 

Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security

By Byron V. Acohido

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land.

Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset pervasively throughout their IT departments has become the ground stakes.

Related: The ‘gamification’ of cybersecurity training

Ransomware, business email compromises and direct ACH system hacks continue to morph and intensify. The exposure faced by SMBs is profound. Cyber intruders skilled at taking the quickest route to digitally exfiltrating the largest amount of cash prey on the weak. No small organization can afford to be lackadaisical.

More and more SMBs have begun dispatching their line IT staff to undergo training and get tested in order to earn basic cybersecurity certifications issued by the Computing Technology Industry Association, aka CompTIA, the non-profit trade association that empowers people to build successful tech careers.

Many companies are taking it a step further, selecting certain techies to also receive advanced training and pursue specialty CompTIA certifications in disciplines such as ethical hacking and penetration testing. Last Watchdog recently sat down with James Stanger, CompTIA’s Chief Technology Evangelist, to discuss how and why SMBs have finally come to see the light. Below are excerpts of our discussion edited for clarity and length:

LW: What are the drivers behind SMBs finally ‘getting’ security?

Stanger: It’s two things. First, companies are more reliant on digital systems than ever before. Frankly, a lot of companies got away with using analogue processes for years, and now they’re finally having to adopt the cloud and the Internet of Things. Secondly, businesses with 10 to 250 people generally have felt for a long time that they weren’t big enough to attack. That’s just not the case anymore. (more…)


Q&A: The troubling implications of normalizing encryption backdoors — for government use

By Byron V. Acohido

Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?

We know how Vladimir Putin, Xi Jinping and Kim Jong-un would answer: “Of course!”

Related: Nation-state hacks suggest cyber war is underway

The disturbing thing is that in North America and Europe more and more arguments are being raised in support of creating and maintaining encryption backdoors for government use. Advocates claim such access is needed to strengthen national security and hinder terrorism.

But now a contingent of technology industry leaders has begun pushing back. These technologists are in full agreement with privacy and civil rights advocates who argue that this is a terrible idea.

They assert that the risk of encryption backdoors ultimately being used by criminals, or worse than that, by a dictator to support a totalitarian regime, far outweighs any incremental security benefits. I had an invigorating discussion with Jeff Hudson, CEO of Venafi, about this at Black Hat USA 2018.

Venafi sells machine identity protection, meaning the keys and certificates that authenticate machine-to-machine connections before any system can be accessed. Those keys are exactly what a backdoor would have to weaken, so this technology is where the rubber meets the road in this debate. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: What’s wrong with granting governments the ability to break encryption?

Venafi: It has been established over a long period of time that the minute you put a backdoor in, and you think it’s secure, it almost immediately will fall into the wrong hands. Because it’s there, the bad guys will get to it. This makes backdoors the worst possible things for security.

The government wants to be able to surveil network traffic, and they want backdoors so they can see everything. If they can see all the traffic all the time, they can just sit back and surveil everything. …more
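The structural argument Hudson makes above, worked through as an added example that is not part of the original interview and not Venafi's code: a toy encryption scheme (HMAC-SHA256 run as a counter-mode keystream, for illustration only, not a production cipher) in two variants, one that ships each session key wrapped under a hypothetical escrow key in the message header, and one that does not. The escrow key, the session keys and the sample messages are all constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration, not the page's or Venafi's code: a key-escrow "backdoor"
# turns one secret into a master key for all recorded traffic. Toy construction
# for demonstration only; do not reuse as a cipher.

ESCROW_KEY = bytes.fromhex("00" * 31 + "01")  # hypothetical escrow secret (constructed)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce `length` keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(session_key: bytes, nonce: bytes, plaintext: bytes,
            escrow_key: Optional[bytes] = None) -> dict:
    """Encrypt one message under its own session key.

    With escrow_key set, the session key is additionally wrapped under the escrow
    key and placed in the header so the escrow holder can decrypt: the backdoor.
    """
    wrapped = b""
    if escrow_key is not None:
        wrapped = xor(session_key, keystream(escrow_key, b"wrap:" + nonce, len(session_key)))
    body = xor(plaintext, keystream(session_key, nonce, len(plaintext)))
    return {"nonce": nonce, "wrapped_key": wrapped, "body": body}


def decrypt_with_escrow(record: dict, escrow_key: bytes) -> Optional[bytes]:
    """What anyone holding the escrow key, lawfully or not, can do to any record."""
    if not record["wrapped_key"]:
        return None  # no backdoor header: the escrow key is useless against this record
    session_key = xor(record["wrapped_key"],
                      keystream(escrow_key, b"wrap:" + record["nonce"], len(record["wrapped_key"])))
    return xor(record["body"], keystream(session_key, record["nonce"], len(record["body"])))


# Constructed sample traffic: three unrelated sessions between different parties.
SAMPLE_MESSAGES = [
    b"wire $250,000 to account 4471 before noon",
    b"rotate the VPN server certificate tonight",
    b"patient 0091 lab results attached",
]


def capture_traffic(escrow_key: Optional[bytes] = None) -> list:
    """Simulate an eavesdropper recording every session on the wire, each with a fresh key."""
    return [encrypt(os.urandom(32), os.urandom(12), m, escrow_key) for m in SAMPLE_MESSAGES]


def recover_all(records: list, leaked_escrow_key: bytes) -> list:
    """Bulk, retroactive decryption of an entire archive from a single leaked secret."""
    return [p for p in (decrypt_with_escrow(r, leaked_escrow_key) for r in records) if p is not None]


if __name__ == "__main__":
    backdoored = capture_traffic(ESCROW_KEY)
    print("backdoored traffic, escrow key leaked:", recover_all(backdoored, ESCROW_KEY))
    clean = capture_traffic()
    print("no backdoor, same leaked key:", recover_all(clean, ESCROW_KEY))
```

The point the code makes concrete is that the escrow variant collapses many independent secrets into one: whoever obtains ESCROW_KEY, whether an insider, a thief who breaches the escrow agent or a hostile state, decrypts every recorded session after the fact, while the same eavesdropper holding the same leaked key gets nothing from the variant without the header.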

GUEST ESSAY: Did you know these 5 types of digital services are getting rich off your private data?

By Greg Sparrow

Now more than ever before, “big data” is a term that is widely used by businesses and consumers alike. Consumers have begun to better understand how their data is being used, but many fail to realize the hidden privacy pitfalls in everyday technology.

Related: Europe tightens privacy rules

From smartphones to smart TVs, location services and speech capabilities, user data is often stored without your knowledge. Here are some of the most common yet hidden privacy dangers facing consumers today.

• Geo-location: Geo-location can be convenient, especially when you’re lost or need GPS services. However, many fail to realize that information about your location is stored and archived, and then often sold to third parties who want to use it for a wide variety of reasons.

For example, are you aware that data is routinely collected while you shop? A variety of stores will purchase location information to determine how long a customer browsed in a particular aisle, so that they can further market to those customers in the future by promoting similar products. The information may seem harmless, but would you feel the same way if you saw a physical person following you around collecting the same information?

• Social media: Facebook, Google, Twitter, and Instagram are all social media services that are provided to individuals for “free,” but have you ever wondered what the real cost might be? The hidden cost of using these social media sites is the forfeit of personal information for the sites to sell and thus profit from. In fact, Google and Yahoo can actually read their customers’ personal email.

Some individuals might say they don’t mind because they have “nothing to hide,” but wouldn’t you be wary of publicly posting your login credentials not knowing who might have access? Giving these large organizations rights to your private messages can be interpreted as pretty much the same thing. …more

NEW TECH: How ‘adaptive multi-factor authentication’ is gaining traction via partnerships

By Byron V. Acohido

Tel Aviv, Israel-based Silverfort continues to make inroads into proving the efficacy of its innovative approach to multi-factor authentication, or MFA, in corporate settings.

Related: Why a ‘zero-trust’ approach to security is necessary

One recent validation comes from two long-established, and much larger, cybersecurity vendors, Check Point and Palo Alto Networks, which have begun integrating Silverfort’s MFA solution into their respective malware detection and intrusion prevention systems.

Silverfort is the brainchild of a band of colleagues who toiled together in the encryption branch of Unit 8200, the elite cybersecurity arm of the Israeli military.

The co-founders took heed of the limitations companies faced in deploying MFA to protect sensitive systems without unduly hindering productivity. They recognized that rising complexities as business networks underwent digital transformation made MFA cumbersome, and sometimes even impossible, to deploy. …more

GUEST ESSAY: A guide to implementing best security practices — before the inevitable breach

By Kirk A. Pelikan and Elizabeth A. Rogers

The United States has experienced the most cybersecurity breaches in the world, and the Equifax breach was one of the first to be considered a “mega breach.”

The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology. Equifax was not special in this regard.

Related: How social media is used to spread malware, influence elections

In fact, recent research reveals that about 60% of information security stakeholders have an IT background, but about the same share lack formal technical training[1]. That being said, there is no body of evidence that indicates a direct correlation exists between an information security stakeholder’s non-technical background and the likelihood of a breach.

If having a skilled technical staff isn’t critical, then what arrangements should a company have in place to mitigate the occurrence of a data breach and to avoid the fines and penalties that can follow? In the absence of a law that contains prescriptive requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), the answer is generally that a company should implement a “reasonable data privacy and security program” under all circumstances.

Reasonable protections

The standard of a “reasonable data privacy and security program” has been relied upon by the Federal Trade Commission (FTC) in data privacy enforcement actions for years and was recently added to a number of state data breach notification laws as a requirement. Additionally, beginning in May 2018, companies subject to the General Data Protection Regulation (GDPR) have a duty to maintain appropriate technical and organizational measures to safeguard personal data, taking into account available technologies; costs of implementation; and the nature, scope, and purposes of processing personal data. Note that this is a moving standard: the technologies existing in 2018 will undoubtedly differ from those that exist in 2020.

The FTC considers that ‘reasonable security’ doesn’t mean ‘perfect security.’ …more

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

Related: Why carpet bombing email campaigns endure

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S. Government Accountability Office audit last week found that the defense department is playing catch-up when it comes to securing weapons systems from cyberattacks. At an earlier Senate hearing, GAO auditors described how DoD has failed to adequately address numerous warnings that the rising use of automation and connectivity in weapons systems also tends to create a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised. Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.


One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more

GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

By Michael Magrath

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems.

Related podcast: Cyber attacks on critical systems have only just begun

On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.

The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.

It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.

Third-party risk

Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel. …more

MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

By Byron V. Acohido

“May you live in interesting times.” The old saying, usually billed as a Chinese proverb and taken by some as a blessing and by others as a curse, certainly describes the modern-day cyber landscape.

Related: 7 attacks that put us at the brink of cyber war

In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

With the bull’s-eye on a country’s financial Achilles’ heel, state-sponsored attackers are sowing chaos, disruption and fear. And the risks are multiplying as more digital devices become connected in insufficiently secured environments.

Many of the embedded devices in existing industrial control systems (ICS), like pumps, valves and turbines, and the tooling used to monitor and manage them, are ancient in technological terms. And until recently, security surrounding operational technology (OT), the networks that run production operations, has been siloed, or air-gapped, from information technology (IT) operations, which work in the corporate space. Isolating OT operations from public networks like the internet had once been considered best practice.

Dismantling the silos

But Gartner and others now recommend merging OT and IT security. Convergence of the two in the industrial internet of things (IIoT) makes for better communication and access to online data and processes, but it also flings the door wide open for nefarious activity by cyber criminals. Espionage scenarios that once were the basis of movies and novels now have become real-life exploits.

I talked to Phil Neray, vice president of industrial security at CyberX, a company founded in 2013 that operates a platform for real-time security of the industrial internet.

Read on to learn what Neray has to say about industrial security, then hear a more in-depth discussion on the subject on the accompanying podcast:

As organizations digitize their operations and add more sensors and other devices to the production environment, …more