Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For technologists

 

Why big companies ignore SAP security patches — and how that could bite them, big time

By Byron V. Acohido

Threat actors in the hunt for vulnerable targets often look first to ubiquitous platforms. It makes perfect sense for them to do so.

Related article: Triaging open-source exposures

Finding a coding or design flaw on Windows OS can point the way to unauthorized to access to a treasure trove of company networks that use Windows. The same holds true for probing widely used open source protocols, as occurred when Heartbleed and Shellshock came to light.

There is yet another widely-used business platform that malicious hackers have turned their attention to. It is SAP’s enterprise resource planning (ERP) applications.

SAP serves as the digital plumbing for dozens of multinationals; it is deeply embedded in 87 percent of the top 2000 global companies, enabling and integrating ERP functions, such as sales, production, human resources and finance, as well as other core systems.

SAP is no different than any other complex software. Vulnerability researchers, ranging from penetration testers to threat actors, continually seek out fresh security flaws which SAP subsequently issues patches for. The trouble has been that SAP patches can be troublesome to implement, and so very often get postponed.

In 2016 the U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued three separate security alerts warning SAP customers to install security patches, including one issued six years earlier that had gone widely ignored.

Many large enterprises have been lagging in SAP patches. This exposure is pervasive. And it is only a matter of time before threat actors pull off a high-profile data breach. …more

Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.

Related article: Is your mobile device spying on you?

This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT  devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will …more

With passwords here to stay, a ‘Zero Trust’ approach to authentication makes eminent sense

By Byron V. Acohido

When I first started writing about technology for USA Today in 2000, reporters were required to use what at the time was a cutting-edge 2-factor authentication device to securely log into the newspaper’s editing and publishing network.

Related article: The case for rethinking security

It was an RSA SecurID token. I attached it to my key chain, and activated it to issue a one-time 6-digit code, each time I needed to log in to file a story.

Today that same functionality has been vastly improved. One-time security codes routinely get pushed to smartphones to affect a second factor of authentication in a wide array of scenarios. An approach referred to the “Zero Trust” model, takes it a few steps further.

Increasingly, behavior monitoring and machine learning are being brought to bear to assess details of each separate login to each service. This enables companies to make decisions as to whether any specific access request is routine – or suspicious.

Companies can tune such systems to automatically take a range of actions, from requiring a second-factor of authentication, to permitting only very limited access or even blocking access altogether. And they are able to do this at scale, in real time, while watching effectiveness improve as the machine learning algorithms crunch more and more data.

Last Watchdog asked Andy Smith, vice president of product marketing at Centrify, a leading supplier of identity and access management (IAM) technologies, to supply context for the Zero Trust model. One big takeaway was this: the Zero Trust model has come along in perfect timing to support stronger authentication requirements happening on the fly as part of digital transformation.

For a full drill down, please listen to the accompanying podcast. Here are excerpts of our conversation edited for clarity and length.

LW: Keeping track of identities and controlling access has always been a big challenge. Now the challenge is escalating, getting more complex. …more

Last Watchdog’s coverage of cybersecurity and privacy earns 4th Top Blog award

By Byron V. Acohido

Our daily mission here at Last Watchdog is to keep the public usefully informed about emerging cybersecurity and privacy exposures.

Related article: The road to a Pulitzer

Though we don’t spend any time seeking it out, one measure of our success is peer recognition. So I’m happy to let our audience know that Last Watchdog has been recognized for the fourth time in recent months as a trusted source of useful intelligence.

Threat Stack, a Boston-based security startup that helps companies stay protected in the cloud, and publisher of the informative Threat Stack Blog, has just included LastWatchdog.com on its lists of 50 Essential Cloud Security Blogs for IT Professionals and Cloud Enthusiasts.

Earlier, Watchdog Reviews selected LastWatchdog.com as …more

Security start-up deploys advanced AI, aka ‘deep learning,’ to detect malware on endpoints

By Byron V. Acohido

Based in Tel Aviv, Israel, Deep Instinct was one of the more intriguing cybersecurity vendors I had the privilege of spending some time with at RSA Conference 2018.

The company lays claims to being the first to apply “deep learning” to a truly innovative protection system that extends machine learning and artificial intelligence down to the level of every computer and mobile device of each employee.

Accompanying podcast: Deep Instinct pioneers AI-infused endpoint security

The company has been doing something right. Launched in 2015, it has grown rapidly to 100 employees. It has attracted $32 million in venture funding and won a satchel full of industry awards, including being named by Dark Reading’s “most innovative startup” at Black Hat Las Vegas last summer.

Deep learning is an advanced branch of machine learning and artificial intelligence. It works by sifting through the oceans of data that course through a company’s network in a series of layers, referred to as a neural network. This layered, systematic approach to making cross correlations is modeled after the human brain.

Once it is switched on, deep learning never stops. The more data fed into its algorithms, the more accurately the system recognizes things it was designed to recognize, in this case fresh malware variants. If that sounds like a gargantuan computing task, it is.

Deep Instinct’s founders not only crafted proprietary algorithms to achieve this, they also innovated a way to distribute the results (malware alerts) down to the level of personal computing devices.

Kaftzan

Jonathan Kaftzan, vice president of marketing, walked me through how these breakthroughs are helping companies protect their networks. For a full drill down on our discussion, please listen to the accompanying podcast. Here are excerpts of our discussion edited for clarity and length:

LW: What’s deep learning all about? …more

Why the ‘golden age’ of cyber espionage is upon us

By Byron V. Acohido

Researchers at Cisco’s Talos intelligence unit have now expressed high confidence that the Russian government is behind VPNFilter, a malware strain designed to usurp control of small office and home routers and network access control devices.

If you doubt VPNFilter’s capacity to fuel cyber chaos on a global scale, please peruse the FBI’s recently issued alert about this very nasty piece of leading-edge malware.

Related article: Obsolescence creeping into legacy security systems

VPNFilter is precisely the kind of cyber weaponry nation state-backed military and intelligence operatives routinely deploy to knock down critical infrastructure, interfere with elections and spy on each other.

One of the top analysts on the daily use of malware across the planet is Dr. Kenneth Geers, senior research scientist, at Comodo Cybersecurity. His main duties at Comodo revolve around monitoring and analyzing malware spikes as they unfold on a daily basis, and correlating cyber attacks to global news and political events.

Geers recently walked me through the cyber attack trends and patterns he’s currently monitoring. Bottom line: cyber espionage is on the cusp of a golden age; and the only way to deter this is for the private sector to do a much better job of defending home and business networks.

Why so? Because vulnerable networks supply the communications channels and processing power made so easily accessible to cyber criminals and combatants.

For a full drill down on my fascinating chat with Geers, please listen to the accompanying podcast.  Here are excerpts edited for clarity and length. …more

Q&A: How EventTracker breathes new life into SIEMs — by co-managing company systems

By Byron V. Acohido

Security information and event management systems – aka SIEMs — arrived in the corporate environment some 13 years ago holding much promise.

Related article: WannaCry revives self-spreading viruses

SIEMs hoovered up anything that might be a security issue in real-time from various event and data sources. Companies could pump in all of the data traffic crisscrossing their networks, and out the other end would come intelligence about anything deemed suspicious.

Despite growing into a multi-billion dollar market, SIEMs never really lived up to the early hype. The knock on SIEMs is two-fold. First, they haven’t kept pace with the advancing complexity of business networks, such as the rise of cloud systems, mobile and IoT. And, second, SIEMs, to be truly effective, must be nurtured daily by human security analysts, who happen to be in very short supply.

One of the cybersecurity vendors I met with at RSA Conference 2018, EventTracker, a Netsurion company, aims to remove much of the frustration of operating SIEMs. EventTracker  has set out to help mid-sized enterprises overcome SIEMs’ intrinsic shortcomings, and thus breathe new life into this comparatively old technology.

I sat down with EventTracker CEO A.N. Ananth who walked me through his company’s business model, which revolves around supplying a “co-managed” SIEM service. For a full drill down, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length. …more