The week in security: Security skills squeezed as human soft spot persists

The importance of the human element in information security is sometimes lost amongst all the discussion about new technologies, but the usage of insecure email services by former US secretary of state Hillary Clinton has brought the issue into sharp focus after it was revealed that her email remained unencrypted and unauthenticated for three months. Indeed, despite years of user education, experts continue to warn that the 'human firewall' is still suffering from significant weaknesses.

Many companies are struggling to find and keep enough IT security professionals, Cisco Systems warned, as another survey found that information-security professionals are under increasing pressure to deliver and are increasingly short-staffed. Little wonder the US government announced skills 'pathways' to boost cybersecurity take-up amongst young people.

The shortage may already be having knock-on effects, with Verizon warning that a worrying percentage of companies fail to maintain adequate people-based policies for credit-card data after they are initially certified as PCI DSS compliant. Such shortcomings are hitting other industries, too: one US law firm, for example, sued three major automobile makers for failing to provide adequate security in their in-car computer systems. Equally problematic is the flood of insecure mobile apps entering large enterprises – which, according to a new survey, have an average of 2400 unsafe mobile apps each.

Some of those may eventually be otherwise legitimate tools – which, with the release of the first medical apps built with Apple's ResearchKit, could become privacy weak spots unless security is correctly handled and commercialisation of the information discouraged. Apple will also need to carefully manage the security of its Apple Watch, which debuted during the week amidst broadening warnings about the need for security in the Internet of Things (IoT) paradigm.

Even as security industry figurehead Eugene Kaspersky warned that “a very bad incident” may hit critical infrastructure well before it is secured, there were signs that a range of computer Trojans, used since 2009 to steal data from high-value targets in government and elsewhere, had their roots in malware that may have been created by French intelligence agencies. Along similar lines, a code name found in malware from the Equation hacking group suggested that it may have .

Conventional government regulation was also getting a look-in, with a US Senate panel secretly approving a cyberthreat sharing bill and Australia's privacy commissioner reporting that he is “pleased” with the progress made in complying with the strict new privacy laws introduced a year ago this month.

In a world where surveillance seems to be everywhere, it's hard to stay off the grid – but organisations such as Wikimedia are doing their part, suing the NSA in an attempt to get the organisation to stop spying on its users. Yet that's not all the US government is doing to compromise security: documents from Edward Snowden's cache suggest that the CIA has been attempting to defeat the security of Apple devices for years.

The FREAK SSL bug had proved more successful on that count, but it was open season on the flaw as Apple fixed the FREAK SSL bug in its iOS 8.2, OS X and Apple TV products, then added its Safari Web browser to the list. Microsoft fixed FREAK in its latest Patch Tuesday, while Cisco wiped out the vulnerability from its OpenSSL-based equipment.

Only BlackBerry has come out saying it has no fix for FREAK, which can't be great for the long-running perception that its security credentials are impeccable. Yet there could be more trouble, if past patches are anything to go by: HP researchers warned that a previous Microsoft patch for the LNK exploit used by the Stuxnet worm was flawed.

Indeed, new techniques are appearing with frightening regularity: Google researchers have even figured out how to hack computers using electrical leaks between the individual cells inside computer DRAM memory. A new hacking tool allows the hijacking of credentials on sites that use the Facebook Login feature of the social-media network, while researchers demonstrated a troubling method that may put people off buying used Nest smart thermostats. Little wonder that Google's smart-home scoring patent application wants to evaluate a home's overall security and give it a rating.

Increasing resourcefulness in breaking through security protections is driving a slump in trust in keys and digital certificates, some warn. Of course, vendors like Lenovo haven't done much to boost trust either: in the wake of its Superfish adware debacle, the company's joint efforts with Microsoft suggested that there were now fewer than 1000 Lenovo PCs infected daily with Superfish. Yet with new ransomware now targeting gamers, the malware scourge continues unabated.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
