The Seven Cybersecurity Commandments
And Whatever Happened To “Secure By Design”?
When I go on TV to report on a data breach, there’s a stock answer I usually use to the question on how companies can protect themselves against data breaches: “Enable multifactor authentication” — MTA. But, still, companies blindly hold only passwords as their single source of identification. Like it or not, at the core of cybersecurity is identity, whether it is users, devices or services. Unfortunately, sometimes, it feels like we are still living in a 20th-century world of digital technology, and where the move to the cloud has just moved our passwords there.
Recently, I was lucky to speak to Troy Hunt, and he outlined that it is still common for data breaches to have old (and insecure) hashed versions of passwords. In fact, he outlined that there were many cases where he saw old MD5 hashed passwords mixed with bcrypt, where users who had updated their passwords had a bcrypt hash, and those who hadn’t still had MD5. This, he thought, was silly, as it should have been possible to double hash the passwords in a single instance, and where we use the MD5 hash as a seed for bcrypt. This just seems like a complete lack of understanding of cybersecurity or a complete lack of caring about protecting citizen data.
And, so, for years (if not decades), we have seen a focus on “secure after design” rather than “security by design”. Security then becomes an afterthought, and a bolt-on option. Overall, we wouldn’t build bridges which weren’t designed to fall down, so why do we build systems that are not inherently secure? The reasons? Basically, there are many reasons, including poor cybersecurity knowledge (especially in cryptography) for developers, laziness, cost, “get it shipped” mentality, lack of due care and diligence in using citizen data, and a lack of real understanding about how products and services will actually be used.
In the EU, GDPR certainly moves companies towards a secure by design approach, and where it calls for pseudo-anonymisation, incident reporting within given time limits, and in the usage of encryption. But, GDPR is a bland and vanilla regulation that does not go into any great detail on the actual design of products and services.
The US, though, aim to overcome these issues with a new “Secure by Design Pledge [here]:
This was announced by CISA at the recent RSA confrence. Unforunately, it is a voluntary pledge and current signers include:
Overall, it contains seven pledges to important cybersecurity improvements:
- Multi-factor authentication (MFA). GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
- Default passwords. GOAL: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
- Reducing entire classes of vulnerability. GOAL: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
- Security patches. GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
- Vulnerability disclosure policy. Goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP)
- CVEs. Goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting
- Evidence of intrusions. Goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
Personally, I think these should be mandatory for large tech companies, and there should be other things added that relate to privacy, such as encrypting data, and making it anonymous.
I strong believe that every organisation should sign up to the basics of the pledges:
So, go on, sign your company up or follow the pledges, and show that you take security seriously!
