2022 was a busy year for digital security. In our connected world, threats are increasing, and digital trust has never been more critical to giving users confidence in their digital interactions.
This post will review what occurred this year in digital trust. Additionally, don’t miss our security predictions for 2023.
News
- In October, we welcomed Dr. Amit Sinha as CEO and member of the Board of Directors. Sinha brings over 20 years of technology, strategy and operational experience from Zscaler, Motorola, AirDefense and Engim. His leadership will ensure the right focus and strategy to help define digital trust for the real world and continue to accelerate our leadership in digital trust.
- We acquired IoT cybersecurity provider Mocana, enabling end-to-end IoT security and shortening time to market for IoT device manufacturers and operators. The combination with Mocana provides customers with a comprehensive platform for managing security across the full IoT device lifecycle.
- Earlier this year, we acquired DNS Made Easy, a provider of managed Domain Name System (DNS) services for enterprises. This expands our digital trust portfolio and will enable us to offer a seamless approach to certificate lifecycle management.
- We are also partnering with researchers at UC San Diego and Stanford to prevent future DNS attacks by understanding DNS hijacks, identifying maliciously obtained certificates and building countermeasures.
- Secure Software Manager now supports the GPG keyring. For those who need to sign code on Linux or sign git commits, or who need OCI-compliant container signing with Red Hat tools, this is a significant milestone.
- In partnership with EONTI, we were selected by the Western Canadian NG9-1-1 network operator to secure the next generation of 911 systems.
IoT
- The Connectivity Standards Alliance (CSA) released the Matter standard on Oct. 4, and our Root Certificate Authority (CA) was approved by the CSA for Matter device attestation, allowing for rapid time to market for smart home manufacturers and automatic security for customers. Matter has been a multi-year project, bringing together all the biggest names in smart home manufacturing, including Apple, Google, Samsung and more, to create a reliable, secure way for devices from different manufacturers to interoperate. We have been highly involved in Matter and can help manufacturers achieve compliance with device attestation.
- Google announced that it is shutting down IoT Core by August 2023, which surprised customers and industry specialists. A year to transition seems like a generous runway, but why the change now, and are they doing the right thing? Learn more in this blog post. Additionally, Google IoT Core customers searching for alternatives should consider our offering for Connected Devices.
- The U.S. PATCH Act was put forward recently. It would also require manufacturers to follow security best practices for the design, development and maintenance of these devices.
Email
- The S/MIME Certificate Working Group of the CA/Browser Forum, chaired by our own Stephen Davidson, approved the S/MIME Baseline Requirements, the first standard for CAs issuing publicly trusted digital certificates used in email security. The new Baseline Requirements are expected to take full effect in September 2023.
- Verified Mark Certificate (VMC) adoption continued to grow this year, with new Email Service Providers (ESPs) like Apple deploying it and additional trademark (TM) options approved for VMC, moving closer to a world where customers can see your logo in every email sent. Additional countries were added in Gmail for TMs, including France, the Netherlands, Switzerland, Denmark, Sweden and New Zealand. Learn more about BIMI and VMC on our website.
Browser
- Microsoft retired Internet Explorer on June 15. Internet Explorer is being retired in favor of the newer Microsoft Edge. If users still open Internet Explorer, Microsoft plans to temporarily redirect them to Microsoft Edge.
- Google announced its Chrome Root Program in a blog post in September. Previously, Chrome relied on the root store of the platform it was running on, but with this change Chrome will have a consistent, more secure root store across all platforms, with minimum requirements for all CAs to be trusted in its root program. We covered the Chrome Root Program and its requirements in more detail in our June recap of the CA/Browser Forum: /blog/ca-browser-forum-recap-june-2022.
European standards
- The E.U. announced its first move for IoT cybersecurity legislation, the first E.U.-wide legislation that will impose cybersecurity rules on manufacturers and enforce massive fines and penalties on manufacturers and developers for failure to comply. For E.U. consumers, this is a major step forward in giving them better purchasing power and trust in their devices. The EU Cyber Resilience Act is currently still being examined by the European Parliament, but once passed, manufacturers will have up to two years to achieve compliance.
- The European Parliament and E.U. Member States reached an agreement on an update to the E.U.'s cybersecurity rules in early May. The existing rules were the first E.U.-wide legislation on cybersecurity; however, an update was needed to offer more digital trust amidst increasing
- The legislative process for updates to Europe's eID and electronic transactions laws (known as eIDAS2) is ongoing and expected to move to a vote in 2023. One important goal is to foster a Europe-wide eID scheme, with interoperable digital wallets provided by each participating country. The goal is to have 80% of EU citizens regularly using eID by 2030.
- Switzerland announced that its new data protection law will enter into effect on Sept. 1, 2023. The Data Protection Act (DSG) is designed to ensure that Switzerland maintains a level of data privacy compatible with E.U. regulation, so that cross-border data transmission can continue without additional requirements.
U.S. standards
- The White House hosted a meeting with tech industry leaders in October to create a new standard for security labels for IoT devices, planned to launch in spring 2023. This security “nutrition label” will help consumers easily access information about their smart devices, such as vulnerabilities and interoperability with other products.
- NIST, the U.S. National Institute of Standards and Technology, published recommended criteria for cybersecurity labeling of consumer software and IoT products. Similar to nutrition labels, these labels would give consumers more information about their purchase, specifically in regard to the privacy and security of the device or software.
- The CHIPS and Science Act was signed into law in early August. The legislation will provide billions in incentives to chip manufacturers and will fund public research to help boost the United States’ competitive edge and solve supply chain issues. As chip manufacturers move operations to the United States, they should partner with a leader in digital trust capable of helping them inject trust into their silicon and manage it at any stage in the product lifecycle.
- The FBI announced a new unit specializing in blockchain analysis and virtual asset seizure. The announcement comes after the largest virtual asset seizure to date, with the FBI charging a New York couple with laundering over $4.5 billion in bitcoin.
Quantum
- NIST selected the first quantum-resistant cryptographic algorithms, meaning now is the time to prepare your organization’s crypto-agility and start testing new cryptographic algorithms. However, one of the final algorithms selected, Supersingular Isogeny Key Encapsulation (SIKE), was found to be vulnerable. If this vulnerability cannot be fixed, then NIST will have to replace it. This is an important reminder of why crypto-agility is critical: algorithms must be easy to swap out if vulnerabilities are discovered, whether in classical or PQC algorithms.
- CISA issued guidance urging leaders to prepare for quantum computing risks now, and not to wait until quantum computing is commercially available. “Do not wait until the quantum computers are in use by our adversaries to act,” CISA warned.
Vulnerabilities
- According to cybersecurity researchers at Proofpoint, attackers are finding ways around multi-factor authentication (MFA), including by using phishing kits. Phishing kits allow attackers to harvest and use credentials and are typically inexpensive. Newer kits enable attackers to steal not only usernames and passwords but also MFA tokens and more.
- GitHub announced plans to introduce code signing for its npm software packages to protect its open-source registry. The move comes after vulnerabilities like Log4Shell raised concerns that there is no guarantee that open-source packages on npm are built from the same source code that’s published. Code signing of builds will authenticate where the software came from, adding another layer of digital trust.
- Meta Platforms announced that it would notify about a million users after it identified more than 400 malicious Android and iOS apps that tricked users into sharing their login information. Apple and Google have both removed the apps, and Meta says it will share tips to help potential victims avoid compromising their credentials with problematic apps.
Data breaches
- A study found that about half of businesses from over a dozen countries have experienced a data breach in the last two years. The study also found that data breaches are increasing, and with a growing threat landscape come increased costs and resources spent on remediation.
- NFTs were stolen in just three hours in an apparent phishing attack. The attack targeted OpenSea users using a vulnerability in the open-source standard underlying most NFT smart contracts. The attackers were able to use valid digital signatures on partially completed contracts to transfer the contracts to their own wallets.
Malware
- In what experts are calling a parallel cyberwar, Russia has been conducting cyberattacks against Ukraine alongside its military campaign. On the day of Russia’s first ground attack on Ukraine, malware was discovered affecting computers at a Ukrainian bank and Ukrainian government agencies.
- Furthermore, the U.S. advised that both public and private organizations implement “shields” to protect against potential Russian cyberattacks, including malware.
- In January, hacktivists claimed to have encrypted systems in Belarus to stop Russia from advancing into the country. On Twitter, they announced that they would only offer the decryption key if Belarus President Alexander Lukashenko agreed to stop aiding Russian troops and to release political prisoners in need of medical assistance. This attack was the first of its kind to be used in this way.
- Researchers warned that attackers are increasingly using fake software updates to deliver ransomware. HavanaCrypt is the latest ransomware to disguise itself as fake updates for Windows 10, Microsoft Exchange and Google Chrome.
- In August, GitHub was flooded with malicious repository clones. While it’s common for developers to clone open-source projects, in this case attackers cloned legitimate projects, added malware to them and reposted them to GitHub. GitHub has since removed most of the malicious repositories.
TLS/SSL
- On July 21, Entrust confirmed that it suffered a data breach on June 18. Their internal network was breached by a third party, and corporate data was stolen. However, it is not yet known if customer and/or vendor data was stolen. Entrust sent a security notice to their customers on July 6 letting them know of the data breach, saying that “we have found no indication to date that the issue has affected the operation or security of our products and services.”
Click here to see the whole series on the latest news in digital trust.
Get the IDC whitepaper, Digital Trust: The Foundation for Digital Freedom, to read more about digital trust—what it is, how it works, and why it must be a strategic initiative for any organization, including yours.