ESG just published a new research report titled, Cybersecurity Analytics and Operations in Transition, based upon a survey of 412 cybersecurity and IT professionals working at large mid-market (i.e. 500 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations in North America and Western Europe (note:  I am an ESG employee). 

The data is quite interesting to say the least so look for lots of blogs from me over the next few weeks on a myriad of security operations topics we covered in this project.  Furthermore, my esteemed colleague Doug Cahill and I are hosting a webinar this Wednesday, July 19, feel free to attend, more details can be found here. 

To read this article in full or to leave a comment, please click here

“AI is a fundamental, existential risk for human civilization,” Tesla and Space X CEO Elon Musk said at the National Governors Association summer meeting. He doesn’t think people “fully appreciate that.” AI and a possible robot apocalypse is just one topic covered by Musk, and we’ll get back to that; but since a Tesla is “like a laptop on wheels,” Musk also talked about his top cybersecurity concern: a fleet-wide hack of Teslas.

“I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack,” Musk said in response to a question from North Dakota Governor Doug Burgum. “In principle, if somebody was able to hack, say, all of the autonomous Teslas, they could, say—I mean just as a prank—they could say like ‘send them all to Rhode Island’ from across the United States. And that would be like, well OK, that would be the end of Tesla. And there would be a lot of angry people in Rhode Island, that’s for sure.”

To read this article in full or to leave a comment, please click here

Here's a device any gamer or video enthusiast may want to have on hand. Connect a game console, DVD, or any video source to this gadget via its HDMI input, and with the push of a button it captures and saves the video stream to any attached USB flash drive, with no PC required. Advanced hardware H.264 encoding captures your live gameplay or video playback in 1080p Full HD, while keeping the file size low and capturing speeds high. Averaging 4 out of 5 stars on Amazon from over 170 customers (read reviews), the gadget's $129.99 list price has been reduced 23% to $99.99. With the unit you'll get a free 16gb USB stick to get you started (enough for several hours of video). See the discounted cloner box now on Amazon.

To read this article in full or to leave a comment, please click here

For extreme conditions, this phone pouch features a simple snap and lock design that easily keeps out water, snow, dust, sand, and dirt, without hindering use of touch-screen or camera. It fits all large smartphones up to 6 inches, as well as your cash, documents, credit cards, or any similar sized items you need safe from the elements while outdoors. The 2-pack's typical list price of $16.99 has been reduced 47% right now to $8.99. See this deal on Amazon.

To read this article in full or to leave a comment, please click here

 As the Internet and Digital Economy have grown up, the humble Firewall has continued to serve as their go-to security appliance. In this first of a two-part series, we will examine how, in spite of the evolution of the Firewall through a number of shapes, functions, and roles, it remains the security foundation for implementing the strategic pillars of Segmentation, Access Control, and Real-time analytics/action now and into the future.

Change is a fact of life; what doesn’t change usually withers and dies. This is true for both the biological and the digital world. Generally, we make leaps forward because of one or more of the following: 

To read this article in full or to leave a comment, please click here

I recently wrote an article for CSOonline about the security of IoT.  Although primarily about the use of the MQTT protocol, it applies to general security considerations of IoT connectivity.  I received one strong rebuttal by an IBM developer, claiming that I overstated the risk.  I welcome any professional feedback on my positions on any security challenge.  Since this rebuttal was in Twitter, I decided to respond here where I have more than 140 words available.

Summary of argument

First, the OASIS standard MQTT protocol is not secure by itself.  Any implementation requires TLS or other means to secure sessions.  Further, it does not require devices to authenticate to servers.  Does this make all implementations of MQTT unsafe?  No.  Are there many organizations using MQTT or other messaging protocol unsecurely?  Yes.  A Google search provides many examples, so I won’t try to list them here.

To read this article in full or to leave a comment, please click here

Hoover’s List

The FBI’s ‘Ten Most Wanted List’ was born in 1950, after a conversation between legendary Director J. Edgar Hoover and William Kinsey Hutchinson, the editor in chief of what became United Press International.  A published article the year before detailing Hoover’s most wanted ‘bad guys’ garnered so much positive publicity the Bureau created the list in response.

Contrary to popular legend, the list is not ranked.  As fugitives are caught, die, or their charges are dropped, they move up and down the list.  (Disappointingly, there isn’t really a ‘Number One on the FBI’s Most Wanted List’.)  And for nearly five decades that’s how the program worked. 

To read this article in full or to leave a comment, please click here

Most people do not understand gamification, and inevitably vendors and people misuse the term and overuse it inappropriately. Gamification is essentially rewarding people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game.

There are four required characteristics of a gamification program:

1. A defined goal with defined rewards
2. Well established rules on how to achieve the goal and rewards
3. Feedback as to where people stand in achieving the goals.
4. Voluntary participation

Pokemon Go demonstrates all of these traits and demonstrates what you should be looking for when vendors or your staff describe their gamification efforts.

To read this article in full or to leave a comment, please click here

Retail sales and truck driving are two of the most common jobs in America. They are also jobs that may eventually be automated. That's why David Delmar, executive director and founder of Resilient Coders, said, "Coding is the new blue-collar job."

Accepting that reality, though, means that a lot has to change about how we educate kids. Yet, "For most states and school districts, the notion of computer science for every student is a relatively new and unexplored topic," according to Code.org. 

Even though there are currently 530,472 open computing jobs nationwide, only 42,969 computer science students graduated into the workforce last year.

To read this article in full or to leave a comment, please click here

When it comes to hiring, enterprise security teams can use all of the help that they can rally. When hiring entry-level talent, that’s not as easy as it may seem — many times because entry-level applicants don’t do everything they could to help their cause.

For years a dearth of young professionals interested in cybersecurity has existed, but that could be changing for the better. This is both good news and bad news for cybersecurity job seekers. While the competition for these positions will be heating up (bad news), the good news (for job applicants, anyway) is that number of openings remains vast. According to the Global Information Security Workforce Study, the cybersecurity talent skills shortage remains stark. By 2022, there will be a 1.8 million worker shortage – a 20 percent increase since 2015, this Frost & Sullivan for the Center for Cyber Safety and Education survey predicts.

To read this article in full or to leave a comment, please click here

The White House more or less doxed citizens, who took the time to submit feedback to the Presidential Advisory Commission on Election Integrity, by publishing 112 pages (pdf) of public comments without first redacting any personal information; some of the emailed comments were outraged, some commenters dropped f-bombs, one sent goatse, but they were published in full, including those that showed citizens’ “email addresses, home addresses and phone numbers.”

To read this article in full or to leave a comment, please click here

Last month Citi Private Bank released a white paper focused on the growing cybersecurity threat and its relevance to Family Offices. The white paper surveyed information security experts in and outside of Citi to provide a comprehensive guide on a topic of high interest to Family Offices. The full white paper can be accessed on the Citi Private Bank website here. 

To read this article in full or to leave a comment, please click here

Big data, as its proponents have been saying for nearly a decade now, can bring big benefits: advertisements focused on what you actually want to buy, smart cars that can help you avoid collisions or call for an ambulance if you happen to get in one anyway, wearable or implantable devices that can monitor your health and notify your doctor if something is going wrong. 

It can also lead to big privacy problems. By now it is glaringly obvious that when people generate thousands of data points every day — where they go, who they communicate with, what they read and write, what they buy, what they eat, what they watch, how much they exercise, how much they sleep and more — they are vulnerable to exposure in ways unimaginable a generation ago. 

To read this article in full or to leave a comment, please click here

This sport camera is a budget-friendly alternative to GoPro. It averages 4.5 out of 5 stars from over 230 reviewers on Amazon, where Its list price of $100 is currently discounted 37% to just $64. Designed to be used for biking, hiking, diving, swimming, surfing, or anywhere else you could use a rugged, waterproof camera. The camera provides 4K/25FPS, 2.7K/30FPS, 1080P/60FPS, 1080P/30FPS and 720P/120FPS video resolution. Comes with a wireless remote, and 2 rechargeable batteries that provide up to 90 minutes of continuous filming each. See this deal on Amazon.

To read this article in full or to leave a comment, please click here

The short answer to the question posed in the headline is 'everyone': Every small business, midsized company, enterprise, and organization is fair game, especially in light of the recent WannaCry and Petya attacks (though the latter was an atypical ransomware example).

The long answer is more complicated. Your vulnerability to a ransomware attack can depend upon how attractive your data is to criminal hackers, how critical it is that you respond quickly to a ransom demand, how vulnerable your security is, and how vigorously you keep employees trained about phishing emails, among other factors.

To read this article in full or to leave a comment, please click here

The prevalence of automation is everywhere in our modern, tech-first culture and continuously on the rise — with good reason. Cybersecurity experts see vast amounts of data and countless attempted breaches, becoming literally overwhelmed and specifically because of two challenges: (1) effectively finding attacks hidden among billions of daily security events, (2) efficiently responding to those attacks in a timely manner.

These challenges are not being addressed and, in most SOCs, decades-old tools are used to do only a partial job. These tools are simple, rules-based systems and fundamentally limited in capabilities. For those testing new techniques, automation is consistently used at the wrong times and in the wrong ways. This leads to a rise in breaches and millions of unfilled security analyst positions.

To read this article in full or to leave a comment, please click here

The insecure implementation of the MQTT (Message Queue Telemetry Transport) protocol, an Oasis standard for IoT communication, by many IoT product vendors is contributing to the high risk of IoT devices on enterprise and home networks.  Although TLS is recommended by the Cloud Security Alliance for secure communication with MQTT, most vendors appear to ignore transport security, making all communication open and available.  Further, authentication is often ignored.

To read this article in full or to leave a comment, please click here

Chances are you’ve seen a similar image over the past several months.  Either on internal systems (hopefully not) or within the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences.  It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it’s not new.  Also, not new are the fundamental security building-blocks necessary to mitigate its impact or the fact that it represents a cyber risk.

What does seem new is the incredible amount of singular focus on these incidents around the ‘cyber watercooler’ that drowned out the broader discussion of the underlying principles comprising a solid cyber security program.  In addition, the tenor of the cyber risk discussion has seemingly changed as well, from an enterprise-level conversation to a single-point conversation.  Neither of these trends are positive.

To read this article in full or to leave a comment, please click here

With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

To read this article in full or to leave a comment, please click here

Traditional authentication solutions require a trade-off between security and usability, often deployed with a “one-size-fits-most” strategy. But today there’s a whole lot more at stake, so enterprises need more to effectively protect critical applications when delivering access in a world without boundaries. That “more” comes by way of risk mitigation.

By applying a risk-based approach to your authentication strategy with identity assurance, you can go beyond simple authentication approaches. You can deliver both security and convenience without sacrifice. Risk-based identity assurance is transforming multi-factor authentication from a simple yes/no decision or step-up process by adding intelligence to the decision of which access is granted in which situations.

To read this article in full or to leave a comment, please click here

This 3 port USB 3.0 hub converts any 9.5mm & 7mm 2.5-Inch SATA HDD/SSD into an external hard drive for ultimate mobility and convenience. Setup is tool free and easy to install and disassemble.  A built-in foam pad protects the hard disk. This device features automatic sleep and spin-down, and goes into sleep mode automatically after 10 minutes in idle state. Currently receiving 4.5 out of 5 stars on Amazon (read reviews), it's discounted by 48% down to just $21.99,  See it on Amazon.

To read this article in full or to leave a comment, please click here

Anker's highly rated SoundCore Bluetooth speaker's typical list price of $79.99 has been discounted 66% today to just $26.99 on Amazon, where it averages 4.6 out of 5 stars from over 7,500 reviewers (76% rate the full 5 stars: read reviews here). It features rich sound, a generous 24 hours of play time (500 continuous songs without needing a charge), Bluetooth 4.0 66-foot wireless range and a worry-free 18 month warranty. This deal is good for today only (7/13), so see it now on Amazon.

To read this article in full or to leave a comment, please click here

The cybersecurity talent shortage keeps getting worse. According to Cybersecurity Ventures, the cost of cybercrime will double from $3 trillion globally in 2015 to $6 trillion by 2021. Meanwhile, the number of open cybersecurity jobs will increase from 1 million in 2016 to 1.5 million by 2019.

Meanwhile, the scale and damage of the attacks continues to increase. According to Juniper Research, 2.8 billion customer data records are expected to be stolen this year, increasing to 5 billion by 2022. The total cost of ransomware attacks alone is estimated to reach $5 billion this year, according to Cybersecurity Ventures, up from $325 million in 2015.

To read this article in full or to leave a comment, please click here

Malware. Data theft. Ransomware. Everyone wants to know who was behind the latest audacious attack. Several attempts have been made over the years to use linguistics to identify perpetrators, but when it comes to attribution, there are limitations to using this method.

Linguistic analysis came up recently when analysts at intelligence firm Flashpoint said there was a Chinese link with the WannaCry ransomware. Much of the security research up till then had pointed to North Korean ties, as the attacks reused infrastructure components associated with the shadowy Lazarus Group. Before that, a Taia Global report suggested the The Shadow Brokers’ manifesto was actually written by a native English speaker, despite the broken English. Linguistic analysis also was used to suggest that Guccifer 2.0, who released documents stolen from the Democratic National Committee, was likely not Romanian as claimed. Back in 2014, Taia Global said linguistic clues pointed the Sony breach to Russian actors, and not the North Koreans as the United States government had claimed.

To read this article in full or to leave a comment, please click here

Data breaches happen daily, in too many places at once to keep count, take today's news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21^st century.

This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers and users or account holders. In some cases, passwords and other information were well protected by encryption, so a password reset eliminated the bulk of the risk.

To read this article in full or to leave a comment, please click here

Creating and distributing digital content has never been easier. But ensuring the secure delivery of that digital content? Now that’s another story.

One important chapter of that story is the need to manage digital content so that it goes not only to the people authorized to access it, but also only to approved geographic or specific market locations. Content licensees may be prohibited from distributing the content to certain regions, countries, or even localities, and can lose their licensing rights or face regulatory or legal consequences if they fail to meet those obligations.

The need to control geographic distribution of content is rising with the staggering growth of digital content itself. Consider:

To read this article in full or to leave a comment, please click here

Media panic du jour

National media has caused quite a self-generated sensation by splashing headlines that the U.S. Nuclear Power subsector has been hacked.  Without context or understanding the media has created another “the sky is falling” cyber event.  There’s a great difference between nuclear operational networks being compromised and somebody clicking a phishing email and infecting the front office, so let’s immediately set the record straight.  It was the front office.

To read this article in full or to leave a comment, please click here

High-performance teams rely on defined processes. Sometimes these are called playbooks.

Turns out disciplined attackers use playbooks, too.

Rick Howard (LinkedIn, Twitter) suggests that knowledge might be the key to a different way to improve and automate security. A 23-year military veteran, Howard is the chief security officer for Palo Alto Networks where he continues to build out the Unit 42 Threat Intelligence Team, supports the company’s product lines and is a respected thought leader and company evangelist in the cybersecurity community space. He has a vast background in several different areas of InfoSec, ranging from experiences within both the public and private sectors.

To read this article in full or to leave a comment, please click here