The Digital Trust Digest is a curated overview of the week’s top cybersecurity news.
In addition to everything going on in the world of cybersecurity this week, today is Veterans Day in the United States. We’d like to extend our gratitude to veterans and their families for their service.
Here are the top five cybersecurity updates you need to know about this week:
1. A new report examines the growing significance of trusted digital identities in financial services
The American Bankers Association released a new report that outlines a framework for improving customer identity management to protect the financial industry and its customers from fraud.
The report outlines how vulnerabilities in the key identity processes in banking can result in fraudulent activity. Recommendations for actions to prevent fraud and achieve stronger digital identity processes include:
- Establishing a digital identity within the bank’s executive team.
- Benchmarking against peers and industry best practices.
- Conducting a root cause analysis to identify weaknesses.
- Mapping the current identity-related vendors.
- Understanding the core banking system provider roadmap related to customer identity.
- Evaluating vendors in the context of the digital identity ecosystem.
- Engaging with industry groups focused on digital identity developments.
Read more about the report here.
2. The EU faces challenges rolling out a new digital identity system
Raconteur reports that “the EU is moving closer to rolling out a continent-wide digital identity system, but it still faces technical and legislative hurdles.” This digital identity system comes in response to the shift to digital-centric life during the pandemic and the need for a universal way to verify identities online.
While this system must meet privacy and data protection requirements, industry groups and digital rights advocates have spoken out against this initiative. In particular, browser providers, like Google and Mozilla, argue that the additional trust certificates proposed in the mandate are less secure than current website authentication methods and that accommodating them would require extensive web infrastructure work.
Read more about the EU’s new digital identity system and its challenges here.
3. Apple’s release of passkeys may revolutionize how companies implement sign-in for their products
Matthias Keller, chief scientist and SVP of technology at KAYAK, argues that Apple’s release of passkeys as part of iOS 16 has the potential to revolutionize how companies implement sign-in for their products. Keller also notes that because passkeys use strong cryptography, the potential for attackers to steal large numbers of credentials from websites or cloud-based password managers is eliminated.
The benefits of passkeys include:
- Servers never actually see the user’s private keys.
- Users do not have direct access to their private keys and can only access them through authentication using biometrics or device passcodes.
- Streamlined user experience for registering and using passkeys.
- Eliminates the need for password updates or even remembering endless passwords.
Read more about Apple’s passkeys in this VentureBeat article.
4. Six ways organizations can reduce their IoT attack surface
The Internet of Things is becoming a massive attack surface for cybersecurity breaches due to these devices’ basic security issues and vulnerabilities. TechRepublic offers these tips to help companies reduce IoT risks:
- Create an up-to-date, complete asset inventory to help remediate risks and remove high-risk devices.
- Adhere to password security best practices by giving IoT devices unique, complex passwords that rotate regularly.
- Manage device firmware by updating to the latest version and recognizing when to downgrade to eliminate a vulnerability.
- Turn off extraneous connections and limit network access to keep attacks from gaining too much access.
- Ensure certificates are up to date, well managed, and validated.
- Be aware of environmental drift by ensuring that devices that have been secured stay secured.
Read more about IoT security best practices here.
5. A new Forrester report reveals data protection is at the heart of zero trust
Forrester’s report on modern zero trust, The Definition of Modern Zero Trust, explains how these initiatives have evolved since 2009. The report also clarifies the definition of the concept to eliminate confusion and skepticism.
InfoSecurity Magazine highlights five takeaways from the report:
- Zero trust is more about data than networks since data is the real value of businesses today.
- Align Zero Trust initiatives with business benefits and incrementally incorporate those with immediate relevance.
- Implement updated Zero Trust Key Principles in your initiatives.
- Focus your Zero Trust initiatives on early wins like file encryption and data-in-use controls.
- Avoid rip-and-replace initiatives and instead build on existing solutions that meet your organization where it is today.