The next generation of the Web – Web 3 – has been touted as more secure than the current incarnation of cyberspace, but a report released Tuesday warned that may not be the case.

According to a report by Forrester, a national technology research company, Web3 can be difficult to break into at the infrastructure level, but there are other points of attack that could provide threat actors with more opportunities for mischief than those found in the legacy Web.

Web3 applications, including NFTs, are not only vulnerable to attack; Forrester explained that they often present a wider attack surface than traditional applications because of the distributed nature of blockchains.

Furthermore, it said, Web3 apps are desirable targets as tokens can be worth substantial amounts of money.

The openness of Web3, which is considered one of its main advantages, can also be a disadvantage. Martha Bennett, Vice President and Principal Analyst at Forrester, said, “The code that runs on a public blockchain is easily accessible by anyone with the necessary technical skills, from anywhere in the world – no need to enter corporate security to achieve this.” She is also a co-author of the report.

“Source code is generally readily available, because the focus is not on running closed source ‘smart contracts’. The Web3 ethos is, after all, ‘open code,’” she told TechNewsWorld.

Unwanted Complication

David Ricard, CTO of North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on distributed control of data and identity by its users.

“This broadens the attack surface for individuals who may be unwilling or simply unable to handle the management of their own data and identities, bringing technical complexity to an area that is, above anything, ‘easy’ to use,” he told TechNewsWorld.

“Scrolling through personal text messaging, email, social media and shopping apps is a real challenge for them,” he said.

He said the idea of making Web3 code transparent and publicly available is unlikely to gain real traction. “There is a lot of money at stake between capital investors and users of blockchain financial systems and NFTs,” he said.

He further added that making the code transparent and public can also broaden the attack surface in a clear way. “Safe coding practices that predict how someone might abuse a system for nefarious gains are generally not practiced,” he explained. “It is not easy to predict how people might use the system for purposes other than those intended.”

“Most of the financial losses associated with blockchain and NFTs do not exploit immutable objects themselves, but rather manipulate them by exploiting applications that can affect them,” he said.

Furthermore, while legacy systems may be outdated, they may also be robust. “What’s new is also the most vulnerable,” said Matt Chiodi, chief trust officer at Cerby, creator of a platform to manage Shadow IT in San Francisco.

“While time is not always a friend of security, it allows an application to become battle tested,” he told TechNewsWorld. “Web 3 is no different. It’s new and not much tested. Legacy applications have a time advantage. Web3 doesn’t.”

NFTs Becoming a Popular Target

Even if the code is visible and accessible, the report said, attackers will find weak points. It made clear that while attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, NFT projects have increasingly become a favorite target.

“Why go for more difficult hacks if there are easier ways to get what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] markets and communication tools attract people who want to steal or otherwise break the rules.”

“For anything to do with Web3, speed is of the essence, and many of the people involved do not have the necessary expertise to assess a potential security issue,” she said. “Sometimes, startups don’t even advertise for a security chief until something bad happens.”

One of the biggest breaches of an NFT marketplace occurred in June at OpenSea, which exposed nearly 1.8 million email addresses. “There was an insider threat involved in that particular case, but the applications that handle the transactions can be quite vulnerable,” Ricard said.

“There may be hundreds of thousands of ways this can be abused, which coders have to try to account for, yet a hacker only needs to discover one vector, once, for a breach to occur,” he said.

Hangout for Scammers

Forrester also pointed out that social media network Discord has become a major weak point in NFTs and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.

It explained that attacks are usually targeted at community managers and administrators. Once an administrator account is successfully taken over, attackers have the opportunity to steal extensively, because users trust messages from community administrators.

Bennett noted that Discord was primarily designed as a communication platform for gamers, not for holding and exchanging value, and that it has mechanisms to mitigate risk. “But these mechanisms can only help if they are implemented, and it is clear that often, they are not,” she said.

“Furthermore,” she said, “Discord attracts a similar share of phishing attacks and scam messages, being the preferred communication mechanism for token projects.”

Ricard said the Discord communities provide a rich source of information for scammers, as well as investors. “The harvesting of participants’ contact information leads to phishing,” he said. “Hacks in digital wallets are not uncommon.”

“Discord bots have been hacked so that threat actors can post fake minting offers, resulting in the theft of cryptocurrencies,” he said.

Better security than legacy web?

Forrester’s report notes that in a fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but publicized security issues can easily derail a major launch or divert a product team to analyzing and mitigating critical security flaws.

Firms can identify risks and protect both the decentralized and centralized components of their Web3 applications by engaging their security teams not only in the software development lifecycle but throughout the product lifecycle.

“Web3 needs to shift its focus to the left, which means getting as much security as possible for developers and making prevention the ultimate goal,” Chiodi said. “Without this focus, Web3 would be indistinguishable from Web2. It would be a shame given its tremendous potential, especially around decentralized identity.”

“Web3’s distributed approach provides a variety of security capabilities, but the fundamental problems remain the same,” said Mark Bower, vice president of product at Anjuna, a confidential computing company in Palo Alto, Calif.

“If an attacker gains credentials, root-level privileges or access to keys – especially private keys that run throughout the ecosystem,” he told TechNewsWorld, “then it’s game over, just as it is in a centralized platform.”

Cybersecurity professionals want the computer industry to emphasize vendor consolidation and open standards.

This major change in the security landscape for IT professionals is long overdue, according to new research from the Information Systems Security Association (ISSA) International and the independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.

Vendor consolidation and the push toward open standards are driven by buyers themselves, who are challenged by increasing complexity, cost, and the “tool sprawl” that comes with the promotion of best-of-breed technology.

Nearly half (46%) of organizations are consolidating or plan to consolidate the number of vendors they do business with. Concerned by the growing complexity of security operations, 77% of InfoSec professionals would like to see greater industry collaboration and support for open standards that promote interoperability.

Thousands of cyber security technology vendors compete against each other in multiple security product categories. Organizations want to optimize all the security technologies in their stack at once.

According to the research report, vendors supporting open standards for technology integration will be best positioned to meet this shift in the industry.

“Given that nearly three-quarters (73%) of cybersecurity professionals feel that vendors are engaging in marketing over substance, vendors who demonstrate a genuine commitment to supporting open standards would be in the best position to avoid industry-wide consolidation,” said Candy Alexander, Board President, ISSA International.

She said CISOs have become so burdened with vendor noise and security “tool sprawl” that for many, the wave of vendor consolidation is like a breath of fresh air.

Shift to Security Platforms

ESG surveyed 280 cybersecurity professionals, most of whom are ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe the technology interoperability of the future depends on setting industry standards.

The report’s details show a cybersecurity landscape that looks favorably on security product suites (or platforms) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products. That approach has a historical record of consistently increasing organizational complexity and contributing to substantial operational overhead.

“The report shows that massive changes are taking place within the industry, a change many believe is long overdue,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.

“The fact that 36% of organizations may be willing to purchase most security technologies from a single vendor speaks volumes for a change in buying behavior, as CISOs are openly considering security platforms in lieu of best-of-breed point products,” he said.

Why Jump from Best-of-Breed

The number of competing security suites has skyrocketed, with many organizations managing 25 or more independent security tools. It follows that security professionals are now stressed by the need to juggle so many independent security products to do their job.

Managing an assortment of security products from different vendors increases training requirements, makes it difficult to get an overall picture of security, and requires manual intervention to fill in the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.

“In general, buying, implementing, configuring and operating too many different tools has become very difficult, let alone maintaining ongoing support relationships with vendors. Consolidating management/operations makes sense,” Oltsik told TechNewsWorld.

This ongoing complexity is prompting 53% of cybersecurity professionals to purchase security technology platforms instead of best-of-breed products. The study showed that 84% of respondents believe a product’s integration capabilities are important, and 86% consider it important that best-of-breed products integrate with other products.

According to 60% of IT teams, tight integration between previously separate security controls is a primary buying requirement. Improved threat detection efficiency, such as accurate high-fidelity alerts and improved cyber-threat detection, was on the wish list for 51%.

Generalized Government Mandate

Cybersecurity products cover the basics, noted Oltsik. This includes antivirus software, firewalls, some sort of identity management system, and a range of products for endpoint encryption.

“In many cases, these technologies are mandated by government and industry regulations,” he said. “The biggest influencer in cybersecurity protections is the US federal government, which can and does mandate certain standards.”

For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community deliberations. The in-progress Cybersecurity Maturity Model Certification (CMMC) standard mandates certain security certifications for DoD vendors.

“We have also seen standards from industry, such as the activity of the Organization for the Advancement of Structured Information Standards (OASIS) and its standards. This week, we saw the introduction of the Open Cybersecurity Schema Framework (OCSF), a standard data schema for security data. There are also many identity management standards,” he said.

Finding a shared security base

After reviewing this data, ESG and ISSA recommend that organizations encourage their security vendors to adopt open industry standards, possibly in collaboration with their industry’s Information Sharing and Analysis Center (ISAC). In addition, there are some established security standards available from MITRE, OASIS and the Open Cybersecurity Alliance (OCA).

Many vendors speak in favor of open standards, but most do not actively participate or contribute to them. However, this lukewarm behavior can change quickly.

For this to happen, cybersecurity professionals – especially those at organizations big enough to send signals to the market – need to establish best practices for vendor qualification.

In addition, they need to emphasize process requirements that include adoption and development of open standards for technology integration as part of a broader process for all security technology procurement, according to the report.

Expected Result

Cybersecurity standards and vendor integration will strengthen the cybersecurity landscape against the continuing increase in cyber threats by easing product development and integration. Oltsik explained that this will allow industry and security teams to focus more on innovation and security fundamentals and less on building connectors for interoperability.

He sees an opportunity within the industry to support these efforts.

“It seems that some industry leaders are collaborating. I point to OCSF where 18 vendors agreed to support it,” he said.

This group includes a number of leaders – AWS, CrowdStrike, IBM, Okta and Splunk, for starters. He said another potential driver would be the support of large security technology customers.

Oltsik concluded, “If Goldman Sachs, GM, Walmart and the US federal government said they would only buy from vendors that support OCSF, it would really hit the industry.”

The full ESG-ISSA report, titled “Technology Perspectives from Cybersecurity Professionals,” is available here. No form filling is required.

Getting low-income drivers behind the wheel of electric vehicles is necessary to achieve the greenhouse gas reductions expected in the coming years, according to a report released Monday by the Information Technology and Innovation Foundation (ITIF), a science and technology think tank in Washington, D.C.

Given the lack of low-carbon alternatives to internal combustion engines (ICEs) and the urgency of emissions reduction, EVs need to be a market success, wrote report authors Madeline Yozwiak, Sanya Carley and David M. Konisky.

Because of the stakes involved, they continued, the technology maturity path for EVs needs to move faster than that of a typical emerging technology.

There is a need for rapid adoption of this young technology if local and global policy goals are to be met, they added. This implies that a wider range of consumers should buy an EV earlier in the adoption process than with similar technologies.

Since traditional approaches to incentivizing the purchase of EVs may fail to reach low-income and disadvantaged communities, the authors argue that innovation that addresses the disparities in EV adoption would be an important strategy, one that also assists the broader goal of mass adoption.

They believe that by intentionally involving a diverse range of users in the adoption process, technology providers can more effectively identify issues and modify technology to successfully appeal to the mass market.

Barriers to Adoption

Rob Enderle, president and principal analyst at Enderle Group, an advisory services firm in Bend, Ore., agreed that low-income and disadvantaged people who drive cars are critical to the decarbonization of the environment. “That’s where most non-compliant gas cars live, which makes it an important milestone in reducing automotive-based pollutants,” he told TechNewsWorld.

“Be aware, however,” he warned, “that most areas still do not yet have sufficient power generation and distribution capacity for these clusters.”

The ITIF report said the top three barriers to EV adoption – range, price and charge time – affect low-income and disadvantaged drivers more than others.

“Standard barriers may be experienced more acutely by low-income individuals than by middle-income individuals,” Yozwiak said.

For example, when it comes to low-income drivers, incentives designed to encourage the purchase of EVs can miss the mark.

“The upfront cost is higher than for internal combustion vehicles, yet the primary form of government-created incentive is a tax credit of $7,500,” Yozwiak told TechNewsWorld. “But to benefit from that policy, you must have at least $7,500 in tax liability.”

“If you make $30,000 a year, you won’t have that much in tax liability, so you won’t get the full benefit of that credit to lower the cost of the vehicle compared to higher-income buyers,” she explained.

Rich Men With Garages

Charging an EV can be even more challenging for low-income and disadvantaged drivers. David M. Hart, director of ITIF’s Center for Clean Energy Innovation, told TechNewsWorld, “Low-income people are more likely to live in multi-family dwellings and less likely to have a place to directly charge a car.”

Enderle said that because of constraints like price, range and charging time, EVs are often the second car in the family. “Low-income groups likely only have one car that they primarily use, and that is the car that needs to be replaced,” he said.

The report also noted that strategies to accelerate EV adoption among low-income and disadvantaged communities should include prioritizing communication and marketing, revisiting perceptions and biases about early adopters, and designing government programs to maximize demand and universal benefits.

“Perceptions about who is using this technology inform a variety of decisions,” Yozwiak said. “Those decisions in turn define the types of incentives and policies created to encourage the technology’s adoption.”

“If those decisions are based on misconceptions about who is buying the technology or who can buy it,” she continued, “you perpetuate a bias that could further impact access.”

“When car sellers think of early adopters, they think of wealthy men with garages,” Hart said. “If they focus solely on that group, they will be slow to adopt these vehicles because they will be seen as the province of the rich. We need these vehicles to perform the mobility tasks that all people need.”

Enderle noted that EVs were initially offered at the premium end of the market and that public chargers are positioned to serve that segment of buyers. “Low-income households may not have the power to power a Level 2 charger or the location to install it,” he said.

“Public charging will need to be installed that is more convenient for those populations,” he continued, “such as street inductive charging – which requires less maintenance and is less prone to vandalism – that is gaining ground from companies such as WiTricity.”

[Image: Tesla with a WiTricity wireless charger. WiTricity Halo wireless charging for EVs was announced in February.]

Incentives Work

Another takeaway from the report was that the federal government could help increase benefits to the low-income and disadvantaged by modifying the federal tax credit for EV purchases to make it refundable or carry-forward, by expanding access to charging infrastructure, and by helping with upgrades to older homes.

If the tax credit were refundable, for example, a person who paid only $3,000 in taxes would receive a $3,000 tax credit and a $4,500 refund check from Uncle Sam; with a carry-forward, they would get a $3,000 tax credit and be able to carry the remaining $4,500 of credit to subsequent tax years.

Incentives like tax credits can boost sales, said Edward Sanchez, senior analyst at Strategy Analytics, a global research, advisory and analysis firm. “Norway recently removed some incentives because EVs exceeded the 50% threshold of new car sales, and soon after removing that credit, they saw a drop in EV sales,” he told TechNewsWorld.

“The long goal for manufacturers is to bring the price up to the point where subsidies and credits are no longer needed, but we are not quite there yet,” he said.

Move to Mass Transit

Since most Americans buy used cars, the best thing to do to accelerate EV purchases by low-income and disadvantaged drivers is to accelerate sales of new vehicles, said Sam Abuelsamid, a leading analyst at E-Mobility Insights in Detroit. “As they filter into the used vehicle fleet, they may become more economical,” he told TechNewsWorld.

“The only other thing we can do is encourage people to get out of old vehicles and use mass transportation,” he said.

“As long as Americans want to continue driving their vehicles,” he said, “it’s going to be at least 2040 before you significantly reduce the existing vehicle fleet.”