Last week, our insights on securing IoT devices in healthcare really took off, prompting thoughtful commentary across the web. We also had the opportunity to comment on the NIST password draft, among other hot topics…
Vendors approve of NIST password draft
The National Institute of Standards and Technology (NIST) recently released draft Digital Identity Guidelines that offer a baseline set of standards for digital identity, including basic authentication and password practices. The revised guidelines incorporate the latest password research, which has shown that forced periodic password changes and mandated complexity rules are ineffective, among other changes. Ryan Francis summarizes the new draft on CSO Online, noting the positive changes that come from additions such as password screening and requirements for how passwords are stored.
Richard Henderson, Absolute’s global security strategist, notes that the changes make dictionary and rainbow-table attacks less useful for testing credentials, and that screening your own users’ passwords against lists of known stolen passwords can be valuable:
“Beyond the idea of potentially minimizing the risk of password reuse and creating weaker passwords, it can alert companies to the potential of a breach of one of their users. If a password like 247KangarooKiwi! shows up on a compromised list somewhere, and that’s a password one of your users uses, it’s an awfully large red flag to take a look at their corporate or work endpoint devices and look for evidence of compromise.”
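The screening Henderson describes has two halves: rejecting a new password that is already on a compromised list, and sweeping an existing directory for users whose password appears on one. The example below is an added illustration and is not code from Absolute, NIST or CSO Online. The compromised list is a constructed five-entry sample (it includes the article’s 247KangarooKiwi! example), the length bounds are demo assumptions in the spirit of the draft (no composition rules, no expiry), and the prefix range query mirrors the k-anonymity pattern used by public breached-password services: the client hashes locally, sends only the first five hex characters, and compares suffixes on its own side.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "known compromised" list for the demo. A real deployment
# would load a large corpus of leaked passwords; these five are made up here,
# with the article's example included so the demo has a hit.
COMPROMISED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "247KangarooKiwi!",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of a password (the lookup key, not a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the list by hash so the list itself is not a plaintext trove and so
# lookups can be done by prefix without revealing the full password.
COMPROMISED_SHA1 = {sha1_hex(p) for p in COMPROMISED_PASSWORDS}


def range_query(prefix: str) -> list[str]:
    """Server side of the prefix lookup: given the first 5 hex characters,
    return the suffixes of every compromised hash sharing that prefix.
    The caller never sends the full hash, so the server learns very little."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)]


def is_compromised(password: str) -> bool:
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


@dataclass
class ScreenResult:
    accepted: bool
    reason: str


MIN_LENGTH = 8    # demo assumption: the draft sets a minimum length
MAX_LENGTH = 64   # demo assumption: verifiers should allow long passphrases


def screen_password(password: str) -> ScreenResult:
    """Registration / change-time policy in the spirit of the draft:
    length bounds plus a compromised-list check, with no character-class
    rules and no forced rotation."""
    if len(password) < MIN_LENGTH:
        return ScreenResult(False, "too short")
    if len(password) > MAX_LENGTH:
        return ScreenResult(False, "too long")
    if is_compromised(password):
        return ScreenResult(False, "appears in a compromised-password list")
    return ScreenResult(True, "ok")


def audit_directory(accounts: dict[str, str]) -> list[str]:
    """Defender-side sweep over an existing {username: sha1-hex} mapping.
    Returns the users whose password hash is on the compromised list; those
    are the accounts whose endpoints the article suggests examining."""
    return sorted(user for user, h in accounts.items() if h.upper() in COMPROMISED_SHA1)


if __name__ == "__main__":
    for candidate in ["247KangarooKiwi!", "short", "a long passphrase nobody leaked"]:
        result = screen_password(candidate)
        print(f"{candidate!r}: accepted={result.accepted} ({result.reason})")
    # Constructed directory snapshot for the sweep.
    directory = {
        "alice": sha1_hex("247KangarooKiwi!"),
        "bob": sha1_hex("unique passphrase zz"),
    }
    print("flag for review:", audit_directory(directory))
```

SHA-1 is used here only as a lookup key against the breached list; it is not a suitable way to store the passwords themselves, which the draft addresses separately through salted, deliberately slow hashing.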
Ransomware attacks continue to hit home
A quickly spreading piece of malware managed to infect more than 70,000 machines in a matter of hours, including a number of hospitals. This malware did not depend on phishing links; all it needed was for you to have skipped a Microsoft security patch issued two months ago. Once in, it spread quickly and was used in ransomware attacks.
As Gizmodo’s Dell Cameron summarizes, this attack was preventable: too many people click ‘remind me’ on updates instead of actually installing them. As people open their computers today after the weekend, some experts expect another surge of the original and variant versions of this malware this week.
When it comes to securing data against ransomware, automation is key. Whether security patches are applied overnight or in the background, it’s critical that software on the network and on the endpoint has all the latest security patches.
In other malware news, a new variant of SLocker was targeting corporate mobile device fleets through app stores, which poses a significant risk for organizations.
Upcoming Absolute events
We had the opportunity to talk about the power of the self-healing endpoint at Dell EMC World, TractionForce 2017 and Go North Canada last week in Seattle. This week, we’re at the IANS Security Forum in Toronto and CIOsynergy in Boston to continue these great conversations. And, on May 23, mark your calendars and join us for a webinar on the Global Implications of GDPR Legislation.
Want to stay on top of the latest developments? Join us on Twitter and LinkedIn for more insights and to continue the conversation. Questions? Comments? Topic suggestions? Email us at firstname.lastname@example.org.