Cybersecurity

5751 readers

286 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

US senators propose mandated MFA, encryption in healthcare (www.theregister.com)

submitted 1 day ago by PhilipTheBucket@ponder.cat to c/cybersecurity@sh.itjust.works

9 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] sylver_dragon@lemmy.world 40 points 1 day ago (1 children)

While I'm not a fan of checkbox security. Given that major parts of the healthcare industry don't even seem to get over that bar, maybe it's time to put something in place to give network defenders a lever to pull on to get the basics sorted.

Not having MFA and encryption for data at rest should be treated as willful negligence when a company is breached.

[–] taladar@sh.itjust.works 11 points 23 hours ago (1 children)

To be fair encryption at rest is one of those checkbox requirements that - in the absence of checks how it is implemented - is just implemented as a key next to the file that is encrypted.

[–] sylver_dragon@lemmy.world 2 points 22 hours ago (1 children)

Ya, I know that's exactly what's going to happen. But, you have to start somewhere. Just getting management used to the idea that data must be encrypted is a start. That will then push the software vendors in the space to make fundamental changes, which will hopefully improve things a bit.

I actually have a pretty good example from my time in the US FedGov space. We were required (by our checkbox security) to enforce FIPS-140 compliance on all our systems. When working to setup a server for a new product, it just would not run with FIPS-140 in enforcement mode; so, I started digging into the product and found that they were still using the MD5 algorithm in their user password hashing process. Given how much the vendor really wanted our business (we were their "foot in the door" for more FedGov money), I sent an email to our customer service rep essentially saying "ya, MD5 as part of the password hashing is a deal breaker". A couple weeks later a new version of the product dropped and surprise, surprise, MD5 was no longer part of the password hashing process.

The reliance on checkboxes sucks; but, they can be a useful club to make improvements. A shift to real security takes time and a lot of effort. But, that journey starts with a first step.

[–] taladar@sh.itjust.works 2 points 21 hours ago

True, compliance can be helpful to pressure vendors into doing what they should have been doing in the first place.