The Digital Trust Digest is a curated overview of the week’s top cybersecurity news. Here are five things you need to know this week.
CISOs share 14 lessons learned in 2022
The world is changing for CISOs. Amid the labor shortage, geopolitical conflict, and the rise in supply chain attacks, the pressure is on for CISOs to make good on increased budgets and provide tangible wins for their organizations.
CSO Online asked security leaders from Google, Veracode, Thrive, Trustwave, and others to reflect on their biggest takeaways from the year and look ahead to 2023. Their answers ran the gamut, from security insurance and legislation to shift-left software testing and adopting zero trust.
See the whole list at CSO Online. There’s a kernel of wisdom for anyone seeking a proactive approach to cybersecurity operations.
NIST action looks to jumpstart an explosive post-quantum cryptography market
As NIST makes its final selection of PQC algorithms, the rest of the industry is poised to follow its lead. ABI Research, a global technology intelligence firm, predicts PQC revenues will grow by leaps and bounds for the next five years as organizations rush to adapt to NIST’s new standards.
“The progress of work in these fora will be a sign of technological maturity, and the goal for vendors will be to present ‘plug and play’ types of technologies for their respective industries, making for easier commercial integration and adoption,” said Michela Menting, ABI’s Cybersecurity Applications Research Director.
Crypto-agility will be mission-critical in the post-quantum era. Check out ABI’s report to see how NIST’s decision will impact your organization.
Despite White House deadlines, post-quantum transition will drag
A November 18 memo from the U.S. Office of Management and Budget demands agencies submit their first cryptographic system inventories identifying vulnerable systems, but it’s a tall order.
Most agencies have trouble getting their arms around the sheer volume of systems that depend on PKI. Meanwhile, scientists can’t agree on how to define a qubit — the quantum mechanical analog to a bit. Only one quantum security-as-a-service company has been awarded a Phase III contract, which allows it to contract with federal agencies.
The latest memo will be just one in a flurry of directives and legislation that will position the U.S. as the global leader in protection, even though experts predict the transition will take at least a decade. To read more about “the largest upgrade cycle in all human history,” head to FedScoop.
Malware-ridden app updates give full access to Android devices
Several big-name device producers like Samsung and LG suffered a leak of manufacturer signing keys, which were then used to disguise malware-infected app updates as legitimate updates.
Unlike most malware apps, this technique didn’t need to deceive the user into granting sensitive permissions or clicking a malicious file or link. Merely downloading a malicious app update could hand over full access to the device.
The incident is a lesson in the risks of signing code without protocols for managing code signing keys. To see where these manufacturers failed and where you can succeed, check out the full story in CPO Magazine.
Too many identity solutions, not enough coverage
A new report by One Identity, an identity management solutions provider, shows that the vast majority of organizations struggle to cover gaps in identity-based access, despite a sprawl of identity solutions.
The report reveals that 41% of companies have deployed at least 25 different systems to manage access rights, yet 70% said they aren’t using all the identity tools they are paying for. These inefficiencies cost 42% of businesses over $100,000 each year.
Organizations will seek holistic solutions that centralize or consolidate identity management tools to solve this problem. As threat actors continue to target users, solving the identity-based access puzzle will be key to staving off social engineering attacks in the coming year. To get a sense of the full scope of identity management fragmentation, access the full report at BetaNews.
Catch up on last week’s headlines here.