Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

Q&A: Here’s how the ‘Matter’ protocol will soon reduce vulnerabilities in smart home devices

By Byron V. Acohido

After years of competitive jockeying, the leading tech giants have agreed to embrace a brand new open-source standard – called Matter – that will allow consumers to mix and match smart home devices and platforms.

Related: The crucial role of ‘Digital Trust’

After numerous delays and course changes, the Matter protocol, is set to roll out this fall, in time for the 2022 holiday shopping season. To start, seven types of smart home devices will be capable of adopting the Matter protocol, and thus get affixed with a Matter logo.

Matter is intended to foster interoperability of smart home devices – so a homeowner can stick with just one voice assistance platform and have the freedom to choose from a wide selection of smart devices sporting the Matter logo.

What this boils down to is that a consumer living in a smart home filled with Matter devices would no longer be forced to use Amazon’s Alexa to control some devices, while having to switch to Apple’s Siri, Google’s Assistant or Samsung’s SmartThings to operate other devices. No surprise: Amazon, Google, Apple and Samsung are the biggest names on a list of 250 companies supporting the roll out of Matter.

The qualifying types of smart home devices, to start, include light bulbs and switches; smart plugs; smart locks; smart window coverings; garage door openers; thermostats; and HVAC controllers. If all goes smoothly, surveillance cams, smart doorbells and robot vacuums would soon follow.

FIRESIDE CHAT: ‘Attack surface management’ has become the centerpiece of cybersecurity

By Byron V. Acohido

Post Covid 19, attack surface management has become the focal point of defending company networks.

Related: The importance of ‘SaaS posture management’

As digital transformation continues to intensify, organizations are relying more and more on hosted cloud processing power and data storage, i.e. Platform as a Service (PaaS,) as well as business tools of every stripe, i.e. Software as a Service (SaaS.)

I had the chance to visit with Jess Burn, a Forrester senior analyst, about the cybersecurity ramifications.

Guest expert: Jess Burn, Senior Analyst, Forrester Research

We discussed how the challenge has become defending the cloud-edge perimeter. This entails embracing new security frameworks, like Zero Trust Network Access, as well as adopting new security tools and strategies.

This boils down to getting a comprehensive handle on all of the possible connections to sensitive cyber assets, proactively managing software vulnerabilities and detecting and responding to live attacks.

A new category of attack surface management tools and services is gaining traction and fast becoming a must-have capability. To learn more, please give the accompanying Last Watchdog Fireside Chat podcast a listen.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Q&A: Here’s why VPNs are likely to remain a valuable DIY security tool for consumers, SMBs

By Byron V. Acohido

It is astounding that billions of online accounts have been breached over the past 18 years and that US consumer accounts are by far the most compromised.

Related: VPNs vs ZTNA

Now comes hard metrics quantifying the scope of this phenomenon. It’s in findings of a deep dive data analytics study led by Surfshark, a supplier of VPN services aimed at the consumer and SMB markets.

Surfshark partnered with a number of independent cybersecurity researchers to quantify the scope and pattern of data breaches over the past couple of decades. For this study, a data breach was defined as an intruder copying or leaking user data such as names, surnames, email addresses, passwords, etc. Much of the hard evidence came from correlating breached databases sitting in the open Internet.

Data scientists sorted through 27,000 leaked databases and created 5 billion combinations of data. Researchers could then sort those combinations based on specific data points, such as countries, and perform a statistical analysis of their findings.

The data analytics show:

•A total 2.3 billion U.S. accounts have been breached so far. The scale is so massive that it makes up 15 percent of all breached users globally since 2004 (the year data breaches became widespread)

•More than two thirds of American accounts are leaked with the password, putting breached users in danger of account takeover.

FIRESIDE CHAT: The inevitable replacement of VPNs by ‘ZTNA’ — zero trust network access

By Byron V. Acohido

Virtual Private Networks – VPNs – remain widely used in enterprise settings. Don’t expect them to disappear anytime soon.

Related: Taking a risk assessment approach to vulnerability management.

This is so, despite the fact that the fundamental design of a VPN runs diametrically opposed to  zero trust security principles.

I had the chance to visit with David Holmes, network security analyst at Forrester, to learn more about how this dichotomy is playing out as companies accelerate their transition to cloud-centric networking.

Guest expert: David Holmes, Analyst for Zero Trust, Security and Risk, Forrester Research

 

VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe. VPNs verify once and that’s it.

Zero trust — and more specifically zero trust network access, or ZTNA — never trusts and always verifies. A user gets continually vetted, with only the necessary level of access granted, per device and per software application; and behaviors get continually analyzed to sniff out suspicious patterns.

Remote access is granted based on granular policies that take the least-privilege approach. For many reasons, and for most operating scenarios, ZTNA solutions makes more sense, going forward, than legacy VPN systems, Holmes told me. But that doesn’t mean VPN obsolescence is inevitable. To learn more, please give the accompanying Last Watchdog Fireside Chat podcast a listen.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

GUEST ESSAY: New SEC rules aim to help C-levels, board members quantify cyber risks

By Nick Sanna

The U.S. Securities and Exchange Commission (SEC) is taking steps to crack down on insufficient cyber risk reporting.

Related: Making third-party risk audits actionable

Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”

Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.

The SEC, in essence, is compelling businesses, public companies and large investment firms to better prepare for inevitable cyber attacks. The new rules urge companies to build more robust cyber risk management programs.

This should provide better visibility into the impact of cyber risk and demonstrate the adequacy of risk mitigation investments.

Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to business executives and boards of directors.

FIRESIDE CHAT: New ‘SASE’ weapon chokes off ransomware before attack spreads laterally

By Byron V. Acohido

It’s stunning that the ransomware plague persists.

Related: ‘SASE’ blends connectivity and security

Verizon’s Data Breach Incident Report shows a 13 percent spike in 2021, a jump greater than the past  years combined; Sophos’ State of Ransomware survey shows victims routinely paying $1 million ransoms.

In response, Cato Networks today introduced network-based ransomware protection for the Cato SASE Cloud. This is an example of an advanced security capability meeting an urgent need – and it’s also more evidence that enterprises must inevitably transition to a new network security paradigm.

Guest expert: Etay Maor, Senior Director of Security Strategy, Cato Networks

I had the chance to visit with Etay Maor of Cato Networks. We discussed how Secure Access Services Edge – SASE – embodies this new paradigm. In essence, SASE moves the security stack from the on-premises perimeter far out to the edge, just before the cloud.

This gives security teams comprehensive visibility of all network activity, in real time, which makes many high-level security capabilities possible. For a full drill down on my conversation with Etay Maor, please give the accompanying podcast a listen.

Network security developments are progressing. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

GUEST ESSAY: Five steps to improving identity management — and reinforcing network security

By Jackson Shaw

The identity management market has grown to $13 billion and counting. While intuition would tell you enterprises have identity under control, that is far from reality.

Related: Taking a zero-trust approach to access management

Current events, such as the global pandemic and ‘The Great Resignation,’ which have accelerated cloud adoption, remote working environments, and the number of business applications and systems in use has complicated matters.

As a result, new solutions and features to address identity challenges have emerged. In a sense, this is a positive trend: change makers are innovating and trying to stay ahead of imminent threats.

On the other hand, there’s a good deal of snake oil on the market, making it hard for organizations to realize the value of their tech investments. Last, and perhaps most significant, many solutions don’t work together harmoniously, making it hard for employees to get work done.

When you consider these points, it’s understandable why businesses end up with too many solutions to effectively manage, or simply default to manual, inefficient processes to address identity- and security-related tasks. But for progress to happen, we must first get to the root of why this is happening.