Privacy

 

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

Related: Why carpet bombing email campaigns endure

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S. Government Accountability Office audit last week found that the defense department is playing catch up when it comes to securing weapons systems from cyberattacks. At an earlier Senate hearing, GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tends to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised. Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.


One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more

Q&A: The troubling implications of normalizing encryption backdoors — for government use

By Byron V. Acohido

Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?

We know how Vladimir Putin, Xi Jinping and Kim Jong-un would answer: “Of course!”

Related: Nation-state hacks suggest cyber war is underway

The disturbing thing is that in North America and Europe more and more arguments are being raised in support of creating and maintaining encryption backdoors for government use. Advocates claim such access is needed to strengthen national security and hinder terrorism.

But now a contingent of technology industry leaders has begun pushing back. These technologists are in full agreement with privacy and civil rights advocates who argue that this is a terrible idea.

They assert that the risk of encryption backdoors ultimately being used by criminals, or worse than that, by a dictator to support a totalitarian regime, far outweighs any incremental security benefits. I had an invigorating discussion with Jeff Hudson, CEO of Venafi, about this at Black Hat USA 2018.

Venafi is the leading provider of machine identity protection. Machine to machine connection and communication needs to be authenticated to access systems, so this technology is where the rubber meets the road, with respect to this debate. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: What’s wrong with granting governments the ability to break encryption?

Venafi: It has been established over a long period of time that the minute you put a backdoor in, and you think it’s secure, it almost immediately will fall into the wrong hands. Because it’s there, the bad guys will get to it. This makes backdoors the worst possible things for security.

The government wants to be able to surveil network traffic, and they want backdoors so they can see everything. If they can see all the traffic all the time, they can just sit back and surveil everything. …more

MY TAKE: Poorly protected local government networks cast shadow on midterm elections

By Byron V. Acohido

In March 2018, the city of Atlanta fell victim to a ransomware attack that shut down its computer network. City agencies were unable to collect payment. Police departments had to handwrite reports. Years of data disappeared.

Related: Political propaganda escalates in U.S.

The attack also brought cybersecurity to the local level. It’s easy to think of it as a problem the federal government must address or something that enterprises deal with, but cybersecurity has to be addressed closer to home, as well.

I spoke to A.N. Ananth, CEO of EventTracker, a Netsurion company, about this at Black Hat USA 2018. His company supplies a co-managed SIEM service to mid-sized and large enterprises, including local government agencies.

EventTracker has a bird’s eye view; its unified security information and event management (SIEM) platform includes behavior analytics, threat detection and response, honeynet deception, intrusion detection and vulnerability assessment, all of which are coupled with its SOC for a co-managed solution. For a drill down on our discussion, give the accompanying podcast a listen. Here are key takeaways:

Local risks

Security of local and state government agencies takes on a higher level of urgency as we get closer to the midterm elections.

“State and local governments are not immune to the digital transformation so their dependence on IT is as high as it’s ever been,” says Ananth. “Consequently, the security of these kinds of systems has become paramount.”

If all politics are local, elections are even more so. According to the National Conference of State Legislatures, security for elections is in the hands of local election administrators, overseen by the state’s chief election official, but protection has been lacking.

During 2016, 39 states were hacked. At least one state saw an attempt to delete voter rolls; …more

MY TAKE: As phishers take aim at elections, why not train employees to serve as phishing police?

By Byron V. Acohido

If there is a data breach or some other cybersecurity incident, a phishing attack was probably involved. Over 90 percent of incidents begin with a phishing email. One of the more infamous hacks in recent years, the DNC data breach, was the result of a phishing attack.

Related: Carpet bombing of phishing emails endures

Phishing is the number one way organizations are breached, Aaron Higbee, CTO and co-founder of Cofense, told me at Black Hat USA 2018 in Las Vegas. Even though phishing has been a problem for years and most people are aware of what a phishing email looks like, we still fall for them.

Higbee and I discussed why phishing remains so effective and how organizations can improve their anti-phishing defenses. For a full run-through of our conversation, please listen to the accompanying podcast. Here are a few major takeaways:

Targeting the DNC

The Democratic National Committee is like other grassroots organizations. While there are some professional staff at the top, most of the organization is made up of volunteers, juggling their time doing committee work with their day jobs. Most of them are using their own smartphones, tablets and laptops. These organizations don’t operate under the IT security controls you find in the enterprise.

Yet, Higbee points out, the DNC was following at least one recommended security protocol: Multi-factor authentication (MFA) was enabled through Office 365. …more

MY TAKE: The back story on the convergence, continuing evolution of endpoint security

By Byron V. Acohido

No one in cybersecurity refers to “antivirus” protection any more. The technology that corrals malicious software circulating through desktop PCs, laptops and mobile devices has evolved into a multi-layered security technology referred to as ‘endpoint security.’

This designation change unfolded a few years back. It was a reflection of attackers moving to take full advantage of the fresh attack vectors cropping up as companies retooled their legacy networks – comprised of ‘on-premises’ servers and clients – to operate in the expanding world of cloud services, mobile devices and the Internet of Things.

Having covered Symantec, McAfee, Trend Micro, Sophos, Kaspersky, et al. since the nascent days of the antivirus market, I find it fascinating that the top dozen or so antivirus players have all managed to remain in the game. What’s more, they’ve all successfully grown into multi-layered full-service endpoint security suppliers.

I visited with Joe Sykora, vice president of worldwide channel development for Bitdefender, at Black Hat USA 2018, and asked him to put the remarkable staying power of endpoint security in context. In 1990, Florin and Mariuca Talpes parlayed a $300 stake borrowed from a relative into a company which would become Bitdefender in 2001. Founded in Bucharest, the company of 1,600 employees is in the thick of reshaping endpoint security.

For a drill down on my discussion with Sykora, please listen to the accompanying podcast. Here are a few big takeaways: …more

Q&A: Here’s how Google’s labeling HTTP websites “Not Secure” will strengthen the Internet

By Byron V. Acohido

In a move to blanket the Internet with encrypted website traffic, Google is moving forward with its insistence that straggling website publishers adopt HTTPS Secure Sockets Layer (SSL).

Related: How PKI can secure IoT

Google’s Chrome web browser commands a 60% market share. So the search giant has been leading the push to get 100% of websites to jettison HTTP and replace it with HTTPS. The former – Hypertext Transfer Protocol – standardized the way web browsers fetch a web page from its host server and thus made the world wide web as we know it today possible.

But HTTP connections are carried out in plain text. This makes it trivial for eavesdroppers to snatch plain-text communications, such as when users fill out forms on web pages or use shopping carts or conduct online banking. This makes any personal information and details of financial transactions typed on HTTP web pages easy pickings.

So along came SSL and its successor, Transport Layer Security (TLS), the underpinnings of secure online transactions. SSL and TLS come into play in the form of digital certificates issued by Certificate Authorities (CAs), vendors that diligently verify the authenticity of websites, and then also help the website owners encrypt the information consumers type into web page forms.

The PKI (public key infrastructure) encryption protocol makes all this happen instantaneously, triggering a visual confirmation – the tiny green padlock preceding the HTTPS address in Chrome’s address bar.

With the release of its Chrome 68 browser on July 24, any web page not running HTTPS with a valid TLS certificate will display a “Not Secure” warning in Chrome’s address bar. …more

Q&A: How your typing and screen swiping nuances can verify your identity

By Byron V. Acohido

The recent data breaches at Timehop and Macy’s are the latest harbingers of what’s in store for companies that fail to vigorously guard access to all of their mission-critical systems.

Related podcast: Why identities are the new firewall

A common thread to just about every deep network breach these days is the failure of the victimized entity to effectively deploy multi-factor authentication (MFA) to at least make it harder for threat actors to access their sensitive systems.

Compromised accounts came into play in data breaches of Uber, Tesla, Gemalto, Aviva, Equifax and many others. Threat actors are authenticating themselves at numerous junctures in order to gain deep access and deliver malicious payloads without being detected.

And with “digital transformation” accelerating, there are so many more weakly-secured login accounts just waiting to be maliciously manipulated.

Generally speaking, companies have yet to fully address authentication weaknesses with respect to their legacy on-premises systems. And yet they are doubling down on public cloud services, as well as increasing their dependence on an entirely new solar system of software “microservices” and “containers” that come and go.

The vast majority of these new, interconnected components and layers that make up digital transformation require login accounts, which translates into a fresh galaxy of attack vectors.

The good news is that this is a solvable problem. The Identity Access Management (IAM) space is one of the more mature subsectors of the cybersecurity industry. And IAM vendors are innovating like crazy. They are bringing data-analytics, machine-learning and behavioral biometrics to bear, to help companies more effectively manage account authentication, without slowing down digital transformation.

For instance, IAM supplier Optimal IdM recently announced that it is partnering with TypingDNA to add “typing behavior analysis” as an added feature to its core MFA services. I asked Chris Curcio, vice-president of channel sales at Optimal IdM, to set the wider context. Here are excerpts of the interview, edited for clarity and length. …more