Steps forward

 

MY TAKE: How blockchain technology came to seed the next great techno-industrial revolution

By Byron V. Acohido

Some 20 years ago, the founders of Amazon and Google essentially set the course for how the internet would come to dominate the way we live.

Jeff Bezos of Amazon, and Larry Page and Sergey Brin of Google did more than anyone else to actualize digital commerce as we’re experiencing it today – including its dark underbelly of ever-rising threats to privacy and cybersecurity.

Related: Securing identities in a blockchain

Today we may be standing on the brink of the next great upheaval. Blockchain technology in 2019 may prove to be what the internet was in 1999.

Blockchain, also referred to as distributed ledger technology, or DLT, is much more than just the mechanism behind Bitcoin and cryptocurrency speculation mania. DLT holds the potential to open new horizons of commerce and culture, based on a new paradigm of openness and sharing.

Some believe that this time around there won’t be a handful of tech impresarios grabbing a stranglehold on the richest digital goldmines. Instead, optimists argue, individuals will arise and grab direct control of minute aspects of their digital personas – and companies will be compelled to adapt their business models to a new ethos of sharing for a greater good.

At least that’s one Utopian scenario being widely championed by thought leaders like economist and social theorist Jeremy Rifkin, whose talk, “The Third Industrial Revolution: A Radical New Sharing Economy,” has garnered 3.5 million views on YouTube. And much of the blockchain innovation taking place today is being directed by software prodigies, like Ethereum founder Vitalik Buterin, who value openness and independence above all else.

Public blockchains and private DLTs are in a nascent stage, as stated above, approximately where the internet was in the 1990s. This time around, however, many more complexities are in play – and consensus is forming that blockchain will take us somewhere altogether different from where the internet took us.

“With the Internet, a single company could take a strategic decision and then forge ahead, but that’s not so with DLT,” says Forrester analyst Martha Bennett, whose cautious view of blockchain we’ll hear later. “Blockchains are a team sport. There needs to be major shifts in approach and corporate culture, towards collaboration among competitors, before blockchain-based networks can become the norm.”

That said, here are a few important things everyone should understand about the gelling blockchain revolution. …more

SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, which is a leading-edge way to build and query application programming interfaces, or APIs. If you ask the builders of these SPAs, they will tell you that the scale and simplicity of retrieving lots of data with GraphQL is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply computer processing and data storage as a utility. DevOps has decentralized the creation and delivery of smart applications that can mine humongous data sets to create cool new user experiences.

Microservices are little snippets of modular code from which smart apps are assembled. Written by far-flung third-party developers, microservices get mixed and matched and reused inside of software containers. And each instance of a microservice connecting to another microservice, or to a container, is carried out by an API.

In short, APIs are multiplying fast and creating the automated highways of data. The number of APIs on the public Internet grew faster in 2019 than in previous years, according to ProgrammableWeb. And this doesn’t account for all the private APIs businesses build and use. The services on that smartphone you’re holding make use of hundreds of unique APIs. …more

NEW TECH: ‘Passwordless authentication’ takes us closer to eliminating passwords as the weak link

By Byron V. Acohido

If there ever was such a thing as a cybersecurity silver bullet it would do one thing really well: eliminate passwords.

Threat actors have proven to be endlessly clever at abusing and misusing passwords. Compromised logins continue to facilitate cyber attacks at all levels, from phishing ruses to credential stuffing to enabling hackers to probe deep inside of a breached network.

Related: The Internet of Things is just getting started

The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. So what’s stopping us from getting rid of passwords altogether?

The hitch, of course, is that password-enabled account logins are too deeply engrained in legacy network infrastructure. For most large enterprises, it would be much too costly and too disruptive to jettison the use of passwords entirely.

That said, we may very well be in the early adopter phase of weaving leading-edge “password-less authentication” solutions into pliant areas of legacy networks. I recently had the chance to drill down on this trend with Trusona, a 3-year-old Scottsdale, AZ company that is pioneering a password-less multi-factor authentication platform.

I interviewed Sharon Vardi, Trusona’s chief marketing officer, about what the path forward looks like, in terms of someday eliminating passwords from digital commerce. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways.

History lesson

A couple of thousand years ago, Roman troops used passwords to distinguish friend from foe as they patrolled the empire. In 1960, an MIT computer scientist named Fernando Corbató introduced the use of passwords in a mainframe computing project, not really to lock any intruders out. Corbató sought a simple way to let his colleagues store private files on multiple terminals – and passwords fit the bill.

As computers shrank in size, and then pervaded our homes and everyday workplaces, passwords stuck around. Username and password logins emerged as the go-to way to control access to network servers, business applications and Internet-delivered consumer services. Passwords may have been very effective at securing Roman roads. But they quickly proved to be a very brittle cybersecurity mechanism. …more

SHARED INTEL: How NTA/NDR systems get to ‘ground truth’ of cyber attacks, unauthorized traffic

By Byron V. Acohido

The digital footprints of U.S. consumers have long been up for grabs. No one stops the tech giants, media conglomerates and online advertisers from intensively monetizing consumers’ online behaviors, largely without meaningful disclosure.

Related: The state of ransomware

Who knew that much the same thing routinely happens to enterprises? A recent report by network detection and response vendor ExtraHop details how third-party security and analytics tools routinely “phone home” in order to exfiltrate network behavior data back to their home base, without explicitly asking permission.

It’s tempting to chalk this up to competitive frenzy – a simple case of third-party suppliers seeking whatever edge they can get away with. But there is a larger lesson here. ExtraHop’s finding vividly shows how, as digital transformation ramps up, companies really have no clue what moves back and forth, nor in and out, of their networks on a daily basis.

In one case, ExtraHop tracked a made-in-China surveillance cam sending UDP traffic logs, every 30 minutes, to a known malicious IP address with ties to China. It appears the cam in question was unwittingly set up by an employee for personal security reasons.

In another case, a device management tool was deployed in a hospital and used the WiFi network to ensure data privacy as it provisioned connected devices. But ExtraHop noticed that the tool was also opening encrypted connections to vendor-owned cloud storage, a major HIPAA violation.

Getting to ground truth

I had a chance to discuss the wider implication of these findings with Raja Mukerji, co-founder and chief customer officer at ExtraHop. We met at Black Hat 2019. Mukerji and fellow co-founder Jesse Rothstein, ExtraHop’s chief technology officer, were colleagues at Seattle-based network switching systems supplier F5 Networks.

Launched in Seattle in 2007, ExtraHop set out to help companies gain an actionable understanding of their IT environments. Since then it has raised $61.6 million in VC backing, grown to more than 450 employees and now finds itself in the thick of a hot emerging cybersecurity space, Network Traffic Analysis (NTA), as so declared by tech industry consultancy Gartner. ExtraHop refers to what it does as Network Detection and Response (NDR). …more

MY TAKE: CASBs help companies meet ‘shared responsibility’ for complex, rising cloud risks

By Byron V. Acohido

Cloud Access Security Brokers – aka “caz-bees” – have come a long way in a short time.

CASBs, a term coined by tech industry consultancy Gartner, first cropped up about seven years ago to help organizations enforce security and governance policies as they commenced, in earnest, their march into the cloud.

Related: Implications of huge Capital One breach

CASBs supplied a comprehensive set of tools to monitor and manage the multitude of fresh cyber risks spinning out of the rise in corporate reliance on cloud services. In doing so, CASBs became the fastest growing security category ever, as declared by Gartner. Yet, somehow, catastrophic cloud breaches continued to occur, à la Capital One recently losing 100 million customer records kept in its Amazon Web Services S3 data storage buckets.

I had the chance to speak with Mahesh Rachakonda, vice president of products and solution engineering at CipherCloud, a San Jose, CA-based CASB, about this. We met at Black Hat 2019 and had a wide ranging discussion about the complex challenges companies face meeting their end of the security burden, while using cloud services. For a drill down, give a listen to the accompanying podcast. Here are key takeaways:

Fresh attack tiers

CASBs innovated like crazy to make it OK for enterprises to steadily move more and more of their on-premises operations onto a cloud service. Leading-edge CASB systems gave companies granular visibility and control over infrastructure (IaaS), platform (PaaS) and software applications (SaaS) supplied by a cloud services vendor.

Still, the added complexities of cloud migration translated into fresh tiers of wide-open attack vectors. It turned out that moving traditional on-premises systems for HR, IT services, management, finance, accounting, ERP and CRM onto a cloud service run by a third party made it much more difficult to implement a unified enforcement policy, Rachakonda says. …more

NEW TECH: Human operatives maintain personas, prowl the Dark Net for intel to help companies

By Byron V. Acohido

It seems like any discussion of cybersecurity these days invariably circles back to automation.

Our growing fixation with leveraging artificial intelligence to extract profits from Big Data – for both constructive and criminal ends – is the order of the day.

Related: Why Cyber Pearl Harbor is upon us

Vigilante is a cybersecurity startup that cuts against that grain. With an operational launch in October, Vigilante is the spin-off of an elite intelligence unit of InfoArmor, the identity monitoring technology supplier that was acquired by Allstate late last year.

At its core, Vigilante is comprised of operative teams who’ve spent years deeply embedded in the virtual threat space, nurturing their dark net personas and proactively gathering intelligence on behalf of specific clients.

“We go out into the criminal space, on our clients’ behalf, to gather threat intelligence and put it into useful context,” Adam Darrah, Vigilante’s director of intelligence, told me. “This gives our clients an advantage in their security decision making.”

I met with Darrah at Black Hat 2019. We had a fascinating discussion about the distinctive services Vigilante will now seek to make more widely available on a commercial basis. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

Fresh feeds

Threat intelligence feeds gathered from automated defenses, such as next-gen firewalls and SIEMs, make up the vast majority of information companies have in hand depicting the activity of threat actors. In order to better defend their networks, companies struggle on a daily basis with the massive challenge of ingesting and extracting actionable insights from a fire hose.

Vigilante directs a team of operatives who serve, in effect, as intelligence gathering agents on patrol on the ground floor of the cyber underground. “We operate exclusively outside of our clients’ networks,” Darrah told me. “We don’t touch their networks. …more

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes – by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions in recovery costs for the cities of Baltimore and Atlanta and prompted numerous small cities to pay six figure ransoms for decryption keys is a prime example of this, Shier says. …more