Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Best Practices

 

GUEST ESSAY: The Top 5 online privacy and data security threats faced by the elderly

By Lyle Solomon

What is it about the elderly that makes them such attractive targets for cybercriminals? A variety of factors play a role.

Related: The coming of bio-digital twins

Unlike many younger users online, they may have accumulated savings over their lives — and those nest eggs are a major target for hackers. Now add psychological variables to the mix of assets worth stealing.

Perhaps elderly folks who haven’t spent a lot of time online are easier to deceive. And, let’s be honest, the deceptive writing phishing assaults and other cyber threats today employ are skilled enough to fool even the most trained, internet-savvy experts.

Ever present threats

Some of our elderly may be concerned that any hint of weakness will convince their relatives that they can no longer live alone. Thus hackers rely on them not revealing they’ve been duped. That said, here are what I consider to be the Top 5 online threats seniors face today:

•Computer tech support scams. These scams take advantage of seniors’ lack of computer and cybersecurity knowledge. A pop-up message or blank screen typically appears on a computer or phone, informing you that your system has been compromised and requires repair.

GUEST ESSAY – The role of automation in keeping software from malicious, unintended usage

By Dan Chernov

Writing a code can be compared to writing a letter.

Related: Political apps promote division

When we write a letter, we write it in the language we speak — and the one that the recipient understands. When writing a code, the developer does it in a language that the computer understands, that is, a programing language.  With this language, the developer describes a program scenario that determines what the program is required to do, and under what circumstances.

If we make mistakes or typos in the text of the letter, its content becomes distorted. Our intentions or requests can get misinterpreted. The same thing happens when the developer makes errors in the code, resulting in inadvertent vulnerabilities.

Then the operating scenarios of the system become different from those originally intended by the software developer. As a result, the system can be brought into a non-standard condition, which was not provided for by the software developer. Thus, an attacker can manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of hacking online applications. Suppose we have an online service, an online bank, for instance. We enter our login and password to sign in.  In a SQL injection attack the intruder inserts malicious code into the lines that are sent to the server for analysis and execution. With a user account, the attacker can bring the system into an abnormal condition and get access to other users’ accounts.

RSAC insights: Malware is now spreading via weaponized files circulating in data lakes, file shares

By Byron V. Acohido

The zero trust approach to enterprise security is well on its way to mainstream adoption. This is a very good thing.

Related: Covid 19 ruses used in email attacks

At RSA Conference 2022, which takes place this week (June 6 – 9) in San Francisco, advanced technologies to help companies implement zero trust principals will be in the spotlight. Lots of innovation has come down the pike with respect to imbuing zero trust into two pillars of security operations: connectivity and authentication.

However, there’s a third pillar of zero trust that hasn’t gotten quite as much attention: directly defending data itself, whether it be at the coding level or in business files circulating in a highly interconnected digital ecosystem. I had a chance to discuss the latter with Ravi Srinivasan, CEO of  Tel Aviv-based Votiro which launched in 2010 and has grown to  .

Votiro has established itself as a leading supplier of advanced technology to cleanse weaponized files. It started with cleansing attachments and weblinks sent via email and has expanded to sanitizing files flowing into data lakes and circulating in file shares. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.

RSAC insights: How ‘TPRM’ can help shrink security skills gap — while protecting supply chains

By Byron V. Acohido

Third-Party Risk Management (TPRM) has been around since the mid-1990s – and has become something of an auditing nightmare.

Related: A call to share risk assessments

Big banks and insurance companies instilled the practice of requesting their third-party vendors to fill out increasingly bloated questionnaires, called bespoke assessments, which they then used as their sole basis for assessing third-party risk.

TPRM will be in the spotlight at the RSA Conference 2022 this week (June 6 -9) in San Francisco. This is because third-party risk has become a huge problem for enterprises in the digital age. More so than ever, enterprises need to move beyond check-the-box risk assessments; there’s a clear and present need to proactively mitigate third-party risks.

The good news is that TPRM solution providers are innovating to meet this need, as will be showcased at RSA. One leading provider is Denver, Colo.-based CyberGRX. I had the chance to sit down with their CISO, Dave Stapleton, to learn more about the latest advancements in TPRM security solutions. For a full drill down of our discussion, please give the accompanying podcast a listen. Here are key takeaways:

Smoothing audits

CyberGRX launched in 2016 precisely because bespoke assessments had become untenable. Questionnaires weren’t standardized, filling them out and collecting them had become a huge burden, and any truly useful analytics just never happened.

“Sometimes you’d get a 500-question questionnaire and that would be one out of 5,000 you’d get over the course of a year,” Stapleton says, referring to a scenario that a large payroll processing company had to deal with.

GUEST ESSAY: A Memorial Day call to upskill more veterans for in-demand cybersecurity roles

By Jack Koziol

It’s no secret that cybersecurity roles are in high demand. Today there are more than 500,000 open cybersecurity roles in the U.S., leaving organizations vulnerable to cyber threats.

Related: Deploying employees as threat sensors

Meanwhile, 200,000 well-trained and technically skilled military service members are discharged each year.

These individuals have many transferable skills that would make cybersecurity a prosperous civilian career. Yet, there’s still work to be done to make this path more accessible and known among the veteran and transitioning military community.

Fundamentally, cybersecurity professionals identify weaknesses and design systems and processes to protect any organization — government agencies, private companies — from cyberattacks. Veterans have the characteristics that make them ideal for these roles. They’re exceptional at working in high-pressure environments, managing confidential information, solving complex problems and responding systematically.

Better still, cybersecurity jobs offer the individuals who have served our country a fulfilling career. Cybersecurity jobs are always available and offer many options for people who want to work remotely or move around the country for family or career reasons. Plus — they tend to pay well too. The average salary is $116,000 annually plus benefits.

GUEST ESSAY: Here’s why managed security services — MSS and MSSP — are catching on

By Morten Kjaersgaard

The unification revolution of cybersecurity solutions has started – and managed security service providers are leading the way. Managed security services (MSS) refer to a service model that enable the monitoring and managing of security technologies, systems, or even software-as-a-service (SaaS) products. Here’s more on the various types and benefits of MSS, as well as the state of the MSS(P) market in 2022!

Related: Reviving ‘observability’ to secure complex networks

Fully-managed vs. co-managed

The current unification in the cybersecurity market is driving a massive movement towards fewer vendors, which at the same time means more polarization of either using MSS/MSSP or doing the security work internally.

In terms of Managed Security Services, they can be fully-managed or co-managed. In the case of fully-managed security services, the provider of security services owns the security technologies and maintains and monitors the incidents gathered by these tools and technologies. Fully-managed security services represent, of course, a particularly good bet for budget-conscious companies or for those who lack the internal capabilities to study and handle a wide range of technologies

Co-managed security services best suit those companies that capitalize a variety of security systems but lack the internal security personnel needed to monitor these solutions 24 hours a day, seven days per week. Managed security services providers (MSSP) can help their customers learn more about the capabilities and functioning of each tool, as well as set up the appropriate configuration, allowing their employees to focus on more strategic security objectives.

Tipping the scale favorably

Whether you prioritize cybersecurity or not, cybercriminals will always prioritize (their own) profit, as the attacks described in our 2021 Threat Report prove. Under these circumstances, it’s crucial to understand that MSS can truly help you tip the scales in your favor. Here’s why:

•Managed security services provide round-the-clock monitoring 24 hours a day, seven days a week, and 365 days a year. A significant advantage, because handling business security … more

GUEST ESSAY: A primer on content management systems (CMS) — and how to secure them

By Sebastian Gierlinger

You very likely will interact with a content management system (CMS) multiple times today.

Related: How ‘business logic’ hackers steal from companies

For instance, the The Last Watchdog article you are reading uses a CMS to store posts, display them in an attractive manner, and provide search capabilities. Wikipedia uses a CMS for textual entries, blog posts, images, photographs, videos, charts, graphics, and “talk pages” that help its many contributors collaborate.

Chances are strong that your corporate website uses a CMS, and perhaps you have a separate CMS for documents and other files shared by your employees, partners, and suppliers.

Security is essential for a CMS. That’s obviously true if the content in that system requires some level of privacy and access control for internal use, such as for legal documents, customer contracts, and other assets. Security is also necessary if your retrieval system (such as a website or mobile app) has a paywall or is restricted to only a subset of people, such as customers or resellers.

What about public information? Even if you give your content away, you don’t want to allow unauthorized people to add, delete, or tamper with your files.