The pandemic-driven remote working brought about unforeseen challenges that the pre-pandemic corporate world would have never imagined. From transitioning to a work-from-home as a ‘perk’ to a ‘necessity’, the organizations had to realign their operations and do it fast, to keep the ships afloat.
Now that the dust seems to have settled on the novelty of remote working, there’s no doubt that remote working- whether organizations like it or not is here to say. This raises the concerns of corporate data security in remote working that still stand as a key challenge that organizations are trying to navigate, workforce productivity being the second.
Organizations need to have critical business data made available to the employees that work remotely- and this could include the devices carefully vetted and secured with corporate policies and provided by the organization, but could also include the devices that are not under the organization’s purview.
Fragmentation dilemma
The modern employees demand flexibility and you simply can’t prevent employees from accessing work emails on their phones while they surf the beach or hike the mountains- nor does it add to your organization’s overall efficiency and productivity.
But this, along with the hugely fragmented devices and endpoints used in the virtual working environment adds to the security risks that can not only drain out the IT teams but also the CIOs to a great extent. (more…)
This is so, despite the fact that the fundamental design of a VPN runs diametrically opposed to zero trust security principles.
I had the chance to visit with David Holmes, network security analyst at Forrester, to learn more about how this dichotomy is playing out as companies accelerate their transition to cloud-centric networking.
Guest expert: David Holmes, Analyst for Zero Trust, Security and Risk, Forrester Research
VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe. VPNs verify once and that’s it.
Zero trust — and more specifically zero trust network access, or ZTNA — never trusts and always verifies. A user gets continually vetted, with only the necessary level of access granted, per device and per software application; and behaviors get continually analyzed to sniff out suspicious patterns.
Remote access is granted based on granular policies that take the least-privilege approach. For many reasons, and for most operating scenarios, ZTNA solutions makes more sense, going forward, than legacy VPN systems, Holmes told me. But that doesn’t mean VPN obsolescence is inevitable. To learn more, please give the accompanying Last Watchdog Fireside Chat podcast a listen.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”
Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.
The SEC, in essence, is compelling businesses, public companies and large investment firms to better prepare for inevitable cyber attacks. The new rules urge companies to build more robust cyber risk management programs.
This should provide better visibility into the impact of cyber risk and demonstrate the adequacy of risk mitigation investments.
Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to business executives and boards of directors.
VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe.
This worked extremely well for users accessing network resources remotely via their company-issued laptops and immobile home computers. However, VPN pipes have become less efficient with the rising use of personally-owed mobile devices increasing reliance on cloud-centric IT resources.
The sudden spike in work-from-home scenarios due to Coivd 19 quarantining accelerated this trend. I had the chance to ask Chris Clements, vice president of solutions architecture at Cerberus Sentinel,
Initial access brokers, or IABs, are the latest specialists on the scene. IABs flashed to prominence on the heels of gaping vulnerabilities getting discovered and widely exploited in Windows servers deployed globally in enterprise networks.
I had the chance at RSA Conference 2022 to visit with John Shier, senior security advisor at Sophos, a security software and hardware company. We discussed how the ProxyLogon/Proxy Shell vulnerabilities that companies have been scrambling to patch for the past couple of years gave rise to threat actors who focus on a singular mission: locating and compromising cyber assets with known vulnerabilities.
For a drill down on IABs, please give the accompanying podcast a listen. Here are the key takeaways:
Sequential specialists
IABs today jump into action anytime a newly discovered bug gets publicized, especially operating system coding flaws that can be remotely exploited. IABs gain unauthorized network access and then they often will conduct exploratory movements to get a sense of what the compromised asset is, Shier told me.
This is all part triangulating how much value the breached asset might have in the Darknet marketplace. “IABs specialize in one specific area of the cybercrime ecosystem where the victims are accumulated and then sold off to the highest bidder,” he says.
To assure persistent access to, say, a compromised web server, an IAB will implant a web shell – coding that functions as a back door through which additional malicious
Unlike many younger users online, they may have accumulated savings over their lives — and those nest eggs are a major target for hackers. Now add psychological variables to the mix of assets worth stealing.
Perhaps elderly folks who haven’t spent a lot of time online are easier to deceive. And, let’s be honest, the deceptive writing phishing assaults and other cyber threats today employ are skilled enough to fool even the most trained, internet-savvy experts.
Ever present threats
Some of our elderly may be concerned that any hint of weakness will convince their relatives that they can no longer live alone. Thus hackers rely on them not revealing they’ve been duped. That said, here are what I consider to be the Top 5 online threats seniors face today:
•Computer tech support scams. These scams take advantage of seniors’ lack of computer and cybersecurity knowledge. A pop-up message or blank screen typically appears on a computer or phone, informing you that your system has been compromised and requires repair.
As RSA Conference 2022 convenes this week (June 6 -9) in San Francisco, advanced systems to help companies comprehensively inventory their cyber assets for enhanced visibility to improve asset and cloud configurations and close security gaps will be in the spotlight.
As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline — referred to as “cyber asset attack surface management,” or CAASM – can help with this heavy lifting.
Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.
For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:
As their organizations migrate deeper into an intensively interconnected digital ecosystem, CISOs must deal with cyber attacks raining down on all fronts. Many are working with siloed security products from another era that serve as mere speed bumps. Meanwhile, security teams are stretched thin and on a fast track to burn out.
Help is on the way. At RSA Conference 2022, which takes place this week (June 6 – 9) in San Francisco, new security frameworks and advanced, cloud-centric security technologies will be in the spotlight. The overarching theme is to help CISOs gain a clear view of all cyber assets, be able to wisely triage exposures and then also become proficient at swiftly mitigating inevitable breaches.
Easier said than done, of course. I had the chance to discuss this with Lori Smith, director of product marketing at Trend Micro. With $1.7 billion in annual revenue and 7,000 employees, Trend Micro is a prominent leader in the unfolding shift towards a more holistic approach to enterprise security, one that’s a much better fit for the digital age. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.
Beyond silos
It was only a few short years ago that BYOD and Shadow IT exposures were the hot topics at RSA. Employees using their personally-owned smartphones to upload cool new apps presented a nightmare for security teams.
Fast forward to today. Enterprises are driving towards a dramatically scaled-up and increasingly interconnected digital ecosystem. The attack surface of company networks has expanded exponentially, and fresh security gaps are popping up everywhere.
At RSA Conference 2022, which takes place this week (June 6 – 9) in San Francisco, advanced technologies to help companies implement zero trust principals will be in the spotlight. Lots of innovation has come down the pike with respect to imbuing zero trust into two pillars of security operations: connectivity and authentication.
However, there’s a third pillar of zero trust that hasn’t gotten quite as much attention: directly defending data itself, whether it be at the coding level or in business files circulating in a highly interconnected digital ecosystem. I had a chance to discuss the latter with Ravi Srinivasan, CEO of Tel Aviv-based Votiro which launched in 2010 and has grown to .
Votiro has established itself as a leading supplier of advanced technology to cleanse weaponized files. It started with cleansing attachments and weblinks sent via email and has expanded to sanitizing files flowing into data lakes and circulating in file shares. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.
It’s not difficult to visualize how companies interconnecting to cloud resources at a breakneck pace contribute to the outward expansion of their networks’ attack surface.
If that wasn’t bad enough, the attack surface companies must defend is expanding inwardly, as well – as software tampering at a deep level escalates.
The Solar Winds breach and the disclosure of the massive Log4J vulnerability have put company decision makers on high alert with respect to this freshly-minted exposure. Findings released this week by ReversingLabs show 87 percent of security and technology professionals view software tampering as a new breach vector of concern, yet only 37 percent say they have a way to detect it across their software supply chain.
I had a chance to discuss software tampering with Tomislav Pericin, co-founder and chief software architect of ReversingLabs, a Cambridge, MA-based vendor that helps companies granularly analyze their software code. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:
‘Dependency confusion’
Much of the discussion at RSA Conference 2022, which convenes this week (June 6 – 9) in San Francisco, will boil down to slowing attack surface expansion. This now includes paying much closer attention to the elite threat actors who are moving inwardly to carve out fresh vectors taking them deep inside software coding.
The perpetrators of the Solar Winds breach, for instance, tampered with a build system of the widely-used Orion network management tool.
Big banks and insurance companies instilled the practice of requesting their third-party vendors to fill out increasingly bloated questionnaires, called bespoke assessments, which they then used as their sole basis for assessing third-party risk.
TPRM will be in the spotlight at the RSA Conference 2022 this week (June 6 -9) in San Francisco. This is because third-party risk has become a huge problem for enterprises in the digital age. More so than ever, enterprises need to move beyond check-the-box risk assessments; there’s a clear and present need to proactively mitigate third-party risks.
The good news is that TPRM solution providers are innovating to meet this need, as will be showcased at RSA. One leading provider is Denver, Colo.-based CyberGRX. I had the chance to sit down with their CISO, Dave Stapleton, to learn more about the latest advancements in TPRM security solutions. For a full drill down of our discussion, please give the accompanying podcast a listen. Here are key takeaways:
Smoothing audits
CyberGRX launched in 2016 precisely because bespoke assessments had become untenable. Questionnaires weren’t standardized, filling them out and collecting them had become a huge burden, and any truly useful analytics just never happened.
“Sometimes you’d get a 500-question questionnaire and that would be one out of 5,000 you’d get over the course of a year,” Stapleton says, referring to a scenario that a large payroll processing company had to deal with.
From Office 365 to Zoom to Salesforce.com, cloud-hosted software applications have come to make up the nerve center of daily business activity. Companies now reach for SaaS apps for clerical chores, conferencing, customer relationship management, human resources, salesforce automation, supply chain management, web content creation and much more, even security.
This development has intensified the pressure on companies to fully engage in the “shared responsibility” model of cybersecurity, a topic in that will be in the limelight at RSA Conference 2022 this week (June 6 -9) in San Francisco.
I visited with Maor Bin, co-founder and CEO of Tel Aviv-based Adaptive Shield, a pioneer in a new security discipline referred to as SaaS Security Posture Management (SSPM.) SSPM is part of emerging class of security tools that are being ramped up to help companies dial-in SaaS security settings as they should have started doing long ago.
This fix is just getting under way. For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:
Shrugging off security
A sharp line got drawn in the sand, some years ago, when Amazon Web Services (AWS) took the lead in championing the shared responsibility security model.
To accelerate cloud migration, AWS, Microsoft Azure and Google Cloud guaranteed that the hosted IT infrastructure they sought to rent to enterprises would be security-hardened – at least on their end.
What good is connecting applications, servers and networks across the public cloud if you’re unable to securely operationalize the datasets that these interconnected systems store and access?
Solving data sprawl has now become a focal point of cybersecurity. It’s about time. Much of the buzz as RSA Conference 2022 happens this week (June 6 – 9)in San Francisco will be around innovations to help companies make sense of data as it gets increasingly dispersed to far-flung pockets of the public cloud.
I had the chance to visit with Karthik Krishnan, CEO of San Jose, Calif.-based Concentric AI, which is in the thick of this development. Concentric got its start in 2018 to help companies solve data sprawl — from the data security and governance perspective – and has grown to 50 employees, with $22 million in venture capital backing. For a full drill down of our discussion, please give the accompanying podcast a listen. Here are a few key takeaways.
Crawling, classifying
Jeff Bezos solved data sprawl for selling books and gave us Amazon. Larry Page and Sergey Brin solved data sprawl for generalized information lookups and gave us Google.
In much the same sense, companies must now solve data sprawl associated with moving to an increasingly interconnected digital ecosystem. And addressing data security has become paramount.
That’s changing — dramatically. Advanced VM tools and practices are rapidly emerging to help companies mitigate a sprawling array of security flaws spinning out of digital transformation.
I visited with Scott Kuffer, co-founder and chief operating officer of Sarasota, FL-based Nucleus Security, which is in the thick of this development. Nucleus launched in 2018 and has grown to over 50 employees. It supplies a unified vulnerability and risk management solution that automates vulnerability management processes and workflows.
We discussed why VM has become acutely problematic yet remains something that’s vital for companies to figure out how to do well, now more so than ever. For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:
In today’s times, we are more aware of cyberattacks as these have become front-page news. We most recently witnessed this as Russia invaded Ukraine. Cyberattacks were used as the first salvo before any bullet or missile was fired.
We live in an increasingly digitized world where digital footprints are left behind, leaving evidence of nearly everything we do. This enables our adversaries to gain extremely valuable information and to steal, disrupt or even harm with simple keystrokes on a distant computer.
Quantum computers pose yet another looming threat since it has been mathematically proven that quantum computers with enough power will crack all the world’s public encryption. When these computers come online, any company or federal agency that is not upgraded to post-quantum cybersecurity will leave its data vulnerable to attackers. Even worse, data that is being stolen today is sitting on servers in other countries waiting to be decrypted by quantum computers.
Why Now?
It is now more important than ever for companies to share cyberattack and ransomware data with the government to ensure that we can defend and prepare much better than before.
On March 15, 2022, a new bipartisan legislation cyber incident reporting law called the “Cyber Incident Reporting for Critical Infrastructure Act” was passed by Congress and signed by President Joe Biden which requires critical infrastructure leaders in commercial enterprises and government to report cyber incidents to the Department of Homeland Security (DHS) cyber and infrastructure security agency (CISA).
Yet, the tech titans recently agreed to adopt a common set of standards supporting passwordless access to websites and apps.
This is one giant leap towards getting rid of passwords entirely. Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations.
Excising passwords as the security linchpin to digital services is long, long overdue. It may take a while longer to jettison them completely, but now there truly is a light at the end of the tunnel.
I recently sat down with Ismet Geri, CEO of Veridium, to discuss what the passwordless world we’re moving towards might be like. For a full drill down on our wide-ranging discussion, please give a listen to the accompanying podcast. Here are a few takeaways.
You and your cybersecurity team do everything correctly to safeguard your infrastructure, yet the frightening alert still arrives that you’ve suffered a data breach.
It’s a maddening situation that occurs far more often than it should.
One of the main culprits for these incredibly frustrating attacks has not so much to do with how a team functions or the protocols a company employs, but instead, it’s a procurement issue that results from supply-chain shortcomings and the hard-to-detect vulnerabilities layered into a particular device.
“The same technologies that make supply chains faster and more effective also threaten their cybersecurity,” writes David Lukic, a privacy, security, and compliance consultant. “Supply chains have vulnerabilities at touchpoints with manufacturers, suppliers, and other service providers.”
The inherent complexity of the supply chain for modern technology is a reason why so many cybercrime attempts have been successful. Before a device reaches the end user, multiple stakeholders have contributed to it or handled it.
Log4j, aka Log4Shell, blasted a surgical light on the multiplying tiers of attack vectors arising from enterprises’ deepening reliance on open-source software.
This is all part of corporations plunging into the near future: migration to cloud-based IT infrastructure is in high gear, complexity is mushrooming and fear of falling behind is keeping the competitive heat on. In this heady environment, open-source networking components like Log4j spell opportunity for threat actors. It’s notable that open-source software vulnerabilities comprise just one of several paths ripe for malicious manipulation.
By no means has the cybersecurity community been blind to the complex security challenges spinning out of digital transformation. A methodical drive has been underway for at least the past decade to affect a transition to a new network security paradigm – one less rooted in the past and better suited for what’s coming next.
Log4j bathes light on a couple of solidifying developments. It reinforces the notion that a new portfolio of cloud-centric security frameworks must take hold, the sooner the better. What’s more, it will likely take a blend of legacy security technologies – in advanced iterations – combined with a new class of smart security tools to cut through the complexities of defending contemporary business networks.
Some 96 percent of organizations — according to the recently released 2021 Cloud Native Survey — are either using or evaluating Kubernetes in their production environment, demonstrating that enthusiasm for cloud native technologies has, in the words of the report’s authors, “crossed the adoption chasm.”
It’s easy to understand why a cloud-native approach elicits such fervor. By using flexible, modular container technologies such as Kubernetes and microservices, development teams are better equipped to streamline and accelerate the application lifecycle, which in turn enables the business to deliver on their ambitious digital transformation initiatives.
However, despite cloud-native’s promise to deliver greater speed and agility, a variety of legitimate security concerns have kept IT leaders from pushing the throttle on their cloud-native agenda.
According to the most recent State of Kubernetes Security report, more than half (55 percent) of respondents reported that they have delayed deploying Kubernetes applications into production due to security concerns (up 11 percent from the year prior) while 94 percent admitted to experiencing a security incident in their Kubernetes or container environment in the past year.
It’s clear that until we can deliver security at the same velocity in which containers are being built and deployed that many of our cloud-native aspirations will remain unfulfilled.
Cloud-native requirements
Traditionally, developers didn’t think much about application security until after deployment. However, as DevOps and modern development practices such as Continuous Integration and Continuous Delivery (CI/CD) have become the norm, we’ve come to appreciate that bolting security on after the fact can be a recipe for future application vulnerabilities.
Security must be ‘baked in’ rather than ‘brushed on’—and this current ethos has given rise to the DevSecOps movement where security plays a leading role in the DevOps process. However, it’s not enough to simply shoehorn these practices into the dynamic cloud-native development lifecycle.
Today’s operating system battleground has long been defined by the warfare between the top three players—Microsoft’s Windows, Google’s Android, and Apple’s iOS.
While each of them has its distinguishing features, Apple’s privacy and security are what makes it the typical enterprise’s pick. Tim Cook, CEO of Apple, could be heard stating in the virtual Computers, Privacy, and Data Protection Conference, “Privacy is one of the top issues of the century and it should be weighed as equal as climate change.”
In June 2020, Apple’s intention of expanding in the enterprise space was made evident by the acquisition of Fleetsmith, a Mobile Device Management (MDM) solution for Apple devices. What would unfold next with Fleetsmith on their team was the most anticipated question.
In effect, Apple launched Apple Business Essentials (ABE). Let’s take a look at whether ABE will suffice enterprises’ demands.
Apple eyes SMBs
In recent years, we have seen diverse initiatives, including the Apple Business Manager (ABM) app launched in spring 2018 and Apple Business Essentials (ABE) in 2021, clearly showing Apple’s desire to conquer the enterprise market.
A movement aspiring to do just that is underway — and it’s not being led by a covey of tech-savvy Tibetan monks. This push is coming from the corporate sector.
Last August, NTT, the Tokyo-based technology giant, unveiled its Health and Wellbeing initiative – an ambitious effort to guide corporate, political and community leaders onto a more enlightened path. NTT, in short, has set out to usher in a new era of human wellness.
Towards this end it has begun sharing videos, whitepapers and reports designed to rally decision makers from all quarters to a common cause. The blue-sky mission is to bring modern data mining and machine learning technologies to bear delivering personalized services that ameliorate not just physical ailments, but also mental and even emotional ones.
That’s a sizable fish to fry. I had a lively discussion with Craig Hinkley, CEO of NTT Application Security, about the thinking behind this crusade. I came away encouraged that some smart folks are striving to pull us in a well-considered direction. For a full drill down, please give the accompanying podcast a listen. Here are a few key takeaways:
A new starting point
Modern medicine has advanced leaps and bounds in my lifetime when it comes to diagnosing and treating severe illnesses. Even so, for a variety of reasons, healthcare sectors in the U.S. and other jurisdictions have abjectly failed over the past 20 years leveraging Big Data to innovate personalized healthcare services.
It’s possible to de-risk work scenarios involving personal data by carrying out a classic risk assessment of an organization’s internal and external infrastructure. This can include:
Security contours. Setting up security contours for certain types of personal data can be useful for:
•Nullifying threats and risks applicable to general infrastructural components and their environment.
•Planning required processes and security components when initially building your architecture.
•Helping ensure data privacy.
Unique IDs. It is also possible to obfuscate personal data by replacing it with unique identifiers (UID). This de-risks personal data that does not fit in a separate security contour.
Implementing a UID system can reduce risk when accessing personal data for use in analytical reports, statistical analysis, or for client support.
This flaw in the Apache Log4J logging library is already being aggressively probed and exploited by threat actors — and it is sure to become a major headache for security teams in 2022.
“This vulnerability is so dangerous because of its massive scale. Java is used on over 3 billion devices, and a large number of those use Log4j,” says Forrester cybersecurity analyst Allie Mellen, adding that crypto miners and botnet operators are already making hay.
“We can expect more devastating attacks, like ransomware, leveraging this vulnerability in the future,” Mellen adds. “This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot.”
This flaw in an open-source web server software used far and wide puts open-source risks in the spotlight – yet again. Companies will have to deal with Log4J in much the same manner as they were compelled to react to the open source flaws Heartbleed and Shellshock in 2014.
Privacy and cybersecurity challenges and controversies reverberated through all aspect of business, government and culture in the year coming to a close.
Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021– and guidance heading into 2022. More than two dozen experts participated. Here the first of two articles highlighting what they had to say. Comments edited for clarity and length. The second roundtable column will be published on Dec. 27th.
In 2021, large supply chain attacks successfully exploited critical vulnerabilities. Patching is hard and prioritization is key. By mapping cyber relationships to business context, security teams can focus on a smaller number of critical assets and vulnerabilities.
The cyber industry swings back and forth between prevention and response. A renewed focus on preventative approaches, like security posture management, cyber hygiene and cyber asset management shows organizations are trying to anticipate these problems. Forward thinking security teams working to unlock siloed telemetry and generate a wider cybersecurity view of the organization.
We’re seeing ransomware gangs morph into savvy businesses, with one going so far as to create a fake company to recruit talent. In 2022, we’ll see this trend continue to pick up steam, with greater coordination between gangs, double extortion evolving to triple extortion, and short selling schemes skyrocketing.
Additionally, we will see a shift in threat actors coming from Southeast Asia and Africa. As cyber criminals look to find cheaper labor and technical expertise, we’ll see activity pick up in these regions in 2022 and beyond.
APIs are the snippets of code that interconnect the underlying components of all the digital services we can’t seem to live without. Indeed, APIs have opened new horizons of cloud services, mobile computing and IoT infrastructure, with much more to come.
Yet, in bringing us here, APIs have also spawned a vast new tier of security holes. API vulnerabilities are ubiquitous and multiplying; they’re turning up everywhere. Yet, API security risks haven’t gotten the attention they deserve. It has become clear that API security needs to be prioritized as companies strive to mitigate modern-day cyber exposures.
Consider that as agile software development proliferates, fresh APIs get flung into service to build and update cool new apps. Since APIs are explicitly used to connect data and services between applications, each fresh batch of APIs and API updates are like a beacon to malicious actors.
Organizations don’t even know how many APIs they have, much less how those APIs are exposing sensitive data. Thus security-proofing APIs has become a huge challenge. APIs are like snowflakes: each one is unique. Therefore, every API vulnerability is necessarily unique. Attackers have taken to poking and prodding APIs to find inadvertent and overlooked flaws; even better yet, from a hacker’s point of view, many properly designed APIs are discovered to be easy to manipulate — to gain access and to steal sensitive data.
Meanwhile, the best security tooling money can buy was never designed to deal with this phenomenon.
While I no longer concern myself with seeking professional recognition for my work, it’s, of course, always terrific to receive peer validation that we’re steering a good course.
That’s why I’m thrilled to point out that Last Watchdog has been recognized, once again, as a trusted source of information on cybersecurity and privacy topics. The recognition comes from Cyber Security Hub, a website sponsored by IQPC Digital. We’ve been named one of the Top 10 cybersecurity webzines in 2021.
Here is their very gracious description of what Last Watchdog is all about:
“Founder, contributor and executive editor of the forward-thinking Last Watchdog webzine, Byron V. Acohido is a Pulitzer-winning journalist and web producer. Visit Last Watchdog to view videos, surf cyber news, gain informative analysis and read guest essays from leading lights in the cybersecurity community. Expect content that is always accurate and fair, with recent posts exploring the monitoring of complex modern networks, telecom data breaches that expose vast numbers of mobile users, efforts to make software products safer and ransomware attacks on global supply chains.”
What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which requires authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.
This frenetic activity brings us cool new digital services, alright. But the flip side is that companies have conceded to a dramatic expansion of their cloud attack surface – and left it wide open to threat actors.
“The explosion in the number of human and non-human identities in the public cloud has become a security risk that businesses simply can’t ignore,” observes Eric Kedrosky, CISO at Sonrai Security.
I’ve had a couple of deep discussions with Kedrosky about this. Based in New York City, Sonrai is a leading innovator in a nascent security discipline, referred to as Cloud Infrastructure Entitlement Management (CIEM,)
Most of the people I know professionally and personally don’t spend a lot of time contemplating the true price we pay for the amazing digital services we’ve all become addicted to.
I’ll use myself as a prime example. My professional and social life revolve around free and inexpensive information feeds and digital tools supplied by Google, Microsoft, Amazon, LinkedIn, Facebook and Twitter.
I’m productive. Yet, I’m certainly not immune to the clutter and skewed perspectives these tech giants throw at me on an hourly basis — as they focus myopically on monetizing my digital footprints. I don’t know what I’d do without my tech tools, but I also have a foreboding sense that I spend way too much with them.
Technologically speaking, we are where we are because a handful of tech giants figured out how to collect, store and monetize user data in a singular fashion. Each operates a closed platform designed to voraciously gather, store and monetize user data.
An array of promising security trends is in motion.
New frameworks, like SASE, CWPP and CSPM, seek to weave security more robustly into the highly dynamic, intensely complex architecture of modern business networks.
And a slew of new application security technologies designed specifically to infuse security deeply into specific software components – as new coding is being developed and even after it gets deployed and begins running in live use.
Now comes another security initiative worth noting. A broad push is underway to retool an old-school software monitoring technique, called observability, and bring it to bear on modern business networks. I had the chance to sit down with George Gerchow, chief security officer at Sumo Logic, to get into the weeds on this.
Based in Redwood City, Calif., Sumo Logic supplies advanced cloud monitoring services and is in the thick of this drive to adapt classic observability to the convoluted needs of company networks, today and going forward. For a drill down on this lively discussion, please give the accompanying podcast a listen. Here are the main takeaways:
TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.
At the start of this week, word got out that hackers claimed to have seized personal data for as many as 100 million T-Mobile patrons.
This stolen booty reportedly included social security numbers, phone numbers, names, home addresses, unique IMEI numbers, and driver’s license information.
Once more, a heavily protected enterprise network has been pillaged by data thieves. Last Watchdog convened a roundtable of cybersecurity experts to discuss the ramifications, which seem all too familiar. Here’s what they had to say, edited for clarity and length:
According to the attackers, this was a configuration issue on an access point T-Mobile used for testing. The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”
T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do.’
The answer is not easy to pin down. On one hand, one could argue that cyber criminals are waging an increasingly debilitating economic war on consumers and businesses in the form of account hijacking, fraud, and extortion. Meanwhile, nation-states — the superpowers and second-tier nations alike — are hotly pursuing strategic advantage by stealing intellectual property, hacking into industrial controls, and dispersing political propaganda at an unheard-of scale.
Now comes a book by John Arquilla, titled Bitskrieg: The New Challenge of Cyberwarfare, that lays out who’s doing what, and why, in terms of malicious use of digital resources connected over the Internet. Arquilla is a distinguished professor of defense analysis at the United States Naval Postgraduate School. He coined the term ‘cyberwar,’ along with David Ronfeldt, over 20 years ago and is a leading expert on the threats posed by cyber technologies to national security.
Bitskrieg gives substance to, and connects the dots between, a couple of assertions that have become axiomatic:
•Military might no longer has primacy. It used to be the biggest, loudest weapons prevailed and prosperous nations waged military campaigns to achieve physically measurable gains. Today, tactical cyber strikes can come from a variety of operatives – and they may have mixed motives, only one of which happens to be helping a nation-state achieve a geo-political objective.
•Information is weaponizable. This is truer today than ever before. Arquilla references nuanced milestones from World War II to make this point – and get you thinking. For instance, he points out how John Steinbeck used a work of fiction to help stir the resistance movement across Europe.
Steinbeck’s imaginative novel, The Moon is Down, evocatively portrayed how ordinary Norwegians took extraordinary measures to disrupt Nazi occupation. This reference got me thinking about how Donald Trump used social media to stir the Jan. 6 insurrection in … more
There is a well-established business practice referred to as bill of materials, or BOM, that is a big reason why we can trust that a can of soup isn’t toxic or that the jetliner we’re about to board won’t fail catastrophically
A bill of materials is a complete list of the components used to manufacture a product. The software industry has something called SBOM: software bill of materials. However, SBOMs are rudimentary when compared to the BOMs associated with manufacturing just about everything else we expect to be safe and secure: food, buildings, medical equipment, medicines and transportation vehicles.
An effort to bring SBOMs up to par is gaining steam and getting a lot of attention at Black Hat USA 2021 this week in Las Vegas. President Biden’s cybersecurity executive order, issued in May, includes a detailed SBOM requirement for all software delivered to the federal government.
ReversingLabs, a Cambridge, MA-based software vendor that helps companies conduct deep analysis of new apps just before they go out the door, is in the thick of this development. I had the chance to visit with its co-founder and chief software architect Tomislav Pericin. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:
Gordian Knot challenge
The software industry is fully cognizant of the core value of a bill of materials and has been striving for a number of years to adapt it to software development.
Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.
There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of Enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.
With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.
For a full drill down on this evocative conversation discussion please view the accompanying video. Here are the highlights, edited for clarity and length:
LW: Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?
Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.
So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more
This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.
However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.
I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.
Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:
It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.
Last Friday, July 2, in a matter of a few minutes, a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs) as their primary tool to remotely manage IT systems on behalf of SMBs.
REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs — for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.
Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.
We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.
In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.
I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.
They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.
For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:
Cloud exposures
Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.
A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.
As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more
Even before the COVID-19 pandemic turned many office workers into work-from-home (WFH) experts, the trend toward working without having to commute was clear.
As internet bandwidth has become more available, with homes having access to gigabit download speeds, a whole new world of career paths has opened for those who want to control their work hours and conditions. Maybe you want better pay, to be home near your kids or you just like the idea of avoiding the daily drive to an office. Whatever the reason, you can likely find work online.
One of the hottest fields right now on the WFH radar is the information technology (IT) sector. But you’ll first need to learn the specifics to get to work. Fortunately, there are online classes you can take to get that knowledge – and best of all, you can take them for free. Let’s look at what’s available and how you might jumpstart a new career.
Most IT jobs require you to have some sort of experience before you can start charging enough to make them viable as full-time employment. And some are more like a side hustle or temp job.
Having said that, here are some examples of IT careers you can learn online through free courses:
Security specialist
The more we do online, the more criminals want to take advantage of us. That makes fighting cybercrime a definite growth industry. A wide range of companies, in just about every field, are adding computer security specialists. In fact, these jobs are expected toincrease a whopping 31% by 2029. This job involves planning and implementing security measures for large and small companies that rely on computer networks. You will need to develop the ability to anticipate techniques used in future cyberattacks so they can be prevented.
Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy.
Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online.
Zuckerberg then dropped kicked Cook by taking out full-page newspaper ads painting Apple’s social responsibility flexing as bad for business; he then hammered Cook with a pop-up ad campaign designed to undermine Apple’s new privacy policies.
But wait. Here’s Cook rising from the mat to bash Z-Man at the Brussels’ International Privacy Day, labeling his tormentor as an obsessive exploiter who ought to be stopped from so greedily exploiting consumers’ digital footprints for his personal gain.
This colorful chapter in the history of technology and society isn’t just breezing by unnoticed. A recent survey of some 2,000 U.S. iPhone and iPad users, conducted by SellCell.com, a phone and tech trade-in website, shows American consumers are tuned in and beginning to recognize what’s at stake.
Fully 72 percent of those polled by SellCell said they were aware of new privacy changes in recent Apple software updates, not just in a cursory manner, but with a high level of understanding; some 42 percent said they understood the privacy improvements extremely well or at least very well, while 21 percent said they understood them moderately well.
Another telling finding: some 65 percent of respondents indicated they were extremely or very concerned about websites and mobile apps that proactively track their online behaviors, while only 14 percent said they were not at all concerned.
Vulnerabilities in web applications are the leading cause of high-profile breaches.
Related: Log4J’s big lesson Log4j, a widely publicized zero day vulnerability, was first identified in late 2021, yet security teams are still racing to patch and protect their enterprise apps and services. This notorious incident highlights the security risks associated with open-source software, and the challenges of protecting web applications against zero day attacks.
To improve web application security, there are basic steps an organization should take:
•Security test earlier in the development cycle
•Make sure that software and operating systems are kept up to date and patched
•Utilize a multi-layered, defense-in-depth approach.
However, the most significant protection against zero day and other attacks comes from using security technologies that sit very close to how your application works.
In response, Cato Networks today introduced network-based ransomware protection for the Cato SASE Cloud. This is an example of an advanced security capability meeting an urgent need – and it’s also more evidence that enterprises must inevitably transition to a new network security paradigm.
Guest expert: Etay Maor, Senior Director of Security Strategy, Cato Networks
I had the chance to visit with Etay Maor of Cato Networks. We discussed how Secure Access Services Edge – SASE – embodies this new paradigm. In essence, SASE moves the security stack from the on-premises perimeter far out to the edge, just before the cloud.
This gives security teams comprehensive visibility of all network activity, in real time, which makes many high-level security capabilities possible. For a full drill down on my conversation with Etay Maor, please give the accompanying podcast a listen.
Network security developments are progressing. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
The Deep & Dark Web is a mystery to most in the mainstream today: many have heard about it, but few understand just a fraction of what’s going on there.
Planning your roadmap, executing your projects, and keeping an eye on the barrage of ransomware headlines, it’s understandable if you and your team are feeling some anxiety.
Cyber anxiety can indeed be paralyzing, but new software solutions have the potential to become game-changers for IT departments. These automated programs will hunt the Deep & Dark Web for you, trawling through the deepest and dirtiest pools, looking for the next threat that has your name on it.
There are many facets to what I’ll call “The Underground.” It extends beyond the Deep & Dark Web to: unindexed Web forums, messaging boards, and marketplaces, encrypted messaging systems, and code repositories. It is simply impossible for a human analyst to sort through it all.
Additionally, filtering through these channels is made even more difficult due to language barriers, as well as gaining trust and access to these various forums.
Organizations need to have critical business data made available to the employees that work remotely- and this could include the devices carefully vetted and secured with corporate policies and provided by the organization, but could also include the devices that are not under the organization’s purview.
