FIR B2B podcast #148: The Changing Landscape of B2B Discussion Groups

Posted on by
Reply

A new report on social media usage by the channel by Jay McBain of Forrester Research finds that the groups people use and the way they use them is changing amid a 13.2%, 490 million-user surge in social media use in 2020.

The report lists major tech channel groups that both managed service providers and channel managers should know about for each social network. McBain’s informal research found that Facebook Groups have replaced LinkedIn as the place to talk tech. He claims many LinkedIn groups have become ghost towns overrun by spam. Half of his respondents to his survey were disappointed with engagement levels on the platform.

The report prompted me to realize that he belonged to more than 50 groups and couldn’t remember the last time he posted — or even clicked on content on any of them. McBain has identified more than 40 FaceBook Groups that IT folks should take a closer look at. 

One of the more important lessons of this research is that social media groups aren’t an ad medium but a way to engage potential partners on a grassroots level. Too often we both have seen plenty of spam or vendor posts that don’t really encourage discussion. The speed at which channel firms have apparently abandoned LinkedIn groups shows how quickly attitudes can change if group members don’t believe their needs are being respected.

McBain also reviewed several other social networks, some of which we hadn’t heard of. Up-and-comers include the audio- and app-oriented Clubhouse and Discord, which was originally for gamers but which has broadened its scope. McBain rates Twitter the second most popular spot for tech content, even though it really doesn’t have the community engagement tools to match Facebook or LinkedIn. And he advises B2B companies to keep an eye on Reddit, which had 52 million daily active users worldwide at the end of 2020, up 44% year-over-year.

Although the report is aimed at technology channel companies, it’s a useful way for any B2B marketer to take a fresh look at the social groups you use to get your message across.

You can listen to our 14 min. podcast here:

Avast blog: How the National Guard trains its cyber soldiers

Posted on by
Reply

Earlier this month, I had the unique opportunity to observe the National Guard conduct its cybersecurity exercises at Cyber Shield 21. This is perhaps the largest training effort of its kind, with more than 800 people across the U.S. taking part. It uses a series of real-world threats to train its “cyber warriors”. For the first time, the Guard took advantage of a virtual cyber range that the Department of Defense developed with more than a dozen contractors. It was an interesting experience, and it busted a few of my long-held myths about our military and demonstrated the value of public-private partnerships.  It was inspiring to see so many dedicated men and women who are willing to give so much time to support this effort, year after year.

You can read my full report for Avast’s blog here.

CSOonline: Mitre’s D3FEND explained

Posted on by
Reply

Mitre has created the D3FEND matrix to explain terminology of defensive cybersecurity techniques and how they relate to offensive methods. It is a common language to help cyber defenders share strategies and methods. It is a companion project to the company’s ATT&CK framework.

The goal is to figure out if vendors are using different ways to try to solve the same problem, such as verifying a particular (and potentially malicious) code segment. D3FEND could help IT managers find functional overlap in their current security product portfolios and guide any changes in their investments in a particular functional area, as well to help make them better defensive decisions to project their cyber infrastructure.

You can read more about Mitre’s D3FEND and its promise here in a post for CSOonline.

Nok Nok blog: 10 Years Later – How Nok Nok Labs brought about a change in strong and passwordless authentication

Posted on by
Reply

Nok Nok Labs came into being, a decade ago and is having its’ moment in the spotlight. The company has seen the FIDO standards become adopted around the globe, in some cases with very large scalable deployments that involve millions of end users and sold more than 500M key pairs. Along with helping to assemble the beginnings of the FIDO Alliance, Nok Nok engineers were co-creators of this now well-established set of authentication standards and have continued to innovate (with 50 patents filed), integrate and improve upon them in the past decade.

They are now one of the leaders in providing passwordless authentication, which now signifies a bona fide market segment, all thanks to FIDO protocols which make it easier for companies to transition, deploy, and manage a more secure solution that is focused on stronger security and privacy.

You can read my post on Nok Nok’s blog here.

Avast blog: Understanding the Pegasus project

Posted on by
Reply

Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth. In this blog post for Avast, I explain the collaboration, link to various media reports about what they found out, and ways that you can protect yourself — although the chances that you will become a target of this spyware are pretty slim.

Frontline, the PBS documentary, has put together a two part series on what the journalists working on the project found in January 2023.

Avast blog: Enhancing threat intelligence using STIX and TAXII standards

Posted on by
Reply

For many years, cybersecurity companies have invested in building sensor networks and detection capabilities to build a greater understanding of adversaries’ tactics, ever-changing techniques, and the threats posed to the world’s internet community.

One of the critical foundations of protecting all uses of the internet is for the security defenders to better understand what malicious activities look like and how to stop them. With that backstory of gaining greater insight, many security companies must not only understand their own data but also learn and share with others doing the same.

In my latest blog post for Avast, I take a closer look at two threat data sharing standards, STIX and TAXII.

It is 2021. Stop running your IT like it is 2019.

Posted on by
3

I had a moment to catch up with a friend of mine, Adam, who is an IT director for a DC-based global trade association. Adam and I go way back — so far back that I was present when we turned off a small IBM mainframe in favor of a Novell LAN back in 1995. Those were the days.: that machine had 16 MB RAM and 7.5 GB of disk. My watch has more than that.

Adam has been working remotely for the past 18 months, and actually had to manage to move his office to a new location and plan for the eventual return to the new place.

He told me that “working in the office is so 2019, it is time to start thinking of the future and assume that many people won’t be in their offices full-time. Why do you have to use a domain controller and a VPN when you should be preparing for a virtual environment, whether or not you actually need one?” Good questions.

He used the pandemic as an opportunity to throw some gas on technology changes that he wanted to make happen. “Only instead of taking five years, we managed to do this in a little over a year. The pandemic was a great accelerant to adopting new cloud-based technologies.”

His core IT stack is Microsoft-based, including five critical technologies: Teams, Azure AD, Defender ATP, Intune and Autopilot.

Early on, the focus was on Teams Chat and Video Conferencing as well as migrating an old fashioned file server to Teams/SharePoint. Before the pandemic, Adam was begging staff to abandon audio-conferencing and switch to Teams for internal and external scheduled calls. Then in March 2020 the association had its first remote all-hands meeting via Teams. Over 50 staff joined the call and it went flawlessly. After that first call Teams adoption soared. 

Adam then switched his focus to move the association’s endpoints to Azure Active Directory. In the future, Autopilot, for example, will make it easier to drop ship a new computer and have it onboarded without anyone from IT actually laying their hands on it. Think of it as touchless installation. “The potential is that we can deliver most of our apps without ever seeing the PC.” Remember when IT used disk imaging tools to set up new PCs? That has gone the way of those IBM mainframes.

“Before the pandemic, we did patch management of our endpoints based on the machine being in our office, where they could physically talk to the WSUS server. All of a sudden, that premise-based connection was severed. In the future, we hope to decommission our on-premises Domain Controllers and run all IT infrastructure in Azure AD. The only server left will be a NAS with 8TB of video, audio and photos. It is just too much to put into the cloud at this time.”

Migrating from Active Directory to Azure AD isn’t simple, and their MSP, DelCor, is helping with the back-end transition. Adam and his staff are touching each endpoint themselves. The goal is to make it easier to manage their endpoints, whether they are in an office or dispersed in the homes of staff worldwide. “Companies that still have their AD controllers in a closet someplace should put migrating to a cloud based directory system, whether Azure AD or some other flavor, on their roadmap.” 

For an MFA security solution, his MSP insisted on using Duo’s MFA. “It made their jobs – and mine – much easier, and much more secure.”

As Adam’s team migrates users to Azure AD and Defender ATP, the IT Team is getting better visibility into the threat assessment of each endpoint. “IT directors are in a war, and we have to be continually improving our infrastructure and security footprint. Let’s face it, the most dangerous virus is the one you don’t know about that has been living on your network for months.”

Adam is using the paid Defender ATP license and replacing his Trend Micro AV installation, so he can get a single management screen to see which of his users’ PCs are in need of security updates. “Gone are the days of Windows 10 being stuck in the 2019 release.”

Adam is just a microcosm of the sea changes that IT is going through these days. Whether you are returning to your office or have adopted some hybrid solution, you might want to take a look at what you can to manage more remote workers.

Linode blog: Guides to improving app security

Posted on by
Reply

I have written a series of blog posts to help developers improve their security posture.

Thanks to Covid challenges, there is a more complicated business environment and a higher collection of risks. Supply chains are more stressed, component transportation is more complex, and new software is needed to manage these changes. Businesses have more complex compliance requirements, which also ups the risk ante, especially if they run afoul of regulations or experience a data breach. Attackers are more clever at penetrating corporate networks with stealthier methods that often go without any detection for weeks or months.

Cybersecurity continues to be a challenge as adversaries come up with new and innovative ways to penetrate computer networks and steal data. One of the more popular attack methods is ransomware. There are tools to defend yourself against potential attack and techniques to strengthen your computer security posture. In this post, I describe how these attacks happen, what you can do to defend yourself and how to prevent future attacks.

The days where software developers wrote their application code in isolation of any security implications are over. Applications are exploited every minute of the day, thanks to the internet that connects them to any hacker around the planet. Application security doesn’t have to be overwhelming: there are dozens if not hundreds of tools to help you improve your security posture, prevent exploits, and reduce configuration errors that let bad actors gain unauthorized access to your network. In this post, I review the different kinds of appsec tools and best practices to improve your security posture.

Security starts with having a well-protected network. This means keeping intruders out, and continuously scanning for potential breaches and flagging attempted compromises. Sadly, there is no single product that will protect everything, but the good news is that over the years a number of specialized tools have been developed to help you protect your enterprise network. Your burden is to ensure that there are no gaps in between these various tools, and that you have covered all the important bases to keep your network secure and protect yourself against potential harm from cyber criminals. New security threats happen daily as attackers target your business, make use of inexpensive services designed to uncover weaknesses across your network or in the many online services that you use to run your business. In this post, I review the different types of tools, point out the typical vendors who supply them and why they are useful to protect your network.

As developers release their code more quickly, security threats have become more complex, more difficult to find, and more potent in their potential damage to your networks, your data, and your corporate reputation. Balancing these two megatrends isn’t easy. While developers are making an effort to improve the security of their code earlier in the software life cycle, what one blogger on Twilio has called “shifting left,” there is still plenty of room for improvement. In this guide, I describe what are some of the motivations needed to better protect your code.

Many developers are moving “left” towards the earliest possible moment in the application development life cycle to ensure the most secure code. This guide discusses ways to approach coding your app more critically. It also outlines some of the more common security weaknesses and coding errors that could lead to subsequent problems. In this post, I look at how SQL injection and cross-site scripting attacks happens and what you can do to prevent each of them.

Application security testing products come in two basic groups and you need more than one. The umbrella groups: testing and shielding. The former run various automated and manual tests on your code to identify security weaknesses. The application shielding products are used to harden your apps to make attacks more difficult to implement. These products go beyond the testing process and are used to be more proactive in your protection and flag bad spots as you write the code within your development environment. This guide delves into the differences between the tools and reviews and recommends a series of application security testing products.

 

 

Infosec Institute blog: How to design the best cybersecurity training program for your enterprise

Posted on by
Reply

One of the best ways to retain your staff is to invest in their further education and what is now called upskilling. But corporate skills training often has a hard time getting the respect that it deserves. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers.

In my blog post for the Infosec Institute, I look at how to determine the return on any training investment and how to design the right program that fits your particular needs, whether it uses public college-style courseware or a curriculum that you develop yourself.

 

Can AI help you get your next job?

Posted on by
2

There is an increasing number of AI-based tools that are being used in the hiring and HR process. I am not sure whether this is a benefit to job seekers and to the employment business. Certainly, there are plenty of horror stories, such as this selection from 2020’s most significant AI-based failures such as deepfake bots, biased predictions of pre-criminal intent, and so forth. (And this study by Pew is also worth reading.)

I would argue that AI has more of a PR than HR problem, with the mother lode being traced back to the Terminator movies and Minority Report, with Asimov’s Three Laws of Robotics thrown in for good measure. In a post that I did for Avast’s blog last fall, I examined some of the ethical and bias issues around AI. Part of the issue is that we still need to encode human judgment into some digital form. And people aren’t as consistent as machines — which sometimes is a useful thing. I will give you an example at the end of this post.

But let’s examine what is going on with HR-related AI. In a study done last year by HRExaminer, identified a dozen hiring-based AI tools, with half of them focusing on the recruiting function. I would urge you to examine this list and see if any of them are being used at your workplace, or as part of your own job search and hiring process.

One of the ones on the list is HiredScore, which offers an all-purpose HR solution using various AI methods to rank potential job candidates, recommend internal employees for open positions, and measure inclusion and diversity. That is a lot of places where the doomsday “Skynet” scenario of the machines taking over could happen, and is probably one of the few plot lines that Philip K. Dick never anticipated. Still, the company claims they have trained their machine learning algorithms with more than 25M resumes and twice as many job postings.

There are other niche products, such as Xref’s online reference checking or the testing prowess of TestGorilla. The latter offers a library of more than 135 “scientifically validated tests” for job-specific skills like coding or digital marketing, as well as more general skills like critical thinking. That one struck another nerve for me. The reason I put that phrase in quotes is because I can’t validate its claim.

As many of you who have followed my work have found out, my first job in publishing was working for PC Week when it was part of the Ziff Davis corporation. ZD had a rule that required every potential hire to submit to a personality test before getting a job offer. I have no recollection of the actual test questions all these years later, but obviously I passed and so began my writing career.

In the modern era, we now have vendors that use AI tools to help screen applicants.  I am not sure I would have passed these tests if ZD had them available back in the day. That doesn’t make me feel better about using AI to help assist in this process.

Let me give you a final example. When I went to visit my daughter last month, I was given a specific time period that I was allowed to enter Israel. Only it wasn’t specific: the approval was granted for “two weeks” but not starting from any specific time of day. I interpreted it one way. The German gate agents at Frankfort interpreted another way. Ultimately, the Israeli authorities at the airport agreed with my point of view and let me board my final flight. If a machine had screened me, I would have probably not been allowed to enter Israel.

In my post for Avast’s blog last year, I mention several issues surrounding bias: in the diversity of the programming team creating the algorithms, in understanding the difference between causation and correlation, and in interpreting the implied ethical standards of the actual algorithms themselves. These are all tricky issues, and made even more so when you are deciding on the fate of potential job applicants. Proceed with caution.