Category Archives for "Security"

Notes on the UK IoT cybersec “Code of Practice”

The British government has released a voluntary "Code of Practice" for securing IoT devices. I thought I'd write some notes on it.

First, the good parts

Before I criticize the individual points, I want to praise it for having a clue. So many of these sorts of things are written by the clueless, those who want to be involved in telling people what to do but who don't really understand the problem.

The first part of the clue is restricting the scope. Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems, or mobile phones that they should never really be talked about in the same guide.

The next part of the clue is understanding the players. It's not just the device that's a problem, but also the cloud and mobile app part that relates to the device. Though they do go too far and include the "retailer", which is a bit nonsensical.

Lastly, while I'm critical of almost all the points on the list and how they are described, it's probably a complete list. There's not much missing, and at the same time, it includes little that isn't necessary. In contrast, a lot of other Continue reading

DC CyberWeek Is Here!


This October is the 15th annual National Cybersecurity Awareness Month in the United States, a collaboration between the US government and industry to raise awareness about the part we can all play in staying more secure online. Here at Cloudflare, where our mission is to help build a better internet, we look forward to this month all year.

As part of this month-long education campaign, Cloudflare is participating in D.C. CyberWeek this week, the largest cybersecurity festival in the U.S., taking place in Washington, DC. This year’s event is expected to have over 10,000 attendees, more than 100 events, and feature representatives from over 180 agencies, private companies, and service providers. We will join with other leaders in cybersecurity to share best practices, find ways to collaborate, and work to achieve common goals.

Along with the United States, the European Union also runs a month-long cyber awareness campaign in October, with the initiative having started back in 2012. The aim of this advocacy campaign is similar: promoting cybersecurity among citizens and organizations, and providing information on available tools and resources. Watch our CTO speak to some of the main considerations around Continue reading

How to irregular cyber warfare

Somebody (@thegrugq) pointed me to this article on "Lessons on Irregular Cyber Warfare", citing the masters like Sun Tzu, von Clausewitz, Mao, Che, and the usual characters. It tries to answer:

> ...as an insurgent, which is in a weaker power position vis-a-vis a stronger nation state; how does cyber warfare play an integral part in the irregular cyber conflicts in the twenty-first century between nation-states and violent non-state actors or insurgencies

I thought I'd write a rebuttal.

None of these people provide any value. If you want to figure out cyber insurgency, then you want to focus on the technical "cyber" aspects, not "insurgency". I regularly read military articles about cyber written by people who, like the author of the above article, demonstrate little experience in cyber.

The chief technical lesson for the cyber insurgent is the Birthday Paradox. Let's say, hypothetically, you go to a party with 23 people total. What's the chance that any two people at the party have the same birthday? The answer is 50.7%. With a party of 75 people, the chance rises to 99.9% that two will have the same birthday.

The paradox is that your intuitive way of calculating Continue reading

Security Is Bananas

I think we’ve reached peak bombshell report discussion at this point. It all started this time around with the big news from Bloomberg that China implanted spy chips into SuperMicro boards in the assembly phase. Then came the denials from Amazon and Apple and even SuperMicro. Then started the armchair quarterbacking from everyone, including TechCrunch. From bad sources to lack of technical details all the way up to the crazy conspiracy theories that someone at Bloomberg was trying to goose their quarterly bonus with a short sale, or that the Chinese planted the story to cover up future hacking incidents, I think we’ve covered the entire gamut of everything that the SuperMicro story could and couldn’t be.

So what more could there be to say about this? Well, nothing about SuperMicro specifically. But there’s a lot to say about the fact that we were both oblivious and completely unsurprised about an attack on the supply chain of a manufacturer. While the story moved the stock markets pretty effectively for a few days, none of the security people I’ve talked to were shocked by the idea of someone with the power of a nation state inserting themselves into the supply chain Continue reading

Leave your VPN and cURL secure APIs with Cloudflare Access


We built Access to solve a problem here at Cloudflare: our VPN. Our team members hated the slowness and inconvenience of the VPN, but that wasn’t the issue we needed to solve. The security risks posed by a VPN required a better solution.

VPNs punch holes in the network perimeter. Once inside, individuals can access everything. This can include critically sensitive content like private keys, cryptographic salts, and log files. Cloudflare is a security company; this situation was unacceptable. We needed a better method that gives every application control over precisely who is allowed to reach it.

Access meets that need. We started by moving our browser-based applications behind Access. Team members could connect to applications faster, from anywhere, while we improved the security of the entire organization. However, we weren’t yet ready to turn off our VPN, as some tasks are better done through a command line. We cannot #EndTheVPN without replacing all of its use cases, and reaching a server from the command line still required us to fall back to our VPN.

Today, we’re releasing a beta command line tool to help your team, and ours. Before we started using this feature at Cloudflare, curling a server required me to Continue reading