Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

MY TAKE: Technologists, privacy advocates point to flaws in the Apple-Google COVID-19 tracing app

By Byron V. Acohido

If the devastating health and economic ramifications weren’t enough, individual privacy is also in the throes of being profoundly and permanently disrupted by the coronavirus pandemic. The tech giants are partnering on a tool for public good, but critics worry it will ultimately get used for predatory surveillance.

Related: Europe levies big fines for data privacy missteps

Apple and Google are partnering up to bring technology to bear on COVID-19 contact tracing efforts. The tech giants are laudably putting aside any competitive urgings to co-develop a solution that combines mobile operating system, Bluetooth and GPS technologies to help us all get past the burgeoning health crisis.

However, in an apparent effort to live down Google’s abjectly poor track record respecting consumer privacy, the Apple-Google partnership is treading lightly to avoid anything that might hint at an undue invasion of individual privacy. In doing so, their proposed solution has a number of glaring technical and privacy-protection shortcomings, according to several technologists I spoke with.  In fact, the Apple-Google project has exacerbated a privacy controversy that flared up in Europe in the early stages, one that has more recently been picking up steam in the U.S., as well. Here’s how technologists and privacy experts see things stacking up:

Bluetooth-based tracing

Infected persons will be able to use their iPhones or Android devices to make their status known to a central server, which then correlates an anonymized identifier of the infected person to anonymized IDs of non-infected persons who happen to be in close proximity. The server then alerts the non-infected persons to self-immunize.

MY TAKE: COVID-19 cements the leadership role CISOs must take to secure company networks

By Byron V. Acohido

Chief Information Security Officers were already on the hot seat well before the COVID-19 global pandemic hit, and they are even more so today.

Related: Why U.S. cybersecurity policy needs to match societal values

CISOs must preserve and protect their companies in a fast-changing business environment at a time when their organizations are under heavy bombardment. They must rally the troops to proactively engage, day-to-day, in the intricate and absolutely vital mission of preserving the security of IT assets, without stifling innovation. And they must succeed on executive row, with middle management and amongst the troops in the operational trenches.

That’s a very tall order, made all the more challenging by a global health crisis that has slowed the global economy to a crawl, with no end yet in sight. One new challenge CISOs’ suddenly face is how to lock down web conferencing tools, like Zoom, Skype and Webex, without gutting their usefulness.

Cyber criminals have discovered Zoom logons, in particular, to be useful for carrying out credential stuffing campaigns to probe for deeper access inside of breached networks. Thanks to the sudden rise in use of Zoom and other video conferencing systems by an expanding work-from-home workforce, their logons are begin targeted by threat actors; underground forums today are bristling with databases holding hundreds of thousands of recycled Zoom logon credentials.

I had the chance to discuss this state of affairs with Vishal Salvi, CISO of Infosys. In its 2020 fiscal year, ending March 31, Infosys reported revenue of $12.8 billion, with $7.8 billion coming from North America, $3.1 billion from Europe, $333 million from India and $1.5 billion internationally

MY TAKE: COVID-19’s silver lining could turn out to be more rapid, wide adoption of cyber hygiene

By Byron V. Acohido

Long before COVID-19, some notable behind-the-scenes forces were in motion to elevate cybersecurity to a much higher level.

Related: How the Middle East has advanced mobile security regulations

Over the past couple of decades, meaningful initiatives to improve online privacy and security, for both companies and consumers, incrementally gained traction in the tech sector and among key regulatory agencies across Europe, the Middle East and North America. These developments would have, over the next decade or so, steadily and materially reduced society’s general exposure to cybercrime and online privacy abuses.

Then COVID-19 came along and obliterated societal norms and standard business practices. A sweeping overhaul of the status quo – foreshadowed by the sudden and acute shift to a predominantly work-from-home workforce – lies ahead.

One thing is certain, as this global reset plays out, cyber criminals will seize upon fresh opportunities to breach company and home networks, and to steal, defraud and disrupt, which they’ve already commenced doing.

Yet there are a few threads of a silver lining I’d like to point out. It is possible, if not probable, that we are about to witness an accelerated rate of adoption of cyber hygiene best practices, as well as more intensive use of leading-edge security tools and services. And this positive upswing could be reinforced by stricter adherence to, not just the letter, but the spirit of data security laws already on the books in several nations.

There is an urgency in the air to do the right thing. Several key variables happen to be tilting in an advantageous direction. Here’s a primer about how cyber hygiene best practices – and supporting security tools and services – could gain significant steam in the months ahead, thanks to COVID-19.

MY TAKE: Why COVID-19 ‘digital distancing’ is every bit as vital as ‘social distancing’

By Byron V. Acohido

As coronavirus-themed cyber attacks ramp up, consumers and companies must practice digital distancing to keep themselves protected.

Related: Coronavirus scams leverage email

As we get deeper into dealing with the coronavirus outbreak, the need for authorities and experts to communicate reliably and effectively with each other, as well as to the general public, is vital.

That, of course, presents the perfect environment for cybercrime that pivots off social engineering. Sadly, coronavirus phishing and ransomware hacks already are in high gear.

“There’s a special ring of hell reserved for those who take advantage of a public health crisis to make money,” says Adam Levin, founder and chairman of CyberScout, a Scottsdale, AZ-based  supplier of identity and data theft recovery services. I agree wholeheartedly with Levin on this, as I imagine most folks would.

Social engineering invariably is the first step in cyber attacks ranging from phishing and ransomware to business email compromise (BEC) scams and advanced persistent threat (APT) hacks.

“While this kind of fraud is the new normal, often fine-tuned for specific holidays and big news stories, a global health disaster creates an even more fertile field than usual for fraudsters,” Levin observes.

MY TAKE: ‘Network Detection and Response’ emerges as an Internet of Things security stopgap

By Byron V. Acohido

There’s no stopping the Internet of Things now.

Related: The promise, pitfalls of IoT

Companies have commenced the dispersal of IoT systems far and wide. Data collected by IoT devices will increasingly get ingested into cloud-centric networks where it will get crunched by virtual servers. And fantastic new IoT-enabled services will spew out of the other end.

The many privacy and security issues raised by IoT, however, are another story. The addressing of IoT privacy and security concerns lags far, far behind. Commendably, the global cybersecurity community continues to push companies to practice cyber hygiene. And industry groups and government regulators are stepping up efforts to incentivize IoT device makers to embed security at the device level.

Very clearly, something more is needed. That’s where a cottage industry of security companies in the Network Detection and Response (NDR) space comes into play. NDR vendors champion the notion that it’s a good idea for someone to be keeping an eagle eye on the rivers of packets that crisscross modern enterprise networks, especially packets flooding in from IoT systems. That can be done very efficiently today, and would markedly improve network security without waiting for better security practices or tougher industry standards to take hold, they argue.

I had a fascinating discussion about this with Sri Sundaralingam, vice president of cloud and security solutions at ExtraHop, a Seattle-based supplier of NDR technologies. We spoke at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are the key takeaways:

IoT surge

According to Fortune Business Insights, the global IoT market will top $1.1 trillion by 2026, up from $190 billion in 2018. That’s a compounded annual growth rate of a whopping 24.7 percent.

MY TAKE: Deploying ‘machine learning’ at router level helps companies prepare for rise of 5G

By Byron V. Acohido

Machine learning (ML) and digital transformation (DX) go hand in glove.

We’ve mastered how to feed data into pattern-recognition algorithms. And as we accelerate the digitalization of everything, even more data is being generated.

Related: Defending networks with no perimeter

Machine learning already is deeply embedded in the online shopping, banking, entertainment and social media systems we’ve come to rely on. Meanwhile, criminal hacking groups increasingly leverage ML  to pillage those very same online systems.

At RSA 2020, I was encouraged by strong evidence that the cybersecurity industry has now jumped fully on board the ML bandwagon. Juniper Networks, known for its high-performance routers, is in the vanguard of established technology and cybersecurity vendors applying ML and automation to defend company networks.

I had the chance to sit down with Laurence Pitt, Juniper’s global security strategy director. We had a lively discussion about the surge of fresh data about to hit as 5G interconnectedness gains traction — and how this will surely result in a spike in fresh vulnerabilities. For a full drill down please give the accompanying podcast a listen. A few key takeaways:

Trust factor

This is an exciting time in the world of network security, with the growth of 5G pushing industries into a world where virtually anything can be connected. The proliferation of connected devices means that anything with a vulnerability can become an attack vector for the network, however, and it requires massive resources to manage all these systems and identify possible threats.

SHARED INTEL: FireMon survey shows security lags behind fast pace of hybrid cloud deployments

By Byron V. Acohido

Corporate America’s love affair with cloud computing has hit a feverish pitch. Yet ignorance persists when it comes to a momentous challenge at hand: how to go about tapping the benefits of digital transformation while also keeping cyber exposures to a minimum level.

Related: Why some CEOs have quit tweeting

That’s the upshot of FireMon’s second annual State of Hybrid Cloud Security Report of 522 IT and security professionals, some 14 percent of whom occupy C-suite positions.

Nearly 60 percent of the respondents indicated the pace of their cloud deployments have surpassed their ability to secure them in a timely manner. Notably, that’s essentially the same response FireMon got when it posed this same question in its inaugural hybrid cloud survey some 14 months ago.

That’s not a good thing, given migration to cloud-based business systems, reliance on mobile devices and onboarding of IoT systems are all on an upward sweep. “It doesn’t seem like we’ve moved the needle on security at all,” says Tim Woods, vice president of technology alliances at FireMon, the leading provider of automated network security policy management systems.

I had the chance to visit with Woods at RSAC 2020 in San Francisco recently. For a full drill down on our discussion, please give a listen to the accompanying podcast. Here’s a summary of key takeaways:

Shared burden confusion

Hybrid cloud refers to the mixing and matching of on-premise IT systems, aka private clouds, with processing power, data storage, and collaboration tools leased from public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud. Hybrid clouds are being leveraged to refresh legacy networks, boost productivity and innovate new software services at breakneck speed, to keep pace with rivals.