Nok Nok blog: 10 Years Later – How Nok Nok Labs brought about a change in strong and passwordless authentication

Nok Nok Labs came into being, a decade ago and is having its’ moment in the spotlight. The company has seen the FIDO standards become adopted around the globe, in some cases with very large scalable deployments that involve millions of end users and sold more than 500M key pairs. Along with helping to assemble the beginnings of the FIDO Alliance, Nok Nok engineers were co-creators of this now well-established set of authentication standards and have continued to innovate (with 50 patents filed), integrate and improve upon them in the past decade.

They are now one of the leaders in providing passwordless authentication, which now signifies a bona fide market segment, all thanks to FIDO protocols which make it easier for companies to transition, deploy, and manage a more secure solution that is focused on stronger security and privacy.

You can read my post on Nok Nok’s blog here.

Avast blog: Understanding the Pegasus project

Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth. In this blog post for Avast, I explain the collaboration, link to various media reports about what they found out, and ways that you can protect yourself — although the chances that you will become a target of this spyware are pretty slim.

Avast blog: Enhancing threat intelligence using STIX and TAXII standards

For many years, cybersecurity companies have invested in building sensor networks and detection capabilities to build a greater understanding of adversaries’ tactics, ever-changing techniques, and the threats posed to the world’s internet community.

One of the critical foundations of protecting all uses of the internet is for the security defenders to better understand what malicious activities look like and how to stop them. With that backstory of gaining greater insight, many security companies must not only understand their own data but also learn and share with others doing the same.

In my latest blog post for Avast, I take a closer look at two threat data sharing standards, STIX and TAXII.

It is 2021. Stop running your IT like it is 2019.

I had a moment to catch up with a friend of mine, Adam, who is an IT director for a DC-based global trade association. Adam and I go way back — so far back that I was present when we turned off a small IBM mainframe in favor of a Novell LAN back in 1995. Those were the days.: that machine had 16 MB RAM and 7.5 GB of disk. My watch has more than that.

Adam has been working remotely for the past 18 months, and actually had to manage to move his office to a new location and plan for the eventual return to the new place.

He told me that “working in the office is so 2019, it is time to start thinking of the future and assume that many people won’t be in their offices full-time. Why do you have to use a domain controller and a VPN when you should be preparing for a virtual environment, whether or not you actually need one?” Good questions.

He used the pandemic as an opportunity to throw some gas on technology changes that he wanted to make happen. “Only instead of taking five years, we managed to do this in a little over a year. The pandemic was a great accelerant to adopting new cloud-based technologies.”

His core IT stack is Microsoft-based, including five critical technologies: Teams, Azure AD, Defender ATP, Intune and Autopilot.

Early on, the focus was on Teams Chat and Video Conferencing as well as migrating an old fashioned file server to Teams/SharePoint. Before the pandemic, Adam was begging staff to abandon audio-conferencing and switch to Teams for internal and external scheduled calls. Then in March 2020 the association had its first remote all-hands meeting via Teams. Over 50 staff joined the call and it went flawlessly. After that first call Teams adoption soared. 

Adam then switched his focus to move the association’s endpoints to Azure Active Directory. In the future, Autopilot, for example, will make it easier to drop ship a new computer and have it onboarded without anyone from IT actually laying their hands on it. Think of it as touchless installation. “The potential is that we can deliver most of our apps without ever seeing the PC.” Remember when IT used disk imaging tools to set up new PCs? That has gone the way of those IBM mainframes.

“Before the pandemic, we did patch management of our endpoints based on the machine being in our office, where they could physically talk to the WSUS server. All of a sudden, that premise-based connection was severed. In the future, we hope to decommission our on-premises Domain Controllers and run all IT infrastructure in Azure AD. The only server left will be a NAS with 8TB of video, audio and photos. It is just too much to put into the cloud at this time.”

Migrating from Active Directory to Azure AD isn’t simple, and their MSP, DelCor, is helping with the back-end transition. Adam and his staff are touching each endpoint themselves. The goal is to make it easier to manage their endpoints, whether they are in an office or dispersed in the homes of staff worldwide. “Companies that still have their AD controllers in a closet someplace should put migrating to a cloud based directory system, whether Azure AD or some other flavor, on their roadmap.” 

For an MFA security solution, his MSP insisted on using Duo’s MFA. “It made their jobs – and mine – much easier, and much more secure.”

As Adam’s team migrates users to Azure AD and Defender ATP, the IT Team is getting better visibility into the threat assessment of each endpoint. “IT directors are in a war, and we have to be continually improving our infrastructure and security footprint. Let’s face it, the most dangerous virus is the one you don’t know about that has been living on your network for months.”

Adam is using the paid Defender ATP license and replacing his Trend Micro AV installation, so he can get a single management screen to see which of his users’ PCs are in need of security updates. “Gone are the days of Windows 10 being stuck in the 2019 release.”

Adam is just a microcosm of the sea changes that IT is going through these days. Whether you are returning to your office or have adopted some hybrid solution, you might want to take a look at what you can to manage more remote workers.

Linode blog: Three app security guides

I have written a series of blog posts to help developers improve their security posture.

As developers release their code more quickly, security threats have become more complex, more difficult to find, and more potent in their potential damage to your networks, your data, and your corporate reputation. Balancing these two megatrends isn’t easy. While developers are making an effort to improve the security of their code earlier in the software life cycle, what one blogger on Twilio has called “shifting left,” there is still plenty of room for improvement. In this guide, I describe what are some of the motivations needed to better protect your code.

Many developers are moving “left” towards the earliest possible moment in the application development life cycle to ensure the most secure code. This guide discusses ways to approach coding your app more critically. It also outlines some of the more common security weaknesses and coding errors that could lead to subsequent problems. In this post, I look at how SQL injection and cross-site scripting attacks happens and what you can do to prevent each of them.

Application security testing products come in two basic groups and you need more than one. The umbrella groups: testing and shielding. The former run various automated and manual tests on your code to identify security weaknesses. The application shielding products are used to harden your apps to make attacks more difficult to implement. These products go beyond the testing process and are used to be more proactive in your protection and flag bad spots as you write the code within your development environment. This guide delves into the differences between the tools and reviews and recommends a series of application security testing products.



Infosec Institute blog: How to design the best cybersecurity training program for your enterprise

One of the best ways to retain your staff is to invest in their further education and what is now called upskilling. But corporate skills training often has a hard time getting the respect that it deserves. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers.

In my blog post for the Infosec Institute, I look at how to determine the return on any training investment and how to design the right program that fits your particular needs, whether it uses public college-style courseware or a curriculum that you develop yourself.


Avast blog: It ain’t easy to remove your personal data from the brokers

I tried to remove my own data recently and found it to be a very frustrating online rabbit hole. You will find either task to be nearly impossible and, sadly, this is by intent and by design: They charge by the gigabyte and aren’t paid for being accurate. And you don’t pay them anything, so you aren’t really the customer; you are just the unwilling victim. 

Note: these brokers are the legitimate side of selling your data, and not to be confused with the dark web illegal side, such as the recent scraping of 700M LinkedIn users. FIghting that is for another post.

I started out my own quest by submitting removal requests for my data to three places: Epsilon, Experian, and Intelius. I picked these somewhat at random, but the trio gives you a good idea of what you are in for. My journey through this looking glass is chronicled for my latest blog post for Avast here.

Avast blog: Fighting unpredictable existential threats

Earlier in June, CogX Festival brought together representatives from business and government to discuss innovation. I watched a panel session on dealing with unpredictable existential threats. The panelists included Robert Hercock, the Chief Research Scientist at BT Security, Clarissa Rios Rojas, a research associate at the University of Cambridge’s Centre for the Study of Existential Risk, and Avast CISO Jaya Baloo. Rojas and her colleagues spend a lot of time looking at a wide range of global risks that could lead to human extinction and other dire circumstances. You can watch the session here and can read my synopsis of the conference session on Avast’s blog here.

CSOonline: CSPMs explained

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

I discuss the importance of CSPMs and what you need to know to evaluate one of them for your particular circumstances in my CSOonline post.


Avast blog: Reimagining staffing in the cybersecurity industry

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years.

You can read my analysis of their report here on Avast’s blog.