Why not controlling your business data is a bad idea, part two - five years later things have not changed drastically

Details

Category: Cyber Security (Personal)

Published: 02 December 2019

In June 2014 I published https://www.datasecurityexpert.co.uk/articles/personal-articles/81-why-not-controlling-your-business-data-is-a-bad-idea.html when cyber security was less known about or “sexy”. A few articles ago in https://www.datasecurityexpert.co.uk/articles/personal-articles/331-cyber-security-the-gap-between-rich-good-security-and-poor-not-good-security.html. I said in the article, very early in my career I worked at a large firm whose security was incredible for the time. Still I stand by my comment that company x beats many companies today I see.

It is all good securing the corporate issued laptop, if you do at all, and then pay little attention to remote services like OWA (Outlook Web Access), Office365 (<), OneDrive (cloud file storage) or the web based DMS (document management system). It is likely your laptop will have FDE (full disc encryption) and maybe, just maybe USB storage devices blocked which makes it a little harder to leak data by mistake or on-purpose.

Post 2010 the concept of the four walls of a company or the boundaries of its physical firewall have slowly (or now rapidly) been degrading. In the old days all we used was a Outlook client and a shared folder which meant you needed to be on-site or with a VPN-laptop to get to your data. The days of client software are reducing and everything now is browser based, more specifically cloud based which is hosted in someone else’s data centre.

Read more …

Cyber security buzzwords: we will be bulletproof if we buy this shiny new box (insert words: AI, ML, Cloud, SIEM, Next-Gen, Blockchain, Zero Trust, Quantum, Disruptive, EDR, EPP, MDR, Threat Intel & APT to make it even better!)

Details

Category: Cyber Security (Personal)

Published: 01 November 2019

Go to Infosecurity Europe in London every year and there is a craze on the above words in brackets. This begs a thought or question, with tens of established and new vendors claiming to have invented the next best thing, do and can they really work? Salesmen/women are there to well, sell and hit targets and do not necessarily know the deeper technical details of the product/service they sell.

This article covers two things:

1. Do these products even work?
2. If they do work, will/do people even bother or know how to configure them to the maximum?

Over the years and still to this date I have seen examples of both. Before I go into the personal examples, let’s talk about two massive buzzwords this year, AI (artificial intelligence) and ML (machine learning). I am not here to say they do not work but these are newish technologies and they are still in their infancy thus time will improve them.

Read more …

What website security headers are and why you cannot see mine

Details

Category: Cyber Security (Personal)

Published: 10 October 2019

Last month I moved my website to a new server and rebuilt it from scratch along with: double username/passwords, double ninja firewalling, restricted TLS configuration, security headers, two factor authentication and a SaaS WAF (website application firewall), and more of course.

Many of us technical folk have seen and used SSL Labs by Qualys which gives me a “A” rating though it states I still have TLS 1.0 available which is incorrect. SSL Security Test by ImmuniWeb gives me a “A+” (if only I got this during school GCSE’s!) and states only TLS 1.2 + 1.3. Odd Qualys gets it wrong.

The technical security controls listed in paragraph one are known apart from security headers which are less known about and used. Headers are sent/set by: WAF, load balancer, web application, web server and other devices, and they are sent from the website to the end users’ browser.

Read more …