CyberArk shows how ‘shadow admins’ can be created in cloud environments

By Byron V. Acohido

There’s little doubt “digital transformation” is here to stay. And it is equally clear that just about all of the fundamental network vulnerabilities we already know about will escalate, in lockstep, with any benefits accrued.

It turns out that speeding up tech innovation cuts both ways.

Related article: How safeguarding privileged accounts can lower insurance

A vivid illustration of this truism comes from the rising challenges businesses face locking down privileged accounts. I had the chance to visit with CyberArk security researchers Lavi Lazarovitz and Asaf Hecht just after they carried out a stunning demo at RSA Conference 2018.

The pair showed how threat actors can create all-powerful “shadow admin” accounts within cloud platforms, such as Amazon Web Services, Microsoft Azure and Google Cloud, simply by manipulating the very design features meant to make cloud services nimble and agile.

For a full drill down on our discussion, please listen to the accompanying podcast. Here are key takeaways.

On-premise vs. cloud

Some context: When I interviewed CyberArk CEO Udi Mokady back in 2013, we discussed how most organizations had a lot to learn about privileged access security best practices. The vast majority of organizations at the time underestimated the number of privileged accounts that existed in their networks, allowed employees to widely share passwords, did not use two-factor authentication much, and changed passwords infrequently.

Since then companies have made substantial progress. Privileged access security technologies and best practices have been more widely adopted with respect to on-premises data centers. Companies are paying much closer attention to the use — and abuse — of privileged accounts, credentials and secrets, especially those that provide root access to mission-critical systems.

GUEST ESSAY: The Facebook factor: Zuckerberg’s mea culpa reveals intolerable privacy practices

By Elizabeth A. Rogers, Adrienne S. Erhardt and Ryan T. Sulkin

In the words of the Nobel Prize writer Bob Dylan, “The times, they are a-changin.’” Revelations in the press about Facebook’s current privacy problems, and a new comprehensive European Union privacy framework that impacts American businesses, may be changing the climate towards more data privacy regulations by United States lawmakers.

As technology and uses for data surge ahead at breakneck speed, however, the testimony of Facebook CEO Mark Zuckerberg seemed to highlight both the public’s and lawmakers’ limited understanding of the impact that dizzying advancement has on individual privacy and on our society at large.

Related article: Good privacy practices can improve bottom line

Against these rapidly changing times, the challenge now is for …more

GUEST ESSAY: How data science and cybersecurity will secure ‘digital transformation’

By Roger Huang

In today’s environment of rapid-fire technical innovation, data science and cybersecurity not only share much in common, it can be argued that they have an important symbiotic relationship.

A fundamental understanding of the distinctions – and similarities – of these two fields is good to have. Both must flourish separately and together to fuel “digital transformation” in a way that makes our connected world as secure as it needs to be.

Related article: Machine-learning does heavy-lifting

Data science focuses more on data structures, algorithms and computability. Cybersecurity emphasizes knowledge of systems administration, architecture, operating systems and web applications. However, both data science and cybersecurity rely on proficiency across a shared base of technical knowledge.

Both …more

Why antivirus has endured as a primary layer of defense — 30 years into the cat vs. mouse chase

By Byron V. Acohido

Antivirus software, also known as antimalware, has come a long, long way since it was born in the late 1980s to combat then-nascent computer viruses during a time when a minority of families had a home computer.

One notable company’s journey in the space started in 1987 when three young men, Peter Paško, Rudolf Hrubý, and Miroslav Trnka, built one of the earliest antivirus prototypes while working out of a house in the former Czechoslovakia. A few years later they formally launched ESET in the central European country of Slovakia in the city of Bratislava.

Related article: NSA super weapons fuel cyber attacks

ESET has endured as part of a select group of legacy antivirus companies that got started in that era. The list includes Avira, Avast, AVG, Bitdefender, F-Secure, G Data, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro.

It’s amazing that these companies all continue to thrive years later, long after pundits declared traditional antivirus too anachronistic to keep pace with the rise of ecommerce, cloud computing, mobile computing and now the Internet of Things. But they were wrong.

Today the “endpoint security” market, which includes antimalware, antispyware and firewalls, is as healthy as ever; research firm Marketsandmarkets estimates global spending on endpoint security will rise to $17.4 billion by 2020, up from $11.6 billion in 2015, a robust 8% per annum growth rate.

I had the chance to discuss ESET’s evolution from traditional antivirus to a full suite of security solutions (ransomware protection, threat intelligence, encryption and the like) with Tony Anscombe, ESET’s global security evangelist, at RSA Conference 2018. For a drill down on our conversation please give the accompanying podcast a listen. A few big takeaways: …more

MY TAKE: Why DDoS attacks continue to escalate — and how businesses need to respond

By Byron V. Acohido

Law enforcement’s big win last month dismantling ‘Webstresser,’ an online shopping plaza set up to cater to anyone wishing to purchase commoditized DDoS attack services, was a stark reminder of the ever present threat posed by Distributed Denial of Service attacks.

Related video: How DDoS attacks leverage the Internet’s DNA

The threat actors running Webstresser accepted all paying customers — no questions asked. Anybody could use Webstresser’s online payment system to rent out stressers or booters, available for hire for as little as $18 per month — and most effective at flooding targeted servers with traffic, no technical skills required.

Webstresser had more than 136,000 registered users who patronized it to launch some 4 million DDoS attacks against government agencies, banks, police and gambling sites, according to Europol. Keep in mind, Webstresser is just one colorful example of how far DDoS attacks have come.

DDoS originated a decade or more before anyone ever thought up ransomware attacks; and DDoS has advanced and expanded, approximately on par with targeted phishing and leading-edge data breach tactics.

I recently had a chance to discuss the current state of DDoS threats with Lee Chen, CEO of A10 Networks, a leading supplier of advanced DDoS detection and mitigation systems. For a full drill down on our discussion please listen to the accompanying podcast. Here are a few takeaways: …more

MY TAKE: Why the unfolding SIEMs renaissance fits hand-in-glove with ‘digital transformation’

SIEM systems have been on the comeback trail for a few years now. And now SIEMs could be on the verge of a full-blown renaissance.

Related article: Freeing SOC analysts from tedious tasks

I spoke with several vendors who are contributing to this at RSA Conference 2018. One of them was Securonix, a supplier of advanced next-generation SIEM (security and information management) technology. The Addison, Tex.-based company is also a leading innovator in UEBA (user and entity based analytics) systems.

For a full drill down of my conversation with Nitin Agale, Securonix’s SVP of products, please listen to the accompanying podcast. A few takeaways from our discussion:

SIEMs’ second wind

SIEMs, you may recall, first cropped up in 2005, and, at the time, got unfairly hyped as something of a silver bullet. SIEMs are designed as a tool to collect event log data from internet data as well as corporate hardware and software assets, and then cull meaningful security intelligence from a massive volume of potential security events.

For a number of reasons, SIEMs never quite lived up to their initial promise. Now, 13 years later, we’re in the midst of a “digital transformation” that has resulted in an exponential increase in the volume of business data, much of it circulating in the cloud. …more

LW’s NEWS WRAP: ‘Spectre-NG’ — the latest family of chip vulnerabilities; expect more to come

By Byron V. Acohido

Last Watchdog’s News Wrap Vol. 1, No. 7. Google and Microsoft don’t team up very often. But the software rivals, to their credit, have been moving in unison to help the business community get ahead of a new class of hardware-level security flaws that affect most of the networks now in service.

Researchers at Google’s Project Zero recently uncovered more such hardware flaws, which originate inside the central processing unit, or CPU, and first came to light with the milestone Meltdown and Spectre vulnerabilities in early January.

Related article: A primer on ‘microcode’ vulnerabilities

I’ve previously unraveled how a design shortcut, called ‘speculative execution,’ has finally come home to roost in the form of a vast security exposure. Speculative execution was a shortcut which Intel decided to take some 20 years ago in order to increase processing speed.

Google on Monday formally disclosed this latest iteration of these chip flaws: eight new vulnerabilities dubbed ‘Spectre Next Generation’ or ‘Spectre-NG.’ Then on Tuesday Microsoft issued security patches to eliminate this specific flaw on chips companies are using to run Windows operating systems.

Get used to this pattern of disclosure and patching. These vulnerabilities won’t be eliminated until the next generation of chips arrives years from now.

“It’s safe to assume there are still quite a few flaws that have yet to be discovered,” Craig Dods, Juniper Networks chief security architect, told me. “I’m hesitant to conclude that things will only get worse with time. The barrier to entry for this type of research is quite high and generally remains possible for only the most skilled engineers.”

It will be nice if Dods’ conservative assessment holds true and we never see anything bad come from chip flaws. However, Russia- and China-backed cyber operatives and for-profit criminal rings certainly have deep pockets and top engineering talent – so why wouldn’t they jump into a race with white hats to find more vulnerabilities — and/or exploit known flaws in unpatched systems? I have a feeling we’ll hear from them sooner, rather than later. …more