Many of our clients now support the BYOD and Remote Worker Model. Some of them might be thinking about ways they can secure their mobile workforce.
The US Federal Risk and Authorization Management Program (FedRAMP) is a "government-wide program that provides a standardized approach to security assessment authorization" for cloud service provider (CSP) solutions. As Canadians, that standard gives us guidelines on how to build our own cloud solutions on native soil, but it also lets us take advantage of a lawful standard that commonly used providers, like Amazon, Google and Microsoft, already adhere to.
On the heels of the recent Docker Hub breach, we've got another Docker issue: a null root password. Folks, if you're going to rely on public images and builds for your overall system architecture, please please PLEASE consider baking your own hub, or scrutinise and sanitise what you're using.
The dark truth about fingerprinting hardware is that it can be used to specifically target particular weaknesses of mobile devices. Using the embedded magnetometer, gyroscope, and accelerometer, any web page can determine your device type by serving up some script. What this also means is that a mobile web site tab can pretty much follow you around town all day, even without GPS.
A very basic way of protecting your banking clients, even once they're done visiting your site: idle-time logouts. It seems that the Royal Bank was the only bank to "make the grade" when it comes to this one basic security configuration. Logging out idle users should be done actively, not passively.
Hackers are leaving no stone unturned when it comes to scouring systems and software for an attack vector. Usually, an adversary is looking for one-off anomalies at the low end of computer programming, the 1's and 0's: a buffer overflow, some protocol fuzzing, some kind of byte-level trickery. Nothing so brazen as a supply chain attack. These attacks are swift, trusted, and often skipped during antivirus and malware scanning. Last week I read about a terrible new Apple supply chain compromise.
Assessing security defenses and testing for weakness is an essential feedback component of the continuous improvement cycle, canonized by several risk management frameworks. At RiPPUL, we look at vulnerability testing as an important component of a well-managed risk management program.
Open source tools and computational power have progressed, but there's a worldwide race out there to weave the latest theories and algorithms together with cheap, small-batch hardware. May the most accurate win.
There may be dimensions to the risk profile of your organisation which you never considered. Let RiPPUL cybersecurity experts protect your business, your clients, and your livelihood.
I've found two easy ways to stop bots from signing up and infiltrating a freshly pressed web site. If you've got no advanced IP (geo/blacklist) filtering or email address spam checking built into your web app, you should at least be throttling or hindering bot efforts using the tooling you've got at hand - your web … Continue reading Two Easy and Effective Ways for Web Developers or Regular Folk to Secure Against Bot Probing.