Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Remote classes, mobile computing heighten need for a security culture in K-12 schools

By Byron V. Acohido

Parents have long held a special duty to protect their school-aged children from bad actors on the Internet.

Related: Mock attacks help schools defend themselves

Now COVID-19 has dramatically and permanently expanded that parental responsibility, as well as extended it to ill-prepared school officials in K-12 campuses all across the nation. The prospect of remotely-taught lessons remaining widespread for some time to come has profound privacy and cybersecurity implications, going forward.

Overnight, those in charge must learn how to operate all of our elementary, junior high and high schools as if they were digital-native startups. Students, parents and teachers at each K-12 facility, henceforth, need to be treated as the equivalent of remote workers given to using a wide variety of personally-owned computing devices and their favorite cloud services subscriptions. And it must be assumed that many of them are likely ignorant of good cyber hygiene practices.

School district officials will have to adapt and embrace a bold, new paradigm – and they’ll have to do it fast. The stakes are very high. Organized hacking groups will be quick to single out — and plunder — the laggards. Here’s what all parents and school officials need to spend the summer thinking about and planning for:

Zoom-bombing lessons

“Zoom-bombing” entered our lexicon soon after schools began their first attempts at using the suddenly indispensable video conferencing tool to conduct classes online. Attackers quickly figured how to slip obscenities and even pornographic videos into live classes.

This was an early indicator of how far most schools have to go in adopting an appropriate security posture. No one enforced the use of passwords, nor insisted on strict teacher control of those lessons. To Zoom’s credit, password protection and a “waiting room” feature, (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

NEW TECH: Cequence Security’s new ‘API Sentinel’ helps identify, mitigate API exposures

By Byron V. Acohido

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground.

Related: Defending botnet-driven business logic hacks

APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

However, API deployments have scaled so high and so fast that many companies don’t know how many APIs they have, which types they’re using and how susceptible their APIs might be to being compromised.

Cequence Security, a Sunnyvale, Calif.-based application security vendor, today is launching a new solution, called API Sentinel, designed to help companies jump in and start proactively mitigating API risks, without necessarily having to slow down their innovation steam engine. I had the chance to discuss this with Matt Keil, Cequence’s director of product marketing. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways from our conversation:

API 101

Digital transformation took off when companies discovered that instead of developing monolithic applications that were updated annually – at best – they could tap into the skill and creativity of their developers. This was possible because APIs – the conduits that enable two software applications to exchange information – are open and decentralized, exactly like the Internet.

Q&A: NIST’s new ‘Enterprise Risk Management’ guidelines push cyber risks to board level

By Byron V. Acohido

Enterprise risk management (ERM) is a comparatively new corporate discipline. The basic notion is that in today’s complex operating environment, it is important for businesses to proactively identify operational hazards and have a plan in place to account for them.

Related: Poll shows senior execs get cybersecurity

A hazard is anything that can interfere with a company meeting its objectives; it could be something physical, such as a fire, a theft or a natural disaster; or it could  be an abstract risk, such as a lawsuit or a regulatory fine.

As part of its role promoting cybersecurity best practices, the National Institute of Standards and Technology (NIST) has stepped forward to make sure complex and expanding cybersecurity exposures become part and parcel of evolving ERM frameworks.

NIST has been getting positive feedback to draft guidelines it issued in late March which essentially serves as a roadmap for enterprises to account for complex cybersecurity exposures when implementing ERM strategies. The guidelines — NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – are specifically aimed at fostering the integration of cybersecurity risk management best practices and ERM frameworks.

The Internet Security Alliance (ISA) is a trade association and think tank whose members include prominent corporations in a wide cross section of industries. In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards.

ISA President Larry Clinton noted how well the trade groups’ handbook meshes with NIST’s new guidelines. “The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity,” he says. “The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

I had the chance to drill down on this with … more

MY TAKE: Technologists, privacy advocates point to flaws in the Apple-Google COVID-19 tracing app

By Byron V. Acohido

If the devastating health and economic ramifications weren’t enough, individual privacy is also in the throes of being profoundly and permanently disrupted by the coronavirus pandemic. The tech giants are partnering on a tool for public good, but critics worry it will ultimately get used for predatory surveillance.

Related: Europe levies big fines for data privacy missteps

Apple and Google are partnering up to bring technology to bear on COVID-19 contact tracing efforts. The tech giants are laudably putting aside any competitive urgings to co-develop a solution that combines mobile operating system, Bluetooth and GPS technologies to help us all get past the burgeoning health crisis.

However, in an apparent effort to live down Google’s abjectly poor track record respecting consumer privacy, the Apple-Google partnership is treading lightly to avoid anything that might hint at an undue invasion of individual privacy. In doing so, their proposed solution has a number of glaring technical and privacy-protection shortcomings, according to several technologists I spoke with.  In fact, the Apple-Google project has exacerbated a privacy controversy that flared up in Europe in the early stages, one that has more recently been picking up steam in the U.S., as well. Here’s how technologists and privacy experts see things stacking up:

Bluetooth-based tracing

Infected persons will be able to use their iPhones or Android devices to make their status known to a central server, which then correlates an anonymized identifier of the infected person to anonymized IDs of non-infected persons who happen to be in close proximity. The server then alerts the non-infected persons to self-immunize.

SHARED INTEL: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

SHARED INTEL: How ransomware evolved from consumer trickery to deep enterprise hacks

By David Balaban

Ransomware is undoubtedly one of the most unnerving phenomena in the cyber threat landscape. Numerous strains of this destructive code have been the front-page news in global computer security chronicles for almost a decade now, with jaw-dropping ups and dramatic downs accompanying its progress.

Related: What local government can do to repel ransomware

Ransomware came into existence in 1989 as a primitive program dubbed the AIDS Trojan that was spreading via 5.25-inch diskettes. This debut was followed by the emergence of several marginal blackmail threats in the mid-2000s that never gained significant traction among online criminals. The epidemic went truly mainstream with the release of CryptoLocker back in 2013, and it has since transformed into a major dark web economy spawning the likes of Sodinokibi, Ryuk, and Maze lineages that are targeting the enterprise on a huge scale in 2020.

Although most people think of ransomware as a dodgy application that encrypts data and holds it for ransom, the concept is much more heterogeneous than that. It additionally spans mild-impact screen lockers, data wipers disguised as something else, infections that overwrite the master boot record (MBR), and most recently, nasties that enhance the attack logic with data theft.

The above-mentioned AIDS Trojan hailing from the distant pre-Internet era was the progenitor of the trend, but its real-world impact was close to zero. The Archiveus Trojan from 2006 was the first one to use RSA cipher, but it was reminiscent of a proof of concept and used a static 30-digit decryption password that was shortly cracked. None of these early threats went pro. In this timeline, I will instead focus on the strains that became the driving force of the ransomware evolution.

FBI spoofs

2012 – 2013. During this period, the ransomware ecosystem was dominated by Trojans that locked the screen or web browser with fake alerts impersonating law enforcement agencies. These warnings would state that the victim committed a … more

NEW TECH: Silverfort helps companies carry out smarter human and machine authentications

By Byron V. Acohido

Doing authentication well is vital for any company in the throes of digital transformation.

Digital commerce would fly apart if businesses could not reliably affirm the identities of all humans and all machines, that is, computing instances, that are constantly connecting to each other across the Internet.

Related: Locking down ‘machine identities’

At the moment, companies are being confronted with a two-pronged friction challenge, when it comes to authentication. On the one hand, they’re encountering crippling friction when attempting to migrate legacy, on-premises systems to the cloud. And on the other hand, there’s no authentication to speak of  – when there needs to be some — when it comes to machine-to-machine connections happening on the fly to make digital processes possible.

I had an enlightening discussion about this with Dana Tamir, vice president of market strategy for Silverfort, a Tel Aviv-based supplier of agentless multi-factor authentication technology. We spoke at RSA 2020. For a full drill down of the interview, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: Can you frame the authentication challenge companies face today?

Tamir: One of the biggest changes taking place is that there are many more remote users, many more employees bringing their own devices, and many more cloud resources are being used. This has basically dissolved the network perimeter. You can’t assume trust within the perimeter  because the perimeter doesn’t exist anymore.

And yet we know that threats exist everywhere, within our own environments, and out in the cloud. So that changes the way security needs to be applied, and how we authenticate our users. We now need to authenticate users everywhere, not only when they enter the network.

LW: What obstacles are companies running into with cloud migration?

GUEST ESSAY: What everyone should know about the pros and cons of online fingerprinting

By Ebbe Kernel

When it was first introduced, device fingerprinting – or online fingerprinting in general – was meant to create a safer, more responsible internet. The idea was that by fingerprinting devices used to connect to the internet we could achieve better accountability.

Related: Why Satya Nadella calls for regulation of facial recognition systems

The concept itself is still very much relevant today. Fingerprinting is considered a necessary practice to fight challenges such as fake accounts and the misuse of internet services. However, online fingerprinting is also being used to track users. Now, fingerprinting is a tool in the marketer’s toolbox. Has it failed in its initial mission?

If you are not familiar with the concept of online fingerprinting, the principles behind it are very simple. More about it can be found on Smartproxy. Whenever you access a web server, details about your IP address, your browser information, your device information, and other information are recorded in logs. Logged online activities are easier to trace so service providers can perform the necessary security check if one is required.

Fingerprinting makes it difficult for irresponsible parties to create fake accounts or social media pages. Service providers can recognize signs of fake accounts from similarities in their fingerprints, allowing further action to be taken against those accounts. In the era of bots and fake news, fingerprinting is supposed to work seamlessly.

The Electronic Frontier Foundation (EFF) recently revealed just how many details are leaked and stored when you access a web server. The number

of details that are recorded is simply staggering, with information such as your approximate location, the referrer site, and whether you have Do Not Track activated being leaked.