Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

SHARED INTEL: Microsoft discloses how the Nobelium hacking ring engages in routine phishing

By Byron V. Acohido

Microsoft has blunted the ongoing activities of the Nobelium hacking collective, giving us yet another glimpse of the unceasing barrage of hack attempts business networks must withstand on a daily basis.

Related: Reaction to Biden ‘s cybersecurity executive order

Nobelium is the Russian hacking collective best known for pulling off the milestone SolarWinds supply chain hack last December. That caper required the intricate counterfeiting of software updates sent out automatically by SolarWinds to 18,000 customers. And yet, for all of its sophistication, Nobelium also engages in routine phishing campaigns to get a foothold in targeted organizations. This of course is how they get a toehold to go deeper.

In this case, the attackers leveraged information gleaned from a Microsoft worker’s computing device. In a blog posting, Microsoft disclosed that it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”

Microsoft said it notified the targeted 150 organizations, which included “IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.”

MY TAKE: A path for SMBs to achieve security maturity: start small controlling privileged accounts

By Byron V. Acohido

The challenge of embracing digital transformation while also quelling the accompanying cyber risks has never been greater for small- and mid-sized businesses.

Related: How ‘PAM’ improves authentication

SMBs today face a daunting balancing act. To boost productivity, they must leverage cloud infrastructure and participate in agile software development. But this also opens up a sprawling array of fresh security gaps that threat actors are proactively probing and exploiting.

Somehow SMBs must keep pace competitively, while also tamping down the rising risk of suffering a catastrophic network breach.

There’s a glut of innovative security solutions, to be sure, and no shortage of security frameworks designed to help companies mitigate cyber risks. Leading-edge cybersecurity systems in service today apply machine learning in some amazing ways to help large enterprises identify and instantly respond to cyber threats.

However, this is overkill for many, if not most, SMBs. Day in and day out their core security struggle boils down to making it harder for intruders to attain and manipulate remote access. And it doesn’t take enterprise-grade security systems to accomplish this.

I’ve had several discussions about this with Maurice Côté, vice president of business solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. We talked about how Devolutions has been guiding its SMB customers

MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive data base breaches today generally follow a distinctive pattern: hack into a client -facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for her alleged data breach and theft of more than 100 million people including 140,000 social security numbers and 80,000 linked bank accounts. The 33-year-old Amazon Web Services (AWS) software engineer was also accused of stealing cloud computer power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on the Capital One’s public-facing applications supposedly protected by their open-source Web Application Firewall (WAF), and succeeded in carrying out a  “Server Side Request Forgery” (SSRF) attack. By successfully hacking the client-facing application, she was then able to relay commands to a legacy AWS metadata service to obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using valid credentials, Thompson was able to gain access using APIs … more

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zetabytes in 2020, much of it pooling in data lakes.

Related:  The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more

MY TAKE: How SASE has begun disrupting IT — by shifting cybersecurity to the ‘services edge’

By Byron V. Acohido

One of the hottest topics at RSA Conference 2021 taking place virtually this week is the Secure Access Services Edge (SASE) security framework.

Related: Cybersecurity experts react to Biden’s EO

SASE (pronounced sassy) essentially is a roadmap for infusing privacy and security deeply into the software coding that gives life to our smartphones, IoT devices and cloud infrastructure, i.e. at the “services edge,” where all the action is taking place.

Coined by Gartner in late 2018, SASE is gaining momentum as a generational disruptive force. It calls for organizations to start proactively managing the myriad new attack vectors they’ve opened up in the pursuit of digital agility — by embracing a bold new IT architecture that extends network security far beyond the traditional perimeter

However, disruption doesn’t happen without displacement. And at this early stage, things are a bit chaotic. As established and newer cybersecurity vendors scramble to catch the SASE wave, marketing messages have sometimes been less than clear.

From the customer’s point of view, some early-adopter enterprises have experienced buyer’s remorse trying out SASE services that don’t really make the grade, says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.

“What we’ve heard from out in the marketplace is that a number of SASE solutions that supposedly could deliver everything as promised, were found to be lacking in many capacities,” Spanbauer says.

ROUNDTABLE: Experts react to President Biden’s exec order in the aftermath of Colonial Pipeline hack

By Byron V. Acohido

As wake up calls go, the Colonial Pipeline ransomware hack was piercing.

Related: DHS embarks on 60-day cybersecurity sprints

The attackers shut down the largest fuel pipeline in the U.S., compelling Colonial to pay them 75 bitcoins, worth a cool $5 million.

This very high-profile caper is part of an extended surge of ransomware attacks, which  quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, and is expected to rise 20 percent to 40 percent this year,  according to insurance giant Aon.

Ransomware is surging at at time when the global supply chain is being corrupted from inside out, as so vividly illustrated by the SolarWinds supply chain debacle.

In response, President Biden last week issued an executive order requiring more rigorous cybersecurity practices for federal agencies and contractors that develop software for the federal government. Last Watchdog asked a roundtable of cybersecurity industry experts for their reaction. Here’s what they said, responses edited for clarity and length:

Chenxi Wang, founder & general partner, Rain Capital

The new executive order is a swift response from the administration. It’s refreshing to see a government executive order that understands technology trends such as “zero trust”, is able to delineate “Operational Technology (OT)” from “information technology (IT,)” and can talk intelligently about supply chain risks.

While some of the measures stipulated in the order are considered table stakes like multi-factor authentication, the fact that the order exists will help to raise the collective security posture of products and services. It will not be sufficient to defend against sophisticated adversaries, but it will help organizations on the lower end of the capability spectrum to improve their cyber posture and defense.

Keatron Evans, principal security researcher, Infosec Institute

President Biden’s order was drafted with heavy involvement from actual cybersecurity experts, and this is encouraging. Requiring federal agencies to produce an actionable plan to implement Zero Trust Architecture is … more

RSAC insights: Introducing ‘CWPP’ and ‘CSPM,’ new frameworks to secure cloud infrastructure

By Byron V. Acohido

A greater good has come from Capital One’s public pillaging over losing credit application records for 100 million bank customers.

Related: How credential stuffing fuels account takeovers

In pulling off that milestone hack, Paige Thompson took advantage of CapOne’s lack of focus on cloud security as the banking giant rushed headlong into leveraging Amazon Web Services. Luckily, Thompson left an easy trail for the FBI to follow and affect her arrest in August 2019.

The lone wolf hacker’s lasting legacy may be that she gave the cybersecurity industry an impetus to double down on its efforts to help enterprises get a grip on cloud security.

A slew of new cloud-security frameworks have gained traction since the Capital One hack. I recently had the chance to sit down with Kevin Simzer, chief operating officer of Trend Micro, to discuss two of them: Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM.) For a full drill down on our conversation please give the accompanying podcast a listen. Here are the key takeaways:

Cloud migration risks

The summer of 2019 was a heady time for the financial services industry. Capital One’s valuation hit record highs at a time when its senior executives bragged on Wall Street about how the bank’s aggressive adoption of AWS-supplied infrastructure would boost both profits and security. In reality, the bank wasn’t paying close enough attention to its shared responsibility for keeping its cloud-stored assets secure.