For a couple of decades now, the web browser has endured in workplace settings as the primary employee-to-Internet interface. It’s really just assumed to be a given that a browser built for consumers is an acceptable application for employees to use to work.

And despite advances like sandboxing, browser isolation and secure gateways, the core architecture of web browsers has remained all too vulnerable to malicious attacks.

There was a lot of buzz at Black Hat USA 2023 about advanced “enterprise browsers.” I visited with Uy Huynh, vice president of solutions engineering at Island.io, to discuss this. For a full drill down please give the accompanying podcast a listen.

Built on the Chromium open source code, Island’s Enterprise Browser recognizes the identity and considers the role of each user—be it an employee, contractor, or HR personnel. This granular visibility aids in rapid onboarding while also bolstering security protocols, Huynh explained.

This can serve as a “last mile” checkpoint to curtail Shadow IT; in particular, the exploding popularity of generative AI.

Guest expert: Uy Huynh, VP of solutions engineering, Island.io

Island’s solution prevents sensitive data from slipping out of a web browser into services like ChatGPT, or through downloads, screenshots, printing or copy/paste.

“With generative AI, you could inadvertently be placing your intellectual property or other sensitive information into large language models that anyone can access,” Huynh warns.

Meanwhile, a specific alert can be communicated to the user, enhancing awareness training, and reinforcing compliance.

“In essence, what we’re trying to do is to offer enterprises granular control over their browser environment,” Huynh says.

Anything that can improve security while preserving a high-quality user experience has a place in networks, going forward. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


The threat of bad actors hacking into airplane systems mid-flight has become a major concern for airlines and operators worldwide.

Related: Pushing the fly-by-wire envelope

This is especially true because systems are more interconnected and use more complex commercial software than ever before, meaning a vulnerability in one system could lead to a malicious actor gaining access to more important systems.

Here’s what you should know about the risks, what aviation is doing to address those risks, and how to overcome them.

It is difficult to deny that cyberthreats are a risk to planes. Back in 2015, a security researcher decided to make that very point when he claimed to have hacked a plane, accessed the thrust system, and made it fly higher than intended.

Thankfully, the incident ended safely (or perhaps was unproven), but it clearly highlighted a need for stiffer security measures, particularly as all experts agree that avionics system complexity and the growing use of onboard software updates increase cybersecurity risks.

Risks delineated

Still, there have been many other incidents since. In 2019, a cybersecurity firm demonstrated security risks that could allow an attacker to disrupt engine readings and altitude on an aircraft. There was another warning from the U.S. Government Accountability Office in 2020 about increasing risk due to connected aircraft technology developments.

More recently, there were seven noteworthy attacks on airlines in just one month last year. And those incidents may only be increasing. This is why the aviation industry has recently mandated that all new aviation systems comply with DO-326A (called ED-202A in Europe), a required standard that all new aircraft and systems must follow.

There are three factors that I could see presenting an even greater risk going forward. Number one is increasingly connected systems; number two is onboard Wi-Fi; and number three is the use of commercial software, including artificial intelligence in aircraft.

Hilderman

Many components and systems within an aircraft can exchange data and communicate with each other or with the external internet. Unfortunately, the interconnectivity of systems creates potential entry points for cyber threats, as a vulnerability in one component could provide an avenue for unauthorized access or malicious activities throughout the aircraft’s network.

One increasingly common measure, which is partially effective at mitigating connected-system risk, is “AFDX” (Aviation Full Duplex Ethernet), a set of specialized communication hardware and software protocols that minimize vulnerabilities. AFDX improves security through compliance with the aforementioned DO-326A and also DO-178C.

Software gaps

Similarly, the availability of onboard Wi-Fi services has become increasingly common in commercial aircraft so passengers can stay connected to the internet even during a long flight. However, onboard Wi-Fi networks, if not adequately secured, can provide a gateway for cyber attackers.

So watch out for weak encryption protocols, insufficient network segregation, or insecure user authentication mechanisms. Measures like network segmentation, intrusion detection systems, and frequent security updates can help airlines ensure Wi-Fi doesn’t put the flight at risk.

And finally, just imagine how much more dangerous a hack becomes once a plane uses regular consumer software for entertainment, scheduling, tracking maintenance records, or is controlled through artificial intelligence and there’s limited or no oversight from a human pilot in the cockpit.

While this isn’t necessarily a big issue today since completely pilotless aircraft won’t be taking flight for a good while yet, such a hack could enable bad actors to control or potentially even bring down a plane.

Fortunately, there are ways to address the risks. You may have noticed that you haven’t heard of a plane that’s been taken over during flight by a successful hack in the past few years, despite the fact that airlines are common targets of attacks.

Level of mitigation

It is safe to say you won’t hear of a plane crashing due to a cyber attack in the near future either. That doesn’t mean there aren’t cyberthreats out there. It just means that, up to now, cybersecurity engineers and safety regulations have been remarkably successful at staying ahead of threats.

For example, as noted previously, there are the ED-202A guidelines in Europe and DO-326A in the U.S., collectively known as the “Airworthiness Security Process Specification.” While these standards were first published in 2010, they have since been updated for newer threats, became the only Acceptable Means of Compliance (AMC) for airborne avionics systems in 2018, and have been mandatory since 2022.

This means that all avionics engineers have had to ensure that software on board planes is compliant and carefully tested for vulnerabilities and safety risks per DO-326A or ED-202A, no excuses, no alternatives.

In addition, the International Civil Aviation Organization published the Aviation Cybersecurity Strategy in 2019, offering recommended cyber attack prevention and response procedures. And to this day, authorities continue to update cybersecurity regulations and safety testing.

So regulatory authorities are doing their part, and airlines have been working to follow suit. Some companies have been known to reward anyone who can discover and report a possible vulnerability in certain ground systems, websites, or scheduling systems. American Airlines also has a cybersecurity and data security training program for all team members.

There are plenty of good examples to follow for beefing up security, and thanks to the strong regulatory guidelines, you can be reasonably confident that your plane won’t get taken over by a hacker during your next flight.

About the essayist: Vance Hilderman, CEO of AFuzion, is a renowned aviation expert with extensive experience in engineering reports and safety-critical compliance. Vance would be happy to provide a non-promotional article on the cyber security risks facing airlines today and strategies to ensure safety in commercial aircraft.

API security has arisen as a cornerstone of securing massively interconnected cloud applications.

At Black Hat USA 2023, I had a great discussion about API security with Data Theorem COO Doug Dooley and Applovin CISO Jeremiah Kung. For a full drill down, please give the accompanying podcast a listen.

As a fast-rising mobile ad network going toe-to-toe with Google and Facebook, Applovin has been acquiring advanced security tools and shaping new practices to manage its API exposures. Kung described for me how Data Theorem’s API Secure is proving to be a vital weapon in Applovin’s security arsenal.

APIs have become the “lifeblood” of apps and thus a prime target for cyber criminals, Kung says. AppLovin has learned that it must mitigate API exposures from multiple angles, he told me.

Robust API security has become table stakes – for cloud-native companies like AppLovin as well as for legacy enterprises stepping up their cloud plays, Dooley argues.

Guest experts: Doug Dooley, COO, Data Theorem; Jeremiah Kung, CISO, Applovin

“The moment you go cloud, the number of attack surfaces explodes and there’s really no way to stop it, because it’s like trying to stop innovation,” Dooley says. “As long as you let feature development happen with modern techniques of cloud services and third-party software suppliers, you’re going to have more APIs than you even realize you have embedded and exposed throughout your application stacks.”

Securing APIs is even more vital as generative AI takes center stage, giving attackers one more powerful tool to scale up their campaigns. Yes, AI is bolstering hacking techniques; but it can also strengthen the defensive capabilities of security teams, programs, and products, Dooley observes.

The arms race is just warming up, folks. I’ll keep watch and keep reporting.


Tel Aviv, Israel, Aug. 24, 2023 – Cypago announced the release of its Cyber GRC Automation (CGA) platform today, revolutionizing the GRC space by bridging the gap between management, security, and operations teams. This announcement follows the company’s $13M in total funding led by Entrée Capital, Axon Ventures, and Jump Capital, including prominent angel investors such as Ariel Maislos, Prof. Ehud Weinstein, and Ofir Shalvi.

As the frontrunner in GRC, the company was founded by Arik Solomon, a former EY executive and Yahav Peri, a former officer in the IDF Intelligence Corps and a cybersecurity expert. Cypago’s CGA platform is designed to enable organizations to automate and streamline the increasingly unwieldy Governance, Risk, and Compliance (GRC) processes that organizations need to maintain.

The growing number of cybersecurity regulations designed to keep business and customer data protected has created an onslaught of standards and certifications that companies struggle to keep up with. In 2022, more than 40 US states introduced 250 bills focused on cybersecurity alone, and this number will only increase over time, especially as the White House continues to outline its vision for a cybersecurity implementation plan.

The revolutionary Cypago Cyber GRC Automation (CGA) platform combines SaaS architecture and advanced analysis and correlation engines, GenAI, and NLP-based automation, delivering complete coverage across all security frameworks and IT environments, including cloud-based and on-premises systems. Cypago CGA increases security and GRC maturity through intuitive cross-functional workflows. The Cypago CGA platform offers hundreds of out-of-the-box automation templates for frameworks such as NIST CSF, NIST 800-53, SOC 2, and ISO 27001, as well as the ability to implement custom frameworks.

Furthermore, the Cypago CGA platform offers customizable no-code automated workflows for evidence collection, continuous control monitoring, gap discovery, and mitigation, leveraging easy integrations to existing tech stacks for centralized visibility, management, and enforcement of IT and security requirements. This enables GRC management, security, and operations teams to reduce operational friction and enhance the Cyber GRC program efficiently, all while reinforcing trust with their customers and stakeholders.

Solomon

“Traditionally, running cyber GRC processes has been a manual, fragmented, and time-consuming process,” said Arik Solomon, Co-Founder & CEO of Cypago. “As the risk of cyber threats continues to rise, the volume and complexity of security-related GRC obligations grow, adding to the burden over time. This diverts valuable attention from cybersecurity teams, which should be focused on enhancing their business’ security. Non-compliance with GRC mandates can result in costly fines, erode customer trust, and even major data breaches. We’re excited to lead the way in cyber GRC automation, saving organizations countless hours of manual work, improving collaboration with adjacent teams and stakeholders, and allowing them to focus on their core strengths.”

“The Cypago CGA platform is transforming the way companies approach GRC processes,” said Adi Gozes, a partner at Entrée Capital. “By automating and streamlining the implementation of security standards, Cypago liberates enterprises from the cumbersome and resource-intensive nature of these processes, paving the way for a safer future where GRC requirements transcend mere checkbox compliance. We are delighted to be partnering with Cypago as they drive forward improvements in GRC practices, ensuring organizations can navigate the complex landscape of compliance with ease and confidence.”

Cypago is already helping leading companies like Check Point, Hippo, Operative, MTX, and Trigo navigate the choppy waters of GRC processes.

“Cypago simplified and streamlined our compliance process. We are able to stay up-to-date with the latest regulations thanks to its powerful integration capabilities,” said Itay Semel, Head of Security & Compliance at Check Point.

With the closing of its recent funding round, Cypago will grow its R&D and product teams and expand its go-to-market team as it further develops its presence in North America and the EU.

For more information about Cypago, visit https://cypago.com/.

About Cypago: Cypago’s revolutionary SaaS-based Cyber GRC Automation (CGA) platform redefines the three lines model by eliminating friction and bridging the gap between management, security, and operations. It transforms GRC initiatives into automated processes, enabling in-depth visibility, streamlining enforcement, and significantly reducing overall costs. The platform leverages innovative technologies, including advanced analysis and correlation engines, GenAI, and NLP models, designed to support any security framework in any IT environment, both in the cloud and on-premises. Cypago was founded in 2020 by tech leaders and cybersecurity veterans with decades of combined experience in the development, operations, and commercialization of cybersecurity solutions. For more information, visit https://cypago.com/


Fremont, Calif., Aug. 22, 2023 — AVer Information Inc. USA, the award-winning provider of video collaboration and education solutions, announces a technology collaboration with Nureva to streamline hybrid meeting room connectivity.

The plug-and-play hybrid meeting bundles include AVer’s CAM550, a 4K dual lens PTZ camera, and Nureva’s HDL300 audio system, an integrated microphone and speaker bar.

Harvell

“We are incredibly excited to deliver a best-in-class conference solution with our partner, Nureva,” said Carl Harvell, US director of product for enterprise for AVer USA. “We’ve paired the CAM550 with a high-quality solution from Nureva to create a complete package for customers to easily and efficiently deploy, configure and manage connectivity in medium-to-large-sized meeting rooms. Together, we’re creating a unified collaboration experience for business meeting spaces and remote offices.”

AVer’s CAM550 is equipped with two 4K lenses to capture a complete room view with wide-angle clarity. The first PTZ camera with 12X optical zoom (24X total zoom) to frame meeting participants, the CAM550 also features an AI lens for automated PTZ functionality, delivering a full view of meeting attendees and seamlessly detecting meeting newcomers.

The CAM550 includes a secondary AI lens designed to capture and automatically re-frame meeting participants moving in and around the room. The CAM550 boasts built-in AI gesture recognition to operate the camera; meanwhile, it eliminates common touchpoints to increase meeting safety. Meeting participants can easily control the camera through AI functionality by holding up one finger on either side of the face.

Knowlton

“We are excited to collaborate with AVer to support seamless collaboration for hybrid meeting environments,” said Nancy Knowlton, President and CEO for Nureva. “This hybrid room-ready bundle will deliver the simplified user experience our mutual customers are asking for.”

Nureva’s HDL300 and AVer’s CAM550 offer seamless connectivity for a hybrid-room-ready solution. AVer’s technology collaboration will provide users with another layer of seamless technology to increase meeting efficiency and participant engagement. AVer’s solutions establish a safe collaboration culture in any organization and increase productivity and engagement for all meeting attendees, even the remote ones.

To learn more about AVer Information Inc. USA, please visit averusa.com.

About AVer Information: Founded in 2008, AVer is an award-winning provider of education technology and video collaboration camera solutions that improve productivity and enrich learning. From accelerating learning in the classroom to increasing competitive advantage for businesses, AVer solutions leverage the power of technology to help people connect with one another to achieve great things.

AVer’s product portfolio includes professional-grade artificial intelligence-enabled auto-tracking cameras, Zoom and Microsoft Teams Certified enterprise-grade USB cameras, document cameras, and mobile device charging solutions. AVer strives to provide industry-leading service and support that exceeds customer expectations. AVer is deeply committed to the community and the environment, and it employs stringent green processes. Learn more at averusa.com, and follow AVer on LinkedIn at @AVerUSA.

Media contact: Morgan Lawrence, APR, Director of Communications. THE rAVe Agency, Mobile: (419) 631-8052, Email: morgan@theraveagency.com


Boston, Mass, Aug. 22, 2023 – airSlate, a leader in document workflow automation solutions, today announced the launch of QuickStart in collaboration with partner Forthright Technology Providers, a leading provider of user-centric IT solutions and services. The comprehensive package, available at a fixed price, combines airSlate’s automation tools, including customizable workflows and built-in eSignatures, with Forthright’s professional services, enabling organizations to streamline business processes and eliminate complexity.

QuickStart’s launch coincides with companies increasingly adopting the idea of digital transformation to remain competitive. airSlate’s document automation tools help organizations fast-track their digital transformation efforts, significantly improve their efficiency, productivity, and compliance, reduce their reliance on manual labor, and allow employees to focus on meaningful work. The QuickStart program’s fixed price offers a cost-effective way for businesses of all sizes to “quick-start” their automation journey without the complexity, uncertainty of the steps required and additional expenses.

“Forthright is a trusted partner for many organizations looking to adopt IT solutions to streamline business processes and improve end-user experience,” said Steve Zoberg, CRO of Forthright. “We are excited to partner with airSlate and provide compelling solutions to companies looking to improve their business productivity and efficiency through the implementation of document workflow automation solutions.”

Herring

“The QuickStart package enables businesses to choose from pre-built workflows for HR, digital sales, and vendor onboarding or create customized workflows for their specific needs, empowering businesses to optimize their processes and achieve standardization,” said Shawn Herring, CMO of airSlate. “We look forward to partnering with Forthright to jumpstart workflow automation projects for SMBs & mid-sized companies across industries.”

Also included in the package are up to five automation bots, built-in legally binding eSignatures, unlimited document processing and storage, and various advanced features, making QuickStart an ideal solution for businesses looking to increase productivity and compliance while reducing costs.

QuickStart services are available now, starting at $4,500. For more information, visit here. For more information on airSlate, visit www.airslate.com or follow the company on its social media channels: Facebook, LinkedIn, and Twitter.

About airSlate: airSlate is a global SaaS technology company that serves over a hundred million users worldwide with its document workflow and automation solutions. The company’s PDF editing, eSignature workflow, and business process automation solutions empower users to digitally transform their businesses to run faster and easier. airSlate, pdfFiller, signNow, USLegal, and DocHub make up the company’s portfolio of award-winning products. airSlate is backed by leading venture capitalists and corporate investors including General Catalyst, Morgan Stanley Expansion Capital, HighSage Ventures, UiPath Ventures and GSquared.

About Forthright: Forthright is a leading provider of IT consulting, engineering, and managed services, founded in 1996 with a strong focus on providing clients with the best end-user experience available. Forthright’s approach to IT is one founded in expertise, best practices, and a commitment to honesty, integrity and providing the best value to clients. We help businesses leverage technology to optimize, automate, and secure their business operations with a modern IT environment that moves them further in their digital journey.

Media contact: Priti Khare, Sr. Director of Content and Communications, pr@airslate.com


Phone number spoofing involves manipulating caller ID displays to mimic legitimate phone numbers, giving scammers a deceptive veil of authenticity.

Related: The rise of ‘SMS toll fraud’

The Bank of America scam serves as a prime example of how criminals exploit this technique. These scammers impersonate Bank of America representatives, using the genuine bank’s phone number (+18004321000) to gain trust and deceive their targets.

Victims of the Bank of America scam have shared their experiences, shedding light on the deceptive tactics employed by these fraudsters. One common approach involves a caller with an Indian accent posing as a Bank of America representative. They may claim that a new credit card or checking account has been opened in the victim’s name, providing specific details such as addresses and alleged deposits to sound convincing.

Scam tactic exposed

Nicolas Girard shared his experience with the Bank of America scam. He received a call claiming a new checking account was opened in his name, complete with his correct address and a $5,000 deposit. To verify their authenticity, Nicolas asked for proof, but the scammers insisted he Google the Bank of America number.

Suspicious, he trusted his instincts and called the bank directly. Genuine representatives confirmed it was a scam, with no new accounts linked to his social security number. Research unveiled the widespread practice of spoofing the Bank of America number.

Nicolas took immediate action, freezing his credit accounts to protect himself. His story serves as a reminder to stay vigilant against phone scams, ensuring our financial well-being and personal security.

Scope of the threat

Grant

Based on monthly search requests and statistics from 2023, it is evident that a significant number of individuals have encountered the spoofed Bank of America phone number, +18004321000: almost 600 views per month, with an estimate of over 6,000 searches in 2023 alone. This statistic alone highlights the alarming and widespread nature of this scam. It serves as a stark reminder of the importance of raising awareness about phone number spoofing and its potential risks.

It is crucial to be aware of the red flags associated with phone scams like the Bank of America scam. Victims have reported several warning signs, such as unsolicited calls, requests for sensitive information, and high-pressure tactics. Recognizing these indicators can help individuals protect themselves from falling victim to such scams.

To combat phone harassment and protect against scams like the Bank of America scam, the tellows caller ID app offers valuable features. This app provides reverse phone number lookup, allowing users to identify potential scammers or suspicious callers. With a vast database of reported numbers and user feedback, the app provides essential information to help individuals make informed decisions about answering or blocking calls.

Practical protection

To safeguard yourself from falling victim to phone number spoofing scams, consider the following preventive measures:

• Verify Caller Authenticity: Independently contact your bank using official contact information to verify the legitimacy of any calls claiming to be from financial institutions.

• Be Wary of Sharing Personal Information: Never share sensitive information, such as account numbers or Social Security numbers, over the phone unless you initiated the call and are confident in the caller’s identity.

• Install tellows Caller ID App: Use the tellows caller ID app to identify potential scam calls and protect yourself from phone harassment. The app’s reverse phone number lookup feature provides insights into caller reputation and user-reported experiences.

By using the tellows app, users can identify and block unwanted and potentially scam calls. With its extensive global database and user-generated ratings, tellows provides insights into caller identities and their reputation. This empowers users to make informed decisions about answering or blocking calls, saving them time and frustration.

Phone number spoofing poses a growing threat. Stay vigilant and informed to protect against such fraud.

About the essayist: Richard Grant is a country content manager at tellows. He is responsible for overseeing the content strategy, user-generated ratings and data management for a specific country. Richard’s expertise in call identification and spam detection contributes to tellows’ mission of empowering individuals to avoid annoying and potentially fraudulent calls.

Tel Aviv,  Israel, Aug. 17, 2023 — Cynomi, the leading AI-powered virtual Chief Information Security Officer (vCISO) platform vendor for Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs) and consulting firms, has published the results of its first annual report, “The State of the Virtual CISO 2023”. The report, conducted by Global Surveys on behalf of Cynomi, reveals critical insights into MSPs and MSSPs’ recent shift towards vCISO services.

The key highlight of the report is the fact that the number of vCISO service providers is set to increase by 480% between now and the end of next year, from 19% to 86% of MSPs and MSSPs in North America. Of the current 19% that provide vCISO services, just one quarter offered vCISO services prior to 2022. This demonstrates the significant trend of adoption over the last two years that shows no signs of slowing down.

The frequency of cyberattacks is on the rise, and hackers are continually targeting smaller businesses. Despite this, most small and mid-size companies cannot afford to hire a dedicated security professional to safeguard their IT assets full-time. Instead, they are increasingly turning to vCISO services, offered by rising numbers of MSPs and MSSPs. These services give SMBs access to external cybersecurity experts at a fraction of the cost of hiring an in-house CISO.

Cynomi’s report, based on survey responses from 200 Directors, VPs and C-Suite executives at MSPs/MSSPs in the U.S. and Canada, highlights the growing SMB need for the broad cyber support vCISO services provide, and how MSPs and MSSPs are moving quickly to respond to this demand. Of those not currently offering vCISO services, 84% have said they intend to do so by the end of 2024 and most of the others plan to do so at some point.

Indeed, just one percent of the 200 MSPs and MSSPs surveyed said they do not currently have any plans to offer vCISO services. Prior to 2022, only 5% of MSPs and MSSPs were offering vCISO services. Since then, the number of providers offering this service has grown consistently, with 8% in 2022, 28% in 2023, and a projected 45% in 2024 – further evidence of the segment’s accelerating momentum.

Primor

“Our inaugural report on the State of the Virtual CISO industry clearly shows that vCISO services are building strong momentum as one of the fastest-growing cybersecurity segments on offer,” said David Primor, co-founder and CEO of Cynomi. “More SMBs want this. The vast majority of MSPs and MSSPs will be offering vCISO services by the end of next year, and those that don’t risk being left behind.”

MSPs and MSSPs stated a number of reasons for their desire to offer vCISO services, with more than 40% of respondents anticipating increased revenue and higher margins, in addition to easy upsell of other cybersecurity services. By offering vCISO services, 33% of respondents also anticipate enhanced client engagement.

Many of these companies also envision challenges along the way: 40% of them are worried by limited in-house security or compliance knowledge, and 33% by a lack of skilled cybersecurity personnel. However, vCISO platforms negate these concerns.

“Since we started offering vCISO services last year, we have helped many businesses understand and shore up their security posture in a very cost-effective way,” said Cliff Janzen, VP Security, rSolutions Corporation. “As a vCISO provider, we have become more involved with our customers’ strategic planning and reporting to their top management, while improving client engagement and satisfaction. They’re reassured to know they can turn to us in all matters relating to their cybersecurity needs without breaking the bank. On our end, too, the costs were lower than anticipated; it was great to add these new services through a vCISO platform to be a force multiplier for our existing team.”

Cynomi has created a comprehensive and regularly updated directory of leading vCISO service providers for SMBs to find a trusted security partner. The directory provides thorough details on the specific services offered by each vCISO provider, as well as the technology platforms they use to guide and implement their security strategies.

As the leading vCISO platform provider for MSPs and MSSPs, Cynomi intends to conduct a recurring study on the growing momentum of the vCISO role each year.

To view the full report: https://www.cynomi.com/state-of-the-vciso-2023/

About Cynomi: Cynomi’s AI-driven platform empowers MSSPs, MSPs and consultancies to offer vCISO services to SMBs at scale and to provide them with proactive cyber resilience. Combining proprietary AI algorithms with CISO-level knowledge and expertise, Cynomi’s platform streamlines the vCISO’s work while automating manual time-consuming tasks like risk assessment, compliance readiness, cyber posture reporting, the creation of tailored security policies and remediation plans, as well as task management optimization.

Cynomi helps partners overcome the cybersecurity skill gap and scale their business, allowing them to offer new services, upsell, and increase revenues, while reducing operational costs.   Established in 2020 with the vision that every company deserves a CISO, and with a channel-only approach, Cynomi now serves more than 50 partners worldwide.  

To learn more about Cynomi’s solution for MSPs, MSSPs, and cyber consultancies visit www.cynomi.com    

Media contact: Rotem Shemesh, Cynomi VP of Marketing, rotem@cynomi.com


Social media giants have long held too much power over our digital identities.

Related: Google, Facebook promote third-party snooping

Today, no one is immune to these giants’ vicious cycle of collecting personal data, selling it to advertisers, and manipulating users with data metrics. By making people feel like mere products, this exploitative digital environment further encourages distrust among social media users.

With numerous incidents to cite, tech behemoths have time and again proven unable to securely handle their users’ digital identities and data.

In recent years, Meta (previously Facebook) has faced a number of fines for violating user privacy. In 2019, the company was ordered to pay a record-breaking $5 billion penalty by the Federal Trade Commission (FTC) for violating consumers’ privacy rights.

The fine was the largest ever imposed on a social media company for privacy violations. Last month, again, Meta was penalized for more than €1.2bn (£1bn) and ordered to suspend data transfers to the US by an Irish regulator for its handling of user information. This hefty penalty set a record for a breach of the EU’s general data protection regulations (GDPR).

But these incidents aren’t limited to giants like Facebook. Even newer social networking sites like Clubhouse have allegedly had trouble protecting the data of millions of users in recent times.

That’s why there is a need for more comprehensive solutions addressing challenges of user control, privacy, and data security at their core.

Decentralizing identities

Decentralized identities are a newer approach that can help solve the issues at hand. A user can create their own decentralized identity that is controlled by a secret seed phrase and not reliant on a centralized platform for that identity to exist.

A user can then connect this decentralized identity to encrypted decentralized storage to store their personal data. The data gets distributed across multiple nodes as opposed to getting stored in a central database. This direct shift of centralized authority to a decentralized landscape has several unique and necessary advantages.


Firstly, it enables individuals to take complete control over their data. Users can choose where their personal information should be used and rightfully have the power to revoke that access at any time. Secondly, it adds two critical layers of security, making it considerably harder for attackers to steal data.

For instance, to steal decentralized, end-to-end encrypted data, an attacker must compromise multiple nodes on the storage network just to reach the data. They must also compromise the user’s mobile device to obtain the seed phrase, or extract the secret seed phrase from the user directly through some other sophisticated social engineering attack. These steps are labor-intensive, difficult and costly.

This radically changes the “economics” of hacking to all but eliminate the likelihood of stealing user data. A hacker must go through the time and effort to compromise multiple systems and devices to obtain the secret data of one person, rather than compromising a single system to obtain the data of millions of users.

Thirdly, it can drastically enhance and improve the user experience. Consider the tedious task of creating and managing usernames and passwords for different services across all platforms. This often tempts users to reuse their old credentials.

Decentralized identity lets users sign in across multiple platforms with a single decentralized ID, which improves the user experience. Future enhancements to decentralized single sign-on will add cryptographic proofs tied to the specific application being connected to, eliminating many phishing-style attacks.

To power all this, interoperability plays a critical role, which is why decentralized identity systems are built on open standards such as DID-Core. Such standards let diverse systems and platforms work together, so users can access a wide range of applications with their decentralized identities without going through the trouble of creating a new account for each service. Building on this idea, decentralized social identities have massive potential to reshape the social media landscape.
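To make the mechanism described above concrete, here is an added example in Go (the editor’s own illustration, not code from Verida or from the DID-Core specification). It derives an Ed25519 key pair from a secret seed with nothing but local computation, renders the public key as a did:key identifier (one DID method built on DID-Core, whose Ed25519 form is the published `did:key:z6Mk…` convention), and then shows the kind of application-bound login proof the essay alludes to: the wallet signs the origin it believes it is talking to, so a signature captured by a look-alike site does not verify on the real one. The message layout with the `did-login-v1` label, the origin/nonce fields and the seed string are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"math/big"
	"strings"
)

// Bitcoin-style base58 alphabet: the multibase 'z' encoding that did:key uses.
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58Encode renders raw bytes with the alphabet above.
func base58Encode(b []byte) string {
	x, base, mod := new(big.Int).SetBytes(b), big.NewInt(58), new(big.Int)
	var out []byte
	for x.Sign() > 0 {
		x.DivMod(x, base, mod)
		out = append(out, b58Alphabet[mod.Int64()])
	}
	for _, c := range b { // leading zero bytes become leading '1's
		if c != 0 {
			break
		}
		out = append(out, '1')
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// base58Decode is the inverse, rejecting characters outside the alphabet.
func base58Decode(s string) ([]byte, error) {
	x, base := big.NewInt(0), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, errors.New("invalid base58 character")
		}
		x.Mul(x, base).Add(x, big.NewInt(int64(idx)))
	}
	out := x.Bytes()
	for _, c := range s { // leading '1's are leading zero bytes
		if c != '1' {
			break
		}
		out = append([]byte{0}, out...)
	}
	return out, nil
}

// ExampleSeed is a fixed, constructed 32-byte seed for the demo; a real wallet
// generates it randomly and shows it to the user as a recovery phrase.
func ExampleSeed() []byte {
	sum := sha256.Sum256([]byte("constructed demo seed, not a real secret"))
	return sum[:]
}

// DIDFromSeed turns the secret seed into an Ed25519 key pair and renders the public
// key as did:key: multicodec prefix 0xed01 + raw key, base58btc with the 'z' marker.
func DIDFromSeed(seed []byte) (string, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	return "did:key:z" + base58Encode(append([]byte{0xed, 0x01}, pub...)), priv
}

// PublicKeyFromDID is the relying party's side: recover the key from the DID alone.
func PublicKeyFromDID(did string) (ed25519.PublicKey, error) {
	if !strings.HasPrefix(did, "did:key:z") {
		return nil, errors.New("unsupported DID method or multibase prefix")
	}
	raw, err := base58Decode(strings.TrimPrefix(did, "did:key:z"))
	if err != nil || len(raw) != 2+ed25519.PublicKeySize || raw[0] != 0xed || raw[1] != 0x01 {
		return nil, errors.New("not an Ed25519 did:key")
	}
	return ed25519.PublicKey(raw[2:]), nil
}

// challengeMessage binds the login to the origin being signed into and to a fresh
// server nonce (assumed layout), so a signature is useless elsewhere or later.
func challengeMessage(origin, nonce string) []byte {
	h := sha256.Sum256([]byte("did-login-v1\x00" + origin + "\x00" + nonce))
	return h[:]
}

// SignLogin is what the wallet returns: it signs the origin it believes it is on.
func SignLogin(priv ed25519.PrivateKey, origin, nonce string) []byte {
	return ed25519.Sign(priv, challengeMessage(origin, nonce))
}

// VerifyLogin rebuilds the message from the relying party's OWN origin and nonce,
// so a proof captured by a look-alike domain does not verify here.
func VerifyLogin(pub ed25519.PublicKey, origin, nonce string, sig []byte) bool {
	return ed25519.Verify(pub, challengeMessage(origin, nonce), sig)
}
```

The identity never touches a server during creation, which is the “not reliant on a centralized platform” property; the seed is the only secret, which is why the essay treats the device holding it as the second layer an attacker would have to breach. Binding the origin into the signed message is what turns a portable identity into a phishing-resistant one: a proof minted for `https://app.example` is rejected by any other origin, and a fresh nonce per login stops replay.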

Social media use case

By prioritizing user ownership, privacy, and interoperability, decentralized social identities change the way we interact online. Take, for instance, a scenario where a self-owned cryptographic identity puts control back in the users’ hands, as opposed to being controlled by a centralized entity like Facebook or Twitter. Or think of a system where your social media accounts and email are certified by a blockchain-based decentralized social identity service for secure identity verification.

This transformation is driven by self-sovereignty and interoperability, which give users control over their data and allow them to own, manage, and use it across all web platforms. Users gain a single, trusted source of digital identity, which changes how they build trust, establish themselves, and cultivate their reputation on social media.

With time, more and more user-centric initiatives like Verida are smartly pushing the boundaries of decentralized social media by adopting a privacy-by-design approach and offering a full-stack development framework to help create privacy-focused applications. With the user being an important link, it fundamentally changes the power dynamics seen in traditional social media platforms.

The good news is that these efforts are not limited to decentralized social identities for social media. They form part of a broader vision of Web3-enabled applications, striving to make messaging, personal data storage, and single sign-on commonplace.

Web2 to Web3

Notably, the current Web2 and Web3 landscapes differ fundamentally. Where Web2 is associated with sharing, Web3 emphasizes ownership. Web2 users today have tools (though not privacy-compliant ones) for displaying where they share their activities and identity; Web3, however, has yet to provide a robust way to simply aggregate, share, and prove these existing social identities.

Solutions like Verida One allow users to import, verify, and link their Web2 identities and metadata to Web3 dApps. This bridge now paves the way for a user-controlled, privacy-focused social media landscape.

With the bitter experiences of history and promising technology of the future, changing the current social media landscape is a critical step to enhance the trust and security of our online interactions. However, it can only be achieved if you start reclaiming control over data and demanding better from companies that profit off users’ private information.

The time has come to reject the status quo and push for a future where privacy is considered a right and not a privilege. Every social media user’s agenda should be a revolution to hold tech giants accountable for their actions.

With newer transparent technologies hitting the market, users should feel more empowered to see an alternative way out.

About the essayist: Chris Were is CEO of Verida. The Australian-based tech entrepreneur has spent more than 20 years developing innovative software solutions, most recently Verida, a decentralised, self-sovereign data network.

LAS VEGAS – Just when we appeared to be on the verge of materially shrinking the attack surface, along comes an unpredictable, potentially explosive wild card: generative AI.

Related: Can ‘CNAPP’ do it all?

Unsurprisingly, generative AI was in the spotlight at Black Hat USA 2023, which returned to its full pre-Covid grandeur here last week.

Maria Markstedter, founder of Azeria Labs, set the tone in her opening keynote address. Artificial intelligence has been in commercial use for many decades; Markstedter recounted why this potent iteration of AI is causing so much fuss, just now.

Generative AI makes use of a large language model (LLM) – an advanced algorithm that applies deep learning techniques to massive data sets. The popular service, ChatGPT, is based on OpenAI’s LLM, which taps into everything available across the Internet through 2021, plus anything a user cares to feed into it. Generative AI ingests it all, then applies algorithms to understand, generate and predict new content – in text-based summaries that any literate human can grasp.

I spoke to technologists, hackers, marketers, company founders, researchers, academics, publicists and fellow journalists about the promise and pitfalls of commoditizing AI in this fashion. I came away with a much better understanding of the disruption/transformation that is gaining momentum, with respect to privacy and cybersecurity.

Shadow IT on steroids

Generative AI has, in point of fact, dramatically accelerated attack surface expansion, at least for the moment. I spoke with Casey Ellis, founder of Bugcrowd, which supplies crowd-sourced vulnerability testing, all about this. We discussed how elite hacking collectives already are finding ways to use it as a force multiplier, streamlining repetitive tasks and enabling them to scale up their intricate, multi-staged attacks.


What’s more, generative AI has exacerbated the longstanding problem of well-intentioned employees unwittingly creating dangerous new exposures, especially in hybrid and multi-cloud networks. I spoke with Uy Huynh, vice president of solutions engineering at Island.io, about how generative AI has quickly become like BYOD and Shadow IT on steroids. Island supplies an advanced web browser security solution.

“The days of localized data loss are over,” says Huynh. “With ChatGPT, when you post sensitive content as part of a query, it subsequently makes its way to OpenAI, the underlying LLM. Every piece of information becomes a part of the model’s vast knowledge base. This unintentional leakage can have dire consequences, as sensitive information can thereafter be accessed through the right prompts.”

Of course, the good guys aren’t asleep at the wheel. Another theme that stood out at Black Hat: security innovators are, at this moment, creating and testing new ways to leverage generative AI – as a force multiplier – for their respective security specialties.

Threat intelligence vendor Cybersixgill for instance launched Cybersixgill IQ at Black Hat. This new service feeds vast data sets of threat intel into a customized LLM tuned to generate answers to nuanced security questions.

The idea is to shrink the time analysts spend sifting through data, says Brad Liggett, director of global sales engineering. Cybersixgill’s researchers, for instance, are finding they can quickly gain insights they might have missed or taken much longer to uncover.

This all really boils down to intuitive questioning of generative AI by clever human experts. Bugcrowd’s stable of independent white hat hackers, for instance, is probing the edges of the envelope, striving to determine where usefulness ends and inaccuracy kicks in, Ellis told me.

Defense-in-depth redux

I also spoke just ahead of the conference with Horizon3.ai, Syxsense and Trustle, and we touched on how they are factoring in generative AI; for a deeper dive, please give a listen to my podcast discussions with each. At the conference, I had deep conversations with experts from Bugcrowd, Island.io, Traceable.ai, Data Theorem, Sonar and Flexxon; stay tuned for upcoming Last Watchdog podcasts with each.

Generative AI is sure to rivet everyone’s attention for some time to come. When it comes to cybersecurity, Markstedter, the keynote presenter, astutely observed how generative AI is on track to match the original iPhone’s adoption trajectory: massive popularity followed by an extended period of companies scrambling to gain security equilibrium.


“Do you remember the first version of the iPhone? It was so insecure — everything was running as root. It was riddled with critical bugs. It lacked exploit mitigations or sandboxing,” she said. “That didn’t stop us from pushing out the functionality and for businesses to become part of that ecosystem.”

Cybersecurity is undergoing a tectonic shift, folks. To get us where we need to be, traditional, perimeter-centric IT defenses need to be reconstituted and security services delivery models need to be reshaped. A new tier of overlapping, interoperable, highly automated security platforms is taking shape. Defense-in-depth remains a mantra, but one that is morphing into something altogether new.

Automation and interoperability must take over and several new security layers must coalesce and interweave to address attack surface expansion. Generative AI has come along as a two-edged sword, accelerating attack surface expansion, but also stirring cybersecurity innovation. In short, the arms race has taken on a critical new dimension.

Cutting against the grain


A few off-the-cuff discussions I had on the exhibits floor at Black Hat resonated. One was with Saryu Nayyar, CEO of Gurucul, supplier of a unified security and risk analysis solution. Gurucul, too, launched a “generative AI assistant” at Black Hat and has been in the vanguard of another major trend: competing to shape the multi-faceted security platforms we’ll need to carry us forward.

“We’ve always had a vision, right from the beginning, of supplying a unified, open platform,” Nayyar told me. “Our data ingestion framework supports over one thousand-plus integrations. . . Our biggest differentiator is our threat content. We use machine learning, and we have a large research team producing threat content that’s all use-case driven, content that can be used for proactive response and proactive risk reduction.”

I also had a fascinating chat with Jonathan Desrocher and Ian Amit, co-founders of Gomboc.ai, which emerged from stealth at Black Hat with a $5 million seed funding round and a strikingly unique solution. With generative AI all the rage, Gomboc is tapping into what Amit and Desrocher characterized as the polar opposite – “deterministic AI.”

Gomboc’s innovation appears to be a simplified way to drag-and-drop robust security policy onto cloud IT resources, such as AWS processing and storage. Instead of using generative AI to guess, based on information about the feature sets it can see, deterministic AI runs through a series of predetermined checks, then applies reasoning to conclude whether a cloud asset is securely configured; it either is, or it isn’t, Desrocher told me.
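As an added illustration of the “predetermined checks” idea described above (constructed by the editor; it is not Gomboc’s code and does not use any cloud provider’s real API), the Go program below evaluates a vendor-neutral snapshot of an object-storage bucket against three fixed rules and returns a binary verdict. The `BucketConfig` type, the rule names and the two sample policy documents are assumptions of the example; the policy format mirrors IAM-style statements only as far as the rules need to inspect them.

```go
package main

import (
	"encoding/json"
	"sort"
)

// BucketConfig is a constructed, vendor-neutral snapshot of an object-storage
// bucket for this demo; it is not a real cloud provider API type.
type BucketConfig struct {
	EncryptionAtRest  bool
	VersioningEnabled bool
	PolicyJSON        string // IAM-style resource policy document, "" if none
}

// statement holds the parts of a policy statement the rules inspect; Principal
// and Condition stay raw JSON because their shape varies between documents.
type statement struct {
	Effect    string
	Principal json.RawMessage
	Condition json.RawMessage
}

// principalIsEveryone matches "*" and {"AWS": "*"}. Any shape it does not
// recognise is reported as open, so the rule fails closed rather than silently.
func principalIsEveryone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m map[string]string // list-valued principals are not modelled here
	if json.Unmarshal(raw, &m) != nil {
		return true
	}
	for _, p := range m {
		if p == "*" {
			return true
		}
	}
	return false
}

// allowsAnonymousAccess is true when an Allow statement grants everyone access
// with no Condition narrowing it; Statement is assumed to be a JSON array.
func allowsAnonymousAccess(policy string) (bool, error) {
	if policy == "" {
		return false, nil
	}
	var doc struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return false, err
	}
	for _, st := range doc.Statement {
		if st.Effect == "Allow" && principalIsEveryone(st.Principal) && len(st.Condition) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// check is one predetermined rule: a stable name plus a pass/fail predicate.
type check struct {
	Name string
	Pass func(BucketConfig) (bool, error)
}

var checks = []check{
	{"no-anonymous-access", func(b BucketConfig) (bool, error) {
		open, err := allowsAnonymousAccess(b.PolicyJSON)
		return !open, err
	}},
	{"encryption-at-rest", func(b BucketConfig) (bool, error) { return b.EncryptionAtRest, nil }},
	{"versioning-enabled", func(b BucketConfig) (bool, error) { return b.VersioningEnabled, nil }},
}

// Evaluate runs every rule and returns the sorted names of those that failed;
// a policy that cannot be parsed counts as a failure instead of passing by accident.
func Evaluate(b BucketConfig) []string {
	failed := []string{}
	for _, c := range checks {
		if ok, err := c.Pass(b); err != nil || !ok {
			failed = append(failed, c.Name)
		}
	}
	sort.Strings(failed)
	return failed
}

// IsSecure is the binary verdict: the asset either passes every rule or it does not.
func IsSecure(b BucketConfig) bool { return len(Evaluate(b)) == 0 }

// SamplePublicBucket is a constructed misconfiguration: world-readable and unencrypted.
func SamplePublicBucket() BucketConfig {
	return BucketConfig{VersioningEnabled: true, PolicyJSON: `{"Statement": [{"Effect": "Allow",
	  "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-public/*"}]}`}
}

// SampleHardenedBucket also names Principal "*", but in a Deny that blocks plaintext
// transport; the rule correctly leaves that alone.
func SampleHardenedBucket() BucketConfig {
	return BucketConfig{EncryptionAtRest: true, VersioningEnabled: true, PolicyJSON: `{"Statement":
	  [{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::demo-hardened/*",
	    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}`}
}
```

Because every rule is a fixed predicate with no learned parameters, the same input always yields the same list of failures, which is the property the passage contrasts with a generative model’s guesswork. Two details matter for an engine like this in practice: a Principal shape the checker does not understand and a policy it cannot parse both count as failures, so a malformed or unusual document is surfaced for review rather than waved through.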

Baked-in security

“It’s deterministic and it also changes the focus of what you’re modeling,” he says. “Do you model past behavior and try to extract rules to predict the future? Or are you actually modeling the problem domain to understand the physics of how it works, so that you can predict the future based on the laws of nature, if you will.”

Fresh out of stealth mode, Gomboc has a ways to go to prove it can gain traction. Amit and Desrocher, of course, have high hopes to make a big difference.

Here’s what Amit told me: “Over the medium term, we’re going to change the way that security is being managed for cloud infrastructure. And in the long term, we’re going to change the way that cloud infrastructure, in general, is being managed . . . our policy engine can also be applied to performance, cost and resilience so that DevOps won’t need to inundate themselves with those intricacies of finding the correct parameters to make things run correctly. Security is going to be baked into the way you deploy your architecture.”

Along these same lines, I had a deep conversation with Camellia Chan, co-founder and CEO of Flexxon, a Singapore-based hardware vendor that’s also cutting against the grain. Chan walked me through how Flexxon has won partnerships with Lenovo, HP and other OEMs to embed Flexxon solid state memory drives in new laptops. Branded “X-Phy,” these advanced SSDs contain AI-infused mechanisms that provide a last line security check, she told me. A full drill down is coming in my podcast discussion with Chan, so stay tuned.

The transformation progresses. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)