
Steps forward


MY TAKE: Epiphany strikes Amazon, Google, Microsoft about who bears burden for cloud security

By Byron V. Acohido

Amazon and Google last week very quietly made some moves that signal they’ve been hit by the identical epiphany: they each need to do a helluva lot more to secure cloud computing.

Microsoft was hit by this lightning bolt about a year ago. The Redmond giant all through 2017 took pronounced steps to relieve users of their cloud services of at least some of the responsibility to repel malicious attacks.

Related podcast: Is ‘homomorphic encryption’ the Holy Grail of cloud security?

Current versions of Office 365 and Windows Defender Advanced Threat Protection have been equipped with new threat intelligence and malware hunting tools, and the security features of Azure Security Center have been similarly beefed up.

Me-too bandwagon

Last week both Amazon and Google climbed on the we-need-to-bake-in-cloud-security bandwagon. Amazon did so, fittingly, by going shopping. Its Amazon Web Services division acquired Sqrrl, a Cambridge, Mass.-based threat detection technology start-up with an NSA pedigree. That acquisition pairs nicely with AWS’s earlier buyout of Harvest.ai, a security startup that uses machine learning to ferret out anomalous behavior in cloud storage databases.

Meanwhile, it was easy to miss Google’s me-too move last week. That’s because it was made by the search giant’s freshly-minted parent company, Alphabet, which very quietly launched an independent business, dubbed Chronicle. According to Chronicle CEO Stephen Gillett, the service will feature a new cybersecurity intelligence and analytics platform intended to “help enterprises better manage and understand their own security-related data.” Chronicle also leverages VirusTotal, the malware intelligence service Google acquired in 2012.


“The announcements today by Amazon Web Services and Alphabet/Google are encouraging and demonstrate that more and more, cyber security is at the forefront of corporate agendas,” observes Terry Ray, CTO at Imperva. “Both of these technologies will likely serve as analytic platforms for threat detection, which isn’t necessarily a new idea, though I’m sure they’ll have their differentiators.” …more

Q&A: What CyberX is doing to help address the hackable state of industrial control systems

By Byron V. Acohido

Finally, the profoundly hackable state of industrial control systems (ICS) is being elevated as an issue of substantive concern and beginning to get the level of global attention it deserves.

Nation-state backed hackers knocking out power grids and discombobulating other critical infrastructure – the cyber Pearl Harbor scenario – has been discussed for years in military and intelligence circles. However, skepticism and apathy have been the watchwords among the actual operators of industrial control systems.

Related article: Risking energy plant hacks signal cyber war activity

Discussions about better protecting these uniquely vulnerable specialized networks — now generally referred to as operational technology (OT) or industrial control systems — have historically taken a back seat to mainstream IT security issues, such as phishing, ransomware and denial of service attacks.

Fortuitously, that’s beginning to change. A series of disclosures this past year peeled back the curtain on the extent to which Russia, Iran and North Korea, in particular, have been proactively probing and infiltrating OT networks. On a parallel track, a handful of innovative startups have developed purpose-built platforms to address industrial and critical infrastructure security. …more

MY TAKE: Rising hacks on energy plants suggest ongoing global cyber war has commenced

By Byron V. Acohido

We all fret over the smorgasbord of cultural and geopolitical controversies complicating our daily lives. That being the case, not enough public attention is being paid to the increasingly plausible scenario of an ongoing global cyber war.

I say this because in recent months there has been a series of public disclosures about progressively more sophisticated hacks into power plants and other critical infrastructure. These intrusions clearly are nation-state sponsored, as they require significant resources to orchestrate, and there is no clear financial motivation behind them.

Related podcast: How Russia’s election meddling relates to plant hacks

And one more important thing: each of the power plant hacks we know about to date seems to be mainly about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state.

The ‘Triton’ hack is a case in point, disclosed on Dec. 14 by security vendor FireEye, a global security company with an extensive threat intelligence team (obtained via its acquisition of Mandiant) and a long history of tracking nation-state cyber groups.

Hackers caused an operational outage at a critical infrastructure site by deploying a new form of sophisticated malware. They were able to stealthily – for a while at least — take control of the plant’s Schneider Electric Triconex Safety Instrumented System (SIS). Such systems are used to automatically shut down industrial processes when operating parameters approach a dangerous state. …more

MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps

By Byron V. Acohido

Dissecting the root cause of Uber’s catastrophic data breach is a worthwhile exercise. Diving one level deeper into the scenario that led up to the popular ride-hailing service losing personal data for 50 million passengers and seven million drivers shows us why this particular type of hack is likely to recur many more times in 2018.

Related podcast: Why DevOps and security are destined to intersect

Hackers got deep into Uber’s Amazon Web Services platform. They did this by somehow obtaining, then using the AWS logon credentials of one of Uber’s software developers, who left those credentials accessible on GitHub. Though we don’t know nitty gritty details, security analysts say something like this had to have happened:

While working on an AWS coding task, the Uber developer took some of this code base and uploaded it to GitHub. No security sins to this point. ‘Git’ is a system for controlling the latest version of software programs; GitHub is an online repository where developers upload code for peer reviews and such.

Here’s the wider context: imagine the degree to which Uber, in order to connect riders and drivers, uses software to tie into services hosted by Amazon, Google, Facebook, Twitter, iPhone and Android. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be to keep Uber humming. …more

PODCAST: The case for rethinking security — starting with smarter management of privileged access logons

By Byron V. Acohido

Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.

Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.

Related podcast: Much stronger security can come from simple ‘Identity Access Management’ improvements

At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.


C-level executives disclosed to Forrester that two thirds of their companies had been breached multiple times – a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network, at endpoints, servers, databases and in software-as-a-service systems. …more

GUEST ESSAY: What ‘Fight Club’ taught me about protecting my online personas

By Thomas Yohannan

Dissociative identity disorder, AKA multiple personality disorder, is a human condition by which the victim’s personality becomes fragmented into two or more distinctive states.

DID has long been a rich topic for Hollywood screen writers. The movie Fight Club, in which Edward Norton and Brad Pitt portray polar opposite personalities of the main protagonist, is a classic example.

Related podcast: Phil Lieberman calls for resetting the C-suite mindset

DID sufferers subvert themselves in self-contained sets of memories, behaviors, attitudes, even perceived age. This is done so that the victim can insulate certain fragile areas of his or her psyche, and thus is able to function with a sense of security in otherwise threatening environments, psychologically speaking.

It may not be a bad idea …more

GUEST ESSAY: The top 4 cybersecurity certificates every IT staffer should have

By Victoria Zambito

Assuredly, it is a very positive development that more companies are looking to boost the security expertise of their in-house IT teams. This is being manifested by the flow of IT professionals seeking out and participating in security-related certificate programs.

Numerous third-party organizations offer these educational tracks; a select few garner great respect within the field. Here’s the cream of the crop:

CompTIA A+ Certification

The CompTIA A+ Certification provides essential foundational knowledge for IT professionals. It covers basic enterprise hardware and software deployment, management techniques and cloud computing. Approximately 1 million IT professionals hold the highly coveted CompTIA A+ certification.

Certified Ethical Hacker (CEH v9) – EC-Council

The Certified Ethical Hacker Certification demonstrates an IT professional has an understanding of how to …more