“Enable multifactor authentication” is the standard answer I give when I go on TV to report on a data breach and someone asks how businesses can defend themselves. Nevertheless, businesses continue to cling to passwords as their sole means of authentication. Whether you like it or not, identity, whether of people, devices, or services, is the foundation of cybersecurity. Unfortunately, there are moments when it feels as though we are still using 20th-century digital technology, and the cloud has simply moved our passwords to a different location.
I had the good fortune to meet with Troy Hunt recently, and he explained that outdated (and insecure) password hashes are still frequently found in data breaches. He reported seeing old MD5-hashed passwords alongside bcrypt in numerous instances, where users who had updated their passwords had a bcrypt hash while those who had not still had MD5. This was absurd, he thought, as the MD5 hash can be used as the seed for bcrypt, so it should have been possible to double-hash every password in a single pass. This seems to be either a total disregard for securing citizen data or a total lack of awareness of cybersecurity.
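The migration Troy Hunt describes, as an added example that is not code from the original post: every row of a legacy MD5 table is wrapped in a slow, salted hash at once, without knowing any plaintext, and the wrapped record is replaced by a direct slow hash the next time that user logs in successfully. Since this must run with the standard library alone, `hashlib.pbkdf2_hmac` stands in for bcrypt; the record layout, the `kdf(md5)` scheme name, the iteration count and the sample users are assumptions for illustration.

```python
"""One-pass migration of a legacy MD5 password table to a slow KDF.

Added example, not from the original post. Rather than wait for each user
to log in and re-hash, wrap the digest that is already stored:
    stored = kdf(md5(password))
Every row is upgraded immediately. The next successful login, when the
plaintext is briefly available, replaces the wrapped record with a direct
kdf(password) record.

hashlib.pbkdf2_hmac stands in for bcrypt so this runs offline; the
wrapping logic is the same for bcrypt.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def md5_hex(password: str) -> str:
    """The legacy, unsalted, fast hash the breached tables still contain."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Slow, salted hash standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy_table(legacy: dict) -> dict:
    """Upgrade every user at once: run the KDF over the *existing* MD5 digest."""
    upgraded = {}
    for user, md5hex in legacy.items():
        salt = os.urandom(16)
        upgraded[user] = {
            "scheme": "kdf(md5)",  # assumed marker for a wrapped legacy hash
            "salt": salt,
            "hash": kdf(md5hex.encode(), salt),
        }
    return upgraded


def store_fresh(password: str) -> dict:
    """Record for a password hashed directly with the slow KDF."""
    salt = os.urandom(16)
    return {"scheme": "kdf", "salt": salt, "hash": kdf(password.encode(), salt)}


def verify(record: dict, candidate: str) -> bool:
    """Check a candidate password against either record scheme."""
    if record["scheme"] == "kdf(md5)":
        secret = md5_hex(candidate).encode()  # reproduce the legacy step first
    elif record["scheme"] == "kdf":
        secret = candidate.encode()
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    # Constant-time comparison so a wrong guess and a near miss take equal time.
    return hmac.compare_digest(kdf(secret, record["salt"]), record["hash"])


def login(table: dict, user: str, candidate: str) -> bool:
    """Verify, and on success retire the wrapped scheme for this user."""
    record = table.get(user)
    if record is None or not verify(record, candidate):
        return False
    if record["scheme"] == "kdf(md5)":
        table[user] = store_fresh(candidate)  # plaintext is known now: upgrade
    return True


def demo() -> dict:
    """Constructed sample data: a legacy table as it looks in a breach dump."""
    legacy = {"alice": md5_hex("correct horse"), "bob": md5_hex("password1")}
    table = wrap_legacy_table(legacy)
    # Nobody has logged in yet, but nobody is protected by bare MD5 any more.
    assert all(r["scheme"] == "kdf(md5)" for r in table.values())
    login(table, "alice", "correct horse")  # succeeds and upgrades alice
    login(table, "bob", "wrong")            # fails; bob stays wrapped
    return table


if __name__ == "__main__":
    for user, rec in demo().items():
        print(user, rec["scheme"])
```

The point of the `scheme` field is that the two record types can coexist indefinitely: the wrapped rows are no weaker against offline cracking than fresh ones (an attacker must still pay the KDF cost per guess), and they disappear naturally as users log in, with no forced password reset.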
Thus, rather than emphasizing “security by design,” we have for years, if not decades, witnessed an emphasis on “secure after design.” Security is treated as an add-on and an afterthought. We would not construct bridges that were not designed to stay up, so why do we create systems that are not intrinsically secure? The causes? There are many, including developers’ lack of cybersecurity knowledge (particularly in cryptography), laziness, cost, the “get it shipped” mentality, the carelessness with which citizen data is handled, and genuine ignorance of the uses to which products and services will actually be put.
The EU’s GDPR pushes businesses towards a secure-by-design approach by calling for measures such as encryption and pseudonymisation and by requiring breach notification to the supervisory authority within 72 hours. However, GDPR is a generic law that says nothing about how products and services are actually designed.
Multi-factor authentication (MFA). Goal: within a year of signing the pledge, show that steps have been taken to measurably increase the use of MFA across all of the manufacturer’s products.
Default passwords. Goal: within a year of signing the pledge, show measurable progress in reducing default passwords across all of the manufacturer’s products.
Reducing entire classes of vulnerability. Goal: within a year of signing the pledge, show that steps have been taken to enable a significant, measurable reduction in the prevalence of one or more vulnerability classes across all of the manufacturer’s products.
Security patches. Goal: within a year of signing the pledge, show that steps have been taken to measurably increase the number of security patches that customers install.
Vulnerability disclosure policy. Goal: within a year of signing the pledge, publish a vulnerability disclosure policy (VDP).
CVEs. Goal: within a year of signing the pledge, show transparency in vulnerability reporting.
Evidence of intrusions. Goal: within a year of signing the pledge, show a measurable improvement in customers’ ability to gather evidence of cybersecurity intrusions affecting the company’s products.
In my opinion, these ought to be mandatory for large technology companies, and additional privacy-related goals such as data encryption and anonymisation ought to be added.