Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

GUEST ESSAY. Everyone should grasp these facts about cyber threats that plague digital commerce

By Ashley Lukehart

Regardless of how familiar you are with Information Security, you’ve probably come across the term ‘malware’ countless times. From accessing your business-critical resources and sensitive information to halting business operations and services, a malware infection can quickly become an organization’s worst nightmare come true.

Related: Companies must bear a broad security burden.

As a business owner, you must be aware of the implications of different types of malware on your company’s bottom line, and what steps you can take to protect your company from future attacks.

This article will walk you through the various types of malware, how to identify and prevent a malware attack, and how to mitigate the risks.

What is Malware  

Malware, a combination of the terms ‘malicious’ and ‘software,’ includes all malicious programs that intend to exploit computer devices or entire network infrastructures to extract victim’s data, disrupt business operations, or simply, cause chaos.

There’s no definitive method or technique that defines malware; any program that harms the computer or system owners and benefits the perpetrators is malware. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

SHARED INTEL: Forrester poll – security decision makers report breaches escalated as Covid 19 spread

By Byron V. Acohido

Human suffering and economic losses weren’t the only two things that escalated with the spread of Covid 19 last year.

Related: Can ‘SASE’ help companies secure connectivity?

Network breaches also increased steadily and dramatically month-to-month in 2020. This development is delineated in a recent report from technology research firm Forrester.

In its summary report – The State of Network Security, 2020 To 2021—Forrester combined findings derived from several surveys the firm conducted during the course of last year; Forrester polled security decision makers in organizations across North America and Europe.

The overarching takeaway: more organizations were breached, more often, in 2020 that 2019; some 58% of security decision-makers in North America and Europe reported dealing with at least one breach in 2020 as compared to 48% in 2019.

Notably, the number of organizations that said they were breached more than three times in the 12-month period was up significantly, as well.

Both external and internal cyber assaults were pervasive. Attacks routinely routed through through employees, contractors and vendors; in short, folks granted access for legitimate reasons in order to participate in cloud-based commerce.

Some 40% of respondents who experienced a breach due to an internal incident said it was due to intentional abuse of access rights from current or former employees; 38% said it was from accidental or inadvertent misuse by employees; and 22% said it was a combination of both.

ROUNDTABLE: Targeting the supply-chain: SolarWinds, then Mimecast and now UScellular

By Byron V. Acohido

It’s only February — and 2021 already is rapidly shaping into the year of supply-chain hacks.

Related: The quickening of cyber warfare

The latest twist: mobile network operator UScellular on Jan. 21 disclosed how cybercriminals broke into its Customer Relationship Management (CRM) platform as a gateway to compromise the cell phones of an undisclosed number of the telecom giant’s customers.

This bad news from UScellular follows similarly troubling disclosures from networking software supplier SolarWinds and from email security vendor Mimecast.

The SolarWinds hack came to light in mid-December and has since become a red hot topic in the global cybersecurity community.

Video: What all companies need to know about the SolarWinds hack

Meanwhile, Mimecast followed its Jan. 12 disclosure of a digital certificate compromise with a Jan. 26 posting confirming that the compromise was at the hands of the same nation-state threat group behind the SolarWinds hack and subsequent attacks on various technology companies and federal government agencies.

And now UScellular admits that it detected its network breach on Jan. 6, some two days after the attackers gained unauthorized access. The intruders got in by tricking UScellular retail store employees into downloading malicious software on store computers.

MY TAKE: How Russia is leveraging insecure mobile apps to radicalize disaffected males

By Byron V. Acohido

How did we get to this level of disinformation? How did we, the citizens of the United States of America, become so intensely divided?

It’s tempting to place the lion’s share of the blame on feckless political leaders and facile news media outlets. However, that’s just the surface manifestation of what’s going on.

Related: Let’s not call it ‘fake news’ any more.

Another behind-the-scenes component — one that is not getting the mainstream attention it deserves — has been cyber warfare. Russian hacking groups have set out to systematically erode Western democratic institutions — and they’ve been quite successful at it. There’s plenty of evidence illustrating how Russia has methodically stepped-up cyber attacks aimed at achieving strategic geopolitical advantage over rivals in North America and Europe.

I’m not often surprised by cybersecurity news developments these days. Yet, one recent disclosure floored me. A popular meme site, called iFunny, has emerged as a haven for disaffected teen-aged boys who are enthralled with white supremacy. iFunny is a Russian company; it was launched in 2011 and has been downloaded to iOS and Android phones an estimated 10 million times.

In the weeks leading up to the 2020 U.S. presidential election, investigators at Pixalate, a Palo Alto, Calif.-based supplier of fraud management technology, documented how iFunny distributed data-stealing malware and, in doing so, actually targeted smartphone users in the key swing states of Pennsylvania, Michigan and Wisconsin. The public is unlikely to ever learn who ordered this campaign, and what they did — or intend to do, going forward — with this particular trove of stolen data.

Advertising practices

Even so, this shared intelligence from Pixalate is instructive. It vividly illustrates how threat actors have gravitated to hacking vulnerable mobile apps. The state of mobile app security is poor. Insecure mobile apps represent a huge and growing attack vector. Mobile apps are being pushed out of development more rapidly than ever, … more

NEW TECH: Will ‘Secure Access Service Edge’ — SASE — be the answer to secure connectivity?

By Byron V. Acohido

Company networks have evolved rather spectacularly in just 20 years along a couple of distinct tracks: connectivity and security.

We began the new millennium with on-premises data centers supporting servers and desktops that a technician in sneakers could service. Connectivity was relatively uncomplicated. And given a tangible network perimeter, cybersecurity evolved following the moat-and-wall principle. Locking down web gateways and erecting a robust firewall were considered the be-all and end-all.

Related: The shared burden of securing the Internet of Things

Fast forward to the 21st Century’s third decade. Today, connectively is a convoluted mess. Company networks must support endless permutations of users and apps, both on-premises and in the Internet cloud. Security, meanwhile, has morphed into a glut of point solutions that mostly serve to highlight the myriad gaps in an ever-expanding attack surface. And threat actors continue to take full advantage.

These inefficiencies and rising exposures are not being ignored. Quite the contrary, there’s plenty of clever innovation, backed by truckloads of venture capital, seeking to help networks run smoother, while also buttoning down the attack surface. One new approach that is showing a lot of promise cropped up in late 2019. It’s called Secure Access Service Edge, or SASE, as coined by research firm Gartner.

SASE (pronounced sassy) replaces the site-centric, point-solution approach to security with a user-centric model that holds the potential to profoundly reinforce digital transformation. The beauty of SASE is that it accomplishes this not by inventing anything new, but simply by meshing mature networking and security technologies together and delivering them as a single cloud service —  with all of the attendant efficiency and scalability benefits.

To get a better idea of SASE, I had the chance to visit with Elad Menahem, director of security, and Dave Greenfield, secure networking evangelist,  at Cato Networks, a Tel Aviv-based startup that’s in the thick of the SASE movement. Here are the key takeaways … more

STEPS FORWARD: Math geniuses strive to make a pivotal advance — by obfuscating software code

By Byron V. Acohido

Most of time we take for granted the degree to which fundamental components of civilization are steeped in mathematics.

Everything from science and engineering to poetry and music rely on numeric calculations. Albert Einstein once observed that “pure mathematics is, in its way, the poetry of logical ideas.”

Related: How Multi Party Computation is disrupting encryption

An accomplished violinist, Einstein, no doubt, appreciated the symmetry of his metaphor. He was keenly aware of how an expressive Haydn symphony applied math principles in a musical context in much the same way has he did in deriving breakthrough physics theorems.

Math once more is being conjured to help civilization make a great leap forward. Digital technology, like music, is all about math. We’ve come a long way leveraging algorithms to deliver an amazing array of digital services over the past 30 years; yet so much more is possible.

Math is the linchpin to innovations that can dramatically improve the lives of billions of people, perhaps even save the planet. However, a quintessential math conundrum, is, for the moment, holding these anticipated advancements in check. The math community refers to this bottleneck as “indistinguishability obfuscation,” or iO.

Our top math geniuses point to iO as a cornerstone needed to unleash the full potential of artificially intelligent (AI) programs running across highly complex and dynamic cloud platforms, soon to be powered by quantum computers. Simply put, iO must be achieved in order to preserve privacy and security while tapping into the next generation of IT infrastructure.

I recently had the chance to discuss iO with Dr. Tatsuaki Okamoto, director of NTT Research’s Cryptography and Information Security (CIS) Lab, and Dr. Amit Sahai, professor of computer science at UCLA Samueli School of Engineering and director of UCLA Center for Encrypted Functionalities (CEF). NTT Research sponsored research led by Sahai that recently resulted in a achieving an important iO milestone.

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

GUEST ESSAY: ‘CyberXchange’ presents a much-needed platform for cybersecurity purchases

By Armistead Whitney

There is no shortage of innovative cybersecurity tools and services that can help companies do a much better job of defending their networks.

Related: Welcome to the CyberXchange Marketplace

In the U.S. alone, in fact, there are more than 5,000 cybersecurity vendors. For organizations looking to improve their security posture, this is causing confusion and vendor fatigue, especially for companies that don’t have a full time Chief Information Security Officer.

The vendors are well-intentioned. They are responding to a trend of companies moving to meet rising compliance requirements, such as PCI-DSS and GDPR. Senior management is now  focused on embracing well-vetted best practices such as those outlined in FFIEC and SOC 2, and many more. According to a recent study by PwC, 91% of all companies are following cybersecurity frameworks, like these, as they build and implement their cybersecurity programs.

All of this activity has put a strain on how companies buy and sell cybersecurity solutions. Consider that PCI-DSS alone has over 250 complex requirements that include things like endpoint protection, password management, anti-virus, border security, data recovery and awareness training.

Traditional channels for choosing the right security solutions are proving to be increasingly ineffective. This includes searching through hundreds of companies on Google, attending trade shows and conferences (not possible today with COVID), or dealing with constant cold calls and cold emails from security company sales reps.

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengalura, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF,) a technology that has been around for about 15 years. WAFs have become a table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the  HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application level attacks

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda and even Amazon Web Services offers a WAF. Indusface has differentiated itself by … more

SHARED INTEL: How ransomware evolved from consumer trickery to deep enterprise hacks

By David Balaban

Ransomware is undoubtedly one of the most unnerving phenomena in the cyber threat landscape. Numerous strains of this destructive code have been the front-page news in global computer security chronicles for almost a decade now, with jaw-dropping ups and dramatic downs accompanying its progress.

Related: What local government can do to repel ransomware

Ransomware came into existence in 1989 as a primitive program dubbed the AIDS Trojan that was spreading via 5.25-inch diskettes. This debut was followed by the emergence of several marginal blackmail threats in the mid-2000s that never gained significant traction among online criminals. The epidemic went truly mainstream with the release of CryptoLocker back in 2013, and it has since transformed into a major dark web economy spawning the likes of Sodinokibi, Ryuk, and Maze lineages that are targeting the enterprise on a huge scale in 2020.

Although most people think of ransomware as a dodgy application that encrypts data and holds it for ransom, the concept is much more heterogeneous than that. It additionally spans mild-impact screen lockers, data wipers disguised as something else, infections that overwrite the master boot record (MBR), and most recently, nasties that enhance the attack logic with data theft.

The above-mentioned AIDS Trojan hailing from the distant pre-Internet era was the progenitor of the trend, but its real-world impact was close to zero. The Archiveus Trojan from 2006 was the first one to use RSA cipher, but it was reminiscent of a proof of concept and used a static 30-digit decryption password that was shortly cracked. None of these early threats went pro. In this timeline, I will instead focus on the strains that became the driving force of the ransomware evolution.

FBI spoofs

2012 – 2013. During this period, the ransomware ecosystem was dominated by Trojans that locked the screen or web browser with fake alerts impersonating law enforcement agencies. These warnings would state that the victim committed a … more

NEW TECH: Cequence Security’s new ‘API Sentinel’ helps identify, mitigate API exposures

By Byron V. Acohido

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground.

Related: Defending botnet-driven business logic hacks

APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

However, API deployments have scaled so high and so fast that many companies don’t know how many APIs they have, which types they’re using and how susceptible their APIs might be to being compromised.

Cequence Security, a Sunnyvale, Calif.-based application security vendor, today is launching a new solution, called API Sentinel, designed to help companies jump in and start proactively mitigating API risks, without necessarily having to slow down their innovation steam engine. I had the chance to discuss this with Matt Keil, Cequence’s director of product marketing. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways from our conversation:

API 101

Digital transformation took off when companies discovered that instead of developing monolithic applications that were updated annually – at best – they could tap into the skill and creativity of their developers. This was possible because APIs – the conduits that enable two software applications to exchange information – are open and decentralized, exactly like the Internet.

Q&A: NIST’s new ‘Enterprise Risk Management’ guidelines push cyber risks to board level

By Byron V. Acohido

Enterprise risk management (ERM) is a comparatively new corporate discipline. The basic notion is that in today’s complex operating environment, it is important for businesses to proactively identify operational hazards and have a plan in place to account for them.

Related: Poll shows senior execs get cybersecurity

A hazard is anything that can interfere with a company meeting its objectives; it could be something physical, such as a fire, a theft or a natural disaster; or it could  be an abstract risk, such as a lawsuit or a regulatory fine.

As part of its role promoting cybersecurity best practices, the National Institute of Standards and Technology (NIST) has stepped forward to make sure complex and expanding cybersecurity exposures become part and parcel of evolving ERM frameworks.

NIST has been getting positive feedback to draft guidelines it issued in late March which essentially serves as a roadmap for enterprises to account for complex cybersecurity exposures when implementing ERM strategies. The guidelines — NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – are specifically aimed at fostering the integration of cybersecurity risk management best practices and ERM frameworks.

The Internet Security Alliance (ISA) is a trade association and think tank whose members include prominent corporations in a wide cross section of industries. In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards.

ISA President Larry Clinton noted how well the trade groups’ handbook meshes with NIST’s new guidelines. “The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity,” he says. “The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

I had the chance to drill down on this with … more

AUTHOR Q&A: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

GUEST ESSAY: Now more than ever, companies need to proactively promote family Online Safety

By Ellen Sabin

Cybersecurity training has steadily gained traction in corporate settings over the past decade, and rightfully so.

In response to continuing waves of data breaches and network disruptions, companies have made a concerted effort and poured substantial resources into promoting data security awareness among employees, suppliers and clients. Safeguarding data in workplace settings gets plenty of attention.

Related: Mock attack help schools prepare for hackers

However, the sudden and drastic shift to work-from-home and schooling-from-home settings has changed the ball game. The line between personal and professional use of digital tools and services, which was blurry even before the global pandemic, has now been obliterated by Covid-19.

Moving forward, companies can no longer afford to focus awareness training on just employees, partners and clients. It has become strategically important for them to promote best security practices in home settings, including the training of children.

Bringing smart habits into homes and minds is good for kids, good for parents, and, it turns out, good for businesses, too.

We’re all connected

Consider that kids are constantly connected on the internet with online games, streaming devices, virtual schooling, and zoom play dates. Adults increasingly are working from home, and usually on networks they share with their children. Mistakes online by one family member can lead to compromises in a household’s network, placing computers, personal data, and perhaps even work-related content at risk.

Cyber criminals have increased attacks as they see these opportunities. Companies must take this into account and consider extending employee training to also promote security and privacy habits among all family

GUEST ESSAY: HIPAA’s new ‘Safe Harbor’ rules promote security at healthcare firms under seige

By Riyan N. Alam

The Health Insurance Portability and Accountability Act — HIPAA — has undergone some massive changes in the past few years to minimize the burden of healthcare entities.

Related: Hackers relentless target healthcare providers

Despite these efforts, covered-entities and business associates continue to find HIPAA to be overwhelming and extensive, to say the least.

Cyberattacks against healthcare entities rose 45 percent between November 2020 and January 2021, according to Check Point . Meanwhile, the healthcare sector accounted for 79 percent of all reported data breaches during the first 10 months of 2020, a study by Fortified Health Security tells us.

At last, some good news has surfaced that encourages healthcare providers to implement the best security practices and meet HIPAA requirements. Amidst all of the turmoil, President Donald Trump officially signed H.R. 7898, known as the HIPAA Safe Harbor Bill, into law on January 5, 2021.

It is a new sign of relief for entities that could do very little against unavoidable and highly sophisticated cyberattacks. This bill is one of many recent industry efforts aimed at improving cybersecurity. The legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to reward organizations that follow the best cybersecurity practices for meeting HIPAA requirements.

AUTHOR Q&A: New book, ‘Hackable,’ suggests app security is the key to securing business networks

By Byron V. Acohido

The cybersecurity operational risks businesses face today are daunting, to say the least.

Related: Embedding security into DevOps.

Edge-less networks and cloud-supplied infrastructure bring many benefits, to be sure. But they also introduce unprecedented exposures – fresh attack vectors that skilled and motivated threat actors are taking full advantage of.

Adopting and nurturing a security culture is vital for all businesses. But where to start? Ted Harrington’s new book Hackable: How To Do Application Security Right argues for making application security a focal point, while laying out a practical framework that covers many of the fundamental bases.

Harrington is an executive partner at Independent Security Evaluators (ISE), a company of ethical hackers known for hacking cars, medical devices and password managers. He told me he wrote Hackable to inform folks oblivious to the importance of securing apps, even as corporate and consumer reliance on apps deepens.

Here are excerpts of an exchange Last Watchdog had with Harrington about his new book, edited for clarity and length:

LW: Why is it smart for companies to make addressing app security a focal point?

Harrington: Software runs the world. Application security is the soft underbelly to almost all security domains, from network security to social engineering and everything in between.

Q&A: SolarWinds, Mimecast hacks portend intensified third-party, supply-chain compromises

By Byron V. Acohido

SolarWinds and Mimecast are long-established, well-respected B2B suppliers of essential business software embedded far-and-wide in company networks.

Related: Digital certificates destined to play key role in securing DX

Thanks to a couple of milestone hacks disclosed at the close of 2020 and start of 2021, they will forever be associated with putting supply-chain vulnerabilities on the map.

Remember how the WannaCry and NotPetya worms signaled the trajectory of ransomware, which has since become an enduring, continually advancing operational hazard?

Similarly, the SolarWinds and Mimecast hacks are precursors of increasingly clever and deeply-damaging hacks of the global supply chain sure to come.

Supplier trojans

Quick recap: SolarWinds supplies the Orion platform to some 33,000 enterprises that use it to monitor and manage their entire IT stack. On Dec. 8, security vendor FireEye reported that it had been compromised by a state-sponsored adversary; then on Dec. 13, FireEye and Microsoft published this technical report, disclosing how the adversary got in: via trojan malware, dubbed Sunburst, carried in an Orion software update sent to FireEye.

SolarWinds subsequently disclosed to the SEC that threat actors inserted Sunburst into the Orion updates issued to customers between March and June 2020. The threat actors, it was noted, were careful not to tamper with Orion’s source code.