 

My Take

 

RSAC insights: SolarWinds hack illustrates why software builds need scrutiny — at deployment

By Byron V. Acohido

By patiently slipping past the best cybersecurity systems money can buy and evading detection for 16 months, the perpetrators of the SolarWinds hack reminded us just how much heavy lifting still needs to get done to make digital commerce as secure as it needs to be.

Related: DHS launches 60-day cybersecurity sprints

Obviously, one change for the better would be if software developers and security analysts paid much closer attention to the new and updated coding packages being assembled and deployed on the fly, in pursuit of digital agility.

I recently had the chance to discuss this with Tomislav Pericin, chief software architect and co-founder at software security firm ReversingLabs. We talked about how the capacity to, in essence, rapidly reverse engineer new software and software updates — without unduly hindering agility — could make a big difference.

For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Targeting the build

One thing I did not realize about the SolarWinds hack is precisely how the attackers fooled more than 18,000 organizations into accepting an infected update of the widely-used Orion network management tool. I had assumed that they either stole or spoofed a SolarWinds digital certificate, which they then used to authenticate the tainted update. The payload malware: Sunburst, a heavily-obfuscated backdoor.

Actually, these attackers went through a lot of effort to first gain deep access inside of SolarWinds’ network. Next, they located and took control of the build process used to compile the various pieces of coding that SolarWinds’ software developers assembled to make up its Orion software updates.

“People tend to focus on the Sunburst malware, the actual backdoor that ended up in the affected update package,” Pericin told me. “But there was another malicious component, Sunspot, which was a piece of malware specifically designed to run in the SolarWinds environment, on a build machine.

RSAC insights: CyberGRX finds a ton of value in wider sharing of third-party risk assessments

By Byron V. Acohido

The value of sharing threat intelligence is obvious. It’s much easier to blunt the attack of an enemy you can clearly see coming at you.

Related: Supply chains under siege.

But what about trusted allies who unwittingly put your company in harm’s way? Third-party exposures can lead to devastating breaches; just ask any SolarWinds first-party customer.

So could sharing intelligence about third-party suppliers help?

With RSA Conference 2021 technical sessions getting underway today, I sat down with Fred Kneip, CEO of CyberGRX, to hash over the notion that a lot of good could come from more systematic sharing of the risk profiles that large enterprises routinely compile with respect to their third-party contractors.

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

The genesis of risk-profiles

It turns out there is a ton of third-party risk profiles sitting around not being put to any kind of high use. Back in the mid-1990s, big banks and insurance companies came up with something called “bespoke assessments” as the approach for assessing third-party vendor risk.

This took the form of programmatic audits. In order to get the blessing of financiers and insurers, enterprises had to set up systems to get their third-party suppliers to fill out extensive risk-profile questionnaires; and this cumbersome process had to be repeated on a periodic basis for as many contractors as they could get to.

CyberGRX launched in 2016 as a clearinghouse for companies to pool and share standardized assessment data and actually analyze the results for action. The idea was to benefit both the first-party contractors and the third-party suppliers, Kneip says. Thus, the Fortune 1,000 companies who collected and consumed the security profiles of major suppliers could see and analyze that data in aggregate and thus conduct a much higher level of risk analysis.

MY TAKE: Agile cryptography is coming, now that ‘attribute-based encryption’ is ready for prime time

By Byron V. Acohido

Encryption agility is going to be essential as we move forward with digital transformation.

Refer: The vital role of basic research

All of the technical innovation cybersecurity vendors are churning out to deal with ever-expanding cyber risks, at the end of the day, comes down to protecting encrypted data. But cryptography historically has been anything but agile; major advances require years, if not decades, of inspired theoretical research.

Now comes something called attribute-based encryption, or ABE, a new approach to encrypting data that holds the potential to infuse agility into how encryption gets done online.

I had the chance to learn more about ABE from Brent Waters, a distinguished scientist in the Cryptography & Information Security (CIS) Lab at NTT Research. Waters has been a leading figure in deriving the mathematical concepts behind ABE. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

PKI basics

If you’re thinking encryption is the polar opposite of agile, you’re correct, historically speaking. Encryption is an arcane science that has long presented an irresistible challenge to the best and brightest researchers. Top mathematicians have been hammering away at improving encryption since before World War II. And since 2005 or so, one area of focus has been on sharpening the math formulas that make attribute-based encryption possible.

MY TAKE: How consumer-grade VPNs are enabling individuals to do DIY security

By Byron V. Acohido

Historically, consumers have had to rely on self-discipline to protect themselves online.

Related: Privacy war: Apple vs. Facebook.

I’ve written this countless times: keep your antivirus updated, click judiciously, practice good password hygiene. Then about 10 years ago, consumer-grade virtual private networks, or VPNs, came along, providing a pretty nifty little tool that any individual could use to deflect invasive online tracking.

Consumer-grade VPNs have steadily gained a large following. And over the past two to three years, adoption has climbed steeply.

It only recently dawned on me that this rise in popularity of VPNs is probably directly related to the chaotic social unrest, not to mention the global health crisis, we’ve all endured over the past few years.

We’ve become accustomed to hunkering down. As part of this mindset, more consumers are subscribing to a personal VPN service which they use to shield themselves from disinformation sweeps and to protect themselves from Covid-19-related hacks and scams.

SHARED INTEL: Report details how cyber criminals leverage HTTPS TLS to hide malware

By Byron V. Acohido

Google was absolutely right to initiate a big public push a couple of years ago to make HTTPS Transport Layer Security (TLS) a de facto standard.

Related: Malicious activity plagues the cloud services

At the time, in the spring of 2018, only 25 percent of commercial websites used HTTPS; today adoption is at 98 percent and rising. Far beyond just protecting websites, TLS has proven to be a linchpin of network-level communications across the board.

Guess who else has been leveraging TLS? Threat actors quickly figured out how to adapt TLS to their purposes. An intelligence report released today by Sophos illustrates just how widely TLS has come to be used by cyber criminals to hide their malicious activity.

From January through March 2021, TLS concealed 45 percent of the malware Sophos analysts observed circulating on the Internet; that’s double the rate – 23 percent – seen in early 2020, Dan Schiappa, Sophos’ chief product officer, told me in a briefing. TLS, he says, is increasingly being used to cloak a wide array of the operational steps behind the most damaging attacks of the moment, namely ransomware attacks and massive data breaches.

This surge in TLS abuse has shifted the security community’s focus back to a venerable network security tool, the firewall.

MY TAKE: GraphQL APIs rev up innovation – but also introduce a potential security nightmare

By Byron V. Acohido

The software developers who are creating the coolest new mobile apps have a secret weapon. It’s called GraphQL.

Related: How APIs expand the attack surface

GraphQL is a leading-edge approach to deploying APIs, the software conduits that mesh together all of the digital services we use every day and have come to take for granted.

Like every other Internet breakthrough, GraphQL comes with a security tradeoff. A big one. API deployments — and API security vulnerabilities — have been exploding exponentially for the past decade. It should come as no surprise that businesses have glommed onto the data sharing and monetizing benefits of APIs while overlooking the security ramifications of APIs left unprotected.

Now along comes GraphQL, touted as a pathway to new horizons of business agility and user experiences, but also introducing a vast new tier of security exposures – all at the API level. Going forward, what we do about API security, generally – and these new GraphQL data exposures, in particular — will determine the level of privacy and security – or insecurity – we’ll all have to live with.

Quixotically, GraphQL comes to us courtesy of Facebook. In 2015, the social media giant released GraphQL as an open source project. “GraphQL was our opportunity to rethink mobile app data-fetching from the perspective of product designers and developers,” wrote Facebook’s Lee Byron in a blog post. “It moved the focus of development to the client apps, where designers and developers spend their time and attention.”

We’re still early in the adoption curve for GraphQL, but adoption appears to be on a steep trajectory. At the data layer,

ROUNDTABLE: Mayorkas’ 60-day cybersecurity sprints win support; also a prove-it-to-me response

By Byron V. Acohido

The Biden Administration is wasting no time fully re-engaging the federal government in cybersecurity.

Related: Supply-chains become top targets

Homeland Security Secretary Alejandro Mayorkas has assumed a very visible and vocal role. Mayorkas has been championing an extensive portfolio of initiatives to rally public-private collaboration to fend off cyber criminals and state-sponsored threat actors.

The need is great, of course. The SolarWinds hack and Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn, demonstrate this in spades.

Mayorkas announced a series of 60-day sprints to quell ransomware and to bolster the cyber defenses of industrial control systems, transportation networks and election systems. Mayorkas also pledged to increase the diversity of the Cybersecurity and Infrastructure Security Agency’s workforce, noting that roughly a third of CISA’s workers are part of minority groups.

This reminds me of how President Obama used his bully pulpit back in 2015 to promote accelerated sharing of threat intelligence and to push for a consumers’ bill of rights for online privacy.