
When Facebook founder Mark Zuckerberg infamously declared that privacy “is no longer a social norm” in 2010, he was merely parroting a corporate imperative that Google had long since established. That same year, then-Google CEO Eric Schmidt publicly admitted that Google’s privacy policy was to “get right up to the creepy line and not cross it.”

Related: Mark Zuckerberg’s intolerable business model.

We now know, of course, they weren’t kidding. Facebook’s pivotal role in the Cambridge Analytica scandal and Google getting fined $57 million last week by France’s data protection regulator for violating Europe’s GDPR are just two of myriad examples demonstrating how the American tech titans live by those credos.

But what if companies chose to respect an individual’s right to privacy, especially when he or she goes online? What if consumers could use search engines, patronize social media, peruse news and entertainment sites and use other internet-enabled services without abdicating all of their rights? What if companies stopped treating consumers as wellsprings of behavioral data – data to be voraciously mined and then sold to the highest bidder?

With Jan. 28 earmarked as Data Privacy Day —  an annual international privacy awareness campaign — these are reasonable questions to ask. These are ponderings that have been debated by captains of industry, government regulators, and consumer advocates in Europe and North America for the past decade and a half.

Privacy as good business

Cisco’s Chief Privacy Officer, Michelle Dennedy, for instance, has laid out a well-reasoned rationale for companies to respect privacy as part of their business model in a number of interviews I’ve had with her. “Our research shows a correlation between good privacy practices and good business practices,” Dennedy told me in late 2017. “More mature privacy policies and practices are good for business because they lead to trust in the brand and an improvement to the bottom line.”

At long last, we have a finely drawn roadmap for companies to follow. To coincide with Data Privacy Day, the Internet Society has released a new Privacy Code of Conduct and is calling on all companies with an internet presence to adhere to specific best practices. This is coming from an august body. The Internet Society’s founders include tech icons Vint Cerf and Bob Kahn, considered the “Fathers of the Internet,” and it has more than 95,000 members worldwide, including leading computer scientists and engineers and renowned public interest advocates.

“It shouldn’t take legislation to motivate companies to re-examine what they do with personal data,” says Christine Runnegar, Senior Director of Internet Trust at The Internet Society. “Many companies have extraordinary access to individuals’ personal data and access to that kind of information should not be taken for granted. We want companies to handle data responsibly. A Privacy Code of Conduct is a start to rebuilding trust online by putting concrete safeguards in place to protect personal information.”

Privacy Code of Conduct

You can judge the efficacy of The Internet Society’s newly minted code for yourself. Here are excerpts:

• Adopt the mantle of data stewardship. Companies should act as custodians of users’ personal data – protecting the data, not only as a business necessity, but also on behalf of the individuals themselves.

• Be accountable. Companies should be transparent about their privacy practices, adhere to their privacy policies and demonstrate that they are doing what they say. They should establish clear safeguards for handling personal data.

• Stop using user consent to excuse bad practices. Companies should not rely on user consent to justify the legitimacy of their data handling practices . . . Users should not be asked to agree to data sharing practices that are unreasonable or unfair.

• Provide user-friendly privacy information. Companies should give users ‘in time’ information about how their personal data is being collected, used and shared. The information should be relevant, straightforward, concise and easy to understand.

• Give users as much control of their privacy as possible. Users should be able to see, simply and clearly, when and how their data is being used. Companies should give users easy-to-use privacy controls and make privacy the default, not an optional extra.

• Respect the context in which personal data was shared. Companies should confine the use of personal data to the context in which it was collected. They should not allow unauthorized or unwarranted secondary uses of personal data.

• Protect ‘anonymized’ data as if it were personal data. Companies should apply basic privacy protections to ‘anonymized’ data to mitigate potential harm if the data is later re-identified or used to single out particular individuals.

• Encourage privacy researchers to highlight privacy weaknesses, risks or violations. Companies should invite independent privacy experts to audit new services and features as they are being developed. As much as possible, the results of those audits should be made publicly available.

• Set privacy standards above and beyond what the law requires. Companies should set the next generation of privacy standards. For example, they could consider how to extend privacy protections to the personal data of non-users that has been uploaded by users.
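The point about ‘anonymized’ data is the one most often underestimated in practice: stripping names does nothing if the remaining fields still match exactly one person. As an added example (not part of the Internet Society’s code or of this column), here is a small Python check that computes how many records share each combination of quasi-identifiers, runs the classic linkage attack against a named public list, and then shows what coarsening those fields buys. The health records, ZIP codes and the one-row ‘voter roll’ are constructed for illustration and do not come from any real dataset.

```python
"""
Why 'anonymized' data needs the same protection as personal data:
a k-anonymity and linkage check over a de-identified dataset.

Added example; the records, ZIP codes and the 'voter roll' below are
constructed for illustration and are not from any real dataset.
"""
from __future__ import annotations
from collections import Counter
from typing import Iterable, Sequence

def equivalence_classes(records: Iterable[dict], quasi_identifiers: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)

def k_anonymity(records: Sequence[dict], quasi_identifiers: Sequence[str]) -> int:
    """Size of the smallest group; k=1 means at least one person is uniquely identifiable."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0

def singled_out(records: Sequence[dict], quasi_identifiers: Sequence[str]) -> list[tuple]:
    """Quasi-identifier combinations that match exactly one record."""
    return [key for key, n in equivalence_classes(records, quasi_identifiers).items() if n == 1]

def link(public_records: Sequence[dict], released: Sequence[dict],
         quasi_identifiers: Sequence[str]) -> list[tuple[str, str]]:
    """Linkage attack: join a named public list to the released data on the
    quasi-identifiers and report every person who lands in a group of one."""
    classes = equivalence_classes(released, quasi_identifiers)
    hits = []
    for person in public_records:
        key = tuple(person[q] for q in quasi_identifiers)
        if classes.get(key) == 1:
            row = next(r for r in released if tuple(r[q] for q in quasi_identifiers) == key)
            hits.append((person["name"], row["diagnosis"]))
    return hits

def generalize(record: dict, zip_digits: int = 3, year_bucket: int = 10) -> dict:
    """Coarsen the quasi-identifiers so more people share each combination:
    keep only a ZIP prefix and replace the birth year with a decade range."""
    out = dict(record)
    z = record["zip"]
    out["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)
    start = record["birth_year"] - record["birth_year"] % year_bucket
    out["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return out

QI = ("zip", "birth_year", "sex")

# Constructed 'de-identified' health records: names dropped, quasi-identifiers kept.
RELEASED = [
    {"zip": "98101", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"zip": "98101", "birth_year": 1986, "sex": "F", "diagnosis": "asthma"},
    {"zip": "98102", "birth_year": 1979, "sex": "F", "diagnosis": "migraine"},
    {"zip": "98102", "birth_year": 1975, "sex": "F", "diagnosis": "flu"},
    {"zip": "98109", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "98109", "birth_year": 1981, "sex": "M", "diagnosis": "flu"},
]

# Constructed public list carrying the same quasi-identifiers plus a name.
VOTER_ROLL = [{"name": "A. Example", "zip": "98102", "birth_year": 1979, "sex": "F"}]

if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RELEASED, QI))      # 1
    print("re-identified:", link(VOTER_ROLL, RELEASED, QI))            # [('A. Example', 'migraine')]
    coarse = [generalize(r) for r in RELEASED]
    print("k after generalization:", k_anonymity(coarse, QI))          # 2
    print("re-identified:", link([generalize(v) for v in VOTER_ROLL], coarse, QI))  # []
```

Run as-is, the released table has k=1 on (zip, birth year, sex), so a single row in a voter roll is enough to learn one person’s diagnosis; after truncating ZIP codes and bucketing birth years, k rises to 2 and the same join finds nothing. Two caveats a practitioner would add: k=2 is still a weak guarantee, and generalization does not prevent attribute disclosure when everyone in a group shares the same sensitive value. Behavioral data of the kind the column describes is worse still, since with dozens of attributes almost every record is unique to begin with.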

Some sweeping changes need to be made for digital services to be as safe and trustworthy as they ought to be. Kudos to the Internet Society for articulating these notions. Let’s hope discussion leads to action.

But what do you think about a privacy code of conduct? Join the conversation with Avast on Facebook and Twitter.

Talk soon.

(This column originally appeared on  Avast Blog.)


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

Shock-immune public

2018 was no exception. The year closed out with Marriott International disclosing that attackers had been inside the guest reservation database of its Starwood hotel chain for some four years, exposing personal data for up to 500 million guests. Disclosures of huge data breaches no longer shock the public. Over the years, massive data losses have been reported by Equifax, Yahoo, Target, Anthem, Premera Blue Cross, Sony Pictures, Sony PlayStation, Home Depot, Deloitte, JPMorgan Chase, Citibank and the U.S. Office of Personnel Management, just to name a few.

Meanwhile, we learned last year that stolen data might be the least of our worries. We witnessed Facebook CEO Mark Zuckerberg apologize to Congress for letting behavioral data on 87 million Facebook users flow to British consultancy Cambridge Analytica, which used it to profile and target U.S. voters on behalf of the Trump campaign in 2016.

Speaking of America’s president, with Trump dominating mainstream news coverage, most folks took little notice of a tectonic shift of the cyber landscape. In 2018, as businesses raced to mix and match cloud-services delivered by the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in classic network security systems began to turn up. And sure enough, enterprising cybercriminals wasted no time taking advantage.

Hackers got deep into Uber’s AWS environment. They did it by obtaining the AWS access keys of an Uber software engineer, which had been committed to a GitHub repository used by Uber’s developers, and then simply logging in with them. Git is a version-control system that records every change to a codebase along with its full history; GitHub is a hosting service for Git repositories where developers share code and review each other’s changes. Anything committed there, including a configuration file with live credentials in it, travels with the repository to everyone who can read it, and stays in the history even after the file is deleted.

The wider context? Imagine the degree to which Uber uses software to tie into services hosted by Amazon, Google, Facebook and Twitter, and into the iPhone and Android app ecosystems. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be to keep Uber humming. Imagine all of the fresh attack vectors.
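The Uber incident comes down to a credential sitting in a repository, and that is a check that can be automated before code ever leaves a developer’s machine. As an added example (not Uber’s tooling, and not an official AWS or GitHub tool), here is a small pre-commit style scanner in Python. It relies on the documented AWS key formats (20-character access key IDs beginning with AKIA or ASIA, 40-character secret access keys), on a Shannon-entropy test to skip obvious placeholders, and on git’s real `git diff --cached` command. The embedded sample config is constructed, and its two keys are AWS’s published documentation placeholders rather than real credentials.

```python
"""
Catch AWS credentials before they are committed.

Added example for this column; not Uber's tooling and not an official AWS
or GitHub tool. Key formats follow AWS documentation (access key IDs are 20
characters starting with AKIA or ASIA; secret keys are 40 base64-style
characters). The sample config uses AWS's published placeholder keys.
"""
from __future__ import annotations
import math
import re
import subprocess
from collections import Counter

# Access key IDs have a fixed prefix and length, so a plain pattern is reliable.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret keys have no prefix; require a secret-looking variable name next to
# a 40-character base64-style value, then confirm with an entropy check.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?"""
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random 40-char secrets score well above 4, 'AAAA...' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(secret: str) -> str:
    """Never echo a secret back in full; keep a short prefix for triage."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(text: str, source: str = "<text>", min_entropy: float = 4.0) -> list[dict]:
    """Return one finding per credential-looking token, with line numbers
    relative to the text passed in."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:   # skip placeholders
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": mask(candidate)})
    return findings

def added_lines(diff: str) -> str:
    """Keep only the lines a diff adds (dropping the '+++' file header), so a
    pre-commit scan covers new content rather than the whole history."""
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

def scan_staged(repo: str = ".") -> list[dict]:
    """Scan what 'git commit' is about to record. Requires git on PATH."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], cwd=repo,
                          capture_output=True, text=True, check=True).stdout
    return scan_text(added_lines(diff), source="staged changes")

# Constructed sample; both keys are AWS documentation placeholders, not live keys.
SAMPLE_CONFIG = (
    "# settings.py (constructed sample)\n"
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'region = "us-east-1"\n'
    'secret_key = "' + "A" * 40 + '"  # low-entropy placeholder, should be ignored\n'
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, source="settings.py"):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
    # As a hook: raise SystemExit(1) when scan_staged() returns anything,
    # which makes 'git commit' fail until the credential is removed.
```

On the sample it reports the access key on line 2 and a masked secret on line 3, and ignores the all-‘A’ placeholder. Two caveats a practitioner would add: a scanner only stops new leaks, so a key that has already been pushed must be treated as compromised and rotated, because clones, forks and history retain it after the file is deleted; and purpose-built scanners such as gitleaks or truffleHog cover far more credential formats than the two patterns here.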

Cutting-edge malware

The direction this is heading is not good. A report from insurance underwriting giant Lloyd’s of London and risk modeling firm AIR Worldwide estimated that a three-day outage of one of the top cloud services providers would cause on the order of $15 billion in losses to the U.S. economy. Such a scenario would devastate small- and mid-sized businesses reliant on cloud services.

Meanwhile, after presumably enjoying a restful holiday, the best and brightest malicious hackers are diving into 2019 with renewed verve. A cutting-edge information stealer, dubbed Vidar, relays stolen data back to a command-and-control server, just as the botnets I wrote about in 2004 did. Vidar, however, also fingerprints the victim’s browser and computer at a granular level, and among the data it harvests are saved browser credentials and cryptocurrency wallet files, which is how it ends up stealing cryptocurrency.

There is also a class of attack aimed beneath the application layer, at the processor and the operating system themselves. The Meltdown and Spectre disclosures at the start of 2018 showed that a CPU’s own speculative execution and caches could be turned into side channels that leak data across security boundaries. And as 2019 commences, researchers have described a new variant, referred to as “page cache attacks,” in which an unprivileged process observes which file pages the operating system is holding in memory and uses that to infer what other programs on the machine are doing. One demonstrated use is to detect the exact moment a victim opens a legitimate application and pop a fake login window over it, which is what makes the technique so insidious.


“This attack class presents a significantly lower complexity barrier than previous hardware-based attacks and can easily be put into practice by threat actors, both nation-state as well as cyber gangs,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There is not much that an end user can currently do to protect themselves against this type of attack, except to not run any software from a shady source, even if it does not raise any antivirus flag.”

Shared burden

Vidar and page cache attacks are two grains of sand on the beach of 2019 cyber threats. Conjuring a full summary of cyber exposures would be daunting. Clearly, there’s no turning the clock back on our Internet-centric digital lives. It is going to be a long while before the Pandora’s box of technical and societal problems we’ve opened gets resolved.

The good news is that an unparalleled acceleration of research has commenced in next-gen network architectures, including distributed databases, advanced encryption, datafication and artificial intelligence. What’s more, key industry standards-setting bodies and government regulators are well aware of what’s at stake. And they’ve begun a plodding march toward consensus standards and protocols.

But it will take some years to sort this all out. For the foreseeable future, the burden lies on each individual – each consumer, each employee, each company owner, each senior exec, each board director — to stay informed and to practice wise security and privacy habits.

I’ll do my part to keep the discussion going. Talk soon.


(This column originally appeared on  Avast Blog.)


Assuring the privacy and security of sensitive data, and then actually monetizing that data ethically and efficiently, has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders, John Blamire, chief operating officer, and Danny Waite, chief technology officer, for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy approaches to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract actionable threat intelligence from the legacy SIEM systems that have anchored network defenses at many enterprises for the past decade and a half.

Over the past few years, the effectiveness of SIEMs has lagged behind the rising complexity of business networks. In short, due to the rise of DX, enterprises today find themselves scrambling to deal with a glaring shortage of experienced security analysts needed to make sense of data pouring into a typical SIEM from dozens of security products, such as firewalls, endpoint protection and threat hunting systems.


Waite kept hitting brick walls, until inspiration hit him to try blending the core attributes of two leading-edge trends: serverless computing and GitOps. Think of serverless computing as yet another, nuanced iteration of cloud services. It lets developers build and run application code without provisioning or maintaining the servers it runs on; the cloud provider allocates compute on demand and bills per invocation, so there is no standing infrastructure to pay for or to patch.

GitOps, in turn, is a way of running systems in which the desired state of the infrastructure and the application is kept as declarative configuration in a Git repository. Changes are proposed and reviewed as commits, and automation reconciles the live environment to whatever the repository says. That gives developers and operations staff one reviewed, audited history of every change, instead of a separately managed console or dashboard that adds complexity and slows development.

Catering to personas

Without getting any deeper into the technical weeds, my understanding of Furnace is that it is a new type of cloud-based software development platform that leverages the best attributes of both serverless computing and GitOps. It does this in a way that should be irresistible for company software developers, and their compatriots on the operations side of the house, to try out.

Once Furnace begins to achieve some grassroots traction in DevOps, security analysts will presumably be incentivized to jump on board, too. These security experts are currently burdened with endless management tasks spinning out of SIEMs; they, too, would start using Furnace to do things such as improve their detection logic and threat models. Here’s how Waite puts it:

“We’ve created a set of constructs that come together for those three personas, the dev guys, the ops guys and the security guys to use to build applications that can ingest large amounts of data, process it, enrich it, store it and then, most importantly, act upon it. So in a very lightweight, efficient and effective manner, they are able to tap into all of the benefits of serverless computing and GitOps.

“We talk about Furnace as a platform, but it’s also a framework, in which developers, or anybody who wants to, can add intelligence to the platform. The formats, templates and guidelines are fully open, by default, and we’ve set them so that anyone can actually add functionality.

“Furnace is also language agnostic, so the framework gets out of the way. We’re not trying to stipulate that a developer or a security guy has to write things in a certain way. It doesn’t ask people to set up huge environments; it doesn’t ask people to learn loads of different DevOps constructs.

“You create a template application in seconds and start building your own modules. You’re able to start creating value within your data, literally within minutes, and that is the bold step-change that we’re talking about.”

Wider horizons

As Furnace achieves credibility at the grassroots level, its capacity to foster software development flexibility and innovation much more quickly and cheaply than current approaches will rise to the fore, John Blamire added. He says this will help to assuage skepticism on the part of company officials who control the purse strings, and who are quite naturally averse to steering away from the huge investments they’ve made over the past decade in SIEM-centric defenses.

Says Blamire: “Imagine one day in walks one of your development guys who’s heard of this thing called Furnace, and he goes over to the Ops manager and says, ‘I’ve just found this thing, it costs nothing to run, it’s cloud enabled, there’s a whole bunch of applications we can plug into it, very quickly, and we can run this in parallel with our current tool.’


“And then the Ops manager turns around and says, ‘Well that’s all well and good, but how much is this thing going to cost me to provision and to build up the infrastructure around it?’ And the dev guy goes, ‘Nothing. It’s serverless, it’s language agnostic, so we can use our native coding skills, and we can actually reduce the infrastructure required to do this.’ ”

While the idea for Furnace comes from a security perspective, and early adopters are expected to come from the SIEM community, Blamire envisions much wider horizons. He believes Furnace could conceivably help unclog complexity choke-points that today hinder the development of any type of software designed to extract value from large data streams.

Related: Uber hack illustrates ripe DevOps attack vectors

“Ultimately, you may be looking at data streams from a security point of view, but you may also want to look at facility management – at all the devices in a highly connected building. Or you may also want to better understand the organic components of your business, such as the flow of people in and out of your facility,” Blamire says. “Furnace provides a way to bring in all of this data, from some of the same sources, not just for security, but for use in a number of different ways . . . Suddenly, you can get all of the benefits of serverless computing, straight away.”

Can Furnace truly streamline the convoluted steps companies today must take to make datafication pay off? We’ll see. It would be a good thing if it can achieve most of what its founders envision. In concept, Furnace fits hand-in-glove with the broader notion of baking security deep inside of the coming generation of smart apps. And that’s a good thing, indeed.



The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The law lets Australian police and intelligence agencies require “designated communications providers,” a category broad enough to take in VPN providers and messaging apps, to hand over user data and to provide technical assistance, up to building new capabilities that let the agencies read communications the provider itself encrypts. The text says providers cannot be made to introduce a “systemic weakness” into their products, but critics, including the companies that would have to comply, argue that any capability built to read one user’s encrypted messages weakens the system for everyone.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be judge, jury and executioner in a digital world that shelters our personal lives and secrets, all the things we’d like to keep hidden from others. You know, that revolutionary idea called “privacy.” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data.


Any company unwilling to comply with this decision will be fined regardless of their motives. The penalty can go up to AU$10 million or US$7.3 million. Moreover, any individual who refuses to hand over data suspected to be linked to criminal activities can even face jail time.

While the Australian government has stated that this law is needed to fight against terrorism and organized crime, security experts believe that this will lead to even more cyber-attacks and a steady rise in cyber-crime, with good reasons as well.

This shakes the very foundations upon which Internet security, VPNs and end-to-end encryption are built. It’s a giant leap backward in terms of privacy and anonymity, but also in terms of countering cyber-crime.

Joshua Lund, one of the developers of Signal, an end-to-end encrypted messaging app, has said that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.”

Australia has now become the first Western nation to legislate compelled access to encrypted communications. You can’t help but think of Saudi Arabia or China, countries where cyber-crime reaches alarming rates and the abuse of citizens’ privacy rights has been legal for some time.

I believe this to be a pivotal moment that will decide the future of digital communications, and also of privacy and anonymity. If this decision isn’t met with enough resistance, then the other countries in the Five Eyes Alliance might follow as well.

There was a time when privacy was considered to be sacred. To overcome this concept, Australia has chosen to redefine the boundaries of privacy.  An ingenious sleight of hand that fools no one.

About the essayist: Bogdan Patru – analyst at VPNTeacher, a site dedicated to providing unbiased cyber security and data privacy information and support.


We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems.

This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities before the Grand Chamber of the European Court of Human Rights.

Related: Snowden on unrestrained surveillance

“The surveillance regime the UK government has built seriously undermines our freedom,” Megan Golding, a lawyer speaking for privacy advocates, stated. “Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s right to privacy and can never be lawful.”

That development followed bold remarks made by none other than Microsoft CEO Satya Nadella just a few weeks earlier at the World Economic Forum in Davos, Switzerland.

Nadella expressed deep concern about facial recognition, or FR, being used for intrusive surveillance and said he welcomed any regulation that helps the marketplace “not be a race to the bottom.”

Ubiquitous surveillance

You may not have noticed, but there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems over the past couple of years. Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.

Last November,  SureID, a fingerprint services vendor based in Portland, Ore., announced a partnership with Robbie.AI, a Boston-based developer of a facial recognition system designed to be widely deployed on low-end cameras.

The partners aim to combine fingerprint and facial data to more effectively authenticate employees in workplace settings. And their grander vision is to help establish a nationwide biometric database in which a hybrid facial ID/fingerprint can be used for things such as fraud-proofing retail transactions, or, say, taking a self-driving vehicle for a spin.

However, the push back by European privacy advocates and Nadella’s call for regulation highlight the privacy and civil liberties conundrums that advanced surveillance technologies pose. It’s a healthy thing that a captain of industry can see this. These are weighty issues over which we waged two World Wars last century.

Always-on sensors have become ubiquitous to the point of being largely unnoticed in this century. But advanced FR systems introduce a critical nuance. Here’s how Jay Stanley, senior policy analyst for the American Civil Liberties Union, described it for me:

“Right now everybody knows that when you walk down the street you’re recorded by a lot of video cameras, and that the video will just sit on some hard drive somewhere and nothing really happens to it unless something dramatic goes down. The ultimate concern with this technology is that we’ll end up in a surveillance society where your I.D. is your face, and everybody is checking on you at every moment, monitoring you.”

It’s now commonplace for high-resolution video cams to feed endless streams of image data into increasingly intelligent data mining software. Along with this comes the rising potential for abuse of the technology. “We’re talking about an enormously powerful surveillance capability that no government has ever had in the history of humanity,” Stanley says.

These privacy and civil liberties questions need to be resolved for the greater good, to set a baseline for ethically tapping the benefits of this advanced technology.

Advanced use cases

Some of the most interesting advances are unfolding in the area of identifying individuals acting naturally in front of a surveillance camera. Robbie.AI, for instance, is honing a system tuned to recognize human emotion.

“Your face provides strong biometric cues, even if you dye your hair,” says Karen Marquez, Robbie.AI’s chief executive officer. “Iris and retina are somewhat intrusive alternatives, as you need to place yourself close to the sensors, and that’s not natural.”

Another example comes from Seattle-based tech company RealNetworks, where Mike Vance, senior director of product management, has received dozens of recent queries from K-12 schools across the nation seeking to participate in RealNetworks’ Secure, Accurate Facial Recognition (SAFR) program.

SAFR was rolled out with little fanfare at two Seattle pilot schools in early 2017. It combines commodity video surveillance cameras and PCs with facial recognition software supplied by RealNetworks. The system instantly recognizes teachers, administrators and parents. It opens security doors for them and alerts security officers whenever a surveillance camera catches sight of an unauthorized adult on school property.

“The level of accuracy that we, and others, have been able to achieve far surpasses what was possible three years ago,” says Vance. “We can now tell you whether or not somebody who’s in front of a camera is who they’re asserting to be. We can find them out of millions of people in a database in a fraction of a second.”

Robbie.AI and RealNetworks are by no means alone in pushing facial ID systems into the commercial market. Google, Apple, Facebook and Microsoft have poured vast resources into theoretical research in the related fields of artificial intelligence, image recognition and face analysis. And the tech giants have openly shared key findings intending to accelerate the entire field.

Next-gen FR

The first generation of facial recognition systems actually has been in wide use for years at airports and border crossings, used primarily by border control officers and law enforcement agencies to catch criminals and deter terrorists. Their use for security access in other public settings, such as schools and workplaces, appears to be part of a natural progression.

RealNetworks’ system, for instance, derives from the streaming technology it pioneered for media players in the 1990s, combined with images amassed via its free RealTimes app, which lets users build photo slideshows. Customers’ photos and videos were used, with their permission, to train RealNetworks’ facial recognition engine, which maps 1,600 data points for each face.

SAFR is tuned to identify people walking past a video cam who aren’t looking squarely at the lens. It can delineate a variety of skin tones and distinguish nuances based on gender, age and geography.

“The algorithm that we’ve developed really relates back to our expertise from the 1990s of being able to scan video,” Vance explains. “We were able to operate in extreme conditions back then, with not a lot of bandwidth to work with . . . we developed technologies to pick the right image out of a stream of video to compare against a database.”

It is becoming much clearer how facial ID systems hold the potential to be used much more routinely in secure access and law enforcement scenarios. And as public acceptance spreads, biometric innovations, pivoting off of facial IDs, are likely to be utilized in retailing, public transportation and even healthcare, to do things like support a patient’s pain management routine and even detect genetic diseases.

The partnering of SureID and Robbie.AI embodies the path many experts believe lies ahead for commercial uses of the coming generation of facial recognition technologies. By integrating Robbie.AI’s leading-edge facial ID technology with SureID’s network of fingerprinting kiosks, now used to authenticate employees, the partners are taking aim at a sky high goal, Marquez says.

They hope to supply the building blocks for a nationwide biometrics gathering system — one that can be widely shared to support broad consumer-focused initiatives, much as the tech giants shared results of their theoretical studies.

“This partnership can be a huge first step in developing holistic human biometric solutions that can protect us all against spoofing, impersonation, fraud and cybercrime,” she says. “This includes everything from replacing logins, passwords and registration codes to responding to customer issues the moment they occur.”

Secure credentialing

Marquez envisions a hybrid facial ID/fingerprinting system capable of alerting victims, in real time, as they are being targeted online by fraudsters. Other obvious use cases would be to provide real-time authentication to access autonomous vehicles or to control IoT devices in a smart home.

“Facial recognition and fingerprinting technologies have been around for years and if used correctly they are more secure than any written credential,” she says.

With wider commercial use comes the potential for those in power to abuse the technology. And privacy advocates need to look no further than China to see the slippery slope unfolding.

China’s President Xi Jinping has been moving aggressively to possess moment-to-moment surveillance and assessment capability over Chinese citizens. China has rolled out a national surveillance network comprised of 200 million cameras, roughly four times the number in the U.S., and plans to have 300 million cameras in place by 2020, according to the New York Times.

China says it is using this surveillance net to track down criminals and scofflaws, including jaywalkers, whose punishment is to have their faces displayed on giant outdoor digital screens alongside lists of names of people who don’t pay their bills.

Marquez, the Robbie.AI chief executive, agrees that well-defined limits are in order. “Companies must lead the process by being transparent,” she says. “Facial recognition by itself can be a major advancement in data analysis and consumer protection in so many areas. Understanding the benefits and defining a framework for respecting civil rights is essential.”

(Editor’s note: Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.)


Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, LinkedIn, Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches end up?

This data gets collected and circulated in databases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained username and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that they would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords.

“This leak creates risks mainly for customers who re-used passwords across multiple accounts,” observes Dr. Steven Murdoch, principal research fellow at University College London’s Department of Computer Science. “Companies should monitor news of password leaks, like this one, and deactivate passwords of their customers who have re-used a password from another account which was breached.”

Murdoch also advises organizations to “implement additional controls on top of passwords, such as detection of suspicious behavior. Two-factor authentication, or even better, FIDO/U2F.”
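The two controls Murdoch describes, behavioral detection of stuffing traffic and retiring passwords known to be in a leak, as an added example that is not code from the article or from any company quoted in it. The log lines, IP addresses and breach corpus are constructed for the demo; the prefix-indexed lookup mirrors the k-anonymity range-query pattern rather than any particular vendor’s API.

```python
"""Defensive checks against credential stuffing and re-used breached passwords.

Added example, not code from the article or any company quoted in it. It shows
the two controls Dr. Murdoch recommends: behavioural detection of stuffing in
login logs, and checking passwords against a breach corpus so accounts with a
re-used leaked password can be reset. Every log line, IP address and corpus
entry below is constructed for the demo.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed login events: "<ISO timestamp> <client IP> <username> <outcome>".
# 203.0.113.7 sprays one guess each across many accounts (stuffing pattern);
# 198.51.100.9 hammers a single account (brute force, a different signal).
SAMPLE_LOG = """\
2019-01-20T10:00:01 203.0.113.7 alice FAIL
2019-01-20T10:00:02 203.0.113.7 bob FAIL
2019-01-20T10:00:02 203.0.113.7 carol FAIL
2019-01-20T10:00:03 203.0.113.7 dave FAIL
2019-01-20T10:00:03 203.0.113.7 erin OK
2019-01-20T10:00:04 203.0.113.7 frank FAIL
2019-01-20T10:00:05 203.0.113.7 grace FAIL
2019-01-20T10:05:00 198.51.100.9 alice FAIL
2019-01-20T10:05:30 198.51.100.9 alice FAIL
2019-01-20T10:06:00 198.51.100.9 alice OK
"""

def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that tried `min_distinct_users` or more different
    accounts inside any `window_seconds` sliding window. Stuffing is "many
    accounts, one guess each", so the signal is distinct usernames per
    source, not the raw failure count. Returns {ip: sorted usernames tried}."""
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts a flagged IP logged into successfully: a stuffed pair matched,
    so these users must be forced to reset their password."""
    return {user for _, ip, user, outcome in events
            if ip in flagged and outcome == "OK"}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_prefix_index(breached_hashes):
    """Index SHA-1 hashes by their first five hex chars. A client then only has
    to reveal that 5-char prefix to ask "is my hash in here?" (the k-anonymity
    range-query pattern), never the password or the full hash."""
    index = defaultdict(set)
    for h in breached_hashes:
        index[h[:5]].add(h[5:])
    return index

# Constructed breach corpus: hashes of a few notoriously common passwords.
PREFIX_INDEX = build_prefix_index(
    sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein"))

def check_password(password, index=PREFIX_INDEX):
    """True if the password is in the breach corpus and must not be accepted."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = detect_stuffing(evts)
    print("stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(evts, hits))
    print("'password' breached?", check_password("password"))
```

Note that the single-account brute force from the second IP is deliberately not flagged: it needs a different rule (failures per account), which is why stuffing detection keys on distinct usernames per source.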

Third-party risks

For small businesses that make a living as third-party suppliers of services and goods to larger first-party organizations, managing authentication is of the utmost importance, and a stolen credential can be very damaging, says Tom Garrubba, senior director at Shared Assessments, a Santa Fe, NM-based intel-sharing and training consortium focused on third-party risks.

“We don’t know all of the sources of these breached records, the importance of a healthy third-party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever,” Garrubba says.

Given the ocean of account logon credentials in circulation, Garrubba observes that it is vital for companies to fully understand, and continuously monitor, the risk postures of all suppliers and partners, which means the third-party suppliers need to make this a high priority, as well.

“This will ensure that both outsourcers, and their full network of service providers and other third parties with whom they share data, are all fulfilling their security and privacy expectations laid out in their contracts,” Garrubba says.

Path of least resistance

Wider, more consistent use of multi-factor authentication by first-party and third-party entities also has become a vital best practice, says Frederik Mennes, a senior security strategist at OneSpan, a Chicago-based supplier of authentication technology to 2,000 banks worldwide.

“Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance,” Mennes says. “Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.”

One of the best things small companies can do is require all of their employees to use a password manager, which significantly reduces your exposure to criminal specialists tapping into the ocean of stolen credentials to orchestrate credential stuffing campaigns, aimed at exploiting vulnerable supply chains.

We all need to reduce our digital footprints to make ourselves – and the organizations we work for – less of a target.

“Some believe that many of the records within this breach may be outdated and basically worthless; but one man’s trash is another man’s treasure,” says Franklyn Jones, chief marketing officer at Cequence Security. “So some bad actor will likely acquire these credentials for pocket change, then launch a bot attack on other target sites to see what they can achieve. And just like an episode of The Detectorists, they will likely come away with something of value.”

(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)


A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the 69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data.

“Damage control depends on the privilege level of the employee’s user account,” Pendergraft says. “Right now, it’s highly common to find that regular users have Administrative rights on their PCs. This allows email viruses that are opened to run with Administrative privilege – allowing them to become highly aggressive and to infect hundreds of other PCs and to even spread outside the organization.”

Pendergraft points out that a “least privilege access model” (LPAM) can recognize that not all users need full administrative access on their work computers. “In fact, most don’t need it at all,” he says. “In the case of ransomware and many other types of malware, the more access a compromised user has, the greater the damage.”

Technology and guidance for achieving LPAM is readily available to most organizations. “Maybe Lloyd’s findings will wake companies up to this,” Pendergraft says. “Right now, too many companies give users Administrative level permissions on their PCs – which is the digital equivalent of storing large quantities of gasoline in your family home. It’s just asking for trouble.”

(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)


Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor.

Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after their customers’ records turned up on a database of some 24 million financial and banking documents found parked on an Internet-accessible server — without so much as password protection. The culprit: lax practices of a third-party data and analytics contractor.

Related: Atrium Health breach highlights third-party risks

One might assume top-tier financial services firms and healthcare vendors would have solved third-party cyber exposures by now. But the truth of the matter is, companies of all sizes and in all sectors remain acutely vulnerable to attack vectors laid open by third-party contractors. And this continues to include enterprises that have poured a king’s ransom into hardening their first-party security posture.

What’s happening is that supply chains are becoming more intricate and far-flung the deeper we move into digital transformation and the Internet of Things. And opportunistic threat actors are proving adept as ever at sniffing out the weak-link third parties in any digital ecosystem.

Mike Jordan, senior director of the Shared Assessments Program, a Santa Fe, NM-based intel-sharing and training consortium focused on third-party risks, points out that at least one of the banks that had data exposed in this latest huge data leak wasn’t even a customer of the allegedly culpable contractor.

“Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other,” Jordan told Last Watchdog. “Individuals can even be affected by parties with whom they have no explicit relationships, such as credit bureaus and data brokers.”

Uphill battle

Third-party cyber risks are likely to persist at the current scale for a while longer. According to a recent Ponemon Institute study, some 59% of companies experienced a third-party data breach in 2018, yet only 16% believe they are effectively mitigating third-party risk. There is impetus for change – beyond the fear of sustaining a major data breach. New York state’s Cybersecurity Requirements for Financial Services Companies, which took effect last March, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

And the comprehensive set of data-handling rules that Europe rolled out last year also calls out the need to address third-party risk. These include the new framework for commercial data exchange between the United States and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

However, even in the face of intensifying compliance requirements, large enterprises face an uphill battle trying to compel third-party contractors sprawled across overlapping supply chains to embrace secure data-handling best practices.

I was cognizant of these complexities when I sat down with Mike Jordan to learn more about the member-driven Shared Assessments Program, which finds itself in a unique position to help stem the tide of rising third-party cyber risks – and one day, perhaps, even help to reverse it.

Shared Assessments was created in 2005 by five big banks and the Big Four accounting/consulting firms as a forum for deriving a standardized way to assess the risks of partnering with one another. The founding participants developed assessment regimes and tools, all having to do with measuring and assessing, essentially, third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate.

The program grew over the years into what it is today, a collaborative consortium of professionals from the banking, investing, insurance, healthcare, retail and telecom industries as well as academics and GRC (governance, risk management and compliance) specialists. Shared Assessments equips its members to lead their organizations – and their organizations’ partners — in mitigating third-party IT security risks in several ways.

Advancing best practices

Members gain access to third-party IT security risk management best practices via case studies, surveys, whitepapers, webinars, meetings and conferences. And they can partake of comprehensive training programs that provide certification in third party IT security risk management.

Jordan told me the goal is to “get everybody together and advance the practice of third-party risk management. The focus is on understanding what is needed for effective third-party risk management, identifying it quickly, and coming up with solutions from the membership.”

The consortium recently issued its 2019 Shared Assessments Third Party Risk Management Toolkit – an extensive set of tools and guides designed to serve as a roadmap to manage the full vendor assessment relationship life cycle.

The beauty of this toolkit is that it is informed by consortium members worldwide. This intelligence ecosystem, if you will, provides tips and tools to guide risk management practitioners at all phases, from program planning, to building and capturing assessments, to benchmarking and ongoing program evaluation.

Take, for instance, the Vendor Risk Management Maturity Model, or VRMMM. This tool set is designed to evaluate third party risk assessment programs against a comprehensive set of best practices. It translates into an effective, consistent way to understand the major building blocks of any vendor risk management program.

Broken into eight categories, VRMMM covers more than 200 program elements that, in effect, form the basis of a well-run third-party risk management program. And perhaps the very best thing about it is that it’s a free tool any company can use.

Another initiative of note is the Standardized Information Gathering (SIG) Questionnaire Tools.

The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency and data security risks. It helps outsourcers gather “trust” components on third parties, in the form of succinct, scoped initial assessment information on a third party’s controls.

Model sharing

There’s no question that third-party risks at this moment present a vexing, potentially catastrophic exposure to any organization plugged into Internet-centric supply chains. That said, the work Shared Assessments has been doing gets down to the devil in the details. One benefit of benchmarking is the ability to track progress using a consistent index over an extended period of time.

Shared Assessments is putting the final touches on its fifth annual Vendor Risk Management Benchmark Study, based on real-world data generated by its members in 2018; findings are expected to be ready in a few weeks. Last year’s study, which looked at 2017 data, showed steady, incremental year-over-year gains, painting an overall encouraging picture.

Maturity levels in eight different vendor risk management categories contained in the VRMMM either held steady in 2017, or increased modestly, compared to 2016. That included five of eight categories improving in average maturity on a year-over-year basis. And numerous vendor risk activities within two categories – “vendor risk identification and analysis” and “skills and expertise” – posted major improvements.

The study also found that the engagement of board members with cybersecurity risks also increased in meaningful ways, though board members’ engagement with those same risks continued to lag behind cybersecurity awareness inside the organizations.

In today’s ultra-competitive business environment, what Shared Assessments is doing should be considered a model for how to share valuable knowledge for the greater good. Clearly the wide sharing of proven best practices and real-time threat intelligence must become much more commonplace.

When it comes to third-party risks, Shared Assessments is demonstrating how it can make a measurable difference deterring both malicious threat actors and well-intentioned employees who inadvertently create exposures. Jordan put it well: “Our tools are basically just a very practical application of the thought leadership that takes place within the membership organization.”

(Editor’s note: LW has supplied consulting services to Shared Assessments.)


Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Related: Why we’re in the ‘Golden Age’ of cyber espionage

The fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion in 2018, up from $102 billion in 2017, an increase of 12.4 percent, according to tech consultancy Gartner. Through the course of this year, Gartner forecasts that the infosec market will climb 9 percent to $124 billion.

Yet, technology alone isn’t all that’s required. There is a distinct burden for each person using Internet services to help dampen cyber threats that are as diverse as they are dynamic. This includes consumers, employees, company owners, managers, senior executives and board members. Each of us has a responsibility to embrace best privacy and security practices. Here are three fundamentals to get you, and others over whom you have influence, on the right path:

Use antivirus

Antivirus software, also known as antimalware, has come a long, long way since it was born in the late 1980s to combat then-nascent computer viruses during a time when a minority of families had a home computer. With each major advance of digital commerce – from the rise of e-tailing to cloud and mobile computing and now onto the Internet of Things – the cyber threats have morphed and the leading antivirus vendors have adjusted.

Traditional signature-based detection generally remains a core component of modern AV suites. But over the years the leading vendors have added behavioral and heuristic detection, sandbox isolation of suspicious code and real-time scanning for, and removal of, recent infections.

There is no good reason to get online without this fundamental level of device protection; it needs to be enabled and updated on PCs, laptops and smartphones. Selecting the AV suite that best fits your needs does take a modicum of research. But helpful reviews are plentiful, and the level of research required should take you no more than a couple of hours. The peace of mind, and actual protection you get, is worth it.

Use a password manager

It’s clear that we will continue to be reliant on usernames and passwords to access online services for some time to come. This means using strong passwords — and changing them frequently — will remain a vital best security practice.

The good news is that there is a robust tool – called a password manager – that significantly reduces your exposure to a class of criminal specialists who pose a tangible threat to every Internet user: credential stuffers.

Credential stuffing campaigns have become part of the fabric of the Internet. The perpetrators deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that they would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords.

An all too common practice is for people to fall back on a few easy-to-remember passwords and use them everywhere they go online. This is one of the big reasons credential stuffers thrive.

A good password manager ensures all of the passwords you rely on are strong and unique, and makes it easy and very secure for you to use them and even share them.

Password managers have advanced quite a bit in ease of use and functionality in the past couple of years, and there are literally dozens of them to choose from. Everyone should be using one. Again, you’ll have to do some research to find the tool you prefer.

Secure your phone

Nearly 80 percent of Americans use smartphones, those fist-sized, powerful computing devices that dictate social and work lives. Yet, I’d argue that the majority of smartphone users do not fully appreciate the level of access to personal accounts, contacts, email and work systems enabled by our phones.

However, those with malicious intent certainly do. Cyber criminals are increasingly targeting the valuable personal information and account access stored on your phone. And let’s not forget human thieves, those who target your device for pilfering, or who find one you left on the seat of your mass transit or shared ride.

So lock your phone. At the very least, use a 4-digit PIN. This will keep thieves from easily accessing your contacts and apps. And patronize only the official app store. Google and Apple have invested a lot into securing their respective app stores. Apps from other sources can carry malware or spyware.

Finally, never forget that your phone’s connection can be accessed by parties that don’t have your best interest in mind. So shut off Bluetooth and Wi-Fi when you’re not using them. And be on the lookout for email and text messages that appear to be a phishing ruse.

Yes, adopting better security habits requires giving up some convenience. But that’s the world we live in. For now, it’s a personal responsibility each person ought to take.

(Editor’s note: Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.)


One profound consequence of Donald Trump’s shutdown of the federal government, now in day 33, is what a boon it is to US cyber adversaries. And moving forward, the long run ramifications are likely to be dire, indeed.

Related: Welcome to the ‘golden age’ of cyber espionage

With skeleton IT crews manning government networks, America’s adversaries — China, Russia, North Korea, Iran and others in Eastern Europe and the Middle East — have seized the opportunity to dramatically step up both development and deployment of sophisticated cyberweapons targeting federal systems, says Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns.

For a full drill down on the stunning intelligence Samide shared with Last Watchdog, please listen to the accompanying podcast. In a nutshell, Trump’s government shutdown has lit a fire under nation-state backed cyber spies to accelerate the development and deployment of high-end cyberweapons designed to be slipped deep inside of hacked networks and stealthily exfiltrate sensitive data and/or remain at the ready to cripple control systems.

This spike in activity has been very methodical, Samide told Last Watchdog. Operatives are stepping up probes of vulnerable access points on the assumption that no one is guarding the playground, Samide says. At the same time, they are also accelerating development of the latest iterations of weaponry of the class of EternalBlue, the NSA’s top-shelf cyberweapon that was stolen, leaked and subsequently used to launch the highly invasive WannaCry and NotPetya worms.

The longer the Trump government shutdown continues, the more time US cyber adversaries will have to design and deploy heavily cloaked malware — and embed this digital weaponry far and wide in federal business networks and in critical infrastructure systems, Samide says.

What’s more, the longer the government closure continues, the more likely it is that key IT staffers with cybersecurity experience will choose to move to the private sector, where there is an acute skills shortage. Last Watchdog invited Greg Touhill, President of Cyxtera Federal, and Bryson Bort, CEO of SCYTHE and Fellow at the National Security Institute, to join Samide in a roundtable discussion of the cybersecurity ramifications of the government shutdown. Here are excerpts of their observations edited for clarity and length:

Jeremy Samide, CEO of Stealthcare

“We are starting to see a significant increase in counter intelligence surveillance and reconnaissance efforts by primarily state-sponsored organizations. It’s an opportunity to test the tolerance, and make digital inquiries into these systems to see how far they can get because the reaction time is slower.

The agencies that are of interest would be some of your more logical agencies that are holding either national security information, or other personally identifiable information. But, really, anything is on the table for state sponsored activities. What we’re seeing is more commercial-grade, state-sponsored-grade malware being developed whose purpose is to be surreptitiously dropped into a system to exfiltrate data. We’re seeing more of that type of malware being developed — and being deployed.

The long-term effects are going to be serious. There’s going to be some attrition of government employees not coming back in key positions because they’ve taken positions elsewhere. And it’s going to be very difficult for whomever does come back to get on top of this. It’s going to be a daunting challenge to try to go back 45 days or 60 days to actually figure out what happened and then open investigations and take remedial action. I highly doubt that will be done in a way that’s thorough enough.”

Greg Touhill, President of Cyxtera Federal

“Nation state actors represent the most dangerous threats and they remain persistent during government shutdowns. I expect there to be an increase in activity as threat actors look for vulnerabilities that are unmitigated during the shutdowns. I’m also concerned that criminal organizations will step up their reconnaissance and probes into sensitive government data stores given the impact the shutdown has on the Department of Justice and courts.

Any department could be victim of an attack whether they are currently unfunded or not. That’s because many rely on shared services. So negative effects would be felt across departments and agencies. In addition, critical infrastructure operators work closely with the government. So an attack on critical infrastructure could result in serious impacts that affect every American citizen and business.

The short-term ramifications include a lack of skilled personnel, both government employees and contractors, in place to manage essential cyber defense activities like security operations, patching and incident response. In addition, vital planned system upgrades and the implementation of new security technologies will be delayed, which further weakens cyber defenses.

Despite the Security Event and Incident Management tools fielded by the government’s Continuous Diagnostics and Mitigation (CDM) program to fortify the cybersecurity of government networks and detect threats, if an alarm goes off and you don’t have skilled people on hand to respond immediately, then you expose data to high risk.

Long term, I am very concerned that the highly skilled cyber workforce supporting the US government (both government employees as well as the contractors that support them) is increasingly frustrated by this — and previous government shutdowns — and will migrate to private sector jobs in order to better provide for their families. Both government employees as well as the highly skilled contractors who support them are attracted to and dedicated to the mission.

While government employees have been ‘teased’ by earnest political leadership that they will receive back pay, government contractors are painfully aware that during the work stoppage, their companies will not be drawing revenue. Companies operating in the federal market are suffering huge losses trying to keep their highly-skilled cyber personnel on staff during this shutdown.

I suspect the long-run impact of this shutdown will be seen as more and more of the best highly-skilled cyber professionals will leave the public sector and take their mission expertise to the private sector.”

Bryson Bort, CEO of SCYTHE

“The results will be invisible, but additive as this prolongs. For now, it’s simple things like NIST, which provides best practice guidance on cybersecurity, having its webpages down that host those documents. Patching is certainly going to be slower so if there are any serious and up patch requirements, then there could be a greater window than normal. The NCCIC, the DHS watch floor, is operating despite funding. But, in general, monitoring is probably not happening at 100 percent of usual operations, which means that there is an increased chance that malicious activity may not be spotted.

Bort

The usual operators are likely involved: China, Iran, Russia and North Korea. But, I don’t think they will ‘attack.’ I do think this is a good opportunity to step up iterative campaigns to compromise, gather intelligence, and place something quiet for the future.

The biggest risk would be the IRS. The timing of the shutdown right as we move into tax season. In the past, there have been significant issues with fraud: there are several key entities who have figured out that there is a lot of money to be made.

Long run, morale, staffing, and recruiting just took a significant step back. When this finally ends, hopefully soon, there will be some number of staff who will have jumped to the private sector and they are not coming back.”
