How ‘identity governance’ addresses new attack vectors opened by ‘digital transformation’

By Byron V. Acohido

Mark McClain and Kevin Cunningham didn’t rest for very long on their laurels, back in late 2003, after they had completed the sale of Waveset Technologies to Sun Microsystems. Waveset at the time was an early innovator in the then-nascent identity and access management (IAM) field.

The longtime business partners immediately stepped up planning for their next venture, SailPoint Technologies, which they launched in 2005 to pioneer a sub-segment of IAM now referred to as identity governance. Today SailPoint has 800-plus employees and growing global sales.

Related article: What the Uber hack tells us about DevOps exposures

The company is coming off a successful initial public offering last November in which it raised $240 million. SailPoint’s share price has climbed from the mid-teens to the mid-twenties since its IPO.

I had the chance to visit with McClain, SailPoint’s CEO (Cunningham serves as chief strategy officer), at RSA Conference 2018. We had an invigorating discussion about how “digital transformation” has intensified the urgency for organizations to comprehensively address network security, and how identity governance is an important piece of that puzzle. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: Your focus is on helping companies do much better at a fundamental security best practice.

McClain: Exactly. Within the big realm of security, we’re within the realm of identity, which is getting a lot of airtime these days. And within identity, our focus is on what’s called identity governance . . . The company has been around for a while now. We work in almost every industry vertical and focus on mid-sized enterprises with 2,000 to 3,000 employees all the way to the largest global enterprises in the world.

PODCAST: How managing ‘privileged accounts’ can help make ‘digital transformation’ more secure

By Byron V. Acohido

One of the most basic things a company can do to dramatically improve their security posture is to keep very close track of who has what access to which privileged accounts inside the company firewall.

This is a best practice of privileged account management, which is a burgeoning sector of the identity and access management (IAM) field. For a variety of reasons, IAM is once again becoming acutely problematic.

Related article: Why savvy companies lock down privileged access

Not nearly enough attention was paid to IAM best practices when we first cobbled together digital business systems 20 years ago — and then piggybacked them onto the Internet. In general, the corporate world still is not very good at enforcing policies that ensure only the proper people have access to an organization’s technology resources.

And now the “digital transformation” of corporate networks is steamrolling downhill. As we meld legacy company systems to cloud services, IAM exposures are flaring up once again. A recent survey of IT organizations in the U.S. and Europe by Atlanta-based security vendor Bomgar found that risky employee password-usage practices continue to be a challenge for a majority of organizations.

Bomgar was founded in 2003 by Joel Bomgar, who was then a college student moonlighting as a techie contractor helping companies update and manage their Windows computers. One day Bomgar realized he was losing valuable time driving from client to client to resolve simple issues. So he developed his own proprietary solution to access his clients’ computers, and began providing his services remotely.

That quickly evolved into a platform of solutions that allow IT administrators and security professionals to securely manage access to systems and privileged accounts. Bomgar (the company) subsequently emerged as a leading provider of IAM and security solutions and has grown to more than 300 employees with offices in five countries.

Q&A: How to prepare for Spectre, Meltdown exploits — and next-gen ‘microcode’ attacks

By Byron V. Acohido

If you think the cyber threat landscape today is nasty, just wait until the battle front drops to the processor chip level.

Related article: A primer on microcode vulnerabilities

It’s coming, just around the corner. The disclosure in early January of Spectre and Meltdown, critical vulnerabilities that exist in just about all modern computer processing chips, introduced virgin territory for well-funded, highly motivated criminal hackers. And this is where the front lines will inevitably shift — to a much deeper level of the digital systems we take for granted.

Spectre and Meltdown are the first examples of a new class of flaws so deep and so profound that they really can’t be fixed until the next generation of chips gets here. That suggests that well-financed, highly motivated criminal hacking rings have years, if not a decade or more, ahead of them to take full advantage.

We are in this predicament because the chipmakers, led by Intel, AMD and ARM, aided and abetted by the operating system suppliers, Microsoft, Apple and Linux, made a decision in 1995 to toss security in the back seat as they embarked, hell-bent, on a race to build and leverage faster and faster Central Processing Units, or CPUs.

The chipmakers came up with a technique, called “speculative execution,” essentially taking shortcuts at the chip level, slightly delaying verification checks to buy more clock speed. Meltdown and Spectre represent two approaches hackers can now take to manipulate speculative execution at the chip level and thereby gain access to any sensitive data residing a level above — in the operating system memory.

MY TAKE: A breakdown of why Spectre, Meltdown signal a coming wave of ‘microcode’ attacks

By Byron V. Acohido

Hundreds of cybersecurity vendors are making final preparations to put their best foot forward at the RSA Conference at San Francisco’s sprawling Moscone Center next week. This will be my 15th RSA, and I can say that there is a distinctively dark undertone simmering under this year’s event. It has to do with a somewhat under-the-radar disclosure in early January about a tier of foundational security holes no one saw coming.

Related article: Meltdown, Spectre foreshadow another year of nastier attacks

Spectre and Meltdown drew a fair amount of mainstream news coverage. But I fear their true significance hasn’t resonated. We now know that there will be no quick way to fix this pair of milestone vulnerabilities that lurk in the architecture of just about every modern processor chip.

As I get ready to head to RSA, it strikes me that none of the legacy security systems being hyped at the glitzy exhibition booths I’ll see there seem able to solve this problem or mitigate the risks.

“Spectre and Meltdown will be the enormous elephants in the room at RSA,” said Atiq Raza, CEO of security firm Virsec. “The chip and OS vendors have failed with multiple patches and are asking for patience. Meanwhile, few security vendors understand or monitor what happens between applications and processors. This is leaving most customers worried and scratching their heads.”

Chip/kernel 101

To understand how profoundly Spectre and Meltdown have changed the cybersecurity landscape requires a bit of technical context. Processor chips are formally referred to as the Central Processing Unit, or CPU. These are the semiconductor chips manufactured by Intel, AMD, ARM and a few others.

CPUs give life to any computing device you can name. CPUs interact with the operating system, or OS, such as Windows, Macintosh, iOS and Linux. The OS, in turn, enables applications such as web browsers, smartphones, business apps, web apps, games, video — and the digital infrastructure behind them — to run.

Around 1995, CPUs started getting dramatically faster and have been getting incrementally faster ever since. This happened both because of improvements in the hardware and clever ways engineers found to make processes more efficient. Every OS has a core piece of software, called the kernel, that manages and directs how each application can tap into the CPU. Keep in mind, …

GUEST ESSAY: How Orbitz’s poor execution of a systems upgrade left data exposed

By Natalie Williams

In case you thought it had been a suspiciously long time since a massive data breach was announced, well, here you go. Just a couple of days ago, Orbitz (part of the massive travel conglomerate Expedia) revealed that during the second part of last year, the personal data of many of their users was breached.

And by “many,” I mean somewhere in the neighborhood of 880,000. And while Orbitz promises that no Social Security Numbers were compromised, a lot of other data was: names, dates of birth, even email and street addresses. And, of course, credit card information. Let’s not forget that.

Related podcast: Why 2018 will be the year of the CISO

Importantly, this was not a phishing attack. It was a system hack, and although the exact method is unknown, the hackers did target an older Orbitz platform (not Orbitz.com), as well as a partner site (on a separate occasion), and were able to access records still embedded in it.

And unlike with Equifax, this also doesn’t appear to be a situation in which administrators followed blatantly terrible password security practices. These data loss situations are always somewhat harder to assess, since they can’t be directly traced back to a clear and specific bad decision. They’re also harder to pass judgement on or attempt to provide solutions for, for the same reason. And yet, anytime this much data is exposed, there’s a serious issue. Something wasn’t adequately protected — someone wasn’t doing what they were …

MY TAKE: What ace-in-the-hole does Devin Nunes have that McCarthy would have loved?

By Byron V. Acohido

When Russian botnet controllers deployed their bots on yet another social media blitz last week, they participated in a campaign that took a page from Sen. Joseph McCarthy’s playbook.

On Feb. 9, 1950, at the height of the Cold War, McCarthy infamously brandished a list of what he claimed were 57 subversive communists who had infiltrated the heart of the U.S. government. It was baseless propaganda, of course. McCarthy never made the contents of his list public.

Fast forward to January 2018. Rep. Devin Nunes (R-Calif.) comes up with a top secret memo purporting to show how the FBI was being manipulated to persecute Donald Trump. On cue, Russian botnets unleashed the #Releasethememo campaign, spoofing a supposed grassroots call to make the contents of Nunes’ memo public.

Machiavellian move

McCarthy, of course, didn’t want the contents of his list revealed. Seems clear to me that neither Nunes, nor the Russian botnet operators, really wanted the text of his memo made public either. The botnet-driven social media blitz, I believe, was a Machiavellian attempt to add validity to the secret memo — by intimating a cover-up.

LW’s NEWS WRAP: Russian bots conduct social media blitz to discredit Trump-Russia probe

By Byron V. Acohido

Last Watchdog’s News Wrap, Vol. 1, No. 3. The use of Russian bots and trolls in social media propaganda blitzes continues. Counter terrorism expert Malcolm Nance minced no words in lambasting the latest deployment of Russian botnets to influence American politics.

Related article: Trump is top bait used in spam campaigns

Nance appeared on the Stephanie Miller radio show to decry as ‘treasonous’ the bold move by House Republicans to spread word of — but no details from — a top secret memo purportedly discrediting the FBI’s Trump-Russia investigation.

This move was accompanied by the unleashing of Russian bots and trolls to hype the #Releasethememo campaign on Twitter and other social media platforms. This appeared to be an attempt to add validity to the memo in question — by suggesting a cover-up.

Lest we forget, Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump. This week’s blitz represents another level of finesse.

Insurance halo effect

Here’s more evidence that the insurance industry is aggressively seeking to nurture the anticipated $20 billion-plus market for cyber liability insurance policies. Insurance carriers and underwriters need to figure out how to triangulate complex cyber risks — not as easy as setting actuarial tables for fires or earthquakes.