MY TAKE: How ‘CASBs’ are evolving to close the security gaps arising from digital transformation

By Byron V. Acohido

The Cloud Access Security Broker (CASB) space is maturing to keep pace with digital transformation.

Related: CASBs needed now, more than ever

Caz-bees first took shape as a cottage industry circa 2013 to 2014 in response to a cry for help from companies reeling from new Shadow IT exposures: the risk created by early-adopter employees, quite often the CEO, insisting on using the latest smartphone and Software-as-a-Service (SaaS) tools without any shred of security vetting.

A wave of acquisitions absorbed a half-dozen early CASB startups. One company still actively innovating as an independent CASB is San Jose, CA-based security vendor CipherCloud. I had the chance to visit with CipherCloud CTO Sundaram Lakshmanan at RSA 2019.

We discussed how the basic notion of flowing all data coming into a company’s network — from whatever device or web app — through a cloud gateway for security scanning has become elemental. For a full drill down, give the accompanying podcast a listen. Here are the key takeaways:

Shifting role

As with almost any security solution, the bottom line for CASBs is protecting the data without degrading the user experience and thereby eroding productivity. This is especially important in the cloud. CASBs began by closing glaring security gaps created by the rapid adoption of mobile devices and cloud tools. Quite naturally, that role is now shifting and expanding.

Now that CASBs have been around for half a decade, companies are figuring out how to utilize them to reinforce specific silos within their IT and security teams. More enterprises are rethinking their internal processes, seeking a more centralized, convenient approach to securing web apps, Lakshmanan told me.

“At the end of the day, it is about business productivity and helping users get their job done,” he said. Enterprises are starting to understand that as they pursue velocity and scale,

MY TAKE: Why privacy regulations are a must for next-gen cars and trucks

By Byron V. Acohido

With wide deployment expected in the next decade, the driverless automobile landscape looks fraught – from road safety to data protection.

Driverless automobiles, long-haul trucks and military transport vehicles are on a fast track for wide deployment over the next five to 10 years. That much is clear.

Related: Security ramifications of autonomous transportation.

Vehicle manufacturers are all in, and innovation is racing forward. Meanwhile, captains of industry and political leaders are eager to reap the benefits of autonomous transportation.

The big pros: more efficient travel, less pollution, improved vehicle utilization and a leadership role for the United States in autonomous vehicle innovation. This is according to a 2017 report from The Center for the Study of the Presidency and Congress, a nonprofit and nonpartisan think tank.

Of course, allowing a computer to autonomously control powerful, fast-moving machines carrying fragile humans implies safety risks. However, the major safety concerns are clearly delineated and should be straightforward to address. And experts say vehicle travel actually should be much safer with a computer behind the wheel.

The stickier matter is how to address a slew of murky privacy concerns spinning out of the rise of driverless cars and trucks. State and federal regulators have begun shaping regulations to address both safety and privacy concerns, and industry standards are being hashed out as well. However, it’s anyone’s guess, at this point, what blend of rules and best practices will ultimately emerge.

“We should expect legislative requirements related to vehicle upkeep, including mechanical, electrical and software systems,” said Rusty Carter, vice president of product management at Arxan Technologies, a San Francisco–based supplier of application security systems.

When it comes to preserving the privacy of the occupants of driverless vehicles, however, the burden still rests with the individual.

“Consumers need to remain vigilant and exercise their rights to limit collection and use of any data that is collected,” said Elizabeth Rogers, a privacy and … more

MY TAKE: These 7 nation-state backed hacks have put us on the brink of a global cyber war

By Byron V. Acohido

Nation-state backed hacking collectives have been around at least as long as the Internet.

However, evidence that the ‘golden age’ of cyber espionage is upon us continues to accumulate as the first half of 2018 comes to a close.

Related podcast: Obsolescence is creeping into legacy security systems

What’s changed is that cyber spies are no longer content with digital intelligence gathering. Military operatives and intelligence units today routinely hack to knock down critical infrastructure, interfere with elections, and even to exact revenge on Hollywood studios.

Recently, one of the most powerful and notorious cyber spies on the planet, North Korean General Kim Yong Chol, stepped from obscurity into global celebrity status.

Last month President Trump invited the heretofore obscure General Kim into the White House for an impromptu state visit. For about two hours, Trump exchanged pleasantries with the man who orchestrated North Korea’s devastating hack of Sony Pictures in 2014, the aforementioned revenge caper. The tête-à-tête unfolded as Trump prepared for his summit in Singapore with General Kim’s boss, North Korean despot Kim Jong-un.

Rise of North Korea

It’s notable that, since the Sony Pictures hack, General Kim has steadily gotten more powerful and adept at the cyber spy game. Today he commands a cyber army, some 7,000 hackers and support staff strong, that has emerged as a potent and disruptive force. The Wall Street Journal recently reported that North Korea is cultivating elite hackers much like other countries train Olympic athletes.

Meanwhile, Iran-sponsored cyber operatives are making hay, as well. Trump’s decision

MY TAKE: Why Google is labeling websites ‘unsafe’ — what publishers need to do about it

By Byron V. Acohido

One of the things Google’s security honchos have long championed, for the most part out of the public spotlight, is making HTTPS (HTTP carried over Transport Layer Security, or TLS) the de facto standard for commercial websites, so that traffic to them is authenticated, encrypted and protected from tampering.

TLS and its predecessor, Secure Sockets Layer (SSL), rely on digital certificates to validate that a website is really what it claims to be. In an environment where spoofed and booby-trapped websites clutter the Internet, this is a vital function.

Related article: How the PKI ecosystem can secure IoT

TLS also leverages public key cryptography, anchored in a public key infrastructure (PKI), to authenticate the site and negotiate the session keys that encrypt the data users submit to legitimate sites. Companies known as Certificate Authorities (CAs) play a pivotal role: they issue TLS certificates and assist website owners with implementing them.

For the most part, this arrangement has worked very well, although, like anything else in security, it can be improved. On March 15, Google will take a bold step to strengthen the web’s certificate ecosystem: it will advance the process of ending trust in hundreds of thousands of TLS certificates issued by Symantec, the former kingpin CA, including those sold under its Thawte, GeoTrust and RapidSSL brands. With the beta release of Chrome 66, followed by the stable release, Chrome will begin showing “distrust” warnings to visitors of websites whose certificates chain to a Symantec root and were issued before June 1, 2016.
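What that rule looks like when a client applies it to a verified chain, as an added example in Go (not code from the article, Google or Symantec): the program below generates a throwaway two-certificate chain at run time, verifies it with the standard library’s X.509 verifier, and then applies the Chrome 66 rule, distrusting the leaf if its root is a legacy Symantec-operated root and its notBefore date is earlier than June 1, 2016. Matching the legacy roots on the subject organization name is a simplifying assumption made for this example; Chrome’s actual policy identifies the affected roots by their public key hashes. No real Symantec certificate or key is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chrome 66 rule from the article: Symantec-rooted certificates issued before 1 June 2016 are distrusted.
var chrome66Cutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

// Subject O= of the legacy Symantec-operated roots (Symantec, VeriSign, thawte, GeoTrust brands).
// Chrome pins the real roots by SPKI hash; matching on the organisation name is an assumption here.
var legacySymantecOrgs = map[string]bool{
	"Symantec Corporation": true,
	"VeriSign, Inc.":       true,
	"thawte, Inc.":         true,
	"GeoTrust Inc.":        true,
}

// Chrome66Distrusts applies the rule to a verified, non-empty chain (leaf first, root last).
func Chrome66Distrusts(chain []*x509.Certificate) (bool, string) {
	leaf, root := chain[0], chain[len(chain)-1]
	for _, o := range root.Subject.Organization {
		if legacySymantecOrgs[o] && leaf.NotBefore.Before(chrome66Cutoff) {
			return true, "issued " + leaf.NotBefore.Format("2006-01-02") + " under legacy root " + o
		}
	}
	return false, "not affected by the Chrome 66 rule"
}

// issue signs tmpl under parent (tmpl itself for a self-signed root) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates, locally and only for this demo, a self-signed root carrying rootOrg and a
// leaf for www.example.com issued at notBefore, verifies the leaf against that root and returns
// the leaf-to-root chain a TLS client would hand to a policy check.
func BuildChain(rootOrg string, notBefore time.Time) ([]*x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{rootOrg}, CommonName: "Demo Root CA"},
		NotBefore:             notBefore.AddDate(-10, 0, 0),
		NotAfter:              notBefore.AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(3, 0, 0),
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "www.example.com",
		CurrentTime: notBefore.AddDate(1, 0, 0), // evaluate inside the leaf's validity window
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	chain, err := BuildChain("Symantec Corporation", time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println(Chrome66Distrusts(chain))
}
```

To audit a live site, pull its chain (for example with `openssl s_client -showcerts`), parse the certificates and pass the verified chain to Chrome66Distrusts; a leaf issued before the cut-off under a Symantec, VeriSign, thawte or GeoTrust root had to be reissued before Chrome 66 shipped.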

Engendering trust

Starting Thursday, March 15, this could play out as a rude awakening for web site publishers who haven’t been paying attention. However, the good news is that, thanks to the sudden — and remarkably smooth — handoff of Symantec’s digital certificate

MY TAKE: Necurs vs. Mirai – what ‘classic’ and ‘IoT’ botnets reveal about evolving cyber threats

By Byron V. Acohido

I’ve written about how botnets arose as the engine of cybercrime, and then evolved into the Swiss Army Knife of cybercrime. It dawned on me very recently that botnets have now become the bellwether of cybercrime.

This epiphany came after checking in with top experts at Proofpoint, Forcepoint, Cloudflare and Corero — leading vendors that devote significant talent and resources to monitoring and analyzing botnets. I also spoke with SlashNext, a startup that specializes in detecting stealthy botnet activity.

Related article: Russian botnets ignite social media blitz

There’s much we can discern from the distinctive ebb and flow of botnet-borne malicious activity. ‘Classic’ botnets are made up of vast numbers of infected PCs, servers and virtual computing nodes. One of particular note is called Necurs, a massive botnet-for-hire and the king of delivering phishing email attacks, ransomware campaigns and banking Trojans.

Then there are any number of smaller, single-purpose botnets owned and operated by nation-state-backed hacking rings. The obvious example: the Russian botnet operators who orchestrated the wave of social media spoofing and propagandizing designed to influence political discourse and meddle in elections in the U.S. and across Europe. The most recent example: Russian botnets hyped the #Releasethememo campaign on Twitter to lend credence to Rep. Devin Nunes’, R-Calif., secret ‘memo’ purportedly discrediting and disqualifying the FBI from investigating Russia’s meddling in the last U.S. election. That came after Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump.

Meanwhile, a new generation of Internet of Things botnets has arrived on the scene. IoT botnets, like Mirai and Reaper, are comprised of infected home routers, surveillance cameras and other IoT devices. Monitoring the badness emanating from the likes of Necurs, Mirai and Reaper can tell us a lot about where cyber criminals’ attention is focused – and where it might turn next. “The … more

NEWS WRAP-UP: Walmart tracks customers’ facial expressions; teachers hacked; Asians seek cyber insurance

By Byron V. Acohido

Week ending Aug. 11. Walmart has filed a patent for video technology to track customers’ facial expressions as they shop, potentially allowing employees to address customer needs before they have to ask. The system would use video to scan for customers who are frustrated or unhappy if they can’t find a product or figure out pricing. The system also could see when a display or product pleases shoppers. According to the patent filing, Walmart says it’s easier to retain existing customers than acquire new ones. Walmart also will use the technology to analyze trends in shoppers’ purchase behavior over time, according to the patent filing. The system links customers’ facial expressions to their transaction data—meaning how much they’re spending and what they’re buying. Using biometric data collected from customers’ facial expressions, the retailer would link changes in mood to changes in spending. Walmart says this will help stores detect changes in a customer’s purchase habits due to dissatisfaction. If a sharp drop in spending is recorded after a customer is seen with a negative facial expression, the company would be able to better deal with the pain points that are driving away shoppers. Sources: TheStreet.com; USA Today; Business Insider; PSFK.com

Teachers get a hard lesson in data protection

Hundreds of current and former teachers in the St. Louis area, members of the Public School and Education Employee Retirement Systems of Missouri, were victims of identity theft. Hackers obtained access to names, dates of birth, Social Security numbers and addresses, and attempted to use the information to access retirement funds and have them transferred. Some victims’ mailing addresses were changed. Source: Fox2Now, St. Louis

More Asian residents, companies might buy cyber insurance

Demand for cyber insurance from firms in China and elsewhere in Asia could soar, based on inquiries received after the WannaCry ransomware attack earlier this year, executives at American International Group said. The insurer saw … more

VIDEO: How phishers are coming after you — and what you should do about it

By Byron V. Acohido

The current cybersecurity climate makes it hard not to be cautious of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes; today’s phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.

Related infographics: Phishers focus on smaller financial institutions

Despite increased awareness of these attacks and “I’d never fall for that” attitudes, Verizon’s 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking a link or opening a suspicious attachment.

I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:

Attacks have evolved. Attacks have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are creating hyper-targeted, hyper-relevant emails that leverage social engineering to encourage users to click. Attackers are spending longer researching organizations to try to get as much information as possible before sending out targeted emails. They know your name, your role and your title and tailor each attack to reflect this. So when you receive 1,000 emails a day, you won’t think twice about clicking one that “seems” normal.

Attacks are just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers are targeting multiple individuals within an organization as part of a more advanced attack. The information that you provide by falling for the phishing email might not be the end goal. But anything you provide is … more
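The header-level checks a mail gateway can run before any recipient has to judge the lure, as an added example in Go (not code from CyberScout or the article): display-name spoofing, where the visible name carries a different address than the real sender; Reply-To and Return-Path pointing at other domains, which diverts replies and bounces away from the apparent sender; and a sender domain that is within a small edit distance of the organization’s own, the classic typosquat. The sample message, the acme-corp.com domain and the two-edit threshold are constructed for this example. A foreign Return-Path is also set legitimately by bulk mailers, so on its own it is a weak signal.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample, not a real capture: the display name impersonates the CEO's
// address, the true sender domain is a lookalike, and replies are diverted elsewhere.
const sampleMail = `Return-Path: <bounce@bulk-sender.example>
From: "Jane Doe (ceo@acme-corp.com)" <jane.doe@acme-c0rp.com>
Reply-To: <jane.doe@webmail.example>
To: finance@acme-corp.com
Subject: Urgent wire transfer - confidential

Please process the attached invoice today and keep this between us.
`

// domainOf returns the lower-cased text after the last '@' with surrounding
// punctuation stripped, or "" when there is no '@'.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(strings.Trim(addr[i+1:], "()<>[]\"'.,;:"))
	}
	return ""
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// levenshtein is the edit distance used for the lookalike-domain check.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			sub := prev[j-1] // substitution (or match)
			if a[i-1] != b[j-1] {
				sub++
			}
			cur[j] = minInt(minInt(prev[j]+1, cur[j-1]+1), sub) // delete, insert, substitute
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// AnalyzeHeaders returns sender indicators a mail gateway can check before any
// user reads the body. ourDomain is the organisation's own mail domain.
func AnalyzeHeaders(raw, ourDomain string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("From header: %w", err)
	}
	fromDom := domainOf(from.Address)
	var findings []string
	// 1. The display name carries an address whose domain is not the real sender's.
	for _, tok := range strings.Fields(from.Name) {
		if d := domainOf(tok); d != "" && d != fromDom {
			findings = append(findings, "display name shows "+d+" but sender is "+fromDom)
		}
	}
	// 2. Reply-To or Return-Path points at another domain (an absent header fails
	// to parse and is skipped). Bulk mailers set a foreign Return-Path legitimately.
	for _, h := range []string{"Reply-To", "Return-Path"} {
		if a, err := mail.ParseAddress(msg.Header.Get(h)); err == nil && domainOf(a.Address) != fromDom {
			findings = append(findings, h+" domain "+domainOf(a.Address)+" differs from From domain "+fromDom)
		}
	}
	// 3. The sender domain is a near miss of ours (acme-c0rp.com vs acme-corp.com).
	if ours := strings.ToLower(ourDomain); fromDom != ours && levenshtein(fromDom, ours) <= 2 {
		findings = append(findings, "sender domain "+fromDom+" is a lookalike of "+ours)
	}
	return findings, nil
}

func main() {
	findings, err := AnalyzeHeaders(sampleMail, "acme-corp.com")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("-", f)
	}
}
```

Run against the sample it reports all four indicators; a plain internal message from bob@acme-corp.com with no Reply-To produces none. In production the lookalike check should compare registrable domains rather than full hostnames, and the edit-distance threshold should be tuned to the length of the organization’s domain.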