
Steps forward


MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive database breaches today generally follow a distinctive pattern: hack into a client-facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for her alleged breach and theft of data on more than 100 million people, including 140,000 Social Security numbers and 80,000 linked bank accounts. The 33-year-old former Amazon Web Services (AWS) software engineer was also accused of stealing cloud computing power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on Capital One’s public-facing applications, supposedly protected by their open-source Web Application Firewall (WAF), and succeeded in carrying out a “Server Side Request Forgery” (SSRF) attack. By successfully hacking the client-facing application, she was then able to relay commands to a legacy AWS metadata service to obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using valid credentials, Thompson was able to gain access using APIs … more

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zettabytes in 2020, much of it pooling in data lakes.

Related: The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more

ROUNDTABLE: Experts react to DHS assigning TSA to keep track of cyber attacks on pipelines

By Byron V. Acohido

The same federal agency that makes you take your shoes off and examines your belongings before boarding a flight will begin monitoring cyber incidents at pipeline companies.

Related: DHS begins 60-day cybersecurity sprints

The Department of Homeland Security on Thursday issued a directive requiring all pipeline companies to report cyber incidents to DHS’s Transportation Security Administration (TSA).

This, of course, follows a devastating ransomware attack that resulted in a shutdown of Colonial Pipeline.

It can be argued that this is one small step toward the true level of federal oversight needed to protect critical infrastructure in modern times. I covered the aviation industry in the 1980s and 1990s when safety regulations proved their value by compelling aircraft manufacturers and air carriers to comply with certain standards, at a time when aircraft fleets were aging and new fly-by-wire technology introduced complex risks.

We’re a long way from having regulatory frameworks for data privacy and network security needed for critical infrastructure — akin to what we have to keep aviation and ground transportation safe and secure. However, the trajectory of ransomware attacks, supply chain corruption, denial of service attacks and cyber espionage is undeniable.

It seems clear we’re going to need more regulations to help guide the private sector into doing the right things. The discussion is just getting started, as you can see by this roundtable of comments from industry experts:

Edgard Capdevielle, CEO, Nozomi Networks

Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas. The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector. Cybersecurity is a team sport.

GUEST ESSAY: ‘World password day’ reminds us to embrace password security best practices

By Chad Cragle

We celebrated World Password Day on May 6, 2021.

Related: Credential stuffing fuels account takeovers

Did you know that this unconventional celebration got its start in 2013, and that it’s now an official holiday on the annual calendar? Every year, the first Thursday in May serves as a reminder for us to take control of our personal password strategies.

Passwords are now an expected and typical part of our data-driven online lives. In today’s digital culture, it’s not unusual to need a password for everything—from accessing your smartphone, to signing into your remote workspace, to checking your bank statements, and more. We’ve all grown used to entering passwords dozens of times per day, and because of this, we often take passwords for granted and forget how crucial they are.

With that in mind, what steps can you take to ensure that your personal data is protected at all times? As a data-driven, security-focused company, we’ve rounded up our top tips inspired by World Password Day to help you improve your password game.

Password overhaul

We know… just the mere thought of coming up with (and remembering) yet another new password is daunting. The average person has about 100 different passwords for the various tools, apps, websites, and online services they use on a regular basis. With so many passwords to keep track of, those familiar “Update Password” prompts tend to get bothersome.

But, unfortunately, we live in a world of constant hacking attempts and security breaches. While changing passwords may be inconvenient at times, following this password best practice can help prevent the following data catastrophes:

Last Watchdog podcast: Unwrapping ‘resilience’ guidance discussed at RSA Conference 2021

By Byron V. Acohido

Resilience was the theme of RSA Conference 2021 which took place virtually last week.

Related: Web attacks spike 62 percent in 2020

I’ve been covering this cybersecurity gathering since 2004, and each year cybersecurity materially advances. By the same token, the difficulties of defending modern IT systems have redoubled as organizations try to balance security and productivity.

The outside pressures are indeed as daunting as ever. Migration to cloud infrastructure is accelerating; reliance on wide-open, modular software development is deepening; and the shortage of skilled security analysts is wider than ever. Meanwhile, deep, damaging network breaches persist, affecting companies of all sizes and in all industries.

I visited with Bruce Snell and Setu Kulkarni from NTT Security to discuss this.

Snell is vice president of security strategy; his resume includes a stint as McAfee’s cybersecurity and privacy director.

And Kulkarni joined NTT Security last fall as vice president of corporate strategy, coming over with NTT’s acquisition of WhiteHat Security, where he was VP, Corporate Strategy & Business Development (Editor’s note: an earlier version misstated this title.) For a lively debrief of RSA Conference 2021, please give the accompanying podcast a listen.


Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


MY TAKE: How SASE has begun disrupting IT — by shifting cybersecurity to the ‘services edge’

By Byron V. Acohido

One of the hottest topics at RSA Conference 2021 taking place virtually this week is the Secure Access Services Edge (SASE) security framework.

Related: Cybersecurity experts react to Biden’s EO

SASE (pronounced sassy) essentially is a roadmap for infusing privacy and security deeply into the software coding that gives life to our smartphones, IoT devices and cloud infrastructure, i.e. at the “services edge,” where all the action is taking place.

Coined by Gartner in late 2018, SASE is gaining momentum as a generational disruptive force. It calls for organizations to start proactively managing the myriad new attack vectors they’ve opened up in the pursuit of digital agility — by embracing a bold new IT architecture that extends network security far beyond the traditional perimeter.

However, disruption doesn’t happen without displacement. And at this early stage, things are a bit chaotic. As established and newer cybersecurity vendors scramble to catch the SASE wave, marketing messages have sometimes been less than clear.

From the customer’s point of view, some early-adopter enterprises have experienced buyer’s remorse trying out SASE services that don’t really make the grade, says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.

“What we’ve heard from out in the marketplace is that a number of SASE solutions that supposedly could deliver everything as promised, were found to be lacking in many capacities,” Spanbauer says.

GUEST ESSAY: 3 sure steps to replace legacy network security systems — in a measured way

By Jackson Shaw

Keeping up with the pace of technology, information, and the evolving threat landscape is a challenge for all enterprises.

Related: DHS launches 60-day cybersecurity sprints

To make matters more difficult, implementing new security software and processes to address these issues is another big hurdle, often causing disruption—and not the good kind. But with mounting pressure to replace legacy, perimeter-centric defenses with cloud- and hybrid-cloud protection, many organizations are stuck between a rock and a hard place.

It goes without saying that phasing out a legacy system and putting something modern in its place is a substantial undertaking. IT teams are stretched thin as they install the new system while supporting the old one.

Simultaneously, end-users with years of expertise on the old system must suddenly learn a new one. Between potential downtime and retraining an entire organization on new workflows, processes, and user interface, productivity is at risk, and with it, the bottom line.

Take identity management—arguably one of the most important defenses against cyber threats—for example. Companies make significant investments in identity governance and administration (IGA) or identity access management (IAM), only to realize that these siloed, on-premises systems can’t meet the needs of a modern, flexible, cloud-centric, and digital enterprise.