Dark Reading: Corporations With Cyber Governance Create Almost 4X More Value

Public corporations have mostly ignored SEC regs published years ago for improving cybersecurity governance. And while the requirements can be difficult to satisfy, companies that have made the effort created nearly four times their shareholder value compared to those that haven’t. That’s the conclusion of a new survey jointly conducted by Bitsight and Diligent Institute, entitled “Cybersecurity, Audit, and the Board.”  According to the Bitsight report, having separate board committees focused on specialized risk and audit compliance produces the best outcomes. 

You can read my analysis of this report for Dark Reading here.

Dark Reading: Cloud Email Filtering Bypass Attack Works 80% of the Time

A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.

Computer scientists have uncovered a shockingly prevalent misconfiguration in popular enterprise cloud-based email spam filtering services, along with an exploit for taking advantage of it. The findings reveal that organizations are far more open to email-borne cyber threats than they know, and will be presented at a conference in May. My post for Dark Reading explains the situation.

Red Cross Volunteer Gives Back as Service to Armed Forces Resiliency Volunteer

There aren’t too many people who have become modern models for dolls produced by the American Girl company, let alone women who have had a long volunteer career with the American Red Cross. But Dorinda Nicholson – the real-life archetype behind the Nanea Mitchell doll – is very much a true story of grit, determination, and turning her survivor’s story into one of exceptional service wherever she goes. I recently wrote a profile of her for our local chapter blog.

Dark Reading: NIST’s Vuln Database Downshifts, Prompting Questions About Its Future

Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination. That is when any details in the NVD have been omitted, details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers. My story in Dark Reading tells this sad tale.

Dark Reading: 5 Ways CISOs Can Navigate Their New Business Role

CISOs can successfully make their business operations more secure and play a larger role in the organization’s overall strategy, but there are pitfalls to avoid.

According to Forrester’s recent security program recommendations report, “the eyes of the world are on CISOs — but not in a good way. There is now a long list of sacrificial CISOs who have either been fired or left due to disagreements with their firms.”

Navigating what comes next isn’t easy, but in my post today for Dark Reading are five takeaways from Forrester’s analysis that might help identify some pathways to success.

Dark Reading: Typosquatting Wave Shows No Signs of Abating

A spate of recent typosquatting attacks shows the scourge of this type of attack is still very much with us, even after decades of cyber defender experience with it.

Ever since the Internet became a commercial entity, hackers have been using it to impersonate businesses through a variety of clever means. And one of the most enduring of these exploits is the practice of typosquatting — i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. In my latest post for Dark Reading, I talk about the recent series of attacks, why they continue to persist, and ways that enterprise security managers can try to prevent them from happening, although the fight isn’t an easy one.


Dark Reading: NSA’s Zero-Trust Guidelines Focus on Segmentation

Zero trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of these measures.

As more workloads shift to the cloud by businesses, there is more need to adopt zero trust computing strategies. But the notion of “untrusted until verified” is still slow to catch on, although in some areas of the world, such as in the United Arab Emirates, zero trust adoption is accelerating.

To try to bridge the gap between desire and implementation and also provide a more concrete roadmap towards zero trust adoption, the US National Security Agency has been publishing a series of guidelines over the past few years, covering device protection and user access. The latest one was released this week concerning network security.

My story on what this means for zero trust is in Dark Reading today, and it can be found here.



Dark Reading: How CISA Fights Cyber Threats During Election Primary Season

When US election integrity and security took center stage as a political football after the 2020 Presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is doing what it can to dispel security concerns around this year’s trip to the polls.

CISA, along with several other organizations, has beefed up various cybersecurity support resources for elections in general, including more programs for state and local elections officials, and for volunteer poll workers. In my post for Dark Reading today, I describe some of these efforts and explain the unique combination of cyber and physical security needs to ensure our democracy continues with free and fair elections.

Dark Reading: Biometrics Regulation Heats Up, Portending Compliance Headaches

This year might be a boon for biometric privacy legislation. The topic is heating up and lies at the intersection of four trends: increasing artificial intelligence (AI)-based threats, growing biometric usage by businesses, anticipated new state-level privacy legislation, and a new executive order issued by President Biden this week that includes biometric privacy protections.

But things could backfire: A growing thicket of privacy laws regulating biometrics is aimed at protecting consumers amid increasing cloud breaches and AI-created deepfakes. But for businesses that handle biometric data, staying compliant is easier said than done. I explore the issues surrounding implementing and regulating biometrics in a post for Dark Reading today.

CSOonline: How to strengthen your Kubernetes defenses

Kubernetes-focused attacks are on the rise. Here is an overview of the current threats and best practices for securing your clusters. The runaway success of Kubernetes adoption by enterprise software developers has created motivation for attackers to target these installations with specifically designed exploits that leverage its popularity. Attackers have become better at hiding their malware, avoiding the almost trivial security controls, and using common techniques such as privilege escalation and lateral network movement to spread their exploits across enterprise networks. While methods for enforcing Kubernetes security best practices exist, they aren’t universally well known and require specialized knowledge, tools, and tactics that are very different from securing ordinary cloud and virtual machine use cases.

In this post for CSO, I examine the threat landscape, what exploits security vendors are detecting, and ways that enterprises can better harden their Kubernetes installations and defend themselves.examine the threat landscape, what exploits security vendors are detecting, and ways that enterprises can better harden their Kubernetes installations and defend themselves.