Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

MY TAKE: COVID-19’s silver lining could turn out to be more rapid, wide adoption of cyber hygiene

By Byron V. Acohido

Long before COVID-19, some notable behind-the-scenes forces were in motion to elevate cybersecurity to a much higher level.

Related: How the Middle East has advanced mobile security regulations

Over the past couple of decades, meaningful initiatives to improve online privacy and security, for both companies and consumers, incrementally gained traction in the tech sector and among key regulatory agencies across Europe, the Middle East and North America. These developments would have, over the next decade or so, steadily and materially reduced society’s general exposure to cybercrime and online privacy abuses.

Then COVID-19 came along and obliterated societal norms and standard business practices. A sweeping overhaul of the status quo – foreshadowed by the sudden and acute shift to a predominantly work-from-home workforce – lies ahead.

One thing is certain, as this global reset plays out, cyber criminals will seize upon fresh opportunities to breach company and home networks, and to steal, defraud and disrupt, which they’ve already commenced doing.

Yet there are a few threads of a silver lining I’d like to point out. It is possible, if not probable, that we are about to witness an accelerated rate of adoption of cyber hygiene best practices, as well as more intensive use of leading-edge security tools and services. And this positive upswing could be reinforced by stricter adherence to, not just the letter, but the spirit of data security laws already on the books in several nations.

There is an urgency in the air to do the right thing. Several key variables happen to be tilting in an advantageous direction. Here’s a primer about how cyber hygiene best practices – and supporting security tools and services – could gain significant steam in the months ahead, thanks to COVID-19.

One Comment | Read | May 11th, 2020 | Best Practices | For consumers | For technologists | My Take | Privacy | Steps forward | Top Stories

BEST PRACTICES: How testing for known memory vulnerabilities can strengthen DevSecOps

By Byron V. Acohido

DevOps wrought Uber and Netflix. In the very near future DevOps will help make driverless vehicles commonplace.

Related: What’s driving  ‘memory attacks’

Yet a funny thing has happened as DevOps – the philosophy of designing, prototyping, testing and delivering new software as fast as possible – has taken center stage. Software vulnerabilities have gone through the roof.

Over a five year period the number technical software vulnerabilities reported to the National Institute of Standards and Technology’s National Vulnerability Database  (NVD) more than tripled – from 5,191 in  2013 to a record 16,556 in 2018.

Total vulnerabilities reported in the NVD dropped a bit in 2019, down to 12,174 total flaws. Some credit for that decline surely goes to the DevSecOps movement that has come into its own in the past two to three years.

DevSecOps proponents are pushing for security-by-design practices to get woven into the highly agile DevOps engineering culture. Still, 12,000-plus fresh software vulnerabilities is a lot, folks. And that’s not counting the latent vulnerabilities getting overlooked in this fast-paced environment – flaws sure to be discovered and exploited down the line by opportunistic threat actors.

San Jose-based application security vendor, Virsec, is seeking to tilt the balance a bit more to the side of good.

Comment | Read | April 30th, 2020 | Best Practices | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

NEW TECH: CASBs continue evolving to help CISOs address multiplying ‘cloud-mobile’ risks

By Byron V. Acohido

It can be argued that we live in a cloud-mobile business environment.

Related: The ‘shared responsibility’ burden

Most organizations are all caught up, to one degree or another, in migrating to hybrid cloud networks. And startups today typically launch with cloud-native IT infrastructure.

Mobile comes into play everywhere. Employees, contractors, suppliers and customers consume and contribute from remote locations via their smartphones. And the first tools many of them grab for daily is a cloud-hosted productivity suite: Office 365 or G Suite.

The cloud-mobile environment is here to stay, and it will only get more deeply engrained going forward. This sets up an unprecedented security challenge that companies of all sizes, and in all sectors, must deal with. Cloud Access Security Brokers (CASBs), referred to as “caz-bees,” are well-positioned to help companies navigate this shifting landscape.

I had the chance to discuss this with Salah Nassar, vice president of marketing at CipherCloud, a leading San Jose, CA-based CASB vendor. We met at RSA 2020 and had a lively discussion about how today’s cloud-mobile environment enables network users to bypass traditional security controls creating gaping exposures, at this point, going largely unaddressed.

Comment | Read | April 29th, 2020 | For technologists | New Tech | Podcasts | RSA Podcasts | Steps forward | Top Stories

SHARED INTEL: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

Comment | Read | April 27th, 2020 | Book Excerpts | For consumers | For technologists | Steps forward | Top Stories

NEW TECH: Why it makes more sense for ‘PAM’ tools to manage ‘Activities,’ instead of ‘Access’

By Byron V. Acohido

Privileged Access Management (PAM) arose some 15 years ago as an approach to restricting  access to sensitive systems inside of a corporate network.

Related: Active Directory holds ‘keys to the kingdom’

The basic idea was to make sure only the folks assigned “privileged access’’ status could successfully log on to sensitive servers. PAM governs a hierarchy of privileged accounts all tied together in a Windows Active Directory (AD) environment.

It didn’t take cyber criminals too long to figure out how to subvert PAM and AD – mainly by stealing or spoofing credentials to log on to privileged accounts. All it takes is one phished or hacked username and password to get a toehold on AD. From there, an intruder can quickly locate and take control of other privileged accounts. This puts them in position to systematically embed malware deep inside of compromised networks.

Shoring up legacy deployments of PAM and AD installations has become a cottage industry unto itself, and great strides have been made. Even so, hacking groups continue to manipulate PAM and AD to plunder company networks. And efforts to securely manage privileged access accounts isn’t going to get any easier, going forward, as companies increase their reliance on hybrid IT infrastructures.

I had the chance to discuss this with Gerrit Lansing, Field CTO at Stealthbits Technologies, a Hawthorne, NJ-based supplier of software to protect sensitive company data. We spoke at RSA 2020. For a full drill down of our discussion, give the accompanying podcast a listen. Here are the key takeaways.

Enticing target

For 90 percent of organizations, Windows Active Directory is the hub for all identities, both human and machine. AD keeps track of all identities and enables all human-to-machine and machine-to-machine communications that take place on the network. PAM grants privileges to carry out certain activities on higher level systems.

Comment | Read | April 22nd, 2020 | For technologists | New Tech | Podcasts | RSA Podcasts | Steps forward

NEW TECH: Semperis introduces tools to improve security resiliency of Windows Active Directory

By Byron V. Acohido

Ransomware continues to endure as a highly lucrative criminal enterprise.

Ransomware hacking groups extorted at least $144.35 million from U.S. organizations between January 2013 and July 2019. That’s the precise figure recently disclosed by the FBI — the true damage is almost certainly a lot steeper, given only a portion of cyber crimes ever get reported to law enforcement.

To get a foot in the door, ransomware purveyors direct weaponized email at a targeted employee. Once inside a network, they move laterally to locate and encrypt mission-critical systems; a ransom demand for a decryption key follows. In many cases, the lateral movement phase is being facilitated by the hijacking of an ubiquitous network administrator’s tool: Windows Active Directory, or AD.

I had a chance, once again, to discuss the yin vs. yang relating to Active Directory’s pivotal placement in the heart of corporate networks with Mickey Bresman,  co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. We met at RSA 2020. For a drill down on our discussion, give the accompanying podcast a listen. Here are key excerpts.

Ransomware uptick

AD enables IT staffers to manage access to servers and applications across the breadth of any Windows-based network; it’s used in 90 percent of U.S. organizations, which translates into tens of thousands of companies and agencies. In the spring of 2017, the WannaCry and NotPetya ransomware worms blasted around the globe, freezing up the Active Directory systems of thousands of companies.

One Comment | Read | April 16th, 2020 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

Comment | Read | April 13th, 2020 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

Older Articles »