CS Nov-Dec 2022

More documents

Recommendations

Info

2023 predictions PaaS, such as containers. Next generation XDR can take telemetry from assets like containers into a more modern Security Orchestration, Automation and Response (SOAR) platform. Tools such as these are becoming an increasingly critical function to support, secure and ultimately keep up with digital transformation." STEPHANIE BEST, DIRECTOR OF PRODUCT MARKETING, SALT SECURITY "2023 will be the year of API security. API traffic has increased 168% over the past year, with malicious traffic growing 117% in the same period. As business infrastructure increasingly moves towards digitalisation, API traffic, malicious and otherwise, will only continue to increase through 2023. If businesses are to protect themselves from the torrent of attacks coming their way, they must recognise the uniqueness of API security. Traditional security solutions, such as WAFs, API gateways and bot mitigation, simply aren't effective at protecting from most attacks aimed at APIs. "Attacks on APIs are typically 'low and slow', with attackers searching for unique business logic flaws for weeks or even months before they succeed. As these attacks aren't as overt as more traditional methods, they cannot be detected by security tools that are not APIspecific. What's more, basic security tools such as authentication, authorisation and encryption fail to meet the challenge of contemporary API security. "Businesses require deep, detailed context to understand and protect their API ecosystems - that means being able to distinguish normal API activity from anomalies amidst millions of API calls. Basic security tools just don't provide that context, leaving businesses at risk. "While it's not certain that businesses will wise up to the importance of API security, attacks on APIs will certainly increase. Just this year, Australian telco giant Optus suffered an API security incident with catastrophic results. The breach resulted directly from broken user authentication, the second biggest API vulnerability, according to the OWASP API Security Top 10. "Attackers know that they can easily exfiltrate data from unauthenticated APIs. With an API security platform able to provide continuous visibility in runtime and show the normal behaviours of APIs versus anomalies, this threat could have been identified before the attacker accessed the user data. If organisations don't learn from Optus's mistakes, 2023 will be riddled with major API security failures. In short, 2023 is either going to be the year of API security or API security incidents. The end result will be determined by whether businesses wise up to the need for API-specific security or continue to rely on old security solutions for a very modern problem. JOHN GOODACRE, DIRECTOR OF THE UKRI'S DIGITAL SECURITY BY DESIGN CHALLENGE AND PROFESSOR OF COMPUTER ARCHITECTURES AT MANCHESTER UNIVERSITY "As we head into 2023, the financial impact of cybercrime is heading towards the $10 trillion mark, with no signs of slowing. As our world becomes ever more connected and dependent on technology, the traditional approach to cyber security of cleanliness and the rush to patch will continue to struggle to keep up. The doom-and-gloom headlines will continue to be written about data loss and a lack of resilience or trust from an ever-increasing breadth of cyber-attack across the digital world. "IT teams and users alike are already stretched to the limit, many acknowledging that they do not have the skills or time to keep up with the almost weekly attempted attacks and zero-day patches. Simply monitoring for and patching vulnerabilities that are discovered at the user level is not a battle that can be won by the defenders, especially when attackers only need to be right once to exploit a vulnerability. "The UK is seeking to do something about this to balance responsibility across the supply chain. Already in 2022, we have seen the Government's PSTI Bill looking to ensure that consumer products are shipped more securely by default, placing more responsibility on the product manufacturer. "The UK Government is not stopping here, though. As part of the UK's National Cyber Strategy, there is now a focus on the underlying technology that our digital world is built upon, ensuring products are not only secured by default to help reduce the number of vulnerabilities, but also secured by design of the components and enabling technologies to help protect against the inevitable remaining vulnerabilities. "UK Research and Innovation's Digital Security by Design Programme, part of the National Cyber Strategy, has been redesigning from the ground up the way software interacts with hardware, so it can block the exploitation of around 70% of the ongoing discovered vulnerabilities by design, while also enabling software development new ways to maintain resilience and integrity. Working across government, industry and academia, the £300m programme has been distributing a prototype, with developers and researchers finding more ways to protect everything digital from cyber and operational incidents. "As we move into 2023, we will really start to see early examples for sectors where this innovative technology can reduce threats and block exploitation of vulnerabilities. Developers and IT teams will become more vocal, pressing for the day they can benefit from new hardware that can actively block exploitation of vulnerabilities and their need to chase the ever-increasing number of patches." 14 computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk
ook review YOU AND YOUR DATA ARE THE PRODUCT THIS ARTICLE IS AN EDITED EXTRACT FROM THE PRIVACY MISSION: ACHIEVING ETHICAL DATA FOR OUR LIVES ONLINE, BY ANNIE MACHON (PUBLISHED BY WILEY, 2022) Making money from selling people's data is now a wellknown business model, whether that data is contact information or browsing history. How do you think Facebook grew so exponentially and became so rich? By selling our data to ad companies. Any free service available online will probably be using our data as their product by selling it to thirdparty organisations. This means that each one of us who uses this technology has become the product and we are being data farmed. What I would like you to understand is that the big corporations treat us like battery hens. All the data we churn out is being used to generate profit for other people; as individuals, we do not see a penny of it. The General Data Protection Regulation (GDPR) legislation introduced in the EU in 2016 was put in place in an attempt to rein in some of the most aggressive data-farming practices. While it is good in theory, it does not seem to be that effective in practice. As the United States has not followed suit, there is little to deter big American corporations from continuing how they always have when it comes to their data collection, storage and sharing methods. If you look at a list of the world's biggest companies in 2022, you will see that it is dominated by tech firms. Apple, Microsoft, Alphabet (Google), Amazon, Tesla, Meta and Tencent are all featured at the time of this writing.1 How do you think many of those companies made their money? Using data - our data. Data is the new oil. The drive to commoditise our data has often been likened to the oil rush at the end of the nineteenth and beginning of the twentieth centuries, when many huge American corporate fortunes and monopolies were established. The tech giants are merely continuing this trend of using data to build their wealth and, thanks to their huge wealth advantage, they are able to manipulate the sector to ensure their continued dominance. As soon as a rival technology appears that could threaten their business model, they buy the firm out. Although it is referred to as our data, I want you to realise that it is much more than data. This is your life. We live so much of our lives online that your 'data' covers every aspect of you, from your thoughts, relationships, political beliefs or activism to your financial and health records. All of this information is online and it is all accessible. There is a huge blurring of lines between our physical lives and online lives, which is what makes us so vulnerable. Those of us who grew up in a world without the internet, and who very clearly remember that time, may have a greater awareness of some of these issues. But if you are part of the generation termed digital natives (broadly, anyone born from the 1990s onward), this has always been your reality and you may never have considered the underlying concepts surrounding your privacy and human rights. In fact, these days I would argue that the only privacy we have as individuals is what goes on inside our heads. 1. 'Biggest companies in the world 2022', FinanceCharts.com, accessed 4 May 2022, available at: https://www.financecharts.com/screener/biggest. Annie Machon is an international public speaker, writer, media commentator and political campaigner. She has also appeared in award-winning films and TV documentaries. She is currently a Director of the World Ethical Data Foundation. Machon is a former MI5 intelligence officer, a European board member of the drug reform organisation, Law Enforcement Action Partnership and a member of the Organising Committee of the Sam Adams Associates for Integrity in Intelligence. www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2022 computing security 15
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment WHY DATA ETHICS MATTER Data
Page 5 and 6: We focus on your cybersecurity thre
Page 8: news Bogdan Botezatu, Bitdefender.
Page 11 and 12: 2023 predictions Meanwhile, EU Digi
Page 13: 2023 predictions zero-day exploit.
Page 17 and 18: 2022 CS Awards THE 2022 WINNERS: Em
Page 20 and 21: deepfakes THE DYSTOPIAN WORLD OF DE
Page 22 and 23: data management YOU AND YOUR DATA A
Page 24 and 25: ansomware RANSOMWARE ON THE RAMPAGE
Page 26 and 27: ansomware Dan Turner, Forcepoint: c
Page 28 and 29: ansomware Steve Forbes, Nominet: pa
Page 30 and 31: legislation EU CYBER RESILIENCE ACT
Page 32 and 33: packet data BUILDING A CAPTIVE AUDI
Page 34 and 35: data threats WHY RANSOMWARE IS 'MOV
Page 36 and 37: eaches MAJOR BREACH, HARSH LESSONS
Page 38 and 39: GDPR REGULATORS MEAN BUSINESS! THE
Page 40 and 41: GDPR Dan Middleton, Veeam: Business
Page 42: Strengthen your data resilience wit

CS Nov-Dec 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?