Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Searching for: marriott

 

ROUNDTABLE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common demonitor: All of those organizations have now disclosed massive data breaches over a span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders:

BEST PRACTICES: How testing for known memory vulnerabilities can strengthen DevSecOps

By Byron V. Acohido

DevOps wrought Uber and Netflix. In the very near future DevOps will help make driverless vehicles commonplace.

Related: What’s driving  ‘memory attacks’

Yet a funny thing has happened as DevOps – the philosophy of designing, prototyping, testing and delivering new software as fast as possible – has taken center stage. Software vulnerabilities have gone through the roof.

Over a five year period the number technical software vulnerabilities reported to the National Institute of Standards and Technology’s National Vulnerability Database  (NVD) more than tripled – from 5,191 in  2013 to a record 16,556 in 2018.

Total vulnerabilities reported in the NVD dropped a bit in 2019, down to 12,174 total flaws. Some credit for that decline surely goes to the DevSecOps movement that has come into its own in the past two to three years.

DevSecOps proponents are pushing for security-by-design practices to get woven into the highly agile DevOps engineering culture. Still, 12,000-plus fresh software vulnerabilities is a lot, folks. And that’s not counting the latent vulnerabilities getting overlooked in this fast-paced environment – flaws sure to be discovered and exploited down the line by opportunistic threat actors.

San Jose-based application security vendor, Virsec, is seeking to tilt the balance a bit more to the side of good.

MY TAKE: Why it’s now crucial to preserve PKI, digital certificates as the core of Internet security

By Byron V. Acohido

For decades, the cornerstone of IT security has been Public Key Infrastructure, or PKI, a system that allows you to encrypt and sign data, issuing digital certificates that authenticate the identity of users.

Related: How PKI could secure the Internet of Things

If that sounds too complicated to grasp, take a look at the web address for the home page of this website. Take note of how the URL begins with HTTPS.  The ‘S’ in HTTPS stands for ‘secure.’ Your web browser checked the security certificate for this website, and verified that the certificate was issued by a legitimate certificate authority. That’s PKI in action.

As privacy comes into sharp focus as a priority and challenge for cybersecurity, it’s important to understand this fundamental underlying standard.

Because it functions at the infrastructure level, PKI is not as well known as it should be by senior corporate management, much less the public. However, you can be sure cybercriminals grasp  the nuances about PKI, as they’ve continued to exploit them to invade privacy and steal data.

Here’s the bottom line: PKI is the best we’ve got. As digital transformation accelerates, business leaders and even individual consumers are going to have to familiarize themselves with PKI and proactively participate in preserving it. The good news is that the global cybersecurity community understands how crucial it has become to not just preserve, but also reinforce, PKI. Google, thus far, is leading the way.

MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

By Byron V. Acohido

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Related: Cyber risks spinning out of IoT

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.”

NEW TECH: How ‘cryptographic splitting’ bakes-in security at a ‘protect-the-data-itself’ level

By Byron V. Acohido

How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches?

Related: Breakdown of Capital One breach

The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect the data itself.

It’s not for lack of trying. Tech consultancy IDC recently estimated that global spending on security-related hardware, software and services is growing at a compound annual growth rate of 9.2% a year and is on a curve to reach $133.8 billion by 2022.

It’s not for lack of best practices frameworks. There are plenty of good ones by government regulators, such as those compiled and distributed for free by NIST; and there’s no end of  rules and guidance issued by a wide variety of industry standards bodies.

And it’s certainly not for lack of technology; just visit the vast exhibitors’ floor at RSA Conference or Black Hat USA. I attended both again this year, and at the latter I had the chance to meet with Paul Russert, vice president of product and compliance with a Rancho Santa Margarita, Calif.-based start-up, SecurityFirst.

We discussed how SecurityFirst set out three years ago to begin commercially distributing something called cryptographic splitting technology. As I came to understand it, this new approach leverages multi-factor secret sharing algorithms previously only used by government entities.

Cryptographic splitting appears to be a very direct, and much more robust, approach to protecting the data itself, in a way that makes good sense in the current environment. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Security benefits

Protect the data itself. Sounds simple enough. Yet in the age of Big Data and digital transformation many organizations still don’t do this very well. Legacy perimeter defenses are rapidly losing efficacy as … more

MY TAKE: Poll shows senior execs, board members grasp strategic importance of cybersecurity

By Byron V. Acohido

A singular topic has risen to the top of the agenda in executive suites and board rooms all across the planet: cybersecurity.

Related: Security, privacy fallout of IoT

A recent survey by Infosys, a tech consulting and IT services giant based in Bangalore, India, quantifies the degree to which the spotlight has landed on cybersecurity in large organizations.

Infosys polled 867 senior officials from 847 firms in a dozen industries, each with at least $500 million in annual revenue; the companies are based in the US, Europe, Australia or New Zealand. Some 83% of respondents said they viewed cybersecurity as critical to their organization, while 66% of the companies reported having implemented a well-defined cybersecurity strategy.

What jumped out at me was that 60% of C-level executives and 48% of board members indicated they actively participated in formulating cybersecurity strategy. Just five years ago a participation level like this was more of an optimistic hope, than anything else. At least that’s what I took away from a memorable fireside chat I had, back then, with the late Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama.

Last week, I had the chance to sit down with Vishal Salvi, Infosys’ chief information security officer. We met at the Infosys Americas Confluence conference in Scottsdale, AZ, and had a well-rounded discussion about the drivers behind this new board-level awareness – and the going forward implications. For a full drill down, please give a listen to the accompanying podcast. Here are a few key takeaways:

Time to execute

Salvi walked me through other survey findings illustrating how pervasively a cybersecurity consciousness has taken hold in the upper echelons of the corporate sector. According to the Infosys poll, these items are on the front burner:

•The top concerns faced by enterprises are hackers and hacktivist (84 percent), low awareness among employees (76 percent), insider threats (75 percent), and corporate … more

NEW TECH: LogicHub introduces ‘virtualized’ security analysts to help elevate SOAR

By Byron V. Acohido

One of the promising cybersecurity trends that I’ve been keeping an eye on is this: SOAR continues to steadily mature.

Security orchestration, automation and response, or SOAR, is a fledgling security technology stack that first entered the cybersecurity lexicon about six years ago.

Related: Here’s how Capital One lost 100 million customer records

SOAR holds the potential to slow – and, ultimately, to help reverse – the acute and worsening cybersecurity skills shortage. SOAR vendors purport to do this by leveraging automation in more sophisticated ways to help enterprises and MSSPs cull the vast data flows that inundate modern business networks.

One SOAR innovator that has been gaining steady traction is Mountain View, Calif.-based LogicHub. I first spoke to Kumar Saurabh, LogicHub’s co-founder and CEO, not long after the company launched in 2016. Saurabh spent 15 years leading product development at ArcSight, the SIEM management company acquired by HP for $1.5 billion, and later co-founded SumoLogic.

Saurabh told me he developed a passion for helping organizations improve the efficiencies of their security operations. And this inspired him to co-found LogicHub. I had the chance to meet with him again at Black Hat 2019 in Las Vegas. He told me about recent breakthroughs LogicHub has made putting smarter tools into the hands of cyber analysts.

For a full drill down on our discussion give a listen to the accompanying podcast. Here are my takeaways:

Skills deficit

Over the past 20 years, enterprises have shelled out small fortunes in order to stock their SOCs with the best firewalls, anti-malware suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But that hasn’t been enough.

Today there exists a widening shortage of security analysts talented and battle tested enough to make sense of the rising tide of data logs inundating their SIEM systems. This skills deficit has been the top worry of IT pros for several years, according to … more