Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

NEW TECH: Why it makes more sense for ‘PAM’ tools to manage ‘Activities,’ instead of ‘Access’

By Byron V. Acohido

Privileged Access Management (PAM) arose some 15 years ago as an approach to restricting  access to sensitive systems inside of a corporate network.

Related: Active Directory holds ‘keys to the kingdom’

The basic idea was to make sure only the folks assigned “privileged access’’ status could successfully log on to sensitive servers. PAM governs a hierarchy of privileged accounts all tied together in a Windows Active Directory (AD) environment.

It didn’t take cyber criminals too long to figure out how to subvert PAM and AD – mainly by stealing or spoofing credentials to log on to privileged accounts. All it takes is one phished or hacked username and password to get a toehold on AD. From there, an intruder can quickly locate and take control of other privileged accounts. This puts them in position to systematically embed malware deep inside of compromised networks.

Shoring up legacy deployments of PAM and AD installations has become a cottage industry unto itself, and great strides have been made. Even so, hacking groups continue to manipulate PAM and AD to plunder company networks. And efforts to securely manage privileged access accounts isn’t going to get any easier, going forward, as companies increase their reliance on hybrid IT infrastructures.

I had the chance to discuss this with Gerrit Lansing, Field CTO at Stealthbits Technologies, a Hawthorne, NJ-based supplier of software to protect sensitive company data. We spoke at RSA 2020. For a full drill down of our discussion, give the accompanying podcast a listen. Here are the key takeaways.

Enticing target

For 90 percent of organizations, Windows Active Directory is the hub for all identities, both human and machine. AD keeps track of all identities and enables all human-to-machine and machine-to-machine communications that take place on the network. PAM grants privileges to carry out certain activities on higher level systems.

Comment | Read | April 22nd, 2020 | For technologists | New Tech | Podcasts | RSA Podcasts | Steps forward

NEW TECH: Semperis introduces tools to improve security resiliency of Windows Active Directory

By Byron V. Acohido

Ransomware continues to endure as a highly lucrative criminal enterprise.

Ransomware hacking groups extorted at least $144.35 million from U.S. organizations between January 2013 and July 2019. That’s the precise figure recently disclosed by the FBI — the true damage is almost certainly a lot steeper, given only a portion of cyber crimes ever get reported to law enforcement.

To get a foot in the door, ransomware purveyors direct weaponized email at a targeted employee. Once inside a network, they move laterally to locate and encrypt mission-critical systems; a ransom demand for a decryption key follows. In many cases, the lateral movement phase is being facilitated by the hijacking of an ubiquitous network administrator’s tool: Windows Active Directory, or AD.

I had a chance, once again, to discuss the yin vs. yang relating to Active Directory’s pivotal placement in the heart of corporate networks with Mickey Bresman,  co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. We met at RSA 2020. For a drill down on our discussion, give the accompanying podcast a listen. Here are key excerpts.

Ransomware uptick

AD enables IT staffers to manage access to servers and applications across the breadth of any Windows-based network; it’s used in 90 percent of U.S. organizations, which translates into tens of thousands of companies and agencies. In the spring of 2017, the WannaCry and NotPetya ransomware worms blasted around the globe, freezing up the Active Directory systems of thousands of companies.

One Comment | Read | April 16th, 2020 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

SHARED INTEL: Study shows mismanagement of ‘machine identities’ triggers $52 billion in losses

By Byron V. Acohido

In one sense, digital transformation is all about machines.

Related: Authenticating IoT devices

Physical machines, like driverless vehicles and smart buildings; but, even more so, virtual machines. I’m referring to the snippets of “microservice” coding placed inside of modular software “containers” that get mixed and matched in “storage buckets,” and then processed in  “serverless computers” residing in the Internet cloud.

These virtual machines – which happen to be mushrooming in number — underly the physical machines. This all adds up to high-speed, agile innovation. But the flip side is that fresh software vulnerabilities are getting spun up, as well. Machines control the flow of all types of sensitive data. As a result, the way in which they connect and authorize communication makes them a primary security risk for organizations. And, cyber criminals, no surprise, are taking full advantage.

Now comes a study from Boston-based consultancy Air Worldwide that puts some hard numbers on the degree to which threat actors are plundering virtual machines. The report, titled The Economic Impact of Machine Identity Breaches, was commissioned by Salt Lake City, UT-based security vendor Venafi.

According to the study, poor management of machine identities leads directly to an estimated $52 billion to $72 billion in losses annually. What’s more, large enterprises, i.e. those with $2 billion or more in annual revenue, are getting hit twice as hard as smaller organizations, when it comes to cyber attacks that exploit anemic protections for machine identities.

I had a chance to visit once again with Jeff Hudson, Venafi’s outspoken CEO at RSA 2020. We had a lively discussion about the backdrop of the study, and its going-forward implications. For a full drill down, please give the accompanying podcast a listen. Here are excerpts, edited for clarity and length:

One Comment | Read | April 14th, 2020 | For technologists | Imminent threats | Podcasts | RSA Podcasts

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

Comment | Read | April 13th, 2020 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

MY TAKE: ‘Network Detection and Response’ emerges as an Internet of Things security stopgap

By Byron V. Acohido

There’s no stopping the Internet of Things now.

Related: The promise, pitfalls of IoT

Companies have commenced the dispersal of IoT systems far and wide. Data collected by IoT devices will increasingly get ingested into cloud-centric networks where it will get crunched by virtual servers. And fantastic new IoT-enabled services will spew out of the other end.

The many privacy and security issues raised by IoT, however, are another story. The addressing of IoT privacy and security concerns lags far, far behind. Commendably, the global cybersecurity community continues to push companies to practice cyber hygiene. And industry groups and government regulators are stepping up efforts to incentivize IoT device makers to embed security at the device level.

Very clearly, something more is needed. That’s where a cottage industry of security companies in the Network Detection and Response (NDR) space comes into play. NDR vendors champion the notion that it’s a good idea for someone to be keeping an eagle eye on the rivers of packets that crisscross modern enterprise networks, especially packets flooding in from IoT systems. That can be done very efficiently today, and would markedly improve network security without waiting for better security practices or tougher industry standards to take hold, they argue.

I had a fascinating discussion about this with Sri Sundaralingam, vice president of cloud and security solutions at ExtraHop, a Seattle-based supplier of NDR technologies. We spoke at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are the key takeaways:

IoT surge

According to Fortune Business Insights, the global IoT market will top $1.1 trillion by 2026, up from $190 billion in 2018. That’s a compounded annual growth rate of a whopping 24.7 percent.

One Comment | Read | April 9th, 2020 | For technologists | My Take | Podcasts | RSA Podcasts | Steps forward | Top Stories

SHARED INTEL: How attacks on web, mobile apps are being fueled by rising API vulnerabilities

By Byron V. Acohido

Application programming interface. API. It’s the glue holding digital transformation together.

Related: A primer on ‘credential stuffing’

APIs are the conduits for moving data to-and-fro in our digitally transformed world. APIs are literally everywhere in the digital landscape, and more are being created every minute. APIs connect the coding that enables the creation and implementation of new applications.

However, APIs also manifest as a wide open, steadily expanding attack vector. Many organizations caught up in the frenzy of digital transformation don’t fully appreciate the gaping exposures APIs have come to represent.

I had the chance to discuss this with Matt Keil, director of product marketing at Cequence Security, a Sunnyvale, Calif.-based application security vendor that’s in the thick of helping businesses mitigate web application exposures. We spoke at RSA 2020. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways:

Romance scams

Like many modern companies, Zoosk, the popular San Francisco-based dating site, rests on infrastructure that’s predominantly cloud-based. Zoosk’s core service is delivered via a mobile app that has 20 different registration and/or login pages – all are API driven.

Thus, it was well worth it for a hacking group to study Zoosk’s IT stack to reconnoiter its weak points.  Here’s how Keil breaks down what happened:

Comment | Read | April 7th, 2020 | For consumers | For technologists | Imminent threats | Podcasts | RSA Podcasts | Top Stories

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

One Comment | Read | April 6th, 2020 | Best Practices | For consumers | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

« Newer Articles
Older Articles »