Thanksgiving is nearly upon us. And as we think about giving thanks, I remember when 11 years ago I put together a speech that somewhat tongue-in-cheek gave thanks to Bill Gates (and by extension) Microsoft for creating the entire IT support industry. This was around the time that he retired from corporate life at Microsoft.

My speech took the tack that if it wasn’t for leaky Windows OS’s and its APIs, many of us would be out of a job because everything would just work better. Well, obviously there are many vendors who would share some of the blame besides Microsoft. And truthfully Windows gets more than its share of attention because it is found on so many desktops and running so many servers of our collective infrastructure.

Let’s extend things into the present and talk about what we in the modern-day IT world have to give thanks for. Certainly, things have evolved in the past decade, and mostly for the better: endpoints have a lot better protection and are a lot less leaky than your average Windows XP desktop of yesteryear. We have more secure productivity tools, and most can operate from the cloud with a variety of desktop, laptop and mobile devices. We have better security automation, detection and remediation methods too. We also can be more mobile and obtain an Internet or Wifi signal in more remote places, making our jobs easier as we move around the planet. All of these are things to be thankful for, and many of us (myself included) often take these for granted.

What about looking forward? If I look at the predictions that I made a year ago, most of them have withstood the test of time.

Let’s start off with my biggest fail from 2018. I totally blew the call for cryptomining attacks trending upwards. At least I wasn’t alone, and other December 2018 predictions also had this trend mentioned in their lists. However, the exact opposite actually happened, and numerous reports showed a decline in cryptomining during 2019. One reasonable cause was the shuttering of the Coinhive operation in March. I am glad that this happened, and the lower rate of these attacks is another thing to be thankful for!

As I predicted, a number of good things have been happening on the authentication front in the past year. As I touched on in my post last month, a number of the single sign-on vendors’ multi-factor authentication (MFA) products have seen significant improvement. This includes better FIDO integration and better smartphone authentication tools. For example, RSA has its SecurID Access product that combines MFA and risk-based authentication methods. All of these items are things we can be thankful for, and hopefully more security managers will implement MFA in the coming months across their networks and applications.

Ransomware continues to be a threat, as I mentioned in my blog post last December and as concluded in the latest RSA fraud report here. Sadly, criminals continue to latch on to ransoms as a very profitable source of funds. This year we saw the development of new ransomware vectors into the software supply chain, with the Sodinokibi malware milking more than 20 different local Texas government IT operations thanks to a vulnerability in a managed endpoint service. The latest report shows this malware has made more than $4.5M in ill-gotten gains, by tracking specific Bitcoin deposits of the criminals.

Clearly we have made some significant progress in the past year, and even in the past decade.  But with all these innovations comes new risks too. Criminals aren’t just standing still, and figuring out new ways to breech our defenses. And there are still thousands of infosec jobs that go unfilled, as skilled security analysts remain in demand. Hopefully, that will be that we can do something about in the coming year.

For many IT managers, being cyber aware is a hard thing to pin down. Does this mean that you (really) understand the various potential threat modes that can put your organization at risk? Or that you have some form of regularly scheduled cyber security awareness training happening? Or that you have multiple threat detection and response tools in operation to protect your endpoints? If you have been reading my columns, you know that the best answer is that there is some combination of all three of these elements.

Let’s put this in context, because it is once again time to highlight that October is Cyber Awareness month. Last year I wrote about how security awareness has to be “celebrated” every day, not just in October. Let’s look at some of my recommendations from that blog post and see how far we have come – or not.

My post mentioned four major themes to improve security awareness:

• More comprehensive adoption of multi-factor authentication (MFA) tools and methods,
• Ensuring better backups to thwart ransomware and other attacks,
• Paying more attention to cloud data server configuration, and
• Doing continuous security awareness training.

Sadly, all four of these suggestions are still needed, and many of the past year’s breaches happened because of one or more of them were neglected. There are some bright spots: MFA projects seem to be happening with greater frequency. Single sign-on tools are improving their MFA support, documentation and overall integration making it easier for corporate security developers to add these methods to their own apps. And security awareness training seems to be on the rise as well, with many companies implementing more regular assessments to motivate users to be more careful. This is good, because the bad guys are constantly upping their own game to try to trip us up and force their way into our networks.

But there are also problem areas that have arisen in the past year that bear mention. While ransomware continues to plague many companies, the way that attackers are getting to delivery their ransom attacks is troubling. The news over the past year has shown increased targeting by bad actors. This happens in several ways, including:

• Looking for customers of a single VAR (such as what happened with many local Texas governments),
• Finding those targets who are using a common software supplier (such as what happened with takeovers of disused Github projects), and
• Injecting code into scripts used in other software (such as these Magecart attacks with the ecommerce code used by college campus bookstores).

For these cases, a single exploit caused multiple attacks because of the common software used by their customers. This means that better backups aren’t enough anymore: you also must secure your software supply chain and treat any external software supplier as a potential source of a threat.

This means you need to think about whether your existing security tools can catch such exploits, and if not, what protective measures you can put into place that can. For example, do you have a subresource registry to verify the integrity of your source code? Or do you have a policy to host as many of your third-party scripts on your own servers rather than on any of your suppliers’ servers? Both are worth investigating.

Part of the problem is that attackers are getting more determined: we’ve seen evidence (such as what happened this past year at British Airways) where they have tried multiple entry points and adjusted their methods to find a way inside a targeted network. But a big part of why attackers succeed is because we have very complex technologies in place with multiple failure points. Some of these points are known and protected, but many aren’t. This is why security awareness is a constant battle. Standing still is admitting defeat. So the title of this post isn’t as rhetorical as you might think. Chances are you aren’t as aware as you think you should be, and hopefully I have given you a few ideas to improve.

Analysts predict that the multi-factor authentication (MFA) market will continue to grow, fed by the demand for more secure digital payments and rising threats, phishing attacks and massive breaches of large collections of passwords. This growth is also motivating MFA vendors to add new factor methods (such as some of the newer hardware tokens shown here) and make their products easier to integrate with custom corporate and public SaaS applications. That is the good news.

The bad news is twofold, and you can read my latest update for CSOonline on MFA trends here to find out more about how this market has evolved.

One of the things that I like about our hyperconnected world is how easy it is to virtually attend just about any tech conference. Most conferences today have streamed or recorded sessions that are well indexed and of high enough quality. Today’s post is about a session at the RSA Singapore conference in July. Before I talk about that, let me discuss why I think Singapore is so important for IT security professionals.

I have been interested in the island nation since I gave a talk there more than 20 years ago. Back then I saw the beginnings of where the country could go with playing a key role in IT. My audience had folks who spoke more than a dozen different languages and who came from almost as many nearby countries. Since then, Singapore has invested big-time in its IT development, particular with respect to smart city technologies: this is its fifth year of a series of major investments that include improving commutes, digital payments and secure identities. This year, the country will spend more than an additional US$1B in new smart city enhancements.

Part of these expenditures is in how the country has taken a page from the Israeli playbook. The nation has created various cybersecurity programs that are coming from a number of directions. For example, this summer it launched its third bug bounty program to improve its various digital services. And the government has helped to encourage startups with the incubator Innovation Cybersecurity Ecosystem@Block71, a partnership between the government, private investors and its National University. These government initiatives have encouraged others: in the past year, both BT and Cisco have opened up offices there to conduct research and support their southeast Asian customers.

Let’s turn to the RSA conference session that was led by President Rohit Ghai and covered issues on smart cities, privacy, and digital transformation by three panelists:

• Vishal Salvi, the CISO for InfoSys, a private cybersecurity consultancy based in India,
• Aswami Ariffin, Sr. Vice President of the Malaysian Cybersecurity Responsive Services Division, and
• Andrew Woodward, the Executive Dean at the School of Science at Edith Cowan University in Perth Australia

This panel is typical of the role that Singapore plays in that part of the world. It shows the diversity of nationalities and stakeholders that have to be assembled for successful cybersecurity solutions. If you watch the recorded video, you will first hear this panel express their concern about the cybersecurity toll that companies doing business in smart cities will have to deal with. Aswami Ariffin thinks that “we are opening the cyber floodgates with smart city implementations. We have to better understand the risks involved and make sure we have the right solutions.” He suggests that businesses look to partner and work collaboratively with government and communicate with the right stakeholders. Vishal Salvi pointed out that different industries have different cybersecurity implications when it comes to smart cities, both in terms of data risk and operations. “This could change conversations for their boards of directors, both in terms of basic cyber hygiene and infrastructure protection.”

When it comes to dealing with digital disruption, Andrew Woodward was concerned that many companies are still conducting business as it was done decades ago. “For many, their approach is still with a pre-digital mindset when it comes to risk management, with the justification that we have always done it a certain way.” Salvi mentioned that cybersecurity has always been behind IT innovation, particularly in the financial sector. “Now we have the sharing economy and connected cars where change happens in weeks, not months. This rate of change is putting pressure on CISOs and business owners to embed security while and where this change is happening. We have to provide agile solutions to support that transformation.” Ariffin gave his perspective for the appropriate role of government: “We don’t want to force businesses to create any white elephant projects. Our goal is to try to help private businesses over security hurdles and to educate them about other risks besides cybersecurity, such as with their operations and following regulations.” The Malaysian government has its Intelligence, Incidence and Investigation program as one of these activities.

Salvi mentions that cybersecurity should be front and center and set the foundation for any digital transformation future activities. But the price of doing nothing is also an issue. “Failing to do any digital transformation is the largest risk. You are looking at rapidly changing the foundations of your business models. We have to embed security in everything.”

Part of this challenge is when we empower users to take control over their data, it creates issues for security managers to protect this data and control appropriate access. “There is a tension between security and privacy, at some point we need a better balance,” said Salvi. “Eventually, the world will adopt better rights management and more common encryption methods.” Woodward said that this creates an “interesting tension with the drive to increase cybersecurity through regulation but we also want users to take control and be custodians of their own data.” This complicates how breach laws will be enacted and enforced, for example.

Given the dearth of qualified cybersecurity professionals worldwide, academia is rising to meeting these challenges by changing the way they are educating future cybersecurity workers. “The key is be able to work together with industry and government to address the right problems,” said Woodward. They have also reworked their curriculum and have created more online classes, even at the master’s level. “It isn’t one job for life anymore. We call them ‘conversion classes’ and they are designed for workers to become cybersecurity professionals in mid-career. Nowadays, students want on-demand classes with content-rich media and don’t want to attend lectures. It is all about reskilling and upskilling. We want our students to have hands-on experience when they graduate, so they are ready to join the workforce.” His reach goes beyond the traditional four-year degree too. “We have programs for elementary school students to get them to think about cybersecurity as a career.”

This panel could have taken place just about anywhere on the planet: cybersecurity challenges and solutions are truly universal.