Privacy

 

GUEST ESSAY: 3 key ingredients to stress-free compliance with data handling regulations

By Izak Bovee

The variety of laws and regulations governing how organizations manage and share sensitive information can look like a bowl of alphabet soup: HIPAA, GDPR, SOX, PCI and GLBA. A multinational conglomerate, government contractor, or public university must comply with ten or more, which makes demonstrating regulatory compliance seem like a daunting, even impossible, undertaking. But there are a manageable number of precautions you can take to secure customer data that will tick the boxes for many different regulations.

Organizations that have control of their information have an easier time demonstrating compliance with regulations. Passing a compliance audit boils down to proving to auditors that your organization has implemented three fundamental things: adequate data security, …more

Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.

Related article: Is your mobile device spying on you?

This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will …more

Will GDPR usher in a new paradigm for how companies treat consumers’ online privacy?

By Byron V. Acohido

Back in 2001, Eric Schmidt, then Google’s CEO, described the search giant’s privacy policy as “getting right up to the creepy line and not crossing it.”

Well, Europe has now demarcated the creepy line – and it is well in favor of its individual citizens. The General Data Protection Regulation, or GDPR, elevates the privacy rights of individuals and imposes steep cash penalties for companies that cross the creepy line – now defined in specific detail.

Related article: Zuckerberg’s mea culpa reveals reprehensible privacy practices

Europe’s revised online privacy regulations took effect last Friday. European businesses are bracing for disruption – and U.S. companies won’t be immune to the blowback. There are more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses. All of them, from Google, Facebook and Microsoft, down to mom-and-pop wholesalers and service providers, now must comply with Europe’s new rules for respecting an individual’s online privacy.

The EU is expected to levy GDPR fines totaling more than $6 billion in the next 12 months, an estimate put out by insurance giant Marsh & McLennan. As these penalties get dished out, senior management will become very uncomfortable; they’ll be forced to assume greater responsibility for cybersecurity and privacy, and not just leave it up to the IT department.

This is all unfolding as companies globally are racing to embrace digital transformation – the leveraging of cloud services, mobile computing and the Internet of Things to boost innovation and profitability. In such a heady business environment, a regulatory hammer was necessary to give companies pause to consider the deeper implications of poorly defending their networks and taking a cavalier attitude toward sensitive personal data. …more

PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?

By Byron V. Acohido

The human attack vector remains the most pervasively probed path for malicious hackers looking to gain a foothold inside a company’s firewall.

And yet, somehow, cyber awareness training has not kept pace. Circadence hopes to change that. The Boulder, Colo.-based company got its start in the gaming industry 20 years ago, shifted to supplying cyber warfare training ranges to the military, and now is making a push to help companies add truly effective employee cyber awareness training as a key component to keeping their networks safe.

Related article: Why employee cyber training needs an overhaul

For years, teachers told us that learning can be fun. Circadence is taking that philosophy and running with it. The company is seeking to adapt “gamification” technologies to employee cyber awareness training. If it succeeds, it could help set a new paradigm for addressing the “people” component of defending networks.

I had the chance to converse with Keenan Skelly, Circadence vice president of global partnerships and security evangelist, at RSA Conference 2018 in San Francisco. For a drill down on our discussion, give a listen to the accompanying podcast. Here are a few high-level takeaways:

Gamers’ edge

Circadence got its start in the early 1990s as a publisher of one of the earliest massively multiplayer games. It turned out that the company’s expertise in generating and displaying complex graphics and getting high fidelity data from point A to point B in fantasy landscapes had a very useful real-world application – helping U.S. military operatives maintain an edge while engaging in ongoing cyber warfare. …more

GUEST ESSAY: Rising workplace surveillance is here to stay; here’s how it can be done responsibly

By Elizabeth Rogers

People often recite the cynical phrase that ‘privacy is dead.’ I enthusiastically disagree and believe, instead, that anonymity is dead.

One area where this is being increasingly demonstrated is in the workplace. Employee surveillance has been rising steadily in the digital age. And because it’s difficult, if not impossible, to keep one’s digital work life separate from one’s digital private life, the potential for abuse to happen while carrying out an employee surveillance program is real.

Related video: SXSW panel hashes over employee monitoring

However, I firmly believe that, together, we can preserve employee privacy through clearly stated social ‘contracts’ and fair enforcement of same.

Let’s begin with the notion that employees, unless advised otherwise, have a right to privacy in the workplace. However, the scales also tip in favor of the employer to monitor threats to the company’s intellectual property.

Unique ties

Employers and employees share a unique relationship built on trust. When it comes to assets of the company, it is in the mutual interest of both that they stay protected. Generally, employees will sign a contract, in the form of a Non-disclosure Agreement that yields to the …more

PODCAST: Why companies need a strategy to manage compliance, now more than ever

By Byron V. Acohido

Businesses are embracing the public cloud at an accelerated pace — and for good reason. By tapping hosted services, companies of all sizes and in all verticals are finding fresh, dynamic ways to engage with employees, suppliers, partners and customers.

Related articles: 5 things to do to prep for GDPR

However, as companies race to mix and match cloud-delivered storage, processing power and business apps from the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in traditional perimeter network defenses are turning up. Smitten by the benefits of cloud computing, many companies have not bothered to fully address the “shared responsibility” model for security underlying the public cloud.

By the same token, ever-opportunistic cyber criminals have already begun pouncing on these emerging exposures. Emergent cloud computing vulnerabilities have gotten a lot of attention from the cybersecurity community, as well they should.

Much less well understood, and yet quite possibly a much more clear and present risk for many thousands of companies, is the risk of non-compliance. It turns out that in the rush to move to the cloud, companies have created many more opportunities for violating the matrix of industry standards and government regulations that touch on data handling and data privacy. …more

MY TAKE: A breakdown of why Spectre, Meltdown signal a coming wave of ‘microcode’ attacks

By Byron V. Acohido

Hundreds of cybersecurity vendors are making final preparations to put their best foot forward at the RSA Conference at San Francisco’s sprawling Moscone Center next week. This will be my 15th RSA, and I can say that there is a distinctively dark undertone simmering under this year’s event. It has to do with a somewhat under-the-radar disclosure in early January about a tier of foundational security holes no one saw coming.

Related article: Meltdown, Spectre foreshadow another year of nastier attacks

Spectre and Meltdown drew a fair amount of mainstream news coverage. But I fear their true significance hasn’t resonated. We now know that there will be no quick way to fix this pair of milestone vulnerabilities that lurk in the architecture of just about every modern processor chip.

As I get ready to head to RSA, it struck me that none of the legacy security systems being hyped at the glitzy exhibition booths I’ll see at RSA seem able to solve this problem or mitigate the risks.

“Spectre and Meltdown will be the enormous elephants in the room at RSA,” said Atiq Raza, CEO of security firm Virsec. “The chip and OS vendors have failed with multiple patches and are asking for patience. Meanwhile, few security vendors understand or monitor what happens between applications and processors. This is leaving most customers worried and scratching their heads.”

Chip/kernel 101

To understand how profoundly Spectre and Meltdown have changed the cybersecurity landscape requires a bit of technical context. Processor chips are formally referred to as the Central Processing Unit, or CPU. These are the semiconductor chips manufactured by Intel, AMD, ARM and a few others.

CPUs give life to any computing device you can name. CPUs interact with the operating system, or OS, such as Windows, Macintosh, iOS and Linux. The OS, in turn, enables applications such as web browsers, smartphones, business apps, web apps, games, video — and the digital infrastructure behind them — to run.

Around 1995, CPUs started getting dramatically faster and have been getting incrementally faster ever since. This happened both because of improvements in the hardware and clever ways engineers found to make processes more efficient. Every OS has a core piece of software, called the kernel, that manages and directs how each application can tap into the CPU. Keep in mind, …more