Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For consumers

 

SHARED INTEL: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

SHARED INTEL: How attacks on web, mobile apps are being fueled by rising API vulnerabilities

By Byron V. Acohido

Application programming interface. API. It’s the glue holding digital transformation together.

Related: A primer on ‘credential stuffing’

APIs are the conduits for moving data to-and-fro in our digitally transformed world. APIs are literally everywhere in the digital landscape, and more are being created every minute. APIs connect the coding that enables the creation and implementation of new applications.

However, APIs also manifest as a wide open, steadily expanding attack vector. Many organizations caught up in the frenzy of digital transformation don’t fully appreciate the gaping exposures APIs have come to represent.

I had the chance to discuss this with Matt Keil, director of product marketing at Cequence Security, a Sunnyvale, Calif.-based application security vendor that’s in the thick of helping businesses mitigate web application exposures. We spoke at RSA 2020. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways:

Romance scams

Like many modern companies, Zoosk, the popular San Francisco-based dating site, rests on infrastructure that’s predominantly cloud-based. Zoosk’s core service is delivered via a mobile app that has 20 different registration and/or login pages – all are API driven.

Thus, it was well worth it for a hacking group to study Zoosk’s IT stack to reconnoiter its weak points.  Here’s how Keil breaks down what happened:

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

SHARED INTEL: Bogus Coronavirus email alerts underscore risk posed by weaponized email

By Byron V. Acohido

It comes as no surprise that top cyber crime rings immediately pounced on the Coronavirus outbreak to spread a potent strain of malware via malicious email and web links.

Related: Credential stuffing fuels cyber fraud

IBM X-Force researchers shared details about how emails aimed at Japanese-speaking individuals have been widely dispersed purporting to share advice on infection-prevention measures for the disease. One of the waves of weaponized emails actually is designed to spread a digital virus: the notorious Emotet banking Trojan designed to steal sensitive information.

One cybersecurity company, Tel Aviv-based Votiro, is taking a different approach to strengthen protection against such weaponized documents, using technology that disarms files before they are delivered to the recipient’s inbox.   I had the chance to visit with Votiro CEO and founder Aviv Grafi at RSA 2020. For a full drill down give a listen to the accompanying podcast. Here are a few key takeaways:

Filtering falls short

As a former penetration tester who specialized in testing employees aptitude for resisting email lures, Grafi saw time-and-again how – and why – attackers leverage timely events, such as celebrity deaths, holidays or tax deadlines to lure email recipients to click on corrupted Word docs or PDF attachments.

Votiro introduced their ‘Disarmer’ technology, called CDR, for “content, disarm and reconstruction” to the U.S. market in 2019. CDR takes a prevention, instead of detection, approach to disarming weaponized email and deterring document-delivered malware.

SHARED INTEL: Survey shows some CEOs have quit Tweeting, here’s why they were smart to do so

By Byron V. Acohido

Cyber threats now command the corporate sector’s full attention. It’s reached the point where some CEOs have even begun adjusting their personal online habits to help protect themselves, and by extension, the organizations they lead. Corporate consultancy PwC’s recent poll of 1,600 CEOs worldwide found that cyber attacks are now considered the top hinderance to corporate performance, followed by the shortage of skilled workers and the inability to keep up with rapid tech advances.

Related: How ‘credential stuffing’ enables online fraud

As a result, some CEOs admit they’ve stopped Tweeting and deleted their LinkedIn and other social media accounts – anything to help reduce their organization’s exposure to cyber criminals. “Senior C-level executives and board members are paying more attention now to cybersecurity than two years ago, by far,” observes Jeff Pollard, vice president and principal analyst at tech research firm Forrester.

Awareness is a vital step forward, no doubt. But it’s only a baby step. Corporate inertia still looms large. For many Chief Information Security Officers, having the CEO’s ear, at the moment, is proving to be a double-edged sword, Pollard told me. “We find many CISOs spend their time explaining what threats matter and why, as opposed to why cybersecurity matters in the first place,” he says. “Security leaders must also find ways to explain why budgets that have steadily increased, year after year, have not solved the security problems”.

SHARED INTEL: Former NSA director says cybersecurity solutions need to reflect societal values

By Byron V. Acohido

Is America’s working definition of “national security” too narrow for the digital age?

Yes, observes retired Admiral Michael Rogers, who served as a top White House cybersecurity advisor under both Presidents Obama and Trump. 

Related: The golden age of cyber espionage

The United States, at present, operates with a “nebulous” definition of what constitutes a cyber attack that rises to the level of threatening national security, asserts Rogers, who was   commander, U.S. Cyber Command, as well as director, National Security Agency, and chief, Central Security Service, from March 2014 until he retired from military service in May 2018.

“National security in the digital age, to me, is the confluence of the traditional ways we used to look at security issues as a nation-state, as well as taking into consideration how economic-competitiveness and long-term economic viability play in,” Rogers told an audience of cybersecurity executives, invited to attend the grand opening of Infosys’ state-of-the art Cyber Defense Center in Indianapolis earlier this week.

Rogers made his remarks as part of a panel discussion on securing digital transformation moderated by Infosys CISO Vishal Salvi. It was a wide-ranging, eye-opening discussion. Here are a few key takeaways I came away with:

Rising cyber exposures

Enterprises today are engaged in a struggle to balance security and agility. Leveraging cloud services and IoT systems to streamline workloads makes a ton of sense. Yet cyber exposures are multiplying. Compliance penalties, lawsuits, loss of intellectual property, theft of customer personal data and loss of reputation — due to poor cyber defenses — are now getting board level attention.

MY TAKE: Why new tools, tactics are needed to mitigate risks introduced by widespread encryption

By Byron V. Acohido

It was just a few short years ago that the tech sector, led by Google, Mozilla and Microsoft, commenced a big push to increase the use of HTTPS – and its underlying TLS authentication and encryption protocol.

Related: Why Google’s HTTPS push is a good thing

At the time, just 50 % of Internet traffic used encryption. Today the volume of encrypted network traffic is well over 80% , trending strongly toward 100%, according to Google.

There is no question that TLS is essential, going forward. TLS is the glue that holds together not just routine website data exchanges, but also each of the billions of machine-to-machine handshakes occurring daily to enable DevOps, cloud computing and IoT systems. Without TLS, digital transformation would come apart at the seams.

However, the sudden, super-saturation of TLS, especially over the past two years, has had an unintended security consequence. Threat actors are manipulating TLS to obscure their attack footprints from enterprise network defenses. The bad guys know full well that legacy security systems were designed mainly to filter unencrypted traffic. So cyber criminals, too, have begun regularly using TLS to encrypt their attacks.

TLS functions as the confidentiality and authenticity cornerstone of digital commerce. It authenticates connections that take place between a smartphone and a mobile app, for instance, as well as between an IoT device and a control server, and even between a microservice and a software container. It does this by verifying that the server involved is who it claims to be, based on the digital certificate issued to the server. It then also encrypts the data transferred between the two digital assets.