PODCAST: Tech advances arrive to help secure legacy industrial controls

By Byron V. Acohido

Many critical infrastructure systems, such as those that control the electric grid, oil and gas refineries, and transportation, are now getting linked to the internet. That makes them easier to manage and maintain, but also could put them in the line of fire for cyber attacks.

I recently discussed the issues involved in upgrading and protecting these critical industrial control systems with Patrick McBride, chief marketing officer at Claroty, a startup that intends to secure the operational technology networks that run companies’ infrastructure systems. A few big takeaways from our conversation:

When industrial systems were built, sometimes decades ago, no one considered the need for digital protections. “The systems were never designed, especially 10, 15, 20 years ago, with cybersecurity in mind,” McBride told me. Their primary design goals were the safety of the workers and the resilience of the systems, he said. “Security wasn’t even an afterthought. It wasn’t a thought.”

Related story: Threat of cyber attack on critical infrastructure is real, present danger

Now, a new class of tools is coming online to help monitor these legacy systems. Using behavior analysis and anomaly detection, they are designed to catch intruders early in the attack life cycle. “Monitoring technology is going to play a huge part in this environment,” McBride said.

Mishmash of systems leaves exposures

Big industrial plants are careful about what they put on their networks, but some are putting wireless and other access points on systems as time-saving techniques to gather data more efficiently.

“You’ve got a whole set of overwhelming business value from pulling data out of those plant systems and being able to provide that information back to the executive,” McBride said.

When organizations began to recognize the need for cybersecurity, some traditional IT security vendors repurposed existing technology, McBride said. That didn’t work particularly well, because in the industrial control systems, the networks speak to other kinds of protocols.

For example, … more

PODCAST: Why your browser presents a big risk

By Byron V. Acohido

While many organizations have set up defenses for malware that could come in through email, the browsers we use to access the internet might be of equal or greater risk.

I spoke with Lance Cottrell, Ntrepid’s chief scientist, about browser security—or lack of security—and what can be done to protect devices and networks. Some takeaways:

Living with insecure browsers

No one can really opt out of using the web, Cottrell says. “It’s integral to everything we do all the time. But at the same time, it is, because of its capabilities, uniquely vulnerable out of all the applications that we use.”

The real challenge is maintaining functionality and security at the same time.

“The browser itself, the actual thing that renders the pages, is always going to be insecure; it’s just too complicated to lock down,” he says. Major browsers will exhibit a couple of hundred major vulnerabilities each year.

Protective bubble

Most of the threats hitting organizations right now are getting in via the browser, Cottrell says. “It seems to be the real weak point in most of the security structures that companies are putting in place, because it is the hardest thing to protect.”

With hundreds of graphical elements and pieces coming through simultaneously, a security system monitoring a digital perimeter has milliseconds to decide whether a file is safe and whether to let it through.

Ntrepid’s Passages tool is deployed like a browser, installed on a desktop, running as a virtual machine. “It’s inside its own little bubble, and nothing can get out,” he says. If malware tries to infect or exploit the browser, it doesn’t affect your files or network.

Dealing with abundant access

Attackers are constantly innovating and coming up with new ways of building tools to bypass detection systems, Cottrell says. “It’s a complicated multifaceted problem. I think you’ll never see just one single silver bullet that will kill … more

INFOGRAPHIC: How humans can be a company’s most important firewall

By Rodika Tollefson

Lack of resources is one of the top barriers preventing small- and medium-size businesses from implementing cybersecurity training for employees. But smaller organizations have several advantages when it comes to training—and a much smaller training scope could have a bigger impact on preventing a data breach.

INFOGRAPHIC: How cybersecurity training is falling short

There’s no question that SMBs are vulnerable. Of 16,401 IT and IT security practitioners at small- and medium-size businesses surveyed by Ponemon Institute in 2016, 55 percent had experienced a cyber attack at their organization in the past 12 months. The study, sponsored by Keeper Security, also found that 50 percent had a data breach involving customer and employee information in the same period.

“SMBs are starting to realize they need to do awareness training as a standard best practice to make sure the bad guys don’t get in,” says Stu Sjouwerman, founder and CEO of security-awareness training company KnowBe4. “[Training is] a fast-growing trend.”

Growing awareness of problem

KnowBe4’s own growth supports this notion. The company, whose platform also offers simulated phishing attacks, saw 260 percent year-over-year growth in the first quarter of 2017, and similar growth in 2016. A big portion of business is coming from smaller companies.

The “human firewall,” as Sjouwerman calls it, adds a layer of security in defending against threats. Yet, despite the growing interest, businesses of all sizes are still trying to catch up, according to a recent survey from ESET, a vendor of internet security software.

Of the more than 400 individuals surveyed by ESET, 33 percent said they had not received any form of cybersecurity training at work.

“[That] is worrying because we know it only takes one person who’s a weak link in security awareness to compromise the organization,” says Stephen Cobb, senior security researcher at ESET.

Refresher courses necessary

The number is better than five years ago, when a similar ESET survey found that … more

PODCAST: Former White House CIO — companies need cyber defense strategy

By Byron V. Acohido

Theresa Payton honed her cybersecurity skills as the White House’s first female chief information officer, under President George W. Bush. Payton is now president and CEO of cybersecurity consulting company Fortalice Solutions. I had the chance to interview her at the recent Enfuse 2017 cybersecurity conference in Las Vegas.

We discussed how digital attacks have increased, what strategies embattled organizations should embrace and why über-competitive tech security vendors need to learn to share threat intelligence more readily. Here are a few top takeaways:

DIY hacking increases

When Payton was at the White House, she says cyber criminals and terrorists had to have skill and talent to break into digital systems. Now, with emerging technologies, “it’s never been easier and inexpensive to actually create mayhem.” All the old-school security problems from years past are still issues, and new ones are being added. Criminals can outsource cyber attacks, or learn how to do it on a YouTube video.

“It used to be sort of cyber criminal syndicates, and state-sponsored crime, but it was really hard for just the average evildoer to break in and do cyber criminal activities,” she says. “Now, it’s never been easier.”

Seeking new approaches

Payton says the security community needs to pay more attention to how people use cyber solutions, instead of focusing only on their creation and design. “We need to start designing for the human, vs. telling the human to conform to the technology.”

She also believes that sharing intelligence helps strengthen everyone’s defenses, something that a highly competitive industry is reluctant to do. “Some of that true actionable intelligence—‘I just got hit, and this is how they did it, and this is what I need to share with other people so they’re not victims’—that’s not happening in real time as actionable intelligence, and that’s what we have to fix,” she says.

Closing the gender gap

“We need everybody—we need male, female, we need minorities—we need … more

PODCAST: Why small- and mid-sized businesses should strongly consider using an MSSP

By Byron V. Acohido

How Armor got started stands out. Founder and CEO Chris Drake was serving as a paratrooper in the U.S. Army’s 82nd Airborne Division based out of Fort Bragg, North Carolina, when he was selected to build some of the Army’s first private and secure websites.

After his military service, Drake started a marketing and web development company focused on securing critical data and systems for commercial websites. One day a well-known poultry company came to Drake for help responding to a major security breach around the holiday season, a breach that impacted its customers at a particularly bad time.

Filling a need

Drake couldn’t find a provider that offered a level of security he felt the poultry company really needed, so he set out to develop a purpose-built secure cloud hosting platform. That technology now is at the heart of a managed security service Armor provides for some 1,200 clients in 45 countries.

I recently spoke with Wayne Reynolds, Armor’s vice president of security operations, who outlined for me how Armor’s sweet spot has turned into helping organizations add a robust layer of security to cloud infrastructure services.

Small- and medium-size businesses, in particular, are increasingly relying on network infrastructure services residing in the internet cloud—supplied as a pay-as-you-go service by the likes of Amazon, Google and Microsoft Azure.

“We take what the cloud service providers give you as a base offering, and we put it on steroids, specifically around a security play,” Reynolds says. “We will deploy anti-virus solutions for you, we will deploy file integrity monitoring, we will capture all those logs from those firewalls, or from the endpoints themselves, and analyze them and tell you what’s going on. We will also proactively go back in and try to put preventive measures in place.”

Patch was a priority

As an example of how focused Armor is on security, the vendor recognized that a Windows security … more

VIDEO: Why the rising use of biometric authentication is driving states to regulate privacy

By Byron V. Acohido

Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.

As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.

Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.

I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how he or she types on, touches and even holds his or her computing device. Here are a few takeaways from our conversation:

Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also in a wide variety of digital services.

Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.

“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. … more

PODCAST: Putting machine learning to work ferreting out data anomalies

By Byron V. Acohido

Machine learning has been a staple of our consumer-driven economy for some time now.

When you buy something on Amazon or watch something on Netflix or even pick up groceries at your local supermarket, the data generated by that transaction is invariably collected, stored, analyzed and acted upon.

Machines, no surprise, are perfectly suited to digesting mountains of data, observing our patterns of consumption, and creating profiles of our behaviors that help companies better market their goods and services to us.

Yet it’s only been in the past few years that machine learning, aka data mining, aka artificial intelligence, has been brought to bear on helping companies defend their business networks.

I spoke with Shehzad Merchant, chief technology officer at Gigamon, at the RSA 2017 cybersecurity conference. Gigamon is a Silicon Valley-based supplier of network visibility and traffic monitoring technology. A few takeaways:

Machines vs. humans. There is so much data flowing into business networks that figuring out what’s legit vs. malicious is a daunting task. This trend is unfolding even as the volume of breach attempts remains on a steadily rising curve. It turns out that cyber criminals, too, are using machine learning to boost their attacks. Think about everything arriving in the inboxes of an organization with 500 or 5,000 employees, add in all data depositories and all the business application depositories, plus all support services; that’s where attackers are probing and stealing.

Understanding legitimate behaviors. To catch up on the defensive side, companies can turn to machine learning, as well. Machines are suited to assembling detailed profiles of how employees, partners and third-party vendors normally access and use data on a daily basis. It’s not much different than how Amazon, Google and Facebook profile consumers’ online behaviors for commercial purposes. “You have to apply machine learning technologies because there is so much data to assimilate,” Merchant says.

Identifying suspicious behaviors. The flip side … more