User security awareness, incident response lessons following Heartbleed, stolen government malware, Snowden on encryption and Android app permissions are among this week’s top #infosec reads.
The weakest link in security isn't always technology but often the habits of the people who use it, which is why survey results on the security awareness training practices of some of the UK's major companies worry David Prince. On the other hand, this article reveals that CSOs are picking up on the value of "security culture," which at least promises modest improvement.
An important takeaway from the Heartbleed disclosure is how conflicting intel and hype affected the response. Heartbleed was quickly raised to the executive level. This is rare among security incidents; historically, only the most serious ones reach that level (for example, where an exploit goes undetected or a vulnerability remains unresolved for months at a time, and the discovery of a breach or loss is a calamity event). In contrast, information about Heartbleed (not all of it completely accurate) was abundant and viral. Everyone was talking about it, and the "hysteria" caused IT groups everywhere to devote a great deal of the response effort to setting execs' minds at ease. If we could get the same kind of reaction, sans hysteria, with the same rapid response for every security threat, incident response would improve dramatically.
The next Bond film in the making. I can even picture M briefing 007 about how the KGB need to get their act together the next time they think of dabbling in cyberspying. It does raise the question of how much malware out there was first developed for espionage. It sounds like conjecture, but it's important to know. Cyber criminals often prefer to work smarter than harder, so it's not a stretch to imagine that out of all the known (and unknown) malware threats in cyberspace, our governments share the burden of responsibility for their existence.
"Knowledge among individual practitioners is still lacking" seems to be this week's theme. While Snowden's celebrity status has taken the spotlight over his security expertise (and he may be plugging SpiderOak shamelessly), he has the right of it. Dropbox is under a great deal of scrutiny, and experts agree that encryption is good practice for anyone looking to keep their information safe.
App permissions are fine-tuning ads, but is that all they're doing? Android apps aren't restricted from accessing user data. Seven out of every ten apps can send text messages, and three out of ten can read users' messages too. That's a huge red flag for any organization, as endpoint devices are at serious risk with the Android app market being as laid back as it is.