NEWS WRAP-UP: Walmart tracks customers’ facial expressions; teachers hacked; Asians seek cyber insurance

By Byron V. Acohido

Week ending Aug. 11. Walmart has filed a patent for video technology to track customers’ facial expressions as they shop, potentially allowing employees to address customer needs before they have to ask. The system would use video to scan for customers who are frustrated or unhappy if they can’t find a product or figure out pricing. The system also could see when a display or product pleases shoppers. According to the patent filing, Walmart says it’s easier to retain existing customers than acquire new ones. Walmart also will use the technology to analyze trends in shoppers’ purchase behavior over time, according to the patent filing. The system links customers’ facial expressions to their transaction data—meaning how much they’re spending and what they’re buying. Using biometric data collected from customers’ facial expressions, the retailer would link changes in mood to changes in spending. Walmart says this will help stores detect changes in a customer’s purchase habits due to dissatisfaction. If a sharp drop in spending is recorded after a customer is seen with a negative facial expression, the company would be able to better deal with the pain points that are driving away shoppers. Sources: TheStreet.com; USA Today; Business Insider; PSFK.com

Teachers get a hard lesson in data protection

Hundreds of current and former teachers in the St. Louis area, members of the Public School and Education Employee Retirement Systems of Missouri, were victims of identity theft. Hackers obtained access to names, dates of birth, Social Security numbers and addresses, and attempted to use the information to access retirement funds and have them transferred. Some victims’ mailing addresses were changed. Source: Fox2Now, St. Louis

More Asian residents, companies might buy cyber insurance

Demand for cyber insurance from firms in China and elsewhere in Asia could soar, based on inquiries received after the WannaCry ransomware attack earlier this year, executives at American International Group said. The insurer saw … more

VIDEO: How phishers are coming after you — and what you should do about it

By Byron V. Acohido

The current cybersecurity climate makes it hard not to be cautious of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes; today’s phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.

Related infographics: Phishers focus on smaller financial institutions

Despite increased awareness for these attacks and “I’d never fall for that” attitudes, Verizon’s 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking on an unidentified link or downloading a suspicious attachment.

I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:

Attacks have evolved. Attacks have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are creating hyper-targeted, hyper-relevant emails that leverage social engineering to encourage users to click. Attackers are spending longer researching organizations to try to get as much information as possible before sending out targeted emails. They know your name, your role and your title and tailor each attack to reflect this. So when you receive 1,000 emails a day, you won’t think twice about clicking one that “seems” normal.

Attacks are just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers are targeting multiple individuals within an organization as part of a more advanced attack. The information that you provide by falling for the phishing email might not be the end goal. But anything you provide is … more

GUEST ESSAY: 6 ways to use a ‘secure code review’ to engrain security during software development

By Amit Ashbel

An application or update is days, or possibly just hours away, from release and you’ve been working hard to ensure that security tools and processes are integrated throughout the development process. You believe you’ve followed all the steps and your app is ready to go, right?

Wrong. You have one more step in the security process before you can give the green light: a secure code review.

Related podcast: How application security testing can dovetail into ‘DevOps’

If you’re wondering what a secure code review is, it’s the process organizations go through to identify and fix potentially risky security vulnerabilities in the late and final stages of development. It serves as a final step to ensure your code is safe and that all the dependencies and controls of the application are secured and functional. Here are six fundamentals to onboarding secure software.

Run through a checklist. This may seem obvious, but keeping the review process consistent is extremely important. When conducting manual code reviews, make sure all reviewers are working off of the same comprehensive checklist. Enforce time constraints as well as mandatory breaks for manual code reviewers. It’s important to ensure the reviewers are at their sharpest, especially when looking at high-value applications.

Keep things positive. It’s easy to single out developers for mistakes. However, if you want to build a positive security culture, it’s important to refrain from playing the blame game; this only serves to deepen the gap between security and development. Use your findings to help guide your security education and awareness programs, using mistakes as a jumping off point to spotlight what developers should be looking out for.

Rely on a mix of humans and tools. Tools aren’t armed with the mind of a human, and therefore can’t detect issues in the logic of code and the risk to the organization if such a flaw is left unfixed. Thus, a mix of static analysis testing … more

PODCAST: Dell SecureWorks discloses how faked personas fuel targeted attacks

By Byron V. Acohido

In the wake of phishing attacks involving Google Docs and DocuSign, corporate awareness of socially engineered cybersecurity threats is at an all-time high. Naturally, this has led to an increase in employee training and awareness.

This kind of action couldn’t be more necessary. According to Software Advice, 39 percent of employees admitted to opening emails they suspected might be fraudulent. And only 36 percent felt they were very confident in recognizing and resisting phishing attacks.

While increased awareness of corporate-based phishing attempts is vital, so, too, is awareness of phishing attempts that start in an employee’s personal environment before transitioning into the company. This is what happened in the curious case of Mia Ash.

I recently was joined by Allison Wikoff, senior researcher and intelligence analyst for Dell SecureWorks Counter Threat Unit, at Black Hat 2017 in Las Vegas. With the conference proceedings as a suitable backdrop, we discussed this recent social media-based phishing scam from Iranian hacker group Cobalt Gypsy. Here are the key takeaways from our discussion.

Who is Mia Ash? Mia Ash was a supposed London-based photographer with social media profiles on LinkedIn and Twitter. In reality, it was a fake persona created by Cobalt Gypsy, an Iran-based hacker group that largely focuses on the oil industry. Mia Ash was the second step of a two-step attack program. Cobalt Gypsy initially tried to phish via a Word document attached to an email. When this failed, Mia Ash reached out to individual employees.

Personal phishing in a corporate environment. Using Mia Ash’s profile on LinkedIn, Cobalt Gypsy was able to find key staffers who were likely to have elevated access to company data. By targeting them specifically and initiating “harmless” conversations, the hacker group eventually was able to persuade employees to take a photography survey and open it on the corporate server. Surprise, surprise, the survey contained a Pupy RAT (Pupy is an open-source remote administration tool) … more

NEW TECH: InnoSec supplies platform to measure, manage emergent cybersecurity risks

By Byron V. Acohido

Serial entrepreneur and cybersecurity expert M. Ariel Evans is positioning her latest start-up to revolutionize the way insurance companies assess and price policies against cyber threats and how businesses protect themselves against cyber breaches.

An Israeli-American residing in Tel Aviv, Evans is now chief executive officer of InnoSec, a company that analyzes and manages risk from a cyber perspective. InnoSec’s cyber-risk management application, branded STORM, generates data to help companies manage cybersecurity risks and to allow insurance companies to measure prospective policyholders’ risk and price policies appropriately.

Related video: Cyber insurance market bridges gap between tangible, intangible assets

“There’s a huge need to be able to understand the relationship between cyber risk, cyber insurance and risk tolerance, and to quantify it in a way that organizations can understand, and allow them to have this very insightful information,” Evans says.

In the event of a major breach—such as the massive 2013 attack that cost retailer Target more than $200 million, or the recent worldwide WannaCry ransomware cryptoworm—cybersecurity insurance enables organizations to collect claims that help recover costs and remediate damage.

Huge growth potential

Although a tiny share of the $505.8 billion U.S. insurance market, the cybersecurity insurance sector is poised to go from negligible to nascent. Globally, the segment generates about $3 billion to $4 billion in premiums annually, according to global insurance company Allianz, an amount the company projects will grow to $20 billion by 2025, which would make it among the industry’s fastest-growing sectors.

As for the sector’s growth potential, in its third biannual survey of the market, the Council of Insurance Agents & Brokers found that:

• Only 29 percent of respondents’ clients had purchased any form of cyber coverage.

• But of those, 22 percent had purchased cyber insurance for the first time in the past six months.

• 40 percent had increased their coverage in the past six months.

• 70 percent had standalone policies.

While … more

GUEST ESSAY: Why neutralizing insider threats should be a much higher priority

By Thomas Jones

As we have seen in the headlines, insider threats are a constant challenge for government agencies. But the problem comes with one silver lining. Each time a successful insider threat strikes, it pushes agencies to bolster their cybersecurity programs.

The National Industrial Security Program Operating Manual (NISPOM) Change 2 is an example of just that. Released by the U.S. Department of Defense in May 2016, NISPOM Change 2 mandates federal contractors implement an insider threat program. One key requirement went into effect on May 31, mandating contractors hold insider threat employee awareness training for all cleared employees before being granted access to classified information and annually thereafter.

The requirement is a positive step in tackling the insider threat problem. The training includes a section on consequences for breaking the rules, using real world examples of insiders who have faced prison time and hefty fines, such as Pvt. Bradley Manning being convicted and sentenced to 35 years at the maximum-security U.S. Disciplinary Barracks at Fort Leavenworth.

Related infographic: How training can translate into a ‘human firewall’

It also educates employees on common behavior patterns that may indicate an insider is about to turn, such as frequent trips outside the United States or working strange hours. Finally, the training explains who to contact if an employee identifies a potential insider threat.

One drawback to the mandate is that it requires contractors to conduct training only once a year. In addition to spending 25-plus years working in the federal government, I also majored in psychology at Towson University. One lesson I learned is that if you want the human mind to retain a lot of information, it must be broken down into smaller chunks and exposed to the data frequently. Security awareness training of any kind should include 7- to 10-minute sessions that focus on specific policies violated.

Test employees’ awareness

For example, if a contract employee innocently sent private government … more

GUEST ESSAY: What you should know about how ‘unstructured data’ exposes your operations

By Erik Brown

Recent high-profile photo hacks have made headlines. In March, internet hackers targeted celebrities including Miley Cyrus, Emma Watson and Amanda Seyfried, among others, resulting in the leak of intimate photos that were posted on sites such as 4chan and Reddit. Similarly, back in 2014 hacker Ryan Collins exposed nude photos and videos of several celebrities after obtaining them from iCloud accounts.

But celebrities aren’t the only ones vulnerable to hackers. Imagine if your organization’s C-level executives had sensitive information stored in their email or documents. Hackers could obtain proprietary information, causing financial nightmares and damaging your organization’s reputation.

Related Q&A: High net worth individuals face focused attacks

Many enterprises fail to properly secure their email and documents from attacks, thinking that firewalls and traditional security solutions are sufficient. But without a security solution in place, the entire organization can be at risk if just one employee falls victim to a phishing attack. Some 91 percent of phishing hacks lead to content breaches that can snowball, causing you, your contacts, and their contacts exponential harm.

What can be done to mitigate the possibility of data breaches?

Unstructured data

Each day millions of corporate and government email users worldwide have candid conversations over email—whether between employees, supply chain partners or other external participants—sharing information that often is proprietary and mission-critical. And the volume of data in emails and documents is doubling each year.

This collaboration is crucial for today’s businesses, but maintaining privacy standards and document security can be challenging. To ensure productivity through collaboration, expedite projects and make timely decisions, employees are sharing unstructured data both inside and outside the firewall. Yet once the information is outside the firewall, it may not be protected. By establishing a secure environment that protects content inside and outside the organization, all parties can communicate freely via digital channels.

Rights management

There is an expected level of trust between you and your internal and … more