Dark Reading: NIST’s Vuln Database Downshifts, Prompting Questions About Its Future

Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination. Since then, the details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers have been omitted from NVD entries. My story in Dark Reading tells this sad tale.

A voyage of personal discovery set in the high Sierra town of Cerro Gordo


One of my guilty pleasures has been watching the videos of Brent Underwood, a 30-something dreamer who for the past four years has been living in the high Sierra ghost town of Cerro Gordo and filming a series of videos for his YouTube channel. There is now a book that he wrote about his experiences.

I am a big fan of what he is doing, not that I would want to uproot my very comfortable life in St. Louis and move to a place where there is hardly any running water, and where you are at the mercy of massive weather systems that can flood or block a tortuous eight-mile dirt road for days at a time. It is a place that is a study in contrasts: at one point, the town’s mines created great wealth by extracting silver, zinc and lead deposits, yet like Ozymandias, very little remains of the town apart from numerous abandoned buildings and lots of memories of the thousands of its former inhabitants.

What resonates with me about Underwood’s personal journey is that he is very honest and articulate about his experiences. The book captures more of his philosophies and musings about human nature. These don’t really come across in the video episodes, which usually center on various construction challenges or averting near-disasters as he is snowed in, flooded out, or at the mercy of contractors who decide not to show up for a promised work session.

Some of these events have been heart-breaking. The old American Hotel, once a centerpiece of the town, burned down at the height of the Covid pandemic. Rebuilding it has required immense quantities of concrete, steel, lumber and water that needed to be trucked up that dirt mountain road and put in place with dozens of volunteers who came to help out the effort. The floods that hit Death Valley also took out the town’s access road not once but twice in quick succession, as the road follows what is normally a dry wash through the mountains and was transformed into a raging river. And the town’s main water source is a creaky Rube Goldberg collection of antique spare parts that is connected 700 feet below ground inside one of the mine’s tunnels. Any one of these things would have sent a normal person heading back down the mountain to seek some less challenging life, but Underwood persists in his quest to bring the town into the modern era.

Underwood often gives himself various challenges: how to operate a backhoe, how to refine silver from the raw ore-bearing rocks he digs out of his mine, how to build a deck from scrap 140-year-old wood that has been exposed to the elements, how to create a successful video series. “Mastery comes from learning a variety of skill sets and combining them in a way nobody else can,” he writes in his book, a theme that I realize I also live in my own, somewhat less frantic life. “I was learning what I loved and learning how to make a living doing that.”

One of the main characters in the book is an elder named Tip who has a great deal of knowledge of local lore and takes Underwood under his wing to share his perspective. Along the way, Tip helps him unlock many of the secrets of the town and its environs, and helps him learn more about himself in the process. Their relationship is astounding, given that many of the lessons learned happen on the steep cliff sides of the Sierras and hundreds of feet underground as they try to navigate the century-old caverns and tunnels.

Tip is taciturn and dying of cancer, but his Jedi wisdom seems to be delivered to Underwood at just the right moments, when it can be appreciated and when he can learn some important lessons. But unlike the plot lines of numerous movies, this is real life, writ large at 8000 feet.

Dark Reading: 5 Ways CISOs Can Navigate Their New Business Role

CISOs can successfully make their business operations more secure and play a larger role in the organization’s overall strategy, but there are pitfalls to avoid.

According to Forrester’s recent security program recommendations report, “the eyes of the world are on CISOs — but not in a good way. There is now a long list of sacrificial CISOs who have either been fired or left due to disagreements with their firms.”

Navigating what comes next isn’t easy, but my post today for Dark Reading offers five takeaways from Forrester’s analysis that might help identify some pathways to success.

Forget TikTok bans. Think about connected Chinese cars.

This week our Congress is crafting legislation to remove TikTok from our lives. It is as misplaced as Nancy Reagan’s “Just Say No to Drugs” campaign — and perhaps as empty a gesture. Yes, there are real issues with all that social media metadata ending up on some Chinese hard drive, and the notion that ByteDance can separate its US operations and clouds from Chinese ones shows how little our lawmakers understand technology.

Instead, I would like you to think about the following companies: Nio, Inceptio, XPeng and Zeekr. Ever heard of any of them? They are all major Chinese EV companies, and all of them pose a much bigger threat to our data privacy and national security than TikTok. By way of reference, China has hundreds of car makers, and they are all obligated to transmit real-time data to their government. Now they want to sell their cars here and are doing road tests.

Last fall, another bipartisan group of lawmakers sent letters to these and other Chinese EV makers, wanting to get more transparency about the data they collect on their cars. I haven’t seen the responses, but I guess the truthful answer is “we collect a lot of stuff that we aren’t going to tell you about, and we have to share it with the CCP.”

Last week, the Commerce Department issued its own request and asked for public comments as part of its role in considering its own series of regulations. The department is investigating the risks of EV and other connected vehicles to national security and the potential supply chain impacts of these technologies. Interestingly, it is finally acting on a Trump Executive Order. Another bipartisan effort. The document linked above asks for a lot of details about obvious data collection methods. If I were running a Chinese car company, I would think about designing systems that would be less obvious. One of the things these Chinese car makers are quickly learning is how to become better software companies, thanks to the Tesla business model. (Tesla also makes and sells its cars in China, BTW.)

While there are hundreds of millions of US TikTok users, some of whom are adults, the threat from car metadata is much more pernicious, especially when it could be paired with phone location data from passengers sitting in the same vehicle. What they both have in common is that all this data is being collected without the user’s knowledge, consent, or understanding of who is actually collecting it.

Those phones have been recording our movements for quite some time, without any help from China. There are so many stories about tracking the jogging routes of US service members at foreign military bases, or tracking a spouse’s movements, or figuring out where CIA employees stop for lunchtime assignations near Langley, etc. But that pales in comparison to what a bunch of CPUs and scanners sitting under the hood can accomplish on their own.

Remember war driving? That term referred to someone in a car with a Wi-Fi scanner who could hack into a nearby open network. That seems so quaint now that a car could be doing all the work without the need for an actual human occupant. I guess I will go back to watching a few Taylor vids on TikTok, at least until the app is removed by Congress. In the meantime, you might want to review your own location services settings on your phones.

Dark Reading: Typosquatting Wave Shows No Signs of Abating

A spate of recent typosquatting attacks shows the scourge of this type of attack is still very much with us, even after decades of cyber defender experience with it.

Ever since the Internet became a commercial entity, hackers have been using it to impersonate businesses through a variety of clever means. And one of the most enduring of these exploits is the practice of typosquatting — i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. In my latest post for Dark Reading, I talk about the recent series of attacks, why they continue to persist, and ways that enterprise security managers can try to prevent them from happening, although the fight isn’t an easy one.


Dark Reading: NSA’s Zero-Trust Guidelines Focus on Segmentation

Zero trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of these measures.

As businesses shift more workloads to the cloud, there is more need to adopt zero trust computing strategies. But the notion of “untrusted until verified” is still slow to catch on, although in some areas of the world, such as the United Arab Emirates, zero trust adoption is accelerating.

To try to bridge the gap between desire and implementation and also provide a more concrete roadmap towards zero trust adoption, the US National Security Agency has been publishing a series of guidelines over the past few years, covering device protection and user access. The latest one was released this week concerning network security.

My story on what this means for zero trust is in Dark Reading today, and it can be found here.


Dark Reading: How CISA Fights Cyber Threats During Election Primary Season

After US election integrity and security took center stage as a political football following the 2020 Presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is doing what it can to dispel security concerns around this year’s trip to the polls.

CISA, along with several other organizations, has beefed up various cybersecurity support resources for elections in general, including more programs for state and local elections officials and for volunteer poll workers. In my post for Dark Reading today, I describe some of these efforts and explain the unique combination of cyber and physical security needed to ensure our democracy continues with free and fair elections.

When it Comes to Cybersecurity Practice, Don’t Be Okta.

I have written about Okta for many years, back when they were an upstart single-sign-on security vendor coming of age in the era of cloud access and identity. By way of perspective, back in 2012 (when I wrote my first Network World review, giving them high marks for their product), most of Okta’s competitors offered on-premises servers and the cloud was more of a curiosity than a sure bet. That seems very quaint by today’s standards, when the cloud is a foregone conclusion.

However, you can count me now as one of their detractors. This is why my hed says when it comes to cybersec practice, don’t be Okta.

Let’s look at the timeline over the past couple of years. During 2022 alone, they experienced a phishing attack, another major breach, and had their GitHub source code stolen. Then last year they saw two separate supply chain attacks that affected most of their customers, along with leaked healthcare data on almost five thousand of their employees. And last fall yet another attack on MGM and Caesars resorts was blamed on a flaw in their software. It is almost too hard to keep track, and I can’t guarantee that I got all of them.

Some of these attacks were due to clever social engineering, which is embarrassing for a cybersec company to fall into. Now, all of us can have some sympathy over being so compromised, and I know I have almost fallen for this trick, particularly when it comes in the form of a rando text message that asks how I am doing or something that appears innocent. But still: Don’t Be Okta. Spend less time multitasking, particularly when you are on your phone, and focus on every message, email, and communication that you receive to ensure that you aren’t about to play into some hacker’s hands. Pay attention!

Some of these attacks were due to bugs in how Okta set up their software supply chain, or poor identity provisioning, or a combination of things. Okta’s CSO David Bradbury was interviewed over the weekend and promised to do better, rolling out various security controls in an announcement last week. That’s great, but why has it taken so long?

One weakness that was repeatedly exploited by attackers was Okta’s lack of attention when it came to provisioning admin-level users. They are now making MFA required for all customer admin consoles. They are also requiring passwordless access for all internal employees. It has taken them, what, 15 years and multiple hacks to figure this out? Neither of these things is a heavy lift, yet I still talk to many folks who should know better who have resisted implementing these tools to protect their personal account logins. Don’t Be Okta!

How about better and more transparent breach reporting? For some of those supply chain attacks, it took months to figure out the depth, nature, and cause — and then for Okta to properly notify its customers. As an example, the September attack was initially estimated to impact one percent of its customers, before being revised to 100%. Oopsie. That doesn’t bode well for having a trusted relationship with your customers. The EU requires breach notification in two days. Was someone asleep, or was management at fault for taking its sweet time getting the word out?

Buried in all the good cheery messaging from last week was this little tidbit: “As more features are rolled out in early access mode, the company intends to turn the controls deemed most beneficial on by default.” Ruh-oh. Turn them all on by default, right now! You want security by design?

Bradbury ironically admitted that security has never been a value historically for the company, and claims that almost half of their engineers are now working on security, apart from an actual security team. Just adding bodies isn’t necessarily the right move. Everyone needs to be focused on security, so I ask what are the other half of the devs doing that gives them a pass?

This isn’t the way forward. Don’t Be Okta! Take a closer look at your own security practices, and ensure that you have learned from their mistakes.

Dark Reading: Biometrics Regulation Heats Up, Portending Compliance Headaches

This year might be a boon for biometric privacy legislation. The topic is heating up and lies at the intersection of four trends: increasing artificial intelligence (AI)-based threats, growing biometric usage by businesses, anticipated new state-level privacy legislation, and a new executive order issued by President Biden this week that includes biometric privacy protections.

But things could backfire: A growing thicket of privacy laws regulating biometrics is aimed at protecting consumers amid increasing cloud breaches and AI-created deepfakes. But for businesses that handle biometric data, staying compliant is easier said than done. I explore the issues surrounding implementing and regulating biometrics in a post for Dark Reading today.

The coming dark times for tech won’t be anything like the 2000s

My former colleague Dave Vellante has written a nice comparison of the current tech contraction with the dot-com bust of 2000. He makes interesting points about several factors, such as the roles played by Netscape and OpenAI as innovators and Nvidia and Cisco as major players, the stock market bubbles, and the risks and rewards along the way. However, he is missing one critical element: the population of tech workers has been shrinking and the pace of the layoffs is increasing. And the way people were laid off then and now has some big differences.

Granted, back in 1999-2000 there were fewer overall tech workers (as an example, Microsoft went from around 40k staff in 2000 to 200k today, and Amazon grew from a few thousand to more than 1M), and many of the tech companies were small, in some cases very small. The big difference between then and now is the pace of the layoffs. Back then, they happened quickly. Now, tech companies have been laying off workers since the pandemic, and in much bigger numbers by comparison.

In the past few years there have been several rounds of layoffs at Spotify, ByteDance, Amazon, Twilio, LinkedIn, SecureWorks, Microsoft, Meta, and Twitter, which added tens of thousands to the unemployment lines. And sure, there are plenty of startups that even got their series A’s and went under in the past couple of years — that is to be expected. But the contemporary situations are at established companies that are having their first serious contractions.

Will some of these folks start their own companies? Sure. But tens of thousands? Not so sure.

But part of the problem — perhaps most of the problem, apart from the lower business demand in the tech sector — is the way we all are returning to work in the spaces previously known as our offices. Back when we were in the midst of the pandemic, remote work took on new relevance and meaning, and caught on quickly around the world in many different ways, some good and some bad. Take Slack, for example: they went 100% remote back in 2020. Other tech companies, such as Google, were less enthusiastic. And what I have seen is that these less enthusiastic companies were some of the first to revoke home-working policies and mandate that people return to one of their offices.

Early on in the pandemic, I put together this pod with my partner Paul Gillin about some things to consider for the newly minted home worker. Those were more practical suggestions on what equipment to purchase and how to best secure your home. For a somewhat different treatment, I wrote this blog for Avast on how to craft equitable policies to encourage and evaluate home workers. Those pieces seem rather quaint now, and they assumed that once all this remote stuff was unleashed, we would stay that way.

That is not the case anymore. Four years later, many tech workers are being told to return to their offices. And the changes are confusing as companies try to adjust and populate their expensive downtown real estate. This makes no sense to me, and the latest dictums from Dell (for example) are guaranteed to make them lose more people, which could be the hidden reason for them. It is almost as if we forgot the productivity gains during Covid when people worked from home. Or companies were eager to see their workforce sitting in those awful bullpens where everyone was on headsets.

The return to the office says one thing about tech: companies have done a lousy job at developing middle managers, who are insecure about handling underlings that they can’t see or be physically near. It really is a shame: all this remote access tooling has been developed over the decades, and the one group of companies that you would think would figure this out are the first in line to recall their staffs.

Also gone from today’s tech offices are some of the lavish benefits that were put in place to attract talent. Is anyone getting free massages, catered meals and taking yoga classes these days? It would be an interesting cohort for some research project.

Finally, there is my own cohort — tech journalists, who are being laid off once again in this latest cycle. The difference between now and 20-some years ago is that back then we had printed magazines supported by millions in ad revenues to pay the way. Then the web wiped out that business model, and giants such as PC Week and Infoworld went scrambling. Some of the large tech-oriented websites such as Vice have shut down, and I am sure more will follow.

Yes, AI is exciting, and there is a lot of work being done — even by humans — in the field. But it requires real capital and real brainpower, and not just sock puppets and a cute dot com name. Or at least, I hope so. And build trust with your remote employees: the best ones will eventually migrate to companies with more liberal remote policies.