Privacy

PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?

By Byron V. Acohido

The human attack vector remains the most pervasively probed path for malicious hackers looking to gain a foothold inside a company’s firewall.

And yet, somehow, cyber awareness training has not kept pace. Circadence hopes to change that. The Boulder, Colo.-based company got its start in the gaming industry 20 years ago, shifted to supplying cyber warfare training ranges to the military, and now is making a push to help companies add truly effective employee cyber awareness training as a key component of keeping their networks safe.

Related article: Why employee cyber training needs an overhaul

For years, teachers told us that learning can be fun. Circadence is taking that philosophy and running with it. The company is seeking to adapt “gamification” technologies to employee cyber awareness training. If it succeeds, it could help set a new paradigm for addressing the “people” component of defending networks.

I had the chance to converse with Keenan Skelly, Circadence vice president of global partnerships and security evangelist, at RSA Conference 2018 in San Francisco. For a drill down on our discussion, give a listen to the accompanying podcast. Here are a few high-level takeaways:

Gamers’ edge

Circadence got its start in the early 1990s as a publisher of one of the earliest massively multiplayer games. It turned out that the company’s expertise in generating and displaying complex graphics and getting high fidelity data from point A to point B in fantasy landscapes had a very useful real-world application – helping U.S. military operatives maintain an edge while engaging in ongoing cyber warfare. …more

GUEST ESSAY: Rising workplace surveillance is here to stay; here’s how it can be done responsibly

By Elizabeth Rogers

People often recite the cynical phrase that ‘privacy is dead.’ I enthusiastically disagree and believe, instead, that anonymity is dead.

One area where this is being increasingly demonstrated is in the workplace. Employee surveillance has been rising steadily in the digital age. And because it’s difficult, if not impossible, to keep one’s digital work life separate from one’s digital private life, the potential for abuse to happen while carrying out an employee surveillance program is real.

Related video: SXSW panel hashes over employee monitoring

However, I firmly believe that, together, we can preserve employee privacy through clearly stated social ‘contracts’ and fair enforcement of same.

Let’s begin with the notion that employees, unless advised otherwise, have a right to privacy in the workplace. However, the scales also tip in favor of the employer to monitor threats to the company’s intellectual property.

Unique ties

Employers and employees share a unique relationship built on trust. When it comes to assets of the company, it is in the mutual interest of both that they stay protected. Generally, employees will sign a contract, in the form of a Non-disclosure Agreement that yields to the …more

PODCAST: Why companies need a strategy to manage compliance, now more than ever

By Byron V. Acohido

Businesses are embracing the public cloud at an accelerated pace — and for good reason. By tapping hosted services, companies of all sizes and in all verticals are finding fresh, dynamic ways to engage with employees, suppliers, partners and customers.

Related article: 5 things to do to prep for GDPR

However, as companies race to mix and match cloud-delivered storage, processing power and business apps from the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in traditional perimeter network defenses are turning up. Smitten by the benefits of cloud computing, many companies have not bothered to fully address the “shared responsibility” model for security underlying the public cloud.

By the same token, ever-opportunistic cyber criminals have already begun pouncing on these emerging exposures. Emergent cloud computing vulnerabilities have gotten a lot of attention from the cybersecurity community, as well they should.

Much less well understood, and yet quite possibly a much more clear and present risk for many thousands of companies, is the risk of non-compliance. It turns out that in the rush to move to the cloud, companies have created many more opportunities for violating the matrix of industry standards and government regulations that touch on data handling and data privacy. …more

MY TAKE: A breakdown of why Spectre, Meltdown signal a coming wave of ‘microcode’ attacks

By Byron V. Acohido

Hundreds of cybersecurity vendors are making final preparations to put their best foot forward at the RSA Conference at San Francisco’s sprawling Moscone Center next week. This will be my 15th RSA, and I can say that there is a distinctively dark undertone simmering under this year’s event. It has to do with a somewhat under-the-radar disclosure in early January about a tier of foundational security holes no one saw coming.

Related article: Meltdown, Spectre foreshadow another year of nastier attacks

Spectre and Meltdown drew a fair amount of mainstream news coverage. But I fear their true significance hasn’t resonated. We now know that there will be no quick way to fix this pair of milestone vulnerabilities that lurk in the architecture of just about every modern processor chip.

As I get ready to head to RSA, it struck me that none of the legacy security systems being hyped at the glitzy exhibition booths I’ll see there seem able to solve this problem or mitigate the risks.


“Spectre and Meltdown will be the enormous elephants in the room at RSA,” said Atiq Raza, CEO of security firm Virsec. “The chip and OS vendors have failed with multiple patches and are asking for patience. Meanwhile, few security vendors understand or monitor what happens between applications and processors. This is leaving most customers worried and scratching their heads.”

Chip/kernel 101

To understand how profoundly Spectre and Meltdown have changed the cybersecurity landscape requires a bit of technical context. Processor chips are formally referred to as the Central Processing Unit, or CPU. These are the semiconductor chips made by Intel and AMD, or built to designs licensed from ARM, among a few others.

CPUs give life to any computing device you can name. CPUs interact with the operating system, or OS, such as Windows, macOS, iOS and Linux. The OS, in turn, enables applications such as web browsers, mobile apps, business apps, web apps, games and video — and the digital infrastructure behind them — to run.

Around 1995, CPUs started getting dramatically faster and have been getting incrementally faster ever since. This happened both because of improvements in the hardware and because of clever ways engineers found to make processing more efficient, such as letting the CPU guess ahead and start executing instructions before it knows for certain they will be needed. Every OS has a core piece of software, called the kernel, that controls how each application is allowed to use the CPU and memory, and that is supposed to keep one application from reading another’s memory, or the kernel’s own. Keep in mind, …more
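The practical question for anyone running servers is what their own kernel says about these holes. The following is an added example, not code from the article or from any vendor it mentions: a POSIX shell script that reads the one-file-per-issue status interface Linux has exposed since 4.15 under /sys/devices/system/cpu/vulnerabilities/ (each file reads “Not affected”, “Mitigation: …”, “Vulnerable” or, on newer kernels, “Unknown: …”) and flags anything still reported as Vulnerable. The directory is a parameter so the same functions can be pointed at a copied or constructed tree; the function names are my own, and any sample file contents used to exercise it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article). Summarize the Linux kernel's own
# assessment of Spectre/Meltdown-class issues. On Linux 4.15+ each issue has
# a file under /sys/devices/system/cpu/vulnerabilities/ whose single line is
# "Not affected", "Mitigation: <how>", "Vulnerable[: <detail>]" or
# "Unknown: <why>". Function names here are this example's own.

# count_unmitigated DIR: print the number of status files that still begin
# with "Vulnerable". A missing or empty directory counts as zero.
count_unmitigated() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# cpu_vuln_report [DIR]: print one line per issue, marking "Vulnerable" with
# "!!" and "Unknown" with "??", then a total. Returns 0 when nothing is left
# unmitigated, 1 when something is, 2 when the interface is not present
# (kernel older than 4.15, or not Linux at all).
cpu_vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the interface (Linux 4.15+) or this is not Linux"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) flag='!!' ;;
            Unknown*)    flag='??' ;;
            *)           flag='  ' ;;
        esac
        printf '%s %-24s %s\n' "$flag" "$(basename "$f")" "$status"
    done
    n=$(count_unmitigated "$dir")
    echo "unmitigated: $n"
    [ "$n" -eq 0 ]
}

# When run as a script, report on the live kernel (or on the directory given
# as the first argument). The if-wrapper keeps a non-zero result from
# aborting the script under "set -e"; the status is kept in $status.
if cpu_vuln_report "$@"; then status=0; else status=$?; fi
```

Run it with no arguments on a Linux host to see the live picture; in a CI or fleet-audit job call `cpu_vuln_report` directly and act on its return code (1 means at least one issue is still marked Vulnerable). Note that “Mitigation: …” reflects only what the kernel applied; microcode that was never loaded, or mitigations disabled via boot parameters, will show up here as Vulnerable, which is exactly what makes the file worth checking rather than assuming a patched kernel is enough.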

MY TAKE: Why the SEC’s reporting guidance, Yahoo’s $80M payout will shake up board rooms

By Byron V. Acohido

The most encouraging thing about the U.S. Securities and Exchange Commission formally issuing cybersecurity reporting “guidance” for public companies last month was, ironically, commissioner Kara Stein’s disappointment that her colleagues did not go much further.

Related video: Howard Schmidt’s 2015 observations on board involvement

Stein said she would have liked to have seen the commission do a lot more than rehash staff-written best practices suggestions that have been lying around since 2011. Her assertive stance resonated just a few days later when Yahoo agreed to settle a milestone securities case, for a cool $80 million.

Data thieves stole personal records for 1 billion individuals from Yahoo. So now the portal giant will pay a legal settlement that’s more than four times the $18.5 million payout Target had to cough up for losing data on 41 million customers.

Yahoo’s poor practices — neglecting to encrypt and sufficiently protect data; failing to detect and disclose the breach in a timely manner; bulling ahead with the sale to Verizon — resulted in vastly more victims than Target.

More crucially, unlike the Target case, the Yahoo case was pressed by plaintiffs’ attorneys representing consumers in a securities-related lawsuit. (Attorneys general from 47 states sued Target.) And the private attorneys hit the jackpot. In addition to the $80 million for injured consumers, the plaintiffs’ attorneys have asked the court to order Yahoo to pay $20 million in legal fees, and up to $750,000 as reimbursement for other work expenses.

Buck stops with board

Together, the SEC’s freshly minted advice and the Yahoo settlement shine a bright light on D&O liability. It’s now crystal clear that board directors and senior executives can be held accountable for any major data breach that occurs on their watch. …more

LW’s NEWS WRAP: Russian bots conduct social media blitz to discredit Trump-Russia probe

By Byron V. Acohido

Last Watchdog’s News Wrap, Vol. 1, No. 3. The use of Russian bots and trolls in social media propaganda blitzes continues. Counter terrorism expert Malcolm Nance minced no words in lambasting the latest deployment of Russian botnets to influence American politics.

Related article: Trump is top bait used in spam campaigns

Nance appeared on the Stephanie Miller radio show to decry as ‘treasonous’ the bold move by House Republicans to spread word of — but no details from —  a top secret memo purportedly discrediting the FBI’s Trump-Russia investigation.


This move was accompanied by the unleashing of Russian bots and trolls to hype the #Releasethememo campaign on Twitter and other social media platforms. This appeared to be an attempt to add validity to the memo in question — by suggesting a cover-up.

Lest we forget, Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump. This week’s blitz represents another level of finesse.

Insurance halo effect

Here’s more evidence that the insurance industry is aggressively seeking to nurture the anticipated $20 billion-plus market for cyber liability insurance policies. Insurance carriers and underwriters need to figure out how to triangulate complex cyber risks — not as easy as setting actuarial tables for fires or earthquakes. …more

MY TAKE: Rising hacks on energy plants suggest ongoing global cyber war has commenced

By Byron V. Acohido

We all fret over the smorgasbord of cultural and geopolitical controversies complicating our daily lives. That being the case, not enough public attention is being paid to the increasingly plausible scenario of an ongoing global cyber war.

I say this because in recent months there has been a series of public disclosures about progressively more sophisticated hacks into power plants and other critical infrastructure. These intrusions clearly are nation-state sponsored, as they require significant resources to orchestrate, and there is no clear financial motivation behind them.

Related podcast: How Russia’s election meddling relates to plant hacks

And one more important thing: each of the power plant hacks we know about to date seems to be mainly about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state.

The ‘Triton’ hack is a case in point, disclosed on Dec. 14 by security vendor FireEye, a global security company with an extensive threat intelligence team (obtained via its acquisition of Mandiant) and a long history of tracking nation-state cyber groups.

Hackers caused an operational outage at a critical infrastructure site by deploying a new form of sophisticated malware. They were able to stealthily – for a while at least — take control of the plant’s Schneider Electric Triconex Safety Instrumented System (SIS). Such systems are used to automatically shut down industrial processes when operating parameters approach a dangerous state. …more