Meltdown and Spectre – play down or panic?

Users have long since accepted that software errors can be exploited for digital attacks. In fact, these have become so frequent that only highly critical incidents make the news. Hardware is mostly a different story and is not often considered a security threat. The Meltdown and Spectre security flaws, however, can only be described as disastrous. Andreas Stiller from heise IT security news describes the two vulnerabilities, which allow data in protected internal memory areas to be read out on many processors, as a catastrophic security incident. Under certain circumstances, the CPU security flaws allow passwords or other confidential information to be read and forwarded to an attacker over a network connection. More than a dozen possible attacks have already been outlined publicly. It can be assumed that stakeholders interested in clandestine exploits have a few more ideas on the subject which are not in the public domain.

Looking into the crystal ball

Some of the worst data incidents of recent years occurred in 2017. Whether Equifax, Uber or Maersk, organizations have had to admit, sometimes too late, that their customers’ personal data had been stolen. To some extent, the tactics companies used to cover up the incidents have seemed almost as criminal as the data theft itself. All industry insiders and security software companies that dare to make forecasts for the coming year agree that ransomware in particular is developing into a threat that companies cannot currently handle.

Christmas is coming – but turn off the Wi-Fi

Every year, as Christmas draws nearer, many can be heard questioning the sanity of the annual gifting madness. Everything was better back when today’s parents were themselves children and most were happy with a wooden car; today’s children are far too spoiled anyway. But if you think the favorite toys of yesteryear (Magic Cube, He-Man, Furby, Tamagotchi) were the spawn of the devil, you’ll be amazed by the current toy trends. A survey of parents by the security software manufacturer McAfee found that 90 percent of children want networked toys. Hardly any parent, however, has IT security in mind, which matters a great deal now that such digital technology is finding a place in our children’s bedrooms.

GDPR: Who is responsible for what?

The EU General Data Protection Regulation (GDPR) and the Network Information Security (NIS) directive are already causing a flurry of activity among businesses. Who is ultimately responsible for cybersecurity seems to be attracting particularly intense discussion. According to a recent study by Palo Alto Networks, cybersecurity is the responsibility of the CIO in 50% of companies, compared with the CISO in 30%. This is a surprising finding, especially considering that the role of Chief Information Security Officer implies this task. Whether this changes is probably more a political than a technical matter. At least around 30 percent of respondents believe that the CISO or CSO should be responsible for cybersecurity. The current situation points to long-established and seldom-adapted rituals in the distribution of responsibility within companies.

How to Lose User Confidence and Jeopardize Security

Using up-to-date security software is pretty much at the top of recommended defense measures. Anti-virus and anti-phishing software filter daily attacks out of network communications. However, it is important that users can trust this software to intercept malicious software, harmful links, and other threats no matter who they come from. Threats may originate from criminals, but increasingly also from government organizations. Users also expect that data remains stored confidentially on their devices, especially considering that security software has the capability of viewing and intercepting that data. Recently, the Russian antivirus company Kaspersky has made headlines for exactly this reason. US authorities claim that Kaspersky stole top-secret software from a government employee’s PC and delivered it to the Russian intelligence service. This included exploits for previously unknown vulnerabilities.