Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.

Related: The rise of ‘memory attacks’

I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant  Huawei. These are the carriers that provide Internet access to rural areas all across America.

Starks

Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

MY TAKE: ‘Cyberthreat index’ shows SMBs recognize cyber risks — struggling to deal with them

By Byron V. Acohido

Small and midsize businesses — so-called SMBs — face an acute risk of sustaining a crippling cyberattack. This appears to be even more true today than it was when I began writing about business cyber risks at USA TODAY more than a decade ago.

Related: ‘Malvertising’ threat explained

However, one small positive step is that company decision makers today, at least, don’t have their heads in the sand. A recent survey of more than 1,000 senior execs and IT professionals, called the AppRiver Cyberthreat Index for Business Survey, showed a high level of awareness among SMB officials that a cyberattack represents a potentially devastating operational risk.

That said, it’s also clear that all too many SMBs remain ill equipped to assess evolving cyber threats, much less  effectively mitigate them. According to the Cyberthreat Index, 45 percent of all SMBs and 56% of large SMBs believe they are vulnerable to “imminent” threats of cybersecurity attacks.

Interestingly, 61 percent of all SMBs and 79 percent of large SMBs believe cyberhackers have more sophisticated technology at their disposal than the SMBs’ own cybersecurity resources.

“I often see a sizable gap between perceptions and reality among many SMB leaders,” Troy Gill a senior security analyst at AppRiver told me. “They don’t know what they don’t know, and this lack of preparedness often aids and abets cybercriminals.”

What’s distinctive about this index is that AppRiver plans to refresh it on a quarterly basis, going forward, thus sharing an instructive barometer showing how SMBs are faring against cyber exposures that will only continue to steadily evolve and intensify.

I had the chance at RSA 2019 to discuss the SMB security landscape at length with Gill. You can give a listen to the entire interview at this accompanying podcast. Here are key takeaways:

Sizable need

AppRiver is in the perfect position to deliver an SMB cyber risk index. The company got its start in 2002 in Gulf Breeze, Florida, as a two-man operation that set out to help small firms filter the early waves of email spam. It grew steadily into a supplier of cloud-enabled security and productivity services, and today has some 250 employees servicing 60,000 SMBs worldwide. …more

BEST PRACTICES: Mock phishing attacks prep employees to avoid being socially engineered

By Byron V. Acohido

Defending a company network is a dynamic, multi-faceted challenge that continues to rise in complexity, year after year after year.

Related: Why diversity in training is a good thing.

Yet there is a single point of failure common to just about all network break-ins: humans.

Social engineering, especially phishing, continues to trigger the vast majority of breach attempts. Despite billions of dollars spent on the latest, greatest antivirus suites, firewalls and intrusion detection systems, enterprises continue to suffer breaches that can be traced back to the actions of a single, unsuspecting employee.

In 2015, penetration tester Oliver Münchow was asked by a Swiss bank to come up with a better way to test and educate bank employees so that passwords never left the network perimeter. He came up with a new approach to testing and training the bank’s employees – and the basis for a new company, LucySecurity.

Lucy’s’s software allows companies to easily set-up customizable mock attacks to test employees’ readiness to avoid phishing, ransomware and other attacks with a social engineering component. I had the chance at RSA 2019 to sit down with Lucy CEO Colin Bastable, to discuss the wider context. You can listen to the full interview via the accompanying podcast. Here are key takeaways: …more

NEW TECH: Alcide introduces a “microservices firewall” as a dynamic ‘IaaS’ market takes shape

By Byron V. Acohido

As a tech reporter at USA TODAY, I wrote stories about how Google fractured Microsoft’s Office monopoly, and then how Google clawed ahead of Apple to dominate the global smartphone market.

Related: A path to fruition of ‘SecOps’

And now for Act 3, Google has thrown down the gauntlet at Amazon, challenging the dominant position of Amazon Web Services in the fast-emerging cloud infrastructure global market.

I recently sat down with Gadi Naor, CTO and co-founder of Alcide, to learn more about the “microservices firewall” this Tel Aviv-based security start-up is pioneering. However, in diving into what Alcide is up to, Gadi and I segued into a stimulating discussion about this latest clash of tech titans. Here are key takeaways:

Google’s Kubernetes play

First some context. Just about every large enterprise today relies on software written by far-flung  third-party developers, who specialize in creating modular “microservices” that can get mixed and matched and reused inside of software “containers.” This is how companies have begun to  scale the delivery of cool new digital services — at high velocity.

The legacy ‘on-premises’ data centers enterprises installed 10 to 20 years ago are inadequate to  support this new approach. Thus, digital infrastructure is being shifted to “serverless” cloud computing services, with AWS blazing the trail and Microsoft Azure and Google Cloud in hot pursuit.

Microservices and containers have been around for a long while, to be sure. Google, for instance, has long made use of the equivalent of microservices and containers, internally, to scale the development and deployment of the leading-edge software it uses to run its businesses. …more

GUEST ESSAY: The story behind how DataTribe is helping to seed ‘Cybersecurity Valley’ in Maryland

By Steve Kaufman

There’s oil in the state of Maryland – “cyber oil.”

With the largest concentration of cybersecurity expertise –– the “oil” — in the world, Maryland is fast changing from the Old Line State into “Cybersecurity Valley.”

Related: Port Covington cyber hub project gets underway

That’s because Maryland is home to more than 40 government agencies with extensive cyber programs, including the National Security Agency, National Institute of Standards and Technology, Defense Information Systems Agency, Intelligence Advanced Research Projects Activity, USCYBERCOM, NASA and the Department of Defense’s Cyber Crime Center. Within these government labs and agencies, taking place is a groundswell of innovation in deep technology cyber disciplines to the tune of billions of dollars annually over the past three decades.

In addition, the state is home to 16 nationally designated cybersecurity Centers of Excellence and a state university and college system that graduates more cyber-degreed engineers than any other state. The state counts approximately 109,000 cyber engineers.

Not only does the advanced development at these government agencies contribute to the success of cybersecurity in the state, but also so do many Maryland-based cybersecurity companies. Two notable examples are Sourcefire, acquired by Cisco for $2.7B and Tenable, which went public in 2018 with a market capitalization of approximately $4 billion.

Maryland and environs, including Virginia and Washington D.C., has also attracted a powerful and growing flow of venture capital to the region – about $1 Billion in 2018 and growing at an incredible pace.

Such bona fides led to the inaugural private “by invitation”  Global Cyber Innovation Summit (GCIS) in Baltimore in May 2019.  GCIS was a Davos-level conference with no vendors and no selling, where scores of chief security information officers (CISOs), top CEO’s, industry and government thought leaders and leading innovators discussed the myriad challenges in and around cybersecurity and possible solutions in today’s environment.

All this represents the early phases of a foundation-building process that is on track to eventually create a grander landscape. In the eyes of many cyber pros and investors, Maryland is becoming such a fast-growing cybersecurity hub that many believe it will replace the cyber component of Silicon Valley, hence becoming “Cybersecurity Valley,”  within the next five years. …more

GUEST ESSAY: Only cloud-based security can truly protect cloud-delivered web applications

By Vivek Gopalan

Web applications have become central for the existence and growth of any business. This is partly the result of Software as a Service, or SaaS, becoming a preferred mode of consumption for software services.

Related: AppTrana free trial offer

Most companies today own a web application and if that application is an integral part of their business, then they cannot afford to think of website security risk as an afterthought.

In a lot of cases, pure SaaS vendors such as an online e-commerce company, the website/app itself is the reason for the existence of the business. And, increasingly,  their customers are questioning them about the security of sensitive personal and business data.

This rising trepidation, with respect to web app security, should come as no surprise. Technology research firm Gartner estimates that over 70% of security vulnerabilities exist at the application layer – and 75% of security breaches happen at the application layer.

Meanwhile, the National Institute of Standards and Technology says that 92% of reported vulnerabilities are in applications, not networks; and NIST pegs the cost of fixing such bugs in the field at $30,000 vs. $5,000 if the bug is fixed during coding.

The speed factor

There is compelling rationale for companies to take proactive steps to continually improve web application security. For one, compliance with standards, such as section 6.6 of Payment Card Industry Data Security Standard, requires either secure code review or deployment of a Web Application Firewall (WAF.) …more

GUEST ESSAY: Dear America, Facebook is an addictive digital drug of little productive value

By Sen. Josh Hawley

Social media consumers are getting wise to the joke that when the product is free, they’re the ones being sold. But despite the growing threat of consumer exploitation, Washington still shrinks from confronting our social media giants.

Why? Because the social giants have convinced the chattering class that America simply can’t do without them. Confront the industry, we’re told, and you might accidentally kill it ? and with it, all the innovation it has (supposedly) brought to our society.

Related: The cost of being complacent about privacy.

Maybe. But maybe social media’s innovations do our country more harm than good. Maybe social media is best understood as a parasite on productive investment, on meaningful relationships, on a healthy society.

Maybe we’d be better off if Facebook disappeared. Ask the social giants what it is that they produce for America and you’ll hear grand statements about new forms of human interaction. But ask where their money comes from and you’ll get the real truth.

Advertising is what the social giants truly care about, and for an obvious reason. It’s how they turn a profit. And when it comes to making money, they’ve been great innovators. They’ve designed platforms that extract massive amounts of personal data without telling consumers, then sell that data without consumers’ permission.

And in order to guarantee an audience big enough to make their ads profitable, big tech has developed a business model designed to do one thing above all: addict. …more

MY TAKE: Android users beware: Google says ‘potentially harmful apps’ on the rise

By Byron V. Acohido

Even if your company issues you a locked-down smartphone, embracing best security practices remains vital
Our smartphones. Where would we be without them?

Related Q&A: Diligence required of Android users

If you’re anything like me, making a phone call is the fifth or sixth reason to reach for your Android or iPhone. Whichever OS you favor, a good portion of the key components that make up your digital life — email, texting, social media, shopping, banking, hobbies, and work duties — now route through these indispensable contraptions much of the time.

Cybercriminals know this, of course, and for some time now they have been relentlessly seeking out and exploiting the fresh attack vectors spinning out of our smartphone obsession.

Don’t look now, but evidence is mounting that the mobile threats landscape is on the threshold of getting a lot more dicey.

This is because mobile services and smartphone functionalities are rapidly expanding, and, as you might expect, cyberattacks targeting mobile devices and services are also rising sharply. Here are a few key developments everyone should know about.

Malware deliveries

Upon reviewing Android usage data for all of 2018, Google identified a rise in the number of “potentially harmful apps” that were preinstalled or delivered through over-the-air updates. Threat actors have figured out how to insinuate themselves into the processes that preinstall apps on new phones and push out OS updates.

Why did they go there? Instead of having to trick users one by one, fraudsters only have to deceive the device manufacturer, or some other party involved in the supply chain, and thereby get their malicious code delivered far and wide.

In a related development, OneSpan, a Chicago-based supplier of authentication technology to 2,000 banks worldwide, reports seeing a rise in cyber attacks targeting mobile banking patrons. “Popular forms of mobile attacks, at this point in time, include screen scrapers and screen capture mechanisms, as well as the installation of rogue keyboards,” said OneSpan security evangelist Will LaSala. …more

BEST PRACTICES: The case for ‘adaptive MFA’ in our perimeter-less digital environment

By Byron V. Acohido

One of the catch phrases I overheard at RSA 2019 that jumped out at me was this: “The internet is the new corporate network.”

Related: ‘Machine identities’ now readily available in the Dark Net

Think about how far we’ve come since 1999, when the Y2K scare alarmed many, until today, with hybrid cloud networks the norm. There’s no question the benefits of accelerating digital transformation are astounding.

Yet the flip side is that legacy security approaches never envisioned perimeter-less computing. The result, not surprisingly, has been a demonstrative lag in transitioning to security systems that strike the right balance between protection and productivity.

Take authentication, for example. Threat actors are taking great advantage of the lag in upgrading authentication. The good news is that innovation to close the gap is taking place. Tel Aviv-based security vendor Silverfort is playing in this space, and has found good success pioneering a new approach for securing authentication in the perimeterless world.

Founded in 2016 by cryptography experts from the Israeli Intelligence Corps’ elite 8200 cyber unit, Silverfort is backed by leading investors in cybersecurity technologies.

I had the chance to catch up with Dana Tamir, Silverfort’s vice president of market strategy, at RSA 2019. For a full drill down of the interview, please listen to the accompanying podcast. Here are the key takeaways:

Eroding effectiveness

Compromised credentials continue to be the cause of many of today’s data breaches. The use of multi-factor authentication, or MFA, can help protect credentials, but even those solutions have lost much of their effectiveness. The problem is that most MFA solutions are designed for specific systems, rather than today’s more dynamic environments. Traditional MFA may have hit its limitations due to dissolving perimeters.

In the past, Tamir explained, you had a solid perimeter around your network, with one entry point and you added the MFA to that single entry for the extra layer of protection. But that single-entry perimeter doesn’t exist today. We don’t even have a real perimeter anymore. …more

GUEST ESSAY: How stealth, persistence allowed Wipro attacker to plunder supply chain

By Chris Gerritz

The recent network breach of Wipro, a prominent outsourcing company based in India, serves as a stunning reminder that digital transformation cuts two ways.

Our rising dependence on business systems that leverage cloud services and the gig economy to accomplish high-velocity innovation has led to a rise in productivity. However, the flip side is that we’ve also created fresh attack vectors at a rapid rate – exposures that are not being adequately addressed.

Related: Marriott suffers massive breach

We now know, thanks to reporting from cybersecurity blogger Brian Krebs, that the Wipro hack was a multi-month intrusion and likely the work of a nation-state backed threat actor. What’s more, the attackers reportedly were able to use Wipro as a jumping off point to infiltrate the networks of at least a dozen of Wipro’s customers.

Wipro issued a media statement, via its Economic Times division, acknowledging “potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign . . . Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

Wipro did not provide many additional details. However, one has to wonder whether, beyond its customers, …more