Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.

Related: The rise of ‘memory attacks’

I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant  Huawei. These are the carriers that provide Internet access to rural areas all across America.

Starks

Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce. …more

GUEST ESSAY: Only cloud-based security can truly protect cloud-delivered web applications

By Vivek Gopalan

Web applications have become central for the existence and growth of any business. This is partly the result of Software as a Service, or SaaS, becoming a preferred mode of consumption for software services.

Related: AppTrana free trial offer

Most companies today own a web application and if that application is an integral part of their business, then they cannot afford to think of website security risk as an afterthought.

In a lot of cases, pure SaaS vendors such as an online e-commerce company, the website/app itself is the reason for the existence of the business. And, increasingly,  their customers are questioning them about the security of sensitive personal and business data.

This rising trepidation, with respect to web app security, should come as no surprise. Technology research firm Gartner estimates that over 70% of security vulnerabilities exist at the application layer – and 75% of security breaches happen at the application layer.

Meanwhile, the National Institute of Standards and Technology says that 92% of reported vulnerabilities are in applications, not networks; and NIST pegs the cost of fixing such bugs in the field at $30,000 vs. $5,000 if the bug is fixed during coding.

The speed factor

There is compelling rationale for companies to take proactive steps to continually improve web application security. For one, compliance with standards, such as section 6.6 of Payment Card Industry Data Security Standard, requires either secure code review or deployment of a Web Application Firewall (WAF.) …more

MY TAKE: NIST Cybersecurity Framework has become a cornerstone for securing networks

By Byron V. Acohido

If your company is participating in the global supply chain, either as a first-party purchaser of goods and services from other organizations, or as a third-party supplier, sooner or later you’ll encounter the NIST Cybersecurity Framework.

Related: How NIST protocols fit SMBs

The essence of the NIST CSF is showing up in the privacy regulations now being enforced in Europe, as well as in a number of U.S. states. And the protocols it lays out inform a wide range of best-practices guides put out by trade groups and proprietary parties, as well.

I had the chance at RSA 2019 to visit with George Wrenn, founder and CEO of CyberSaint Security, a cybersecurity software firm  that plays directly in this space.

Prior to launching CyberSaint, Wrenn was CSO of Schneider Electric, a supplier of technologies used in industrial control systems. While at Schneider, Wrenn participated with other volunteer professionals in helping formulate the NIST CSF.

The participation led to the idea behind CyberSaint. The company supplies a platform, called CyberStrong, that automatically manages risk and compliance assessments across many types of frameworks. This includes not just the NIST CSF, but also the newly minted NIST Risk Management Framework 2.0, and the upcoming NIST Privacy Framework. For a full drill down on the wider context, give a listen to the accompanying podcast. Here are key takeaways:

Collective wisdom

Think of NIST as Uncle Sam’s long-established standards-setting body. “They are the people who brought you 36 inches in a yard,” Wrenn observed. To come up with its cybersecurity framework, NIST assembled top experts and orchestrated a global consensus- building process that resulted in a robust set of protocols. The CSF is comprehensive and flexible; it can be tailored to fit a specific organization’s needs. And the best part is it’s available for free. …more

MY TAKE: How digital technology and the rising gig economy are exacerbating third-party risks

By Byron V. Acohido

Accounting for third-party risks is now mandated by regulations — with teeth.

Related: Free ‘VRMM’ tool measures third-party exposure

Just take a look at Europe’s GDPR, NYDFS’s cybersecurity requirements or even California’s newly minted Consumer Privacy Act.

What does this mean for company decision makers, going forward, especially as digital transformation and expansion of the gig economy deepens their reliance on subcontractors?

I had the chance at RSA 2019 to discuss that question with Catherine Allen, chairman and CEO of the Santa Fe Group, and Mike Jordan, senior director of Santa Fe’s Shared Assessments program.

Allen is a widely respected thought leader on this topic, having launched Shared Assessments in 2005 as an intel-sharing and training consortium focused on third-party risks. And Jordan has had a hands-on role working third-party risk issues for more than a decade.

To hear the full interview, please give the accompanying podcast a listen. Here are a few key takeaways.

Addressing third-parties

Allen founded The Santa Fe Group in 1995 and established it as a leading consultancy, specializing on emerging technologies. With subcontractors playing a rising role and third party risk covering so many complex fields of expertise, six big banks and the Big Four accounting/consulting firms tasked her with coming up with a standardized approach for assessing third party vendor risk.

What emerged was a quasi-trade association – Shared Assessments. The founding participants developed assessment regimes and tools, all having to do with measuring and assessing, essentially, third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate. Collaborating in advance on what’s important in third party risk lets organizations and their vendors come to a faster agreement on what to do about those risks. That out of the way, business can proceed with less risk. …more

NEW TECH: Alcide introduces a “microservices firewall” as a dynamic ‘IaaS’ market takes shape

By Byron V. Acohido

As a tech reporter at USA TODAY, I wrote stories about how Google fractured Microsoft’s Office monopoly, and then how Google clawed ahead of Apple to dominate the global smartphone market.

Related: A path to fruition of ‘SecOps’

And now for Act 3, Google has thrown down the gauntlet at Amazon, challenging the dominant position of Amazon Web Services in the fast-emerging cloud infrastructure global market.

I recently sat down with Gadi Naor, CTO and co-founder of Alcide, to learn more about the “microservices firewall” this Tel Aviv-based security start-up is pioneering. However, in diving into what Alcide is up to, Gadi and I segued into a stimulating discussion about this latest clash of tech titans. Here are key takeaways:

Google’s Kubernetes play

First some context. Just about every large enterprise today relies on software written by far-flung  third-party developers, who specialize in creating modular “microservices” that can get mixed and matched and reused inside of software “containers.” This is how companies have begun to  scale the delivery of cool new digital services — at high velocity.

The legacy ‘on-premises’ data centers enterprises installed 10 to 20 years ago are inadequate to  support this new approach. Thus, digital infrastructure is being shifted to “serverless” cloud computing services, with AWS blazing the trail and Microsoft Azure and Google Cloud in hot pursuit.

Microservices and containers have been around for a long while, to be sure. Google, for instance, has long made use of the equivalent of microservices and containers, internally, to scale the development and deployment of the leading-edge software it uses to run its businesses. …more

Q&A: How cutting out buzzwords could actually ease implementation of powerful security tools

By Byron V. Acohido

The central dilemma posed by digital transformation is this: How do companies reap the benefits of high-velocity software development without creating onerous security exposures?

Related: Golden Age of cyber spying dawns

The best practices standards and protocols to pull off this delicate balancing act have been thoroughly vetted and are readily available. And there’s certainly no shortage of sophisticated technology solutions.

So what’s missing? Why have organizations, of all sizes and in all sectors, failed to make more progress shrinking a security gap that appears, in fact, to be inexorably widening?

These were questions I discussed at RSA 2019 with Samantha Madrid, a veteran executive in the enterprise security space, who recently joined Juniper Networks as vice president, security & business strategy. Juniper has been in the vanguard of integrating security deeper into the plumbing of modern business networks.

Madrid observed that the white noise of overlapping marketing messages has not made it any easier for enterprises to chart a truer course for securing their networks. One of the first things Madrid told me she did when she arrived at Juniper was to ask her colleagues to stop using marketing buzzwords.

“A vendor should be able to explain, in simple terms, how they can help solve a customer’s problem,” she said.

Having covered tech security since 2004, I can attest that there is plenty of room for more clarity, and less hype, in security products marketing. To hear my conversation with Madrid in its entirety, please give a listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW:  Can you frame the security challenges companies are facing in today’s very dynamic environment? …more

NEW TECH: Critical Start delivers managed security services with ‘radical transparency’

By Byron V. Acohido

It was in 2012 that CRITICALSTART burst onto the Managed Security Service Provider (MSSP) scene with bold intentions.

Related: How SMBs can leverage threat intelligence.

The Plano, TX-based company sought to elevate the “MSSP” space high above the accepted standard at the time. It set out to do this by delivering security services based on Zero-Trust and that also provided radical transparency to its customers.

CRITICALSTART has since grown to 105 employees, serving hundreds of customers. In 2018, revenues generated by its core Managed Detection and Response (MDR) service grew 300 percent as compared to 2017.

What struck me most as I prepared to meet up with Jordan Mauriello, CRITICALSTART’s VP of Managed Services, was how the company has been able to stick to its guns providing Zero-Trust and “radical transparency” to its customers.

No one in the cybersecurity community would dispute the fact that widely sharing intel detailing what the bad guys are doing, as well as measures that prove effective in deterring them, should be standard practice – for the greater good.

However, in reality, competitive instincts still get in the way all too often. It was with this in mind that I met with Mauriello at RSA 2019, and he walked me through the path CRITICALSTART has successfully navigated. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Foundation of trust

Radical transparency isn’t a new thing, but we are seeing it more in security, as well as an increase in the need for Zero-Trust model. Mauriello observed that companies shopping for contracted security services are open to taking a trust-but-verify approach, and are looking for service providers to build that trust foundation by operating out in the open. …more