Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Videos

 

Q&A: All-powerful developers begin steering to the promise land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of Enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative conversation discussion please view the accompanying video. Here are the highlights, edited for clarity and length:

LW:  Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more

Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

By Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

Related: Memory hacking becomes a go-to tactic

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads  – undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

LW: Can you frame this new class of hacking?

NEW TECH: Cequence Security launches platform to shield apps, APIs from malicious botnets

By Byron V. Acohido

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks.

The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.

Related: The ‘Golden Age’ of cyber espionage is upon us

The nonstop intensity of these attacks is vividly illustrated by the fact that malicious bot communications now account for one-third of total Internet traffic. Cybersecurity vendors, of course, have been responding. Established web application firewall  (WAF) suppliers like Imperva, F5 and Akamai are hustling to strengthen their respective platforms. And innovation is percolating among newer entrants, like PerimeterX, Shape Security and Signal Sciences.

This week a new entrant in this field, Cequence Security, formally launched what it describes as a “game-changing” application security platform. I had the chance to sit down with CEO Larry Link to discuss what Cequence is up to, and why it believes it can help enterprises detect and mitigate bot attacks, without unduly disrupting the speed and flexibility they’d like to extract from digital-centric operations. Here are takeaways from our discussion:

The botnet problem

According to Gemalto’s Breach Level Index, 3.3 billion data records were compromised worldwide in the first half of 2018 – a 72 percent rise in the number of lost, stolen or compromised records reported in the first six months of 2017. Vulnerable online apps and services factored in as a primary target of automated botnet attacks. This activity can be seen at any moment of any day by examining the volume of malicious botnet traffic moving across the Internet.

A bot is a computing nodule with a small bit of coding that causes it to obey instructions from a command and control server.

MY TAKE: The way forward, despite overwhelming cyber threats

By Byron V. Acohido

NEW YORK CITY – Cyber Connect 2017 cybersecurity summit that just wrapped up at the beautiful Grand Hyatt located adjacent to Grand Central Station here in the Big Apple. I got the chance to be on the other side of the interview, sitting down with John Furrier and David Vellante, co-hosts of The Cube. We did it live; here’s the recorded stream.

VIDEO: Tempered Networks introduces ‘identity-based networking’

By Byron V. Acohido

Tempered Networks got its start by taking a unique approach toward locking down the industrial control systems (ICS) used at the Boeing Co.’s airplane manufacturing plants.

The problem Boeing was trying to solve at the time turns out to be much the same as the puzzle organizations of all types face today: How do you ingrain security into complex hybrid networks without completely throwing out legacy systems.

Striking that balance in the age of cloud computing and the Internet of Everything is crucial to empowering employees to securely and productively leverage modern IT systems. “Security is great, but business has to run,” says Marc Kaplan, vice president of security architecture and services at Seattle-based Tempered Networks.

ICS technologies predate the internet. So those used in manufacturing plants, utility plants and transportation systems remain a huge security challenge. The rising dominance of cloud computing and mobile devices to run modern-day networks has exposed ICS controls, in particular, to threat actors.

Boeing, for instance, found it challenging to assure security of its industrial controls while also maintaining a high pace of jetliner production. “They had to find a way to identify and separate systems from each other,” Kaplan says. The solution came in the form of an innovative protocol—called HIP, host identity protocol—developed by Ericsson and sponsored by Boeing and the U.S. Navy.

Stability and security

“Essentially, it’s an overlay, so an environment can keep running the systems it ran before,” he says. It’s an identity-based network, an architecture that “rides above” an established system, without changing fundamental system attributes.

Related article: Critical infrastructure attacks remain clear and present danger

It was an important breakthrough, since most industries are reluctant to make wholesale changes to legacy systems that are working. In today’s banking sector, for example, “these systems run very old code, and for good reason,” Kaplan says. “They’re very stable; the upgrading is a high risk.

Marc Kaplan, Tempered Networks vice … more

VIDEO: Why the NIST framework is so fundamental to network security

By Byron V. Acohido

Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) .

I recently sat down with Edric Wyatt, security analyst at CyberScout to discuss the first step any organization—of any size and in any sector—can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration, likewise, refers to the NIST framework in guidance for medical device manufactures.

NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps … more

VIDEO: Why the rising use of biometric authentication is driving states to regulate privacy

By Byron V. Acohido

Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.

As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.

Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.

I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how he or she types on, touches and even holds his or her computing device. Here are a few takeaways from our conversation:

Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also in a wide variety of digital services.

Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.

“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. … more