Terrible passwords outlawed in Microsoft’s new Azure tool

Kudos to Microsoft for heading down this path and taking one more step closer to better password security.  It is still not a perfect world scenario, but it is better than the basic controls inherent to the OS.

https://nakedsecurity.sophos.com/2018/06/25/terrible-passwords-outlawed-in-microsofts-new-azure-tool/

Federal Websites Still Lack Basic Security

This is yet another Federal example of “Do as I say…not as I do.”  There is no excuse for the Federal government not following and meeting or exceeding the standards it sets for websites and website security.

https://www.infosecurity-magazine.com/news/federal-websites-still-lack-basic/

Google Rolls Out Advanced Protection for High-Risk Users

This is an excellent step forward in the effort to protect sensitive Google data.  U2F is a strong, reliable authentication mechanism and will afford Google more flexibility as this program moves forward.  There are certain limitations with mobile devices and third-party applications that will need to be navigated, but if someone finds himself or herself in a highly sensitive or high-risk situation, then this is the best security option available to date for the Google email ecosystem.

https://www.infosecurity-magazine.com/news/google-rolls-out-advanced/

Security’s #1 Problem: Economic Incentives

This article is a very intriguing read.  The economics of software are hard, whether the applications are public facing and for resale or the development is internal to an organization.  Security is far too often an afterthought or a nice-to-have in the development cycle.  True DevOps programs and security officers should partner.  Instead, they compete.

Sadly, the only real mechanism that addresses these problems today is fear – fear of penalties and fear of non-compliance.  We should be motivated by security itself – a desire to protect customer data, to provide a more secure, robust service.  It will take consumers willing to demand such a high-caliber standard before the market will adjust and the economics will justify a more mature, secure development cycle.

https://www.darkreading.com/vulnerabilities---threats/securitys--1-problem-economic-incentives/a/d-id/1329939

Verizon Report: Businesses Hit with Payment Card Breaches Not Fully PCI-Compliant

Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.

Sadly, this is not surprising.  Many businesses are chasing compliance and not seeking real security.  They are trying to check boxes and not secure data.  True data-centric security requires dedication and effort.  It is not a package to purchase or a spreadsheet to fill out.

https://www.darkreading.com/endpoint/verizon-report-businesses-hit-with-payment-card-breaches-not-fully-pci-compliant/d/d-id/1329778

CIPA Compliance and Cybersecurity: You Can’t Have One Without the Other

Though unabashedly sales-centric, this blog post by Fortinet provides a good overview of the intentions and goals associated with CIPA (Children’s Internet Protection Act).  It is well worth a read as both a parent and a potential technology provider in the K-12 space.

https://blog.fortinet.com/2017/08/31/cipa-compliance-and-cybersecurity-you-can-t-have-one-without-the-other