Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Top Stories

 

GUEST ESSAY: A primer on the degrees of privacy tech companies assign to your digital footprints

By Sanjay Mehta

In recent years, brands have started butting up against the line between convenience and privacy.  Shoppers love the convenience of personalized experiences that their data powers, but then horror stories such as the Cambridge Analytica scandal make people skeptical about how much information companies should be collecting and sharing.

Related: Apple battles Facebook over consumer privacy

Fundamentally this comes down to the underlying user identity, what data it contains, who generates that data, and where it resides.

Here we’ll discuss the implications to the third-party tracking and data which has been most impacted by recent privacy regulations and protocols. First it is important to understand the different degrees of data privacy.

Degrees of privacy

Customers share their information either explicitly through forms and transactions, or implicitly through their behaviors such as searches and clickstreams. Data explicitly provided by the user is considered “zero-party” data.

In ecommerce, this commonly comes in the form of a registration, a review, or a purchase. This is used for communication, personalization and

GUEST ESSAY: How SPDX helps reconcile interdependencies of open, proprietary software

By Kate Stewart

Software today is built on a combination of open source and proprietary software packages.  Developers can reuse and build on the packages created by others, which results in the rapid creation of new capabilities and technologies.

Related: How SBOM factors into DevSecOps

This reuse creates dependencies, all of which don’t necessarily stay updated at the same pace. The accurate and authenticated identification of all the relevant software package dependencies is key to preventing software supply chain attacks.

Agreeing on a standard way of cataloging summary information about the packages and their dependencies is necessary for multiple tools to interact efficiently and keep up with the rapid pace of reuse.

History of SPDX

We started the Software Package Data Exchange® (SPDX®) project in 2010. The project had the simple goal of sharing summary information about a software package between the creator and consumer. At that time, to comply with the licenses in open source, you had to find them in the source code.

This resulted in hours of issuing grep commands or working with commercial source scanning tools, and once you had the details, you didn’t have a good way of sharing them.

GUEST ESSAY: What it will take to train the next generation of cybersecurity analysts

By Gary S. Mullen

It is no secret that there is, and has been for some time, a shortage of trained cyber security professionals in corporate IT Security teams.  The Wharton School of the University of Pennsylvania observed that “nowhere is the workforce-skills gap more pronounced than in cybersecurity.”

Related: Deploying ‘human’ sensors’

According to data gathered by CyberSeek under a Commerce Department grant, there are currently nearly 465,000 unfilled cyber jobs across the US alone.  This shortage is significantly impacting corporate America, and it is particularly dire across federal, state and local governments.

The cyber security talent crunch has been a growing issue for many years now.  According to the 2019/2020 Official Annual Cyber Security Jobs Report sponsored by the Herjavec Group, the number of open cyber security positions has grown 350 percent from 2013 to 2021.  Cybersecurity Ventures predicts that there will be 3.5 million unfilled cyber security jobs globally by 2021.

Unfortunately, getting the hands-on experience needed to become a cyber security analyst is out of reach of many today.  In 95% of the hiring decisions being made for open positions, employers are looking for that hands on experience.

According to MIT Technology Review, fewer than one in four candidates applying for cyber security positions are qualified.

GUEST ESSAY – Notable events in hacking history that helped transform cybersecurity assessment

By April Miller

Assessing the risks involved in using the latest technology is something our culture had to adopt in the early days of the computer. New technologies come with risks — there’s no denying that.

Related: How Russia uses mobile apps to radicalize U.S. youth

To minimize their impact, implementing preventive security measures into these advanced systems is crucial. Businesses across all industries can function adequately without worrying about would-be hackers with malicious intent when they secure their networks.

Phishing scams, malware, ransomware and data breaches are just some of the examples of cyberthreats that can devastate business operations and the protection of consumer information.

Here are five notable historical events that influenced cybersecurity assessment and transformed it into what it is today:

The Battle of Midway (1942)

After the devastating blow of Pearl Harbor, U.S. military officials hired data analysts to crack the Japanese secret code known as JN-25.

SHARED INTEL: Reviving ‘observability’ as a means to deeply monitor complex modern networks

By Byron V. Acohido

An array of promising security trends is in motion.

New frameworks, like SASE, CWPP and CSPM, seek to weave security more robustly into the highly dynamic, intensely complex architecture of modern business networks.

Related: 5 Top SIEM myths

And a slew of new application security technologies designed specifically to infuse security deeply into specific software components – as new coding is being developed and even after it gets deployed and begins running in live use.

Now comes another security initiative worth noting. A broad push is underway to retool an old-school software monitoring technique, called observability, and bring it to bear on modern business networks. I had the chance to sit down with George Gerchow, chief security officer at Sumo Logic, to get into the weeds on this.

Based in Redwood City, Calif., Sumo Logic supplies advanced cloud monitoring services and is in the thick of this drive to adapt classic observability to the convoluted needs of company networks, today and going forward. For a drill down on this lively discussion, please give the accompanying podcast a listen. Here are the main takeaways:

Q&A: Surfshark boosts ‘DIY security’ with its rollout of VPN-supplied antivirus protection

By Byron V. Acohido

Surfshark wants to help individual citizens take very direct control of their online privacy and security.

Thus, Surfshark has just become the first VPN provider to launch an antivirus solution as part of its all-in-one security bundle Surfshark One.

Related: Turning humans into malware detectors

This development is part and parcel of rising the trend of VPN providers hustling to deliver innovative “DIY security” services into the hands of individual consumers.

It’s notable that this is happening at a time when Microsoft, Apple and Google are going the opposite direction – by natively embedding more consumer-grade security services into their popular operating systems, like Windows, Mac, IoS and Android. And let’s not forget the longstanding, multi-billion market of antivirus software subscriptions directed at consumers.

The consumer anti-virus vendors have been generating massive subscription revenue for two decades; though this market is mature and in a consolidation phase, it is not going to disappear anytime soon, as suggested by  NortonLifeLock’s $8 billion buyout of Avast.

Last year I agreed to serve a one-year term on Surfshark’s advisory board. I accepted because I appreciated Surfshark’s emphasis on privacy and security — and saw it as a way to learn more about the consumer cybersecurity market.

GUEST ESSAY: Why it’s worrisome that China has integrated Huawei switches into telecoms worldwide

By Sarina Krantzler

In the previous discussion, China’s 14th Five-Year Plan was summarized to capture relevant aspects of dual circulation, the Digital Silk Road (DSR), and the Belt Road Initiative (BRI) that aim to advance China as an economic, technological, and foreign policy powerhouse.

Related: Part 1. China’s 5 year digital plans

Both of those initiatives are well-funded, thoughtful, and strategic in their attempts to spread influence and widespread dependency on Chinese products.

The first blog concluded with a strong message of encouragement for the U.S. to evolve its own creative cybersecurity strategy leveraging strategic goals with economics and public policy to create a sustainable, secure cyber system consistent with Western ethical standards, our free market philosophy, and our democratic traditions.

The FCC’s Rip and Replace Model was introduced, by title only, to provide a glimpse into how the U.S. should, and is beginning to, take action to counteract intrusive Chinese technology within our critical infrastructure. To understand our options in this fight, however, we first need to understand who we’re up against.

Huawei Technologies, or Huawei for short, is a Chinese telecommunications firm that has been fed tens of billions of dollars in financial assistance by the Chinese government on a scale of subsidization that dwarfs the next closest competitors’ monetary receipt. To fuel their rise to the top of the global telecommunications landscape, Huawei had access to as much as $75 billion in state support as it grew from a little-known vendor of phone switches to the world’s largest telecom equipment company (Wall Street Journal).

Subsidies aside, since 1998, Huawei has received an estimated $16 billion in loans, export credits, and other forms of financing from Chinese banks for the firms’ operations and customers.

As referenced in the previous blog, Brazil was originally firmly in opposition of adopting Huawei technology into their infrastructure until the country became desperate amidst the COVID-19 pandemic.