SearchSecurity: Emerging security threats you are up against now

Blended threats and improvements to man-in-the-middle exploit kits have made malware more available to a wider audience of less-skilled cybercriminals. These bad actors can now launch drive-by attacks with just a few mouse clicks. At the same time, increases in state-sponsored hacking and the growing complexity of keeping modern browser plug-ins up to date have made the threats facing the enterprise network more numerous, sophisticated and pernicious. And even that old chestnut of social engineering has been made easier, thanks to the popularity of social networks that enable criminals to pose as co-workers or friends, build trust under false pretenses, and use that trust to steal credentials and assets from the unwitting.

You can read my post on SearchSecurity here on these and other trends in the threat landscape.

Network World review of Carbon Black and Cylance

Most of us know by now that traditional anti-virus doesn’t work, or at least doesn’t work well enough to be the sole line of defense against potential endpoint exploits. Last year Symantec SVP Brian Dye told the WSJ that traditional AV only catches 45% of malware, and many security professionals think the number is even lower. These days, most enterprises need more, or at least want an endpoint product that can actually prevent zero-day infections and exploits from happening and be more proactive.

We looked at two relatively new protective products, Carbon Black (now owned by Bit9, with a screen shot shown above) and Cylance Protect (with a screenshot of its threat analysis shown below). Both are designed to approach securing your endpoints from a different and more complete perspective. To be effective, a modern endpoint security tool needs to be both a gatherer and a hunter: able to find a needle in the proverbial haystack when you don’t even know what the needle looks like. That is where this new breed of tools comes into play.

You can read the review published today here.

Does Your SOC Belong in the Smithsonian?

The Security Operations Center (SOC) may be going the way of the dodo bird as security professionals outsource their protection to managed and cloud services. While many large organizations still have SOCs, smaller enterprises are finding that new technologies and better security architectures lessen the need to assemble large teams. This combination can make an IT team more proactive in protecting their infrastructure even without having a formal operations center.

Outsourcing the Security Operations Center

Many organizations are finding that they don’t really need a SOC, and instead have outsourced its function to cloud or hosting providers. Running these operations centers can be costly, both in terms of employing staff members with a high level of experience available 24/7 and with purchasing all the various tools that have to be maintained and monitored.

“Mostly, we still see them in very large organizations,” said John Joyner, director of product development at Arkansas-based managed services provider Clearpointe. “A large enterprise needs a big security analysis team that can actively engage in fighting incidents and security issues. But smaller organizations can avoid this if they have implemented a cloud-based architecture and liberally employ encryption and protection technologies.” Additionally, they should rely on their hosting partners as a first line of defense against attackers.

Changing the SOC Pyramid With the Times

Joyner feels the security pyramid made popular by the SANS Institute and others isn’t really relevant to as many companies anymore. “We shouldn’t have to worry about this if we have built our systems correctly. While it is true that a denial-of-service attack can bring down a public website, an organization doesn’t have to host that website internally. Instead, they should move it to a cloud provider and let them handle the necessary security,” he said. “It makes more sense to put [our customer-facing websites in the cloud] than to run them on our own networks.” They do this with many of their customers’ websites, and because they are a Microsoft partner, use Azure as their cloud provider.

Joyner feels that today’s enterprises should harden their security infrastructure, perhaps by using network access controls or application-based security, which would make them that much more difficult to penetrate. “Why should anyone waste resources when there are so many great alternatives available?” he asked. “Certainly, for backups and disaster recovery, the cloud offers some solid and very secure solutions. But you don’t need a SOC for these functions.”

He talks about using “thoughtful applications architecture” — now there is a term that I like — and making sure that you can compartmentalize your various apps so when you do get penetrated the threat can be better contained, or better yet, alter your infrastructure so it doesn’t matter if you are penetrated. “We can replace most of our sensitive data so its capture doesn’t reveal anything.”

PC Magazine: Self-service business intelligence tools

When most people think of business intelligence (BI) tools, they first think of using a spreadsheet for their data analysis and graphing needs. While Excel has been around for decades and is used by millions in this fashion, spreadsheets aren’t always suitable tools for BI kinds of tasks. Up until very recently, BI was mostly for specialists. The tools were hard to operate and required knowledge akin to that of database administrators. But that has changed, and lately the market has made it easier for normal folks to use them, under what is now being called “self-serve BI.”

I look at five of the leading BI tools for PC Magazine, and you can read my review here of these products: Domo (an example shown here), Qlik Sense Enterprise, Clearify’s Qqube, Tableau Software’s Desktop (which received my Editor’s Choice award), and Zoho Reports. All of them are better than using Excel for BI purposes.

(NB: since I wrote the original review in 2015, my colleague Pam Baker has revised and expanded the review with newer versions of the tools.)

Giving thanks to my mentors

Next week is the 20th anniversary of these essays. I wanted to take the time today to thank the various people that have guided my career, advised me and helped advance my career in tech journalism. I have to start out with one of my first bosses, a man who taught me how to write and convinced me that I could become a writer, Grant Thompson. Grant and I were working at the time for a non-profit organization called the Conservation Foundation in Washington, D.C. I came there to help the organization build mathematical models for energy and environmental policy analysis, but came away from that job learning how to write. Little did I know how that would shape my career, and for all the countless hours that Grant spent marking up my drafts and teaching me my craft, I am forever grateful.

Several years later, I was working in IT for a large insurance company based in downtown LA called Transamerica Occidental Life. We had built one of the first end user computing departments to support a massive rollout of PCs. It was a great job, and I worked with Bob Zucker, Mark Will and Mike Storms there. All of them taught me to examine how people used technology in their jobs. This context would also be important to my subsequent career.

From Transamerica, I went on to work at PC Week (now eWeek) at my first editorial position. That was a dream job and I wrote about how I was hired here. I was hired by Mike Edelhart, who was a long-time Ziff Davis veteran and taught me how to become a great manager. PC Week was a massively talented organization and I learned from some of the best people in the tech journalism field, including Sam Whitmore, John Dodge, Paul Bonner, Peter Coffee, Gail Shaffer and Rob O’Regan, just to name a few.

Edelhart and I would write a book together, a book that was never published because we picked the wrong horse (OS/2) in an operating systems race that was eventually won by Microsoft Windows. But years later I was ready to write another book when Marshall Rose asked me to collaborate with him on a book on corporate email in the late 1990s. Marshall is another brilliant man who invented the core Internet email protocols while in his early 20s. Writing a book with him was another life-changing experience for me.

After PC Week I went on to build my first publication from scratch, Network Computing. I worked for Al Perlman, and came to CMP at a time when it was starting many titles in an era when tech journalism was flourishing. I had the great fortune to learn from Mike Azzara, who was running another pub called Unix Today. Perlman went on to start many publications at CMP and elsewhere, and taught me a lot about startups.

Network Computing is still around, although online rather than in print. The team that I created from that publication has gone on to accomplish some great things, and many of those people are still in the tech community. I had the great fortune to hire Barry Gerber as my technical editor: Barry wrote articles for me at PC Week, and we would go on to work together at Tom’s Hardware, where he remained when I left there ten years ago. Barry taught me how to build and operate a test lab, and also how to be a better boss.

Over the years as a freelancer, I have had the good fortune to work for some of the best editors in the tech business, including Jackie Gavron, Rachel Parker, Jodie Naze, Neal Weinberg, Jennifer Bosavage and Stewart Alsop. Before Stewart became a VC, he was the editor at Infoworld in the early 1990s and gave me the assignment of writing a column by traveling to different businesses around North America and upgrading their networks over the weekend. These editors polished my prose and made me a better writer and it has been a blast to work for them.

Thanks everyone, including many others that I haven’t mentioned here. Next week I will write about some of the significant events that I have covered over my career and link back to some memorable columns.

Time to secure your website with an SSL EV certificate

This post is going to be a bit more technical than most, but I will try to keep it as simple as I can. Last month I wrote about how domain owners can mask their identity by purchasing extra-cost private domain services. Today I want to talk about the opposite: where domain owners want to prove who they really are by making use of special encrypted certificates, called Secure Sockets Layer Extended Validation or SSL EV certs. It is something whose time has finally come.

One of the many problems with the average website is that you don’t necessarily know if the server you are browsing is for real or not. Scammers exploit this all the time when they send you a phishing email: they copy the “real” site’s images and page design for, say, your local bank, and then try to trick you into logging in on their scammy page, where they capture your credentials and then steal your money. Rinse and repeat several million times and even if just a few folks take the bait, they can grab some significant coin.

So along came the SSL certificate many years ago to try to solve this problem. It did, for a while, until the scammers figured out a way to spoof the certificates and make it look like they came from the “real” site operator. So the certificate issuers and several other interested parties got together and formed two efforts:

First was a standards body where they would up the ante for how certs were vetted, to make sure that the real owner was who they said they were. This involves checking the domain ownership and making sure there actually is a Real Corporation (or some other trackable entity) behind the Internet registration. Now there are three different levels of certs that are available: the regular, old-school cert called domain validated (DV), a medium-grade one called organization validated (OV), and the most stringent of them all, the EV cert. Only the EV cert will turn the URL address bar of your browser green, showing you that you are connecting to the real site. Steve Gibson has a nice explanation on his site of how this works under the covers and how it is tamper-proof, at least so far.

That is nice and welcome, but the second effort is also interesting: a non-profit corporation that is just getting ready to issue its own SSL certs for free. Called the Let’s Encrypt Project, they have begun with a few test accounts and will be ramping up over the next couple of months. The cost is nice — some of the issuing authorities such as Thawte and Digicert charge $300 per year for their SSL EV certs, and GoDaddy has recently discounted their SSL EV certs to $100 per year. (Wikipedia has a more complete list of those vendors that offer the EV certs.) But the real issue is that installing the certs is a multi-step process that requires some care. If you don’t do it very often (and why would you), it is easy to mess up. The Let’s Encrypt certs are supposedly easier to install.

One downside is that the free Let’s Encrypt certs aren’t EV-class ones: they are just the old-school, low-level DV certs. So if you are serious about your certs and want that nice green label in your browser, you still have to buy one. But at least the issue has been raised, which is one of the reasons why I am writing about this arcane topic today. If you own a domain and are doing ecommerce from it, look into getting at least the free certs when they are available, or pay for one of the EV models.
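The three validation levels described above differ in what the certificate actually says about its owner: a DV cert carries only the domain name, an OV cert adds the organization name and location, and an EV cert adds business-registration fields (business category, jurisdiction, registration number) plus the CA/Browser Forum EV policy identifier. The following Python is an added example, not code from the original post or from any certificate authority, that classifies a certificate into DV, OV or EV from those fields. It assumes the subject is supplied in the tuple-of-tuples shape that Python's `ssl.SSLSocket.getpeercert()` uses, that the policy OIDs have been extracted separately (Python's `ssl` module does not expose them, so in practice a library such as `cryptography` would supply that list), and that the attribute name `jurisdictionCountryName` is the one your parser emits; the sample certificates are constructed, not real.

```python
"""Classify an X.509 server certificate as DV / OV / EV from its subject
fields and certificatePolicies OIDs.  Added example; inputs are constructed."""

# CA/Browser Forum policy OIDs (real values defined in the Baseline Requirements
# and EV Guidelines).  CAs may also use their own CA-specific EV OID.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"

# Subject attributes the EV Guidelines require in addition to C/L/O.
# (Attribute names assumed to match what the certificate parser emits.)
EV_REQUIRED_SUBJECT = {
    "organizationName",
    "businessCategory",
    "jurisdictionCountryName",
    "serialNumber",  # company registration number, not the cert serial
}


def subject_to_dict(subject):
    """Flatten a getpeercert()-style subject (tuple of RDN tuples) into a dict."""
    flat = {}
    for rdn in subject:
        for name, value in rdn:
            flat[name] = value
    return flat


def classify(subject, policy_oids):
    """Return (level, reason) where level is 'DV', 'OV' or 'EV'.

    The EV policy OID alone is not trusted: if a cert claims EV but the
    subject lacks the identity fields EV requires, it is downgraded, which
    is also what a browser would effectively do by not showing the EV UI.
    """
    subj = subject_to_dict(subject)
    oids = set(policy_oids)
    has_org = bool(subj.get("organizationName"))

    if CABF_EV in oids:
        missing = EV_REQUIRED_SUBJECT - subj.keys()
        if not missing:
            return "EV", "EV policy OID present and identity fields complete"
        level = "OV" if has_org else "DV"
        return level, "EV policy OID present but subject lacks " + ", ".join(sorted(missing))

    if has_org or CABF_OV in oids:
        return "OV", "organization identity present, no EV policy"

    return "DV", "domain name only"


# Constructed sample subjects (not real certificates).
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example.org"),),),
    "policy_oids": [CABF_DV],
}
SAMPLE_OV = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "shop.example.org"),),
    ),
    "policy_oids": [CABF_OV],
}
SAMPLE_EV = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("localityName", "St. Louis"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "shop.example.org"),),
    ),
    "policy_oids": [CABF_EV, "1.3.6.1.4.1.0.0.0"],  # second OID is a placeholder CA-specific value
}
# Edge case: EV OID claimed, but the subject carries no organization identity.
SAMPLE_EV_CLAIMED_ONLY = {
    "subject": ((("commonName", "shop.example.org"),),),
    "policy_oids": [CABF_EV],
}

if __name__ == "__main__":
    for label, cert in [("dv", SAMPLE_DV), ("ov", SAMPLE_OV),
                        ("ev", SAMPLE_EV), ("ev-claimed-only", SAMPLE_EV_CLAIMED_ONLY)]:
        level, reason = classify(cert["subject"], cert["policy_oids"])
        print(f"{label:16s} -> {level:2s} ({reason})")
```

This is triage logic only: a real browser additionally checks that the EV policy OID in the leaf is one it has recorded for that specific root CA and that the whole chain validates, so a cert passing this check is a candidate for EV treatment, not proof of it.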

SecurityIntelligence.com: Securing the nonprofit

Running an IT security department in a nonprofit or charitable agency is very different from what’s found in a typical for-profit corporation. I spoke to David Goodman, who has held CIO jobs in a variety of nonprofits and is now the CIO-in-residence for the international benefit company NetHope. In his universe, Goodman rarely sees the kinds of regulatory and compliance structures and level of security that are commonplace in the average bank or even a local business.

You can read my post for SecurityIntelligence.com here.

SearchSecurity.com: Five ways CIOs tackle hybrid cloud security

As CIOs adopt hybrid-cloud strategies, some quickly learn that these environments need new kinds of security models or, at least, contexts in which to apply existing controls and security technologies. Most organizations also find that their environments are not as simple as a pure private plus public cloud. Legacy on-premises systems and SaaS applications come into play.

You can read my article in SearchSecurity here as I interview several CIOs and what they are doing to protect their hybrid cloud deployments.

Authentication for the next generation

The new “my way” work style and the demand for on-the-go access to any service from any device and virtually any location requires that you bring your best encryption game with you when you’re on the move. This is especially true for the group of people often labeled Gen Y, or 20-somethings. Why? Because they are so digitally native and so used to living their lives with instant access to their money, their friends, really anything that they do. As they are so steeped in technology, they tend to forget that there are lots of folks online who want to steal their identities, empty their bank accounts, and cause other havoc with their digital lives. But Gen Y is also more likely to use mobile banking than their elders, and more likely to go elsewhere if banks do not offer the mobile services they desire.

For a white paper for Vasco, I wrote about the challenges around providing better and more native authentication technologies for Gen Y and indeed, all users.

Defaulting to transparency

I came across an interesting series of blog posts from employees at the company called Buffer. They make an app that allows you to concurrently post to various social media accounts. (I know, a crowded market space). What caught my attention was the use of the term “defaulting to transparency” — meaning that the corporate credo is to be as open as possible in all of its operations. I first thought, they can’t be serious. But they are and they do practice what they preach and so should you.

Buffer shares its formula for calculating every employee’s salary, and even publishes and updates the spreadsheet showing you who makes what. All of their SaaS metrics are public (see the dashboard at right). While the company is private, they share which investor paid for what piece of equity, the number of customers, what their annual revenues are, and so forth. That is pretty impressive.

Transparency isn’t a new thing: Google has had its transparency report since 2010, and even links to other companies’ reports here. But that is mainly about how they respond to subpoenas and other government requests for information, although there is a great report showing you how much of Gmail is encrypted in transit to other providers. What Buffer and others are doing is of a more personal nature, more directly tied to their corporate ethos and culture. They use transparency as an asset to recruit and retain the best people working for them all over the world. Another example of their transparent culture: emails between two or more staffers get cc’ed to a special departmental group inbox, where anyone can examine their content. Each employee gets a Jawbone fitness monitor and the results are available for anyone to see how you literally live your life, including how much sleep you get every night. They have other tools that allow anyone to track other kinds of progress reports on a daily basis too.

Certainly, they aren’t alone in doing this. I asked my friend Gabe Lozano, the CEO of Lockerdome, what he thought of these ideas. He is fully on board. He told me, “In terms of transparency models, there is no one size fits all for any organization. We have found that transparency drives accountability, which drives results.” They have set up a series of reporting processes that get communicated through a regular morning stand-up meeting (meaning no one has time to sit down, which moves things along) and a weekly meeting where written reports and product demos are shared with everyone.

The co-founder of Buffer said this a few years ago in a post: “Transparency isn’t all rainbows and unicorns. It was actually incredibly nerve-wracking to make the company more transparent. Before we made all salaries public knowledge in the company, I was terrified.” But he got over that, and now, “the power of transparency is that it drives us to be better—to create a company that’s both great and good.” You can’t argue with that.

While I wish more companies were as transparent as Buffer and Lockerdome, you can’t force it, especially if you have a CEO who isn’t a believer or who has problems with trust issues. But it certainly is a worthwhile goal.