboarding process to streamline network administration. The fourth focuses on device life cycle management, including a range of capabilities to manage devices throughout their life cycles aligned with international regulations.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/operations/iotopia-framework-aims-to-bring-security-to-device-manufacturers/d/d-id/1336159?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FTC Warns Consumers About Stalking Apps

Agency offers tips on how to detect and eradicate the spyware.

The Federal Trade Commission (FTC) today alerted consumers about the risk of mobile spyware that surreptitiously “stalks” smartphone users, snooping on call history, text messages, photos, GPS location, and browsing history.

The warning comes on the heels of the FTC’s settlement this week with app firm Retina-X Studios LLC, which sold apps called MobileSpy, PhoneSheriff, and TeenShield that could be used as “stalking apps” or “stalkerware,” the agency said. The FTC said Retina-X failed to ensure that buyers of the apps were deploying them legitimately.

Consumers who suspect that their phones are infested with stalkerware should check if the phone is jailbroken; either remove the spyware by executing a factory reset or replace the device altogether; and contact law enforcement, which can detect spyware on the device.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/privacy/ftc-warns-consumers-about-stalking-apps/d/d-id/1336161?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Tips for More Secure Mobile Computing

Mobile devices are a huge part of enterprise IT. Here’s what to advise their users to do to keep their devices – and critical business data – best protected.

Security professionals often talk about the importance of enlisting users as allies in the battle for better security. When it comes to mobile security, that alliance must be a working reality rather than a managerial dream — namely because these handheld machines are typically employee-owned, thus placing their use and precise configuration out of the hands of enterprise IT.

Developing this partnership begins with convincing users they’re an important part of business security. Depending on the industry, that could include training on regulations as they apply to mobile devices, education from cyber insurance companies, and presentations from intellectual property attorneys.

Once employees are on board, what specific actions should be encouraged? We went looking for best practices across the Internet, and eight kept showing up. It’s important to note that only two of them require products or services that aren’t included with most mobile devices. Two of the tips involve user behavior. And the other four are all about using features of the mobile device or operating system in the most secure manner possible.

We’d also like to know about your best practices. What actions or technologies not on this list are critical in your organization? Conversely, is there anything on our list you’ve found to be unnecessary? Let us know in the Comments section, below. After all, good communication about security is definitely a best practice.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/8-tips-for-more-secure-mobile-computing/d/d-id/1336088?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple