Steps forward
ROUNDTABLE: Mayorkas’ 60-day cybersecurity sprints win support; also a prove-it-to-me response

By Byron V. Acohido

The Biden Administration is wasting no time fully re-engaging the federal government in cybersecurity.

Related: Supply-chains become top targets

Homeland Security Secretary Alejandro Mayorkas has assumed a very visible and vocal role. Mayorkas has been championing an extensive portfolio of initiatives to rally public-private collaboration to fend off cyber criminals and state-sponsored threat actors.

The need is great, of course. The SolarWinds hack and the Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn, demonstrate this in spades.

Mayorkas announced a series of 60-day sprints to quell ransomware and to bolster the cyber defenses of industrial control systems, transportation networks and election systems. Mayorkas also pledged to increase the diversity of the Cybersecurity and Infrastructure Security Agency’s workforce, noting that roughly a third of CISA’s workers are part of minority groups.

This reminds me of how President Obama used his bully pulpit back in 2015 to promote accelerated sharing of threat intelligence and to push for a consumers’ bill of rights for online privacy.

SHARED INTEL: IT pros gravitate to ‘passwordless’ authentication to improve security, boost agility

By Byron V. Acohido

Passwordless authentication as a default parameter can’t arrive too soon.

Related: Top execs call for facial recognition to be regulated

The good news is that passwordless technologies are not only ready for prime time, they appear to be gaining traction in ways that suggest we’re on the cusp of a period of wide-scale adoption. That’s the upshot of a new report, The State of Passwordless Security 2021, put out by HYPR, a New York City-based supplier of advanced authentication systems.

HYPR polled 427 IT professionals and found a high level of awareness about passwordless authenticators, and not just for enhanced security. The IT pros also recognized how passwordless systems contribute to operational agility, and they have begun to factor this into their planning.

Some 91 percent of the respondents agreed that passwordless authentication was important to stop credential theft and phishing. Meanwhile, 64 percent saw value in improving user experiences and 21 percent said it could help achieve digital transformation.

“Adoption of passwordless authentication is moving faster than we expected,” says George Avetisov, HYPR’s co-founder and chief executive officer. “The rise of remote work has created a huge urgency around adopting passwordless multifactor authentication, and the no.1 use case is remote access.”

I recently sat down with Avetisov to discuss a few other notable findings in HYPR’s study. For a full drill down on our conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

GUEST ESSAY: The missing puzzle piece in DevSecOps — seamless source code protection

By Rui Ribeiro

We live in a time where technology is advancing rapidly, and digital acceleration is propelling development teams to create web applications at an ever faster pace. The DevOps workflow has kept up with this market shift and become more efficient every day, but despite those efforts, one thing was still being overlooked: application security.

Related: ‘Fileless’ attacks on the rise

The awareness that the typical approach to DevOps was downplaying the role of security led to an evolution of this workflow, which today has come to be known as DevSecOps. This new mindset puts application security at the foundation of DevOps, rather than it being an afterthought.

In the ideal DevSecOps implementation, security controls are fully integrated into the continuous integration (CI) and continuous delivery (CD) pipelines, and development teams possess the skills needed to handle and automate several security processes.

Plain sight gaps

As companies grew into the concept of DevSecOps, they typically focused on technologies like SAST or DAST to provide an extra layer of security at the earlier development stages. These technologies help check the source code for vulnerabilities that could be exploited by attackers in a production environment. However, finding and fixing those vulnerabilities is still not enough to guarantee end-to-end protection of the source code – there is still one key missing piece.

MY TAKE: Why ‘basic research’ is so vital to bringing digital transformation to full fruition

By Byron V. Acohido

Basic research, also called pure research, is aimed at advancing scientific theories unfettered by commercial interests.

Related: The case for infusing ethics into Artificial Intelligence.

Basic research is the foundational theorizing and testing scientists pursue in order to advance their understanding of a phenomenon in the natural world, and, increasingly, in the digital realm. NTT Research opened its doors in Silicon Valley in July 2019 to help nurture basic research in three subject areas that happen to be at the core of digital transformation: quantum physics, medical informatics and cryptography.

Backed by Japanese telecom giant NTT Group, this new facility instantly jumped into the vanguard of basic research already underway that will eventually enable the routine use of quantum computers, which, in turn, will open the door to things like driverless cars and Star Trekkian medical treatments.

Along the way, of course, cybersecurity must get addressed. Ongoing basic research in advanced cryptography concepts is pivotal to putting the brakes on widening cyber risks and ultimately arriving at a level of privacy and security that makes sense.

I had a lively discussion about all of this with NTT Research’s Kazuhiro Gomi, president and chief executive officer, and Kei Karasawa, vice president of strategy. These senior executives wholeheartedly support the concept of basic research. Yet at the same time, they’re also charged with keeping an eye on the eventual “productization” of all this rarefied research. For a full drill down on this conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

‘Big dreams’

Lots of big companies sponsor basic research; it’s how progress gets made. An estimated 60% of research and development in scientific and technical fields is carried out by private industry, with academic institutions and government accounting for 20% and 10%, respectively, according to the Organization for Economic Cooperation and Development.

NTT Group, for instance, typically spends more than $3.6 billion annually for … more

GUEST ESSAY: Now more than ever, companies need to proactively promote family Online Safety

By Ellen Sabin

Cybersecurity training has steadily gained traction in corporate settings over the past decade, and rightfully so.

In response to continuing waves of data breaches and network disruptions, companies have made a concerted effort and poured substantial resources into promoting data security awareness among employees, suppliers and clients. Safeguarding data in workplace settings gets plenty of attention.

Related: Mock attacks help schools prepare for hackers

However, the sudden and drastic shift to work-from-home and schooling-from-home settings has changed the ball game. The line between personal and professional use of digital tools and services, which was blurry even before the global pandemic, has now been obliterated by Covid-19.

Moving forward, companies can no longer afford to focus awareness training on just employees, partners and clients. It has become strategically important for them to promote best security practices in home settings, including the training of children.

Bringing smart habits into homes and minds is good for kids, good for parents, and, it turns out, good for businesses, too.

We’re all connected

Consider that kids are constantly connected on the internet through online games, streaming devices, virtual schooling, and Zoom play dates. Adults increasingly are working from home, usually on networks they share with their children. A mistake made online by one family member can lead to a compromise of the household’s network, placing computers, personal data, and perhaps even work-related content at risk.

Cyber criminals have increased attacks as they see these opportunities. Companies must take this into account and consider extending employee training to also promote security and privacy habits among all family

GUEST ESSAY: HIPAA’s new ‘Safe Harbor’ rules promote security at healthcare firms under siege

By Riyan N. Alam

The Health Insurance Portability and Accountability Act (HIPAA) has undergone some massive changes in the past few years to minimize the burden on healthcare entities.

Related: Hackers relentlessly target healthcare providers

Despite these efforts, covered entities and business associates continue to find HIPAA to be overwhelming and extensive, to say the least.

Cyberattacks against healthcare entities rose 45 percent between November 2020 and January 2021, according to Check Point. Meanwhile, the healthcare sector accounted for 79 percent of all reported data breaches during the first 10 months of 2020, according to a study by Fortified Health Security.

At last, some good news has surfaced that encourages healthcare providers to implement the best security practices and meet HIPAA requirements. Amidst all of the turmoil, President Donald Trump officially signed H.R. 7898, known as the HIPAA Safe Harbor Bill, into law on January 5, 2021.

It is a sigh of relief for entities that could do very little against unavoidable and highly sophisticated cyberattacks. This bill is one of many recent industry efforts aimed at improving cybersecurity. The legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to reward organizations that follow the best cybersecurity practices when assessing whether they meet HIPAA requirements.

AUTHOR Q&A: New book, ‘Hackable,’ suggests app security is the key to securing business networks

By Byron V. Acohido

The cybersecurity operational risks businesses face today are daunting, to say the least.

Related: Embedding security into DevOps.

Edge-less networks and cloud-supplied infrastructure bring many benefits, to be sure. But they also introduce unprecedented exposures: fresh attack vectors that skilled and motivated threat actors are taking full advantage of.

Adopting and nurturing a security culture is vital for all businesses. But where to start? Ted Harrington’s new book Hackable: How To Do Application Security Right argues for making application security a focal point, while laying out a practical framework that covers many of the fundamental bases.

Harrington is an executive partner at Independent Security Evaluators (ISE), a company of ethical hackers known for hacking cars, medical devices and password managers. He told me he wrote Hackable to inform folks oblivious to the importance of securing apps, even as corporate and consumer reliance on apps deepens.

Here are excerpts of an exchange Last Watchdog had with Harrington about his new book, edited for clarity and length:

LW: Why is it smart for companies to make addressing app security a focal point?

Harrington: Software runs the world. Application security is the soft underbelly to almost all security domains, from network security to social engineering and everything in between.