GUEST ESSAY: The true cost of complacency, when it comes to protecting data, content

By John Safa

Facebook was lucky when the Information Commissioner’s Office (ICO)—the UK’s independent authority set up to uphold information rights in the public interest—hit the U.S. social media company with a £500,000 fine.

Related: Zuckerberg’s mea culpa rings hollow

This penalty was in connection with Facebook harvesting user data, over the course of seven years — between 2007 and 2014. This user data became part of the now infamous Cambridge Analytica scandal.

Facebook was very lucky, indeed, that its misdeeds happened before May 25, 2018. On that date, the EU General Data Protection Regulation (GDPR) came into force.

If its violation had happened after that, the fine could have been up to £17 million or 4 percent of global turnover. Yet, even with the prospect of stupendously steep fines hanging over their heads, insecure enterprises still don’t grasp the true cost of data privacy complacency.

According to research by one law firm, pre-GDPR regulatory fines had almost doubled, on average, between 2017 and 2018, up from £73,191 to £146,412. Those figures pale when stacked against the potential bottom line impact that now exists. …more

GUEST ESSAY: 5 security steps all companies should adopt from the Intelligence Community

By Angela Hill and Edwin Hill

The United States Intelligence Community, or IC, is a federation of 16 separate U.S. intelligence agencies, plus a 17th administrative office.

The IC gathers, stores and processes large amounts of data, from a variety of sources, in order to provide actionable information for key stakeholders. And, in doing so, the IC has developed an effective set of data handling and cybersecurity best practices.

Related video: Using the NIST framework as a starting point

Businesses at large would do well to model their data collection and security processes after what the IC refers to as the “intelligence cycle.” This cycle takes a holistic approach to detecting and deterring external threats and enforcing best-of-class data governance procedures.

The IC has been using this approach to generate reliable and accurate intelligence that is the basis for making vital national security decisions, in particular, those having to do with protecting critical U.S. infrastructure from cyber attacks.

In the same vein, businesses at large can use the intelligence cycle as a model to detect and deter any attacks coming from foreign intelligence services. Such threats impact more businesses than you may think.

Per a 2017 CNN source, nearly 100,000 agents from as many as 80 nations operate within the United States with the intention of targeting businesses to gain …more

GUEST ESSAY: Atrium Health data breach highlights lingering third-party exposures

By Jonathan Simkins

The healthcare industry has poured vast resources into cybersecurity since 2015, when a surge of major breaches began.  While the nature of these breaches has evolved over the last four years, the growth in total healthcare incidents has unfortunately continued unabated.

Related: How to get off of HIPAA’s hit list

The recent disclosure from Atrium Health that more than 2.65 million patients had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutions, shows the healthcare sector remains acutely vulnerable to attacks exploiting third-party contractors even as their first-party security posture hardens.

Atrium Health operates over 40 hospitals and almost 1,000 other healthcare facilities, primarily in North Carolina and South Carolina.  AccuDoc kept payment records from several Atrium Health locations.  A hacker accessed AccuDoc’s databases from September 22-29.

The compromised databases included names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service — of both guarantors and patients.  Additionally, the Social Security numbers of about 700,000 patients were also exposed.

Weak links

The Atrium breach demonstrates how any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data.  The fact that this incident is being labeled “the Atrium breach” in the media also shows where the reputational risk lies. …more

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common denominator: All of those organizations have now disclosed massive data breaches over a span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders: …more

MY TAKE: Why security innovations paving the way for driverless cars will make IoT much safer

By Byron V. Acohido

Intelligent computing systems have been insinuating themselves into our homes and public gathering places for a while now.

But smart homes, smart workplaces and smart shopping malls are just the warm-up act. Get ready for smart ground transportation.

Related: Michigan’s Cyber Range hubs help narrow talent gap

Driverless autos, trucks and military transport vehicles are on a fast track for wide deployment in the next five years. The good news is that there is some very deep, behind-the-scenes research and development work being done to make driverless vehicles safe and secure enough for public acceptance.

I’m encouraged that this work should produce a halo effect on other smart systems, ultimately making less-critical Internet of Things systems much more secure, as well.

These sentiments settled in upon returning from my recent visit to Detroit, Ann Arbor and Grand Rapids. I was part of a group of journalists escorted on a tour of cybersecurity programs and facilities hosted by the Michigan Economic Development Corp., aka the MEDC.

One of our stops was at a freshly erected skunk works for auto software research set up in a low-slung warehouse – previously a country western bar – in rural Sparta, on the outskirts of Grand Rapids. The warehouse today is home to Grimm, an Arlington, VA-based cyber research firm that specializes in embedded systems security, and whose claim to fame is doing proprietary projects for U.S. military and intelligence agencies.

Deep testing

Grimm received a $216,000 MEDC grant to set up shop in Sparta and direct its expertise towards discovering security flaws in autonomous vehicle systems under development by Detroit’s big car makers. …more

MY TAKE: Michigan’s Cyber Range hubs provide career paths to high-schoolers, underutilized adults

By Byron V. Acohido

Michigan is cultivating a collection of amazing cybersecurity training facilities, called Cyber Range hubs, that are shining models for what’s possible when inspired program leaders are given access to leading-edge resources, wisely supplied by public agencies and private foundations.

As a guest of the Michigan Economic Development Corporation, I recently had the chance to tour the Pinckney Community High School Cyber Training Institute in a rural community outside of Ann Arbor, and the newly opened Cyber Range hub at the West Michigan Center for Arts + Technology, or WMCAT, in Grand Rapids. These two facilities lacked nothing in terms of state-of-the-art telepresence equipment and training and testing curriculums.

Both were well-equipped to teach, test and train individuals ranging from teen-agers and non-technical adults, to working system administrators and even seasoned tech security pros.

Merit 1981

State-of-the-art telepresence gear, supplied by Merit Network, funnels everything from capture-the-flag exercises to full course work and certification testing to earn 42 different professional designations.

Related: Michigan establishes a roadmap for cybersecurity readiness.

Merit Network, by the way, is quite unique. The Ann Arbor-based nonprofit began as a partnership among three state universities in 1966 and is one of the original building blocks of the Internet. Today Merit supplies IT infrastructure to schools, universities, government and other entities across the state. For a drill down on Merit, and its role supplying Cyber Range infrastructure, please listen to the accompanying podcast with Pierrette Dagg, Merit’s director of marketing and communications.

Human scale advances

What jumped out at me on my visit to Pinckney Township and Grand Rapids was not so much the tech gear and the curriculum, which in each case was top notch. I came away most impressed by the dedication and creativity of the program leaders, which clearly is making a big difference on a very human scale.

Ozias

Take, for example, 17-year-old Pinckney senior Aidan Ozias. I looked over Aidan’s shoulder as he typed away on a class project of his design. His task was to lead a team of students in improving the security posture of a fully mocked-up city network, called Alphaville, pumped into his high school lab courtesy of Merit.

Across the hallway, a few of his classmates hacked away, remotely, at the controls of a drone, attempting to knock it out of the sky. Another cluster of students attempted to crack into an Alphaville industrial controls system.

“I like this a lot because it gives me an opportunity to explore a lot of my other interests,” Aidan told me. …more

GUEST ESSAY: 5 anti-phishing training tools that can reduce employees’ susceptibility to scams

By Rishab Gogoi

The vast majority of cyber attacks against organizations pivot off the weakest security link: employees. The good news is that companies today have ready access to a wide variety of tools that can simulate common types of attacks and boost employee awareness. Here’s a guide to five such services.

PhishMe

This tool, from Cofense, proactively engages employees via simulated attacks based on real-time threats for various phishing tactics. Wide varieties of scenarios are offered to make the employees more aware of such attacks.

Related: Gamification training gains traction.

PhishMe’s online forum provides a series of scenarios, landing pages, attachments and educational pages. This methodology is distributed over a period of a year, giving employees time to understand various phishing strategies. Employees can report any suspicious emails through an easy report feature.

Knowbe4

This is a platform for security awareness training and simulated phishing tests focusing on the problem of social engineering. Its cloud-based service helps its clients schedule automated training campaigns and simulated phishing attacks.

A free test is provided for up to 100 employees. Organizations select the phishing templates and landing page for simulation. …more