I love watching TED Talks. The conference, which covers technology, entertainment, and design, was founded by Ricky Wurman in 1984 and has spawned a cottage industry featuring some of the greatest speakers in the world. I attended a TED Talk when it was still an annual event. I was also fortunate to meet Wurman when he was producing his Access city guides, an interesting mix of travelogue and design.
- More comprehensive adoption of multi-factor authentication (MFA) tools and methods
- Ensuring better backups to thwart ransomware and other attacks
- Paying more attention to cloud data server configuration
- Doing continuous security awareness training
For this year’s post, I re-examine each of these areas, chart progress and trends, and offer a few new suggestions. Attackers have gotten more determined and targeted, and software supply chains have become more porous and insecure. What is clear is that security awareness remains a constant battle. Standing still is admitting defeat. Chances are you aren’t as aware as you think you should be, and hopefully I have given you a few ideas to improve.
Analysts predict that the multi-factor authentication (MFA) market will continue to grow, fed by the demand for more secure digital payments and by rising threats such as phishing attacks and massive breaches of large collections of passwords. This growth is also motivating MFA vendors to add new factor methods (such as some of the newer hardware tokens shown here) and to make their products easier to integrate with custom corporate and public SaaS applications. That is the good news.
The bad news is twofold, and you can read my latest update for CSOonline on MFA trends here to find out more about how this market has evolved.
I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:
- HPE/Voltage SecureMail is now part of Micro Focus, which acquired it along with other HPE software products
- Virtru Pro has extended its product with new features and integrations
- Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
- Zix Gateway rebranded and widened its offerings
- Symantec Email Security.cloud has added integrations
In my post today, I talk about recent trends in encryption and more details about each of these five products.
One of the things that I like about our hyper-connected world is how easy it is to virtually attend just about any tech conference. Alongside most major conferences you can also find a number of interesting ancillary events. Some of these, much like the official conference sessions, are recorded for viewing later. Today’s post is about one such ancillary event, hosted by RSA – the company, not the conference. Before I talk about some of the challenges of running smart city infrastructures, let me discuss why I think Singapore is so important for IT security professionals.
For MSSPs, offering a security operations center as a service can be a very profitable proposition — enough to offset the high cost of staffing and software. Given that a recent ESG survey showed 53% of enterprise IT pros have “a problematic shortage” of cybersecurity skills at their organizations, demand for SOC expertise is strong.
In this webinar, I will explain how MSPs and MSSPs can approach this opportunity from a variety of directions, such as combining managed security event, threat detection and endpoint security. I’ll look at what services are required and how they can be packaged, what the existing marketplace looks like, and the best vendors to partner with. (reg. req.)
During the webinar, I also mention a Ponemon study that has some additional data about SOC usage and the problems with retaining trained staffers, one of the many reasons why companies are looking to outsource their SOCs.
You probably wouldn’t expect a series on the appropriate use of technology to appear on the English Al Jazeera channel, but that is what I am going to tell you about in today’s post. I have been watching a lot more of their news coverage, looking for a place to obtain some “other” news than the continuing political fascination that our American stations offer up these days. So check out the series, entitled All Hail The Algorithm, where you can find links to the five episodes here.
The series is the work of Ali Rae, a British producer for the channel. She travels the world in search of algorithms that have gotten out of hand. While some episodes are a bit uneven, she does a great job of interviewing primary sources including researchers, tech vendor representatives, and rights and privacy advocates to present a very interesting hour or so of TV.
The first episode is all about trusting the decisions encoded in algorithms. Rae highlights the Australian welfare system, whose algorithm disputed payments made over many years and had computers automatically send dunning letters to thousands of citizens, a scheme that came to be called robo-debt.
The second episode, which focuses on Facebook’s abuses, is the weakest, and most of you have probably already read enough about troll farms which have harvested likes and retweets.
The third episode covers the abuse of social media bot networks and how bad actors, in the pay of various political parties, are flooding these networks with incendiary posts that inflame passions and have caused all sorts of trouble around the world. This one struck home for me: we have seen (to coin a phrase) the growth of intolerance among people on both sides, liberals and conservatives alike, who try to block freedom of expression. Many of the resulting demonstrations and protests are generated by social media ads and misrepresentative posts.
The fourth episode is about the potential abuse of biometrics. The vast majority of British schoolchildren now have their biometric data recorded for easier access to their lunches and libraries. And the UN is using biometrics to make it easier for refugees to access food and money supplies in the camps. The issue here is that once you give up your biometric data, you have no control over how it is used and, more importantly, abused. While the UN representative interviewed in this episode says they are trying hard to prevent security breaches, it is only a matter of time. Actually, last week’s Biostar 2 breach is a good example of how this could go horribly wrong. Millions of users of their “smart locks” now have their biometric data exposed online, something they can’t easily change, unlike a password or a PIN. As Rae points out, biometrics tech is being developed faster than any regulatory efforts, and the lack of transparency by the biometric vendors is alarming.
The last episode is about UI designers, privacy policies, tracking cookies and informed consent. Again, for many of you, this has been covered extensively but Rae interviews a couple of sources that have a few new things to say.
Overall, I learned a few new things from the series and think it is worth your time to watch all of them. Take a gander at what Rae has put together and feel free to share your comments here.
Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the recent RSA conference in Singapore, RSA’s CTO, Dr. Zulfikar Ramzan, described several different C-level executives who could have direct responsibility for some portion of your security infrastructure: CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer (CDO). If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.
From the IT folks I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to pass the buck (or the token or packet) from one department to the next.
You can read my blog post for RSA here about how to try to collaborate and jointly own your security apparatus.
Those of you in tech have probably used or heard of Citrix. The company has been around for decades and sells a variety of products, including remote desktops and network security. It is ironic that they experienced a security breach across their internal corporate network: the breach began last October and was only discovered in March. Internal business documents were stolen as a result. Think about that for a moment: if a network security company can’t detect hackers living inside their network for months, how can mere mortals do it?
The company recently concluded its investigation and, to its credit, has been very transparent about its process. It hired FireEye to analyze its logs and has since updated its endpoint protection with FireEye’s product. The post describes what Citrix is doing to tighten its security, and how it has put together a committee to help govern security going forward. That is great. The post concludes by saying, “we live in a dynamic threat environment that requires a culture of continuous improvement.” Very true.
But what I want to call your attention to is how this breach initially happened, and that is through an attack called password spraying. This is a very simple attack: you start with a list of login IDs and try each one against a short list of common passwords until you find a pair that works. The twist, compared with an ordinary brute-force attack, is that the attacker tries one or two passwords against many accounts rather than many passwords against one account, so no single account racks up enough failures to trip a lockout policy. The linked post has suggestions on how to use common tools to determine your own exposure, and if you are new to this term you should spend some time learning more about it.
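Because a spray keeps each account under the lockout threshold, per-account failure counters never fire; you have to look across accounts from the same source instead. The script below is an added example written for this post (it is not code from the original post, from Citrix or from FireEye) that runs that check over a handful of constructed authentication log lines. The line layout (ISO timestamp, OK/FAIL, user=, src=) is an assumption; adapt LINE_RE to whatever your VPN gateway, identity provider or domain controller actually emits.

```python
"""Password-spray detection over authentication logs.

Added example for this post; not code from the original post, from
Citrix, or from FireEye. The log lines are constructed, and the line
layout (ISO timestamp, OK/FAIL, user=, src=) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.5 tries one guess against many accounts
# (a spray) and lands on grace; 198.51.100.9 hammers one account (classic
# brute force); 192.0.2.77 is a real user who mistyped once.
SAMPLE_LOG = """\
2019-03-06T09:00:01Z FAIL user=alice src=203.0.113.5
2019-03-06T09:00:03Z FAIL user=bob src=203.0.113.5
2019-03-06T09:00:05Z FAIL user=carol src=203.0.113.5
2019-03-06T09:00:07Z FAIL user=dave src=203.0.113.5
2019-03-06T09:00:09Z FAIL user=erin src=203.0.113.5
2019-03-06T09:00:11Z FAIL user=frank src=203.0.113.5
2019-03-06T09:00:13Z OK user=grace src=203.0.113.5
2019-03-06T09:05:00Z FAIL user=admin src=198.51.100.9
2019-03-06T09:05:01Z FAIL user=admin src=198.51.100.9
2019-03-06T09:05:02Z FAIL user=admin src=198.51.100.9
2019-03-06T09:05:03Z FAIL user=admin src=198.51.100.9
2019-03-06T09:05:04Z FAIL user=admin src=198.51.100.9
2019-03-06T09:05:05Z FAIL user=admin src=198.51.100.9
2019-03-06T09:10:00Z FAIL user=alice src=192.0.2.77
2019-03-06T09:10:30Z OK user=alice src=192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def _failures_by_src(events):
    """Failed logins grouped by source address, each list sorted by time."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    for fails in by_src.values():
        fails.sort()
    return by_src


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Sources whose failures touch many distinct accounts, each only a few
    times, inside one window. The low per-account count is the point: a
    sprayer stays under the lockout threshold, so only the cross-account
    view reveals it. Returns {src: sorted list of accounts tried}."""
    hits = {}
    for src, fails in _failures_by_src(events).items():
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_fails=5):
    """The opposite shape: many failures against one account from one
    source. Lockout policies catch this; they do not catch a spray."""
    hits = {}
    for src, fails in _failures_by_src(events).items():
        for i, (start, user) in enumerate(fails):
            n = sum(1 for ts, u in fails[i:] if u == user and ts - start <= window)
            if n >= min_fails:
                hits[src] = user
                break
    return hits


def successes_after_spray(events, spray_hits):
    """Accounts that logged in successfully from a spraying source: the
    guess that worked, and the first accounts to reset and review."""
    return sorted({(src, user) for ts, result, user, src in events
                   if result == "OK" and src in spray_hits})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute-force sources:", detect_bruteforce(evs))
    print("likely compromised:", successes_after_spray(evs, spray))
```

On the sample, the spray detector flags 203.0.113.5 (six accounts, one failure each) and nothing else, the brute-force detector flags only 198.51.100.9 against admin, and the success check singles out grace as the account whose password the sprayer guessed. Tune min_users and the window to your own population: a sprayer working slowly from many addresses will need a longer window or a per-password-guess grouping that this source-based check does not attempt.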
But even if you aren’t part of a corporate IT department, it is high time for you to change your own personal password policy. It is likely that you are using a common password somewhere across your many logins. This isn’t the first time I have made this recommendation. But if an IT vendor that sells security products can get attacked, it means that anyone is vulnerable. And if your password can be easily found (such as in Troy Hunt’s HIBP database), then you need to be concerned. And you need to start by using a password manager and changing your passwords to something complex and unique enough. Now. Today.
I have been reviewing single sign-on (SSO) tools for nearly seven years, and in my latest review for CSOonline, I identify some key trends and take a look at the progress of products from Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA. You can see the product summary chart here.
If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.
I also look at five different IT strategies to improve your password and login security, the role of smartphone authentication apps, and what is happening with FIDO.