Standards. Where would we be without them?

Universally accepted protocols give us confidence that our buildings, utilities, vehicles, food and medicines are uniformly safe and trustworthy. At this moment, we’re in dire need of implementing standards designed to make digital services as private and secure as they need to be.

Related: How matter addresses vulnerabilities of smart home devices

A breakthrough is about to happen with the rollout this fall of Matter, a new home automation connectivity standard backed by Amazon, Apple, Google, Comcast and others.

Matter is intended to be the lingua franca for the Internet of Things. It’s only a first step and there’s a long way to go. That said, Matter is an important stake in the ground. To get a full grasp on why Matter matters, I recently visited with Steve Hanna, distinguished engineer at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany.

For a full drill down on our evocative discussion, please watch the accompanying videocast. Here are the main takeaways:

Great leap coming

We’ve only scratched the surface in terms of bringing advanced digital technologies to bear solving humankind’s most profound challenges. Data gathering, data analytics, machine learning and digital automation have advanced to the level where they could be leveraged to accomplish much greater things.

Climate change solutions, driverless vehicles and stupendous medical breakthroughs are close at hand. Likewise, it’s no longer the stuff of science fiction to imagine how advanced digital services could be directed at making water, food, health services and even economic stability readily available to every inhabitant of the planet.

However, before any of these great leaps forward can happen, organizations must achieve digital resiliency. The only way for digital innovation to achieve its full potential is if enterprises and small businesses alike embrace technologies and best practices that support agility, while at the same time choking off any unauthorized network access.

“The Internet of Things is a huge new platform for amazing innovation,” Hanna observes. “But none of it will happen if we don’t get cybersecurity right and people have confidence in the safety and security of every domain the Internet of Things will be present in, whether it’s smart homes, smart vehicles or smart cities.”

Interoperability needed

At present, it’s easier than ever for malicious hackers to breach business networks and gain a foothold from which to steal data, spread ransomware, disrupt infrastructure and attain long-run unauthorized access.

Hanna

This is the consequence of rapid migration to cloud-centric IT resources, a trend that has only accelerated as organizations come to rely more heavily on a remote workforce and a globally-scattered supply chain.

Today, processing power and data storage gets delivered virtually from Amazon Web Services (AWS), Microsoft Azure or Google Cloud, and communication and collaboration tools are supplied by dozens to hundreds of mobile and web apps. Modern digital services are the product of far-flung software code interconnecting dynamically. This has resulted in an exponential expansion of a network’s attack surface; every connection represents an attack vector that must be accounted for.

The problem isn’t a dearth of telemetry, nor a lack of data analytics know-how; we’ve got plenty of both. The reason threat actors are having a field day is because of a fundamental lack of interoperability between legacy and next-gen security tools delivered by highly competitive technology vendors.

Meshing agility, security

Matter signals the start of addressing this interoperability conundrum, Hanna told me. Here’s how:

Google, Amazon and Apple, arguably the most competitive tech giants, have spent nearly three years hammering out Matter, a global open-source standard designed to ensure that smart home devices from different manufacturers can communicate simply and securely.

Starting this fall, smart light bulbs, thermostats and garage door openers using the Matter standard will start appearing on store shelves. Matter devices will be compatible with Amazon Alexa, Google Assistant, or Apple HomeKit. Notably, they’ll connect to the Internet – and to each other – via an advanced type of mesh network.

This mesh network will be both agile and secure, fostering both convenience and security. Consumers will be able to control their IoT devices with any phone, without necessarily having to connect to the Internet.

This ability for a consumer to disconnect smart home devices from the Internet, yet still operate them locally, should enhance convenience while also boosting security. By using Matter devices offline most of the time, i.e. when at home, a consumer directly eliminates a primary attack vector.

Baked-in security

Thus Matter is a template and a harbinger. Hardware manufacturers, Infineon among them, as well as security software developers, are already off and running. They’re designing and testing prototype components for the coming generation of interoperable network security solutions that, if all goes well, should extend from Matter, Hanna says.

At one level, Matter provides a model for how rival tech vendors can, and must, collaborate to derive a new tier of standards for highly-interconnected digital services. At another level, Matter tangibly demonstrates how convenience and security can be two sides of the same coin.

For its part, Infineon is pioneering a way to bake-in advanced security controls at the chip level. Please do watch the accompanying video for Hanna’s deeper dive into work that’s underway to set up a cloud-based “resiliency engine” that can keep close track of things like real-time threat intelligence and vulnerability patching – and then automatically update systems at the chip level, as needed. In order to do this comprehensively, industry-wide consensus needs to gel around several more levels of connectivity standards. Matter is the first baby step.

“The Internet of Things needs a full set of interoperability standards in order for new applications to be invented,” Hanna observes. “Then the more interesting innovation can happen. We’re creating a platform for innovation and none of us can predict what those innovations will be, any more than Vint Cerf knew what the Internet would become when he was involved in creating it in 1969.”

The traction Matter gains in the coming months will tell us a lot about whether companies understand what it will take to get us to the next level of digital innovation. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

As digital technologies become more immersive and tightly integrated with our daily lives, so too do the corresponding intrusive attacks on user privacy.

Related: The case for regulating facial recognition

Virtual reality (VR) is well positioned to become a natural continuation of this trend. While VR devices have been around in some form since well before the internet, the true ambition of major corporations to turn these devices into massively-connected social “metaverse” platforms has only recently come to light.

These platforms, by their very nature, turn every single gaze, movement, and utterance of a user into a stream of data, instantaneously broadcast to other users around the world in the name of facilitating real-time interaction. But until recently, the VR privacy threat has remained entirely theoretical.

Berkeley RDI is a preeminent source of open-access metaverse privacy research. To test the true extent of data collection in VR, we designed a simple 30-person user study called MetaData. Users were asked to play an innocent-looking “escape room” game in VR, while in the background, machine learning scripts were secretly observing their activity and trying to extract as much information about them as possible.

The game was explicitly designed to reveal more information about users than they would otherwise have revealed, a unique threat of XR environments. In fact, most of the Montreal Cognitive Assessment (MoCA) test was hidden within the escape room.

Nair

In the end, the adversarial program had accurately inferred over 25 personal data attributes, from environmental data like room size and geolocation, to anthropometrics like height, wingspan, and reaction time, within just a few minutes of gameplay.

Why, one may wonder, should I care if my use of VR reveals my height or reaction time? In short, we should care not just which attributes can be directly observed, but also what that data can in turn be used to infer.

For example, by combining height, wingspan, and voice frequency, a user’s gender is revealed with a high degree of accuracy. On the other hand, the combination of vision, reaction time, and memory can reveal a user’s age to within a year. The sheer scale of data attributes available in VR makes such inferences more accurate and abundant than on any conventional platform, such as web or mobile applications.

Garrido

And instead of having to combine numerous data sources (like a smartphone, laptop, and wearable device) to build a user profile, VR constitutes a one-stop shop for all of the biometric, environmental, behavioral, and demographic data an application could ever hope to harvest.

The story is not entirely pessimistic, however. In a follow-up work, called “MetaGuard,” we present a promising solution to our VR data privacy woes. Using a statistical technique called local differential privacy, we allow users to “go incognito” in the metaverse to obscure their identity and hinder tracking between sessions, just as they might on the web.

In fact, MetaGuard goes far beyond “incognito mode” on the web, protecting not just metadata but the telemetry data itself. It does so by literally warping the coordinate system of the virtual world to hinder the accuracy of adversarial measurements, while achieving a provably-optimal balance of privacy and usability impact. The result: a 94.6 percent reduction in the ability to deanonymize VR users, even at the lowest supported privacy setting.
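To make the local differential privacy idea concrete, here is an added Python example; it is not MetaGuard’s code and does not reproduce the paper’s actual mechanism, parameters or the 94.6 percent figure. Each client adds bounded Laplace noise to one telemetry attribute, height, before anything leaves the headset. The roster of twenty users, the height domain of 1.40 to 2.10 metres and the epsilon values are constructed assumptions. The adversary’s linking step matches a released height to the nearest known user, the kind of cross-session tracking the essay describes; the example shows that the match rate collapses under noise while the population mean of many releases survives.

```python
import random
from statistics import mean

# Constructed sample roster: 20 users with distinct true heights in metres.
# Height stands in for the many attributes a real VR session leaks.
ROSTER = {f"user{i:02d}": 1.50 + 0.02 * i for i in range(20)}
HEIGHT_LOWER, HEIGHT_UPPER = 1.40, 2.10   # assumed plausible human-height domain


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def ldp_perturb(value, lower, upper, epsilon, rng):
    """Bounded Laplace mechanism run on the client (local differential privacy).

    The input is clipped into [lower, upper], so the sensitivity of the release
    is the domain width; the noise scale is sensitivity / epsilon. A smaller
    epsilon means more noise and stronger privacy for this single user.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    clipped = min(max(value, lower), upper)
    return clipped + laplace_noise((upper - lower) / epsilon, rng)


def link_to_roster(observed_height):
    """Adversary's linking step: nearest-neighbour match against known heights."""
    return min(ROSTER, key=lambda user: abs(ROSTER[user] - observed_height))


def linking_accuracy(epsilon, trials_per_user=10, seed=0):
    """Fraction of sessions in which the adversary re-identifies the user.

    epsilon=None releases the raw measurement (no protection at all).
    """
    rng = random.Random(seed)
    hits = total = 0
    for user, true_height in ROSTER.items():
        for _ in range(trials_per_user):
            if epsilon is None:
                released = true_height
            else:
                released = ldp_perturb(true_height, HEIGHT_LOWER, HEIGHT_UPPER,
                                       epsilon, rng)
            hits += 1 if link_to_roster(released) == user else 0
            total += 1
    return hits / total


def aggregate_error(epsilon, n=2000, true_height=1.75, seed=1):
    """Population statistics survive: the mean of many noisy releases stays
    close to the true value even though each single release is near useless."""
    rng = random.Random(seed)
    samples = [ldp_perturb(true_height, HEIGHT_LOWER, HEIGHT_UPPER, epsilon, rng)
               for _ in range(n)]
    return abs(mean(samples) - true_height)


if __name__ == "__main__":
    print("linking accuracy, raw telemetry:   ", linking_accuracy(None))
    print("linking accuracy, epsilon = 1.0:   ", linking_accuracy(1.0))
    print("linking accuracy, epsilon = 0.25:  ", linking_accuracy(0.25))
    print("error of population mean, eps 1.0: ", round(aggregate_error(1.0), 3))
```

The noise here is one-dimensional and independent per attribute; MetaGuard’s warping of the coordinate system applies the same principle to the geometry the adversary measures from, which is what lets it protect many attributes at once.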

MetaGuard is by no means a complete solution to privacy concerns in VR. Instead, it is a first step towards solving a dangerous technological disparity: despite posing an unprecedented degree of privacy risk, VR currently lacks even the most basic privacy tools.

We hope our work begins to shed light on the risks that lie ahead, and encourage practitioners to advance research at the intersection of data privacy and VR.

About the essayist: Vivek Nair is an NSF CyberCorps Scholar, NPSC Fellow, Hertz Foundation Fellow, IC3 Researcher, and an EECS Ph.D. student researching applied cryptography at UC Berkeley. Gonzalo Munilla Garrido is a researcher at the BMW Group and CS Ph.D. student researching differential privacy at TU Munich. Nair and Garrido are members of the UC Berkeley Center for Responsible, Decentralized Intelligence, a preeminent source of open-access metaverse security and privacy research.

(Editor’s note: This work was supported by Berkeley RDI, the NSF, the NPSC, and the Hertz Foundation. Opinions expressed in this material are exclusively those of the authors and not the supporting entities.)

Phishing attacks are nothing new, but scammers are getting savvier with their tactics.

Related: The threat of ‘business logic’ hacks

The Iranian hacker group TA453 has recently been using a technique that creates multiple personas to trick victims, deploying “social proof” to scam people into engaging in a thread. One example comes from Proofpoint, where a researcher began corresponding with an attacker posing as another researcher.

Other Iranian-based cyberattacks have included hackers targeting Albanian government systems and spear phishing scams. According to a new study, phishing attacks rose 61 percent in 2022, with cryptocurrency fraud increasing 257 percent year-over-year.

Companies and consumers must be more cautious than ever when using their devices. Here are four new phishing trends keeping businesses on their toes.

Spear phishing

Spear phishing attacks have taken the dangers of traditional phishing to another level, mainly because they are highly targeted and precise.

Nowadays, small businesses are more susceptible to spear phishing since they lack the IT security infrastructure found in larger organizations. As more people work remotely, companies must be vigilant when sending and filling out online forms, such as login pages — a newly-preferred mode of enticing potential victims.

These cases involved employees entering a harmless site, then getting redirected to a dangerous one. From there, they enter their credentials and unknowingly give them to hackers.

Compromised email

Malicious ransomware is one of the top-growing cyberattack threats companies face. However, hackers are getting smarter as they develop new money-making methods to exploit businesses.

Amos

Compromised emails are now the norm, as attackers have found a way to infiltrate these systems to send phishing emails to employees, vendors and consumers. Because the address comes across as an internal team member, people trust them, ultimately exposing themselves to cybercrime.

Business email compromise also increased during the COVID-19 pandemic — it’s a common entry point for cybercriminals. As such, staff must avoid sending personal and sensitive information via email, where hackers can steal it.

Wire fraud

Imagine someone is about to buy a house and receives email instructions for wiring the closing costs — with just one click, they’ll be a new homeowner. Now imagine how they’d feel finding out they were the victim of wire fraud, as the $20,000 payment suddenly disappears.

Business impersonation is increasing exponentially with hackers gaining access to company email accounts. After monitoring conversations for some time, they look for the start of the transaction and insert themselves into the chain. The hackers then send a legitimate-looking, well-crafted, error-free email with a link that wires the money to a separate bank account.

The real estate industry is currently battling an influx of these cyberattacks. A recent survey showed that one-third of all real estate transactions had a wire fraud attempt in 2020. Additionally, 76% of real estate agents reported increased fraud attempts from the previous year.

Phishing via texting

If it seems more spam texts are coming in, that’s because they are — the FCC reported a 146% uptick throughout the pandemic.

Text message phishing — also known as “smishing” — is when scammers send texts to entice people to transmit personal information, such as passwords or credit card numbers. Because people tend to open messages within 15 minutes of receiving them, scammers have found it a lucrative way to trick people.

Smishing might impersonate the government, banks or other agencies to seem more legitimate. Although most people can tell when they’ve received spam texts, 6% report losing money through text fraud.

Steps to effective security

Developing a secured network strategy is essential to avoid cyberattacks, as these new phishing tactics could negatively impact a business. To prevent malicious scams, companies should do the following:

•Install high-quality antivirus software and spam filters.

•Implement a policy to update passwords every 90 days.

•Require strong passwords and two-step or multi-factor authentication.

•Encrypt all sensitive information and documentation.

•Secure web browsers and only use those providing adequate security.

•Train workers on how to identify phishing attempts.

Human error often drives phishing success, so deploying the right security tools and ensuring employees understand their place in avoiding cybercrime is the best way to protect company data.

Companies must implement several security measures to prevent the repercussions of cyberattacks. Otherwise, they risk dire consequences.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Digital resiliency has arisen as something of a Holy Grail in the current environment.

Related: The big lesson of Log4j

Enterprises are racing to push their digital services out to the far edge of a highly interconnected, cloud-centric operating environment. This has triggered a seismic transition of company networks, one that has put IT teams and security teams under enormous pressure.

It’s at the digital edge where all the innovation is happening – and that’s also where threat actors are taking full advantage of a rapidly expanding attack surface. In this milieu, IT teams and security teams must somehow strike a balance between dialing in a necessary level of security — without unduly hindering agility.

Digital resiliency – in terms of business continuity, and especially when it comes to data security — has become a must have. I had the chance to visit with Paul Nicholson, senior director of product at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services.

Guest expert: Paul Nicholson, Senior Director of Product, A10 Networks

We discussed how and why true digital resiliency, at the moment, eludes the vast majority of organizations. That said, advanced security tools and new best practices are gaining traction.

There is every reason to anticipate that emerging security tools and practices will help organizations achieve digital resiliency in terms of supporting work-from-home scenarios, protecting their supply chains and mitigating attack surface expansion. As part of this dynamic, Zero Trust protocols appear to be rapidly taking shape as something of a linchpin.

“When you say Zero Trust, people’s ears perk up and they understand that you’re basically talking about making sure only the right people can get to the digital assets which are required,” Nicholson told me.

For more context on these encouraging developments, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.


Today’s enterprises are facing more complexities and challenges than ever before.

Related: Replacing VPNs with ZTNA

Thanks to the emergence of today’s hybrid and multi-cloud environments and factors like remote work, ransomware attacks continue to permeate each industry. In fact, the 2022 Verizon Data Breach Investigation Report revealed an alarming 13 percent increase in ransomware attacks overall – greater than past five years combined – and the inability to properly manage identities and privileges across the enterprise is often the root cause.

As enterprises continue to fall victim to increasingly complex attacks, there’s one topic that cybersecurity professionals and vendors can agree on: the importance of Zero Trust. Still, properly defining and executing this strategy often remains one of the biggest challenges to overcome.

A ‘Zero Trust’ core

The Zero Trust buzzword has exploded in use over the last few years. Through endless redefinitions, it’s difficult to find a reliable one. While this continuous pivot can be tough to track, it does not diminish the need for a real, executable strategy for tackling its core tenets. One helpful perspective is to view Zero Trust as a three-legged tripod:

•The first leg of this tripod is the network protecting the perimeter and ensuring organizations are safeguarded from the outside in, as well as inside out.

•The second is the endpoint – protecting the workstations, servers, laptops, cloud instances, network devices, etc. – since the crown jewels reside on endpoints or are accessed from them.

•The third is identity – the validation that a requestor is who they say they are and has the ability and limitation to do only what they should.

Dodhiawala

Without addressing the identity leg of the tripod, and more importantly privileged identity, there simply is no Zero Trust. With its core tenet of verify (not trust), a robust Zero Trust framework must include privileged identity and just-in-time authorizations.

In typical attacks, the attacker uses compromised admin credentials to elevate privileges and move laterally between systems. These techniques succeed due to standing privilege granted to the privileged identities – the accounts which are trusted.

To build identity-centric trust across an organization, every enterprise asset must be identified and managed – putting greater emphasis on privileged identity for both human (employees, consultants, partners, vendors, customers, etc.) and digital identities (apps, devices, machines, etc.).

While solutions are available to augment the authentication of an entity through MFA and credential-centric tools, there is a key component missing – authorization. Without this, the identity leg of the tripod will remain incomplete. Attacks are still successful and realized identity enforcement is impossible.

Redefining access

As most of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl – a prominent and highly exploited attack surface – it’s unsurprising that once an attacker is inside the network, finding the organization’s crown jewels is straightforward. From there, they can encrypt data, execute a ransomware attack and more.

Given these imminent threats, the industry needs a paradigm shift that goes beyond credential hygiene and more holistically solves for authorization. Given that nearly 80 percent of today’s cyberattacks involve leveraging privileged identities, one novel approach is to forego the focus on the password itself for something different – Zero Standing Privilege (ZSP).

Coined by Gartner, ZSP goes beyond the typical privileged access management (PAM) strategies. It removes the typical, 24×7 standing privilege and protects organizations against the discovery of administrative credentials, hashes, or secrets.

Even if the attacker gains a foothold through a weak password, ZSP protects the organization by reducing the attack surface an intruder can move to. ZSP is the most important and proactive IAM measure an organization can implement to mitigate real and present threats.
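As an added illustration of the difference between standing privilege and ZSP (example code written for this page, not Remediant’s product or Gartner’s definition), the Python below contrasts an always-on admin group with a broker that only issues scoped, time-boxed, peer-approved grants. The principal and resource names, the 10-minute elevation window and the 15-minute policy cap are constructed assumptions; the scenario replays the essay’s case of an attacker holding a valid admin credential and shows where each model allows or denies.

```python
from dataclasses import dataclass


@dataclass
class Grant:
    principal: str
    resource: str
    action: str
    expires_at: float   # seconds on the broker's clock


class FakeClock:
    """Deterministic clock so the scenario below is reproducible offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class StandingPrivilege:
    """The 24x7 model the essay argues against: membership in an admin group
    authorizes every action on every resource, at any time, for as long as
    the credential is valid."""
    def __init__(self, admins):
        self.admins = set(admins)

    def is_authorized(self, principal, resource, action):
        return principal in self.admins


class ZspBroker:
    """Zero Standing Privilege: nobody holds privilege at rest. A grant is
    created just in time for one resource and one action, needs a second
    party's approval, and disappears when its TTL runs out."""
    def __init__(self, clock, max_ttl=900):
        self.clock = clock
        self.max_ttl = max_ttl      # assumed policy cap: 15 minutes
        self.grants = []
        self.audit = []             # (time, event, principal, resource, action)

    def request_elevation(self, principal, resource, action, ttl, approver):
        if approver == principal:
            raise PermissionError("self-approval is not allowed")
        if ttl > self.max_ttl:
            raise ValueError(f"ttl exceeds policy maximum of {self.max_ttl}s")
        grant = Grant(principal, resource, action, self.clock() + ttl)
        self.grants.append(grant)
        self.audit.append((self.clock(), "grant", principal, resource, action))
        return grant

    def is_authorized(self, principal, resource, action):
        now = self.clock()
        # Expired grants are purged on every check, so between elevations
        # there is no standing entitlement left in the store to discover.
        self.grants = [g for g in self.grants if g.expires_at > now]
        ok = any(g.principal == principal and g.resource == resource
                 and g.action == action for g in self.grants)
        self.audit.append((now, "allow" if ok else "deny", principal, resource, action))
        return ok


def stolen_credential_scenario():
    """Someone holding alice's valid credential tries to read the production
    database at three points in time. Returns the outcome under each model."""
    clock = FakeClock()
    standing = StandingPrivilege(admins={"alice"})
    zsp = ZspBroker(clock)
    results = {}

    # T+0: alice has not requested elevation; the credential alone buys nothing under ZSP.
    results["standing_t0"] = standing.is_authorized("alice", "db-prod", "read")
    results["zsp_t0"] = zsp.is_authorized("alice", "db-prod", "read")

    # Alice legitimately elevates for 10 minutes on db-prod only, approved by bob.
    zsp.request_elevation("alice", "db-prod", "read", ttl=600, approver="bob")

    clock.advance(300)   # T+5 min: inside the window, but scoped to db-prod
    results["zsp_t5_db_prod"] = zsp.is_authorized("alice", "db-prod", "read")
    results["zsp_t5_other"] = zsp.is_authorized("alice", "db-hr", "read")

    clock.advance(600)   # T+15 min: the window has closed
    results["standing_t15"] = standing.is_authorized("alice", "db-prod", "read")
    results["zsp_t15"] = zsp.is_authorized("alice", "db-prod", "read")
    return results


if __name__ == "__main__":
    for check, allowed in stolen_credential_scenario().items():
        print(f"{check:18s} -> {'ALLOW' if allowed else 'DENY'}")
```

The exposure under ZSP shrinks to the approved window and the approved resource, and every grant and decision lands in the audit list, which is the record a detection team would watch for elevations that do not match a ticket or an approver.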

In the end, there is no silver bullet for achieving and maintaining Zero Trust security, and we as an industry have a long road ahead to truly establish Zero Trust across each pillar within an organization. With a ZSP approach to identity management, though, organizations can more successfully ensure the identity leg of the Zero Trust tripod is powerful and secure.

About the essayist: Raj Dodhiawala is President of Remediant, a San Francisco-based cybersecurity company. He has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets.

Cybersecurity is a top concern for individuals and businesses in the increasingly digital world. Billion-dollar corporations, small mom-and-pop shops and average consumers could fall victim to a cyberattack.

Related: Utilizing humans as security sensors

Phishing is one of the most common social engineering tactics cybercriminals use to target their victims. Cybersecurity experts are discussing a new trend in the cybercrime community called phishing-as-a-service.

Why should companies be aware of this trend, and what can they do to protect themselves?

Phishing-as-a-Service (PhaaS)

Countless organizations have adopted the “as-a-service (-aaS)” business model. It describes companies that present customers with an offering, as its name suggests, to purchase and use “as a service.” Popular examples include artificial intelligence-as-a-service (AIaaS), software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS).

Phishing-as-a-service, also called PhaaS, is the same as the SaaS business model, except the product for sale is designed to help users launch a phishing attack. In a PhaaS transaction, cybercriminals or cybercrime gangs are called vendors, and they sell access to various attack tools and technical knowledge to help customers carry out their crimes.

Ready-to-use phishing kits with all necessary attack items are available on the web. Some vendors offer more specialized products, such as back-end code to build fraudulent websites for harvesting credentials. They might provide access to collated open-source intelligence (OSINT) to create highly sophisticated phishing attacks.

Rising popularity

PhaaS services are growing in popularity for a few reasons. These products lower the barrier to entry for malicious actors and are relatively affordable.

Amos

Traditionally, people faced high barriers to entry to become successful hackers. With PhaaS, this is no longer the case. Anyone with enough funds and access to the dark web can purchase PhaaS tools to help them launch a phishing attack.

Aside from a low barrier to entry and affordability, PhaaS is a win-win situation for vendors and their customers. Vendors benefit from PhaaS because they earn a profit from selling their skills while avoiding the risks associated with committing a cybercrime. On the customer side, it requires minimal effort to pay for a phishing kit and launch a professional-level attack on a victim.

PhaaS has grown so popular that it’s now a commercialized industry on the dark web. As a result, the number of phishing attacks worldwide will increase, allowing lucrative cybercrime to flourish in the digital age.

Mitigating PhaaS

The PhaaS industry is rapidly expanding and presenting more risks to businesses of all types and sizes. An individual company is likely unable to take down the entire PhaaS community, but it can certainly take proactive cybersecurity measures to reduce the chances of facing a phishing attack.

Many modern organizations know the basics of online safety and follow the best cybersecurity practices. However, this new trend could change the landscape, forcing businesses to adapt, use new technologies and implement different defense strategies.

Businesses can respond to the rise of PhaaS services in three ways:

•Heed cybersecurity standards and compliance rules

Many industries implement cybersecurity standards and compliance requirements to protect businesses and their clients or customers. For example, government defense contractors must pass the Cybersecurity Maturity Model Certification (CMMC) assessment to conduct business with the Department of Defense (DoD).

By passing the CMMC, the DoD ensures that contractors maintain a strong cybersecurity posture so any sensitive data remains secure. Organizations should determine which industry standards and compliance requirements they must follow to improve their security measures.

•Leverage security software

Several new technologies, including artificial intelligence (AI) and machine learning (ML), are included in today’s cybersecurity software solutions. Those with a zero-trust approach or powered by AI and ML tech can help companies defend themselves against cyberattacks.

•Prioritize training

Human error is the main factor contributing to a successful phishing attack. Employees who receive exceptional cybersecurity training are less likely to put an organization at risk of attacks. Businesses must prioritize education for employees so they can act as the company’s first defense.

PhaaS is not going anywhere. Organizations must take various preventive measures to bolster their cybersecurity as this black-market industry grows. Company leaders must be aware of PhaaS and take phishing attacks seriously to keep their business running.


The pace and extent of digital transformation that global enterprise organizations have undergone cannot be overstated.

Related: The criticality of ‘attack surface management’

Massive global macro-economic shifts have fundamentally changed the way companies operate. Remote work already had an impact on IT strategy and the shift to cloud, including hybrid cloud, well before the onset of COVID-19.

Over the past two years, this trend has greatly accelerated, and working practices have been transformed for many workers and organizations.

Yet, with all these changes, the specter of security breaches remains high. This explains the rise and popularity of Zero Trust as a framework for securing networks in these new realities, and as an effective tool to drive cybersecurity initiatives across the entire enterprise.

Fundamentally, Zero Trust is based on not trusting anyone or anything on your network by default and using least required privilege concepts. Every access attempt by any entity must be validated throughout the network to ensure no unauthorized entity is moving vertically into or laterally within the network undetected.

At the same time, digital resilience has arisen as a top priority for enterprises across all sectors, especially as cyber threats continue to accelerate. Ensuring the maximum uptime and network and application availability is critical to digital business.

Now is an ideal time to explore enterprise perceptions about the future. To gain these insights, A10 Networks surveyed 2,425 senior application and network professionals from across ten regions around the globe. Not surprisingly, there were high levels of concern about digital resiliency, with a strong focus on business continuity.

Four top resiliency trends surfaced in the findings, including: digital resilience is a top priority; cyberthreats are accelerating; private cloud is the preferred environment; and Zero Trust strategies are being implemented to shore up defenses.

Most importantly, all these forces are foundational to more remote and hybrid work as we enter a new phase of living with COVID-19. Additional key features of the enterprise IT landscape that we uncovered included the following:

Private clouds preferred

Some 23 percent of respondents have retained an on-premises environment, and this is unlikely to change for some organizations in the future. Private clouds were the preferred environment for 30 percent of respondents, while just under one quarter said their environment was in a public cloud with a similar percent in SaaS environments.

Nicholson

Looking forward, organizations expect to retain a similar split, with private clouds being the most popular in all regions apart from the U.S. and Eastern Europe, which favor public cloud. This is likely because private clouds give organizations more control over data. Organizations, such as financial services or government, deal with sensitive information and prefer a private cloud model with greater control over the security of applications, users, and data.

Strategy reassessment needed

Resilience has become a board-level discussion as senior leaders look to ensure that the business can cope with future disruption. Enterprise respondents said that digital transformation solutions, business continuity (both technically and organizationally), and stronger security requirements have all become paramount. This puts tremendous pressure on IT professionals to rethink their architectures and IT strategies to meet the challenge.

Asked to rate their concern about 11 different aspects of business resilience, nine out of 10 respondents expressed some level of concern about every issue. The top concerns were around the challenge of optimizing security tools to ensure competitive advantage, using IT resources in the cloud, and enabling remote access and hybrid working while ensuring that staff feel supported in whatever work style they wish to adopt.

Cyber threats impact

High among a broad array of issues is the loss of sensitive assets and data, followed by the disruptive impact of downtime or network lockdown. In response, AI and machine learning have entered mainstream adoption as proven technologies for automation, human error reduction, and increased efficacy.

Meanwhile, there has also been a shift to a Zero Trust security approach. Some 30 percent of enterprise organizations surveyed said that they had already adopted a Zero Trust model.

Looking to the future, the adoption of cybersecurity initiatives will remain high and continue to grow. The increased threat surface that developed under pandemic conditions will require a more pervasive adoption of the Zero Trust model.

Although the urgent demands of the pandemic have lessened, there is unlikely to be any less pressure for IT practitioners, whether in infrastructure or security. Enterprises will be dealing with the impact of these pandemic-related changes for years to come, along with the continued integration of newer technologies, strategies, and evolving standards.

Organizations must meet their multifaceted digital resiliency needs by continuing to invest in modern technologies that will support ongoing digital transformation initiatives while striking the balance between strong Zero Trust defense and operational agility.

About the essayist: Paul Nicholson is senior director, product marketing, at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services. He has held technical and management positions at Intel, Pandesic and Secure Computing.

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could take effect as early as May 2023, mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Passing muster

CMMC 2.0 sets forth three levels of cybersecurity certification a company can gain in order to provide products or services to the DoD, all having to do with proving a certain set of cybersecurity controls and policies are in place.

Level 1, for instance, requires some 17 controls to protect information systems and limit access to authorized users. Meanwhile, Level 3 calls for several more tiers of protection specifically aimed at reducing the risk from Advanced Persistent Threats (APTs) in order to safeguard so-called Controlled Unclassified Information (CUI).

In addition, every DoD contractor must conduct, at the very least, an annual self-assessment. Crucially, this includes accounting for the cybersecurity posture of third-party partners. In general, contractors must be prepared to divulge details about the people, technology, facilities and external providers — just about anything that intersects with their position in the supply chain. This includes cloud providers and managed services providers.

“It’s a milestone, for sure,” Jimenez told me. “All these controls need to be fulfilled from a compliance perspective and internal practices need to be put into place. This is all to attest that the contractor has a robust security posture, and, in the event of an audit, could pass muster.”

Auditable reviews

To get to square one under CMMC 2.0, a contractor needs to get a couple of very basic, yet widely overlooked, things done: those that handle controlled unclassified information, or CUI, must implement a formal security management program and have an incident response plan in place.

This comes down to reviewing IT systems, identifying sensitive assets, cataloguing all security tools and policies and, last but not least, implementing a reporting framework that can be audited. This seems very basic, yet it is something many organizations in the throes of digital transformation have left in disarray.

“Having both a security program and incident response plan in place is really important,” says Jimenez. “This should include continuous monitoring to highlight that the security environment is constantly being reviewed and refreshed with data that has an audit trail available for future reference.”

Doing basic best practices to pass an audit suggests doing the minimum. However, companies that view CMMC 2.0 as a kick-starter to stop procrastinating about cyber hygiene basics should reap greater benefits.

Performing auditable security reviews on a scheduled basis can provide critical insights not just to improve network security but also to smooth digital convergence.

“You can reconcile your current controls with your risk tolerance, and align your IT risk management programs with your security and business goals,” Jimenez observes.

Raising the bar

In short, CMMC 2.0 is the stick the federal government is using to hammer cybersecurity best practices into the defense department’s supply chain. In doing so, Uncle Sam, should, in the long run, raise the cybersecurity bar and cause fundamental best practices to spread across companies of all sizes and in all sectors.

This is much the way we got fire alarms and ceiling sprinklers in our buildings and seat belts and air bags in our cars. In getting us to a comparable level of safety in digital services, managed security services providers (MSSPs) seem destined to play a prominent role.

It was a natural progression for MSSPs to advance from supplying endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment, rife with active threats, it makes perfect sense to have a trusted consultant assume the burden of nurturing specialized analysts and engineers and equipping them with top shelf tools.

Full-service MSSPs today focus on improving visibility of cyber assets, detecting intrusions, speeding up mitigation and efficiently patching vulnerabilities. This reduces the urgency for companies to have to recruit and retain in-house security teams.

Meeting a dire need

Thus, MSSPs have advanced rapidly over the past five years to meet a need, a trend that only accelerated with the onset of Covid-19. The leading MSSPs today typically maintain crack teams of in-house analysts and engineers intently focused on understanding and mitigating emerging cyber threats.

They leverage leading-edge, cloud-centric security tools – often by hooking up with best-of-breed partners for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the MSSP trenches helped develop NIST best practices — and continue to help refine them.

MSSPs are increasingly assuming a primary role in mid-sized enterprises for maintaining endpoint security, vulnerability patch management and even things like firewall management and configuration management.

NeoSystems, for its part, offers all these security services, in modular packages, with a focus on eliminating compliance hurdles for federal government contractors. It’s gaining a lot of traction with small businesses and mid-sized enterprises that can’t spare resources to suddenly infuse security into their networks, Jimenez told me.

CMMC 2.0, coming in May 2023, puts defense contractors’ feet to the fire – and it sends a signal to all companies. “It’s the first real, definitive step from the federal government saying this has to be in place, you must have a security posture and it has to be robust,” Jimenez says. “Once it really takes hold, it will be paramount for companies to step into line and make sure that they’re ready for an audit.”

Companies could have, and should have, embraced NIST’s cybersecurity best practices a decade ago. Hopefully, CMMC 2.0 will nudge them forward in the 2020s. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

The internet has drawn comparisons to the Wild West, making ransomware the digital incarnation of a hold-up.

Related: It’s all about ‘attack surface management’

However, today’s perpetrator isn’t standing in front of you brandishing a weapon. They could be on the other side of the globe, part of a cybercrime regime that will never be discovered, much less brought to justice.

But the situation isn’t hopeless. The technology industry has met the dramatic rise in ransomware and other cyber attacks with an impressive set of tools to help companies mitigate the risks. From sharing emerging threat intelligence to developing new solutions and best practices to prevent and overcome attacks, it’s possible to reduce the impact of ransomware when it happens.

Prevalence

The FBI’s Internet Crime Complaint Center (IC3) received 3,729 ransomware complaints in 2021, representing $49.2 million in adjusted losses. Healthcare and public health, financial services, and IT organizations are frequent targets, although businesses of all sizes can fall victim to these schemes.

The increase in remote workforces and difficulty enforcing security controls with expanding perimeters has played a role in the rise of ransomware. Likewise, lookalike and spoofed web domains and well-crafted phishing emails now easily trick employees into thinking they’re dealing with trustworthy sources.

A typical attack

Ransomware usually starts with a phishing email. An unsuspecting employee will open a legitimate-looking message and click a link or download a file that releases embedded malware onto their machine or the broader company network.

This gives the perpetrator the access needed to launch the ransomware and lock the company out of its own infrastructure or encrypt files until the ransom is paid in cryptocurrency.

Victims have two equally unattractive choices to resolve the situation. They can refuse to pay the ransom and have criminals release sensitive data. Or they can pay it—and often see the information released anyway. Not surprisingly, cyber criminals don’t always stick to their word.

High-stakes threat actors

Who are these masterminds? These threat actors aren’t playful hackers just testing their abilities. They’re often state-sponsored entities, foreign governments, or actual businesses. In fact, ransomware-as-a-service is alive and well, educating would-be offenders on how to undertake an attack and even offering customer support.

You may remember ransomware incidents that made the news in recent years, such as the Colonial Pipeline attack in 2021 that crippled national infrastructure or WannaCry in 2017 that exploited a Windows vulnerability. Sometimes ransom payments are recovered, but not always.

The impact of ransomware

The price tag of the ransom is just one of the many costs of these attacks, and remediation can often exceed this fee many times over. The inability to run the business effectively or access crucial data for days, weeks, or even months can result in lost revenue, customers, and opportunity.

Data, even when returned, can be damaged or useless, delaying ongoing projects. Altogether, the situation can cause the business reputational harm and losses spanning long periods.

Preventing ransomware

Like all cyberthreats, ransomware is constantly evolving as attackers become more sophisticated and bolder in their attempts. Building security with a layered approach is the most effective strategy as you work to move from passive to active defense.

These are just a few of the tactics you can take:

• Understand where sensitive data resides, how it’s protected, and why it’s valuable to outsiders

• Keep up with the latest cyber threats and monitor for lookalike/spoofed domains and registrations

• Educate employees on how to spot and respond to suspicious emails that bypass filters

• Bolster your monitoring and email authentication capabilities

Incident response

Early detection is critical, and ransomware attacks evolve. This means the response you’re likely to take can shift as you learn more along the way. Have a response plan that details the steps you can take across all departments.

Even after you’ve determined whether to pay the ransom, you’ll need ongoing monitoring for stolen data and compromised domains on the dark web and social media sites. Your experience will also inform employee education practices and the types of safeguards you put in place going forward.

Go in depth on ransomware and learn how to protect your business in this report from PhishLabs by HelpSystems: Ransomware Playbook: Defense in Depth Strategies to Minimize Impact.

About the essayist: Eric George is the Director of Solution Engineering at PhishLabs by HelpSystems. He has held over 10 industry certifications including CISSP and serves as a Technical Malware Co-Chair for the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

Network security has been radically altered, two-plus years into the global pandemic.

Related: ‘Attack surface management’ rises to the fore

The new normal CISOs face today is something of a nightmare. They must take into account a widely scattered workforce and somehow comprehensively mitigate new and evolving cyber threats.

Criminal hacking collectives are thriving, more than ever. Security teams are on a mission to push network defenses to the perimeter edges of an open, highly interconnected digital landscape; the defenders are under assault and running hard to stay one step ahead.

Managed Security Services Providers have been steadily evolving for two decades; they now seem poised to help large enterprises and, especially, small to mid-sized businesses manage their cybersecurity.

The global market for managed security services is estimated to be growing at a compound annual rate of 14 percent and should climb to $44 billion by 2026, up from $23 billion in 2021, says research firm MarketsandMarkets.

“Managed security service providers are rising to meet a need that’s clearly out there,” observes Elizabeth Jimenez, executive director of market development at NeoSystems, an MSP and systems integrator. “We can plug in parts or all of a complete stack of cutting-edge security technologies, and provide the expertise an organization requires to operate securely in today’s environment.”

MSSPs arrived on the scene some 17 years ago to help organizations cope with the rising complexity of their IT infrastructure. The focus in those early days was on compliance and device management. MSSPs have since broadened and advanced their services, a trend that continued as cloud migration gained momentum in the 2010s — and then accelerated with the onset of Covid-19.

Today, it’s feasible for an enterprise or SMB to outsource just about any facet of their security program — much the same as outsourcing payroll or human services functions.

I’ve had a couple of deep discussions about this trend with NeoSystems. The company is based in Washington D.C. and one of its specialties is helping government contractors continuously monitor and manage their networks, systems and data. For more info, visit neosystemscorp.com.

A drill-down on MSSPs is coming tomorrow in a news analysis column and podcast. Stay tuned.