FireSale HackBoy


Wednesday, June 30, 2021

What tools can be used in the fight against identity document fraud

Back in February 2021, we wrote a blog discussing how to prevent sophisticated physical document fraud, focusing on what the fraud looks like today and what can be done to reduce it. With the Secure Identity Alliance releasing a new report offering in-depth guidance on fighting passport fraud, now is a good time to revisit this subject.

There can be no doubt that document fraud is a serious crime and one that often leads to other significant threats for citizens, including human trafficking, drug smuggling, and terrorism. While it may seem like using fake passports is something reserved solely for spy, action or thriller movies, 47% of the fraudulent documents detected at European Union external borders in 2019 were passports. And, this problem is only set to grow, as criminals use more sophisticated techniques to forge documents. It is therefore essential that security experts and industry bodies come together to jointly develop innovative ways to protect ID documents, making them more intuitive to authenticate and fraud easier to detect.

Security is a gradual process, not binary

Ensuring document security protocols are up to date requires a close and consistent monitoring of technology evolution and threats, to keep a step ahead in that constant race against fraud. Passports, just like any other product, need to be protected from their conception using the principle of ‘cybersecurity by design’. Integrating security from the start of a product’s lifecycle is now a must-have in the fight against criminal activity. What’s more, in order to constantly stay one step ahead of fraudsters, the continued addition of new protective features, materials or techniques is essential.

Enhancing software security in passports

Securing the embedded software in a passport is also imperative. As demonstrated in eID cards, one way to enhance security in citizen credentials is to use open platforms – thanks to their post-issuance capabilities. This means if a key or algorithm is exposed in an attack, the issuer can switch to another algorithm, change the applet or deactivate faulty services – thus protecting citizens’ data. In essence, this addresses the natural security erosion over the life of a product as new types of attacks are developed.

Recent evolution in Common Criteria Certification

Over the last 25 years, Common Criteria certification has been the undisputed reference for securing a document's embedded software. It defines which security evaluations an ID document's embedded software must undergo, both at the time of procurement and throughout its operational lifetime.

Until June 2019, Common Criteria certificates had no expiry date and remained valid until the product was phased out. Since then, the EU Cybersecurity Act and the Common Criteria Recognition Arrangement (CCRA) have revised their approach to lifetime security assessment: a five-year administrative validity period is now enforced. In practice, this means a security re-assessment is required before the five years end in order to extend the validity of the certificate.

The new regulation also strongly recommends that cybersecurity products offer the ability to be patched after their issuance, as part of a resilient strategy.

How governments can ensure the issuance of secure documents

When thinking about bolstering ID document security, governments should try to follow these four key principles: anticipate, resist, react, restore. This will allow them to deliver the intended outcome of protecting their citizens in spite of adverse cyber events.

Following this approach, governments can prevent as many attacks as possible, making life difficult for attackers; reduce the severity of those that do succeed; manage the impact properly when an incident happens; and use the experience to improve future products.

To fulfil this, governments need a long-term embedded software roadmap, with regular security surveillance and Common Criteria certification maintenance of the embedded software. They also need to make sure they are phasing out older products and migrating to new ones at regular intervals.

Finally, documents already in the field need to have upgradable features so the latest security upgrades can be made available to citizens through the use of a Document Lifecycle Management platform.

Using the information provided by the Secure Identity Alliance’s latest report, government authorities now have more guidance on the tools and techniques they need to fight document fraud. With this detailed analysis of the current document fraud landscape, public bodies are able to select the best security features when designing their documents to protect their citizens against fraud.

Only by deploying the latest security features, and through the use of emerging defensive technologies, can governments stay ahead in the permanent race against fraud. This revolves around actively monitoring any new threats to protect sensitive assets today, but also to anticipate future needs. This is our commitment to Cyber Resilience.

If you would like to know more about the security upgrade available in our latest secure embedded software range for identity documents, please tweet us @ThalesDigiSec or visit our dedicated webpage here.

The post What tools can be used in the fight against identity document fraud appeared first on Cybersecurity Insiders.


July 01, 2021 at 09:09AM

How have people proven their identity since the dawn of time?

The concept of human identity is something which has existed for thousands of years. Before we proved our identities with plastic cards or on our mobile devices, people proved their identity in several ways, such as language, physical identifiers or objects.

As part of our series on Digital Identity, this blog will look back on the personal identification techniques of previous eras to show how methods of identification have developed over the course of human history.

100,000 years ago – Jewellery

While drawing solid conclusions from evidence dating back hundreds of centuries is difficult, researchers and historians have been led to believe that cultures which existed nearly 100,000 years ago used items of jewellery as personal identifiers.

By studying artefacts found in modern day South Africa, Israel and Algeria, researchers believe that jewellery, such as beads, were used to communicate information such as wealth, familial origins and personal identity.

However, the method of using personal items as proofs of identity has not faded with history, with institutions such as the military using dog tags as individual identifiers for each soldier.

1046 BC – Tattoos

Another historical identification method was the use of tattoos. In numerous cultures, tattoos were considered valuable forms of identification because of their permanent nature. The use of tattoos as identification can be dated back as far as 1046 BC, where the Chinese authorities under the Zhou dynasty would use tattoos to mark prisoners.

However, arguably the most famous use of tattoos for identity purposes can be found amongst the Māori, the indigenous people of New Zealand. Lacking a written language, the Māori would use their facial tattoos (called Mokos) to identify themselves to other tribes. No two Mokos would be the same, each one detailing the individual heritage and history of the wearer’s family.

1415 – The first passport

The passport, one of the core identity documents of the modern world, was first created under the reign of King Henry V of England, following the Safe Conducts Act of 1414. Henry V created the passport for English citizens as a method of proving their identity in foreign countries.

Back then, passports were known as ‘safe conduct’ documents. However, they came to be known as passports around 1540, with the term ‘passport’ originating from a medieval document that was required to pass through the gate of a city wall or to pass through a territory.

1829 – Personal identification numbers

In 1829, the British Government enacted the Metropolitan Police Act, based on the reforms put forward by English statesman Sir Robert Peel. While this may seem initially unrelated to the history of identity, the Metropolitan Police Act saw police stations begin to store data in personal document files, each file being linked back to individuals using a unique numerical value. In short, this act was the inception of personal identification numbers, these later forming the basis of personal ID cards seen across the world today.

By 1936, the United States had begun rolling out their Social Security number cards, with other countries beginning to follow this example with the rise of electronic data processing.

1858 – First instance of biometric information being used for identification

It could be argued that the use of biometric identifiers, such as fingerprints, as identification has existed since pre-historic times. However, the first modern use of biometrics as an identifier was in 1858, when Sir William Herschel, a British civil servant and magistrate in India, recorded the handprints and fingerprints of workers on their employment contracts. He was later credited as the first individual to use fingerprints as a practical means of identification.

1961 – The first computer password

Again, passwords are not a modern invention: ancient societies such as the Romans used passwords in their military as a means of identifying individuals entering restricted areas. However, passwords on computers, as we commonly use them today, were first developed at the Massachusetts Institute of Technology for the Compatible Time-Sharing System (CTSS), one of the first time-sharing operating systems.

While the use of passwords is a common reality for many of us, they are not without their flaws. This year, researchers have found that compromised passwords are the primary means by which hostile actors break into an organisation. In response to the ever-weaker protection offered by passwords, many organisations have turned to other methods, such as digital identity technology, to secure their data.

2004 – The development of advanced biometrics

A recurring theme in the later stages of our timeline, biometric technology took its quantum leap at the turn of the century. In 2004, for example, the U.S. states of Connecticut, Rhode Island and California established the first state-wide palm print databases. These databases were primarily used by law enforcement agencies to search unidentified palm prints against known offenders.

Six years later, the world’s largest biometric digital ID system, called the Aadhaar system, launched in India. The system was designed to speed up the verification process for government agencies while reducing fraud.

Today, biometric authentication is a constant feature in our lives, with many smartphones utilising facial or fingerprint recognition as a security measure.

With this rich history laying the foundations, we are now seeing the latest iteration of identification permeate societies across the world: Digital ID. With it comes the potential to unlock a wide spectrum of services that could only have been dreamt of in bygone times.

To find out more, read Thales’ recent eBook on digital identity. Follow us on Twitter @ThalesDigiSec to discover more about Thales DIS!

The post How have people proven their identity since the dawn of time? appeared first on Cybersecurity Insiders.


July 01, 2021 at 09:09AM

DoD Adds Two More (ISC)² Certifications to Requirements for Cybersecurity Staff

Earlier this week, (ISC)² announced that the DoD has added both the HCISPP and CCSP certifications to its DoD 8570 Approved Baseline Certifications table on the DoD Cyber Exchange website.

Why does this matter?

This means that every certification in the (ISC)² roster is now an approved baseline certification for one or more security workforce categories within the Department, depending on the functional area the role covers. Approval for these additions came from the DoD Senior Information Security Officer, following a recommendation by the Cyber Workforce Advisory Group (CWAG) Certification Committee.

The HCISPP has been approved for the following categories:

  • Information Assurance Manager Level 1 (IAM 1)
  • IAM Level II (IAM II)

The CCSP has been approved for the following categories:

  • Information Assurance System Architect and Engineer Level III (IASAE III)
  • Information Assurance Technician Level III (IAT III)

This also points to a raised level of importance that the DoD sees related to healthcare privacy data and cloud security; two areas that have been under near-constant attack and part of high-profile ransomware breaches within the past year. As last week’s #RansomwareWeek here on the (ISC)² Blog showed, the level of threat is only increasing as ransoms are paid and precedents are set. Breaches of cloud platforms, whether direct hits or through a third-party supplier, are high-risk scenarios, and healthcare systems and data are particularly sensitive as hospital networks cannot sustain prolonged outages without endangering patient safety.

As Dr. Casey Marks, chief qualifications officer for (ISC)² expressed at the time, “The addition of the HCISPP and CCSP certifications to the DoD’s requirements for certain cybersecurity roles points to the growing need to protect and defend health information and cloud data from targeted attacks. These certifications attest that their holders have broad, experience-based mastery of security concepts in real-world situations. Adding such professionals to the front lines of national cyber defense is an encouraging step by the DoD.”

Government agencies have trusted (ISC)² to train and certify their cybersecurity personnel for more than two decades. (ISC)² offers nine distinct Information Assurance (IA) certifications that meet the requirements for 11 of the 14 work roles defined in DoDD 8140.01 and DoD 8570.01-M. In accordance with these two regulations, personnel performing Information Assurance (IA) functions are obligated to obtain one of the certifications required for their position, category/specialty and level in order to fulfill the IA baseline certification requirement.

To review all the (ISC)² certifications that are required for certain levels of DoD Information Assurance roles, please visit: https://www.isc2.org/-/media/876358A408FC4F7A953A12CB918CB8FB.ashx

The post DoD Adds Two More (ISC)² Certifications to Requirements for Cybersecurity Staff appeared first on Cybersecurity Insiders.


July 01, 2021 at 09:09AM

AI everywhere: How AI is being applied in 4 different fields

This blog was written by an independent guest blogger.
Historically, the idea of artificial intelligence (AI) saturating our world has been met with suspicion. Indeed, it’s one of the more popular tropes of science fiction — learning machines gain sentience that helps them take over the planet. While we’re not even slightly close to that dystopian reality, we have reached a point at which AI has been significantly integrated into various aspects of our society.
While this isn’t without its risks, largely from a security standpoint, there are huge benefits. Indeed, some of those cybersecurity risks are even being mitigated by utilizing AI to predict and combat breaches. Machine learning, while still very much in its infancy, is proving to be an agile tool to increase efficiency and assist innovation. 
It’s always important, though, to have a good…

Posted by: Devin Morrissey

The post AI everywhere: How AI is being applied in 4 different fields appeared first on Cybersecurity Insiders.


June 30, 2021 at 09:10PM

How we can use strong authentication to instantly activate digital banking cards

In today’s digital world, using our mobile phones to consume services is now a part of everyday life. With the average person now spending 2 hours and 51 minutes on their phone each day, service providers like ecommerce sites and entertainment channels have had to adapt their interfaces so that they also work on a smartphone.

The financial services industry is no exception. Based on our research, 80% of banked people now use their bank's mobile app to review their transactions, check statements and send money to others. The reason is simple: the notion of waiting in line, as in a branch, simply does not exist when using a smartphone.

Nonetheless, while accessing our bank accounts via a smartphone is easier and more convenient for customers, it presents a significant challenge to the financial services industry. Providers need to grant or deny access to very sensitive information in real time, to someone they cannot authenticate physically, from a device they have never seen before.

Now, however, with Digital First mobile app technologies, providers can mitigate this problem while still providing the same seamless user experience.

Onboarding with strong authentication, and identification

When designing their mobile app, all digital service providers need to choose what level of verification will be required to authenticate users and give them access to their services. This will vary depending on what the service is and what type of information it holds. Accessing your Netflix account on your mobile may only require a password, for example, whereas accessing an app containing your health records will require much stronger authentication methods.

Onboarding onto a sensitive service that holds a lot of your personal data requires proof of identity. This is why an ID verification process is needed in order to open a bank account on your mobile. The customer must present a valid ID document and pass a biometric check, such as a selfie matched against the photo on that document, which binds the person to the document. If the document is valid and the person presenting it is its genuine owner, then the service can be granted.

The trick here is to ensure a smooth user journey for genuine customers wanting to open an account while making sure that attempts by fraudsters are denied. In a Digital First mobile experience, all the above steps, plus additional watch-list checks (for anti-money-laundering purposes, for example), can be performed in less than 5 minutes.

What's more, it is expected that this 5-minute figure will soon be closer to one minute, with the proliferation of national digital identity schemes and as the ID document verification process becomes more familiar to customers. Digital First provides the best digital banking and payment experience, with optimized speed, security and ease of use.

What about existing customers?

For an existing customer, Digital First will offer a variety of new services that the user will be able to access from their app, such as digital cards issuance, virtual card display, or PIN code management.

Why is this possible? Well, with Digital First, once ID proofing has been performed at account opening, the user can be authenticated quickly and easily whenever the bank deems it necessary, using a strong, multi-factor technique. 'Strong' authentication refers to combining factors from different categories, knowledge, possession and inherence, so that the candidate is shown to be the genuine, previously onboarded user; two factors from the same category add little.
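The factor-combination rule above, as an added example that is not part of the original post: a Python sketch in which the record the bank keeps after ID proofing holds a password hash (knowledge) and a TOTP secret (possession), the phone's biometric result stands in for inherence, and each action is gated on how many distinct categories verified. The action names, the thresholds in POLICY, the Enrolment record and the authorize function are assumptions made for this illustration, not any vendor's API; the HOTP/TOTP code follows RFC 4226 and RFC 6238.

```python
"""Added example (not from the original post): step-up authentication for a
banking app after one-time ID proofing.  'Strong' means two *different*
factor categories; two checks of the same category count once.  Action
names, thresholds and record layout are assumptions for illustration."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # illustrative; raise for production hardware
TOTP_STEP = 30                # seconds per RFC 6238 time step

# Distinct factor categories each (hypothetical) action requires.
POLICY = {
    "view_balance": 1,
    "activate_card": 2,
    "view_pin": 2,
}


@dataclass
class Enrolment:
    user: str
    salt: bytes
    password_hash: bytes    # knowledge factor
    totp_secret: bytes      # possession factor (authenticator on the device)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enrol(user: str, password: str, totp_secret: bytes) -> Enrolment:
    """Create the record the bank keeps once ID proofing has succeeded."""
    salt = os.urandom(16)
    return Enrolment(user, salt, _hash_password(password, salt), totp_secret)


def verify_password(rec: Enrolment, password: str) -> bool:
    # constant-time comparison so a wrong guess leaks nothing by timing
    return hmac.compare_digest(_hash_password(password, rec.salt), rec.password_hash)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, at // TOTP_STEP, digits)


def verify_totp(rec: Enrolment, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift."""
    step = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(rec.totp_secret, step + d), code)
        for d in range(-window, window + 1)
    )


def authorize(rec: Enrolment, action: str, *, now: int,
              password: Optional[str] = None,
              totp_code: Optional[str] = None,
              biometric_ok: bool = False) -> bool:
    """True only if every presented factor passes AND enough distinct
    categories are covered for `action`.  `biometric_ok` stands in for the
    platform's inherence check (fingerprint/face API); the app never sees
    the biometric template itself."""
    checks = []
    if password is not None:
        checks.append(("knowledge", verify_password(rec, password)))
    if totp_code is not None:
        checks.append(("possession", verify_totp(rec, totp_code, now)))
    if biometric_ok:
        checks.append(("inherence", True))
    if not checks or not all(ok for _, ok in checks):
        return False                       # fail closed on any bad factor
    return len({cat for cat, _ in checks}) >= POLICY[action]


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret and a password.
    rec = enrol("alice", "correct horse battery", b"12345678901234567890")
    code = totp(rec.totp_secret, 59)
    print("view_balance, password only:", authorize(rec, "view_balance", now=59, password="correct horse battery"))
    print("activate_card, password only:", authorize(rec, "activate_card", now=59, password="correct horse battery"))
    print("activate_card, password+TOTP:", authorize(rec, "activate_card", now=59, password="correct horse battery", totp_code=code))
```

A password and a PIN would both be "knowledge" and so never satisfy a two-category action on their own, and a request in which any presented factor fails is denied outright rather than letting the caller learn which one was wrong. The one-step window is the usual allowance for clock drift on the device; widen it and you widen the brute-force surface.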

Don’t do the job twice. Delegate authentication to the mobile app…. if it’s well done.

While these authentication and identification concepts are not new, using them after ID proofing to activate sensitive services is a huge leap for the industry. The old-school method was to do the job twice: the mobile app verified that you are who you say you are, and the payment schemes did so again, separately, which usually meant resubmitting the same ID documents already provided during onboarding.

Digital First is a shared commitment by all stakeholders, payment schemes, card issuers and technology partners, to remove friction for the user and focus on one thing: a meaningful, fast, secure user experience.

The complexities behind Digital First

While the benefits of implementing a Digital First offering are numerous, it should be noted that the skills needed to help banks achieve this vision are tremendously complex to master, because they come from three silos that have traditionally been completely independent: payment, banking and issuance. We have experience and expertise in all three pillars and manage them under one single platform.

Join us on the Digital First journey and start giving your customers access to instantaneous financial services today.

The post How we can use strong authentication to instantly activate digital banking cards appeared first on Cybersecurity Insiders.


June 30, 2021 at 09:09PM

How can Digital First banking benefit financial institutions?

The benefits of Digital First banking for the consumer are clear. Whether it’s both physical and digital card issuance, real-time card management or secure, hassle-free online payments, the services on offer to consumers when it comes to Digital First banking are almost endless. With these digital features comes increased convenience and instantaneity, the core principles of modern banking.

But what is the benefit of Digital First for banks? While better serving the consumer is always the core goal for financial institutions, Digital First can also enhance the services that banks offer in a variety of key areas. So, before investing in a best-in-class digital banking infrastructure, it is important to know how Digital First can benefit your bank as well as your consumers.

Empowering EMV as the premier online payment method

While the use of EMV bank cards is a staple when it comes to physical, in-person purchases, their use for buying goods and services online is less consistent. The meteoric rise of online shopping has seen the payment market diversify, with more consumers paying for goods and services with digital wallets and person-to-person (P2P) payments, displacing EMV bank cards as the primary option when shopping online.

What's more, the use of EMV cards online can come with its own problems. Research has found that as many as 27% of shoppers abandon their online shopping carts because of complicated checkout processes. While seemingly easy, the repeated process of entering card details has proven to be a sticking point for consumers.

With this in mind, how can banks make EMV cards more accessible than other payment methods?

With a Digital First approach, banks can cut out the hassle of entering card details by offering consumers instant digital card payment through their mobile apps. With services such as virtual card display, consumers can seamlessly pay for their products without having to spend time repetitively punching in their card details.

Why does this benefit banks? With a more convenient transaction process, consumers will be incentivized to use their EMV cards from their mobile. As a result, the increased convenience of the virtual card leads to more consumers using their bank issued EMV card for online transactions.

The battle for online purchases is far from over, and with the help of Digital First banking, banks can strengthen the online position of their EMV cards against competing methods.

Enhanced Security for the issuer and consumer

We can all agree that when it comes to payments, security will remain a top priority across the board, both for banks and consumers. As of last year, global payment fraud was predicted to reach as much as $40.62 billion in 2027 (25% higher than 2020). What's more, CNP (card-not-present) fraud accounted for 76% of fraud losses in Europe in 2020. With these numbers in mind, it is critical that banks equip themselves and their consumers with the tools needed to prevent fraud from occurring.

With Digital First banking anchored around the mobile banking app, banks can use measures such as biometric authentication or digital signatures to ensure that only the enrolled, legitimate user of the app can access the mobile banking suite.

And, in the unfortunate case of a physical card being stolen, consumers can be alerted of unwanted transactions through real-time transaction display in the form of notifications on their smartphone. Upon being alerted, consumers can simply cancel or freeze their card in real time through the mobile app, to prevent any further unwanted transactions.

By empowering consumers with the tools to protect their payment information, banks can in turn provide further protection to themselves through Digital First.

Increased competitiveness (through a wide, adaptable range of services)

Today, banks are well aware of what the consumer wants when it comes to banking: simplicity and instantaneity. As such, banks across the financial services landscape, including online-based ‘neobanks’, have expanded their offering to cater to these evolving consumer expectations. So, as each bank broadens the spectrum of services they offer, maintaining a competitive advantage in a fierce market is crucial.

With a Digital First methodology, banks can become more competitive by giving consumers the keys to their own banking experience, offering an adaptable service that can fit the needs of any consumer, all the while maintaining the core tenets of convenience and instantaneity.

Whether it is an online shopper who wants to use specific cards on particular eCommerce sites, or a traditional bank customer who prefers to collect their new cards in store, Digital First enables banks to shapeshift to fit the needs of any customer, regardless of their personal preferences.

While better serving consumers will always remain a priority for any bank, it’s important that the solutions they implement offer additional benefits that help take their range of services to the next level. With Digital First, the promotion of customer experience can simultaneously improve a bank and their services.

Looking to find out more about Digital First? Learn more at our dedicated webpage. If you have any questions, let us know in the comments or tweet us @ThalesDigiSec, and we’ll get back to you with an answer!

The post How can Digital First banking benefit financial institutions? appeared first on Cybersecurity Insiders.


June 30, 2021 at 09:09PM

Data of 700 million LinkedIn users leaked and put for sale on Dark Web

LinkedIn is back in the news for failing to protect its user data from hackers, and this time the issue is serious: data of over 700 million of its 756 million users has been leaked and put up for sale on the dark web.

However, the professional networking site denies the media claims, stating that the newly discovered data is old, scraped data from the earlier incident in April 2021.

A spokesperson for the company confirmed that no new data belonging to any member was exposed in the attack, contrary to speculation in a certain section of the media.

The California-based company has also issued a statement that it does not tolerate any kind of user-data scraping by members or third parties to which the members have not agreed, described the activity as a violation of LinkedIn's terms of service, and assured that such activity will be blocked and those engaging in it will be prosecuted.

Note 1 – LinkedIn's April 2021 incident exposed critical member data, including physical addresses, phone numbers, salary estimates, workplace information, gender details and links to members' other social media accounts.

Note 2 – Launched on May 3rd, 2003, LinkedIn is the world's first employment-based social media platform and serves its users through a website and a mobile app. By 2015 the company earned most of its revenue by selling recruiters and sales professionals access to member information, and in December 2016 Microsoft completed its acquisition of the platform, which today has over 756 million users spread across 200 countries.

The post Data of 700 million LinkedIn users leaked and put for sale on Dark Web appeared first on Cybersecurity Insiders.


June 30, 2021 at 08:41PM

Tuesday, June 29, 2021

New disputes to arise from ransomware payments ban

Law enforcement agencies are urging ransomware victims not to make any ransom payment to hackers, as paying not only encourages crime but also does not guarantee that a working decryption key will be handed over in exchange.

Some security analysts say, however, that a ban on payments could give rise to fresh troubles for businesses and their owners.

Know how….?

1.) If a business that refuses to pay has to close its operations permanently, its customers can take it to court for failing to honour prior commitments.

2.) If the victim is a law firm or a police unit that lost critical data by not bowing to the hackers' demands, it could backfire on those facing prosecution, as there is a 95% chance that they will lose the case and might face a jail term.

3.) Banning cryptocurrency payments to hackers could have other consequences: ransomware gangs could be pushed to launch more damaging attacks, making organizations desperate enough to look for other solutions, such as secret negotiations with the hackers to get their stolen data back.

4.) Hackers can leak the stolen data on the dark web, or sell it to interested buyers who then use that data to launch further extortion attacks.

5.) A rise in third-party companies, such as security firms that negotiate with ransomware gangs on the victim's behalf to obtain the decryption key, will be witnessed. Many such businesses have already sprouted around the Bay Area, where staff deal privately with hackers and cryptocurrency sellers and make extra money from victims on top of the usual ransom payment.

So, what’s the advice?

Keep a copy or two of the data on a separate node the attacker cannot reach, or in the cloud, and deploy resilience technology so that the backed-up information can be recovered as quickly as possible when the time comes; a backup that has never been restored is not yet known to work.

Using anti-malware software, patching processes and security protection tools for email, web and mobile also makes complete sense.
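The backup-and-recover advice above, as an added example that is not from the article: a Python script that archives a directory to a second location, records a SHA-256 digest to be kept somewhere the archive's owner cannot rewrite, and rehearses the restore into scratch space, refusing archive members that would escape it. The directory layout, file names and the sample tree built by demo_run are constructed for illustration.

```python
"""Added example (not from the article): back up a directory, record its
digest, and rehearse the restore so the copy is known-good before an
incident.  Paths, file names and the sample tree are constructed here."""
import filecmp
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path, name: str = "backup") -> Path:
    """Archive `src` into `dest` (the 'separate node') and write a side-car
    digest.  Keep that digest somewhere else too: an attacker who can
    rewrite the archive can usually rewrite a hash stored beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    (dest / f"{name}.sha256").write_text(sha256_file(archive) + "\n")
    return archive


def _dirs_identical(a: Path, b: Path) -> bool:
    """Recursive byte-for-byte comparison of two trees."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(_dirs_identical(a / d, b / d) for d in cmp.common_dirs)


def restore_drill(archive: Path, expected_digest: str, original: Path) -> bool:
    """Check the digest, extract into scratch space and compare against the
    live tree.  Any mismatch returns False, so a broken backup is noticed in
    a calm moment rather than mid-incident."""
    if sha256_file(archive) != expected_digest:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        base = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                target = (base / m.name).resolve()
                # refuse members that escape the scratch dir ("tar slip") or
                # that are links, which could point anywhere after extraction
                if os.path.commonpath([str(base), str(target)]) != str(base):
                    return False
                if m.issym() or m.islnk():
                    return False
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(str(base), **kwargs)
        return _dirs_identical(original, base)


def demo_run() -> dict:
    """Constructed sample: a tiny 'live-data' tree backed up to 'offsite',
    then a successful drill, then a drill against a tampered archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "live-data"
        (src / "sub").mkdir(parents=True)
        (src / "accounts.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "sub" / "notes.txt").write_text("quarterly review\n")

        archive = create_backup(src, root / "offsite")
        digest = (root / "offsite" / "backup.sha256").read_text().strip()
        good = restore_drill(archive, digest, src)

        # simulate corruption in transit or ransomware touching the copy
        with archive.open("ab") as f:
            f.write(b"\x00")
        tampered = restore_drill(archive, digest, src)
        return {"archive": archive.name, "good_drill": good, "tampered_drill": tampered}


if __name__ == "__main__":
    print(demo_run())
```

Run the drill on a schedule against the real backup target, not only at creation time: the point is to learn that a copy is unreadable, incomplete or silently altered while the live data is still there to fix it.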

The post New disputes to arise from ransomware payments ban appeared first on Cybersecurity Insiders.


June 30, 2021 at 11:03AM

UN Security Council holds meeting on Cybersecurity

As cyber threats against the government infrastructure of various countries grow, the UN Security Council held a meeting on Tuesday to discuss the ongoing threats and the mitigation measures nations need to follow.

Earlier this month, the same issue was raised with Russian President Vladimir Putin by the Biden administration when the two sides met at a summit in Geneva. As Russia serves as a home ground for many hackers, Putin was asked to share intelligence about them with US law enforcement.

Mr. Putin agreed, on the condition that the Biden administration reciprocate with intelligence on the hacking groups that have been constantly launching cyber attacks on Russia's critical infrastructure.

In relation to these threats, the UN Security Council obtained an assurance from its member nations in 2015 that they would refrain from launching cyber attacks on one another, and any breach of that six-year-old agreement would be eligible for legal prosecution at the international level.

More details about the meeting will be posted shortly!

Note- The UN Security Council is a body established by treaty among nations that seek international peace and security. The council comprises over 15 member nations, of which five (China, Russia, the United Kingdom, the United States of America and France) are permanent members, as these superpowers were the winners of World War II. The UNSC's powers include peacemaking operations, blocking military actions and enacting international sanctions on nations that breach the agreement.

The post UN Security Council holds meeting on Cybersecurity appeared first on Cybersecurity Insiders.


June 30, 2021 at 11:02AM

GrammaTech Introduces Software Supply Chain Security Platform

BETHESDA, Md.–(BUSINESS WIRE)–GrammaTech, a leading provider of application security testing products and software research services, today announced the latest version of CodeSentry which reduces software supply chain security risks like those exploited in recent attacks on downstream users of SolarWinds, CodeCov and other applications. CodeSentry quickly analyzes purchased or commercial off the shelf software to identify application components, generate a software bill of materials (SBOM), and detect zero-day and N-day vulnerabilities.

“Most organizations go to great lengths to ensure the safety and security of their physical supply chains yet do very little to assess the integrity of the code used to run their business. Recent incidents like the SolarWinds attack have shined a light on software risk and its consequences,” said Mike Dager, CEO of GrammaTech. “CodeSentry enables organizations to discover what components are in the software they are building or using, detect the presence of potential vulnerabilities and mitigate risk. CodeSentry also automates compliance with the SBOM requirement detailed in the recent Executive Order on Cybersecurity.”

CodeSentry Binary Analysis

Organizations have traditionally trusted software vendors to manage the security risk associated with the applications they purchase. But the increasing frequency of software supply chain attacks is forcing enterprises to proactively assess and verify third-party software for vulnerabilities that expose them to threats. Since source code is rarely available for purchased applications, binary analysis is the only alternative for extracting an SBOM to detect underlying risks in commercial software products. Derived from research conducted for defense and intelligence agencies, CodeSentry provides the following capabilities and benefits:

  • Creates Comprehensive SBOM – binary scanning identifies open source and third-party components and provides a security score, component match details, version information, location, and detailed vulnerability information including CVSS scores
  • Zero- and N-Day vulnerability detection – detects unknown (zero-day) and known (n-day) vulnerabilities in identified open source and third-party components
  • Executive Dashboard – provides a software application risk score based on detected vulnerabilities, CVSS and key performance indicators (KPIs)
  • Advanced reporting – for compliance and risk governance audits
  • Multiple SBOM formats – including industry standard CycloneDX
  • Flexible deployment – native SaaS application with optional on-premises deployment

“The increasing reliance by application developers on open source and third party components is a big reason why the software supply chain is vulnerable to being exploited by attackers,” said Chris Rommel, Executive Vice President for VDC Research. “Consequently, both application providers and end-user organizations need visibility into the code bases they sell and use so they can continually prove software integrity and proactively detect and mitigate vulnerabilities.”

Top Use Cases

CodeSentry addresses the following challenges facing both software providers and enterprises:

  • IT Vendor Risk Management – reduce risk to the enterprise by assessing the components and security of commercial off the shelf (COTS) applications such as financial, HR, video conferencing, messaging and other productivity applications
  • Information Security – ensure a strong security posture by proactively testing COTS applications for vulnerabilities before rolling them out departmentally or across the enterprise
  • DevSecOps – secure the third party code that is brought into the software development life cycle to assure it has been designed and architected with security across the entire stack

Availability

GrammaTech CodeSentry 2.0 is available immediately from GrammaTech and its business partners worldwide.

About GrammaTech

GrammaTech is a leading global provider of application security testing (AST) solutions used by the world’s most security conscious organizations to detect, measure, analyze and resolve vulnerabilities for software they develop or use. The company is also a trusted cybersecurity and artificial intelligence research partner for the nation’s civil, defense, and intelligence agencies. GrammaTech has corporate headquarters in Bethesda MD, a Research and Development Center in Ithaca NY, and publishes Shift Left Academy, an educational resource for software developers. Visit us at https://www.grammatech.com/, and follow us on LinkedIn and Twitter.

CodeSonar® and CodeSentry® are registered trademarks of GrammaTech, Inc.

The post GrammaTech Introduces Software Supply Chain Security Platform appeared first on Cybersecurity Insiders.


June 30, 2021 at 09:08AM

Log Management and SIEM: Using Both for Enterprise CyberSecurity

Properly analyzing the massive amounts of data created by network access and the associated security tools has become a very tedious chore.

Today’s cybersecurity professionals are seeking ways to better deal with the massive influx of information so that they can make intelligent choices when it comes to the cybersecurity posture of their networks.

Selecting the proper tools is an important task which merits investigation. A good cybersecurity tool also helps identify potential threats and vulnerabilities while also reporting on trends that impact the organization’s cybersecurity hygiene. After all, it is impossible to manage attack surfaces without understanding how potential threats impact a network.

SecOps teams often use multiple tools and attempt to integrate them to create a complete view of what is happening across their networks, but integrating these tools often proves to be a critical challenge.

Further complicating the situation: today’s networks are heterogeneous, have multiple entry points, often integrate with cloud-based applications, offer data center delivered services, and now include applications that run at the edge of the network. In other words, Enterprise networks have become increasingly complex, more difficult to manage, and generate massive amounts of transactional data.

Since identifying threats and understanding trends has become one of the most powerful practices in the world of cybersecurity – knowing which monitoring tools to use is paramount. This post will discuss two must-haves: SIEM and Log Management.

Popular Cybersecurity Tools: SIEM and Log Management Applications

Two of the most popular tools for cybersecurity analytics in use today are SIEM (Security Incident Event Management) and Log Management. Both help us better understand exactly what is happening across the network and the potential impact that this network activity has on the company’s security posture.

Although SIEM and Log Management tools take different approaches to analysis, using these tools together gives better visibility into the cyber hygiene of a complex network.

SIEM and Log Management overlap in several areas when it comes to achieving visibility. Understanding where the technologies differ and can complement each other, is key to maintaining the cyber hygiene of any Enterprise. Let’s get started.

What is SIEM?

SIEM software primarily gathers and aggregates data from multiple sources on a network and then visualizes that data to expose inconsistencies that indicate cybersecurity issues.

A SIEM solution uses many different underlying technologies to analyze and prioritize the massive amount of data that moves through the network devices. So it should be set up to gather information from the appropriate components that handle connectivity. Those devices can be physical or virtual appliances located in data centers, branch offices, cloud service providers, hosting sites, and so on.

Ultimately SIEM solutions rely on the logging mechanisms of those devices to provide data for analysis.

From the outset, SIEMs were designed to surface the most important security incidents and events in an Enterprise. SIEMs use automation to ease the burden on cybersecurity professionals, using algorithms to filter through millions of events, categorizing, identifying, and comparing those incidents against defined policies. This helps teams to determine if the incident was severe enough to trigger an alarm and take action.

What’s more, SIEM software offers reporting capabilities that categorize security-related events such as failed logins, potential malware activity, and potential data exfiltration. It also can help manage compliance issues since policies can be created to detect potential compliance failures.

SIEM Software has many strengths that make it a good fit in the typical Enterprise for cybersecurity hygiene. The better products in the market excel at data analysis and correlation, indexing, and categorizing events. Most SIEM solutions can work with numerous data sources and include advanced automation tools.

However, those features often come at a high cost, meaning that some businesses may have to make trade-offs.

Common Compromises When Deploying a SIEM

  • Limiting the number of data sources: A SIEM is often optimized for gathering logs from security appliances only, meaning other devices on the network may not be included in the analysis. What’s more, many SIEM vendors charge per data source, meaning that for budget reasons, users may limit integration.
  • Limiting the number of reports: SIEMs often have predefined reports that focus purely on security events, limiting the applicability for further forensics.
  • Navigating costly integration issues: SIEMs often require custom integration to work with cloud or on-premise security appliances. If an appliance is not natively supported, coding may be required to include the log data.
  • False Positives: The complexity of SIEMs, along with integration challenges, can lead to missed security events or generate false positives. Without the full context of a security event, a SIEM may create a situation that is time-consuming to track down.
  • Complexity: Effectively using a SIEM may require extensive training and hiring additional cybersecurity staff.

Ultimately, SIEMs are complex tools that require extensive integration and the expertise to be fully effective.

What is Log Management?

Log Management solutions prove to be highly customizable and offer numerous capabilities. They collect, aggregate, store (long-term), archive, analyze, search, and report computer-generated log data.

These tools (or software) process all of the logs created by devices, applications, systems, networks, software, users, and anything else that may make a log entry – helping to ensure no critical information is lost.

Aggregating data across the IT environment, log management software gathers information from operating systems, firewalls, servers, switches, routers, etc. Since each collection point may use a different format for a log, log management tools usually offer a way to normalize data, so that a single unified index can be used for analysis. This allows cybersecurity professionals to search data as soon as it is processed by the system.

Now essential for cybersecurity, log management platforms are especially useful for forensic analysis and understanding how data moves across the network. Cybersecurity professionals can use these platforms to delve into events that may have happened days, weeks, or even months ago.
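As an added illustration of the two roles described above (the SIEM's rule-based correlation of events against defined policies, such as flagging repeated failed logins, and the log management platform's normalisation of differently formatted logs into one searchable index), here is a small Python example. It is not code from the original article or from any product; the log lines are constructed, and the two formats (an sshd syslog line and a key=value firewall line), the `ASSUMED_YEAR`, the failure threshold and the 60-second window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from two collection points that use
# different formats: syslog-style sshd lines and key=value lines from a firewall.
SAMPLE_LOGS = [
    "Jun 29 09:00:01 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Jun 29 09:00:04 host1 sshd[1001]: Failed password for admin from 203.0.113.5 port 50002 ssh2",
    "2021-06-29T09:00:05Z fw01 action=DENY src=203.0.113.5 dst=10.0.0.2 dport=445",
    "Jun 29 09:00:09 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 50003 ssh2",
    "Jun 29 09:00:12 host1 sshd[1002]: Accepted password for alice from 198.51.100.7 port 50010 ssh2",
    "2021-06-29T09:03:00Z fw01 action=ALLOW src=198.51.100.7 dst=10.0.0.2 dport=443",
    "Jun 29 09:30:00 host1 sshd[1003]: Failed password for root from 203.0.113.5 port 50020 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>(?:\w+=\S+ ?)+)$")

ASSUMED_YEAR = 2021  # syslog timestamps carry no year; assumed for this sample


def normalize(line):
    """Map one raw line from either source onto the unified record schema, or None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "src_ip": m["src"], "user": m["user"],
                "event": "auth_failure" if m["result"] == "Failed" else "auth_success"}
    m = FW_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"],
                "src_ip": kv.get("src"), "user": None,
                "event": "fw_" + kv.get("action", "unknown").lower()}
    return None


def build_index(lines):
    """Log-management role: keep every normalised record, time-ordered, for later search."""
    records = [r for r in map(normalize, lines) if r is not None]
    return sorted(records, key=lambda r: r["ts"])


def search(index, **criteria):
    """Ad hoc historical search over the unified index, e.g. search(idx, src_ip="203.0.113.5")."""
    return [r for r in index if all(r.get(k) == v for k, v in criteria.items())]


def brute_force_alerts(index, threshold=3, window=timedelta(seconds=60)):
    """SIEM role: a correlation rule that alarms on `threshold` authentication failures
    from one source address inside a sliding `window`; one burst yields one alert."""
    alerts = []
    recent = defaultdict(list)  # src_ip -> timestamps of failures still inside the window
    for r in index:
        if r["event"] != "auth_failure":
            continue
        ip = r["src_ip"]
        seen = [t for t in recent[ip] if r["ts"] - t <= window] + [r["ts"]]
        if len(seen) >= threshold:
            alerts.append({"src_ip": ip, "count": len(seen), "last_seen": r["ts"]})
            seen = []  # reset so the same burst is not reported again
        recent[ip] = seen
    return alerts


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    for alert in brute_force_alerts(idx):
        print("ALERT possible brute force:", alert)
    print("history for 203.0.113.5:", len(search(idx, src_ip="203.0.113.5")), "events")
```

The point of the split is visible in the two functions: `brute_force_alerts` only ever sees authentication events and fires once, in real time, when the policy threshold is crossed, while `search` over the same normalised index also returns the firewall denial from the same address, which is the kind of context the article says a forensics team needs and a security-only view would miss.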

SIEM vs. Log Management: Cybersecurity Use Cases

SIEMs and Log Management have some different use cases and are actually complementary to each other when it comes to the critical function of cybersecurity.

In the following scenarios, we’ll review the pros and cons as well as the best way to deploy both.

1. Compliance Management

Many businesses in highly regulated industries must report on their adherence to various compliance rules at specific intervals.

  • SIEMs may offer a detailed compliance report showing policies enforced and, if there were any failures, what actions were taken.
  • Log Management solutions provide forensic data that demonstrates a historical view of actual events related to compliance.

Using both tools together simplifies the process of compliance reporting and helps businesses to meet their auditing objectives.

2. Threat Hunting

Today’s businesses are constantly under attack, and threats can be a daily occurrence.

However, blended threats, which often use multiple attack vectors or are part of a larger attack, are often harder to detect and mitigate. A SIEM system may only offer a warning when a threat becomes active.

  • SIEMs may alert the organization of a threat and even provide an indication of a compromise, but it may take a deeper look to find the origin of the compromise.
  • Log Management systems can be used by the team to proactively search through archival data to find early indications of threats, even before a truly malicious payload may have been delivered.

READ: Threat Hunting Frameworks and Methodologies: An Introductory Guide

3. Cyber Hygiene

Avoiding threats or compromises is one of the biggest challenges faced by IT today.

Threats come in all forms, ranging from zero-day vulnerabilities to malicious code, to lateral movement. Understanding how those threats impact the network and drilling down into root causes is often the job of a forensics team.

  • Log Management offers historical data and a broader scope – bringing additional capabilities to IT. These range from cyber forensics to performance management, to infrastructure management and anomaly detection.
  • SIEMs only offer information from security-related logs, meaning that a forensics team has limited visibility into the network infrastructure. That can prove quite limiting, especially when dealing with zero-day threats and compromises.
  • SIEMs are very good dealing with real-time cybersecurity issues and are a valuable tool for identifying and containing threats.
  • Log Management tools expand the view into more data sources, allowing a team to look for patches, or microcode insertion, or any number of other attacks that may not be seen by a SIEM.

In closing, cyber professionals often need to create “what-if” scenarios to track down and expose weaknesses that may be missed by a SIEM. The analytics offered by Log Management tools make it possible to build reports that offer “what-if” analysis, reports that are critical for effective threat hunting.

Combining the capabilities of a SIEM with a Log Management solution gives today’s cybersecurity professionals a multi-pronged approach with which to respond, mitigate, and prevent network attacks.

The post Log Management and SIEM: Using Both for Enterprise CyberSecurity appeared first on Cybersecurity Insiders.


June 29, 2021 at 09:18PM

Empowering women in the field of ethics and compliance

This blog was written by an independent guest blogger.
Ethics and compliance is becoming a burgeoning industry as an increase in government regulations in areas such as sustainability, diversity, and data privacy makes compliance an important focus for companies. It's especially important in tech companies, as the ever-growing risk of cybersecurity breaches requires that security teams be vigilant in protecting sensitive data. Any breach of regulations can result in legal headaches and customer distrust, making a solid compliance department a wise investment in any business.
Ethics is another vital concern for companies who want to cultivate and maintain a positive public image. Corporations want their clients to see that they are doing the right thing, regardless of what the law dictates. As people increasingly look to their favorite brands to express support for social justice causes, ensuring that a company is on the right side of important…

Posted by: Nahla Davies

The post Empowering women in the field of ethics and compliance appeared first on Cybersecurity Insiders.


June 29, 2021 at 09:10PM

How voice biometrics can help MNOs reduce fraud

In this blog, I am joined by my colleague Pauline Pinzuti, Marketing Manager, to discuss how the use of voice biometrics can help telecom operators fight ID fraud.

What do mobile operators need to know about telecom fraud?

Didier Benkoël-Adechy: Mobile Network Operators (MNOs) face unprecedented levels of competition and commercial pressure. As a result, many have created extensive service portfolios, extending far beyond just mobile communications. Perhaps inevitably, the wealth of valuable services now offered by operators has attracted the attention of sophisticated fraudsters.

Pauline Pinzuti: I completely agree – the threat posed to mobile network operators has multiplied exponentially over the last few years. The head of Security Operations of a major MNO actually recently said that “it is difficult to assess precisely the cost of fraud but this could represent up to 5% of the company’s revenue…”

How does identity impersonation fraud – also called account takeover fraud – actually happen?

PP: As the name suggests, with this type of fraud, fraudsters use the accounts of their victims to access the MNO’s services.

Fraud can occur using information gathered from a customer using social engineering. With phishing for example, customers can be tricked into providing information regarding their account. This information may then be used to contact an MNO’s customer service department and impersonate the customer.

DB: Fraud is moving to remote channels. In particular, call centres can have ineffective methods of verification when delivering services. Securing all the channels that fraudsters can target represents a major challenge for CFOs and fraud departments.

Looking ahead, we know that biometric authentication is an effective and convenient way to identify individuals. But how does this work for call centres?

PP: You’re right. The sort of verification tools that we use at airports, such as facial matching can’t be used in call centres. Instead, we can identify people through other biometric methods – like voice matching.

Drawing on the numerous different features that define the uniqueness of each individual’s voice, we can quickly compare a speaker’s recorded voice with thousands of recordings of known fraudsters held in databases to detect and prevent repeat fraud.

DB: This is really critical. A major MNO recently revealed that they suffered losses of up to €1 million a year through impersonation-based fraud at call centres, before Thales' effective voice-matching service was put in place.

PP: By comparing and matching a caller’s voice with information such as the recording of a known fraudster, it is possible to address the threat of fraud before it becomes a financial liability for the MNO.

DB: From a different standpoint, the use of voice biometrics for authentication is also increasing in popularity due to its convenience, as it meets customer expectations for easy and fast access to services. For instance, MarketsandMarkets predicts that voice biometrics will grow from $1.1B in 2020 by 22.8% to $3.9B by 2026. This technology can be used to ease authentication for existing customers, replacing the inconvenience and risk of using PINs and knowledge-based authentication.

So how does voice biometric analysis work?

PP: The human voice uses more than 70 body parts. Each has a unique size and shape. Biometrics-based solutions analyse more than 140 physical characteristics (such as the size and shape of the larynx or nasal cavity) that make each voice unique. The use of these physical features is particularly significant. Unlike behavioural characteristics, such as the rhythm of speech, accent or intonation, they cannot be mimicked by a fraudster. A person’s gender and age range can also be revealed by analysing the voiceprints created from the recorded voices.

DB: It’s important to note, this technology is very different from speech recognition technology which is used to understand a specific instruction, regardless of the identity of the speakers. Just like facial recognition, voice recognition requires liveness detection to identify ‘spoofing’ types of attacks, such as speech created by fraudsters from the recordings of legitimate customers.

As far as the customer is concerned, the entire process of voice matching and detection is seamless. Indeed, it is invisible, with no disruption to the user experience or quality of service delivered by the MNO.

PP: Also, all the processes need to meet local regulations related to privacy. In particular, individual voiceprints held for authentication are encrypted and as a best practice, not stored with personally identifiable information. Voiceprints stored in a watchlist (or fraudster database) are also not linked to named individuals. They just indicate a risk of fraudulent activity.

What other challenges do you think are important to address in order to fight identity fraud?

PP: For MNOs, the fight against identity fraud is becoming more complex for two main reasons. The first is the proliferation of remote channels through which customers now interact with them – from call centres to online services. The second relates to the internal organisation of the MNO. Some network operators have numerous ‘silos’ within the company’s structure that are involved in fraud prevention. Multiple ‘silos’ within an organisation can undermine attempts to track the flow of losses to fraud. The heart of the problem lies in the fact that responsibility for measuring the impact of fraud, and implementing solutions, is split across several departments: fraud; revenue assurance (RA); credit risk; IT security; and network security.

DB: In fact, each department usually has its own KPIs and objectives in relation to fraud. And it is quite possible that no one has a 360° view of the level of fraud across the organisation.

Clearly, good communication and coordination is needed between all stakeholders. A number of major global MNOs have created structures in which different departments, including product marketing, are brought together to address revenue assurance and optimise fraud prevention.

The Voice Biometrics solution is part of the Thales Trusted Digital Identity Services platform for fraud detection, enrollment and authentication.

Find out more about our voice biometric solution
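As an added example of the design Pauline Pinzuti describes above (voiceprint templates kept apart from personally identifiable information, and a watchlist that flags a risk of fraud without naming anyone), here is a small Python sketch. It is not Thales code and does not describe the Thales product: the feature vectors are constructed, the cosine-similarity comparison, the 0.90 threshold and the `VoiceStore` class are assumptions made for illustration, and encryption of the stored templates is assumed to be handled by the storage layer rather than shown.

```python
import math
import secrets

# Assumed operating point (not a figure from the article): cosine similarity at or
# above this value is treated as the same speaker.
THRESHOLD = 0.90

# Constructed voiceprints (not real biometric data): short feature vectors standing in
# for the many physical characteristics a real engine extracts from a recording.
ALICE_ENROL = [0.90, 0.10, 0.40, 0.70]       # captured when Alice enrolled
ALICE_PROBE = [0.85, 0.15, 0.45, 0.65]       # Alice calling the contact centre later
FRAUDSTER_WATCH = [0.10, 0.90, 0.20, 0.30]   # watchlist entry from a confirmed fraud call
FRAUDSTER_PROBE = [0.15, 0.85, 0.25, 0.35]   # the same fraudster trying again


def cosine(a, b):
    """Cosine similarity between two voiceprint feature vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class VoiceStore:
    """Keeps authentication templates, customer PII and the fraud watchlist in separate stores."""

    def __init__(self):
        # opaque token -> voiceprint; encryption at rest is assumed to be done by the storage layer
        self.templates = {}
        # opaque token -> customer details, held apart from the templates
        self.pii = {}
        # voiceprints of suspected fraudsters only; deliberately no names attached
        self.watchlist = []

    def enroll(self, voiceprint, name, phone):
        """Store the template and the PII under a random token that reveals nothing about the customer."""
        token = secrets.token_hex(16)
        self.templates[token] = list(voiceprint)
        self.pii[token] = {"name": name, "phone": phone}
        return token

    def verify(self, token, probe):
        """Authenticate a caller who claims the account behind `token`; returns (accepted, score)."""
        score = cosine(self.templates[token], probe)
        return score >= THRESHOLD, score

    def add_to_watchlist(self, voiceprint):
        """Record the voiceprint of a known fraud call; no identity is stored with it."""
        self.watchlist.append(list(voiceprint))

    def screen(self, probe):
        """Watchlist check: returns True for a fraud risk, but never who the caller is."""
        best = max((cosine(w, probe) for w in self.watchlist), default=0.0)
        return best >= THRESHOLD


if __name__ == "__main__":
    store = VoiceStore()
    token = store.enroll(ALICE_ENROL, "Alice Example", "+44 20 0000 0000")
    store.add_to_watchlist(FRAUDSTER_WATCH)
    print("Alice verifies:", store.verify(token, ALICE_PROBE))
    print("fraudster verifies as Alice:", store.verify(token, FRAUDSTER_PROBE))
    print("fraudster flagged by watchlist:", store.screen(FRAUDSTER_PROBE))
    print("Alice flagged by watchlist:", store.screen(ALICE_PROBE))
```

The separation is the security-relevant part: a leak of `templates` or `watchlist` alone yields vectors with no name attached, and the watchlist answers only "does this voice resemble a known fraud call", which is the risk signal the interview describes, not an identification.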

The post How voice biometrics can help MNOs reduce fraud appeared first on Cybersecurity Insiders.


June 29, 2021 at 09:10PM

How a man used a fake finger to trick his smartphone biometrics

Chances are you’ve seen a Hollywood film where criminals manage to access biometric security systems using basic spoof attacks such as gelatin-made fingerprints and fake irises. For example, in Minority Report, Tom Cruise’s character Anderson gets an eye transplant so that he can’t be identified by the citywide optical recognition system. But what’s even more amusing is that he carries his original eyeballs in a plastic bag to maintain access to his former workplace.

The reality is that the trick that Anderson used in Minority Report wouldn’t fool today’s advanced systems thanks to their liveness detection capabilities.

But before I go into more detail on how liveness detection keeps biometric systems spoof-proof, I wanted to quickly touch on a recent example in which a Register reader named Kieran managed to recreate a scene straight out of a Hollywood film. He demonstrated how he unlocked his smartphone using the severed tip of his finger, parted from his hand as a result of an industrial incident.

So how was Kieran able to unlock his smartphone with a severed fingertip? In this instance, the severed tip belonged to the finger registered on the device, and Kieran could access the device because the finger used at enrolment was the same one used for authentication. This means that there was no fault in the manufacturer's system.

While we hope that using a severed finger to unlock a smartphone is very uncommon, can cases of using a silicone or gelatin finger to unlock a device be successful?

Where does liveness detection fit in this scenario?

Liveness detection is the ability of biometric systems to detect whether a fingerprint or face (or other biometric information) is real (from a live person present at the point the information is captured) or fake (from a spoofed artifact). It’s powered by AI which analyses the data collected by the biometric scanner and verifies if the source is coming from a live or fake representation.

The features of liveness detection are purposed to counter biometric spoofing attacks, where a replica is used to emulate a person’s unique biometric information.

It's worth noting that the standard terminology in the market is 'Liveness Finger Detection', which means that it stops replicas imitating a person's unique biometrics, such as a fingerprint mould, but still allows real fingers, dead or alive, to work. Consumer-grade devices have not yet evolved to include signs-of-life detectors. So, in Kieran's case, the technology worked to the market standard.

What is Presentation Attack Detection (PAD)?

Let's look at single finger scanners to explain what Presentation Attack Detection (PAD) is. Single finger scanners are usually used for ID verification, mainly in unattended applications like ATMs. To stop people using fake fingers to attack the system, these scanners have been fitted with a technology, PAD, that is able to detect the real nature of the finger placed on the scanner. For example, the Thales Cogent Single Finger Scanner AI-based solution uses a patented technology based on infrared light, and has been independently tested by iBeta and verified to the ISO/IEC 30107-3 standard. It is the first in the world to receive iBeta PAD level 2 certification. Our technology has also achieved an Attack Presentation Classification Error Rate (APCER) of 0%.

PAD is usually implemented in systems where security is a higher priority than user convenience, according to the Biometrics Institute. That's why many consumer devices are unlikely to have been equipped with the technology, but given how quickly the market is growing, as well as consumers' increased security awareness, this will likely change soon.

As companies and organisations across the world search for the most secure method of authentication and identification, biometrics has quickly become one of the premier methods of ensuring these two principles. Failure to prevent fingerprint spoofing attacks may have serious consequences, not just for individuals but on a wider scale.

Unfortunately, there isn't a magic formula for combating fingerprint spoof attacks at the moment; the real solution lies in combining the right set of different features. In a marketplace that features an abundance of solutions, your best bet is to choose one that meets the ISO Presentation Attack Detection benchmark.
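To make the APCER figure quoted above concrete, here is an added Python example that computes the ISO/IEC 30107-3 error rates for a PAD subsystem from a constructed evaluation set; it is not code or data from the article, from Thales or from iBeta. The liveness scores, the two presentation attack instrument (PAI) species and the thresholds are all constructed for illustration. APCER is the share of attack presentations wrongly accepted as bona fide (reported per PAI species, with the worst species as the headline figure), and BPCER is the share of genuine presentations wrongly rejected; the trade-off between them is the security versus convenience priority the text mentions.

```python
from collections import defaultdict

# Constructed evaluation set (not real measurements): each presentation to the
# fingerprint sensor carries the liveness score its PAD subsystem produced, where a
# higher score means "looks like a live finger". Attacks are tagged with the
# presentation attack instrument (PAI) species used to make the fake finger.
PRESENTATIONS = [
    # (kind, pai_species, liveness_score)
    ("bona_fide", None, 0.95), ("bona_fide", None, 0.90), ("bona_fide", None, 0.85),
    ("bona_fide", None, 0.80), ("bona_fide", None, 0.60), ("bona_fide", None, 0.97),
    ("bona_fide", None, 0.88), ("bona_fide", None, 0.92),
    ("attack", "gelatin", 0.10), ("attack", "gelatin", 0.20),
    ("attack", "gelatin", 0.55), ("attack", "gelatin", 0.30),
    ("attack", "silicone", 0.05), ("attack", "silicone", 0.65),
    ("attack", "silicone", 0.15), ("attack", "silicone", 0.25),
]


def classify(score, threshold):
    """PAD decision: the presentation is accepted as bona fide when the score reaches the threshold."""
    return "bona_fide" if score >= threshold else "attack"


def evaluate(presentations, threshold):
    """ISO/IEC 30107-3 style error rates at one operating threshold.

    APCER (per PAI species) = attacks wrongly accepted as bona fide / attacks of that species
    BPCER = bona fide presentations wrongly rejected / all bona fide presentations
    The headline APCER is the worst species, because an attacker picks the instrument that works best.
    """
    bona = [s for kind, _, s in presentations if kind == "bona_fide"]
    attacks = defaultdict(list)
    for kind, species, s in presentations:
        if kind == "attack":
            attacks[species].append(s)
    bpcer = sum(classify(s, threshold) == "attack" for s in bona) / len(bona)
    apcer = {sp: sum(classify(s, threshold) == "bona_fide" for s in scores) / len(scores)
             for sp, scores in attacks.items()}
    return {"threshold": threshold, "bpcer": bpcer, "apcer": apcer,
            "apcer_max": max(apcer.values(), default=0.0)}


def lowest_threshold_meeting(presentations, target_apcer=0.0):
    """Lowest candidate threshold (drawn from the observed scores) whose worst-case APCER
    is at or below the target; the price paid for it shows up in the returned BPCER."""
    for t in sorted({s for _, _, s in presentations}):
        result = evaluate(presentations, t)
        if result["apcer_max"] <= target_apcer:
            return result
    return None


if __name__ == "__main__":
    for t in (0.5, 0.7):
        r = evaluate(PRESENTATIONS, t)
        print(f"threshold {t}: APCER per species {r['apcer']}, BPCER {r['bpcer']}")
    print("cheapest operating point with APCER 0%:", lowest_threshold_meeting(PRESENTATIONS))
```

On this constructed set, a threshold of 0.5 lets one gelatin and one silicone fake through (APCER 25% for each species) with no genuine user rejected, while reaching the 0% APCER that the article cites costs a 12.5% BPCER, which is exactly why PAD tends to be deployed where security outranks convenience.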

The post How a man used a fake finger to trick his smartphone biometrics appeared first on Cybersecurity Insiders.


June 29, 2021 at 09:09PM

Vulnerability makes hackers hijack video streams from millions of connected cameras

A recent study by Nozomi Networks, a security company that offers solutions for IoT products, has found that millions of connected cameras could be hijacked by cyber crooks through a vulnerability.

Security researchers say that the flaw lies in a software component of the ThroughTek cloud surveillance platform, which OEMs use when manufacturing IP cameras, baby monitors and pet monitoring solutions, along with robotic and battery-powered devices.

Technically, the flaw is in the P2P SDK that allows clients to monitor a video stream from a camera in a mobile or desktop app. The research says that hackers could exploit the vulnerability to fraudulently access or reconstruct a video/audio stream, allowing them to snoop on a remote camera user.

The US Cybersecurity and Infrastructure Security Agency recently issued a warning and assigned a severity score of 9.1 to the newly discovered P2P SDK vulnerability.

ThroughTek is blaming its developers for incorrectly configuring the firmware on IoT devices and for not issuing a fix for the flaw in time. It is also urging its customers to update their products to the latest SDK version, which was released in March 2021.

Note- The bug could allow cyber criminals to eavesdrop on video and audio streams, and could also lead to device spoofing and hijacking of the device's security certificate.

The post Vulnerability makes hackers hijack video streams from millions of connected cameras appeared first on Cybersecurity Insiders.


June 29, 2021 at 08:54PM

Monday, June 28, 2021

Beware of this Windows 11 fake Download

Microsoft officially announced last week that it will present its Windows 11 operating system to the world by November this year, and that all laptops with compatible hardware and software components will be eligible for a free upgrade from Windows 10 to Windows 11.

That means all systems running Windows 10 with at least 4GB of RAM, 64GB of storage and a 64-bit processor will be eligible for an upgrade free of cost.

For those who are not familiar with their PC's hardware components, here is an update that might grab your attention. The Satya Nadella-led company offers an online tool that can be downloaded and used to check whether a device running Windows 10 is eligible for the Windows 11 upgrade.

Just open 'www.microsoft.com/window-11' in your browser and then click the download button under the check compatibility feature.

Then download the software called Windows PC Health Check and follow the instructions, which will tell you whether the device is compatible with the Windows 11 upgrade or not.

Note 1– Over the past four days, several websites have appeared in Google search results claiming to offer online users a free tool that checks whether a device is compatible with the Windows 11 update. Remember, all such online resources lead to scams and malware infections that could spell permanent disaster for your device.

Note 2– At the request of Microsoft's engineers, Google scrapped all such fake websites within a few hours of their emergence. So the cyber crooks instead circulated messages in Telegram and WhatsApp groups about apps that supposedly help find out whether a device is eligible for the Microsoft Windows 11 upgrade. In reality, such apps and websites are distributed with malicious intent: to make money through clicks, to spread malware onto desktops and laptops, and to mine cryptocurrency on the infected device, all without the owner's knowledge. So please beware of fake apps and websites that promise a free Windows 11 download.

Note 3– Microsoft is apparently planning a Windows 11 release date of September 9th, 2021.

The post Beware of this Windows 11 fake Download appeared first on Cybersecurity Insiders.


June 29, 2021 at 10:40AM

UK Ministers under probe for using personal emails for government projects

Acting on a complaint from a ministerial staff member, the UK Information Commissioner’s Office has opened an investigation into whether some or all UK ministers are using personal email accounts to conduct government business.

Elizabeth Denham, the UK Information Commissioner, has confirmed the investigation and said that more details will be made public once the official probe concludes.

According to the data watchdog, digital evidence shows that some ministers, including Matt Hancock and Lord Bethell of the Department of Health, used their own email accounts to discuss government contracts that were to be paid for with public money.

Downing Street has said that the two ministers, along with some others, occasionally used non-departmental email addresses to conduct government business; doing so may have been unlawful and could lead to further controversy.

Prime Minister Boris Johnson declined to comment on the issue or to say how he himself conducts government business.

A Cabinet Office review conducted together with the data watchdog found that Hancock and Lord Bethell routinely used personal email addresses to review or approve government contracts, many of which originated from those unofficial inboxes.

Hancock and Mr. Johnson were also reported to have used WhatsApp for official communication, which points to a clear breach of the rules.

Note 1- Normally, ministers and their staff are allowed to use only their official email accounts for government business, because of concerns about espionage and eavesdropping. Governments around the world follow this practice, whatever their form of government.

Note 2- Using messaging apps other than those approved for official communication can lead to data leaks. The best-known example is the suspected involvement of Saudi Crown Prince Mohammed bin Salman in a WhatsApp-based spying campaign against Amazon boss Jeff Bezos’s phone in 2018, which led to the leak of photos confirming Mr. Bezos’s affair with his girlfriend, the pilot Lauren Sanchez.

So, are the ministers listening?

The post UK Ministers under probe for using personal emails for government projects appeared first on Cybersecurity Insiders.


June 29, 2021 at 10:34AM

Six existential threats posed by the future of 5G (Part One)

The COVID-19 pandemic has accelerated our transition towards an increasingly digital world. Now, thanks to lockdowns and remote working, people are realising, for example, that meetings which once had to be held in person can be done equally well over video calls. With these discoveries having a positive impact on costs, operations, productivity and even the environment, there will be no going back to whatever we considered ‘normal’ before this global event.

It is for this reason that our reliance on connectivity is also growing exponentially. More than ever, we need strong and reliable networks that don’t buckle under increased demand. We need a solution that facilitates ubiquitous connectivity, which is why many operators are pouring more time, money, and effort into getting 5G products and services up and running.

Yet, there are some key concerns that telecommunication providers need to be aware of if they are going to successfully implement this next generation of connectivity, as well as inspire trust in customers. Below, we explore these risk factors in depth and determine what can be done to mitigate the threat moving forward.

  1. Protecting a virtual network infrastructure

One of the most significant changes in network infrastructure when it comes to 5G is that the ‘standalone’ core network is almost exclusively cloud based. Put simply, the foundational technologies 5G will rely on, namely Network Function Virtualisation and Software Defined Networking, will turn many physical network components into software instead.

This move to the virtual brings a variety of new security risks, including cross-contamination between virtualised functions sharing the same hardware, data leakage and the spread of malware, all of which we can bet malicious actors will be waiting to take advantage of. Moreover, Mobile Network Operators (MNOs) cannot use the same techniques to protect a virtual network as they could with previous generations, which were largely physical, potentially putting them at even greater risk if they are not adequately prepared.

To mitigate this threat, telecom operators must guarantee strong encryption of data, and accurate authentication of those given access to it, even in the most demanding, performance-intensive environments. With measures in place to safeguard any data travelling across the network, whether on premises or in the cloud, customers can be confident their mobile network provider is securing the network to the highest standard.

  2. Working with an unprecedented volume of data

Estimates from the GSMA predict that by 2025, 5G will account for 21% of total mobile connections, with around 1.8 billion users. With that many people set to take advantage of the low latency and high speeds 5G will provide, we can expect a corresponding surge in the volume of data (both at rest and in transit) travelling through the network.

For telecoms this raises a vital challenge: how to guarantee the security and privacy of more data than they have ever handled, on a new, virtual network.

This is where machine learning can help, providing MNOs with the tools and techniques to scrutinise their core systems thoroughly. With such analysis in place, the telco can gauge the current threat level and respond to security risks in real time, with round-the-clock threat hunting to spot the most advanced attacks.

Without these insights, not only does the customer experience suffer but also the potential economic and reputational damage from cyberattacks increases.

  3. Securing millions of new IoT connections

From a device management point of view, 5G will work in a fundamentally different way to previous cellular generations, in that, as well as connecting smartphones, it will also be relied upon to connect over 22 billion IoT devices by 2024. This presents a huge opportunity for telcos, who will be provided with additional revenue streams, if they prove they can adapt to the unfamiliar, fragmented IoT device landscape.

There are, however, important technical challenges for telecom operators embarking on this endeavour: a connected car using 5G, for example, will use it very differently from a smart meter. MNOs therefore need a much more tailored approach to securing IoT devices than they have taken with smartphones, which requires careful planning. Attackers also know that these companies have less experience securing such devices on a network, and will be on the hunt to exploit any vulnerabilities that arise.

This begs the question, if there are tens of billions of machines on the network, how can we stop them from being compromised – and how can we trust the data they send?

Well, by using eSIM technology, telcos can help protect the range of IoT devices on their network from cyberattacks. These secure, tamper-resistant elements are soldered into place, making them well suited to objects operating under severe conditions such as heat and vibration.

What’s more, with an eSIM management suite, MNOs can remotely manage subscription profiles on individual devices so that they load, delete and replace them as needed – making sure every device on their network is accounted for.

There can be no doubt that 5G has already started to be, and will continue to be, a gamechanger for the telecoms industry. While MNOs should rightly be excited about the new business opportunities this technology will bring them, the changing skill set needed to protect this new type of network and all the devices it hopes to connect will be a significant challenge. If this is not taken seriously, cybercriminals will be waiting to take advantage of the network’s vulnerabilities, ultimately reducing trust in the network and deterring customers from using 5G, an outcome no one wants.

Stay tuned for part two of this blog series to discover the additional three threats posed by the future of 5G and what will need to be done to secure these.

For more information on building a 5G world we can all trust, see our whitepaper here, or tweet us @ThalesDigiSec with your questions.

The post Six existential threats posed by the future of 5G (Part One) appeared first on Cybersecurity Insiders.


June 29, 2021 at 09:10AM

Asset management in the age of digital transformation

Over the past year or so, organizations have rapidly accelerated their digital transformation by employing technologies like cloud and containers to support the shift to IoT and address the expanding remote workforce.
Visibility Matters:
This digital shift calls for a new approach to asset visibility, as traditional asset administration responsibilities like inventory, software support and license oversight are often the purview of IT and are addressed with IT inventory-focused tools. Along the way, many organizations have lost control of their IT asset inventory as they rushed to adopt new transformation technologies that have blurred the boundaries of their traditional network perimeters. This lack of visibility into the IT environment undermines the foundations of enterprise security and compliance and puts an organization at serious risk of a breach.
What you don't know can hurt you!
Fundamentally, security teams need to monitor IT asset health from a cybersecurity perspective to…

Posted by: Todd Waskelis


The post Asset management in the age of digital transformation appeared first on Cybersecurity Insiders.


June 28, 2021 at 09:10PM

How to achieve financial inclusion with Open Banking

If you follow banking news, you may have seen that the UK Competition and Markets Authority recently launched a consultation on the future of open banking, setting out the principal features of its next phase of implementation. While it is important to keep the powerful forward momentum of open banking, it is not inevitable that it will continue on the same trajectory, and any stall could have major implications for tackling financial exclusion.

In the past, reducing the gap between the banked and unbanked was a much harder challenge. Countries had to find a way to build more bank branches in new locations and find staff to run them. The digitalisation of banking has fundamentally changed this, reducing the demand for physical branches and giving financial institutions new, scalable tools that can bring services to financially excluded citizens, a figure which, according to World Bank data, currently sits at around 2.5 billion people worldwide. Since its introduction three years ago, open banking has helped reduce this egregious disparity.

In addition, with the pandemic lockdowns forcing the closure of many in-person bank branches, being able to remotely access our banks digitally has never been more important to the seamless continuation of the industry.

The role of Open Banking

The revised Payment Services Directive (PSD2), which took effect across Europe in 2018, paved the way for big changes in banking with regard to the control of customer data. Whereas previously all this personal and financial information was held by your bank alone, PSD2 required banks in the EU to expose it through application programming interfaces (APIs), a technical infrastructure that provides a secure and controlled way to share the data, and to grant access to officially authorised third parties.

In essence, the idea behind open banking was to let customers authorise these brands to access their account data through the bank’s API (rather than handing over their bank credentials), so that the third parties can use the data to create better products or facilitate easier payments. In terms of financial inclusion, open banking also provides a wider range of financial services to a larger proportion of the global population at a lower cost.

Financial Inclusion and Open Banking in practice

Some banks and software companies have already begun to explore the new opportunities offered by open banking, although the extent to which they are focusing specifically on accessible banking varies.

In Europe, for example, Spain’s BBVA opened its APIs in 2013 with the goal of helping companies better manage their operations. The bank helps its customers extract value from the 25-30 million transactions it handles each day. If one of its small-business customers wanted to open an ice cream shop in Madrid, BBVA can use this data to show them the best location based on previous sales, and at what time of day they are likely to have the most customers.

On the other side of the world, in India, the fintech Teknospire is helping banks develop accessible banking and payment products for customers on low incomes. With an open API design, the platform gives suppliers access to, and efficient use of, the financial services their customers need to improve their lives. This includes easy access to a bank account via authorised third-party apps, increased financial literacy, and the ability to reach more urban clients without anyone needing to leave home.

However, for open banking to keep growing around the world and for the technology to realise its full potential, banks and other financial institutions will have to prove they can be trusted with user data.

Securing Open Banking

For customers to want to use open banking and take advantage of its benefits, they must trust the technology and be confident that their data is safe, even though it is being shared with third parties.

To reassure citizens on this point, EU regulators require strong customer authentication (SCA), meaning at least two independent factors drawn from something the customer knows, possesses or is, for most PSD2-related payments. While the regulatory technical standards define the factor categories rather than specific technologies, there are a number of techniques that can be used to secure the data flows between all parties involved.

One such method is to use a number of risk management services together. These services analyse thousands of attributes of the user and the device, such as geolocation, device profiling, IP address, device assessment and behavioural biometrics, with the aim of flagging any suspicious transaction attempted by the end user. Where needed, this data can also be anonymised, giving customers further reassurance that in the event of a data breach an attacker could not recover any personal information about them.

Not only do these solutions add risk signals on top of the two factors required by law but, crucially, they keep the authentication process seamless, as they usually run in the background without the customer having to initiate or step through them.
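As an added example (constructed for this page, not code from the original post or from any vendor), the PowerShell below shows how a handful of the signals listed above (device fingerprint, geolocation velocity, IP assessment, a behavioural proxy and transaction amount) can be combined into a risk score that decides whether a payment is allowed on a background check alone, escalated to an explicit SCA step-up, or blocked. Every weight, threshold, function name and sample record is an assumption chosen for illustration; the third sample, an "impossible travel" login from a new device, shows the case a per-attribute rule would miss if the signals were not combined.

```powershell
# Added example, not code from the original post. All weights, thresholds,
# function names and sample records are constructed assumptions.

function Get-DistanceKm {
    # Great-circle (haversine) distance between two lat/lon points, in km.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $r    = 6371.0
    $dLat = [math]::PI * ($Lat2 - $Lat1) / 180
    $dLon = [math]::PI * ($Lon2 - $Lon1) / 180
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos([math]::PI * $Lat1 / 180) * [math]::Cos([math]::PI * $Lat2 / 180) *
         [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($a))
}

function Get-TransactionRisk {
    param(
        [Parameter(Mandatory)][hashtable]$Profile,   # what the bank already knows about the customer
        [Parameter(Mandatory)][hashtable]$Event      # the current payment attempt
    )
    $score = 0
    $reasons = @()

    # Device profiling: a fingerprint the bank has never seen is a strong signal.
    if ($Profile.KnownDevices -notcontains $Event.DeviceId) { $score += 40; $reasons += 'new device' }

    # Geolocation velocity: faster than any airliner since the last accepted session.
    $km    = Get-DistanceKm $Profile.LastLat $Profile.LastLon $Event.Lat $Event.Lon
    $hours = ($Event.Time - $Profile.LastTime).TotalHours
    if ($hours -gt 0 -and ($km / $hours) -gt 900) {
        $score += 50; $reasons += ('impossible travel ({0:N0} km in {1:N1} h)' -f $km, $hours)
    } elseif ($km -gt 500) {
        $score += 15; $reasons += 'far from usual location'
    }

    # IP assessment: flags supplied by a (constructed) reputation lookup.
    if ($Event.IpFlags -contains 'anonymizer') { $score += 30; $reasons += 'anonymizing IP' }

    # Behavioural biometrics proxy: typing cadence far from the enrolled baseline.
    if ([math]::Abs($Event.TypingMs - $Profile.TypingMs) -gt 120) { $score += 20; $reasons += 'typing cadence mismatch' }

    # Amount relative to the customer's own history.
    if ($Event.Amount -gt 3 * $Profile.AvgAmount) { $score += 25; $reasons += 'unusually large amount' }

    $decision = if ($score -ge 80) { 'block' }
                elseif ($score -ge 30) { 'step-up SCA' }
                else { 'allow (background check only)' }
    [pscustomobject]@{ Score = $score; Decision = $decision; Reasons = ($reasons -join '; ') }
}

# Constructed sample data: a London customer and three payment attempts.
$profile = @{
    KnownDevices = @('dev-a1b2', 'dev-c3d4')
    LastLat = 51.5074; LastLon = -0.1278                 # last accepted session: London
    LastTime = [datetime]'2021-06-28T09:00:00Z'
    TypingMs = 180; AvgAmount = 120.0
}
$events = @(
    @{ Label='routine';   DeviceId='dev-a1b2'; Lat=51.51;   Lon=-0.12;    Time=[datetime]'2021-06-28T10:00:00Z'; IpFlags=@();              TypingMs=175; Amount=95 }
    @{ Label='new phone'; DeviceId='dev-zz99'; Lat=51.51;   Lon=-0.12;    Time=[datetime]'2021-06-28T10:05:00Z'; IpFlags=@();              TypingMs=190; Amount=110 }
    @{ Label='takeover';  DeviceId='dev-zz99'; Lat=40.7128; Lon=-74.0060; Time=[datetime]'2021-06-28T10:30:00Z'; IpFlags=@('anonymizer'); TypingMs=350; Amount=900 }  # New York, 90 min later
)
foreach ($e in $events) {
    $r = Get-TransactionRisk -Profile $profile -Event $e
    '{0,-10} score={1,3}  {2,-28} {3}' -f $e.Label, $r.Score, $r.Decision, $r.Reasons
}
```

With these constructed weights the routine payment scores 0 and is allowed silently, the genuine new phone scores 40 and triggers a step-up SCA challenge, and the takeover attempt accumulates new device, impossible travel, anonymising IP, cadence mismatch and amount for a score of 165 and is blocked. The point of the design is that the step-up is invisible to most customers and reserved for the cases where the background signals disagree with the customer's history.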

As open banking continues to mature and deliver results, it is important to keep the goal of financial inclusion in mind and to assess how far it is being achieved. We should see open banking initiatives leading to an increase in commerce and broadening a population’s range of economic opportunities, if they are implemented safely and securely. That revolves around getting the security and authentication behind the technology right.

Finally, getting this framework right for open banking could pave the way for greater uptake of open finance, the next stage, in which a customer’s entire financial footprint (including mortgages, savings, pensions, insurance and consumer credit) is opened up to trusted third-party APIs.

Learn how Thales can help enable open banking security for you here.

The post How to achieve financial inclusion with Open Banking appeared first on Cybersecurity Insiders.


June 28, 2021 at 09:09PM