The week in security: Security skills squeezed as human soft spot persists

The importance of the human element in information security is sometimes lost amongst all the discussion about new technologies, but the use of insecure email services by former US secretary of state Hillary Clinton has brought the issue into sharp focus after it was revealed that her email remained unencrypted and unauthenticated for three months. Indeed, despite years of user education, experts continue to warn that the 'human firewall' is still suffering from significant weaknesses.

Many companies are struggling to find and keep enough IT security professionals, Cisco Systems warned, as another survey found that information-security professionals are under increasing pressure to deliver and are increasingly short-staffed. Little wonder the US government announced skills 'pathways' to boost cybersecurity take-up amongst young people.

The shortage may already be having knock-on effects, with Verizon warning that a worrying percentage of companies fail to maintain adequate people-based policies for credit-card data after they are initially certified as PCI DSS compliant. Such shortcomings are hitting other industries, too: one US law firm, for example, sued three major automobile makers for failing to provide adequate security in their in-car computer systems. Equally problematic is the flood of insecure mobile apps entering large enterprises – which, according to a new survey, have an average of 2400 unsafe mobile apps each.

Some of those may eventually be otherwise legitimate tools – which, with the release of the first medical apps built with Apple's ResearchKit, could become privacy weak spots unless security is correctly handled and commercialisation of the information discouraged. Apple will also need to carefully manage the security of its Apple Watch, which debuted during the week amidst broadening warnings about the need for security in the Internet of Things (IoT) paradigm.

Even as security industry figurehead Eugene Kaspersky warned that “a very bad incident” may hit critical infrastructure well before it is secured, there were signs that a range of computer Trojans, used since 2009 to steal data from high-value targets in government and elsewhere, had their roots in malware that may have been created by French intelligence agencies. Along similar lines, a code name found in malware from the Equation hacking group suggested that it may have .

Conventional government regulation was also getting a look-in, with a US Senate panel secretly approving a cyberthreat sharing bill and Australia's privacy commissioner reporting that he is “pleased” with the progress made in complying with the strict new privacy laws introduced a year ago this month.

In a world where surveillance seems to be everywhere, it's hard to stay off the grid – but organisations such as Wikimedia are doing their part, suing the NSA in an attempt to get the organisation to stop spying on its users. Yet that's not all the US government is doing to compromise security: documents from Edward Snowden's cache suggest that the CIA has been attempting to defeat the security of Apple devices for years.

The FREAK SSL bug had proved more successful on that count, but it was open season on the flaw as Apple fixed the FREAK SSL bug in its iOS 8.2, OS X and Apple TV products, then added its Safari Web browser to the list. Microsoft fixed FREAK in its latest Patch Tuesday, while Cisco wiped out the vulnerability from its OpenSSL-based equipment.

Only BlackBerry has come out saying it has no fix for FREAK, which can't be great for the long-running perception that its security credentials are impeccable. Yet there could be more trouble, if past patches are anything to go by: HP researchers warned that a previous Microsoft patch for the LNK exploit used by the Stuxnet worm was flawed.

Indeed, new techniques are appearing with frightening regularity: Google researchers have even figured out how to hack computers using electrical leaks between the individual cells inside computer DRAM memory. A new hacking tool allows the hijacking of credentials on sites that use the Facebook Login feature of the social-media network, while researchers demonstrated a troubling method that may put people off buying used Nest smart thermostats. Little wonder that Google's smart-home scoring patent application wants to evaluate a home's overall security and give it a rating.

Increasing resourcefulness in breaking through security protections is driving a slump in trust in keys and digital certificates, some warn. Of course, vendors like Lenovo haven't done much to boost trust either: in the wake of its Superfish adware debacle, the company's joint efforts with Microsoft suggested that there were now fewer than 1000 Lenovo PCs infected daily with Superfish. Yet with new ransomware now targeting gamers, the malware scourge continues unabated.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue