Author Archive

Q&A: SolarWinds, Mimecast hacks portend intensified third-party, supply-chain compromises

By Byron V. Acohido

SolarWinds and Mimecast are long-established, well-respected B2B suppliers of essential business software embedded far and wide in company networks.

Related: Digital certificates destined to play key role in securing DX

Thanks to a couple of milestone hacks disclosed at the close of 2020 and start of 2021, they will forever be associated with putting supply-chain vulnerabilities on the map.

Remember how the WannaCry and NotPetya worms signaled the trajectory of ransomware, which has since become an enduring, continually advancing operational hazard?

Similarly, the SolarWinds and Mimecast hacks are precursors of increasingly clever and deeply damaging hacks of the global supply chain sure to come.

Supplier trojans

Quick recap: SolarWinds supplies the Orion platform to some 33,000 enterprises that use it to monitor and manage their entire IT stack. On Dec. 8, security vendor FireEye reported that it had been compromised by a state-sponsored adversary; then on Dec. 13, FireEye and Microsoft published this technical report, disclosing how the adversary got in: via trojan malware, dubbed Sunburst, carried in an Orion software update sent to FireEye.

SolarWinds subsequently disclosed to the SEC that threat actors inserted Sunburst into the Orion updates issued to customers between March and June 2020. The threat actors, it was noted, were careful not to tamper with Orion’s source code: the malicious code went into the compiled updates that customers installed, while the source repository checked out clean. That is precisely why a review of the source alone, or a valid vendor signature on the update, would not have revealed the compromise.
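The check a practitioner would want here is the one that catches a build-time injection when the source is clean: rebuild the release independently from the same source tag and compare the shipped artifacts byte for byte. The example below is added for illustration and is not code from SolarWinds, FireEye or Microsoft; the file names and contents are constructed, and the directory layout (a vendor release tree beside an independent rebuild of the same tag) is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large release artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_builds(vendor_dir: Path, rebuild_dir: Path) -> dict:
    """Compare a vendor-shipped release tree against an independent rebuild from the
    same source tag. Returns lists of files that differ, files only the vendor shipped,
    and files the rebuild produced but the vendor did not. Any non-empty list means
    the shipped artifact is not what the source produces, even if the vendor's
    code-signing signature on it is valid (the signature only proves who shipped it)."""
    vendor = hash_tree(vendor_dir)
    rebuilt = hash_tree(rebuild_dir)
    return {
        "modified": sorted(f for f in vendor if f in rebuilt and vendor[f] != rebuilt[f]),
        "extra": sorted(f for f in vendor if f not in rebuilt),
        "missing": sorted(f for f in rebuilt if f not in vendor),
    }


def demo() -> dict:
    """Constructed sample (not real artifacts): a clean rebuild and a vendor release in
    which one library was altered during the build. Names and bytes are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        rebuild = Path(tmp) / "rebuild"
        vendor = Path(tmp) / "vendor"
        for d in (rebuild, vendor):
            (d / "lib").mkdir(parents=True)
        clean = {
            "Monitoring.Core.dll": b"MZ...clean build output...",
            "lib/Helper.dll": b"MZ...helper library...",
        }
        for name, data in clean.items():
            (rebuild / name).write_bytes(data)
            (vendor / name).write_bytes(data)
        # Build-time injection: same file name and same source, different bytes.
        (vendor / "Monitoring.Core.dll").write_bytes(
            clean["Monitoring.Core.dll"] + b"<injected backdoor>"
        )
        return compare_builds(vendor, rebuild)


if __name__ == "__main__":
    print(demo())
```

The comparison only works if the rebuild is reproducible (same toolchain, same inputs, no timestamps or build IDs baked into the binaries); where it is not, the differing files still give an analyst a short list of artifacts to inspect rather than the whole release.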

MY TAKE: With disinformation running rampant, embedding ethics into AI has become vital

By Byron V. Acohido

Plato once sagely observed, “A good decision is based on knowledge and not on numbers.” 

Related: How a Russian social media site radicalized U.S. youth

That advice resonates today, even as we deepen our reliance on number crunching — in the form of the unceasing machine learning algorithms whirring away in the background of our lives, setting in motion many of the routine decisions each of us make daily.

However, as Plato seemingly foresaw, the underlying algorithms we’ve come to rely on are only as good as the human knowledge they spring from. And sometimes the knowledge transfer from humans to math formulas falls well short.

Last August, an attempt by the UK government to use machine learning to conjure and dispense final exam grades to quarantined high-schoolers proved to be a disastrous failure. Instead of keeping things operable in the midst of a global pandemic, the UK officials ended up exposing the deep systemic bias of the UK’s education system in a glaring way.

Then, in November, the algorithms pollsters invoked to predict the outcome of the 2020 U.S. presidential election proved drastically wrong, again, even after the pollsters had poured their knowledge into improving their predictive algorithms following the 2016 election.

GUEST ESSAY: 5 steps for raising cyber smart children — who know how to guard their privacy

By Ellen Sabin

Today’s children are online at a young age, for many hours, and in more ways than ever before. As adults, we know that bad online decisions can have negative or dangerous effects for years to come.

Related: Web apps are being used to radicalize youth

The question isn’t whether we should educate children about online safety, but how we can best inspire them to learn to be thoughtful, careful, and safe in the cyber world for their lifetime. For adults doing the teaching, it’s no easy task.

Teaching children about good cyber security habits starts with helping them realize their power to learn to make smart choices. Often, messages about online security are presented as ‘to-do’ lists that can make even the most pliant of us feel like we are being preached to. Instead, let children think about why they want to become smart about online decisions and how they can make good choices.

Here are some tips to excite kids about cybersecurity.

Q&A: Here’s why securing mobile apps is an essential key to tempering political division

By Byron V. Acohido

Finally, Facebook and Twitter muzzled Donald Trump, preventing him from using his favorite online bully pulpits to spread disinformation. It only took Trump inciting a failed coup d’état that cost five lives.

Related: How a Russian social media app is radicalizing disaffected youth

The action taken by Facebook and Twitter last week was a stark reminder of how digital tools and services can be manipulated by badly motivated parties in insidious ways.

The risks and exposures intrinsic to our favorite digital tools and services run very deep, indeed. This is something that we’re going to have to address. As the presidential election unfolded in the fall, for example, there were revelations about how mobile apps used by political candidates were rife with security flaws that played right into the hands of propagandists and conspiracy theorists.

Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API exposures, took a close look at the gaping vulnerabilities in the mobile apps used by the Biden and Trump campaigns, respectively, and came up with a scoring system to rate the security level of each camp’s main mobile app for reaching voters.

On Android, the Official Trump 2020 App ranked nearly three times as secure as the Vote Joe App, for a simplistic reason: the Trump app was built against the most recent version of Android. Newer versions of Android provide more security and privacy protections to the apps that target them.

That said, neither the Biden nor the Trump app enforced Android’s Verify Apps feature, which scans for potentially harmful apps on the device. If the Verify Apps feature is turned off, any apps side-loaded onto the user’s device do not get scanned for malware, Doug Dooley, Data Theorem’s chief operating officer, told me.

MY TAKE: How Russia is leveraging insecure mobile apps to radicalize disaffected males

By Byron V. Acohido

How did we get to this level of disinformation? How did we, the citizens of the United States of America, become so intensely divided?

It’s tempting to place the lion’s share of the blame on feckless political leaders and facile news media outlets. However, that’s just the surface manifestation of what’s going on.

Related: Let’s not call it ‘fake news’ any more.

Another behind-the-scenes component — one that is not getting the mainstream attention it deserves — has been cyber warfare. Russian hacking groups have set out to systematically erode Western democratic institutions — and they’ve been quite successful at it. There’s plenty of evidence illustrating how Russia has methodically stepped-up cyber attacks aimed at achieving strategic geopolitical advantage over rivals in North America and Europe.

I’m not often surprised by cybersecurity news developments these days. Yet, one recent disclosure floored me. A popular meme app, called iFunny, has emerged as a haven for disaffected teenage boys who are enthralled with white supremacy. iFunny is a Russian company; it was launched in 2011 and has been downloaded to iOS and Android phones an estimated 10 million times.

In the weeks leading up to the 2020 U.S. presidential election, investigators at Pixalate, a Palo Alto, Calif.-based supplier of fraud management technology, documented how iFunny distributed data-stealing malware and, in doing so, actually targeted smartphone users in the key swing states of Pennsylvania, Michigan and Wisconsin. The public is unlikely to ever learn who ordered this campaign, and what they did — or intend to do, going forward — with this particular trove of stolen data.

Advertising practices

Even so, this shared intelligence from Pixalate is instructive. It vividly illustrates how threat actors have gravitated to hacking vulnerable mobile apps. The state of mobile app security is poor. Insecure mobile apps represent a huge and growing attack vector. Mobile apps are being pushed out of development more rapidly than ever, … more

GUEST ESSAY: Here’s how Secure Access Service Edge — ‘SASE’ — can help, post Covid-19

By Liraz Postan

One legacy of the ongoing global pandemic is that companies now realize that a secured and well-supported remote workforce is possible. In a recent study conducted by the University of Illinois and the Harvard Business School, 16% of companies reported switching their employees from the office to working at home at least twice a week.

Related: SASE translates into secure connectivity

The problem here is that a secured, cost-effective, and efficient network must be developed to support remote operations at scale. Gartner refers to this as the Secure Access Service Edge (SASE), a framework that combines Wide Area Network (WAN) capabilities with network security functions and delivers them as a cloud service, so that users, branches and cloud-hosted SaaS are protected wherever they connect from.

The makeup of SASE 

Many enterprises have accelerated their use of Virtual Private Network (VPN) solutions to support remote workers during this pandemic.

However, deploying VPNs on a wide-scale basis introduces performance and scalability issues. SASE can function both as security infrastructure and as the core IT network of large enterprises. It incorporates zero-trust technologies and software-defined wide area networking (SD-WAN). SASE then provides secure connectivity between the cloud and users, much as a VPN does. But it goes much further. It can also deploy web filtering, threat prevention, DNS security, sandboxing, data loss prevention, next-generation firewall policies, information security and credential theft prevention.

Thus SASE combines advanced threat protection and secure access with enterprise-class data loss prevention. Given the climbing number of remote workers, SASE has shifted from being a developing solution to being a very timely, sophisticated response to leading-edge cyber attacks. Here are a few guidelines to follow when evaluating vendors pitching SASE services:

NEW TECH: Will ‘Secure Access Service Edge’ — SASE — be the answer to secure connectivity?

By Byron V. Acohido

Company networks have evolved rather spectacularly in just 20 years along a couple of distinct tracks: connectivity and security.

We began the new millennium with on-premises data centers supporting servers and desktops that a technician in sneakers could service. Connectivity was relatively uncomplicated. And given a tangible network perimeter, cybersecurity evolved following the moat-and-wall principle. Locking down web gateways and erecting a robust firewall were considered the be-all and end-all.

Related: The shared burden of securing the Internet of Things

Fast forward to the 21st Century’s third decade. Today, connectivity is a convoluted mess. Company networks must support endless permutations of users and apps, both on-premises and in the Internet cloud. Security, meanwhile, has morphed into a glut of point solutions that mostly serve to highlight the myriad gaps in an ever-expanding attack surface. And threat actors continue to take full advantage.

These inefficiencies and rising exposures are not being ignored. Quite the contrary, there’s plenty of clever innovation, backed by truckloads of venture capital, seeking to help networks run smoother, while also buttoning down the attack surface. One new approach that is showing a lot of promise cropped up in late 2019. It’s called Secure Access Service Edge, or SASE, as coined by research firm Gartner.

SASE (pronounced sassy) replaces the site-centric, point-solution approach to security with a user-centric model that holds the potential to profoundly reinforce digital transformation. The beauty of SASE is that it accomplishes this not by inventing anything new, but simply by meshing mature networking and security technologies together and delivering them as a single cloud service — with all of the attendant efficiency and scalability benefits.

To get a better idea of SASE, I had the chance to visit with Elad Menahem, director of security, and Dave Greenfield, secure networking evangelist, at Cato Networks, a Tel Aviv-based startup that’s in the thick of the SASE movement. Here are the key takeaways … more