Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

MY TAKE: With disinformation running rampant, embedding ethics into AI has become vital

By Byron V. Acohido

Plato once sagely observed, “A good decision is based on knowledge and not on numbers.” 

Related: How a Russian social media site radicalized U.S. youth

That advice resonates today, even as we deepen our reliance on number crunching — in the form of the unceasing machine learning algorithms whirring away in the background of our lives, setting in motion many of the routine decisions each of us make daily.

However, as Plato seemingly foresaw, the underlying algorithms we’ve come to rely on are only as good as the human knowledge they spring from. And sometimes the knowledge transfer from humans to math formulas falls well short.

Last  August, an attempt by the UK government to use machine learning to conjure and dispense final exam grades to quarantined high-schoolers proved to be a disastrous failure. Instead of keeping things operable in the midst of a global pandemic, the UK officials ended up exposing the deep systemic bias of the UK’s education systems, in a glaring way. 

Then, in November, the algorithms pollsters invoked to predict the outcome of the 2020 U.S. presidential election proved drastically wrong — again, even after the pollsters had poured their knowledge into improving their predictive algorithms after the 2016 elections.  

Q&A: Here’s why securing mobile apps is an essential key to tempering political division

By Byron V. Acohido

Finally, Facebook and Twitter muzzled Donald Trump, preventing him from using his favorite online bully pulpits to spread disinformation. It only took Trump inciting a failed coup d’état that cost five lives.

Related: How a Russian social media app is radicalizing disaffected youth

The action taken by Facebook and Twitter last week was a stark reminder of how digital tools and services can be manipulated by badly motivated parties in insidious ways.

The risks and exposures intrinsic to our favorite digital tools and services runs very deep, indeed. This is something that we’re going to have to address. As the presidential election unfolded in the fall, for example, there were revelations about how mobile apps used by political candidates were rife with security flaws that played right into the hands of propagandists and conspiracy theorists.

Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API exposures, took a close look at the gaping vulnerabilities in mobile app used by the Biden and Trump campaigns, respectively, and came up with a scoring system to rate the security-level of each camp’s main mobile app to reach voters.

On Android, the Official Trump 2020 App ranked nearly three times as secure as the Vote Joe App, for a simplistic reason: the Trump app used the most recent version of Android OS. Newer versions of Android provided more security and privacy benefits.

That said, neither the Biden nor the Trump apps enforced Android’s Verify Apps feature, which scans for potentially harmful Apps on the device. If the Verify Apps feature is turned off, any apps side-loaded onto the user’s device do not get scanned for malware, Doug Dooley, Data Theorem’s chief operating officer, told me.

GUEST ESSAY: Here’s how Secure Access Service Edge — ‘SASE’ — can help, post Covid-19

By Liraz Postan

One legacy of the ongoing global pandemic is that companies now realize that a secured and well-supported remote workforce is possible. Recently, the University of Illinois and the Harvard Business School conducted a study, and 16% of companies reported switching their employees to work at home from offices at least twice a week.

Related: SASE translates into secure connectivity

The problem here is that a secured, cost-effective, and efficient networkmust be developed to support remote operations at scale.  Gartner refers to this as the Secure Access Service Edge (SASE), which is a framework combining the functionality of Wide Area Network (WAN) with network security services to shield against any cyber threats or cloud-enabled SaaS.

The makeup of SASE 

Many enterprises have accelerated their use of Virtual Private Network (VPN) solutions to support remote workers during this pandemic.

However deploying VPNs on a wide-scale basis introduces performance and scalability issues. SASE can function as security infrastructure and as the core IT network of large enterprises. It incorporates zero-trust technologies and software-defined wide area networking (SD-WAN). SASE then provides secure connectivity between the cloud and users, much as with a VPN. But it much further. It can also deploy web filtering, threat prevention, DNS security, sandboxing, data loss prevention, next-generation firewall policies, information security and credential theft prevention. 

Thus SASE combines advanced threat protection and secure access with enterprise-class data loss prevention. Given the climbing rate of remote workers, SASE has shifted from being a developing solution to being very timely, sophisticated response to leading-edge cyber attacks. Here are a few  guidelines to follow when looking for vendors pitching SASE services:.

NEW TECH: Will ‘Secure Access Service Edge’ — SASE — be the answer to secure connectivity?

By Byron V. Acohido

Company networks have evolved rather spectacularly in just 20 years along a couple of distinct tracks: connectivity and security.

We began the new millennium with on-premises data centers supporting servers and desktops that a technician in sneakers could service. Connectivity was relatively uncomplicated. And given a tangible network perimeter, cybersecurity evolved following the moat-and-wall principle. Locking down web gateways and erecting a robust firewall were considered the be-all and end-all.

Related: The shared burden of securing the Internet of Things

Fast forward to the 21st Century’s third decade. Today, connectively is a convoluted mess. Company networks must support endless permutations of users and apps, both on-premises and in the Internet cloud. Security, meanwhile, has morphed into a glut of point solutions that mostly serve to highlight the myriad gaps in an ever-expanding attack surface. And threat actors continue to take full advantage.

These inefficiencies and rising exposures are not being ignored. Quite the contrary, there’s plenty of clever innovation, backed by truckloads of venture capital, seeking to help networks run smoother, while also buttoning down the attack surface. One new approach that is showing a lot of promise cropped up in late 2019. It’s called Secure Access Service Edge, or SASE, as coined by research firm Gartner.

SASE (pronounced sassy) replaces the site-centric, point-solution approach to security with a user-centric model that holds the potential to profoundly reinforce digital transformation. The beauty of SASE is that it accomplishes this not by inventing anything new, but simply by meshing mature networking and security technologies together and delivering them as a single cloud service —  with all of the attendant efficiency and scalability benefits.

To get a better idea of SASE, I had the chance to visit with Elad Menahem, director of security, and Dave Greenfield, secure networking evangelist,  at Cato Networks, a Tel Aviv-based startup that’s in the thick of the SASE movement. Here are the key takeaways … more

STEPS FORWARD: Math geniuses strive to make a pivotal advance — by obfuscating software code

By Byron V. Acohido

Most of time we take for granted the degree to which fundamental components of civilization are steeped in mathematics.

Everything from science and engineering to poetry and music rely on numeric calculations. Albert Einstein once observed that “pure mathematics is, in its way, the poetry of logical ideas.”

Related: How Multi Party Computation is disrupting encryption

An accomplished violinist, Einstein, no doubt, appreciated the symmetry of his metaphor. He was keenly aware of how an expressive Haydn symphony applied math principles in a musical context in much the same way has he did in deriving breakthrough physics theorems.

Math once more is being conjured to help civilization make a great leap forward. Digital technology, like music, is all about math. We’ve come a long way leveraging algorithms to deliver an amazing array of digital services over the past 30 years; yet so much more is possible.

Math is the linchpin to innovations that can dramatically improve the lives of billions of people, perhaps even save the planet. However, a quintessential math conundrum, is, for the moment, holding these anticipated advancements in check. The math community refers to this bottleneck as “indistinguishability obfuscation,” or iO.

Our top math geniuses point to iO as a cornerstone needed to unleash the full potential of artificially intelligent (AI) programs running across highly complex and dynamic cloud platforms, soon to be powered by quantum computers. Simply put, iO must be achieved in order to preserve privacy and security while tapping into the next generation of IT infrastructure.

I recently had the chance to discuss iO with Dr. Tatsuaki Okamoto, director of NTT Research’s Cryptography and Information Security (CIS) Lab, and Dr. Amit Sahai, professor of computer science at UCLA Samueli School of Engineering and director of UCLA Center for Encrypted Functionalities (CEF). NTT Research sponsored research led by Sahai that recently resulted in a achieving an important iO milestone.

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

GUEST ESSAY: ‘CyberXchange’ presents a much-needed platform for cybersecurity purchases

By Armistead Whitney

There is no shortage of innovative cybersecurity tools and services that can help companies do a much better job of defending their networks.

Related: Welcome to the CyberXchange Marketplace

In the U.S. alone, in fact, there are more than 5,000 cybersecurity vendors. For organizations looking to improve their security posture, this is causing confusion and vendor fatigue, especially for companies that don’t have a full time Chief Information Security Officer.

The vendors are well-intentioned. They are responding to a trend of companies moving to meet rising compliance requirements, such as PCI-DSS and GDPR. Senior management is now  focused on embracing well-vetted best practices such as those outlined in FFIEC and SOC 2, and many more. According to a recent study by PwC, 91% of all companies are following cybersecurity frameworks, like these, as they build and implement their cybersecurity programs.

All of this activity has put a strain on how companies buy and sell cybersecurity solutions. Consider that PCI-DSS alone has over 250 complex requirements that include things like endpoint protection, password management, anti-virus, border security, data recovery and awareness training.

Traditional channels for choosing the right security solutions are proving to be increasingly ineffective. This includes searching through hundreds of companies on Google, attending trade shows and conferences (not possible today with COVID), or dealing with constant cold calls and cold emails from security company sales reps.