Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Steps forward

 

GUEST ESSAY: Ransomware pivot 2021: attackers now grab, threaten to leak sensitive data

By Dr. Darren Williams

Ransomware attacks have reached a record high this year, with nearly 250 attacks recorded to date and months to go. As we’ve seen with major attacks like Kaseya and Colonial Pipeline, cybercriminals have continued to innovate, developing new tools and tactics to encrypt and exfiltrate data.

Related: Kaseya breach worsens supply chain worries

Where previously ransomware gangs relied solely on the attack’s disruption to daily business to be enough for the victim to pay the ransom, today’s stakes are much higher, with gangs exfiltrating information to make ransom threats to sell or publish victims’ information far and wide.

This leaves many organizations frustrated, damaged and ultimately devastated, as fully recovering from the loss of sensitive and confidential files detailing financial information, business IP, customer data and more, can be a nearly impossible task.

The ongoing battle to secure data from highly sophisticated ransomware gangs like REvil and others continues to rage on, despite recent news that these groups have disbanded in response to pressure from law enforcement.

SHARING INTEL: Here’s why it has become so vital to prioritize the security-proofing of APIs

By Byron V. Acohido

Application Programming Interface. APIs. Where would we be without them?

Related: Supply-chain exposures on the rise

APIs are the snippets of code that interconnect the underlying components of all the digital services we can’t seem to live without. Indeed, APIs have opened new horizons of cloud services, mobile computing and IoT infrastructure, with much more to come.

Yet, in bringing us here, APIs have also spawned a vast new tier of security holes. API vulnerabilities are ubiquitous and multiplying; they’re turning up everywhere. Yet, API security risks haven’t gotten the attention they deserve. It has become clear that API security needs to be prioritized as companies strive to mitigate modern-day cyber exposures.

Consider that as agile software development proliferates, fresh APIs get flung into service to build and update cool new apps. Since APIs are explicitly used to connect data and services between applications, each fresh batch of APIs and API updates are like a beacon to malicious actors.

Organizations don’t even know how many APIs they have, much less how those APIs are exposing sensitive data. Thus security-proofing APIs has become a huge challenge. APIs are like snowflakes: each one is unique. Therefore, every API vulnerability is necessarily unique. Attackers have taken to poking and prodding APIs to find inadvertent and overlooked flaws; even better yet, from a hacker’s point of view, many properly designed APIs are discovered to be easy to  manipulate — to gain access and to steal sensitive data.

Meanwhile, the best security tooling money can buy was never designed to deal with this phenomenon.

GUEST ESSAY: Until we eliminate passwords, follow these 4 sure steps to password hygiene

By Rob Gabriele

More Americans than ever are working remotely and seeking out entertainment online, and this increase of internet activity has fueled a dramatic spike in cybercrime. With so much critical data now stored in the cloud, how can people protect their accounts?

Related: Training human sensors

Until biometrics or a quantum solution change our everyday approach to encryption, passwords remain our first line of defense against data breaches, hackers, and thieves.

Guarding our digital lives (and real-world identities) with just a few keystrokes seems a tactic too simple to ignore, and if users are careful and stick with best practices, these simple measures can be remarkably effective.

Proper password hygiene doesn’t require a degree in rocket science. Follow these four easy tips, and you’ll sleep better and safer at night.

1) Create sufficiently-complex passwords. This may seem obvious, but most users have poor password habits because it’s far simpler to remember your pet’s name and birthday than a combination of random numbers and letters. But simpler passwords are much easier to hack. Anything quickly conceived can be deciphered with the same speed, so forget your old tricks and stick to these ground rules instead:

•Longer is better. The National Institute of Standards and Technology’s (NIST) latest guidelines stress that a password’s length is its most critical component. Make sure your code has at least eight characters, but it’s best to pick a dozen or more.

•Don’t use words or names. Words and phrases are easier to remember but highly susceptible to cracking. Hackers can run through entire dictionaries in seconds, making this approach similar to hiding a key under the doormat.

GUEST ESSAY: Securely managing access controls is vital to preserving the privacy of healthcare data

By Balraj Dhillon

There’s no doubt, the increasing use of telemedicine, the explosion of health-based cloud apps, and innovative medical IoT devices are improving the patient care experience.

Related: Hackers relentlessly target healthcare providers

However, healthcare data ranks at the top of the list for needing improvements in security and privacy protections. This data is managed by different entities, such as primary care facilities, acute care facilities and within associated applications that collect, store and track health data, creating numerous exposure vulnerabilities.

There are many reasons for the vulnerable state of healthcare data. One significant factor is the merger and acquisition renaissancethat the healthcare industry is undergoing, which according to a new report from Moody’s Investors Service is expected to continue.

Healthcare organizations pursue merger and acquisitions for many reasons, including improving the ability to meet patient consumerization requirements, providing more

GUEST ESSAY: How stricter data privacy laws have redefined the ‘filing’ of our personal data

By Patricia Thaine

Filing systems, historically speaking, have been all about helping its users find information quickly.

 Related: GDPR and the new privacy paradigm

Europe’s General Data Protection Regulations (GDPR) changed the game. Generally, filing systems sort by date, department, topic, etc. Legacy filing systems were not built to keep track of the personal data of specific individuals primarily to be in compliance with the many data protection regulations popping up around the world.

Since it took effect in 2018, GDPR’s core guidelines have been copied by LGDP in Brazil, POPIA in South Africa, and the PDPB in India. Under the GDPR, a filing system is defined as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis” (GDPR Article 4.6).

We can see, by this definition, that the focus of how filing systems should be organized shifts significantly with a central purpose now being the ability to classify individuals and the personal data an organization collects on them.

GUEST ESSAY: Tapping Bitcoin’s security — to put a stop to ‘51% attacks’ of cryptocurrency exchanges

By Maxwell Sanchez

Over the past five years, cryptocurrency exchanges have been the target of increasingly damaging “51% attacks” resulting in the theft of over $30 million worth of cryptocurrency to date.

Related: Wildland restores control of data to individuals

However, these attacks aren’t due to exchange security flaws; malicious actors are exploiting the underlying consensus protocols of blockchains themselves.

Every blockchain uses a consensus protocol which allows all nodes on the network to agree on the current state of the blockchain. In Bitcoin, for example, a process known as “Proof-of-Work” (“PoW”) involves miners solving a difficult mathematical problem with powerful computers.

And whichever miner finds a solution adds a block to the blockchain, which contains transactions from users on the network. Each node validates the solution before accepting the block, and miners should begin working on solving the problem for the next block.

SHARED INTEL: Automating PKI certificate management alleviates outages caused by boom

By Byron V. Acohido

Our Public Key Infrastructure is booming but also under a strain that manual certificate management workflows are not keeping up with.

Related: A primer on advanced digital signatures

PKI and digital certificates were pivotal in the formation of the commercial Internet, maturing in parallel with ecommerce. With digital transformation leading to a boom in the use of digital certificates, our bedrock authentication and encryption framework is at an inflection point, where the demand and adoption of automation is set to rapidly accelerate to keep up with technology requirements.

As business networks shift into the era of cloud computing and agile software, the volume of digital certificates has swelled dramatically. This scaling up of PKI has put companies in a mad scramble.

Large enterprises now typically must manage 50,000 or more PKI certificates, placing a huge burden on manual processes. This, in turn, has triggered a surge in certificate outages: some two-thirds of 400 enterprises participating in a recent survey reported certificates expiring unexpectedly – with 25 percent experiencing five to six such outages in a recent six month period.