Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Book Excerpts

 

Author Q&A: In modern cyberwarfare ‘information security’ is one in the same with ‘national security’

By Byron V. Acohido

What exactly constitutes cyberwarfare?

The answer is not easy to pin down. On one hand, one could argue that cyber criminals are waging an increasingly debilitating economic war on consumers and businesses in the form of account hijacking, fraud, and extortion. Meanwhile, nation-states — the superpowers and second-tier nations alike — are hotly pursuing strategic advantage by stealing intellectual property, hacking into industrial controls, and dispersing political propaganda at an unheard-of scale.

Related: Experts react to Biden’s cybersecurity executive order

Now comes a book by John Arquilla, titled Bitskrieg: The New Challenge of Cyberwarfare, that lays out who’s doing what, and why, in terms of malicious use of digital resources connected over the Internet. Arquilla is a distinguished professor of defense analysis at the United States Naval Postgraduate School. He coined the term ‘cyberwar,’ along with David Ronfeldt, over 20 years ago and is a leading expert on the threats posed by cyber technologies to national security.

Bitskrieg gives substance to, and connects the dots between, a couple of assertions that have become axiomatic:

•Military might no longer has primacy. It used to be the biggest, loudest weapons prevailed and prosperous nations waged military campaigns to achieve physically measurable gains. Today, tactical cyber strikes can come from a variety of operatives – and they may have mixed motives, only one of which happens to be helping a nation-state achieve a geo-political objective.

•Information is weaponizable. This is truer today than ever before. Arquilla references nuanced milestones from World War II to make this point – and get you thinking. For instance, he points out how John Steinbeck used a work of fiction to help stir the resistance movement across Europe.

Steinbeck’s imaginative novel, The Moon is Down, evocatively portrayed how ordinary Norwegians took extraordinary measures to disrupt Nazi occupation. This reference got me thinking about how Donald Trump used social media to stir the Jan. 6 insurrection in … more

AUTHOR Q&A: New book, ‘Hackable,’ suggests app security is the key to securing business networks

By Byron V. Acohido

The cybersecurity operational risks businesses face today are daunting, to say the least.

Related: Embedding security into DevOps.

Edge-less networks and cloud-supplied infrastructure bring many benefits, to be sure. But they also introduce unprecedented exposures – fresh attack vectors that skilled and motivated threat actors are taking full advantage of.

Adopting and nurturing a security culture is vital for all businesses. But where to start? Ted Harrington’s new book Hackable: How To Do Application Security Right argues for making application security a focal point, while laying out a practical framework that covers many of the fundamental bases.

Harrington is an executive partner at Independent Security Evaluators (ISE), a company of ethical hackers known for hacking cars, medical devices and password managers. He told me he wrote Hackable to inform folks oblivious to the importance of securing apps, even as corporate and consumer reliance on apps deepens.

Here are excerpts of an exchange Last Watchdog had with Harrington about his new book, edited for clarity and length:

LW: Why is it smart for companies to make addressing app security a focal point?

Harrington: Software runs the world. Application security is the soft underbelly to almost all security domains, from network security to social engineering and everything in between.

AUTHOR Q&A: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

BOOK REVIEW: ‘Security Yearbook’ preserves cybersecurity history — highlights tectonic shift

By Byron V. Acohido

Along with Richard Stiennon, I belong to a small circle of journalists and tech industry analysts who’ve been paying close attention to cybersecurity since Bill Gates curtailed commercial work on Windows to rivet Microsoft’s attention on defending its software code.

Related: The role of PKI is securing digital transformation

That was in 2002. Back then, email spam was a nuisance evolving into a potent attack vector, and the top malware innovators were script kiddies seeking bragging rights.  Much has changed; much has remained the same.

Cybersecurity, which started with antivirus suites, spam filters and firewalls, has mushroomed into a $103 billion industry. Companies today spent vast amounts on incredibly sophisticated defenses, such as next-gen firewalls, EDR, DLP and IDS technologies that generate oceans of threat feeds pouring into artificially intelligent  SIEMs, UEBAs and other analytics platforms.

Yet, catastrophic breaches persist. And that’s why Stiennon and I are among the 45,000 or so attendees of RSA Conference 2020 here at San Franscisco’s Moscone Center. This is my 16th RSA.

I recently had a chance to have a rich discussion about the state of cybersecurity with Stiennon, the occasion being him sending me a copy of his new book: Security Yearbook 2020: A History and Directory of the IT Security Industry. Here are takeaways from our discussion:

Preserving history

Steinnon told me he got inspired to write Security Yearbook one year ago at RSA 2019, as he sat in a booth signing copies of previous book, Secure Cloud Transformation. A lot of folks came up to him and told him they were new to the industry and had been sent to RSA to learn it.

Then as he wandered the exhibits floors, Stiennon ran into startup after startup pitching their great new cybersecurity  innovation. “There were all these great ideas that were going to change the world, but it looked just like stuff that came … more

GUEST ESSAY: Strategic tactics are key to a robust Cloud Security Posture Management regime

By Yuri Diogenes and Dr. Erdal Ozkaya

A cyber strategy is a documented approach to handling various aspects of cyberspace. It is mostly developed to address the cybersecurity needs of an entity by focusing on how data, networks, technical systems, and people are protected. An effective cyber strategy is normally on par with the cybersecurity risk exposure of an entity. It covers all possible attack landscapes that can be targeted by malicious parties.

Editor’s note: This is an excerpt from  Cybersecurity – Attack and Defense Strategies, Second Edition, a detailed overview of Cloud Security Posture Management (CSPM) and an assessment of the current threat landscape.

Cybersecurity is the focal point of most cyber strategies because cyber threats are continuously becoming more advanced as more sophisticated exploit tools and techniques become available to threat actors. Due to these threats, organizations are advised to develop cyber strategies that ensure the protection of their cyber infrastructure from these various threats.

In this article, we introduce how you can build effective cyber defense strategies. Please note, the steps given are meant to help you formulate your own cyber defense strategy and can be customized according to your need.

Understand the Business

The more you know about your business, the better you can secure it. It’s really important to know the Goals of your organization, Objectives, the People you work with, the Industry, the current Trends, your Business risks, how to Risk appetite and tolerance the risks, as well your Most valuable assets. Everything we do must be a reflection of the business requirements which is approved by the senior leadership, as it has been manded also in ISO 27001.

GUEST ESSAY: The true cost of complacency, when it comes to protecting data, content

By John Safa

Facebook was lucky when the Information Commissioner’s Office (ICO)—the UK’s independent authority set up to uphold information rights in the public interest—hit the U.S. social media company with a £500,000 fine.

Related: Zuckerberg’s mea culpa rings hollow

This penalty was in connection with Facebook harvesting user data, over the course of seven years — between 2007 and 2014. This user data became part of the now infamous Cambridge Analytica scandal.

Facebook was very lucky, indeed, that its misdeeds happened before May 25, 2018. On that date, the EU General Data Protection Regulation (GDPR) came into force.

If its violation had happened after that, the fine could have been up to £17 million or 4 percent of global turnover. Yet, even with the prospect of stupendously steep fines hanging over the heads, insecure enterprises still don’t grasp the true cost of data privacy complacency.

According to research by one law firm, pre-GDPR regulatory fines had almost doubled, on average, between 2017 and 2018, up from £73,191 to £146,412. Those figures pale when stacked against the potential bottom line impact that now exists.

MY TAKE: Once upon a time, circa 2003-2004, botnets emerged as the engine of cybercrime

By Byron V. Acohido

Betty Carty figured she ought to be in the digital fast lane.

Last Christmas, Carty purchased a Dell desktop computer, then signed up for a Comcast high-speed Internet connection. But her new Windows XP machine crashed frequently and would only plod across the Internet.

(Editor’s note: This 2,200 word article was originally published, Sept. 8, 2004,  in print form as a USA TODAY Money section cover story, part of one of a three part series on the emergence of botnets for systemic criminal use. Botnets are today much larger, stealthier and more sophisticated. They actually pivot off cloud-based services — and they continue to be the engine that drives most forms of Internet-centric hacking.)

Dell was no help. The PC maker insisted — correctly — that Carty’s hardware worked fine.

But in June, Comcast curtailed Carty’s outbound e-mail privileges after pinpointing her PC as a major source of e-mail spam. An intruder had turned Carty’s PC into a “zombie,” spreading as many as 70,000 pieces of e-mail spam a day.

Related article: The care and feeding of botnets in 2017

The soft-spoken Carty, 54, a grandmother of three from southern New Jersey, was flabbergasted. “Someone had broken into my computer,” she says.

Since early 2003, wave after wave of infectious programs have begun to saturate the Internet, causing the number of PCs hijacked by hackers and turned into so-called zombies to soar into the millions — mostly in homes like Carty’s, at small businesses and on college campuses. And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

Personal computers have never been more powerful — and dangerous. Just as millions of Americans are buying new PCs and signing up for ultrafast Internet connections, cybercrooks are stepping up schemes to take control of their machines — and most consumers don’t have a clue.

“We thought things were bad in … more