
For technologists

 

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

By Thomas Segura

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures.

Related: The coming of agile cryptography

These secrets work similarly to passwords, allowing systems to interact with one another. However, unlike passwords intended for a single user, secrets must be distributed.

For most security leaders today, this is a real challenge. While there are secret management and distribution solutions for the development cycle, these are no silver bullets.

Managing this sensitive information while avoiding pitfalls has become extremely difficult due to the growing number of services in recent years. According to BetterCloud, the average number of software as a service (SaaS) applications used by organizations worldwide has increased 14x between 2015 and 2021. The way applications are built has also evolved considerably and makes much more use of external functional blocks, for which secrets are the glue.

GUEST ESSAY: Testing principles to mitigate real-world risks to ‘SASE’ and ‘Zero Trust’ systems

By Sashi Jeyaretnam

A new generation of security frameworks are gaining traction that are much better aligned to today’s cloud-centric, work-from-anywhere world.

Related: The importance of ‘attack surface management’

I’m referring specifically to Secure Access Service Edge (SASE) and Zero Trust (ZT).

SASE replaces perimeter-based defenses with more flexible, cloud-hosted security that can extend multiple layers of protection anywhere. ZT shifts networks to a “never-trust, always-verify” posture, locking down resources by default and requiring granular context to grant access.

With most business applications and data moving to cloud and users connecting from practically anywhere, SASE and Zero Trust offer more versatile and effective security. Assuming, of course, that they work the way they’re supposed to.

Effective testing

Modern SASE/ZT solutions can offer powerful protection for today’s distributed, cloud-centric business networks, but they also introduce new uncertainties for IT. Assuring performance, interoperability, resilience, and efficacy of a SASE implementation can be tricky.

What’s more, striking the right balance between protecting against advanced threats and ensuring high Quality of Experience (QoE) is not easy when new DevOps/SecOps tools are pushing out a 10X increase in software releases.

GUEST ESSAY: The case for complying with ISO 27001 — the gold standard of security frameworks

By Matthew Sciberras

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Related: The demand for ‘digital trust’

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

GUEST ESSAY: Too many SMBs continue to pay ransomware crooks — exacerbating the problem

By Zac Amos

Well-placed malware can cause crippling losses – especially for small and mid-sized businesses.

Related: Threat detection for SMBs improves

Not only do cyberattacks cost SMBs money, but the damage to a brand’s reputation can also hurt growth and trigger the loss of current customers.

One report showed ransomware attacks increased by 80 percent in 2022, with manufacturing being one of the most targeted industries. Attacks that drew public scrutiny included:

•Ultimate Kronos Group got sued after a ransomware attack disrupted its Kronos Private Cloud payment systems, relied upon by huge corporations such as Tesla, MGM Resorts and hospitals. That ransomware attack shut down payroll and human resources systems.

•The Ward Hadaway law firm lost sensitive client data to ransomware purveyors who demanded $6 million, or else they’d publish the data from the firm’s high profile clients online.

SHARED INTEL: The expected impacts of Pres. Biden’s imminent National Cybersecurity Strategy

By Shannon Flynn

The United States will soon get some long-awaited cybersecurity updates.

Related: Spies use Tik Tok, balloons

That’s because the Biden administration will issue the National Cyber Strategy within days. Despite lacking an official published document, some industry professionals have already seen a draft copy of the strategic plan and weighed in with their thoughts. Here’s a look at some broad themes to expect and how they will impact businesses:

•New vendor responsibilities.  Increased federal regulation puts more responsibility on hardware and software vendors compared to the customers who ultimately use their products.

Until now, people have primarily relied on market forces rather than regulatory authority. However, that approach often leads to bug-filled software because makers prioritize new product releases over ensuring they’re sufficiently secure.

These changes mean business representatives may see more marketing materials angled toward what hardware and software producers do to align with the new regulations.

FIRESIDE CHAT: New automated tools, practices ascend to help companies wrangle PKI

By Byron V. Acohido

Arguably one of the biggest leaps forward an enterprise can make in operational reliability, as well as security, is to shore up its implementations of the Public Key Infrastructure.

Related: Why the ‘Matter’ standard matters

Companies have long relied on PKI to deploy and manage the digital certificates and cryptographic keys that authenticate and protect just about every sensitive digital connection you can name.

Reliance on PKI is only intensifying – as a direct result of the rise of massively interconnected digital systems. This has created a daunting operational and security challenge for many enterprises.

The good news is that a new batch of technical standards and protocols, as well as advanced tools and services, are on the ascension, as well.

Guest expert: Mike Malone, founder and CEO of Smallstep

One technology start-up in the thick of helping companies more effectively “wrangle” PKI is San Francisco-based Smallstep, as Mike Malone, founder and CEO, puts it.

Smallstep launched in April 2022 with $26 million in funding, including a seed round of $7 million led by boldstart ventures with participation from Accel Partners, Bain Capital Ventures and Upside Partnership, LLC., and a Series A of $19 million led by StepStone Group.

I recently had the chance to visit with Malone; we discussed how advances in automation can help companies begin to proactively manage the swelling volume of digital certificates and encryption keys that are part and parcel of the massively interconnected digital systems. For a full drill down, please give the accompanying podcast a listen.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

GUEST ESSAY: Advanced tools are ready to help SMBs defend Microsoft 365, Google Workspace

By Adrien Gendre

Throughout 2022, we saw hackers become far more sophisticated with their email-based cyber attacks. Using legitimate services and compromised corporate email addresses became a norm and is likely to continue in 2023 and beyond.

Related: Deploying human sensors

Additionally, with tools like ChatGPT, almost anyone can create new malware and become a threat actor.

According to a recent report, small businesses (defined as those with under 250 employees) receive the highest rate of targeted malicious emails at one in every 323 emails, and 87 percent of those businesses hold customer data that could be targeted in an attack.

Another report by Vade completed last year found that 87 percent of respondents agreed their organization could take the threat from email security more seriously.