The pace and extent of digital transformation that global enterprise organizations have undergone cannot be overstated.

Related: The criticality of ‘attack surface management’

Massive global macro-economic shifts have fundamentally changed the way companies operate. Remote work already had an impact on IT strategy and the shift to cloud, including hybrid cloud, well before the onset of COVID-19.

Over the past two years, this trend has greatly accelerated, and working practices have been transformed for many workers and organizations.

Yet, with all these changes, the specter of security breaches remains high. This explains the rise and popularity of Zero Trust, both as a framework for securing networks in these new realities and as an effective tool to drive cybersecurity initiatives across the entire enterprise.

Fundamentally, Zero Trust is based on not trusting anyone or anything on your network by default and on applying least-privilege concepts. Every access attempt by any entity must be validated throughout the network to ensure no unauthorized entity is moving vertically into or laterally within the network undetected.

At the same time, digital resilience has arisen as a top priority for enterprises across all sectors, especially as cyber threats continue to accelerate. Ensuring maximum uptime and network and application availability is critical to digital business.

Now is an ideal time to explore enterprise perceptions about the future. To gain these insights, A10 Networks surveyed 2,425 senior application and network professionals from across ten regions around the globe. Not surprisingly, there were high levels of concern about digital resiliency, with a strong focus on business continuity.

Four top resiliency trends surfaced in the findings, including: digital resilience is a top priority; cyberthreats are accelerating; private cloud is the preferred environment; and Zero Trust strategies are being implemented to shore up defenses.

Most importantly, all these forces are foundational to more remote and hybrid work as we enter a new phase of living with COVID-19. Additional key features of the enterprise IT landscape that we uncovered included the following:

Private clouds preferred

Some 23 percent of respondents have retained an on-premises environment, and this is unlikely to change for some organizations in the future. Private clouds were the preferred environment for 30 percent of respondents, while just under one quarter said their environment was in a public cloud, with a similar percentage in SaaS environments.


Looking forward, organizations expect to retain a similar split, with private clouds being the most popular in all regions apart from the U.S. and Eastern Europe, which favor public cloud. This is likely because private clouds give organizations more control over data. Organizations such as those in financial services or government deal with sensitive information and prefer a private cloud model with greater control over the security of applications, users, and data.

Strategy reassessment needed

Resilience has become a board-level discussion as senior leaders look to ensure that the business can cope with future disruption. Enterprise respondents said that digital transformation solutions, business continuity (both technically and organizationally), and stronger security requirements have all become paramount. This puts tremendous pressure on IT professionals to rethink their architectures and IT strategies to meet the challenge.

Asked to rate their concern about 11 different aspects of business resilience, nine out of 10 respondents expressed some level of concern about every issue. The top concerns were around the challenge of optimizing security tools to ensure competitive advantage, using IT resources in the cloud, and enabling remote access and hybrid working while ensuring that staff feel supported in whatever work style they wish to adopt.

Cyber threats impact

High among a broad array of issues is the loss of sensitive assets and data, followed by the disruptive impact of downtime or network lockdown. In response, AI and machine learning have entered mainstream adoption as proven technologies for automation, human error reduction, and increased efficacy.

Meanwhile, there has also been a shift to a Zero Trust security approach. Some 30 percent of enterprise organizations surveyed said that they had already adopted a Zero Trust model.

Looking to the future, the adoption of cybersecurity initiatives will remain high and continue to grow. The increased threat surface that developed under pandemic conditions will require a more pervasive adoption of the Zero Trust model.

Although the urgent demands of the pandemic have lessened, there is unlikely to be any less pressure for IT practitioners, whether in infrastructure or security. Enterprises will be dealing with the impact of these pandemic-related changes for years to come, along with the continued integration of newer technologies, strategies, and evolving standards.

Organizations must meet their multifaceted digital resiliency needs by continuing to invest in modern technologies that will support ongoing digital transformation initiatives while striking the balance between strong Zero Trust defense and operational agility.

About the essayist: Paul Nicholson is senior director, product marketing, at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services. He has held technical and management positions at Intel, Pandesic and Secure Computing. 

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could take effect as early as May 2023, mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Passing muster

CMMC 2.0 sets forth three levels of cybersecurity certification a company can gain in order to provide products or services to the DoD, all having to do with proving a certain set of cybersecurity controls and policies are in place.

Level 1, for instance, requires some 17 controls to protect information systems and limit access to authorized users. Meanwhile, Level 3 calls for several more tiers of protection specifically aimed at reducing the risk from Advanced Persistent Threats (APTs) in order to safeguard so-called Controlled Unclassified Information (CUI).

In addition, every DoD contractor must conduct, at the very least, an annual self-assessment. Crucially, this includes accounting for the cybersecurity posture of third-party partners. In general, contractors must be prepared to divulge details about the people, technology, facilities and external providers — just about anything that intersects with their position in the supply chain. This includes cloud providers and managed services providers.

“It’s a milestone, for sure,” Jimenez told me. “All these controls need to be fulfilled from a compliance perspective and internal practices need to be put into place. This is all to attest that the contractor has a robust security posture, and, in the event of an audit, could pass muster.”

Auditable reviews

To get to square one under CMMC 2.0, a contractor needs to get a couple of very basic, yet widely overlooked, things done: those that handle controlled unclassified information, or CUI, must both implement a formal security management program and have an incident response plan in place.

This comes down to reviewing IT systems, identifying sensitive assets, cataloguing all security tools and policies and, last but not least, implementing a reporting framework that can be audited. This seems very basic, yet it is something many organizations in the throes of digital transformation have left in disarray.


“Having both a security program and incident response plan in place is really important,” says Jimenez. “This should include continuous monitoring to highlight that the security environment is constantly being reviewed and refreshed with data that has an audit trail available for future reference.”

Doing basic best practices to pass an audit suggests doing the minimum. However, companies that view CMMC 2.0 as a kick-starter to stop procrastinating about cyber hygiene basics should reap greater benefits.

Performing auditable security reviews on a scheduled basis can provide critical insights not just to improve network security but also to smooth digital convergence.

“You can reconcile your current controls with your risk tolerance, and align your IT risk management programs with your security and business goals,” Jimenez observes.

Raising the bar

In short, CMMC 2.0 is the stick the federal government is using to hammer cybersecurity best practices into the defense department’s supply chain. In doing so, Uncle Sam should, in the long run, raise the cybersecurity bar and cause fundamental best practices to spread across companies of all sizes and in all sectors.

This is much the way we got fire alarms and ceiling sprinklers in our buildings and seat belts and air bags in our cars. In getting us to a comparable level of safety in digital services, managed security services providers (MSSPs) seem destined to play a prominent role.

It was a natural progression for MSSPs to advance from supplying endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment, rife with active threats, it makes perfect sense to have a trusted consultant assume the burden of nurturing specialized analysts and engineers and equipping them with top-shelf tools.

Full-service MSSPs today focus on improving visibility of cyber assets, detecting intrusions, speeding up mitigation and efficiently patching vulnerabilities. This reduces the urgency for companies to have to recruit and retain in-house security teams.

Meeting a dire need

Thus, MSSPs have advanced rapidly over the past five years to meet a need, a trend that only accelerated with the onset of COVID-19. The leading MSSPs today typically maintain crack teams of in-house analysts and engineers myopically focused on understanding and mitigating emerging cyber threats.

They leverage leading-edge, cloud-centric security tools – often by hooking up with best-of-breed partners for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the MSSP trenches helped develop NIST best practices — and continue to help refine them.

MSSPs are increasingly assuming a primary role in mid-sized enterprises for maintaining endpoint security, vulnerability patch management and even things like firewall management and configuration management.

NeoSystems, for its part, offers all these security services, in modular packages, with a focus on eliminating compliance hurdles for federal government contractors. It’s gaining a lot of traction with small businesses and mid-sized enterprises that can’t spare resources to suddenly infuse security into their networks, Jimenez told me.

CMMC 2.0, coming in May 2023, puts defense contractors’ feet to the fire – and it sends a signal to all companies. “It’s the first real, definitive step from the federal government saying this has to be in place, you must have a security posture and it has to be robust,” Jimenez says. “Once it really takes hold, it will be paramount for companies to step into line and make sure that they’re ready for an audit.”

Companies could have, and should have, embraced NIST’s cybersecurity best practices a decade ago. Hopefully, CMMC 2.0 will nudge them forward in the 2020s. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Network security has been radically altered, two-plus years into the global pandemic.

Related: ‘Attack surface management’ rises to the fore

The new normal CISOs face today is something of a nightmare. They must take into account a widely scattered workforce and somehow comprehensively mitigate new and evolving cyber threats.

Criminal hacking collectives are thriving more than ever. Security teams are on a mission to push network defenses to the perimeter edges of an open, highly interconnected digital landscape; the defenders are under assault and running hard to stay one step ahead.

Managed Security Services Providers have been steadily evolving for two decades; they now seem poised to help large enterprises and, especially, small to mid-sized businesses manage their cybersecurity.

The global market for managed security services is estimated to be growing at a compound annual rate of 14 percent and should climb to $44 billion by 2026, up from $23 billion in 2021, says research firm MarketsandMarkets.


“Managed security service providers are rising to meet a need that’s clearly out there,” observes Elizabeth Jimenez, executive director of market development at NeoSystems, an MSP and systems integrator. “We can plug in parts or all of a complete stack of cutting-edge security technologies, and provide the expertise an organization requires to operate securely in today’s environment.”

MSSPs arrived on the scene some 17 years ago to help organizations cope with the rising complexity of their IT infrastructure. The focus in those early days was on compliance and device management. MSSPs have since broadened and advanced their services, a trend that continued as cloud migration gained momentum in the 2010s — and then accelerated with the onset of COVID-19.

Today, it’s feasible for an enterprise or SMB to outsource just about any facet of their security program — much the same as outsourcing payroll or human services functions.

I’ve had a couple of deep discussions about this trend with NeoSystems. The company is based in Washington D.C. and one of its specialties is helping government contractors continuously monitor and manage their networks, systems and data. For more info, visit neosystemscorp.com.

A drill-down on MSSPs is coming tomorrow in a news analysis column and podcast. Stay tuned.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.



Web application attacks directed at organizations’ web and mail servers continue to take the lead in cybersecurity incidents.

Related: Damage caused by ‘business logic’ hacking

This is according to Verizon’s latest 2022 Data Breach Investigations Report (DBIR).

According to the report’s findings, stolen credentials and exploited vulnerabilities are the top reasons for web breaches. This year, the leading causes were:

•A whopping 80 percent were due to stolen credentials (nearly a 30 percent increase since 2017!)

•Exploited vulnerabilities were the second leader at almost 20 percent

•Brute forcing passwords (10 percent) came in third

•Backdoors or C2 (10 percent) came in fourth

Poor password practices have been responsible for most incidents involving web applications and data breaches since 2009. Password security may seem like a simple solution for a huge problem, but it may be difficult to successfully implement in practice. Ignoring it, on the other hand, can lead to complications such as an unwarranted data breach.

Without strong, secure passwords or two-factor authentication (2FA) enabled in an organization or startup, it becomes easy for attackers to use stolen credentials to access its web and email servers.

Consequently, sensitive data can become compromised, ending up in the wrong hands. In 2022, 69 percent of personal data and 67 percent of credentials became compromised in a web breach. This data strongly indicates that password management and 2FA are crucial for any organization or startup to become more secure from web attacks.

We’ve shared some helpful guidance on password security at Zigrin Security blog.

Shifting exposures

The landscape of the cyber domain is in flux. Money-motivated cybercriminals are no longer the main attackers on the web as a rise in nation-state attackers motivated by espionage comes in a close second for dominating web breaches.

Moreover, 65 percent of web breaches are motivated by financial gains, and 31 percent are due to espionage motives. Both types of attackers target organizations, often those with weak credentials.

Strong password security for any organization or startup can avoid and reduce the number of attacks via default, shared, or stolen credentials on the web.

“From the chart, it is evident that many intrusions exploit the basic (mis)management of identity. Unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire Hacking category and over half of all compromised records. It is particularly disconcerting that so many large breaches stem from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented.” (2009 DBIR page 17) 

It’s not just a web thing. It’s an e-mail thing too. Although web servers constitute nearly 100 percent of web breaches, 20 percent of mail servers have been compromised in web breaches recently.

Interestingly, 80 percent of mail servers became compromised due to stolen credentials too, and 30 percent were due to an exploit – a 27 percent jump from 2021, when it was only 3 percent. Among those exploits, the most popular seem to target SQL injection vulnerabilities. Other reasons mail servers became breached are:

•Improperly constrained or misconfigured access control lists (ACLs)

•Authentication bypass

•Privilege escalation

•Brute forcing passwords

The need to guard identities

In conclusion, stolen credentials are the main threat to an organization’s or startup’s infrastructure – primarily web servers and mail servers – and attackers frequently leverage them for financial gain and espionage: stolen credentials were responsible for 80 percent of web and mail server breaches, a 30 percent increase since 2017.

Brute force remained near the top of the list, as well. That indicates that password management and 2FA are critical for organizations and startups to mitigate these threats, reducing web breaches to a great extent. Securing web and mail servers from exploitable vulnerabilities that attackers can leverage is just as important when the rise of web breaches increasingly makes organizations and startups more vulnerable.

For more details on how to secure your organization or startup from web attacks go to https://zigrin.com/services

About the essayist: Dawid Czarnecki is CEO of Zigrin Security. He has served as a senior penetration tester at NATO Cyber Security Centre and holds numerous cybersecurity certifications, including OSCP, GIAC Certified Incident Handler, and GIAC Certified Web Application Defender (GWEB). He is also a member of the GIAC Advisory Board.

Short-handed cybersecurity teams face a daunting challenge.

Related: ‘ASM’ is cybersecurity’s new centerpiece

In an intensely complex, highly dynamic operating environment, they must proactively mitigate myriad vulnerabilities and at the same time curtail the harm wrought by a relentless adversary: criminal hacking collectives.

In short, attack surface management has become the main tent pole of cybersecurity. A rock-solid, comprehensive battle plan has been painstakingly laid out, in the form of the NIST Cybersecurity Framework. And now advanced weaponry is arriving that leverages data analytics to tighten up systems and smother attacks.

Guest expert: Justin Fier, VP Tactical Risk and Response, Darktrace

One supplier in the thick of this development is Cambridge, UK-based Darktrace, a supplier of security systems designed to help companies “think like an attacker,” says Justin Fier, Darktrace vice-president of tactical risk and response, whom I had the chance to visit with at Black Hat 2022.

We discussed how legacy, on-premises cybersecurity systems generate massive amounts of telemetry – data which is perfectly suited for high-scale, automated data analytics. This is why it makes so much sense for artificial intelligence, generally, to be brought to bear in attack surface management.

Darktrace’s AI solutions, for instance, can help companies rein in API exposures, defuse shadow IT, protect their supply chain and even boost DevSecOps, Fier told me. For a full drill down on our conversation, please give the accompanying podcast a listen.

What’s going to happen as more of these advanced, AI-infused cybersecurity weapons get into the mix on the side of the good guys? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.



Migrating to and utilizing cloud environments – public, hybrid, or multi – is a source of real investment and positive change for businesses. Cloud is the powerhouse that drives digital organizations.

Related: Cloud security frameworks take hold

Gartner predicts that spending on public cloud alone is set to top $500 billion in 2022 – a 20% growth over last year. But often overlooked in the migration process is the significance of a company’s embedded security measures.

For cloud migration programs to succeed in both the short and long-term, organizations must have an established cloud security policy to guide operations in the cloud, identify and mitigate vulnerabilities, and defend against cyberattacks – before a single byte is migrated.

But where should you begin? Following these steps will help you lay the foundation for a secure and sustainable cloud strategy.

•Design with security first. Although moving to the cloud should follow a standardized approach, the order of operations is often prioritized in favor of rapid results, not security. When security becomes an afterthought, best practices are overlooked, mistakes are made, and vulnerabilities are introduced that can result in significant risk, cost and breaks later.

By considering security first (not a detail to be added on later) and fully grasping cloud technology and risk exposure, your organization can ensure that the cloud architecture is secure before any data is migrated off-premises. It may slow the start but designing with security-first in mind can save you a lot of trouble down the road. For example, companies must plan to secure the perimeter with access protocols and controls – something that is very hard to do once systems are in use.

•Avoid using the same security measures as you do on-premises. Security controls will be a major aspect of your cloud security policy. While it’s essential to consider the security measures you use on-premises – don’t simply replicate them in the cloud. Instead, assess the security controls of your cloud vendor, specifically their identity and access management offerings – both of which increase security and convenience, if done right.

•Adopt a layered approach. A multi-layered defense is an essential component of any winning cloud cybersecurity posture. From the simplest protections like anti-virus, multi-factor authentication, patch management software, and employee security awareness training to the most advanced features like SIEM and conditional access, adding layers provides a vital safety net should something fall through the cracks.

As the business grows and new threats emerge, you can evolve and layer in additional controls as needed. The trick is not to go tool-crazy. Visibility into your cloud security posture is critical, but if it takes an army to sift through dashboards and alerts, things can quickly become unmanageable. Layer, but ensure good integrations of security information across your controls for full-stack observability.

•Know where your data resides – and what’s most critical. Knowing where your cloud data is stored (especially your most sensitive data) can help inform your security policies and meet compliance obligations, such as keeping data within domestic borders. As you craft your cloud security policy, ask your provider where your data is located geographically and if it is likely to be moved around different data centers to reduce latency, meet SLAs, or mitigate data loss.

What controls are in place to protect data as it moves? Also, prioritize which kinds of data are most important. By identifying the “crown jewels” in your data, you’ll be able to make better decisions on tools, time and talent regarding your security program. After all, if you don’t know what or where your most sensitive data is stored, you can’t protect it.

•Revisit your policy often. At a minimum, plan to review your cloud security policy annually. However, if you plan several digital transformation projects or operate in an agile environment where applications are developed or updated rapidly, such as two-week sprints, consider tying your policy review to your rate of change. This will also likely be a compliance-related need as regulations – such as the new proposed SEC rules – take shape.

•Make it sustainable. A cloud security policy can help keep cloud data protected and improve your ability to respond to threats quickly. But these measures must also be sustainable. You can’t reap the benefits of the cloud if you don’t make security a priority from the start. And for that you must cultivate a security-first mindset to migrations and future digital transformation.

About the essayist: Steve Schoener is Chief Technology Officer at ECI. Prior to ECI, he was head of IT for DW Investment Management in New York; he also previously was at UBS Investment Bank as an associate director. Schoener holds a computer science degree from State University of New York at Albany.

The identity management market has grown to $13 billion and counting. While intuition would tell you enterprises have identity under control, that is far from reality.

Related: Taking a zero-trust approach to access management

Current events such as the global pandemic and ‘The Great Resignation’ have accelerated cloud adoption, remote working environments, and the number of business applications and systems in use, which has complicated matters.

As a result, new solutions and features to address identity challenges have emerged. In a sense, this is a positive trend: change makers are innovating and trying to stay ahead of imminent threats.

On the other hand, there’s a good deal of snake oil on the market, making it hard for organizations to realize the value of their tech investments. Last, and perhaps most significant, many solutions don’t work together harmoniously, making it hard for employees to get work done.

When you consider these points, it’s understandable why businesses end up with too many solutions to effectively manage, or simply default to manual, inefficient processes to address identity- and security-related tasks. But for progress to happen, we must first get to the root of why this is happening.

New research from Gradient Flow’s “2022 Identity Management Survey” aims to do this. From the findings, here are five ways leaders can improve their approach to identity management and security.

•Take stock of vendor relationships. A majority (54 percent) of survey respondents with IT job functions indicated that they work with several vendors for security functions including identity governance, risk, compliance, single sign-on, PAM, and security operations.

It’s reasonable that businesses will work with multiple vendors to address specific security issues. However, leaders would be wise to consider where they can scale back or consolidate. A good first step is to explore new features within existing tech systems in place.

•Reduce unnecessary applications and systems. Using 10 or more business applications weekly is the norm for approximately a quarter of survey respondents. Remote work (think video conferencing and cloud migrations) has only exacerbated the number of systems employees frequent.

Yet over 40% of knowledge workers queried expect a high productivity boost from using fewer applications or systems. Leaders must find ways to streamline tasks or boost functionality to help reduce context-switching’s effect on productivity.

•Prioritize user experience. User experience (UX) was the top challenge across most segments surveyed. Nearly half of respondents indicated that identity solutions need to provide better interfaces and allow people to work productively and securely. Jumping on new tech systems is not the solution.

Rather, leaders should extend functionality within systems employees are already familiar with. This is likely a reason that 47 percent of respondents use IT Service Management (ITSM) or workforce management platforms to govern things like permissions and entitlements. This approach requires no training and frees up IT teams for more important projects.

•Reduce management time. For all segments surveyed, granting and removing access took a few hours. That’s valuable time lost for onboarding new employees and too much time for your sensitive data to be vulnerable with those on their way out. In terms of identity tasks, this one is fairly cut and dried, and as such, should be automated when possible.

This also gives organizations real-time visibility into who is coming and going, and who does and doesn’t have access to certain company systems and assets in the case of an audit.

•Take AI hype with a grain of salt. In the vein of automation, artificial intelligence (AI) has been heavily hyped up in the technology world, but it may be too early to see the benefits in identity management. While two-thirds of respondents cited using AI, less than a third yielded moderate to high benefits for their efforts.

However, ITSM can help with this, as it provides organizations with the quantity and quality of data needed—that most are lacking—to execute successful AI and machine learning initiatives.

We still have a long way to go to optimize identity management and security, but understanding the triumphs, challenges, tools, and practices to approach it in a more strategic, beneficial way is helpful. With knowledge comes power, and with this research, we have the power to implement better approaches for identity management and beyond.

About the essayist: Jackson Shaw is chief strategy officer at Clear Skye, an Identity Governance and Administration (IGA) software company focused on enterprise identity access and risk management.

What is it about the elderly that makes them such attractive targets for cybercriminals? A variety of factors play a role.

Related: The coming of bio-digital twins

Unlike many younger users online, they may have accumulated savings over their lives — and those nest eggs are a major target for hackers. Now add psychological variables to the mix of assets worth stealing.

Perhaps elderly folks who haven’t spent a lot of time online are easier to deceive. And, let’s be honest, the deceptive writing that phishing attacks and other cyber threats employ today is skilled enough to fool even the most trained, internet-savvy experts.

Ever present threats

Some of our elderly may be concerned that any hint of weakness will convince their relatives that they can no longer live alone. Thus hackers rely on them not revealing they’ve been duped. That said, here are what I consider to be the Top 5 online threats seniors face today:

•Computer tech support scams. These scams take advantage of seniors’ lack of computer and cybersecurity knowledge. A pop-up message or blank screen typically appears on a computer or phone, informing you that your system has been compromised and requires repair.

When you contact the support number for assistance, the scammer may ask for remote access to your computer and payment to repair it. Once they get remote access, fraudsters hack confidential details of older adults and scam them. According to the Federal Trade Commission (FTC), seniors lost $500 each on computer tech assistance scams in 2018.

•Internet and email fraud. While surfing the Internet is a valuable skill at any age, some older persons have a slower adoption rate, making them ideal candidates for automated Internet scams common on the web and in email applications.

Pop-up browser windows imitating virus-scanning software will trick users into installing either a false anti-virus program (at a high fee) or an actual virus that will give scammers access to whatever information is on the user’s computer. Seniors are especially vulnerable to such traps since they are inexperienced with the less obvious components of web browsing.

Phishing emails and messages may appear to come from a company you’re familiar with or trust, such as a credit card company or a bank. Phishing emails may ask for personal information like a log-in or Social Security number to authenticate your account, or they may urge you to share your credit card payment details. The senders then use what you provide to steal your personal and financial information.

•Identity theft. Identity theft can happen online, over the phone, or without the victim’s knowledge by stealing the victim’s information. A criminal exploiting someone’s medical or insurance details to make fraudulent claims is known as medical identity theft.

They can either use the data to charge the services or steal the cash. In each case, the victim is liable for thousands of dollars. Because the scammer’s health records are linked to the victim’s information, it may not be easy to qualify for insurance in the future.

Scams involving the Social Security Administration aren’t new, but they’re becoming more active and dangerous. In this type of attack, fraudsters inform the victim that their Social Security number has been used fraudulently and threaten to put them in jail if they do not comply with specific requests. If they successfully obtain the victim’s PII, they will be able to steal their Social Security benefits.

•Romance Scam. Online platforms are an excellent place for many seniors to connect and interact with new people. However, cybercriminals use this as a playground, and they use these online portals to play with the emotions of older adults.

An elderly victim is duped into believing they have a trusting relationship with the actor in this crime. The perpetrator, who may pose as the victim’s grandson or love interest, takes advantage of this connection to persuade the victim to share financial information, give money, purchase expensive presents, or unwittingly launder money. This enormously horrific cybercrime primarily targets older women and freshly widowed individuals.

•Debt relief scams. Seniors often worry about their debts, and fraudsters take advantage of that. They create fake websites to provide debt settlement services. They ask seniors to give their financial details and pay upfront fees.

Be aware, be prepared

Don’t be frightened or humiliated to tell someone you trust if you feel you’ve been a scam victim. You are not the only one, and resources are available to assist you. Doing nothing will aggravate the situation. Keep a list of phone numbers and services ready, such as your local police department, your bank, and Adult Protective Services. They will help you out.

About the essayist: Lyle Solomon has extensive legal experience as well as in-depth knowledge and experience in consumer finance and writing. He has been a member of the California State Bar since 2003. He graduated from the University of the Pacific’s McGeorge School of Law in Sacramento, California, in 1998, and currently works for the Oak View Law Group in California as a Principal Attorney.

Writing code can be compared to writing a letter.

Related: Political apps promote division

When we write a letter, we write it in the language we speak — and the one that the recipient understands. When writing code, the developer does it in a language that the computer understands, that is, a programming language. With this language, the developer describes a program scenario that determines what the program is required to do, and under what circumstances.

If we make mistakes or typos in the text of the letter, its content becomes distorted. Our intentions or requests can get misinterpreted. The same thing happens when the developer makes errors in the code, resulting in inadvertent vulnerabilities.

Then the operating scenarios of the system become different from those originally intended by the software developer. As a result, the system can be brought into a non-standard condition, which was not provided for by the software developer. Thus, an attacker can manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of hacking online applications. Suppose we have an online service, an online bank, for instance. We enter our login and password to sign in. In a SQL injection attack the intruder inserts malicious code into the lines that are sent to the server for analysis and execution. With a user account, the attacker can bring the system into an abnormal condition and get access to other users’ accounts.

Of course, the developer never intended for the system to be used in such a way. Yet when writing the code, the developer made mistakes that led to the vulnerabilities which made such abuse possible.
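The login scenario described above, as an added example that is not part of the original essay: the same check written with the developer mistake (input concatenated into the SQL text) and with the fix (placeholders). The table, the account names and the function names are assumptions made up for this illustration, using Python's built-in sqlite3 module.

```python
import hashlib
import sqlite3


def hash_pw(password):
    # Plain SHA-256 keeps the demo short; a real service would use a
    # salted, deliberately slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Build an in-memory table holding two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    for login, password in [("alice", "alice-pass"), ("bob", "bob-pass")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (login, hash_pw(password)))
    return conn


def login_vulnerable(conn, login, password):
    """Developer mistake: user input is pasted into the SQL text."""
    query = ("SELECT login FROM users WHERE login = '" + login +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, login, password):
    """Fix: placeholders keep input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND pw_hash = ?",
        (login, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed input: the quote ends the string literal and "--" turns the
# password check into a comment, so the query no longer means what the
# developer intended.
CRAFTED_LOGIN = "bob' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, CRAFTED_LOGIN, "wrong"))
    print("safe:      ", login_safe(db, CRAFTED_LOGIN, "wrong"))
```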

More code, more risk

Information systems are becoming more complex; therefore, the amount of code is increasing as well. A new mobile app, for instance, requires as many lines of code as a 15-year-old Linux kernel. At the same time, nowadays developers seldom write code from scratch. They put in ready-made code pieces, i.e. microservices assembled in software containers, and then add 10 to 20 percent more to create the new app.

In turn, the larger the amount of code, the higher the risk of errors that will lead to vulnerabilities. To prove it, I’ll tell you about an interesting case. We have tested a thousand popular mobile apps on a set of parameters, compliance with which, according to our estimates, determines the security of the application.

It turned out that the average security level is 2.2 points out of the maximum 5. The only thing that saves the apps from massive attacks is that exploiting vulnerabilities in mobile applications without going deep into their server part is quite expensive and time-consuming. That’s why not all attackers are ready to do this.

Continuing the analogy of writing texts, in the past, when an author wrote a book or a journalist prepared a newspaper article, their texts used to be necessarily proofread by a copy editor, a person who checked for errors and inconsistencies. Nowadays, copy editors still exist, yet their job has become optional.

The role of automation

The fact of the matter is that people have learned to partially computerize this job, building automatic checks into computer programs to detect errors and typos. These automatic checks have gradually become more complex and in-depth. Specialized software now checks style and semantics, as well as spelling.

The same thing happened to code writing. We now have quite smart systems, such as program code analyzers, that can detect inconsistencies, vulnerabilities, and breaches in the written code.

They can be used in two modes depending on the amount of code. If the amount of the developed code is small, you can run the check manually. If we are talking about multi-level code development involving hundreds of developers, and the amount of code written is tens of thousands of lines per day, it is much more effective to run secure development processes (DevSecOps, Secure SDLC) with a code analyzer as their core.

To explain the mechanism of such processes through the above analogy, imagine a whole workgroup of copy editors. They have a hierarchy and algorithms defining the sequence the copy editors follow when proofreading, the requirements a text should meet, and the cases when a text must be sent back to be revised. The same is true for secure development processes and software before its release.
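A much-simplified sketch of the kind of check a code analyzer runs and how a release pipeline can act on it, added here as an illustration; it is not DerScanner's or any real analyzer's code. The sample source, the function names and the rule (flag execute() calls whose SQL is assembled from runtime values) are assumptions.

```python
import ast

# Constructed sample code to analyse; only find_item uses placeholders.
SAMPLE_SOURCE = '''
def find_user(cur, login):
    cur.execute("SELECT id FROM users WHERE login = '" + login + "'")

def find_order(cur, order_id):
    cur.execute(f"SELECT * FROM orders WHERE id = {order_id}")

def find_invoice(cur, number):
    cur.execute("SELECT * FROM invoices WHERE number = %s" % number)

def find_item(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = ?", (sku,))
'''

DYNAMIC_PARTS = (ast.Name, ast.Attribute, ast.Call, ast.Subscript)


def builds_string_from_input(node):
    """True if the expression mixes a string literal with runtime values."""
    if isinstance(node, ast.JoinedStr):  # f"... {value} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.Call):  # "...".format(value)
        f = node.func
        return (isinstance(f, ast.Attribute) and f.attr == "format"
                and isinstance(f.value, ast.Constant))
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        parts = list(ast.walk(node))  # "..." + value  or  "..." % value
        has_literal = any(isinstance(p, ast.Constant) and isinstance(p.value, str)
                          for p in parts)
        return has_literal and any(isinstance(p, DYNAMIC_PARTS) for p in parts)
    return False


def scan(source):
    """Return (line, code) for each execute() call whose SQL is assembled."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in {"execute", "executemany"} and node.args
                and builds_string_from_input(node.args[0])):
            findings.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(findings)


def release_gate(source):
    """Pipeline decision: True lets the build through, False sends it back."""
    return not scan(source)


if __name__ == "__main__":
    for line, code in scan(SAMPLE_SOURCE):
        print(f"line {line}: SQL built from input: {code}")
    print("release allowed:", release_gate(SAMPLE_SOURCE))
```

A check this small only sees SQL built directly inside the call; following a string that was first assigned to a variable takes data-flow analysis.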

This is the world of software vulnerabilities we live in today. It requires awareness and diligence to keep secure.

About the essayist: Dan Chernov is CTO of DerSecur which supplies DerScanner, a static app code analyzer capable of identifying vulnerabilities and undocumented features in Google Android, Apple iOS, and Apple macOS.

The zero trust approach to enterprise security is well on its way to mainstream adoption. This is a very good thing.

Related: Covid 19 ruses used in email attacks

At RSA Conference 2022, which takes place next week in San Francisco, advanced technologies to help companies implement zero trust principles will be in the spotlight. Lots of innovation has come down the pike with respect to imbuing zero trust into two pillars of security operations: connectivity and authentication.

However, there’s a third pillar of zero trust that hasn’t gotten quite as much attention: directly defending data itself, whether it be at the coding level or in business files circulating in a highly interconnected digital ecosystem. I had a chance to discuss the latter with Ravi Srinivasan, CEO of Tel Aviv-based Votiro which launched in 2010 and has grown to  .

Votiro has established itself as a leading supplier of advanced technology to cleanse weaponized files. It started with cleansing attachments and weblinks sent via email and has expanded to sanitizing files flowing into data lakes and circulating in file shares. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.

Digital fuel

Votiro’s new cloud services fit as a pillar of zero trust that is now getting more attention: directly protecting digital content in and of itself. Zero trust, put simply, means eliminating implicit trust. Much has been done with connectivity and authentication. By contrast, comparatively little attention has been paid to applying zero trust directly to data and databases, Srinivasan observes. But that needs to change, he says. Here’s his argument:

Companies are competing to deliver innovative digital services faster and more flexibly than ever. Digital content creation is flourishing with intellectual property, financial records, marketing plans and legal documents circulating within a deeply interconnected digital ecosystem.

Digital content has become the liquid fuel of digital commerce—and much of it now flows into and out of massive data lakes supplied by Amazon Web Services, Microsoft Azure and Google Cloud. This transition happened rapidly, with scant attention paid to applying zero trust principles to digital content.

However, a surge of high-profile ransomware attacks and supply chain breaches has made company leaders very nervous. “I speak to a lot of security leaders around the world, and one of their biggest fears is the rapid rise of implementing data lakes and the fear that the data lake will turn into a data swamp,” Srinivasan says.

Votiro’s technology provides a means to sanitize weaponized files at all of the points where threat actors are now trying to insert them. It does this by permitting only known good files into a network, while at the same time extracting unknown and untrusted elements for analysis. Votiro refined this service, cleansing weaponized attachments and web links sent via email, and has extended this service to cleansing files as they flow into a data lake and as they circulate in file shares.

Exploiting fresh gaps

As agile, cloud-centric business communications have taken center stage, cyber criminals quite naturally have turned their full attention to inserting weaponized files wherever it’s easiest for them to do so, Srinivasan observes. As always, the criminals follow the data, he says.

“The trend that we’re seeing is that more than 30 percent of the content flowing into data lakes is from untrusted sources,” he says. “It’s documents, PDFs, CSV files, Excel files, images, lots of unstructured data; we track 150 different file types . . . we’re seeing evasive objects embedded in those files designed to propagate downstream within the enterprise.”

This is the dark side of digital transformation. Traditionally, business applications tapped into databases kept on servers in a temperature-controlled clean room — at company headquarters. These legacy databases were siloed and well-protected; there was one door in and one door out.

Data, i.e. coding and content, today fly around intricately connected virtual servers running in private clouds and public clouds. As part of this very complex, highly distributed architecture, unstructured data flows from myriad sources into and back out of partner networks, cloud file shares and data lakes. This in-flow and out-flow happens via custom-coded APIs configured by who knows whom.

Votiro’s cleansing scans work via an API that attaches to each channel of content flowing into a data lake. This cleansing process is shedding light on the fresh security gaps cyber criminals have discovered – and have begun exploiting, Srinivasan says.

Evolving attacks

He told me about this recent example: an attacker was able to slip malicious code into a zip file sent from an attorney to a banking client in a very advanced way. The attacker managed to insert attack code into a zip file contained in a password-protected email message – one that the banker was expecting to receive from the attorney.

At a fundamental level, this attacker was able to exploit gaps in the convoluted matrix of interconnected resources the bank and law firm now rely on to conduct a routine online transaction. “Bad actors are constantly evolving their techniques to compromise the organization’s business services,” Srinivasan says.

Closing these fresh gaps requires applying zero trust principles to the connectivity layer, the authentication layer — and the content layer, he says. “What we’re doing is to deliver security as a service that works with the existing security investments companies have made,” Srinivasan says. “We integrate with existing edge security and data protection capabilities as that final step of delivering safe content to users and applications at all times.”

It’s encouraging that zero trust is gaining material traction at multiple layers. There’s a lot more ground to cover. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)