MY TAKE: Here’s why identities are the true firewalls, especially as digital transformation unfolds

By Byron V. Acohido

Was it really that long ago that company networks were comprised of a straightforward cluster of servers, databases, applications and user devices corralled largely on premises?

Related article: Taking a ‘zero-trust’ approach to authentication

In today’s digitally transformed environment, companies must monitor and defend systems housed on-premises and in overlapping public and private clouds. And they must account for employees, partners and customers using their smartphones to log in from Timbuktu.

This presents a convoluted matrix of access paths into the company network — and an acute exposure going largely unaddressed in many organizations. Massive data breaches continue to occur because companies caught up in the swirl of digital transformation continue to unwittingly authenticate threat actors — and allow them to dive deep into mission-critical systems.

The good news is that the identity management space is chock full of strong vendors innovating at a furious pace. I sat down with Mark Foust, Chief Product Evangelist at Optimal IdM, a leading supplier of Identity Access Management (IAM) systems, to get a better sense of what’s unfolding.

We discussed the leading-edge solutions being designed to help companies make much more precise judgements about each and every user trying to access sensitive assets. For a full drill down, please listen to the accompanying podcast. Here are the key takeaways:

Fresh vectors

Here’s the rub: accelerated use of cloud services, DevOps, software containers and microservices may be giving companies amazing agility and scalability; but they’ve also created a vast new attack surface, rife with fresh attack vectors. …more

MY TAKE: How the lack of API security translates into ‘digital transformation’ security holes

By Byron V. Acohido

If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to easily access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer.

In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.

Related: Cross-site scripting threat heats up

APIs have been a cornerstone of our digital economy from the start. Without them, social media and software-as-a-service, as we’ve come to know them, wouldn’t exist. And today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.

In short, APIs have emerged and endured as the linchpin of social media, cloud services and mobile computing; and they will remain pivotal as the Internet of Things expands.

However, just like every other tech breakthrough that rose rapidly to ubiquitous use, APIs have a gaping downside: an intrinsic lack of security. I recently had a chance to discuss the vulnerable state of APIs with Tim Arvanites, co-founder and chief technology officer of AAPI, a security startup which helps companies lock down their APIs. For a drill down on our conversation, please listen to the accompanying podcast. Here are a few big-picture takeaways: …more

Companies need CASBs now more than ever — to help secure ‘digital transformation’

By Byron V. Acohido

When I first wrote about Cloud Access Security Brokers in 2015, so-called CASBs were attracting venture capital by the truckloads — and winning stunning customer testimonials.

CASBs (pronounced caz-bees) originally sought to resolve a fast rising security nightmare: Shadow IT.

Related podcast: Web gateways emerge as crucial defense layer

Striving to be productive, well-intentioned employees raced out to subscribe to cloud-enabled storage services, collaboration suites and project management tools. These hustlers were unwilling to slog through lugubrious IT onboarding processes in order to get their hands on the latest, greatest software-as-a-service tools.

But these early-adopter employees were also blissfully ignorant about how Shadow IT exposed sensitive business data in new and novel ways.

Thus, CASBs arrived on the scene to help companies monitor and manage Shadow IT. And they were so successful at it, so quickly, that six of nine CASBs got gobbled up in a spectacular feeding frenzy.

CASBs’ new role

Ever see the video of dolphins gorging on a bait ball? In about a two year span, Microsoft acquired Adallom; Oracle purchased Palerra; Proofpoint grabbed FireLayers; McAfee nabbed Skyhigh Networks; Forcepoint acquired Skyfence from Imperva, which had bought that CASB earlier; and Blue Coat Systems bought Perspecsys, just before Blue Coat itself was swallowed up by Symantec.

I recently had a chance to speak at length with Anthony James, chief marketing officer for CipherCloud, one of the three CASBs still operating as a standalone independent. The other two are Netskope and Bitglass.

…more

How ‘digital transformation’ gave birth to a new breed of criminal: ‘machine-identity thieves’

By Byron V. Acohido

There’s a new breed of identity thief at work plundering consumers and companies.

However, these fraudsters don’t really care about snatching up your credentials or mine. By now, your personal information and mine have been hacked multiple times and are readily on sale on the Dark Web. This has long been true for the vast majority of Americans.

Related article: 7 hacks signaling a coming global cyber war

The identities most sought after by cyber criminals today are those associated with machines. This is because the digital wizardry driving modern society relies heavily on machine-to-machine communications. And guess what? No one is really watching authentication and privileged access for those machines very closely.

It’s my belief that every consumer and every company will very soon come to realize that a new breed of criminal – machine-identity thieves – will soon become all-powerful, and not in a good way. Here’s why:

Fresh attack surface

If you haven’t heard, we are undergoing “digital transformation.” Digital advances are coming at us fast and furious. Consumers have become accustomed to conveniently accessing clever services delivered by a sprawling matrix of machines, and not just traditional computer servers.

The machines enabling digital transformation include virtual instances of computers created and maintained in the Internet cloud, as well as myriad instances of software “microservices” and “containers” that come and go as part of the dynamic processes that make all of this happen.

Each machine must continually communicate with countless other machines. And as the number of machines has skyrocketed, so has the volume of machine identities. From a criminal’s perspective, each machine represents an opportunity to slip into the mix and take control. And each machine identity represents a key to get in the door.

Machine-identity capers

The creation of this vast new attack surface isn’t just theoretical. It’s tangible and threat actors are on the move. “Hackers are stealing machine identities, and using them in attacks, and it’s happening more and more,” says Jeff Hudson, CEO of security supplier Venafi. …more

GUEST ESSAY: Theft of MQ-9 Reaper docs highlights need to better protect ‘high-value assets’

By Sherban Naum

The discovery of sensitive U.S. military information for sale on the Dark Web for a nominal sum, in and of itself, is unfortunate and unremarkable.

However, details of the underlying hack, ferreted out and shared by researchers of the Insikt Group, an arm of the security research firm Recorded Future, are most welcomed. They help frame wider questions, and pave the way for improved best practices.

Here is what is known thus far: Team members of the Insikt Group encountered an English-speaking hacker who jumped on a Dark Web forum to pitch the sale of MQ-9 Reaper UAV docs for $150 to $200. The hacker/salesman also had other unclassified military intelligence for sale: an M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, documentation on improvised explosive device (IED) mitigation tactics; he even claimed to have access to footage from an MQ-1 Predator drone.

The Insikt Group determined that the hacker/seller must have accessed a Netgear router with misconfigured FTP login credentials. This raises wider questions about data security best practices, not to mention about the wider contractor support community. …more

Q&A: Here’s why it has become vital for companies to deter ‘machine-identity thieves’

By Byron V. Acohido

We’re undergoing digital transformation, ladies and gentlemen. And we’re in a nascent phase where clever advances are blossoming even as unprecedented data breaches arise in parallel.

The latest example of this dichotomy comes from Timehop, a service that enables social media users to plug into their past. On Sunday, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”

Related article: How DevOps contributed to the Uber hack

Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment.

I recently had a fascinating conversation with Jeff Hudson, CEO of Venafi, about why we are currently in a situation where criminally motivated actors are proving to be every bit as innovative as legitimate businesses when it comes to leveraging cloud services, and developing breakthrough uses of mobile computing and the Internet of Things.

Venafi is a leading supplier of machine identity protection; it helps companies secure authentication and privileged access to key components of critical systems. As such, Hudson argues persuasively that the root of the matter comes down to the need for organizations to keep a much closer account of access logons and encryption keys. And they must do this, not just for human users, but especially for machine-to-machine communications.

For a drill down on our conversation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame what’s going on with identities when it comes to digital transformation? …more

MY TAKE: These 7 nation-state backed hacks have put us on the brink of a global cyber war

By Byron V. Acohido

Nation-state backed hacking collectives have been around at least as long as the Internet.

However, evidence that the ‘golden age’ of cyber espionage is upon us continues to accumulate as the first half of 2018 comes to a close.

Related podcast: Obsolescence is creeping into legacy security systems

What’s changed is that cyber spies are no longer content with digital intelligence gathering. Military operatives and intelligence units today routinely hack to knock down critical infrastructure, interfere with elections, and even to exact revenge on Hollywood studios.

Recently, one of the most powerful and notorious cyber spies on the planet, North Korean General Kim Yong Chol, stepped from obscurity into global celebrity status.

Last month President Trump invited the heretofore obscure General Kim into the White House for an impromptu state visit. For about two hours, Trump exchanged pleasantries with the man who orchestrated North Korea’s devastating hack of Sony Pictures in 2014, the aforementioned revenge caper. The tête-à-tête unfolded as Trump prepared for his summit in Singapore with General Kim’s boss, North Korean despot Kim Jong-un.

Rise of North Korea

It’s notable that, since the Sony Pictures hack, General Kim has steadily gotten more powerful and adept at the cyber spy game. Today he commands a cyber army, some 7,000 hackers and support staff strong, that has emerged as a potent and disruptive force. The Wall Street Journal recently reported that North Korea is cultivating elite hackers much like other countries train Olympic athletes.

Meanwhile, Iran-sponsored cyber operatives are making hay, as well. Trump’s decision …more