
Q&A: The troubling implications of normalizing encryption backdoors — for government use

By Byron V. Acohido

Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?

We know how Vladimir Putin, Xi Jinping and Kim Jong-un would answer: “Of course!”

Related: Nation-state hacks suggest cyber war is underway

The disturbing thing is that in North America and Europe more and more arguments are being raised in support of creating and maintaining encryption backdoors for government use. Advocates claim such access is needed to strengthen national security and hinder terrorism.

But now a contingent of technology industry leaders has begun pushing back. These technologists are in full agreement with privacy and civil rights advocates who argue that this is a terrible idea.

They assert that the risk of encryption backdoors ultimately being used by criminals, or worse than that, by a dictator to support a totalitarian regime, far outweighs any incremental security benefits. I had an invigorating discussion with Jeff Hudson, CEO of Venafi, about this at Black Hat USA 2018.

Venafi is the leading provider of machine identity protection. Machine to machine connection and communication needs to be authenticated to access systems, so this technology is where the rubber meets the road, with respect to this debate. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: What’s wrong with granting governments the ability to break encryption?

Venafi: It has been established over a long period of time that the minute you put a backdoor in, and you think it’s secure, it almost immediately will fall into the wrong hands. Because it’s there, the bad guys will get to it. This makes backdoors the worst possible things for security.

The government wants to be able to surveil network traffic, and they want backdoors so they can see everything. If they can see all the traffic all the time, they can just sit back and surveil everything. …more

MY TAKE: Poorly protected local government networks cast shadow on midterm elections

By Byron V. Acohido

In March 2018, the city of Atlanta fell victim to a ransomware attack that shut down its computer network. City agencies were unable to collect payment. Police departments had to handwrite reports. Years of data disappeared.

Related: Political propaganda escalates in U.S.

The attack also brought cybersecurity to the local level. It’s easy to think of it as a problem the federal government must address or something that enterprises deal with, but cybersecurity has to be addressed closer to home, as well.

I spoke to A.N. Ananth, CEO of EventTracker, a Netsurion company, about this at Black Hat USA 2018. His company supplies a co-managed SIEM service to mid-sized and large enterprises, including local government agencies.

EventTracker has a bird’s eye view; its unified security information and event management (SIEM) platform includes behavior analytics, threat detection and response, honeynet deception, intrusion detection and vulnerability assessment, all of which are coupled with its SOC for a co-managed solution. For a drill down on our discussion, give the accompanying podcast a listen. Here are key takeaways:

Local risks

Security of local and state government agencies takes on a higher level of urgency as we get closer to the midterm elections.

“State and local governments are not immune to the digital transformation so their dependence on IT is as high as it’s ever been,” says Ananth. “Consequently, the security of these kinds of systems has become paramount.”

If all politics are local, elections are even more so. According to the National Conference of State Legislatures, security for elections is in the hands of local election administrators, overseen by the state’s chief election official, but protection has been lacking.

During 2016, 39 states were hacked. At least one state saw an attempt to delete voter rolls; …more

MY TAKE: Here’s how diversity can strengthen cybersecurity — at many levels

By Byron V. Acohido

Of the many cybersecurity executives I’ve interviewed, Keenan Skelly’s career path may be the most distinctive. Skelly started out as a U.S. Army Explosive Ordnance Disposal (EOD) Technician. “I was on the EOD team that was actually assigned to the White House during 9/11, so I got to see our national response framework from a very high level,” she says.

Today, Skelly is Vice President of Global Partnerships and Security Evangelist at Circadence®, a distinctive security vendor in its own right.

Related: How ‘gamification’ makes training stick

Circadence got started in the 1990s as a publisher of one of the earliest massively multiplayer online games. It adapted its gaming systems to help the U.S. military carry out training exercises for real life cyber warfare. That led to a transition into what it is today: a leading supplier of immersive “gamification” training modules designed to keep cyber protection teams in government, military, and corporate entities on their toes.

I met with Skelly at Black Hat USA 2018 and we had a thoughtful discussion about a couple of prominent cybersecurity training issues: bringing diversity into AI systems and closing the cybersecurity skills gap. For a drill down, please listen to the accompanying podcast. Here are key takeaways:

Diversifying AI

Discussions are underway in the technology sector about how Artificial Intelligence could someday eliminate bias in the workplace, and thus engender a more meritocratic workplace.

“We’re starting to see Artificial Intelligence and machine learning in just about every space and every tool,” Skelly observes.

Diversity in emerging AI-infused security systems – or, more specifically, the lack of it – is a rising concern. Here’s why: The experts with the knowledge to tweak the algorithms for automated detection systems, at this moment, comprise a very narrow talent pool. The concern is that this could constrain the development of broadly effective security-focused AI.

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, …more

MY TAKE: Can Hollywood’s highly effective ‘source-code’ security tools help make IoT safe?

By Byron V. Acohido

Over the past couple of decades, some amazing advances in locking down software code have quietly unfolded in, of all places, Hollywood.

Related: HBO hack spurs cyber insurance market

Makes sense, though. Digital media and entertainment giants like Netflix, Amazon, Hulu, HBO, ESPN, Sony, and Disney are obsessive about protecting their turf. These Tinsel Town powerhouses retain armies of investigators and lawyers engaged in a never-ending war to keep piracy and subscription fraud in check.

And over the years they’ve also financed security breakthroughs – at the source-code level. These security breakthroughs have not received much mainstream attention. What they have done is prove to be wickedly effective at tracking digital assets and preserving digital rights.

I recently had the chance to meet with Mark Hearn and John O’Connor, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam that has been a leading supplier of source code tracking and fingerprinting systems for big media companies.

We met at Black Hat USA 2018, where Hearn and O’Connor came bearing a message about how these technologies, so heavily relied on by Hollywood, could play a starring role in shoring up the foundational layers of digital transformation — at the source code level.

For a drill down on our discussion please listen to the accompanying podcast. Here are the big takeaways:

Making it too expensive

Irdeto’s suite of products helps set-top box manufacturers protect high-value content; its technology also is used by live sports broadcasters to deter hackers from siphoning off pay-per-view sporting events.

Irdeto’s Cloakware technology is a key component in these technologies. …more

NEW TECH: Critical Start applies ‘zero-trust’ security model to managed security services

By Byron V. Acohido

All companies today are exposed to intense cyber-attacks. And yet the vast majority simply do not have the capability to effectively defend their networks.

That’s where managed security services providers, or MSSPs, come in. MSSPs monitor and manage cybersecurity systems as a contracted service. This can include spam filtering, malware detection, firewall upkeep, vulnerability management and more.

Related: Delivering useful intel to MSSPs

Companies are gravitating to MSSPs in a big way. The global market for managed security services is expected to rise to $48 billion by 2023, up from $24 billion in 2018, according to ReportLinker. That’s a hefty compound annual growth rate of 14 percent.

But not all MSSPs are created equal. And, in fact, it can sometimes be a challenge for a company to find a good fit with an MSSP.

Critical Start, a new MSSP on the scene, is striving to advance the traditional MSSP model. I had the chance to visit with Jordan Mauriello, Critical Start’s Chief Technology Officer, at Black Hat 2018. He told me an interesting tale about his role in helping launch Advanced Threat Analytics, the underlying technology for Critical Start’s MSSP service.

For a full drill down, please listen to the accompanying podcast. Here are the key takeaways:

Rethinking the platform

Five years ago, Mauriello was working at a large global credit bureau, managing the credit monitoring giant’s in-house Security Operations Center. He went shopping for an MSSP to come in and help to reinforce certain security functions. Try as he might, Mauriello couldn’t find precisely what he was looking for.

In 2014, Mauriello joined Critical Start, Inc., a Dallas-based value-added reseller. …more

MY TAKE: The amazing ways hackers manipulate ‘runtime’ to disguise deep network breaches

By Byron V. Acohido

There is a concept in computing, called runtime, that is so essential and occurs so ubiquitously that it has long been taken for granted.

Now cyber criminals have begun to leverage this heretofore innocuous component of computing to insinuate themselves deep inside of company networks.

Related: The coming wave of ‘microcode’ attacks

They’ve figured out how to manipulate applications while in runtime and execute powerful and stealthy attacks that bypass conventional security tools.

This is a big leap forward for elite threat actors, who have long targeted static files, storage, and executable code, either at rest on disk or in transit. What they’re doing is intricately technical. But it’s happening on an increasing basis in the Internet wild to exploit vulnerabilities, spread ransomware, steal valuable data and usurp control of industrial plants.

I asked Willy Leichter, vice president of marketing at Virsec, a supplier of data security systems, to dissect how runtime is essentially being weaponized to support advanced network compromises. We met at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast of our conversation. Here are key takeaways:

Runtime defined

Runtime refers to the period of time between opening a software program and quitting, or closing, it. During runtime, pieces of the application get loaded into the RAM (random access memory) of the computing device’s CPU (central processing unit) allowing the app to do its thing.

Runtime occurs continually in our digital world. It comes into play any time software applications get executed “on premises” in a company network and across any mobile app or cloud-delivered service. This includes when you use email, a productivity tool, a mobile app, social media, or an Internet of Things device.

Here’s the rub: threat actors have discovered how to slip benign-looking snippets of data into application servers; these snippets then get transformed into malicious code during runtime. …more

Q&A: How emulating attacks in a live environment can more pervasively protect complex networks

By Byron V. Acohido

Most large enterprises today can point to multi-millions of dollars expended over the past two decades erecting “layered defenses” to protect their digital systems.

Yet catastrophic network breaches continue apace. Turns out there’s a downside to “defense in depth.”

Related: Obsolescence creeps into legacy systems

There’s no doubt that monitoring and continually updating all parts of a multi-tiered security system is a must-do best practice. But it has also become a delicate balancing act. Tweaking one system can open fresh, unforeseen security holes in another.

Spirent Communications, an 82-year-old British supplier of network performance testing equipment, recently decided to branch into cybersecurity services by tackling this dilemma head on.

Spirent pivoted into security testing two years ago with the launch of its CyberFlood security and application performance testing platform. And at Black Hat USA 2018, the company unveiled a new CyberFlood functionality that makes it possible for an enterprise to emulate a real-world attack in a live environment.

Spirent refers to this as “data breach emulation,” something David DeSanto, Spirent’s threat research director, told me is designed to give companies a great advantage; it makes it possible to see precisely how the latest ransomware or crypto mining malware would impact a specific network, with all of its quirky complexity.

Here are excerpts of our full conversation, edited for clarity and length:

LW: How did Spirent come to pivot from network performance testing to security?

DeSanto: When you think about it, security and performance are usually hooked at the hip. For our customers it often comes down to having to make a decision, ‘Do I want the performance or do I want the security?’ . . . …more