Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

SHARED INTEL: Study shows mismanagement of ‘machine identities’ triggers $52 billion in losses

By Byron V. Acohido

In one sense, digital transformation is all about machines.

Related: Authenticating IoT devices

Physical machines, like driverless vehicles and smart buildings; but, even more so, virtual machines. I’m referring to the snippets of “microservice” coding placed inside of modular software “containers” that get mixed and matched in “storage buckets,” and then processed in  “serverless computers” residing in the Internet cloud.

These virtual machines – which happen to be mushrooming in number — underly the physical machines. This all adds up to high-speed, agile innovation. But the flip side is that fresh software vulnerabilities are getting spun up, as well. Machines control the flow of all types of sensitive data. As a result, the way in which they connect and authorize communication makes them a primary security risk for organizations. And, cyber criminals, no surprise, are taking full advantage.

Now comes a study from Boston-based consultancy Air Worldwide that puts some hard numbers on the degree to which threat actors are plundering virtual machines. The report, titled The Economic Impact of Machine Identity Breaches, was commissioned by Salt Lake City, UT-based security vendor Venafi.

According to the study, poor management of machine identities leads directly to an estimated $52 billion to $72 billion in losses annually. What’s more, large enterprises, i.e. those with $2 billion or more in annual revenue, are getting hit twice as hard as smaller organizations, when it comes to cyber attacks that exploit anemic protections for machine identities.

I had a chance to visit once again with Jeff Hudson, Venafi’s outspoken CEO at RSA 2020. We had a lively discussion about the backdrop of the study, and its going-forward implications. For a full drill down, please give the accompanying podcast a listen. Here are excerpts, edited for clarity and length:

SHARED INTEL: How attacks on web, mobile apps are being fueled by rising API vulnerabilities

By Byron V. Acohido

Application programming interface. API. It’s the glue holding digital transformation together.

Related: A primer on ‘credential stuffing’

APIs are the conduits for moving data to-and-fro in our digitally transformed world. APIs are literally everywhere in the digital landscape, and more are being created every minute. APIs connect the coding that enables the creation and implementation of new applications.

However, APIs also manifest as a wide open, steadily expanding attack vector. Many organizations caught up in the frenzy of digital transformation don’t fully appreciate the gaping exposures APIs have come to represent.

I had the chance to discuss this with Matt Keil, director of product marketing at Cequence Security, a Sunnyvale, Calif.-based application security vendor that’s in the thick of helping businesses mitigate web application exposures. We spoke at RSA 2020. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways:

Romance scams

Like many modern companies, Zoosk, the popular San Francisco-based dating site, rests on infrastructure that’s predominantly cloud-based. Zoosk’s core service is delivered via a mobile app that has 20 different registration and/or login pages – all are API driven.

Thus, it was well worth it for a hacking group to study Zoosk’s IT stack to reconnoiter its weak points.  Here’s how Keil breaks down what happened:

MY TAKE: Iran’s cyber retaliation for Soleimani assassination continues to ramp up

By Byron V. Acohido

Less than 48 hours after the killing of Iran’s General Qasem Soleimani, the U.S. Department of Homeland Security issued a bulletin calling out Iran’s “robust cyber program,” and cautioning everyone to be prepared for Iran to “conduct operations in the United States.”

Related: Cyber warfare enters Golden Age

In fact, strategic cyber operations essentially pitting Russia and Iran against the U.S. and Saudi Arabia have been steadily escalating for at least the past decade, with notable spikes in activity throughout the course of 2019.

The Soleimani assassination simply added kerosene to those long-flickering flames. Since the killing, there has been a marked increase in probing for vulnerable servers – focused on industrial control systems in facilities in both the Middle East and North America. This escalation of reconnaissance is being closely monitored by the global cybersecurity and intelligence communities. Jeremy Samide, CEO of Stealthcare, a Cleveland-based cyberthreats intelligence gathering consultancy, is in the midst of it.

Samide and other experts say what’s coming next is very likely to be a series of varied attacks as combatants on all sides leverage footholds gained from ongoing intelligence gathering and malware planting. Evidence of this gelling scenario are called out in a recent report from Dragos, a Maryland-based supplier of industrial controls security systems, and also in a technical report issued earlier this month by Saudi Arabia’s National Cyber Security Center.

“This isn’t something that’s going to happen overnight,” Samide told me. “Iran’s response will be long and drawn out. There will very likely be a number of smaller and medium-sized attacks, culminating in a larger attack that will be highly coordinated and strike at just the right time. And it might not be Iran directly retaliating alone. It could involve multiple state actors, adversarial to the West, joining forces to co-ordinate an attack, or even multiple attacks.”

There has been plenty of news coverage of certain high-profile Iranian and Russian cyberattacks; … more

MY TAKE: Why we should all now focus on restoring stability to US-Iran relations

By Byron V. Acohido

As tensions escalate between the U.S. and Iran it’s vital not to lose sight of how we arrived at this point.

Related: We’re in the golden age of cyber spying

Mainstream news outlets are hyper focused on the events of the past six days. A Dec. 27 rocket attack on a military base in northern Iraq killed an American contractor and a number of service members. Protesters attacked the US embassy in Baghdad. President Trump then retaliated by ordering a drone strike that killed a top Iranian military leader,  Gen. Qasem Soleimani.

The open assassination of a top Middle East official has ignited a social media frenzy about how we very well may be on the brink of World War III. I very much hope cooler heads prevail.

Iran accord scuttled

A starting point for cooling things off would be for news pundits — as well as anyone who considers himself or herself a social media influencer, i.e, someone who fosters community discussions — to recall the hostile shove Trump gave Iran last May.

That’s when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past several months proactively escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

This, of course, pushed Iran into a corner, and, no surprise, Iran has pushed back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal.

SHARED INTEL: What can be done — today — to keep quantum computing from killing encryption

By Byron V. Acohido

There’s little doubt that the shift to quantum computing  will open new horizons of digital commerce. But it’s also plain as day that the mainstreaming of quantum processing power will profoundly exacerbate cybersecurity exposures.

Related: The ‘post quantum crytpo’ race is on

This isn’t coming as any surprise to IT department heads. In fact, there’s widespread recognition in corporate circles that the planning to address fresh cyber risks associated with quantum computing should have commenced long ago.

That’s the upshot of a survey of 400 large organizations across critical infrastructure industries in the U.S., Germany and Japan. The study, sponsored by DigiCert, Inc., a Lehi,Utah-based supplier of digital certificates, found 71 percent of global organizations already see the emergence of quantum processing power as a material security threat.

Their trepidation is focused on the potential undermining of a core security component of classical computing systems: encryption. In a nutshell, when quantum processing power becomes widely available – whether that be three years or 10 years from now — threat actors will gain the ability to decrypt everything companies have been protecting with classical encryption.

To its credit, the global cybersecurity community is not asleep on this. A major public-private effort is underway to revamp classical cryptography, and ultimately replace it with something called post-quantum-cryptography, or PQC. DigiCert happens to be in the thick of this effort; I recently had a wide-ranging discussion about this with Tim Hollebeek, DigiCert’s industry and standards technical strategist.

SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, which is a leading edge way to build and query application programing interfaces, or APIs. If you ask the builders of these SPAs, they will tell you that the scale and simplicity of retrieving lots of data with GraphQL is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply computer processing and data storage as a utility. DevOps has decentralized the creation and delivery … more

MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

By Byron V. Acohido

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Related: Cyber risks spinning out of IoT

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.”