Steps forward
MY TAKE: Can embedding security deep inside mobile apps point the way to securing IoT?

By Byron V. Acohido

The full blossoming of the Internet of Things is on the near horizon – or is it?

Enterprises across the planet are revving up their IoT business models, and yet there is a sense of foreboding about a rising wave of IoT-related security exposures.

Related: The security and privacy implications of driverless vehicles

Some 25 percent of 700 organizations surveyed in five nations reported IoT security-related losses of at least $34 million in the last two years, according to the 2018 State of IoT Security study sponsored by certificate authority DigiCert.

Similarly, software security company Irdeto polled 220 security decision makers in the healthcare, transportation and manufacturing sectors and found 80 percent experienced a cyberattack on their IoT devices in the past 12 months, sustaining, on average, $330,000 in losses.

Cyber criminals know a good thing when they see it. IoT systems introduce added layers of network complexity, which translates into an enlarged attack surface. Threat actors gleefully recognize that IoT is being implemented off of an already huge and poorly defended attack surface: legacy networks.

Clearly, IoT won’t begin to approach full fruition until and unless a few deep-seated security weaknesses get adequately addressed. I had the chance at Black Hat USA 2019 to discuss this with Mark Hearn and Catherine Chambers, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam.

Irdeto recently introduced a new service – Trusted Software – aimed at developers of mobile apps. The service enables app developers to conveniently embed top-shelf security into the source code of their new mobile apps, as a final step, just before distribution to users.

NEW TECH: Trend Micro inserts ‘X’ factor into ‘EDR’ – endpoint detection and response

By Byron V. Acohido

With all the talk of escalating cyber warfare, the spread of counterfeit smartphones and new forms of self-replicating malware, I came away from Black Hat USA 2019 (my 15th) marveling, once more, at the panache of modern cyber criminals.

Related: Lessons learned from Capital One breach

Yet, I also had the chance to speak one-on-one with dozens of security vendors who are innovating like crazy to improve security. And I came away, once again, much encouraged. I met with Kevin Simzer, for instance, Trend Micro’s chief operating officer.

Trend Micro is among the top five endpoint security vendors that have been in the battle since the earliest iterations of antivirus software, more than three decades ago. The company has evolved far beyond those days. They came to Las Vegas prepared to push detection and response beyond the endpoint.

While endpoint detection and response (EDR) is one of the most significant advancements made by endpoint security vendors in the past six years, enterprises need more. Companies have silos of security data that need the same type of visibility that EDR brings to the endpoint.

Enter Trend Micro’s new answer to the challenge of much-needed visibility and threat alert overload. I came away from my interview with Simzer with a strong sense that they have a very comprehensive managed detection and response offering, and that even more innovation from Trend and others is assured, going forward.

For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:

Prevention vs. detection

In 2013, Gartner analyst Anton Chuvakin coined “EDR” to classify an emerging set of tools designed to go beyond signature-based antivirus software, which was designed primarily to identify specific malicious binary files. Instead, EDR tools were tuned to recognize anomalous activities on endpoints, then trigger alerts that warranted further investigation.

NEW TECH: A couple of tools that deserve wide use — to preserve the integrity of U.S. elections

By Byron V. Acohido

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large.

It’s easy to get discouraged by developments such as Sen. McConnell recently blocking a bipartisan bill to fund better election security, as well as the disclosure that his wife, Transportation Secretary Elaine Chao, has accepted money from voting machine lobbyists.

Related: Why not train employees as phishing cops?

That’s why I was so encouraged to learn about two new tools that empower individual candidates – and local election officials – to take proactive steps to make election tampering much more difficult to successfully pull off. In the current geo-political environment, every forthright step can make a huge difference.

First, there’s a tool called the Rapid Cyber Risk Scorecard. NormShield, the Vienna, VA-based cybersecurity firm that supplies this service, recently ran scores for all of the 26 declared presidential candidates – and found the average cyber risk score to be B+.

What this tells me is that the presidential candidates, at least, actually appear to be heeding lessons learned from the hacking of John Podesta’s email account – and all of the havoc Russia was able to foment in our 2016 elections. NormShield found that all of the 2020 presidential hopefuls, thus far, are making sure their campaigns are current on software patching, as well as Domain Name System (DNS) security; and several are doing much more.

My takeaway: other candidates can use this scorecard, which runs assessments of 10 cyber risk categories, as a starting point to harden their campaigns.

Another such service that can do a ton of good was announced last week by Global Cyber Alliance (GCA), in partnership with Craig Newmark Philanthropies and the Center for Internet Security. It’s a free cybersecurity toolkit for elections that gives local election authorities actionable guidance on how to mitigate the most common risks to trustworthy elections.

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.

Related: The rise of ‘memory attacks’

I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.

Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce.

GUEST ESSAY: Only cloud-based security can truly protect cloud-delivered web applications

By Vivek Gopalan

Web applications have become central for the existence and growth of any business. This is partly the result of Software as a Service, or SaaS, becoming a preferred mode of consumption for software services.

Related: AppTrana free trial offer

Most companies today own a web application, and if that application is an integral part of their business, then they cannot afford to think of website security risk as an afterthought.

In many cases, for pure SaaS vendors such as an online e-commerce company, the website/app itself is the reason for the existence of the business. And, increasingly, their customers are questioning them about the security of sensitive personal and business data.

This rising trepidation, with respect to web app security, should come as no surprise. Technology research firm Gartner estimates that over 70% of security vulnerabilities exist at the application layer – and 75% of security breaches happen at the application layer.

Meanwhile, the National Institute of Standards and Technology says that 92% of reported vulnerabilities are in applications, not networks; and NIST pegs the cost of fixing such bugs in the field at $30,000 vs. $5,000 if the bug is fixed during coding.

The speed factor

There is compelling rationale for companies to take proactive steps to continually improve web application security. For one, compliance with standards, such as section 6.6 of the Payment Card Industry Data Security Standard, requires either secure code review or deployment of a Web Application Firewall (WAF).

MY TAKE: NIST Cybersecurity Framework has become a cornerstone for securing networks

By Byron V. Acohido

If your company is participating in the global supply chain, either as a first-party purchaser of goods and services from other organizations, or as a third-party supplier, sooner or later you’ll encounter the NIST Cybersecurity Framework.

Related: How NIST protocols fit SMBs

The essence of the NIST CSF is showing up in the privacy regulations now being enforced in Europe, as well as in a number of U.S. states. And the protocols it lays out inform a wide range of best-practices guides put out by trade groups and proprietary parties, as well.

I had the chance at RSA 2019 to visit with George Wrenn, founder and CEO of CyberSaint Security, a cybersecurity software firm that plays directly in this space.

Prior to launching CyberSaint, Wrenn was CSO of Schneider Electric, a supplier of technologies used in industrial control systems. While at Schneider, Wrenn participated with other volunteer professionals in helping formulate the NIST CSF.

The participation led to the idea behind CyberSaint. The company supplies a platform, called CyberStrong, that automatically manages risk and compliance assessments across many types of frameworks. This includes not just the NIST CSF, but also the newly minted NIST Risk Management Framework 2.0, and the upcoming NIST Privacy Framework. For a full drill down on the wider context, give a listen to the accompanying podcast. Here are key takeaways:

Collective wisdom

Think of NIST as Uncle Sam’s long-established standards-setting body. “They are the people who brought you 36 inches in a yard,” Wrenn observed. To come up with its cybersecurity framework, NIST assembled top experts and orchestrated a global consensus-building process that resulted in a robust set of protocols. The CSF is comprehensive and flexible; it can be tailored to fit a specific organization’s needs. And the best part is it’s available for free.

MY TAKE: How digital technology and the rising gig economy are exacerbating third-party risks

By Byron V. Acohido

Accounting for third-party risks is now mandated by regulations — with teeth.

Related: Free ‘VRMM’ tool measures third-party exposure

Just take a look at Europe’s GDPR, NYDFS’s cybersecurity requirements or even California’s newly minted Consumer Privacy Act.

What does this mean for company decision makers, going forward, especially as digital transformation and expansion of the gig economy deepens their reliance on subcontractors?

I had the chance at RSA 2019 to discuss that question with Catherine Allen, chairman and CEO of the Santa Fe Group, and Mike Jordan, senior director of Santa Fe’s Shared Assessments program.

Allen is a widely respected thought leader on this topic, having launched Shared Assessments in 2005 as an intel-sharing and training consortium focused on third-party risks. And Jordan has had a hands-on role working third-party risk issues for more than a decade.

To hear the full interview, please give the accompanying podcast a listen. Here are a few key takeaways.

Addressing third parties

Allen founded The Santa Fe Group in 1995 and established it as a leading consultancy, specializing in emerging technologies. With subcontractors playing a rising role and third-party risk covering so many complex fields of expertise, six big banks and the Big Four accounting/consulting firms tasked her with coming up with a standardized approach for assessing third-party vendor risk.

What emerged was a quasi-trade association – Shared Assessments. The founding participants developed assessment regimes and tools, all having to do with measuring and assessing, essentially, third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate. Collaborating in advance on what’s important in third-party risk lets organizations and their vendors come to a faster agreement on what to do about those risks. With that out of the way, business can proceed with less risk.