As data breaches roll on and the insecurity of personally identifiable information (PII) shines an uncomfortable spotlight on glaring holes in some big box retailers' and other organizations' network defenses, recent developments may signal progress on several fronts.
Advances in stronger authentication designed to require less storage of PII on servers and point-of-sale systems are starting to show signs of life. Passwords have run their course, according to the Fast Identity Online (FIDO) Alliance, whose years of work on open standards may soon be put to the reality test. The public drafts of the FIDO specifications -- Universal Authentication Framework and Universal Second Factor -- were released in February. The first FIDO-ready product, Samsung Galaxy S5, shipped last month with FIDO authentication support from PayPal to enable phone users to tap their fingers to authorize transactions. Longtime technology journalist David Strom explores the evolution of two-factor authentication and a range of emerging FIDO-ready technologies in our cover story, "Figuring out FIDO."
Georgia Weidman, a security researcher and elite hacker, whose company Bulb Security LLC offers penetration testing and security training, is also ready to do away with weak authentication methods, including passwords. "Unless you've got two-factor authentication, as far as I'm concerned, passwords are doomed," she said. "I encourage companies to simulate their own attacks against the password hashes in their enterprise, by running the same password cracking tools and wordlists used by attackers." Weidman discusses common vulnerabilities in enterprise defenses, smartphone security and the security problems that may lie ahead with the looming network connectivity of everything -- think Wi-Fi on transatlantic flights and computer-driven cars -- in her chat with longtime columnist Marcus J. Ranum.
The fallout from high profile breaches is also driving renewed efforts to re-examine the role of CISOs -- Target didn't have one -- and how security vulnerabilities get reported up through the chain of command. A dedicated CISO who oversees incident response and takes a holistic view of network security including Web, credit card and phone systems "absolutely makes a difference," said David Sherry, CISO at Brown University. Sherry told news writer Brandan Blevins that reporting structures from chief information officers, to direct channels to chief executives and boards of directors are still hotly debated. In some cases, said Sherry, "They're reporting to the chief risk officer because the role is getting less and less about bits and bytes and more about compliance and legal issues." Read more of what CISOs have to say about these issues -- including Chris Ray, hired by data services provider Epsilon after its 2011 breach -- in Blevins' article, "Filling the CISO role: Is there any reason enterprises shouldn't?"
Indeed, the aftermath of high-profile breaches and alleged data collection activities by the National Security Agency has awakened calls for federal data privacy laws outside of financial services and healthcare. Cooley LLP Special Counsel Randy Sabett -- who revisited the ramifications of the landmark 2003 California data privacy law, SB-1386, on its 10-year anniversary for us last August -- looks at recent activities in Congress surrounding federal data breach notification laws in his article, "Another Call for National Data Protection Laws."
Spending money on security and staffing before a breach (instead of after) could improve network defenses in industries and organizations that today view cybersecurity as merely another business expense. Would federal data breach notification laws force companies to invest in security infrastructures up front, or would it merely introduce another level of paperwork and compliance? Let us know what you think, and enjoy the commentary in this issue.
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Send comments on this column to firstname.lastname@example.org.