It’s Gonna Be May: Client Coverage Round-Up
Cyber Security, High Technology, Public Relations, Technology Posted May 31, 2019 by Kayla Krause
Channeling my inner teenage, boy band-obsessed self, combined with a love for any kind of GIF – the month of May always makes me think of…
That being said – in true *NSYNC fashion, our clients were bringin’ da noise this month with breaking news comments and coverage. Some also took the time to write about recent security trends, a la Docker containers, or pen some best practices to use in preventing a data leak; while others said bye, bye, bye to making risk management harder than it needs to be and discussed better ways to measure and manage cyber risk. Check ‘em out below, you won’t want to miss these articles – This I Promise You…
Container Journal, Docker Inc. Addresses Latest Vulnerability
A “time of check to time of use” (TOCTOU) bug reported in Docker containers caused a bit of a stir, as it could be employed to enable malicious code inside a container to gain arbitrary read/write file access on the host with root privileges. Capsule8’s Kelly Shortridge, who wrote an analysis of the bug, told Container Journal that while the potential damage caused by the bug is high, these and other Docker and Kubernetes vulnerabilities recently disclosed are nowhere near serious enough to dissuade any organization from employing containers.
At the beginning of the month, U.S. President Donald Trump signed an executive order on growing and strengthening the federal cybersecurity workforce. The White House explained there are over 300,000 cybersecurity job vacancies in the United States and believes it’s crucial for the country’s economy and security that these jobs are filled. Dave Weinstein, Chief Security Officer of Claroty, was quoted saying that the order paves the way for giving mission-oriented cybersecurity professionals a legitimate alternative to industry, even if it means taking a pay cut. And when it comes to cybersecurity, there should be a revolving door between industry and government.
Hackers look for low-hanging fruit, and misconfigurations are counted among them. This byline, authored by Tim Bandos, VP of Cybersecurity for Digital Guardian, takes readers through the most common configuration mistakes that lead to leaked company data. From delayed software patching to password re-use, some of these security “faux pas” seem obvious, but can be difficult to avoid nonetheless.
FedScoop, Should agencies pilot zero trust now?
At the recent CSA Federal Summit 2019, Duo Security’s Advisory CISO, Sean Frazier, presented a keynote session, “A Walk in the Clouds: Zero Trust Security for a Cloud World”, discussing how agencies building zero-trust networks should start with a single, successful application and modularize successive components. Afterwards he caught up with FedScoop’s Dave Nyczepir to dive deeper into that session. Sean explains to Dave that agencies performing information technology modernization can build apps with security baked in and, through repetition, can “be well on their way” to having a zero-trust environment. He also notes that NIST has an opportunity to standardize zero trust so that agencies and vendors have a shared language around implementation, which is particularly important because every agency’s zero-trust framework will involve multiple vendors.
At the beginning of May, Baltimore city government computers were infected with ransomware. Hackers demanded payment for the second time in just over a year, underscoring the struggle that municipal governments face when trying to keep computer networks safe. Flashpoint’s Director of Intelligence, Christopher Elisan, spoke with the Baltimore Sun shortly after the attack happened and highlighted specific details about the ransom note and said that the relatively small ransom demand also suggested the attack was not targeted.
SecurityWeekly, Enterprise Security Weekly Podcast #139
Chief Risk Scientist of RiskLens and Chairman of the FAIR Institute, Jack Jones, sat down with Enterprise Security Weekly’s podcast host Paul Asadoorian to talk all things risk management. In general, risk management can be perceived to be harder than it really is, and as Jones mentions, we too often take at face value what infosec tools say and that generates a tremendous amount of noise. Throughout the podcast, Jones gives a refresh on the ways in which businesses can better manage and measure cyber risk.