VIDEO: How phishers are coming after you — and what you should do about it

By Byron V. Acohido

The current cybersecurity climate makes it hard not to be cautious of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes, today’s phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.

Related infographics: Phishers focus on smaller financial institutions

Despite increased awareness for these attacks and “I’d never fall for that” attitudes, Verizon’s 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking on an unidentified link or downloading a suspicious attachment.

I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:

Attacks have evolved. Attacks have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are creating hyper-targeted, hyper-relevant emails that leverage social engineering to encourage users to click. Attackers are spending longer researching organizations to try to get as much information as possible before sending out targeted emails. They know your name, your role and your title and tailor each attack to reflect this. So when you receive 1,000 emails a day, you won’t think twice about clicking one that “seems” normal.

Attacks are just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers are targeting multiple individuals within an organization as part of a more advanced attack. The information that you provide by falling for the phishing email might not be the end goal. But anything you provide is … more

GUEST ESSAY: 6 ways to use a ‘secure code review’ to engrain security during software development

By Amit Ashbel

An application or update is days, or possibly just hours away, from release and you’ve been working hard to ensure that security tools and processes are integrated throughout the development process. You believe you’ve followed all the steps and your app is ready to go, right?

Wrong. You have one more step in the security process before you can give the green light: a secure code review.

Related podcast: How application security testing can dovetail into ‘DevOps’

If you’re wondering what a secure code review is, it’s the process organizations go through to identify and fix potentially risky security vulnerabilities in the late and final stages of development. They serve as a final step to ensure your code is safe and that all the dependencies and controls of the application are secured and functional. Here are six fundamentals to onboarding secure software.

Run through a checklist. This may seem obvious, but keeping the review process consistent is extremely important. When conducting manual code reviews, make sure all reviewers are working off of the same comprehensive checklist. Enforce time constraints as well as mandatory breaks for manual code reviewers. It’s important to ensure the reviewers are at their sharpest, especially when looking at high-value applications.

Keep things positive. It’s easy to single out developers for mistakes. However, if you want to build a positive security culture, it’s important to refrain from playing the blame game; this only serves to deepen the gap between security and development. Use your findings to help guide your security education and awareness programs, using mistakes as a jumping off point to spotlight what developers should be looking out for.

Rely on a mix of humans and tools. Tools aren’t armed with the mind of a human, and therefore can’t detect issues in the logic of code and the risk to the organization if such a flaw is left unfixed. Thus, a mix of static analysis testing … more

PODCAST: Dell SecureWorks discloses how faked personas fuel targeted attacks

By Byron V. Acohido

In the wake of phishing attacks involving Google Docs and DocuSign, corporate awareness of socially engineered cybersecurity threats is at an all-time high. Naturally, this has led to an increase in employee training and awareness.

This kind of action couldn’t be more necessary. According to Software Advice, 39 percent of employees admitted to opening emails they suspected might be fraudulent. And only 36 percent felt they were very confident in recognizing and resisting phishing attacks.

While increased awareness of corporate-based phishing attempts is vital, so, too, is awareness of phishing attempts that start in an employee’s personal environment before transitioning into the company. This is what happened in the curious case of Mia Ash.

I recently was joined by Allison Wikoff, senior researcher and intelligence analyst for Dell SecureWorks Counter Threat Unit, at Black Hat 2017 in Las Vegas. With the conference proceedings as a suitable backdrop, we discussed this recent social media-based phishing scam from Iranian hacker group Cobalt Gypsy. Here are the key takeaways from our discussion.

Who is Mia Ash? Mia Ash was a supposed London-based photographer with social media profiles on LinkedIn and Twitter. In reality, it was a fake persona created by Cobalt Gypsy, an Iran-based hacker group that largely focuses on the oil industry. Mia Ash was the second step of a two-step attack program. Cobalt Gypsy initially tried to phish via a Word document attached to an email. When this failed, Mia Ash reached out to individual employees.

Personal phishing in a corporate environment. Using Mia Ash’s profile on LinkedIn, Cobalt Gypsy was able to find key staffers who were likely to have elevated access to company data. By targeting them specifically and initiating “harmless” conversations, the hacker group eventually was able to persuade employees to take a photography survey and open it on the corporate server. Surprise, surprise, the survey contained a Pupy RAT (Pupy is an open-source remote administration tool) … more

NEW TECH: InnoSec supplies platform to measure, manage emergent cybersecurity risks

By Byron V. Acohido

Serial entrepreneur and cybersecurity expert M. Ariel Evans is positioning her latest start-up to revolutionize the way insurance companies assess and price policies against cyber threats and how businesses protect themselves against cyber breaches.

An Israeli-American residing in Tel Aviv, Evans is now chief executive officer of InnoSec, a company that analyzes and manages risk from a cyber perspective. InnoSec’s cyber-risk management application, branded STORM, generates data to help companies manage cybersecurity risks and to allow insurance companies to measure prospective policyholders’ risk and price policies appropriately.

Related video: Cyber insurance market bridges gap between tangible, intangible assets

“There’s a huge need to be able to understand the relationship between cyber risk, cyber insurance and risk tolerance, and to quantify it in a way that organizations can understand, and allow them to have this very insightful information,” Evans says.

In the event of a major breach—such as the massive 2013 attack that cost retailer Target more than $200 million, or the recent worldwide WannaCry ransomware cryptoworm—cybersecurity insurance enables organizations to collect claims that help recover costs and remediate damage.

Huge growth potential

Although a tiny share of the $505.8 billion U.S. insurance market, the cybersecurity insurance sector is poised to go from negligible to nascent. Globally, the segment generates about $3 billion to $4 billion in premiums annually, according to global insurance company Allianz, an amount the company projects will grow to $20 billion by 2025, which would make it among the industry’s fastest-growing sectors.

As for the sector’s growth potential, in its third biannual survey of the market, the Council of Insurance Agents & Brokers found that:

• Only 29 percent of respondents’ clients had purchased any form of cyber coverage.

• But of those, 22 percent had purchased cyber insurance for the first time in the past six months.

• 40 percent had increased their coverage in the past six months.

• 70 percent had standalone policies.

While … more

GUEST ESSAY: Why neutralizing insider threats should be a much higher priority

By Thomas Jones

As we have seen in the headlines, insider threats are a constant challenge for government agencies. But the problem comes with one silver lining. Each time a successful insider threat strikes, it pushes agencies to bolster their cybersecurity programs.

The National Industrial Security Program Operating Manual (NISPOM) Change 2 is an example of just that. Released by the U.S. Department of Defense in May 2016, NISPOM Change 2 mandates federal contractors implement an insider threat program. One key requirement went into effect on May 31, mandating contractors hold insider threat employee awareness training for all cleared employees before being granted access to classified information and annually thereafter.

The requirement is a positive step in tackling the insider threat problem. The training includes a section on consequences for breaking the rules, using real world examples of insiders who have faced prison time and hefty fines, such as Pvt. Bradley Manning being convicted and sentenced to serve a 35-year sentence at the maximum-security U.S. Disciplinary Barracks at Fort Leavenworth.

Related infographic: How training can translate into a ‘human firewall’

It also educates employees on common behavior patterns that may indicate an insider is about to turn, such as frequent trips outside the United States or working strange hours. Finally, the training explains who to contact if an employee identifies a potential insider threat.

One drawback to the mandate is that it requires contractors to conduct training only once a year. In addition to spending 25-plus years working in the federal government, I also majored in psychology at Towson University. One lesson I learned is that if you want the human mind to retain a lot of information, it must be broken down into smaller chunks and exposed to the data frequently. Security awareness training of any kind should include 7- to 10-minute sessions that focus on specific policies violated.

Test employees’ awareness

For example, if a contract employee innocently sent private government … more

GUEST ESSAY: What you should know about how ‘unstructured data’ exposes your operations

By Erik Brown

Recent high-profile photo hacks have made headlines. In March, internet hackers targeted celebrities including Miley Cyrus, Emma Watson and Amanda Seyfried, among others, resulting in the leak of intimate photos that were posted on sites such as 4chan and Reddit. Similarly, back in 2014 hacker Ryan Collins exposed nude photos and videos of several celebrities after obtaining them from iCloud accounts.

But celebrities aren’t the only ones vulnerable to hackers. Imagine if your organization’s C-level executives had sensitive information stored in their email or documents. Hackers could obtain proprietary information, causing financial nightmares and damaging your organization’s reputation.

Related Q&A: High net worth individuals face focused attacks

Many enterprises fail to properly secure their email and documents from attacks, thinking that firewalls and traditional security solutions are sufficient. But without a security solution in place, the entire organization can be at risk if just one employee falls victim to a phishing attack. Some 91 percent of phishing hacks lead to content breaches that can snowball, causing you, your contacts, and their contacts exponential harm.

What can be done to mitigate the possibility of data breaches?

Unstructured data

Each day millions of corporate and government email users worldwide have candid conversations over email—whether between employees, supply chain partners or other external participants—sharing information that often is proprietary and mission-critical. And the volume of data in emails and documents is doubling each year.

This collaboration is crucial for today’s businesses, but maintaining privacy standards and document security can be challenging. To ensure productivity through collaboration, expedite projects and make timely decisions, employees are sharing unstructured data both inside and outside the firewall. Yet once the information is outside the firewall, it may not be protected. By establishing a secure environment that protects content inside and outside the organization, all parties can communicate freely via digital channels.

Rights management

There is an expected level of trust between you and your internal and … more

PODCAST: Tech advances arrive to help secure legacy industrial controls

By Byron V. Acohido

Many critical infrastructure systems, such as those that control the electric grid, oil and gas refineries, and transportation, are now getting linked to the internet. That makes them easier to manage and maintain, but also could put them in the line of fire for cyber attacks.

I recently discussed the issues involved in upgrading and protecting these critical industrial control systems with Patrick McBride, chief marketing officer at Claroty, a startup that intends to secure the operational technology networks that run companies’ infrastructure systems. A few big takeaways from our conversation:

When industrial systems were built, sometimes decades ago, no one considered the need for digital protections. “The systems were never designed, especially 10, 15, 20 years ago, with cybersecurity in mind,” McBride told me. Their primary design goals were the safety of the workers and the resilience of the systems, he said. “Security wasn’t even an afterthought. It wasn’t a thought.”

Related story: Threat of cyber attack on critical infrastructure is real, present danger

Now, a new class of tools is coming online to help monitor these legacy systems. Using behavior analysis and anomaly detection, they are designed to catch intruders early in the attack life cycle. “Monitoring technology is going to play a huge part in this environment,” McBride said.

Mishmash of systems leaves exposures

Big industrial plants are careful about what they put on their networks, but some are putting wireless and other access points on systems as time-saving techniques to gather data more efficiently.

“You’ve got a whole set of overwhelming business value from pulling data out of those plant systems and being able to provide that information back to the executive,” McBride said.

When organizations began to recognize the need for cybersecurity, some traditional IT security vendors repurposed existing technology, McBride said. That didn’t work particularly well, because the networks in industrial control systems speak other kinds of protocols.

For example, … more