Businesses Turning To Zero-Trust Security Model
As a widening attack surface and evolving threats mean that organisations continue to be breached despite a large security spend, many businesses are now turning to the ‘zero-trust’ security model.
What Is The Zero-Trust Security Model?
The Zero Trust security model, introduced by analyst firm Forrester Research, is an alternative architecture for IT security that doesn’t work on the traditional assumption that the perimeter is the main focus and that the inside of an organization’s network can be trusted. Zero-trust assumes that untrusted actors exist both inside and outside a company network, and that every user access request has to be authorised, using the principle of “never trust, always verify”. In this way, Zero-trust can address lateral threat movement within the network i.e. stopping insider and other threats from spreading once inside.
Breaches
Almost 70% of organisations are getting breached an average of five times a year, with 81% of breaches being simply linked to weak, default or stolen passwords. Once inside networks, attackers can camouflage their attack behind a legitimate identity like a database administrator, can go on to access and decrypt encrypted information, and be harder to spot and stop because of their apparent legitimacy.
According to some security commentators, this shows that identity, and identity-centric security measures are areas that organisations need to focus on, and this is where architecture such as zero-trust can help.
10 Cyber-Attacks Per Week
More businesses are recognising the need for a better approach to all-round security, particularly in an environment where hacking’s on the up. For example, the UK’s National Cyber Security Centre has just announced that it has stopped 1,600 attacks over the past two years, many by hostile nation states, and that there are now 10 such attacks per week. Also, the NCSC’s Active Cyber Defence (ACD) initiative reports removing 138,398 phishing sites hosted in the UK between September 2017 and August 2018.
Four Pillars of Zero-Trust Security
The zero-trust security model is, therefore, believed to be another step forward in the battle against cyber-criminals. The success of the zero-trust security model is based upon four key ‘pillars’, which are:
- Verifying users. This involves identity consolidation which can tackle weak / shared password issues (using single sign-on and one-time passwords), de-facto authentication everywhere, and monitoring user behaviour e.g. time and location factors.
- Validating devices.
- Limiting access of privileged users where possible.
- Applying machine learning to all these factors, and using this to step up the authentication processes wherever necessary. Machine learning also removes the need for manual intervention.
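To show how the four pillars combine into a single per-request decision, here is an added example (not part of the original article or any vendor's product). All field names, weights and thresholds are hypothetical, and a fixed scoring rule stands in for the machine-learning model.

```javascript
// Added illustration; field names, weights and thresholds are hypothetical.
const RISK_STEP_UP = 30; // at or above this score, ask for a one-time password
const RISK_DENY = 70;    // at or above this score, refuse the request

// Behaviour monitoring: score the request against the user's usual time and
// location. A fixed rule stands in for the machine-learning model here.
function behaviourRisk(user, ctx) {
  let risk = 0;
  if (!user.usualCountries.includes(ctx.country)) risk += 40;
  const [start, end] = user.usualHours; // e.g. [7, 19] in local time
  if (ctx.hour < start || ctx.hour >= end) risk += 20;
  if (ctx.failedLoginsLastHour >= 3) risk += 30;
  return risk;
}

// Every request is evaluated on its own; being inside the network earns nothing.
function decide({ user, device, resource, ctx }) {
  // Pillar 1: verify the user through the consolidated identity provider.
  if (!user.ssoSessionValid) return { decision: 'deny', reason: 'no valid SSO session' };
  // Pillar 2: validate the device.
  if (!device.enrolled) return { decision: 'deny', reason: 'device not enrolled' };
  // Pillar 3: limit privileged access to users who hold the role explicitly.
  if (!user.roles.includes(resource.requiredRole)) {
    return { decision: 'deny', reason: 'role not granted' };
  }
  // Pillar 4: combine the signals and step up authentication when needed.
  const risk = behaviourRisk(user, ctx) + (device.patched ? 0 : 30);
  if (risk >= RISK_DENY) return { decision: 'deny', reason: `risk ${risk}` };
  if ((risk >= RISK_STEP_UP || resource.privileged) && !ctx.otpVerified) {
    return { decision: 'step_up', reason: `risk ${risk}, one-time password required` };
  }
  return { decision: 'allow', reason: `risk ${risk}` };
}

// Constructed sample data.
const alice = { ssoSessionValid: true, roles: ['staff'], usualCountries: ['GB'], usualHours: [7, 19] };
const dbAdmin = { ...alice, roles: ['staff', 'dba'] };
const laptop = { enrolled: true, patched: true };
const wiki = { requiredRole: 'staff', privileged: false };
const payrollDb = { requiredRole: 'dba', privileged: true };
const office = { country: 'GB', hour: 10, failedLoginsLastHour: 0, otpVerified: false };

const samples = [
  ['staff, usual context, wiki', { user: alice, device: laptop, resource: wiki, ctx: office }],
  ['staff, unusual country', { user: alice, device: laptop, resource: wiki, ctx: { ...office, country: 'FR' } }],
  ['staff asks for payroll DB', { user: alice, device: laptop, resource: payrollDb, ctx: office }],
  ['DBA asks for payroll DB', { user: dbAdmin, device: laptop, resource: payrollDb, ctx: office }],
];
for (const [label, request] of samples) {
  const { decision, reason } = decide(request);
  console.log(`${label}: ${decision} (${reason})`);
}
```

Note that the database administrator is asked for a one-time password even from the usual location, which is the step that makes a stolen password alone insufficient for privileged access.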
Benefits
Those who have implemented zero-trust security have reported many benefits. These include cost savings due to gains in incident response efficiencies and technology consolidation, and greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences.
Challenge
One main challenge to the growth of the adoption of zero-trust security measures is the mistaken belief that it has to be time-consuming and takes a lot of effort to implement. Security commentators are keen to point out that, in reality, implementing a zero-trust security model is a step-by-step process.
What Does This Mean For Your Business?
It seems that the benefits of the zero-trust model are now becoming widely known by UK businesses and organisations. For example, an IDG study revealed that 71% of security-focused IT decision makers are actively pursuing a zero-trust security model, 10% are currently doing pilots, and around 8% have implemented it fully.
It’s important to realise that the implementation needn’t be a huge hassle and expense and can be tackled step-by-step, using commercial off-the-shelf technology. This approach to security offers businesses the chance to customise their security for their specific data and assets, and strengthen their infrastructure from the ground up by enabling the identification of vulnerabilities and gaps in their current security models at the root level.
This approach can bring some much-needed benefits, not least of which is a greater feeling of trust and a confidence boost. In terms of more measurable benefits to businesses, a Forrester and Centrify study, for example, has shown that by applying best practices of zero-trust principles, organisations recorded 50% fewer breaches within just two months. These kinds of figures are making this approach to security very attractive to many businesses, particularly those who have fallen victim to costly cyber attacks.
Ubicoustics Overhears Everything You Do … And Understands
Researchers in the US have presented a paper based on their research that identified a real-time, activity recognition system capable of interpreting collected sounds that could well be used by home smart speakers.
Identify Other Sounds, and Issue Responses
Researchers at Carnegie Mellon University in the US claim to have discovered a way that the ubiquity of microphones in modern computing devices, together with software that uses a device’s always-on built-in microphones, could be used to identify all sounds in a room, thereby enabling context-related responses from smart devices. For example, if a smart device such as an Amazon Echo were equipped with the technology, and could identify the sound of a tap running in the background in a home, it could issue a reminder to turn the tap off.
Ubicoustics
The research project, dubbed ‘Ubicoustics’, identified how an AI / machine-learning-based sound-labelling model, drawing on sound effects libraries, could be linked to the microphone (as the listening element) of a smart device e.g. smart-watches, computers, mobile devices, and smart speakers.
As Good As A Human
The sound-identifying, machine-learning model used in the research system was able to achieve human-level performance in recognition accuracy and false positive rejection. The reported accuracy level of 80.4%, and the misclassification level of around one sound in five sounds, means that it is comparable to a person trying to identify a sound.
As well as being comparable to other high-performance sound recognition systems, the Ubicoustics system has the added benefit of being able to recognise a much wider range of activities without site-specific training.
Applications
The researchers noted several possible applications of the system used in conjunction with smart devices e.g. sending a notification when a laundry load finished, promoting public health by detecting frequent coughs or sneezes and enabling smart-watches to prompt healthy behaviours after tracking the onset of symptoms.
Privacy Concerns
The obvious worry with a system of this kind is that it could represent an invasion of privacy and could be used to take eavesdropping to a new level i.e. meaning that we could all be living in what is essentially a bugged house.
The researchers suggest a potential privacy protection measure could be to convert all live audio data into low resolution Mel spectrograms (64 bins), thereby making speech recovery sufficiently difficult, or simply running the acoustic model locally on devices so no audio data is transmitted.
What Does This Mean For Your Business?
The ability of a smart device to recognise all sounds in a room (as well as a person can) and to deliver relevant responses could be valued if used in a responsible, helpful, and not an annoying way. This doesn’t detract from the fact that having a device with these capabilities in the home or office could represent a privacy and security risk, and has more than a whiff of ‘big brother’ about it. Indeed, the researchers recognised that people may not want sensitive, fine-grained data going to third-parties, and that operating a device with this system but without transmission of the data could provide a competitive edge in the marketplace.
Nevertheless, it could also represent new opportunities for customer service, diagnostics for home and business products / services, crime detection and prevention, targeted promotions, and a whole range of other possibilities.
Resurrecting An Old Android Phone Is Easier Than You Think
Many of us have an old Android phone somewhere in the house, doing nothing. Rather than leaving it there to add no value to your life and work, you may find that it’s much easier than you think to resurrect it.
Look Beyond The Launch
Even though your phone may have been the greatest and the fastest when it was launched, the passage of time doesn’t necessarily mean that it has become obsolete.
Performance issues can, of course, be exaggerated by age and resource limitations, but there are some steps you can take to clean up your old Android phone and bring it back into active service. These steps could include:
- Freeing up storage space. Begin this process by backing up the media that you have on the phone. This can be done by opening Google Photos, selecting “Settings,” “Back up & sync” and activating the toggle that appears. This will allow you to back up your photos and images to the cloud. Get Google’s free Files Go app, open it, grant the app permission to access your phone’s storage, and from here you will be given suggestions for freeing up space on your device. For example, this can include removing junk and duplicate files, removing downloaded files and large files, and deleting the photos and videos (now that you have back-up copies).
- Getting rid of unused apps. This is a good move on any phone anyway as a way to improve security. In the case of refreshing your phone, the Files Go app can show you which apps are unused and therefore suitable to uninstall. You can also regain more phone resources by clearing out your app clutter. For apps that came pre-installed (and can’t be uninstalled), look for a button to disable those apps.
- Using ‘lite’ app alternatives. Using ‘lite’ versions of the apps that you’d still like to have on the old phone e.g. Facebook, Google Maps and Skype lite, can mean that you get plenty of basic functionality, but take up less phone resources.
- Reducing background activity / check-ins by certain apps. This can make the phone run faster, and can reduce monthly bills.
- Making sure your apps are up to date. Checking-in with Play Store and making sure you have the newest (lite) versions of apps on your old phone can prevent many of the problems caused by less optimized older versions.
- Making sure the home screen is up to date and not slowing things down. You may want to use a third-party launcher e.g. the free Lawnchair Launcher.
- Keeping the software animations to a minimum. This will involve accessing the system settings ‘Drawing’ section, but could help towards speeding your old Android phone up.
- Trying a ‘factory reset’. This can make the phone run faster. Again, this is likely to involve accessing the ‘System’ section (after making sure everything important is backed-up).
- Adding new, efficiency-enhancing apps.
What Does This Mean For Your Business?
A succession of updated models, the need (or, being convinced by marketing of the need) to constantly upgrade to the next best model, along with a throwaway society means that there is so much wastage when it comes to devices, especially mobile phone handsets. This is why many businesses have seized the opportunity of refurbishing and re-selling them e.g. smartfonestore.com, Second-hand Phones.Com, envirofone.com and more.
There’s no doubt that smart-phones have become an important part of our lives with 78% of all adults now owning one, and with each of us checking our phone once every 12 minutes on average during our waking hours (Ofcom). Web browsing and using chat and other apps (WhatsApp and Facebook Messenger) are now equally as important as actually being able to make a call, so as long as your re-conditioned / resurrected phone has the storage space, speed, and available resources to accommodate modern apps (lite versions), you could be saving yourself money and making life easier for yourself by bringing it back into use.
New Chrome 69 Creates Better Passwords, Among Other Features
Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.
Improved Password Manager
This latest version of Chrome has an improved password manager that is perhaps more fitting of the browser that is favoured by 60% of browser users, many of whom still rely upon using very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.
The updated password manager in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 will then store the password on a laptop or phone so that users don’t have to write it down or try and remember it (as long as they are using the same device).
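The character rules described above can be met by a generator like the following, an added example that is not Chrome's own code. The default length, the symbol set and the function names are assumptions made for illustration.

```javascript
// Added illustration, not Chrome's implementation. Length, symbol set and
// function names are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGITS = '0123456789';
const SYMBOLS = '-_.:!'; // constructed set; sites differ in what they accept

// Uniform integer in [0, n) from the CSPRNG. Values in the uneven tail of the
// 32-bit range are discarded, so the final `% n` introduces no bias.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 15, { requireSymbol = false } = {}) {
  const classes = [LOWER, UPPER, DIGITS];
  if (requireSymbol) classes.push(SYMBOLS);
  if (length < classes.length) {
    throw new RangeError(`length must be at least ${classes.length}`);
  }
  // One character from each required class first, so the rule always holds.
  const chars = classes.map((set) => set[randomBelow(set.length)]);
  // Fill the remainder from the combined alphabet.
  const all = classes.join('');
  while (chars.length < length) chars.push(all[randomBelow(all.length)]);
  // Fisher-Yates shuffle so the required characters are not always in front.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// The rule from the article as a check: at least one lowercase character, one
// uppercase character and one number, plus a symbol where the site requires it.
function meetsPolicy(password, { requireSymbol = false } = {}) {
  const hasSymbol = [...password].some((c) => SYMBOLS.includes(c));
  return /[a-z]/.test(password) && /[A-Z]/.test(password) &&
    /[0-9]/.test(password) && (!requireSymbol || hasSymbol);
}

console.log(generatePassword());
console.log(generatePassword(20, { requireSymbol: true }));
console.log(meetsPolicy('qwerty')); // false: no uppercase character or number
```

`Math.random()` is avoided because it is not a cryptographically secure source of randomness.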
Other Features
Other new and improved features of Chrome 69 include:
- Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers is saved in a user’s Google account and can be accessed directly from the Chrome toolbar, Chrome can make it much easier and faster to fill out online checkout forms.
- Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows the answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website’s already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from your Google Drive directly in the Omnibox too.
- CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.
Put The www. Back!
There was some controversy and protests from some Chrome users over the way that, in order to take account of the limited space on mobile screens, and for greater security (to stop confusion with phishing URLs), version 69 of Chrome has been made to no longer show the www. part of a URL (and the m. on mobiles) in the address bar. It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.
Other Criticism
Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with the AMP system and AMP cache, which benefit the advertising side of Google’s business.
What Does This Mean For Your Business?
The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.
Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.
The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.
Microsoft Tests Pop-Up Warnings About Other Browsers
Microsoft has made the news again by appearing to flex its market muscle by testing pop-up warnings in Windows 10 that are triggered when users start to install rival Chrome or Firefox web browsers.
What Happens?
It’s been reported that when a user tries to install another, non-Microsoft browser on a computer running Windows 10, pop-up warnings are issued that remind the user that they already have Microsoft’s Edge browser installed, and that Edge is a “faster, safer” browser for the Windows 10 operating system.
Just A Test
Microsoft has been quick to point out that the pop-up warnings are just a test among a small number of specific users. According to Microsoft, the warnings were only tested with a group of users who are part of its “Insiders” initiative, and that the warnings didn’t stop any software being installed.
The tests are part of the lead-up to Microsoft’s Windows 10 October Update.
Browser Trouble In The Past
Microsoft is no stranger to landing itself in hot water over competition issues with its browser.
For example, way back in 1998, when competing browsers included Netscape Navigator, Microsoft was questioned by US regulators (with Bill Gates being forced to testify) over its bundling of Internet Explorer in Windows in a staggering 95% of Intel-compatible PCs.
Also, after receiving a record-breaking fine of nearly 900 million euros from the EC for charging “unreasonable” royalty fees for matters relating to disclosing documentation allowing non-Microsoft servers to work with Windows computers and services, Microsoft was again punished in 2013. This time the European Commission slapped a 561 million euro fine on Microsoft for failing to comply with the Commission’s ruling that it had to allow users to more easily choose a preferred web browser.
Not The Most Popular
These days Microsoft’s Edge is a long way behind Chrome, Firefox and Safari in terms of browser market share, so it’s perhaps understandable that Microsoft is looking for different ways to compete and boost its share.
Google’s Chrome browser now has a massive 65.2% share of the browser market, and while this share rose 5.9 percentage points over the last year, Microsoft’s IE and Edge have seen falls in use in recent months.
What Does This Mean For Your Business?
Browser wars have been raging for years, and for business users, it’s simply a case of finding one that’s stable, secure, and offers plenty of useful features e.g. Chrome 69 looks set to offer extra-protection in generating strong passwords.
Microsoft is finding itself in a very awkward spot as regards the popularity of its browsers as requiring users to upgrade to the latest version of IE has effectively killed the still-popular IE8, IE9 and IE 10, and has sent the browser into 74% decline. With the need to move customers to Windows 10, IE has become a legacy product that now receives security updates only. Edge, the big hope as users migrate to Windows 10 has, so far, not been able to claw share back, probably because IE and Edge now only account for around 17% of the browsers that run on Windows (Net Applications figures). It remains to be seen how Microsoft is able to boost the popularity of Edge in the short term against such strong competition as Chrome.
Microsoft Slows Updates
Microsoft has listened to corporate SaaS Windows 10 clients and slowed down the rate of patches and updates that it is sending out, thereby giving company admins more time to catch up.
What’s The Problem?
For many enterprise / corporate customers, two feature upgrades for Windows 10 a year is proving too much to keep up with, resulting in many admins now saying that they’ve barely got the time to deal with one upgrade before another one comes along, thereby leading to the temptation to skip every other update.
Those tasked with managing the updates also say that the updates themselves often create more bugs and problems, and that having to spend time managing these additional problems actually distracts and diverts resources away from the focus of the business, thereby creating an opportunity cost that is too high. Many companies also resent having to fit-in with Microsoft’s schedule rather than their own.
Illustrated By Survey
The feelings of 1,100 company admins about the Windows 10 upgrade schedule are illustrated by the results of a survey conducted by Susan Bradley, who moderates the PatchManagement.org mailing list. The results show that 78% of those charged with servicing Windows for their firms said that Windows 10’s feature upgrades should be issued no more than once a year.
Only 11% of those surveyed said that they would prefer a twice-a-year release, and only 1% wanted more frequent upgrades than that.
What’s Been Happening?
Currently, the feature upgrades take place twice a year. This hasn’t always been the case, with four being envisioned but two being released in 2015, one upgrade (1607) being issued in 2016, and then a formal announcement by Microsoft that there would be a twice-yearly upgrade schedule. This meant that there were two in 2017, (1703 in April and 1709 October), and there’s been one (1803) in April this year, with another one scheduled for October.
Also, Microsoft extended its support from 18 months to 24 months for Windows 10 Enterprise and Windows 10 Education, and then moved it back to 18 months again in April. This has caused problems for some customers with their patching schedule.
What Now?
It appears that Microsoft has listened to its customers and to the results of the survey, and Microsoft will now be taking some of the pressure off by offering companies 30 months (two and a half years). This new, extended deadline will apply to Enterprise and Education editions of the Windows 10 OS and applies only to the Autumn/Fall release. The Spring update will stay at 18 months e.g. after Redstone 5 next month, this will be supported until Spring 2022.
However, for the 19U1 update six months later, it will only have 18 months support (until autumn 2021). In essence, this means that customers can now upgrade at least every two years, with six months to play with if necessary between updates. Home and Professional editions will continue an 18-month cycle.
Support For Windows 7 – For A Price
Microsoft has also listened to the fact that 40% of the world’s computers, mostly in corporate environments, are still running Windows 7. Even though it was initially thought that it would reach end of life (EOL) on 14th January 2020, Microsoft has announced that it will carry on supporting Windows 7 for users willing to pay.
What Does This Mean For Your Business?
Businesses have been telling Microsoft for the last two years that they have been struggling to keep up with the schedule of feature updates / upgrades that Microsoft has set, so it is good news that the tech giant appears to be listening to its customers by giving them a longer grace period. This latest move from Microsoft will also mean that many enterprise customers will not need to consider opting for LTSB i.e. receiving only security and hotfixes, and no new features for ten years.
It is also good news for many companies that have not yet made the upgrade to Windows 10 and are still running Windows 7 that they will at least have the prospect of extended support, even though (as may be expected) they will have to pay for it.