The week in security: New perimeters fighting breaches as old ones fall

The first week of National Cyber Security Awareness couldn't have been more timely, with two major-retailer hacks and a host of revelations confirming that cybersecurity issues are only continuing to get worse.

Microsoft was defending its Outlook Web Access against claims it can be exploited to reveal an organisation's user credentials. Also on the Microsoft front, some vendors are pointing out that endpoint protection tools can be used to effectively extend the usable life of legacy Windows XP and Server 2003 installations by building a layer of protection around platforms that are no longer being actively supported.

Speaking of no longer being actively supported, security researchers were pushing for the SHA-1 hashing algorithm – used to sign 1 in 3 SSL certificates – to be urgently retired after finding it can be attacked for just $US75,000.

The average mid-sized US company spends $US15m annually to fight cybercrime, new figures suggest. And sometimes the problems come in the most unexpected places, such as a ransomware network that Cisco Systems reportedly interrupted while doing research at a Dallas hosting provider. Hackers using a Linux cloak, the company said, are earning $US30m a year.

Dealing with the latest security threats can be tricky, and many organisations are responding by finding ways to limit employee access to particular resources. But some people argue that employee productivity is at stake and that the best approach is to make resources available by default unless there's a good reason not to.

That could, however, cause problems for the quarter of companies that can't tell how hackers get into their networks – a worrying statistic made even more so by the fact that many of those breaches will likely be attributable to mobile devices (often used as conduits for shadow-IT SaaS usage, increasingly targeted by smart detection solutions).

Indeed, Android security was once again under the spotlight as Stagefright 2.0 emerged and HTC said that it can't commit to monthly updates because of the complexities of dealing with carriers. That's not going to be reassuring given new research suggesting 87 percent of Android devices aren't up to scratch and most are patched only once a year.

Those are worrying statistics and reflect Android's contrast with iOS, where Apple pulled in-app ad blockers for security reasons and concerns that apps could spy on users' data traffic.
