Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

BEST PRACTICES: Resurgence of encrypted thumb drives shows value of offline backups — in the field

By Byron V. Acohido

Encrypted flash drives, essentially secure storage on a stick, are a proven technology that has been readily available for at least 15 years. A few years back, it seemed like they would fade into obsolescence, swept aside by the wave of streaming services and cloud storage.

Related: Can Europe’s GDPR restore data privacy?

And yet today there is a resurgence in demand for encrypted flash drives. What’s happened is this: Digital transformation has raced forward promoting high-velocity software innovation, with only a nod to security. This trend has opened up vast new tiers of attack vectors – and threat actors are taking full advantage.

Security-conscious companies – the ones who are proactively responding, not just to threat actors having a field day, but also to the specter of paying steep fines for violating today’s stricter data privacy regulations – are paying much closer attention to sensitive data circulating out in the field, as well they should.

Highly secure portable drives make perfect sense in  numerous work scenarios; encrypted flash drives, specifically, are part of a global hardware encryption market on track to climb to $296.4 billion by 2020, up 55% as compared to 2015, according to Allied Market Research. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

MY TAKE: How blockchain technology came to seed the next great techno-industrial revolution

By Byron V. Acohido

Some 20 years ago, the founders of Amazon and Google essentially set the course for how the internet would come to dominate the way we live.

Jeff Bezos of Amazon, and Larry Page and Sergey Brin of Google did more than anyone else to actualize digital commerce as we’re experiencing it today – including its dark underbelly of ever-rising threats to privacy and cybersecurity.

Related: Securing identities in a blockchain

Today we may be standing on the brink of the next great upheaval. Blockchain technology in 2019 may prove to be what the internet was in 1999.

Blockchain, also referred to as distributed ledger technology, or DLT,  is much more than just the mechanism behind Bitcoin and cryptocurrency speculation mania. DLT holds the potential to open new horizons of commerce and culture, based on a new paradigm of openness and sharing.

Some believe that this time around there won’t be a handful of tech empresarios grabbing a stranglehold on the richest digital goldmines. Instead, optimists argue, individuals will arise and grab direct control of minute aspects of their digital personas – and companies will be compelled to adapt their business models to a new ethos of sharing for a greater good.

At least that’s one Utopian scenario being widely championed by thought leaders like economist and social theorist Jeremy Rifkin, whose talk, “The Third Industrial Revolution: A Radical New Sharing Economy,” has garnered 3.5 million views on YouTube. And much of the blockchain innovation taking place today is being directed by software prodigies, like Ethereum founder Vitalik Buterin, who value openness and independence above all else.

Public blockchains and private DLTs are in a nascent stage, as stated above, approximately where the internet was in the 1990s. This time around, however, many more complexities are in play – and consensus is forming that blockchain will take us somewhere altogether different from where the internet took us.

“With the Internet, a single company could take a strategic decision and then forge ahead, but that’s not so with DLT,” says Forrester analyst Martha Bennett, whose cautious view of blockchain we’ll hear later. “Blockchains are a team sport. There needs to be major shifts in approach and corporate culture, towards collaboration among competitors, before blockchain-based networks can become the norm.”

That said, here are a few important things everyone should understand about the gelling blockchain revolution. …more

MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

By Byron V. Acohido

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Related: Cyber risks spinning out of IoT

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.” …more

MY TAKE: What everyone should know about the promise and pitfalls of the Internet of Things

By Byron V. Acohido

The city of Portland, Ore. has set out to fully leverage the Internet of Things and emerge as a model “smart” city.

Related: Coming soon – driverless cars

Portland recently shelled out $1 million to launch its Traffic Sensor Safety Project, which tracks cyclists as they traverse the Rose City’s innumerable bike paths. That’s just step one of a grand plan to closely study – and proactively manage – traffic behaviors of cyclists, vehicles, pedestrians and joggers. This is all in pursuit of the high-minded goal of eliminating all accidents that result in death or serious injury.

Portland is shooting high, and it is by no means alone. Companies in utilities, transportation and manufacturing sectors are moving forward with the …more

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

NEW TECH: A couple of tools that deserve wide use — to preserve the integrity of U.S. elections

By Byron V. Acohido

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large.

It’s easy to get discouraged by developments such as  Sen. McConnell recently blocking a bi-partisan bill to fund better election security, as well as the disclosure that his wife, Transportation Security Elaine Chao, has accepted money from voting machine lobbyists.

Related: Why not train employees as phishing cops?

That’s why I was so encouraged to learn about two new tools that empower individual candidates – and local election officials – to take proactive steps to make election tampering much more difficult to successfully pull off. In the current geo-political environment, every forthright step can make a huge difference.

First, there’s a tool called the Rapid Cyber Risk Scorecard. NormShield, the Vienna, VA-based, cybersecurity firm that supplies this service, recently ran scores for all of the 26 declared presidential candidates —  and found the average cyber risk score to be B+.

What this tells me is that the presidential candidates, at least, actually appear to be heeding lessons learned from the hacking John Podesta’s email account – and all of the havoc Russia was able to foment in our 2016 elections. NormShield found that all of the 2020 presidential hopefuls, thus far,  are making sure their campaigns are current on software patching, as well as Domain Name System (DNS) security; and several are doing much more.

My takeaway: other candidates can use this scorecard, which runs assessments of 10 cyber risk categories, as a starting point to harden their campaigns.

Another such service that can do a ton of good was announced last week by Global Cyber Alliance (GCA), in partnership with Craig Newmark Philanthropies and the Center for Internet Security. It’s a free cybersecurity toolkit for elections that gives local election authorities actionable guidance on how to mitigate the most common risks to trustworthy elections.

…more

SHARED INTEL: What can be done — today — to keep quantum computing from killing encryption

By Byron V. Acohido

There’s little doubt that the shift to quantum computing  will open new horizons of digital commerce. But it’s also plain as day that the mainstreaming of quantum processing power will profoundly exacerbate cybersecurity exposures.

Related: The ‘post quantum crytpo’ race is on

This isn’t coming as any surprise to IT department heads. In fact, there’s widespread recognition in corporate circles that the planning to address fresh cyber risks associated with quantum computing should have commenced long ago.

That’s the upshot of a survey of 400 large organizations across critical infrastructure industries in the U.S., Germany and Japan. The study, sponsored by DigiCert, Inc., a Lehi,Utah-based supplier of digital certificates, found 71 percent of global organizations already see the emergence of quantum processing power as a material security threat.

Their trepidation is focused on the potential undermining of a core security component of classical computing systems: encryption. In a nutshell, when quantum processing power becomes widely available – whether that be three years or 10 years from now — threat actors will gain the ability to decrypt everything companies have been protecting with classical encryption.

To its credit, the global cybersecurity community is not asleep on this. A major public-private effort is underway to revamp classical cryptography, and ultimately replace it with something called post-quantum-cryptography, or PQC. DigiCert happens to be in the thick of this effort; I recently had a wide-ranging discussion about this with Tim Hollebeek, DigiCert’s industry and standards technical strategist. …more

NEW TECH: Silverfort deploys ‘multi-factor authentication’ to lock down ‘machine identities’

By Byron V. Acohido

From the start, two-factor authentication, or 2FA, established itself as a simple, effective way to verify identities with more certainty.

Related: A primer on IoT security risks

The big hitch with 2FA, and what it evolved into – multi-factor authentication, or MFA – has always been balancing user convenience and security. That seminal tension still exists today even as the global cybersecurity community is moving to extend MFA as a key security component in much more complex digital systems spinning out of digital transformation.

One leading innovator in this space is Tel Aviv-based Silverfort. I’ve had a number of conversations with company co-founder and CEO Hed Kovetz over the past couple of years, and I had the chance to meet with him again at Black Hat 2019.

One thing I learned from Kovetz this time was that secure authentication seems destined to play a major role, going forward in verifying, not just human identities, but also machine identities. In terms of baking in security at a fundamental level of future systems, that’s very significant. For a drill down on why that’s so, give a listen to our full discussion in the accompanying podcast. Here are the key takeaways:

A machine’s world

Machines are taking over. A machine, in this context, is any piece of hardware or software that can accept and execute instructions. This includes the beefy servers humming along in vast data centers and providing the infrastructure for cloud services.

And it also include software: the modular “microservices” written by third-party developers; the software “containers” inside of which these microservices get mixed and matched; and the billions of APIs that enable two disparate machines to exchange data. In this realm, the identity of each and every machine must be verified, or chaos would rule.

Machine identities are verified by digital certificates that leverage the public key infrastructure (PKI), a framework for encrypting data and authenticating web entities. These identity certificates — and the encrypted keys to authenticate them – get issued bu Certificate Authorities (CAs) —  vendors that diligently verify the authenticity of websites. …more

NEW TECH: Can an ‘operational system of record’ alleviate rising knowledge worker frustrations?

By Byron V. Acohido

An undercurrent of discontent is spreading amongst knowledge workers in enterprises across the United States and Europe.

Related: Phishing-proof busy employees

White collar employees today have amazingly capable communications and collaboration tools at their beck and call. Yet the majority feel unsatisfied with narrow daily assignments and increasingly disconnected from the strategic goals of their parent organization.

That’s my big takeaway from a survey of 3,750 knowledge workers from mid-sized and large organizations across the US, the UK, Germany and the Netherlands. The State of Work: 2020 is the sixth annual poll of its kind sponsored by Workfront, a Lehi, Utah-based supplier of work management and project management systems.

These findings reflect knowledge workers growing increasingly frustrated that they can’t do more to advance strategically meaningful initiatives. It’s not that workers are cynical or apathetic; far from it. Some 89% of respondents said they believed their role matters, including 78% who said their job represented more than a paycheck.

Fully 91% of the workers surveyed said they were proud of the work they do and cared about the bigger picture. Yet an inordinate amount of time continues to get devoted to make-work activity or wasted scurrying down unproductive rabbit trails. Over the six years Workfront has conducted this poll, one stat has remained constant: knowledge workers on average spend just 40% of their work week on the job they were hired to do.

A similar earlier survey, conducted by tech industry research firm Forrester, found much the same thing. Some 71% of global knowledge workers polled by Forrester said their jobs required  deep concentration; yet 21% said they were unable to find or access the appropriate information they need to do their job – at least once a week. …more

SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, which is a leading edge way to build and query application programing interfaces, or APIs. If you ask the builders of these SPAs, they will tell you that the scale and simplicity of retrieving lots of data with GraphQL is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply computer processing and data storage as a utility. DevOps has decentralized the creation and delivery of  smart applications that can mine humongous data sets to create cool new user experiences.

Microservices are little snippets of modular code of which smart apps are made of. Written by far-flung third-party developers, microservices get mixed and matched and reused inside of software containers. And each instance of a microservice connecting to another microservice, or to a container, is carried out by an API.

In short, APIs are multiplying fast and creating the automated highways of data. The growth of APIs on the public Internet grew faster in 2019 than in previous years, according to ProgrammableWeb.  And this doesn’t account for all the private APIs business built and use. The services on that smartphone you’re holding makes use of hundreds of unique APIs.  …more

SHARING INTEL: Why full ‘digital transformation’ requires locking down ‘machine identities’

By Byron V. Acohido

Digital commerce has come to revolve around two types of identities: human and machine.

Great effort has gone into protecting the former, and yet human identities continue to get widely abused by cyber criminals. By comparison, scant effort has gone into securing the latter. This is so in spite of the fact that machine identities are exploding in numbers and have come to saturate digital transformation.

Related: IoT exposures explained

I’ve conversed several times with Jeff Hudson about this. Hudson is CEO of Salt Lake City, UT-based Venafi, a leading provider of machine identity protection solutions. Each time I’ve come away with a better grasp of how machine identities have come to play such a pivotal role in the IT systems taking us forward – and yet how vulnerable they remain to attack in the current environment.

We had a chance to meet again at Black Hat 2019. For a full drill down of our wide-ranging discussion please give a listen to the accompanying podcast. Here are a few key takeaways:

Machines on the march

Cloud computing and DevOps have given rise to a whirlwind of new types of machines. A machine, in this context, refers to any piece of hardware or software that can accept and execute instructions. The hardware servers humming along in vast data centers are, indeed, machines.

And so are the modular “microservices” written by far-flung third-party developers, who specialize in mixing, matching and reusing microservices assembled inside of software “containers,” which are another type of machine. APIs, the interface coding that allows two different machines to exchange data – for instance, an IoT device and a command server — are machines as well. This is how cool new digital services are getting spun up at high velocity. …more