Last month the US DoJ unsealed this indictment of a North Korean spy, Park Jin Hyok, who they claim was behind the hacks against Sony and the creation and distribution of WannaCry. It is a 170+ page document, written by Nathan Shields of the FBI’s LA office, that shows the careful sequence of forensic analysis they used to figure out how the various attacks were conducted. In this post for CSOonline, I talk about some of the implications for IT managers, based on the extensive details described in the indictment.
Properly testing your virtual infrastructure has been an issue almost since there were VMs and AWS. Lately, the tool sets have gotten better. Part of the problem is that to adequately test your AWS installation, you need to know a lot about how it is constructed. CPUs can come and go, and storage blocks are created and destroyed in the blink of an eye. And as the number of AWS S3 data leaks rises, there have to be better ways to protect things. Rhino Security and Amazon both offer tools to improve visibility into your AWS cloud environments, making it easier to find configuration errors and vulnerabilities. I write about the Pacu and CloudGoat tools, as well as various AWS services to test your VMs, in my article from CSOonline here.
I have written for this excellent 20-year-old publication occasionally. My article in this issue is about fileless malware.
Malware authors have gotten more clever and sneaky over time to make their code more difficult to detect and prevent. One of the more worrying recent developments goes under the name “fileless.” There is reason to worry because these kinds of attacks can do more damage, and the malware can persist on your computers and networks for weeks or months until it is finally neutralized. Let’s talk about what this malware is and how to understand it better so we can try to stop it from entering our networks to begin with.

Usually, the goal of most malware is to leave something behind on one of your endpoints: one or more files that contain an executable program that can damage your computer, corral your PC as part of a botnet, or make copies of sensitive data and move them to an external repository. Over the years, various detection products have gotten better at finding these residues, as they are called, and blocking them.
You can read my article here, along with other fine pieces on the state of the Internet in this month’s edition.
In August 2018 I was in Nashville, covering the RSA Archer Summit customer annual conference. Here are my posts about the show:
- Mobility announcements wrap up. Archer has a new mobile product and partnered with SIs that integrate with its platform.
- An interview with David Walter, VP at RSA Archer, about their plans. (video clip)
- Why it is time to forget spreadsheets for risk management. You would be surprised where people use spreadsheets. Or maybe not.
- How to succeed at deploying Archer: some lessons learned from the field.
- My thoughts on the next phase for Archer.
When I asked RSA Archer VP David Walter who their competition was, he told me earnestly that it was the simple spreadsheet. I believe him, especially after what I have seen people do with spreadsheets over the years that I have been a tech reporter.
Dan Bricklin and Bob Frankston invented the electronic spreadsheet with VisiCalc for the Apple II in 1979. It wasn’t long after that when I began using it on an HP 85 running CP/M to build mathematical models while working at various jobs in DC. That was a sweet machine, with its three-inch monochrome monitor and all 8K of RAM. Then Lotus 1-2-3 and the IBM PC came along, making spreadsheets the go-to general business tool.
It has surprising staying power, given that the software has had essentially the same user interface for more than 30 years. In this post for the RSA blog, I talk about the drawbacks of spreadsheets and give four reasons why you want something better for integrated risk management.
Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on a malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakage, or privilege escalation exploits. A trio of email security protocols has made some progress against this, but has seen a rocky road of deployment in the past year. Going by the acronyms SPF, DKIM and DMARC, the three are difficult to configure and require careful study to understand how they inter-relate and complement each other with their protective features. The effort, however, is worth the investment in learning how to use them.
In this story for CSO Online, I explain the trio and how to get them set up properly across your email infrastructure. Spoiler alert: it isn’t easy and it will take some time.
The story has been updated and expanded since I first wrote about it earlier this year, to include some new surveys about the use of these protocols.
Organizations are becoming increasingly digital in their operations, products and services offerings, as well as with their business methods. This means they are introducing more technology into their environment. At the same time, they have shrunk their IT shops – in particular, their infosec teams – and have less visibility into their environment and operations. While they are trying to do more with fewer staff, they are also falling behind in terms of tracking potential security alerts and understanding how attackers enter their networks. Unfortunately, threats are more complex as criminals use a variety of paths such as web, email, mobile, cloud, and native Windows exploits to insert malware and steal a company’s data and funds.
In this post for RSA’s blog, I talk about how organizations have to become better at managing their digital risk by using more advanced security information and event management (SIEM) systems and adaptive authentication tools. Both of these use more continuous detection mechanisms to monitor network and user behaviors.
The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.
If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.
In just a few years, a lot has happened in the Cloud Access Security Broker (CASB) market.
Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing are CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree, since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be as important in the near future as firewalls once were, back in the day when PCs were being bought by the truckload. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.
Four things also helped the CASB cause: first, security personnel found the products quick to learn; second, the products became more inclusive in terms of the applications they support; third, a managed service provider business began to emerge; and finally, multimode operation has become more prevalent.
In this story for CSOonline, I talk about what these products are, why enterprises are motivated to purchase and deploy them, what features you should look for that are appropriate for your network, what your decision points are in the purchase process, and I include links to many of the major CASB vendors.
Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist and his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of the hacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers, and for a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found on IBM’s Security Intelligence blog.