Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

MY TAKE: NIST Cybersecurity Framework has become a cornerstone for securing networks

By Byron V. Acohido

If your company is participating in the global supply chain, either as a first-party purchaser of goods and services from other organizations, or as a third-party supplier, sooner or later you’ll encounter the NIST Cybersecurity Framework.

Related: How NIST protocols fit SMBs

The essence of the NIST CSF is showing up in the privacy regulations now being enforced in Europe, as well as in a number of U.S. states. And the protocols it lays out inform a wide range of best-practices guides put out by trade groups and proprietary parties, as well.

I had the chance at RSA 2019 to visit with George Wrenn, founder and CEO of CyberSaint Security, a cybersecurity software firm  that plays directly in this space.

Prior to launching CyberSaint, Wrenn was CSO of Schneider Electric, a supplier of technologies used in industrial control systems. While at Schneider, Wrenn participated with other volunteer professionals in helping formulate the NIST CSF.

The participation led to the idea behind CyberSaint. The company supplies a platform, called CyberStrong, that automatically manages risk and compliance assessments across many types of frameworks. This includes not just the NIST CSF, but also the newly minted NIST Risk Management Framework 2.0, and the upcoming NIST Privacy Framework. For a full drill down on the wider context, give a listen to the accompanying podcast. Here are key takeaways:

Collective wisdom

Think of NIST as Uncle Sam’s long-established standards-setting body. “They are the people who brought you 36 inches in a yard,” Wrenn observed. To come up with its cybersecurity framework, NIST assembled top experts and orchestrated a global consensus- building process that resulted in a robust set of protocols. The CSF is comprehensive and flexible; it can be tailored to fit a specific organization’s needs. And the best part is it’s available for free. …more

NEW TECH: How Semperis came to close a huge gap in Active Directory disaster preparedness

By Byron V. Acohido

In today’s complex IT environments, a million things can go wrong, though only a few systems touch everything.

Related: Why Active Directory is so heavily targeted

For companies running Microsoft Windows, one such touch-all system is Active Directory, or AD, the software that organizes and provides access to information across the breadth of Windows systems. Over 80 percent of recent headline-grabbing attacks have involved breaking into  AD — the “keys to the kingdom” if you will.

Semperis is a security company, launched in 2014, that is entirely focused on AD – or, to put it more precisely, on delivering state-of-art AD cyber resilience, threat mitigation and rapid recovery from cyber breaches.

I had the chance at RSA 2019 to visit with Semperis CEO Mickey Bresman. He filled me in on how the company, based in the new World Trade Center in Lower Manhattan, got started; and I learned more about why Semperis is thriving. To hear our full conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

The beginning

Active Directory is a critical part of a vast majority of enterprise networks; some 90 percent of all companies rely on AD. It holds the keys to pretty much everything in your company, as it stores all of the company’s user information. Downtime can result in loss of access to line-of-business applications, lost revenue and, in some cases, a complete organizational shutdown.

With so much at stake, it’s a marvel that AD disaster recovery protocol traditionally has been based on a 60-page white paper that needs to be manually followed. This clunky solution to a potentially catastrophic failure, typically has required bringing in a specialist troubleshooter to get the company up and running again.

This, in fact, was the service Semperis set out to provide when it launched in 2014. At the time, most AD attacks were the work of a malicious insider. In one situation, prior to forming Semperis, Semperis co-founders  parachuted into a live, unfolding disaster recovery assignment: …more

MY TAKE: How digital technology and the rising gig economy are exacerbating third-party risks

By Byron V. Acohido

Accounting for third-party risks is now mandated by regulations — with teeth.

Related: Free ‘VRMM’ tool measures third-party exposure

Just take a look at Europe’s GDPR, NYDFS’s cybersecurity requirements or even California’s newly minted Consumer Privacy Act.

What does this mean for company decision makers, going forward, especially as digital transformation and expansion of the gig economy deepens their reliance on subcontractors?

I had the chance at RSA 2019 to discuss that question with Catherine Allen, chairman and CEO of the Santa Fe Group, and Mike Jordan, senior director of Santa Fe’s Shared Assessments program.

Allen is a widely respected thought leader on this topic, having launched Shared Assessments in 2005 as an intel-sharing and training consortium focused on third-party risks. And Jordan has had a hands-on role working third-party risk issues for more than a decade.

To hear the full interview, please give the accompanying podcast a listen. Here are a few key takeaways.

Addressing third-parties

Allen founded The Santa Fe Group in 1995 and established it as a leading consultancy, specializing on emerging technologies. With subcontractors playing a rising role and third party risk covering so many complex fields of expertise, six big banks and the Big Four accounting/consulting firms tasked her with coming up with a standardized approach for assessing third party vendor risk.

What emerged was a quasi-trade association – Shared Assessments. The founding participants developed assessment regimes and tools, all having to do with measuring and assessing, essentially, third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate. Collaborating in advance on what’s important in third party risk lets organizations and their vendors come to a faster agreement on what to do about those risks. That out of the way, business can proceed with less risk. …more

NEW TECH: Circadence deploys ‘gamification’ training to shrink cybersecurity skills gap

By Byron V. Acohido

It’s clear that closing the cybersecurity skills gap has to happen in order to make our internet-centric world as private and secure as it ought to be.

Related: The need for diversity in cybersecurity personnel

One of the top innovators in the training space is Circadence®. The Boulder, CO-based company got its start in the mid-1990s as a pioneer of massive multi-player  video games. It then took its expertise in moving massive amounts of gaming data and applied it first to training military cyber warfare specialists, and, next, to training security analysts in the enterprise, government and academic communities.

I had the chance at RSA 2019 to visit again with Circadence security evangelist Keenan Skelly. We discussed the thinking behind using vivid, persistent learning modules, to both upskill cyber teams and attract fresh talent. Give a listen to the full interview via the accompanying podcast. Here’s a summary of the big takeaways:

Gamification defined

Gamification is an increasingly popular teaching tool, used everywhere from board rooms to kindergarten classrooms. Could it play a role in closing the skills gap?

Even though game is in the name, gamification isn’t about turning a Power Point presentation into an interactive Angry Birds tournament. Instead, it sets up an environment that’s immersive but fun for the user, taking them down an engaging path that makes them want to continue learning.

The way people are trained in cybersecurity right now is the opposite of gamification. It isn’t very exciting and not necessarily something the user wants to continue to train. But what if that training looked more like the game Call of Duty? …more

MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices

By Byron V. Acohido

A dozen years after Apple launched the first iPhone, igniting the smartphone market, the Bring Your Own Device to work phenomenon is alive and well.

Related: Stopping mobile device exploits.

The security issues posed by BYOD are as complex and difficult to address as ever. Meanwhile, the pressure for companies to proactively address mobile security is mounting from two quarters.

On one hand, regulators are ahead of the curve on this one; they’ve begun mandating that companies  account for data losses, including breaches in which mobile devices come into play. And on the other hand, cyber criminals are hustling to take full advantage of the corporate world’s comparatively slow response to a fast-rising threat.

Metrics are piling up showing just how pervasive mobile threats have become. Some  33 percent of companies participating in Verizon’s Mobile Security Index 2019 survey admitted to having suffered a compromise involving a mobile device —  and the majority of those affected said that the impact was major.

Verizon’s poll also found that 67 percent of organizations were less confident of the security of mobile devices, as compared to other IT assets. And all of this is unfolding as employees continue to increasingly use both company-issued phones, and their personally-owned devices, to access sensitive data and conduct business.

“The reality is users don’t care whether it’s a corporate-owned device or a BYOD, and neither do the attackers” said J.T. Keating, vice president of product strategy at Zimperium, a Dallas, TX-based supplier of mobile security systems. “Our phones are completely blended, in terms of access to corporate data and personal data.”

I had a lively discussion with Keating at RSA 2019. For a drill down on the full interview, give a listen to the accompanying podcast. Here are a few key takeaways.

Endpoint is an endpoint

That queasy feeling senior execs have about the murkiness of mobile security is well founded, based on the results of a simple experiment Zimperium conducted …more

NEW TECH: Brinqa takes a ‘graph database’ approach to vulnerability management, app security

By Byron V. Acohido

Imposing just the right touch of policies and procedures towards mitigating cyber risks is a core challenge facing any company caught up in digital transformation.

Related: Data breaches fuel fledgling cyber insurance market

Enterprises, especially, tend to be methodical and plodding. Digital transformation is all about high-velocity innovation and on-the-fly change. The yawning gap between the two is where fresh attack vectors are arising, creating a candy-store environment for threat actors.

Brinqa, an Austin, TX-based security vendor has come up with a cyber risk management platform designed to help companies take a much more dynamic approach to closing that gap, specifically in the areas of vulnerability management and application security, to start.

Brinqa was founded in 2009 by Amad Fida and Hilda Perez, industry veterans seeking to leverage their collective expertise in risk management and identity and access management. Early on, a customer of their cyber risk management solution asked if they could assess a physical location, down to the fire extinguishers.

An early version of their platform was already live. But that assignment led Fida and Perez to re-architecture the platform around graph databases and knowledge graphs. It was an approach they felt would be flexible enough to keep up with rapidly-evolving enterprise technology infrastructure.

I had the chance at RSA 2019 to meet with Syed Abdur, Brinqa’s director of products, who provided more background. For a full drill down, please give a listen to the full Last Watchdog interview via the accompanying podcast. Here are the key takeaways:

Blistering pace

On-premises data centers look to remain a big part of hybrid cloud networks, going forward, and keeping these systems up to date, with respect to vulnerability patching, isn’t getting easier.

By many measures, the vulnerability management challenge companies face is getting steeper. The National Institute of Standards and Technology’s National Vulnerbility Database, logged around 14,000 unique vulnerabilities, up from 13,000 in 2017 and 6,000 in 2016. …more

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

By Byron V. Acohido

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

•A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

•Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

•A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation systems. They will require an exploding number of APIs to connect each microservice, to each software container, to each orchestration tool, on up the software stack, to each new mobile app delivering each of our daily digital experiences. …more