To get network protection where it needs to be, legacy cybersecurity vendors have begun reconstituting traditional security toolsets.

The overarching goal is to try to derive a superset of very dynamic, much more tightly integrated security platforms that we’ll very much need, going forward.

Related: The rise of security platforms

This development has gained quite a bit of steam over the past couple of years, with established vendors of vulnerability management (VM), endpoint detection and response (EDR) and identity and access management (IAM) solutions in the vanguard.

And this trend is accelerating as 2023 gets underway. DigiCert’s launch today of Trust Lifecycle Manager is a case in point. I had the chance to get briefed on this all-new platform, which gives companies a way to comprehensively manage their public key infrastructure (PKI) implementations and the digital certificates those implementations issue.

I visited with Brian Trzupek, DigiCert’s senior vice president of product. DigiCert is best known as a Certificate Authority (CA) and a supplier of PKI management services. We drilled down on why getting a much better handle on PKI has become vital in a massively interconnected operating environment. DigiCert’s new solution is designed to “unify PKI services, public trust issuance and CA-agnostic certificate lifecycle management,” he told me.

Here are the main takeaways from our discussion:

PKI sprawl

Where would we be without PKI, the framework used to issue and manage digital certificates? We’ve come to rely on PKI to authenticate and encrypt connections to websites and mobile apps, as well as the internal, machine-to-machine and company-to-company traffic that supports the digital services we now take for granted.

PKI is robust and ubiquitous; and it’s destined to serve that same essential role — as a linchpin validation and authentication mechanism – the further we progress into massively interconnected, highly interoperable digital services.

First, however, PKI sprawl must be mitigated, Trzupek argues. The problem looks something like this, he says: in today’s operating environment, certificates are presented moment to moment from myriad sources: by web portals and mobile apps; between cloud and on-premises infrastructure; up and down the software development supply chain. What’s more, those certificates can be issued by different public CAs, by component manufacturers, or internally by the enterprise’s own private CA.


“You’ve got this big, dynamic spaghetti of stuff coming into the network and interacting, using PKI to authenticate and there is very little the enterprise actually controls,” Trzupek observes. “Oftentimes, the company doesn’t even realize all of these PKI interactions are taking place until something breaks and there’s an outage.”

Outages and attacks

DigiCert’s newest service, Trust Lifecycle Manager, tackles this chaos of connections head on by establishing a hub in which every certificate in use, whichever CA issued it, can be inventoried and continually managed.

The reduced risk of a major outage caused by an expiring digital certificate alone should grab attention. Just ask Epic Games: an expired certificate triggered an outage that took Fortnite, its cash-cow video game, dark for several hours.

And then there’s the risk of ransomware purveyors or a nation-state-backed spy finding and exploiting a weak seam in an obscure PKI dependency, instigating a nightmare scenario. Just ask SolarWinds.

The SolarWinds attackers, believed to be Russian-backed, gained control of the build process that SolarWinds used to create and automatically issue software updates for its bread-and-butter Orion network management tool. Because the backdoor was injected before the build was signed, the poisoned update carried SolarWinds’ own valid code-signing signature, and every customer’s PKI-based trust in that signature worked in the attackers’ favor. The trojanized update reached roughly 18,000 Orion customers; the attackers then singled out a much smaller set of them for hands-on follow-up intrusions.

PKI outages and attacks happen much more often than gets publicly disclosed, Trzupek says. The fundamental reason, he says, is that there is still no practical way to compile a comprehensive PKI inventory across a typical enterprise.

“The guy who’s running identity access management is different than the guy in charge of encryption or the guy running DevOps,” he says. “And they’re not talking to each other . . . the encryption guys might be well-versed in PKI management policy, but the DevOps guys probably aren’t – and even if they were, they’re focused on getting code out and moving workloads as fast as possible.”
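To make the inventory problem concrete, here is an added example (an editor’s illustration, not DigiCert’s code and not what Trust Lifecycle Manager does internally): a stdlib-only Python DER walker that pulls issuer, subject and validity window out of X.509 certificates and raises the two flags discussed above, a certificate nearing expiry and a certificate issued by a CA the enterprise never sanctioned. The sample certificates, the issuer allow-list, the hostnames and the fixed clock are all constructed for the example; the sample certificates carry a real Certificate/TBSCertificate structure but no key and no signature, so they parse like the real thing without being usable for anything else. The reader side handles both UTCTime and GeneralizedTime and the optional version field, so it works on real DER certificates as well.

```python
"""Inventory X.509 certificates from DER: who issued them, for whom, and when they
expire. Stdlib only. The sample certs are constructed: real structure, no key/signature."""
import datetime as dt

UTC = dt.timezone.utc

# --- minimal DER encoder, used only to build the constructed sample certs ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                            # long-form length
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { OID 2.5.4.3 (commonName), UTF8String }
    return _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0c, cn.encode()))))

def _time(t):
    # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 on
    if t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())

def skeleton_cert(issuer_cn, subject_cn, not_before, not_after):
    """Constructed sample: structurally valid certificate, empty SPKI and signature."""
    sha256_rsa = _seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _tlv(0x05, b""))
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),             # [0] EXPLICIT version v3
        _tlv(0x02, b"\x01"),                         # serialNumber
        sha256_rsa,                                  # signature algorithm
        _name(issuer_cn),
        _seq(_time(not_before), _time(not_after)),   # validity
        _name(subject_cn),
        _seq(),                                      # subjectPublicKeyInfo placeholder
    )
    return _seq(tbs, sha256_rsa, _tlv(0x03, b"\x00"))  # empty signatureValue

# --- DER reader: just enough X.509 to pull identity and validity out of any cert ---
def _read(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        nb = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + n], pos + n

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out

def _cn(name_body):
    for _, rdn in _children(name_body):              # each RDN is a SET
        for _, atv in _children(rdn):                # AttributeTypeAndValue SEQUENCE
            oid, val = _children(atv)
            if oid[1] == b"\x55\x04\x03":            # id-at-commonName
                return val[1].decode()
    return "?"

def _parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)

def inspect(der):
    _, cert_body, _ = _read(der, 0)
    fields = _children(_children(cert_body)[0][1])   # TBSCertificate fields
    if fields[0][0] == 0xA0:                         # optional explicit version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = _children(validity[1])
    return {"serial": int.from_bytes(serial[1], "big"),
            "issuer": _cn(issuer[1]), "subject": _cn(subject[1]),
            "not_before": _parse_time(*not_before), "not_after": _parse_time(*not_after)}

def inventory(certs, trusted_issuers, now, warn_days=30):
    """One row per cert, plus the two flags a lifecycle hub would raise."""
    rows = []
    for der in certs:
        row = inspect(der)
        row["days_left"] = (row["not_after"] - now).days
        row["expiring"] = row["days_left"] < warn_days
        row["untrusted_issuer"] = row["issuer"] not in trusted_issuers
        rows.append(row)
    return rows

# Constructed sample data: fixed clock, hypothetical issuer names and hosts.
NOW = dt.datetime(2023, 1, 10, tzinfo=UTC)
TRUSTED_ISSUERS = {"Public CA G2", "Example Corp Issuing CA"}
SAMPLES = [
    skeleton_cert("Public CA G2", "www.example.com",
                  NOW - dt.timedelta(days=300), NOW + dt.timedelta(days=65)),
    skeleton_cert("Example Corp Issuing CA", "api.internal.example",
                  NOW - dt.timedelta(days=360), NOW + dt.timedelta(days=5)),
    skeleton_cert("Dev Laptop Self-Signed", "build-agent-07",
                  NOW - dt.timedelta(days=10), dt.datetime(2053, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for r in inventory(SAMPLES, TRUSTED_ISSUERS, NOW):
        flags = " ".join(f for f in ("expiring", "untrusted_issuer") if r[f])
        print(f"{r['subject']:22} issuer={r['issuer']!r:27} "
              f"expires={r['not_after']:%Y-%m-%d} days_left={r['days_left']:>5} {flags}")
```

Run as written, the report shows the internal API certificate with five days left and the build agent’s self-signed certificate from an issuer nobody approved. The useful part is what feeds `inventory()`: DER bytes have to be collected from wherever certificates actually live (TLS listeners, keystores, container images, CI secrets, device firmware), and the report is only as complete as that collection, which is exactly the gap Trzupek describes.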

Taking a platform approach

With Trust Lifecycle Manager, DigiCert is making a lane change from a product company to a platform company. The new offering is a service designed to foster centralized monitoring and management of all digital certificates throughout an enterprise, whichever CA issued them. To start, DigiCert is partnering with Microsoft Azure, Amazon Web Services and Google Cloud to ingest the certificate telemetry generated by those top-tier cloud infrastructure providers.

On the horizon, Trust Lifecycle Manager will be able to receive and process PKI-related telemetry originating from just about any private or public source, Trzupek told me.

“We already have about 100 integrations and later this year we’ll be opening up publicly so that anybody can come in and ride on top of the system,” Trzupek says.

By leveraging APIs, DigiCert intends to make it possible to “glue in without any help from us,” he says. “The idea is to create a centralized hub where you can see all those digital trust assets across the environment, regardless of where they are.”

The Internet of Everything lies ahead — and brims with promise. A radical new approach, supported by bold new security platforms, coming at it from several angles, must take hold. That’s how we’ll be able to protect company networks, and preserve individual privacy, in a massively interconnected, highly interoperable digital world.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


As the world becomes more digital and connected, it is no surprise that data privacy and security are a growing concern for small and medium-sized businesses (SMBs).

Related: GDPR sets new course for data privacy

Large corporations tend to have the resources to deal with compliance issues. SMBs, however, can struggle with the expense and execution of complying with the data protection laws of the many countries in which they do business.

Organizations with 500 or fewer employees have many positive attributes, such as the ability to make fast decisions and avoid the bureaucracy that slows down larger enterprises. But the same lean structure can be a disadvantage, as SMBs often lack the resources and expertise to keep up with complex regulations.

Let’s look at some of the challenges faced by SMBs in today’s data privacy landscape.

Scarce resources

It’s often difficult for small businesses to invest significantly in data privacy compliance or security measures because they don’t have large budgets. In fact, many SMBs have to choose between investing in new technology and making payroll. This can make it difficult for them to keep up with the latest security measures and technologies that could protect their data or prevent a breach.


An SMB may not have the time or resources to properly implement the robust security policies and procedures needed to comply with numerous regulations. That means there will likely be gaps in their data protection measures that could leave them vulnerable to cyberattacks.

It should be no surprise that data security regulations are on the rise, and regulatory pressure on SMBs to protect their employees’ and customers’ sensitive data is growing with them. For instance, handling the personal data of European suppliers, partners or customers requires taking steps toward GDPR compliance, whether or not the business itself is based in Europe.

DPIA starting point

A Data Protection Impact Assessment, or DPIA (the GDPR’s term; it is often called a data privacy impact assessment), is a formal assessment of the privacy risks of your data processing activities. Article 35 of the GDPR makes it mandatory for any processing likely to result in a high risk to individuals. The purpose of conducting a DPIA is to identify and assess the potential impact of your proposed processing operations on individuals’ rights and freedoms.

A DPIA requires a thorough review of any personal data collected and stored, including who specifically controls the data and who has access to it at any given time. It also takes into consideration why the data was collected in the first place and why it is retained; in short, it examines numerous parameters related to collecting and holding personal data. It is not a one-off exercise either: the assessment has to be revisited whenever the processing changes in a way that alters the risk.

Paths to compliance

By performing this type of assessment, businesses can better understand their responsibilities for protecting personal information, as well as their ability to meet them. This should naturally lead an SMB to put plans in motion to achieve compliance by embracing robust cyber hygiene policies and procedures.

There are many kinds of tools and services that can help an SMB down this path. The core idea is to help the company continually improve how it monitors data flows and trains staff to be alert to cyber threats, so that suspicious network activity is identified before it becomes a problem.

Data protection is an ongoing process. DPIAs can get an SMB off to a good start. But maintaining a security posture that not just meets compliance but effectively protects the organization over the long run is a never ending task. It’s important to continually assess security posture and take corrective action when necessary.

Neumetric helps organizations perform DPIAs as well as numerous other types of cybersecurity and cyber risk assessments, and provides security awareness training for employees. Our services revolve around helping organizations achieve security compliance and certifications such as EU GDPR compliance.

About the essayist: Bipin Damodaran is a Certified Ethical Hacker and a member of the security team at Neumetric, a cybersecurity vendor that helps organisations bolster their information security by creating a secure operating environment.


In golf there’s a popular saying: play the course, not your opponent.

Related: How ‘CAASM’ closes gaps

In an enterprise, it’s the same rule. All areas of an organization need to be free to “play their own game.”

And when malware, ransomware or other cyber threats get in the way, the focus shifts from forward progress to all-hands incident response. A security strategy should clear obstacles and enable every part of a business operation to run smoothly.

Smarter security is the rising tide that lifts all ships. Because every part of an organization overlaps with security, an improvement in one area yields benefits in the others.

Departments such as support, manufacturing, design, services and delivery are enhanced by smart security measures, which head off distracting setbacks and increase overall momentum. This leads to revenue gains and positive customer outcomes.

What constitutes “smarter security?” Smarter security to me broadly refers to relentlessly focusing on fundamentals while maturing the program, making sure your risk posture aligns with your business strategy.

Complexity challenge

The complexity that has abounded in the past few years has left us more connected and data-driven than ever before. Business initiatives demand faster, more efficient outcomes and technology responds. However, security – the often overlooked and undervalued visitor – is struggling to communicate across the table.

When it comes down to it, C-level goals and CISO initiatives are not all that misaligned. We all want fast, powerful, capable tools that can launch our business into the future with its best foot forward. And we all want to avoid breaches and PR failures in the process.

However, enterprises often experience a disconnect between business objectives and security guidelines. It is in this disconnect that cybercriminals find opportunity.


The attack surface is expanding relentlessly, while security initiatives aren’t ingrained into every department’s daily operation. The need for reset and oversight is so great that a new class of technology is emerging to give organizations a better grip on the digital sprawl that’s come to define modern-day enterprise architecture.

Gartner refers to it as “CAASM,” or cyber asset attack surface management: tooling that pulls asset data, through API integrations, from the systems an organization already runs and consolidates it into one queryable inventory, so that gaps in coverage and control become visible. Focusing on your attack surface is a good place to start if you are struggling to find where to begin.

This smarter form of security fills a glaring gap in today’s solution-saturated market: strategy, and specifically the kind of strategy that can only come from getting a full view of the course.

Automated offense

Smart security also means doing more with less so the company as a whole can run lean. This means secure file transfer solutions that encrypt by default, so nobody is tempted to route around a slow, manual encryption step. It means anti-phishing tools so your teams can open emails without needless hesitation or risk.

It also means offensive security measures and vulnerability management so your team can fix problems before they can be exploited and derail operations.

Automating the security tasks of an organization – or hiring out when necessary – keeps those basic hygiene concerns out of mind and allows a business to perform at its best. When done right, a smarter security strategy is unseen.

As I’ve mentioned before, the issue of security is essentially a problem-solving one. These are not security problems for security’s sake. They are fundamentally business problems that rely on security to solve them.

How do we innovate and stay ahead of the competition without our speed backfiring and creating more bugs? How do we take time to manage vulnerabilities in our CRM when we’ve promised 24/7 customer care that relies on it? How can we accomplish our CEO’s vision for full process automation when we’re still transitioning to the cloud – and are unfamiliar with the security terrain?

Smarter security measures mean more subtle, intuitive, predictive solutions that can grease the wheels for whatever a fast-thinking enterprise can come up with next.

Sometimes the issue is resources. Part of problem-solving is examining the trouble spot from all angles. Managed solutions can help. Data Loss Prevention can lift the strain of vigilance and increase security in the workflow.

The overall trend is this: technology, progress, and change are driving the business objectives of today, and “smarter security” solutions are ones that can keep up, stay out of the way, and enable all aspects of a business to perform at their top level.

About the essayist: Chris Reffkin is chief information security officer at cybersecurity software and services provider Fortra. He has deep experience implementing and overseeing security strategy for a myriad of top-tier organizations.

The 2020s are already tumultuous.

Related: The Holy Grail of ‘digital resiliency’

Individuals are experiencing everything from extraordinary political and social upheaval to war on the European continent to the reemergence of infectious diseases to extreme weather events.

Against this unsettling backdrop, citizens, consumers, employees, and partners will look to organizations that they trust for stability and positive long-term relationships.

Not every organization knows how to cultivate trust, however, or that it’s even possible to accomplish. As a result, in 2023, specific industries that normally experience healthy levels of trust will see major declines in trust that will take years to repair. Others will buck historical trends just to simply maintain their current trust levels.

Organizations should take into account the following predictions as they plot out the next steps of their trust journey in the year ahead:

•Trust in consumer technology will decline by 15 percent.

Over the past three years, technology has proven critical to consumers’ daily lives — from remote working and home-schooling to entertainment and e-commerce. Technology firms experienced unprecedented popularity because of this.

This honeymoon is coming to an end, however; expect to see trust in consumer technology companies declining by 15 percent in 2023. Regulatory crackdowns on poor privacy practices, continued supply chain issues, and ongoing challenges in retaining talent will all impact consumers’ sentiments negatively.

When consumers trust a brand less, they also lose trust in other businesses associated with it. This is the time for firms to map their value chain, assess trust fluctuation across their ecosystem, and be ready to act to safeguard trust.

•Half of firms will use AI for employee monitoring — battering employer trust.


Forrester finds that around the world, employees trust their employer more than their colleagues. For example, 60 percent of US employees trust their colleagues while 64 percent trust their employer. Expect this trend to invert by the end of 2023 as employers overstep their bounds with the use of AI to monitor work-from-home productivity.

For those that choose to collect personal information from employees to measure performance, the data is grim. In 2022, Forrester finds that 56 percent of employees whose employer collects their personal information to measure performance are likely to actively look for a new opportunity at a new organization in the next year — 14 percentage points higher than the average.

Firms seeking to lead in employee experience must eliminate outdated notions of “time spent” and instead focus on outcome-based performance measurement.

•Banks will lose consumer trust in a period of economic turmoil.

In 2022, consumer trust in banks fell for the first time in several years. Additionally, Forrester data reveals that only 54 percent of US consumers believe their bank exhibits the trait of empathy.

As the economy continues to flash warning signals, consumers’ ire and resentment toward their bank will make it even harder to earn trust. Because of this, trust will decline for most banks.

To maintain consumer trust in 2023, banks must lead with empathy and take a data-driven approach to earning trust with concrete, targeted steps that can help them navigate the cost-of-living crisis.

•People’s trust in government will increase in the US.

Trust falls when governments are no longer able to create a better future for their people. In 2023, the US will buck historical trends that saw trust shrinking by building on dependability as a core lever of trust, as well as by investing heavily in such other key trust levers as accountability, competency, and transparency. For example, President Biden’s Management Agenda is doubling down on the combined power of customer and employee experience.

•Three-quarters of Californians will have asked firms to stop selling their data by the end of 2023.

Privacy continues to be a critical consumer value. According to Forrester, 47 percent of Californian online adults have exercised their CCPA right to ask companies to stop selling their data, while 30 percent have asked companies to delete their data.

As the privacy discussion takes center stage in the US over the next 12 months — especially given the potential for new federal legislation and the enforcement of existing state-level legislation — consumers’ privacy activism will continue to grow.

Now is the time for organizations to shore up their privacy and data protection programs and require that all new products, services, and experiences are private by design.

Companies understand that trust will be critical in the next 12 months and more so than ever before. Companies must develop a deliberate strategy to ensure that they gain and safeguard trust with their customers, employees, and partners.

Measuring trust in their brands, engaging line-of-business owners and other leaders to identify key initiatives (with regional variations as necessary), and setting a realistic time frame are all fundamental steps that they must take to get started on this important journey.

About the essayist: Enza Iannopollo is a principal analyst on Forrester’s security and risk team and a Certified Information Privacy Professional (CIPP/E). Her research focuses on compliance with data protection rules, privacy as a competitive differentiator, ethics, and risk management.

Cybercrime is a big business. And like any other large industry, specialization has emerged.

Related: IABs fuel ransomware surge

As data becomes more valuable, criminals can profit more from stealing, selling or holding it for ransom, leading to a massive black market of information.

Initial access brokers (IABs) play an increasingly central role in this cyber underworld. IABs specialize in finding vulnerable targets and sell their details to other cybercriminals.

They search for weak points and perform the challenging, technically demanding work of breaking past an organization’s security, then offer access to the victim to the highest bidder.

IABs on the rise

IABs can gain this access through many different means. In some cases, they find vulnerable third parties that provide ways into larger targets, which is how hackers infiltrated the Red Cross in 2021.

In others, they brute-force credentials on exposed remote-access services; and sometimes they’re malicious insiders who already have access to sensitive files.

Regardless of the specifics, the outcome is the same. IABs perform the difficult first few steps of breaking into a target’s systems, allowing other well-paying cybercriminals an easy way in to do whatever they want.

IABs aren’t necessarily a new threat, but they’ve seen tremendous growth over the past few years. Cybersecurity firm Positive Technologies found 88 new IAB sales on dark web marketplaces in the first quarter of 2020, compared to just three in all of 2017.


The rise of IABs corresponds with the increase in digital transformation. Early in the COVID-19 pandemic, companies started implementing digital tools at an unprecedented pace. Digital resources became increasingly critical for businesses, and targeting them became a more profitable type of crime, leading to a surge in demand for IABs.

The easy access IABs offer helped spur this growth. With an IAB, cybercriminals don’t need advanced technical knowledge or skills to pull off a successful attack. That makes IABs the ideal solution for new, inexperienced hackers trying to profit from this wave of digitization.

Ransomware correlation

This uptick in IAB activity has several far-reaching impacts on cybersecurity. Reliable security is becoming increasingly important to investors, requiring businesses to meet high standards to secure investment and new partnerships.

Because IABs can make it easier to breach a company’s security, their rise could make meeting those expectations harder, creating more demand for expert cybersecurity services.

As IABs continue to grow, so will ransomware. Ransomware is already among the fastest-growing types of cybercrime, and IABs make it more accessible to novice criminals. It’s far easier to steal and encrypt sensitive data when someone else handles the first and hardest step in the breach process. Consequently, security professionals should prepare for an uptick in ransomware threats.

Mitigating IABs

Businesses should also focus on practices that mitigate IAB-related risks amid this rising threat. These include:

•Using multifactor authentication (MFA) on all accounts.

•Monitoring the dark web for IAB listings.

•Restricting access permissions to minimize insider threats.

•Keeping all software up to date, especially internet-facing VPN and remote-access gateways, which are the entry points IABs most often sell.

General cybersecurity best practices like using strong passwords and offering regular security training will also help. While this trend is concerning, these widely recommended steps are still effective.

As the data revolution continues and cybercrime grows, IABs will become all the more prominent. Recognizing these threats early is the first step in addressing them. Once businesses know what to watch out for, they can make the best decisions about defending themselves, even with risks as pressing as IABs.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

There is much that can be gleaned from helping companies identify and manage their critical vulnerabilities 24X7.

Related: The case for proactive pentests

Based on insights from our team of elite security researchers here at Bugcrowd, these are three trends gaining steam as 2022 comes to a close – trends that I expect to command much attention in 2023.

Continuous pentesting

For years, penetration testing has played an important role in regulatory compliance and audit requirements for security organizations. However, a longtime challenge with pentesting has been the “point-in-time” nature of the tests.

At some pre-defined period-of-time, the test is completed against the then-current version of the application and a report is delivered. The challenge is that application development has changed significantly in recent years; often by the time a pentest is completed and the report is delivered, the information is already out of date due to changes in the application.

Over the coming year, we will see an accelerating shift from traditional pentesting to penetration testing as a service (PTaaS). Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program instead of a necessary evil to maintain compliance with internal or external requirements.

By testing each change to the application incrementally, security organizations gain current and ongoing visibility into its security posture, because the smaller scope allows for a faster testing turnaround. This gives security organizations near-current information about the security posture of the application, network or infrastructure.


It’s important to remember that every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced. Security organizations must maintain the ability to gain real-time visibility into their current posture – both from a risk governance perspective and from a compliance perspective.

Security vendor consolidation

The rapid expansion of new security products has led to many organizations purchasing the “latest and greatest” without having a strong integration plan in place. Without a clear deployment and integration plan, even the best security product will go underutilized.

For the past few years, the industry has seen an incredible amount of M&A consolidation. As a result, security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack.

This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.

Narrowing the talent gap

Attracting strong candidates has always been a core part of any business. Finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, flexibility to work anywhere, and a mission that employees want to support.

It’s also important to find talent from non-traditional and diverse backgrounds, provide them with the necessary training and enablement, pay them well with additional equity incentives, and empower them to do what needs to be done.

For years, we’ve been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it doesn’t provide a true view into the current state of the market.

Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential.

Additionally, this provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry providing income, career and wealth-creation opportunities that they otherwise may not have access to.

Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships, and on-the-job training, to help create the next generation of cyber-talent.

About the essayist: Dave Gerry is CEO of Bugcrowd, which supplies a security platform that combines contextual intelligence with actionable skills from elite security researchers to help organizations identify and fix critical vulnerabilities before attackers exploit them.

It’s all too easy to take for granted the amazing digital services we have at our fingertips today.

Related: Will Matter 1.0 ignite the ‘Internet of Everything’

Yet, as 2022 ends, trust in digital services is a tenuous thing. A recent survey highlights the fact that company leaders now understand that digital trust isn’t nearly what it needs to be. And the same poll also affirms that consumers will avoid patronizing companies they perceive as lacking digital trust.

DigiCert’s 2022 State of Digital Trust Survey polled 1,000 IT professionals and 400 consumers and found that a lack of digital trust can drive away customers and materially impact a company’s bottom line.

“It’s clear that digital trust is required for organizations to instill confidence in their customers, employees and partners,” Avesta Hojjati, DigiCert’s vice president of Research and Development, told me. “Digital trust is the foundation for securing our connected world.”

I recently had the chance to visit with Hojjati. We conversed about why digital trust has become an important component of bringing the next iteration of spectacular Internet services to full fruition. And we touched on what needs to happen to raise the bar of digital trust. Here are a few key takeaways from our evocative discussion:

Vigilance required

As 2022 comes to a close, connectivity is exploding. This portends many more digital wonders to come. Yet threat actors continue to breach corporate networks with impunity. And now, finally, digital trust is commanding attention.

One hundred percent of the IT pros who participated in DigiCert’s survey acknowledged the importance of gaining and keeping digital trust. The backdrop is an operating environment in which their organizations’ network attack surface keeps scaling up. What’s more, 99 percent of the IT pros said they believed their customers would switch to a competitor should they lose trust in the enterprise’s digital security.

Meanwhile, more than half, some 57 percent, of consumers polled by DigiCert acknowledged that they’ve experienced cybersecurity issues such as account takeovers, password exposure and payment card fraud. And nearly half, 47 percent, said they’ve stopped doing business with a company after losing trust in that company’s digital security.

Consumers aren’t blind; they’ve become wary of companies that lack online vigilance. Some 84 percent said they would consider not patronizing a company that fails to manage digital trust, with 57 percent saying switching to a more trustworthy provider would be likely.

“Consumers understand what digital trust is and they’re making it a requirement for any entity they’re dealing with to protect their data and their online accounts,” Hojjati says. “If they find that’s not the case, consumers have no problem switching to another vendor.”

Baked-in security

So how did we get here? Over the past decade, digital transformation has advanced rapidly – and even more so post-Covid-19. In this environment, companies chased after operational efficiencies – without duly considering security. And as this shift to reliance on cloud infrastructure and remote workers accelerated, no one accounted for the fresh pathways left wide open to malicious hackers.

“Enterprises were slow to acknowledge that digital trust was missing,” Hojjati observes. “We dove too quickly into making everything digitalized, but we didn’t realize that this superfast inter-operability and hyper interconnectivity absolutely requires a foundation of trust.”

Digital trust has emerged as a must-have; without it, confidence in online business processes is destined to erode. At a macro level, this means security must somehow get deeply baked into leading-edge IT architectures. Systemic changes need to be agreed upon and universally adopted. Smart, adaptable, automated security needs to be infused into the ephemeral, highly distributed and cloud-centric digital infrastructure that will take us forward.

At a micro level, company leaders and captains of industry must arise as champions and stewards of digital trust, Hojjati argues, not only for their own internal employees and operations, but also for their customers, partners and extended communities.

Infusing digital trust

Moving forward, digital trust must become a cornerstone of security. One core technology for providing digital trust is the public key infrastructure (PKI), or more precisely, advanced implementations of PKI. As a prominent supplier of PKI services and digital certificate lifecycle management systems for companies worldwide, DigiCert has skin in this game. PKI is the framework by which digital certificates get issued to authenticate the identity of users and devices; and it is also the plumbing for encrypting data that moves across the public Internet.

PKI already is deeply engrained in the legacy Internet; companies use it to certify and secure many types of digital connections coming into, as well as inside of, their private networks.

Because PKI is ubiquitous and time-tested, it is well-suited to be a leading technology for infusing digital trust into the next iteration of modern networks designed to handle massive interconnectivity and support vast interoperability. This is the working premise espoused by DigiCert and other security experts.

“Modern digital systems simply could not exist without trusted operations, processes and connections,” Hojjati says. “They require integrity, authentication, trusted identity and encryption.”

Public awareness, not to mention public demand for improved security, is an important catalyst. Consumer preference for digital services they can fully trust should remind industry and company leaders to stay focused on doing what needs to get done.

Indeed, industry consensus is being shaped around new sets of standards needed to replace the outdated protocols and policies that gave us the legacy Internet. This heavy lifting is being undertaken by a number of industry forums far out of the public eye.

Refreshed standards

One milestone advance achieved by this effort is Matter 1.0 – the new home automation connectivity standard rolling out this holiday season. There are high hopes that Matter will blossom into the lingua franca for the Internet of Things.

For its part, DigiCert continues to be a prominent participant in the public-private consortia developing and refining a fresh portfolio of security standards needed to engrain digital trust. This includes new security protocols not just for digital certificates but for all things to do with smart buildings, smart transportation systems and smart infrastructure, as well.

As the details get hammered out, it would be wise for companies and industry sectors to jump on board the digital trust bandwagon, the sooner the better. And if fear of losing customers adds to their motivation, then so be it.

“Digital trust by design is something company decision makers have to consider,” Hojjati says. “They need to make digital trust a strategic imperative.”

DigiCert recommends assigning a senior executive with explicit duties to support digital trust. One way to do this might be to create the role of “digital trust officer,” Hojjati says. A DTO could focus on mitigating exposures spinning out of an ever-expanding attack surface; in other words, implementing advanced security systems and procedures on premises, for remote workers and up and down the supply chain, he says.

Clearly new rules of the road like this are needed. Encouragingly, they’re coming. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

The Internet of Everything (IoE) is on the near horizon.

Related: Raising the bar for smart homes

Our reliance on artificially intelligent software is deepening, signaling an era, just ahead, of great leaps forward for humankind.

We would not be at this juncture without corresponding advances on the hardware side of the house. For instance, very visibly over the past decade, Internet of Things (IoT) computing devices and sensors have become embedded everywhere.

Not as noticeably, but perhaps even more crucially, big advances have been made in semiconductors, the chips that route electrical current in everything from our phones and laptops to automobile components and industrial plant controls.

I recently visited with Thomas Rosteck, Division President of Connected Secure Systems (CSS) at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany. We discussed how the Internet of Things, to date, has been all about enabling humans to leverage smart devices for personal convenience.

“What has changed in just the past year is that things are now starting to talk to other things,” Rosteck observes. “Smart devices and IoT systems are beginning to interconnect with each other and this is only going to continue.”

This ascension to the next level of connectivity is underscored by Matter 1.0, the new home automation connectivity standard rolling out this holiday season. Matter paves the way for not just more Internet-connected gadgetry; it makes possible a new tier of highly interoperable digital systems providing amazing services that are highly secure and that intrinsically preserve individual privacy.

For a full drill down on our evocative discussion please watch the accompanying videocast. Here are the main takeaways:

Dispersing electricity

Strictly speaking, a semiconductor is any crystalline solid that resists the flow of electricity in a distinctive way. We call them microchips or just chips and they are the building blocks of diodes, transistors and integrated circuits – the components that direct electrical current to carry out processing routines.

Semiconductors are the hardware components that make up the nervous system of each and every smart device — from tiny sensors to sprawling cloud servers and everything in between. Rosteck outlined how advanced semiconductors will be indispensable in two broad areas going forward: power modules and microcontrollers. Both come into play across the breadth of IoT and, even more so, with respect to IoE.

For instance, semiconductor power modules enable the generation, transmission and consumption of electricity in everything from the control room of a modern industrial plant to the timer on your smart coffee grinder.

Power modules must continue to advance; energy consumption of big digital systems must continue to become more and more efficient to support the smart commercial buildings and transportation systems of the near future, Rosteck says.

With power modules circulating electricity very efficiently at a macro level, advanced microcontrollers can grab the spotlight. These are the unseen chipsets that carry out discrete tasks, such as activating your smart auto’s proximity sensors and rear-view camera or controlling your smart home’s thermostat and garage door opener.

Microcontrollers are, in essence, mini computing engines; today they serve mainly as the knobs and flip switches of IoT; going forward they’ll evolve into sophisticated controls that make complex decisions, autonomously, as part of new IoE systems.

Energy at the edges

How microcontrollers distribute energy is a very big deal. Innovation in the semiconductor industry is focused on finding smarter ways to disperse tiny bursts of electricity to a sprawling galaxy of IoT devices and new IoE systems. Energy needs to be dispersed very efficiently, in just the right measure, to support the machine intelligence routines increasingly taking place at the cloud edge, Rosteck explained.

“When I transport energy or when I consume energy, I must do this efficiently, meaning not wasting energy by ‘turning it on its head,’ but turning energy into what I really want to use it for,” he says.

Rosteck described for me a smart home of the near future. It would be equipped with an array of Internet-connected devices that work in concert to optimize energy consumption. Unseen and unnoticed by the resident, interconnected systems would be capable of correlating real-time weather data, traffic patterns and the resident’s work schedule, and then calculating the precise amount of energy needed on a given day, or even hour of the day.

Such smart homes could become the norm in the era of IoE. This would lead to an optimum blending of private and public sources of energy. Individual consumers could tap solar energy from their roof tops, public utilities would supply power from legacy power plants as well as from new renewable energy operations.

The result: energy conservation would advance significantly. It’s notable that technologists and social scientists are discussing how to leverage interconnected digital infrastructure, i.e. the Internet of Everything, to foster similar “greater good” scenarios in other arenas. This includes mainstreaming autonomous transportation systems, perhaps even redistributing wealth more equitably across the planet.

Baking in security

First, however, two things need to radically change: digital systems must be able to interconnect much more seamlessly than is possible at this moment; and cybersecurity needs to rise to a much higher level. And this is where Matter 1.0 comes into play.

To start, any Matter-compliant smart home device will be able to interoperate with whatever virtual assistant the resident might have. Making it possible for a consumer to use Amazon Alexa, Google Assistant, Apple HomeKit or Samsung SmartThings to operate all types of Matter-compliant devices is a giant step in convenience — and a small step toward a much greater good. Work has commenced on future iterations of Matter that will make IoT systems in commercial buildings and healthcare facilities much more interoperable than is the case today.

Cybersecurity remains a major obstacle that must be dealt with. Interconnected systems that can easily be hacked, of course, would be untenable. Thus, Matter sets forth an extensive process for issuing a “device attestation certificate” for each Matter-compliant device. This process revolves around extending the tried-and-true Public Key Infrastructure framework and associated Digital Certificates that assure website authenticity and carry out encryption across the legacy Internet.

That said, Matter is a new kind of tech standard. The standards that allowed the legacy Internet to blossom commercially – protocols skewed toward open and anonymous access — also doomed networks to be endlessly vulnerable to breaches. By stark contrast, Matter requires our next generation of interconnected devices and systems to be deeply secure from day one.

“If you bake a cake, you can’t change the flavor of the cake once it’s finished baking. It’s the same with standards, you must think about security from the beginning,” Rosteck says. “Matter is the first standard that I know of that accounted for security in the beginning.”

Indeed, when Google, Amazon, Apple and Samsung convened three years ago to draw up Matter, one of the very first moves the tech giants championed was to set up a security work group, Rosteck says. This is how security got baked in from the start. And the result is that the Matter standard is poised to foster a quickening of hardware and software advances that will take us to the next level of connectivity — securely.

There’s still a long way to go. I’ll keep watch and keep reporting.


Over the years, bad actors have started getting more creative with their methods of attack – from pretending to be a family member or co-worker to offering fortunes and free cruises.

Related: Deploying employees as human sensors

Recent research from our team revealed that while consumers are being exposed to these kinds of attacks (31 percent of respondents reported they received these types of messages multiple times a day), they continue to disregard cyber safety guidelines.

This neglect is not only a threat to personal data, but also a threat to corporate security. As we continue to live a majority of our lives online, there are many ways that both consumers and enterprises can better protect themselves against hackers.

According to our survey, the majority of consumers (77 percent) are confident they can identify, and report suspected malicious cyber activity despite general apathy toward proactively securing their devices and personal data.

Confidence gap

This overconfidence is cause for concern for many cybersecurity professionals as humans are the number one reason for breaches (how many of your passwords are qwerty or 1234five?). When it comes to protecting themselves and their devices, few are practicing the basics:

•Only 21 percent use email security software

•Only 33 percent consistently use two-factor authentication (2FA)

•Only 28 percent don’t use repeated passwords

•Only 20 percent use a password manager

The gap between confidence in oneself when it comes to cybersecurity hygiene and actual implementation of protection against cybersecurity threats leaves much room for bad actors to execute successful malware and ransomware attacks.

Blurred lines

The hybrid workforce is here to stay, along with the blurring of work and home. Most people have work email, files, messages and more on personal devices, and use corporate devices to shop or stream content (our research says 56 percent of consumers engage in personal activity on a work device). This, combined with expanding attack surfaces due to the infinite number of networks being used by employees, has created the perfect storm.

Bad actors today enact Highly Evasive Adaptive Threat (HEAT) attacks with more frequency and success. Enterprises are scrambling to find better and more effective ways to secure their data and decrease the number of breaches occurring.

But since many employees are apathetic toward implementing security practices and prevention methods, it becomes a more and more daunting task for cyber professionals.

While cyber experts cannot save everyone from ransomware or other forms of threats, there are plenty of preventative ways for both consumers and enterprises to try and stop attacks before they occur.

Both consumers and enterprises can better protect themselves by:

•Enabling 2FA

•Using strong passwords (random combinations of letters and numbers are best) and storing them securely in a password manager

•Not using repeated passwords

•Reporting suspicious communications

•Installing security software and ensuring all your devices are running the latest software

•Backing up files to a cloud or offline location regularly

•Not responding to, clicking on links in, or opening/downloading attachments from any number or email you don’t know (we promise your CEO isn’t really texting you about how your bonus will be paid via a gift card you can download by clicking on that weird-looking link)

What needs to get done

For corporations, additional steps that should be taken include:

•Having cloud security that spans web and email to prevent ransomware and other attacks

•Setting up systems to require 2FA for all employees

•Ensuring employees review security protocols as part of training and development

•Enforcing strong password requirements for email and other applications

Bad actors are not going away anytime soon, and we can predict that in 2023, we’ll see even more threats and attacks than in years past. Still, there are many ways that consumers and enterprises can protect their data and educate one another on the very real threat that these invisible enemies are. The more awareness raised about cybercrime and malicious activity, the more we can do to try and prevent attacks from occurring before it’s too late.

About the essayist: Mark Guntrip is senior director of cybersecurity strategy at Menlo Security, a Mountain View, Calif.-based web security vendor that provides secure, cloud-based internet isolation.

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure.

Related: Why FIDO champions passwordless systems

Consider that some 80 percent of hacking-related breaches occur because of weak or reused passwords, and that over 90 percent of consumers continue to re-use their intrinsically weak passwords.

Underscoring this trend, Uber was recently hacked — through its authentication system. Let’s be clear, users want a better authentication experience, one that is more secure, accurate and easier to use.

The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Gaining traction

Passwordless, continuous authentication is on track to become the dominant authentication mechanism in one to two years.

Continuous authentication is a means to verify and validate user identity — not just once, but nonstop throughout an entire online session. This is accomplished by constantly measuring the probability that an individual user is who he or she claims to be; machine learning applied to a variety of behavioral patterns sensed in real time is what makes this measurement possible.

Passwordless, continuous authentication addresses the dire need for higher and better security. Cyber attacks continue to grow in sophistication, and ransomware attacks are only the tip of the iceberg. Compromised credentials represent the most usual way attackers penetrate networks. That simply is not tolerable, going forward.

With a market and a society ready to go for it, passwordless authentication expansion is about to accelerate. In fact, demand for passwordless systems is expected to grow 15 percent per annum – topping $5.5 billion by 2032. It’s no surprise that passwordless authentication is at the core of Gartner’s report on emerging technologies and trends for 2022.

Invisible security

Authentication systems that leverage machine learning and biometric technology are now ready to replace legacy password-centric technologies. Machine learning can be applied to facial recognition data, for example, to provide an invisible security layer, with no actions required from the user.

This invisible authentication is very difficult to hack, because it relies on biometric features that can’t be shared. Widely adopted from healthcare to law enforcement, it can deliver secure, accurate authentication even when the user is wearing a mask; it also prevents the unauthorized access that is now possible by compromising the devices we use as a second factor of authentication.

In industries such as banking, healthcare and law enforcement, where employees work under pressure to handle sensitive information, cybersecurity and productivity often contradict each other.

Password-based multi-factor authentication (MFA) systems, for instance, require constantly logging in and out of user sessions; employees waste working time, and can even suffer from MFA fatigue. These inefficiencies can open the gate to cyber attacks.

By contrast, passwordless, continuous authentication affords a double gain for companies: cybersecurity is materially improved, while authentication friction gets erased. This improves daily productivity, not to mention employees’ happiness.

Continuous vigilance

Current authentication tools focus on single sign on. This means that the authentication mechanism confirms the user at the beginning of the session but offers no guarantees during a user session.

One opportunity attackers seek out is when an authenticated user leaves the device unattended. Up to 95 percent of cyberthreats are successful because of a human error, including unattended sessions or visual hacking incidents, such as shoulder surfing.
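A sketch of the continuous-authentication loop described above (session confidence re-measured throughout the session, with the unattended-session case handled explicitly), as an added example that is not code from the original post, from GuacamoleID or from any vendor. The match scores are constructed values standing in for a hypothetical face-matching sensor; the thresholds and decay factor are assumptions.

```python
"""Continuous-authentication session monitor (added illustration, hypothetical).

Each observation carries a biometric match probability (0..1) for the enrolled
user, or None when nobody is in front of the device. A running confidence is
updated as an exponentially weighted moving average; the session locks when
confidence falls below a threshold (someone else at the keyboard) or when the
user has been absent longer than a limit (an unattended session).
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Observation:
    t: float                  # seconds since session start
    match: Optional[float]    # probability the face matches the enrolled user; None = nobody in frame


@dataclass
class SessionMonitor:
    lock_threshold: float = 0.6   # assumed: confidence below this locks the session
    decay: float = 0.7            # assumed: weight given to prior confidence (EWMA)
    absence_limit: float = 10.0   # assumed: seconds without the user before locking
    confidence: float = 1.0       # starts high after the initial strong sign-on
    locked: bool = False
    last_seen: float = 0.0
    events: List[str] = field(default_factory=list)

    def update(self, obs: Observation) -> bool:
        """Consume one observation; return True while the session may stay open."""
        if self.locked:
            return False
        if obs.match is None:
            # Nobody present: the unattended-session case. Lock once the
            # absence exceeds the limit, regardless of prior confidence.
            if obs.t - self.last_seen > self.absence_limit:
                self.locked = True
                self.events.append(f"t={obs.t:.0f}s locked: unattended")
            return not self.locked
        self.last_seen = obs.t
        self.confidence = self.decay * self.confidence + (1 - self.decay) * obs.match
        if self.confidence < self.lock_threshold:
            self.locked = True
            self.events.append(f"t={obs.t:.0f}s locked: confidence {self.confidence:.2f}")
        return not self.locked


def run_session(observations: Iterable[Observation], **kw) -> SessionMonitor:
    """Feed a stream of observations until the session locks or the stream ends."""
    monitor = SessionMonitor(**kw)
    for obs in observations:
        if not monitor.update(obs):
            break
    return monitor


# Constructed scenarios (not real sensor data).
def scenario_legitimate() -> SessionMonitor:
    # Enrolled user stays in front of the device: session remains open.
    return run_session(Observation(t, 0.9) for t in range(1, 6))


def scenario_unattended() -> SessionMonitor:
    # User walks away after t=1s; the absence limit is exceeded at t=13s.
    return run_session([Observation(1, 0.9), Observation(5, None),
                        Observation(9, None), Observation(13, None)])


def scenario_impostor() -> SessionMonitor:
    # A different person sits down at t=2s; confidence decays below 0.6 by t=3s.
    return run_session([Observation(1, 0.9), Observation(2, 0.1), Observation(3, 0.1)])


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("unattended", scenario_unattended),
                     ("impostor", scenario_impostor)]:
        m = fn()
        print(name, "locked" if m.locked else "open", m.events)
```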

This lack of extended security cannot be addressed through legacy sign-on authentication tools such as Microsoft Hello, which rely on one-time image authentication.

Fortunately, there’s a growing trend towards passwordless, continuous authentication.

One touchless delivery model is through face recognition, and a good example is the core functionality built into GuacamoleID, supplied by Hummingbird.AI. GuacamoleID uses sophisticated vision AI to recognize and secure user sessions, thus enabling touchless automated access to computers for security, privacy and compliance in law enforcement, healthcare and financial services.

Passwordless, continuous authentication improves the user experience by making it frictionless – and it materially boosts security by ensuring that there’s always the right person behind the device.

About the Author: Nima Schei is the founder and CEO of Hummingbirds AI, a supplier of technology that leverages artificial intelligence to automate access to computers through face matching.