In this age of smart devices, the amount and sensitivity of user data has increased overwhelmingly. Voice activated assistants, smart watches, and biometric screen locks store the very essence of the user. Any breach to this information can easily lead to identity theft or worse. Security has never been more in demand and needed. Some of the top information security concerns to high tech firms would be as follows:
Recently it was discovered that every Intel and AMD processor is vulnerable. These vulnerabilities, named Meltdown and Spectre, exist in the hardware architecture of the processor. The software patches that have been made aren’t stable or reliable and can reduce the speed of a system up to 20%. This means nearly every computer on the planet is currently vulnerable. We can’t trace any exploitation of these vulnerabilities as they leave no evidence, nor do we know how long before we get a good patch. This leaves a big hole in security for any company. Even cloud hosted systems are vulnerable.
Last year a similar vulnerability was found in WPA2 encryption for Wi-Fi. The encryption algorithm was itself flawed. Not every router maker has issued a patch yet and even for those who have created a patch, not every user has applied the patch. Such large scale vulnerabilities pose great threats to the information security of every company. Companies will have to be proactive and diligent in handling threats like these. They will have to make sure every system is patched at the earliest, and unpatchable issues are monitored until a solution is found.
With the increasing number of IoT devices that have no security protocols, it has become easy to use them as bots. A hacker could control thousands of these devices without knowledge of the user. In the best cases they could use them for bitcoin mining, but other times, they can launch large scale distributed denial of service attacks. We saw such an attack on Dyn DNS in 2016 and it was successful in taking down sites like Twitter, GitHub, and PayPal for a few hours. What makes them so dangerous is that there isn’t a way to prevent them. Because traffic is originating from sources (bots) scattered around the globe, you cannot filter them out. You cannot easily identify which user is a legitimate user and which user is a bot. All you can do is scale up to handle the traffic. There are research projects and products that use AI to intelligently identify bots and filter them out. However, these products are still far from being production ready and reliable. Companies have to set up their cloud architectures intelligently and set up rules to scale up automatically in the case of such an attack. They have to build more redundancies. There is no direct mitigation technique yet, so companies will have to make their systems strong enough to handle such attacks.
Third party applications and libraries
A good way to achieve results fast is to not re-invent the wheel and use something already available. However, it does come with a caveat of “use at your own risk.” Thus, any third party application needs to be vetted thoroughly. Sometimes third party applications are used to protect your system, like antivirus software. In these scenarios, it is of paramount importance that these applications are vetted. We recently heard that Kaspersky, an antivirus software, was linked to Russian spying. This illustrates how dangerous third party applications can be if not vetted thoroughly. Any closed system or software is also hard to vet. Open source applications and libraries can help overcome this issue. They give the user an option to look under the hood and make sure nothing malicious is coded in them. Also, in their making and use, they have been reviewed by a large number of users. However, in any scenario, it is of the utmost importance that companies thoroughly review any third party application or library being used by them.
A company can have a state of the art encryption and security that is unhackable and yet, if an employee’s login information is stolen, their systems can be penetrated. Once a hacker has gained legitimate credentials, no security rules can prevent him or her from accessing sensitive systems. This makes it crucial that a company have strict rules for employees’ access, like using strong passwords. Employees should also be trained about simple security protocols, like not clicking any random link in emails. Biometric authentication can also be used to add an extra layer of security. Users can be tied to specific machines or IPs, so that even if a hacker gets a user credentials, they can’t access anything. However, taking all these steps does reduce the ease of use. Companies have to find the perfect balance in making systems secure while maintaining a certain level of ease of use.
We at Quality EDGAR Solutions take security very seriously and have taken measures to protect our users. We actively monitor and subscribe to various security mailing lists, so that we are first to know of any newly discovered vulnerabilities. We actively update our systems and apply patches. We have scale rules in place for our cloud architecture and actively monitor traffic for any attacks. We only use open source third party libraries that are vetted thoroughly. We use two factor authentication for every login we have and have strict rules defining access of personnel.