
MY TAKE: Account hijackers follow small banks, credit unions over to mobile banking apps

By Byron V. Acohido

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons.

Related: OneSpan’s rebranding launch

Outside of the giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. financial institutions is made up of community banks and regional credit unions.

These smaller institutions, much like the giants, are hustling to expand mobile banking services. Yet, they are much less well equipped to detect and repel cyber attackers, who are relentlessly seeking out and exploiting the fresh attack vectors spinning out of expansion of mobile banking.

I had the chance at RSA 2019 to discuss this war of attrition with Will LaSala, director of security services and security evangelist at OneSpan, a Chicago-based provider of anti-fraud, e-signature and digital identity solutions to 2,000 banks worldwide. The good news is that OneSpan and other security vendors are innovating to bring machine learning, data analytics and artificial intelligence to the front lines. For a drill down on our conversation, give a listen to the accompanying podcast. Key takeaways:

Shifting risks

We’ve seen a shift in bank fraud, especially for small banks and credit unions, over the past couple of years. In the not-so-distant past, banks dealt with online and account takeover fraud, where hackers stole passwords and used phishing scams to target specific individuals.

Now this fraud has moved into the mobile space because nearly every financial institution has an app, which has changed the fraud landscape. Organizations like OneSpan now analyze bank fraud across the mobile app landscape, looking at areas like social engineering attacks, screen captures and SIM swapping, LaSala told me. …

MY TAKE: What ‘fake news’ really is: digital disinformation intended to disrupt, manipulate

By Byron V. Acohido

President Trump’s constant mislabeling of mainstream news reports he doesn’t appreciate as “fake news” has done much to muddle the accurate definition of this profound global force – and obscure the societal damage this rising phenomenon is precipitating.

Related: The scourge of ‘malvertising’

Fake news is the willful spreading of disinformation. Yes, much of political propaganda, as practiced down through the ages, fits that definition. But what’s different, as we approach the close of the second decade of the 21st century, is that it is now possible to pull the trigger on highly-targeted, globally-distributed disinformation campaigns – by leveraging behavior profiling tools and social media platforms.

Like seemingly everything else these days, this is a complex issue, and it takes effort to decipher the bottom line. Here are three things it is vital for every concerned citizen to grasp about disinformation campaigns in the digital age.

Fake news is scaling.

There are plenty of factual articles about how “fake news” influenced the 2016 U.S. presidential election. What many citizens still don’t realize is that this was just one of several major elections jarred by this potent variant of disinformation. Others include England’s Brexit vote and very recent cases in Brazil and India, where disinformation campaigns fueled some tragic outcomes.

In the 2016 US elections, Russia targeted Facebook users with incendiary ads and bogus stories, and used botnets to facilitate intelligence gathering and distribution. And human “supersharers” – mostly Republican women older than the average Twitter user – got into the act as well, tweeting stories from ideological websites at a furious daily pace, according to a study by Northeastern University in Boston.

Meanwhile, in January 2016, during the heat of the presidential contest, some 39 percent of Trump’s Twitter followers were fake. A tally by Twitter Audit showed Candidate Trump with 22.7 million Twitter followers – 16.6 million real, and 6.1 million fabricated.

Fast forward to Brazil’s presidential election last October. WhatsApp was flooded with fake news about both of the leading candidates. And in India’s national elections, which are underway right now, disinformation has stoked emotions tied to India’s conflict with Pakistan over Kashmir. …

MY TAKE: How ‘CASBs’ are evolving to close the security gaps arising from digital transformation

By Byron V. Acohido

The Cloud Access Security Broker (CASB) space is maturing to keep pace with digital transformation.

Related: CASBs needed now, more than ever

Caz-bees first took shape as a cottage industry circa 2013 to 2014 in response to a cry for help from companies reeling from new Shadow IT exposures: the risk created by early-adopter employees, quite often the CEO, insisting on using the latest smartphone and Software-as-a-Service tools without any shred of security vetting.

A wave of acquisitions absorbed a half-dozen early CASB startups. One company still actively innovating as an independent CASB is San Jose, CA-based security vendor CipherCloud. I had the chance to visit with CipherCloud CTO Sundaram Lakshmanan at RSA 2019.

We discussed how the basic notion of flowing all data coming into a company’s network — from whatever device or web app — through a cloud gateway for security scanning has become elemental. For a full drill down, give the accompanying podcast a listen. Here are the key takeaways:

Shifting role

As with almost any security solution, the bottom line for CASBs is all about protecting the data — without detracting from users’ experience, and thus eroding productivity. This is especially important within the cloud. CASBs began by closing glaring security gaps created by the rapid adoption of mobile devices and cloud tools. Quite naturally, that role is now shifting and expanding.

Now that CASBs have been around for half a decade, companies are figuring out how to utilize them to reinforce specific silos within their IT and security teams. More enterprises are rethinking their internal processes, seeking a more centralized, convenient approach to securing web apps, Lakshmanan told me.

“At the end of the day, it is about business productivity and helping users get their job done,” he said. Enterprises are starting to understand that as they pursue velocity and scale, …

NEW TECH: CloudKnox takes aim at securing identity privileges for humans — and non-humans

By Byron V. Acohido

Companies are embracing hybrid cloud deployments like never before, mixing and matching on-premises IT systems with off-premises cloud services.

Related: Machine identities present wide open attack vector

To accomplish this, they must grant and manage access privileges to human identities: remote employees, third-party suppliers and far-flung customers.

Arguably even more vital is the granting of access privileges to thousands more non-human identities – the service accounts that connect modular coding components, like the microservices, software containers and APIs that make up the stretchable fabric of cloud services.

Without this provisioning of access privileges to human and non-human identities, hybrid cloud commerce would not be possible. And yet, somehow, hybrid deployments have gained wide adoption without fully accounting for an entire new tier of identity risks.

This exposure stems from companies losing track of identities and overprovisioning privileges. CloudKnox Security, a Sunnyvale, CA-based security vendor, launched last October specifically to help companies more effectively manage human and non-human identity privileges in the brave new world of hybrid networks.

I had a chance at RSA 2019 to visit with company founder and CEO Balaji Parimi. For a drill down, give a listen to our full interview via the accompanying podcast. A few key takeaways:

Multiplying privileges

Remember the old problem of Microsoft shipping Windows server software with weak administrator passwords as the default? Take that systemic security weakness, put it on steroids, and you get a sense of the exposure lurking in identities today.

For instance, on the human side of things, Parimi informed me that there are 7,800 distinct privileges, or unique actions, granted to administrators across Amazon Web Services, Microsoft Azure, Google Cloud and VMware vSphere.

And then there are orders of magnitude more non-human identities to worry about. “With DevOps, when you check in your code, it automatically gets built and deployed into production. All of this is done with a service account, …

BEST PRACTICES: Rising complexities of provisioning identities has pushed ‘IGA’ to the fore

Identity governance and administration, or IGA, has suddenly become a front-burner matter at many enterprises.

Related: Identity governance issues in the age of digital transformation

This is, in large part, because the complexity of business networks continues to escalate at a time when compliance mandates are intensifying. I had the chance at RSA 2019 to discuss this with Mike Kiser, global strategist at SailPoint, an Austin, TX-based supplier of IGA services.

SailPoint, which went public in November 2017, has grown to more than 1,000 employees in 30 locations. Its customer base includes eight of the top 15 banks, four of the top six healthcare insurance and managed care providers, nine of the top 15 property and casualty insurance providers, five of the top 13 pharmaceutical companies, and 11 of the largest 15 federal agencies.

The identity challenges these large organizations are wrestling with can be instructive to organizations of all sizes and in all verticals – any entity that is participating in the global supply chain. For a full drill down of our conversation, give a listen to the accompanying podcast. Here are a few of the key takeaways:

Identity’s moment

Traditional concepts of putting up perimeter defenses to protect on-premises systems have gone out the window. Companies today routinely use a combination of on-premises and cloud-supplied infrastructure. Meanwhile, employees, partners, suppliers and customers are using their smartphones to gain access.

In this digitally transformed environment, maintaining perimeter defenses still has a place. Yet most breaches today can be traced back to a compromised identity, or misuse of an authorized identity. …

Q&A: How cybersecurity has become a primal battleground for AI one-upsmanship

By Byron V. Acohido

A discussion of how – and why – adversaries are using artificial intelligence to juice up malicious activities

When antivirus (AV) software first arrived in the late 1980s, the science of combating computer viruses was very straightforward.

AV kept close track of known malicious files, and then quarantined or deleted any known malware that had managed to embed itself on the protected computing device. At its core, AV still does that today.

Threat actors, of course, responded by engaging AV vendors in what has turned out to be a decades-long contest of one-upmanship. They quickened their pace of creating sprawling families of malware, putting AV vendors in an endless chase to identify and blacklist new malware variants as quickly as possible.

What began as a game of checkers quickly advanced to chess and then to 3D chess. That brings us to today, where AV vendors and malware distributors are engaged in a 3D chess match — infused by artificial intelligence, or AI.

I recently visited with Rajarshi Gupta, head of AI at Avast, who gave me a breakdown of how threat actors, today, are leveraging AI to support their malicious activities. Here are excerpts of our discussion, edited for clarity and length.

LW: Can you frame how AI has come into play dealing with adversaries?

Gupta: We’ve really pushed the frontiers of AI in the last decade in things like video, scene-understanding, natural language processing and even driverless cars. But, if you think about it, security is the only domain where we have to deal with a true adversary. It’s the only domain where someone who is very smart, and who has every economic incentive, can use the best tools available, including AI. To combat this, we need to utilize the best tools, and use them better than the dark side. That’s why we’re seeing the security industry continuously adopt more and more AI techniques to do battle with the black hats.

LW: And, conversely, AI is being increasingly leveraged by the attackers?

Gupta: Yes. There’s really nothing new in the basic cat and mouse chase that’s been taking place for 30 years. It’s just that both sides are now using AI to improve their respective games.

LW: Can you walk me through an illustration? …

MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

By Byron V. Acohido

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons.

Related: IoT botnets now available for economical DDoS blasts

In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second – swamped Spamhaus, knocking the anti-spam organization offline for extended periods.

Three years later, October 2016, a DDoS attack, dubbed Mirai, topped 600 gigabytes per second while taking aim at the website of cybersecurity journalist Brian Krebs. His blog, Krebs on Security, was knocked down alright.

The author of Mirai used a sledgehammer to kill a fly: the DDoS bombardment was so large that it also wiped out Dyn, a UK-based internet performance vendor. And since Dyn routed traffic, not just to Krebs’ blog, but also to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal, those popular websites were offline for some 12 hours, frustrating millions.

I mention these attacks now because the cyber weaponry deployed in each of them actually remains in high use today. That’s the upshot of a recent state-of-DDoS-weapons report from A10 Networks, a San Jose, CA-based supplier of advanced DDoS detection and mitigation systems.

I had the chance at RSA 2019 to discuss the wider implications with Don Shin, A10 Networks’ senior product marketing manager. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Reflective attacks

DDoS attacks aren’t going to go away anytime soon. They are easier than ever to spin up; very powerful DDoS tools and for-hire services are widely available to anyone with modest technical skills – weaponry that is still very effective.

The Spamhaus attacker, for instance, noticed that there were literally millions of domain name system (DNS) resolvers that remained wide open all over the internet. DNS resolvers were among the early building blocks of the internet: they resolve a domain name, such as spamhaus.org, to a specific IP address.

This threat actor figured out how to route requests to legitimate DNS resolvers in such a way that those servers would reflect and amplify responses to the targeted website — more than 50 times, swamping the site.

Today, the potential for so-called DNS reflective attacks has become pervasive. A10 Networks’ report found 6.3 million open DNS resolvers in position and available to be leveraged by anyone in a similar DDoS attack. …