New Tech

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.

Related: The rise of ‘memory attacks’

I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.

Starks

Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce. …more

NEW TECH: DataLocker extends products, services to encrypt data on portable storage devices

By Byron V. Acohido

No matter how reliant we ultimately become on cloud storage and streaming media, it’s hard to imagine consumers ever fully abandoning removable storage devices.

There’s just something about putting your own two hands on a physical device, whether it’s magnetic tape, or a floppy disk, or a CD. Today, it’s more likely to be an external drive, a thumb drive or a flash memory card.

Related: Marriott reports huge data breach

Ever thought about encrypting the data held on a portable storage device? Jay Kim, co-founder and CEO of DataLocker, did.

Launched as a one-man operation in 2007, DataLocker has grown into a leading manufacturer of encrypted external drives, thumb drives, flash drives and self-encrypting, recordable CDs and DVDs.

DataLocker today has 40 employees and last year moved into a larger facility in Overland Park, Kansas, with room to grow. I had the chance at RSA 2019 to visit with Shauna Park, channel manager at DataLocker, to discuss what’s new in the encrypted portable drive space. For a full drill down please listen to the accompanying podcast. Key takeaways:

Protected backup

Even with increased adoption of cloud computing, external storage devices, like USB thumb drives and external hard drives, still have a major role in organizations of all sizes. These drives still serve a purpose, such as transporting data from one computer to another, accessing presentations outside of the office, or as an additional backup solution. …more

NEW TECH: SlashNext dynamically inspects web page contents to detect latest phishing attacks

By Byron V. Acohido

Humans are fallible. Cyber criminals get this.

Human fallibility is the reason social engineering has proven to be so effective – and why phishing persists. Consider these metrics from messaging security firm Proofpoint:

• Email-based corporate credential phishing attacks quadrupled in Q3 2018 vs. the previous quarter.

• Web-based social engineering attacks jumped 233% vs. the previous quarter.

• 99% of the most highly targeted email addresses in the quarter didn’t rank as such in the previous report, suggesting that attackers are constantly shifting targets.

What’s more, a study by antivirus vendor Webroot informs that more than 46,000 new phishing sites go live each day, with most disappearing in a few hours. And a recent survey conducted by SlashNext, a Pleasanton, CA-based supplier of advanced antiphishing systems, revealed that 95% of IT professionals underestimate phishing attack risks. This holds true even though nearly half the respondents reported their organizations experience 50 or more phishing attacks per month, with 14% experiencing 500 phishing attacks per month.

It’s not as if companies and cybersecurity vendors have been sitting on their hands. Vast resources have been directed at filtering emails – the traditional delivery vehicle for phishing campaigns – and at identifying and blacklisting webpages that serve as landing pages and payload delivery venues.

So quite naturally, cyber criminals have shifted their attack strategies. They are pursuing fresh vectors and honing innovative payload delivery tactics. The bad guys are taking full advantage of the fact that many companies continue to rely on legacy defenses geared to stop tactics elite phishing rings are no longer using.

I recently had an eye-opening discussion about this with Jan Liband, SlashNext’s chief marketing officer. Here are the key takeaways from that interview:

Unguarded vectors

By now, most mid-sized and large enterprises have a secure email gateway that’s highly effective at filtering out 80%-95% of phishing emails. So phishers have moved on to comparatively unguarded vectors: social media channels, SMS (text), ads, pop-ups, chat apps, IM, malvertising and rogue browser extensions, Liband told me.

Platforms like Facebook, Twitter and Instagram are wide open for intelligence gathering. With knowledge of our friends, families and preferences, phishers are able to craft postings and messages targeting groups of victims, or specific individuals. The end game is to funnel victims to landing pages. …more

NEW TECH: How Semperis came to close a huge gap in Active Directory disaster preparedness

By Byron V. Acohido

In today’s complex IT environments, a million things can go wrong, though only a few systems touch everything.

Related: Why Active Directory is so heavily targeted

For companies running Microsoft Windows, one such touch-all system is Active Directory, or AD, the software that organizes and provides access to information across the breadth of Windows systems. Over 80 percent of recent headline-grabbing attacks have involved breaking into AD — the “keys to the kingdom” if you will.

Semperis is a security company, launched in 2014, that is entirely focused on AD – or, to put it more precisely, on delivering state-of-the-art AD cyber resilience, threat mitigation and rapid recovery from cyber breaches.

I had the chance at RSA 2019 to visit with Semperis CEO Mickey Bresman. He filled me in on how the company, based in the new World Trade Center in Lower Manhattan, got started; and I learned more about why Semperis is thriving. To hear our full conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

The beginning

Active Directory is a critical part of a vast majority of enterprise networks; some 90 percent of all companies rely on AD. It holds the keys to pretty much everything in your company, as it stores all of the company’s user information. Downtime can result in loss of access to line-of-business applications, lost revenue and, in some cases, a complete organizational shutdown.

With so much at stake, it’s a marvel that AD disaster recovery protocol traditionally has been based on a 60-page white paper that needs to be manually followed. This clunky solution to a potentially catastrophic failure typically has required bringing in a specialist troubleshooter to get the company up and running again.

This, in fact, was the service Semperis set out to provide when it launched in 2014. At the time, most AD attacks were the work of a malicious insider. In one situation, prior to forming Semperis, Semperis co-founders parachuted into a live, unfolding disaster recovery assignment: …more

NEW TECH: Alcide introduces a “microservices firewall” as a dynamic ‘IaaS’ market takes shape

By Byron V. Acohido

As a tech reporter at USA TODAY, I wrote stories about how Google fractured Microsoft’s Office monopoly, and then how Google clawed ahead of Apple to dominate the global smartphone market.

Related: A path to fruition of ‘SecOps’

And now for Act 3, Google has thrown down the gauntlet at Amazon, challenging the dominant position of Amazon Web Services in the fast-emerging cloud infrastructure global market.

I recently sat down with Gadi Naor, CTO and co-founder of Alcide, to learn more about the “microservices firewall” this Tel Aviv-based security start-up is pioneering. However, in diving into what Alcide is up to, Gadi and I segued into a stimulating discussion about this latest clash of tech titans. Here are key takeaways:

Google’s Kubernetes play

First some context. Just about every large enterprise today relies on software written by far-flung third-party developers, who specialize in creating modular “microservices” that can get mixed and matched and reused inside of software “containers.” This is how companies have begun to scale the delivery of cool new digital services — at high velocity.

The legacy ‘on-premises’ data centers enterprises installed 10 to 20 years ago are inadequate to support this new approach. Thus, digital infrastructure is being shifted to “serverless” cloud computing services, with AWS blazing the trail and Microsoft Azure and Google Cloud in hot pursuit.

Microservices and containers have been around for a long while, to be sure. Google, for instance, has long made use of the equivalent of microservices and containers, internally, to scale the development and deployment of the leading-edge software it uses to run its businesses. …more

NEW TECH: Circadence deploys ‘gamification’ training to shrink cybersecurity skills gap

By Byron V. Acohido

It’s clear that closing the cybersecurity skills gap has to happen in order to make our internet-centric world as private and secure as it ought to be.

Related: The need for diversity in cybersecurity personnel

One of the top innovators in the training space is Circadence®. The Boulder, CO-based company got its start in the mid-1990s as a pioneer of massive multi-player video games. It then took its expertise in moving massive amounts of gaming data and applied it first to training military cyber warfare specialists, and, next, to training security analysts in the enterprise, government and academic communities.

I had the chance at RSA 2019 to visit again with Circadence security evangelist Keenan Skelly. We discussed the thinking behind using vivid, persistent learning modules, to both upskill cyber teams and attract fresh talent. Give a listen to the full interview via the accompanying podcast. Here’s a summary of the big takeaways:

Gamification defined

Gamification is an increasingly popular teaching tool, used everywhere from board rooms to kindergarten classrooms. Could it play a role in closing the skills gap?

Even though game is in the name, gamification isn’t about turning a PowerPoint presentation into an interactive Angry Birds tournament. Instead, it sets up an environment that’s immersive but fun for the user, taking them down an engaging path that makes them want to continue learning.

The way people are trained in cybersecurity right now is the opposite of gamification. It isn’t very exciting, and it isn’t necessarily something the user wants to keep training at. But what if that training looked more like the game Call of Duty? …more

NEW TECH: Brinqa takes a ‘graph database’ approach to vulnerability management, app security

By Byron V. Acohido

Imposing just the right touch of policies and procedures towards mitigating cyber risks is a core challenge facing any company caught up in digital transformation.

Related: Data breaches fuel fledgling cyber insurance market

Enterprises, especially, tend to be methodical and plodding. Digital transformation is all about high-velocity innovation and on-the-fly change. The yawning gap between the two is where fresh attack vectors are arising, creating a candy-store environment for threat actors.

Brinqa, an Austin, TX-based security vendor has come up with a cyber risk management platform designed to help companies take a much more dynamic approach to closing that gap, specifically in the areas of vulnerability management and application security, to start.

Brinqa was founded in 2009 by Amad Fida and Hilda Perez, industry veterans seeking to leverage their collective expertise in risk management and identity and access management. Early on, a customer of their cyber risk management solution asked if they could assess a physical location, down to the fire extinguishers.

An early version of their platform was already live. But that assignment led Fida and Perez to re-architect the platform around graph databases and knowledge graphs. It was an approach they felt would be flexible enough to keep up with rapidly evolving enterprise technology infrastructure.

I had the chance at RSA 2019 to meet with Syed Abdur, Brinqa’s director of products, who provided more background. For a full drill down, please give a listen to the full Last Watchdog interview via the accompanying podcast. Here are the key takeaways:

Blistering pace

On-premises data centers look to remain a big part of hybrid cloud networks, going forward, and keeping these systems up to date, with respect to vulnerability patching, isn’t getting easier.

By many measures, the vulnerability management challenge companies face is getting steeper. The National Institute of Standards and Technology’s National Vulnerability Database logged around 14,000 unique vulnerabilities, up from 13,000 in 2017 and 6,000 in 2016. …more