
Imminent threats

 

GUEST ESSAY: Why cyber attacks represent a clear and present danger — and what you can do about it

By John Mason

As we begin a new year, cyber attacks may actually pose a more profound threat to mankind than the specter of nuclear warfare.

So says billionaire investor Warren Buffett, and I tend to agree with him. Cyber attacks are growing in prominence every day – from influencing major elections to crippling businesses overnight, the role cyber warfare plays in our daily lives should not be underestimated.

Related article: Digital vulnerabilities on the rise in 2017

I’ve reviewed dozens of reports and surveys that support Mr. Buffett’s observation. Here is an assemblage of these stark proof points, along with my assessment of how they tie together:

Malware storm

Research from Panda Security informs us that some 230,000 new malware samples are produced every day — and this number is predicted to keep growing. Encryption services vendor Venafi estimates that 90 percent of hackers cover their tracks by using encryption, including VPN services. Keep in mind encryption is only one of many stealth techniques hackers use. …more

MY TAKE: How a ‘gift card’ thief spoiled my Christmas

By Byron V. Acohido

Upon returning from a holiday trip this week, we received unsettling news. There has been a rash of mail theft emanating from our local post office. Our box of held mail seemed lighter than it should have been. And one envelope was slashed open; the gift card sent to us, missing.

Our experience fell in line with similar reports from around our neighborhood. It was a stark reminder that despite the wide adoption of chip cards, the lowly “magstripe” wallet card is still in wide use – and remains a prime target of thieves.

Related article: How fraudsters became so enamored with magstriped cards

Magstriped cards consist of magnetized particles impregnated on a thin band. This decades-old technology is perfect for holding data, including account information. Anyone can easily extract this data from a magstriped card simply by purchasing a $70 card reader.

Longstanding exposure

And it’s equally simple to purchase blank cards and impregnate their magnetic stripes with whatever data you’d like, including account information extracted from a legit card. This intrinsic weakness of magstriped cards is exactly why U.S. banks finally got around to replacing magstriped credit and debit cards with chip cards, years after banks in Europe and Canada had already done so.

There was a period from 2005 through 2014 when crime rings plundered account information from the likes of TJX, Heartland, Sony, Target, Home Depot and many more. Criminals got increasingly efficient at creating faked credit cards, and then sending teams of mules to make thousands of dollars of purchases at the self-checkout lines of Sam’s Club and WalMart, and online, as well. That specific type of faked-credit-card fraud has slowed considerably, due to adoption of chip cards. But magstriped cards continue in wide use, not just for gift cards, but on employee access cards, public transit tokens, phone calling cards, even hotel card keys. …more

Q&A: The case for rethinking security — starting with smarter management of privileged access logons

By Byron V. Acohido

Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.

Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.

Related podcast: Much stronger security can come from simple ‘Identity Access Management’ improvements

At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.

 

C-level executives disclosed to Forrester that two thirds of their companies had been breached multiple times – a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network, at endpoints, servers, databases and in software-as-a-service systems. …more

MY TAKE: How Russia’s election meddling relates to industrial control hacks

By Byron V. Acohido

While America’s attention has been riveted on stunning disclosures of how Russia meddled in the U.S. presidential elections, the significance of a parallel, equally important development may have gotten lost. Don’t look now, folks, but the world’s superpowers are steadily marshaling forces to engage in an all-out cyber war.

History may yet prove that Russia’s manipulation of elections in America and elsewhere is, in fact, connected to the steady escalation of attacks on industrial control systems. And it’s not just Russia. Evidence has surfaced that China, USA, Israel and North Korea have also been maneuvering to take full advantage of the profoundly vulnerable state of so-called “OT” systems.

Quick context here: Gartner a few years ago coined the buzzphrase “operational technology,…more

ROUNDTABLE: The implications of Deloitte data breach, especially following hacks of Equifax, SEC

By Byron V. Acohido

The astonishing rash of disclosures of data breaches at top-tier organizations continues. Big Four accounting firm Deloitte has joined Equifax and the U.S. Securities and Exchange Commission in going public about a catastrophic loss of sensitive data.

Ironically, Deloitte a few years ago branched from its core auditing and tax services to high-end cybersecurity consulting. PricewaterhouseCoopers, another member of the Big Four club, did much the same thing.

There is no question Deloitte and PwC take cybersecurity seriously and have talented people providing valuable guidance to marquee enterprises and big government agencies. ThirdCertainty has featured experts from both consultancies in our content.

Related article: Deloitte experts offer network security advice to corporate executives

That’s why it is so ironic that The …more

MY TAKE: Equifax hack highlights exposures caused by wide use of open-source protocols

By Byron V. Acohido

A major takeaway from the Equifax debacle that hasn’t gotten enough attention is this: The massive data theft happened because of a vulnerability in an open-source component, which the credit bureau failed to lock down.

Remember Heartbleed and Shellshock, the two massive security flaws discovered in open-source internet protocols back in 2014? The waves of network attacks that preyed on those flaws showed how open-source protocols—which over the years have become so widely used in business networks—actually comprise a ripe attack vector just waiting to be exploited.

Related article: Beware of open-source vulnerabilities lurking all through your network

The hackers leveraged a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal. It is widely used by developers of Fortune 100 companies to build web applications. In Equifax’s case, hackers used the flaw to access and remove copies of files for over two months, between May 13 and July 30, 2017.

When it seemed like the breach couldn’t get any worse for Equifax, the company also revealed that they knew about the vulnerability and tried to patch it in March.

Vulnerabilities are common

As Jeff Williams, co-founder and CTO of Contrast Security explains, “Essentially, an attacker could send a single HTTP request—just like the ones your browser sends—except with a specially crafted header that contains the attack. Through a series of unfortunate events, the Struts framework treats this header as an expression, effectively running the attacker’s code on the server.”

…more

INFOGRAPHIC: Studies show ‘security fatigue’ may trigger apathy in wake of Equifax hack

By Byron V. Acohido

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: All too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

INFOGRAPHIC: Shaking off cyber fatigue can be tough

A new survey by the nonprofit Identity Theft Resource Center, scheduled to be released in full next week, reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

• Nearly half, 48.4 percent, of …more