This week, security experts took a few fresh, dare we say “disruptive,” perspectives on established security conventions – specifically, the password and PCI compliance.
Yahoo! made ripples this week with a new on-demand system that eliminates the static password. The new system sends a temporary password to your phone, much in the same way the second factor in many two-factor authentication systems works. Yahoo! CISO Alex Stamos took to Twitter to defend the system but ended up expanding his thoughts to the password and available security tools such as password managers. This series of tweets is a must-read analysis of the password and user security.
User security is inseparable from organizational security, as recent breaches stemming from compromised credentials illustrate. At the same time, the current state of affairs reveals the widespread vulnerability of employees: companies have, on average, 12% of users with at least one stolen credential for sale on the DarkNet. It is the extent of this issue that made this take on the Anthem Breach, shared by Barclays CISO Troels Oerting, stand out to us. The takeaway is that security professionals can reduce risk to their organization by making every employee part of the cyber security team. In other words, employees outside of the security team should be aware of common security missteps and best practices. Also included are four recommendations for incorporating cyber security into company culture.
Digging deeper into the nuts and bolts of security maintenance, Steven Fox of the US Department of the Treasury shared an article on seven common mistakes of security policy change management. Apparently the same issues that plague text messages can threaten cyber security, as the final piece of advice is to automate processes whenever possible in order to avoid human error or “fat finger” mistakes.
To say PCI compliance gets on security teams’ nerves would be an understatement. Richard Rushing, CISO at Motorola, shared an excellent analysis of Verizon’s 2015 PCI Compliance Report. For those feeling overwhelmed, we published a guide to PCI compliance in a cloud summarizing the 12 requirements and offering a host of additional resources.
You can’t prevent every attack, and security teams should hope for the best but be prepared for the worst. US Army Corps of Engineers CISO Sam Liles shared an article on the key rules for handling a cyber attack. Step three, “Notify third parties,” will be especially important in light of new European Union data protection regulations, which will enforce more severe consequences for organizations that fail to do so.