Privacy

NEW TECH: Silverfort deploys ‘multi-factor authentication’ to lock down ‘machine identities’

By Byron V. Acohido

From the start, two-factor authentication, or 2FA, established itself as a simple, effective way to verify identities with more certainty.

Related: A primer on IoT security risks

The big hitch with 2FA, and what it evolved into – multi-factor authentication, or MFA – has always been balancing user convenience and security. That seminal tension still exists today even as the global cybersecurity community is moving to extend MFA as a key security component in much more complex digital systems spinning out of digital transformation.

One leading innovator in this space is Tel Aviv-based Silverfort. I’ve had a number of conversations with company co-founder and CEO Hed Kovetz over the past couple of years, and I had the chance to meet with him again at Black Hat 2019.

One thing I learned from Kovetz this time was that secure authentication seems destined to play a major role, going forward, in verifying not just human identities but also machine identities. In terms of baking in security at a fundamental level of future systems, that’s very significant. For a drill down on why that’s so, give a listen to our full discussion in the accompanying podcast. Here are the key takeaways:

A machine’s world

Machines are taking over. A machine, in this context, is any piece of hardware or software that can accept and execute instructions. This includes the beefy servers humming along in vast data centers and providing the infrastructure for cloud services.

And it also includes software: the modular “microservices” written by third-party developers; the software “containers” inside of which these microservices get mixed and matched; and the billions of APIs that enable two disparate machines to exchange data. In this realm, the identity of each and every machine must be verified, or chaos would rule.

Machine identities are verified by digital certificates that leverage the public key infrastructure (PKI), a framework for encrypting data and authenticating web entities. These identity certificates – and the encrypted keys to authenticate them – get issued by Certificate Authorities (CAs), vendors that diligently verify the authenticity of websites. …more

MY TAKE: How blockchain technology came to seed the next great techno-industrial revolution

By Byron V. Acohido

Some 20 years ago, the founders of Amazon and Google essentially set the course for how the internet would come to dominate the way we live.

Jeff Bezos of Amazon, and Larry Page and Sergey Brin of Google did more than anyone else to actualize digital commerce as we’re experiencing it today – including its dark underbelly of ever-rising threats to privacy and cybersecurity.

Related: Securing identities in a blockchain

Today we may be standing on the brink of the next great upheaval. Blockchain technology in 2019 may prove to be what the internet was in 1999.

Blockchain, also referred to as distributed ledger technology, or DLT, is much more than just the mechanism behind Bitcoin and cryptocurrency speculation mania. DLT holds the potential to open new horizons of commerce and culture, based on a new paradigm of openness and sharing.

Some believe that this time around there won’t be a handful of tech impresarios grabbing a stranglehold on the richest digital goldmines. Instead, optimists argue, individuals will arise and grab direct control of minute aspects of their digital personas – and companies will be compelled to adapt their business models to a new ethos of sharing for a greater good.

At least that’s one Utopian scenario being widely championed by thought leaders like economist and social theorist Jeremy Rifkin, whose talk, “The Third Industrial Revolution: A Radical New Sharing Economy,” has garnered 3.5 million views on YouTube. And much of the blockchain innovation taking place today is being directed by software prodigies, like Ethereum founder Vitalik Buterin, who value openness and independence above all else.

Public blockchains and private DLTs are in a nascent stage, as stated above, approximately where the internet was in the 1990s. This time around, however, many more complexities are in play – and consensus is forming that blockchain will take us somewhere altogether different from where the internet took us.

“With the Internet, a single company could take a strategic decision and then forge ahead, but that’s not so with DLT,” says Forrester analyst Martha Bennett, whose cautious view of blockchain we’ll hear later. “Blockchains are a team sport. There need to be major shifts in approach and corporate culture, towards collaboration among competitors, before blockchain-based networks can become the norm.”

That said, here are a few important things everyone should understand about the gelling blockchain revolution. …more

SHARING INTEL: Why full ‘digital transformation’ requires locking down ‘machine identities’

By Byron V. Acohido

Digital commerce has come to revolve around two types of identities: human and machine.

Great effort has gone into protecting the former, and yet human identities continue to get widely abused by cyber criminals. By comparison, scant effort has gone into securing the latter. This is so in spite of the fact that machine identities are exploding in numbers and have come to saturate digital transformation.

Related: IoT exposures explained

I’ve conversed several times with Jeff Hudson about this. Hudson is CEO of Salt Lake City, UT-based Venafi, a leading provider of machine identity protection solutions. Each time I’ve come away with a better grasp of how machine identities have come to play such a pivotal role in the IT systems taking us forward – and yet how vulnerable they remain to attack in the current environment.

We had a chance to meet again at Black Hat 2019. For a full drill down of our wide-ranging discussion please give a listen to the accompanying podcast. Here are a few key takeaways:

Machines on the march

Cloud computing and DevOps have given rise to a whirlwind of new types of machines. A machine, in this context, refers to any piece of hardware or software that can accept and execute instructions. The hardware servers humming along in vast data centers are, indeed, machines.

And so are the modular “microservices” written by far-flung third-party developers, who specialize in mixing, matching and reusing microservices assembled inside of software “containers,” which are another type of machine. APIs, the interface coding that allows two different machines to exchange data – for instance, an IoT device and a command server – are machines as well. This is how cool new digital services are getting spun up at high velocity. …more

NEW TECH: ‘Passwordless authentication’ takes us closer to eliminating passwords as the weak link

By Byron V. Acohido

If there ever was such a thing as a cybersecurity silver bullet it would do one thing really well: eliminate passwords.

Threat actors have proven to be endlessly clever at abusing and misusing passwords. Compromised logins continue to facilitate cyber attacks at all levels, from phishing ruses to credential stuffing to enabling hackers to probe deep inside of a breached network.

Related: The Internet of Things is just getting started

The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. So what’s stopping us from getting rid of passwords altogether?

The hitch, of course, is that password-enabled account logins are too deeply ingrained in legacy network infrastructure. For most large enterprises, it would be much too costly and too disruptive to jettison the use of passwords entirely.

That said, we may very well be in the early adopter phase of weaving leading-edge “password-less authentication” solutions into pliant areas of legacy networks. I recently had the chance to drill down on this trend with Trusona, a 3-year-old Scottsdale, AZ company that is pioneering a password-less multi-factor authentication platform.

I interviewed Sharon Vardi, Trusona’s chief marketing officer, about what the path forward looks like, in terms of someday eliminating passwords from digital commerce. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways.

History lesson

A couple of thousand years ago, Roman troops used passwords to distinguish friend from foe as they patrolled the empire. In 1960, an MIT computer scientist named Fernando Corbató introduced the use of passwords in a mainframe computing project, not really to lock any intruders out. Corbató sought a simple way to let his colleagues store private files on multiple terminals – and passwords fit the bill.

As computers shrank in size, and then spread into our homes and everyday workplaces, passwords stuck around. Username and password logins emerged as the go-to way to control access to network servers, business applications and Internet-delivered consumer services. Passwords may have been very effective at securing Roman roads. But they quickly proved to be a very brittle cybersecurity mechanism. …more

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes – by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions in recovery costs for the cities of Baltimore and Atlanta, and prompted numerous small cities to pay six-figure ransoms for decryption keys, is a prime example of this, Shier says. …more

MY TAKE: ‘Perimeter-less’ computing requires cyber defenses to extend deeper, further forward

By Byron V. Acohido

Threat actors are opportunistic, well-funded, highly-motivated and endlessly clever.

Therefore, cybersecurity innovations must take hold both deeper inside and at the leading edges of modern business networks.

Related: Lessons learned from Capital One breach

Most of the promising new technologies I’ve had the chance to preview this year validate this notion. The best and brightest security innovators continue to roll out solutions designed to stop threat actors very deep – as deep as in CPU memory – or at the cutting edge: think cloud services, IoT and DevOps exposures.

Juniper Networks, the Sunnyvale, CA-based supplier of networking equipment, I discovered, is actually doing both. I came to this conclusion after meeting with Oliver Schuermann, Juniper’s senior director of enterprise marketing.

We met at Black Hat 2019 and Schuermann walked me through how Juniper’s security play pivots off the evolving infrastructure of a typical corporate network. For a full drill down, please give a listen to the accompanying podcast. Here are the key takeaways:

Deeper sharing

Wider threat intelligence sharing continues to advance apace. I was in the audience at Stanford in 2015 when President Obama signed an executive order urging the corporate sector to accelerate the sharing of threat feeds among themselves and with the federal government.

Since then, a number of threat intel sharing consortiums have either formed or expanded their activities. One recent example is how five midwestern universities – Indiana, Northwestern, Purdue, Rutgers and Nebraska – partnered to create a joint security operation center to gather, analyze and act on threat feeds.

Juniper gathers threat feeds via a security framework, called SecIntl, that runs off servers tied together by Juniper equipment deployed globally in corporate networks. …more

NEW TECH: The march begins to make mobile app security more robust than legacy PC security

By Byron V. Acohido

Is mobile technology on a course to become more secure than traditional computing?

Seven or eight years ago, that was a far-fetched notion. Today, the answer to that question is, “Yes, it must, and soon.”

Related: Securing the Internet of Things

I’ve been writing about organizations struggling to solve the productivity vs. security dilemma that’s part and parcel of the BYOD craze for some time now. I can recall President Obama issuing BlackBerry phones and ordering his administration to copy his personal practice of using only hardened mobile devices. Yet, many of the government-issued BlackBerry phones got used sporadically, as staffers reverted to their personally owned iPhones and Androids.

What has happened over the past couple of years is that mobile computing has become the cornerstone of our work and personal lives. Meanwhile, threat actors, as you might expect, are increasingly probing for, regularly discovering and enthusiastically exploiting mobile security flaws.

The good news is that cybersecurity vendors continue to innovate, as they have all along. And they appear to be closing in on fresh approaches that should translate into solutions for the longer haul. It is early still, but it looks like we may not have to carry two smartphones after all: a locked-down company phone as well as our favorite personal device.

I had the chance to discuss this with Jonas Gyllensvaan and Brian Egenrieder, Chief Executive Officer and Chief Revenue Officer, respectively, of mobile security vendor SyncDog. We spoke at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Securing provisioned devices

From the very start of the smartphone era, employees demonstrated that they did not mind paying for the latest, coolest device and using it for both home and work tasks. By 2011 or so, it was clear the BYOD trend was unstoppable, and companies began to impose much tighter security constraints.

Along came MDM (mobile device management) services to handle the inventorying and provisioning of these new endpoints. MDMs gave companies the ability to micromanage company-issued devices, adding password protection and remote wiping capabilities. A security staffer could remotely “brick” a company device gone temporarily missing, even if it had just slipped under a couch cushion. The employer could even block access to app stores, disable phone cameras or use the device’s GPS function to monitor where an employee spends work and personal hours.

Employees bristled – and companies responded by exerting even more granular control by embedding EMM (enterprise mobility management), MAM (mobile application management) and UEM (unified endpoint management) systems on provisioned devices. …more