To tap the full potential of massively interconnected, fully interoperable digital systems we must solve privacy and cybersecurity, to be sure.


But there’s yet another towering technology mountain to climb: we must also overcome the limitations of Moore’s Law.

After 30 years, we’ve reached the end of Moore’s Law, which states that the number of transistors on a silicon-based semiconductor chip doubles approximately every 18 months. In short, the mighty integrated circuit is maxed out.

Last spring, I attended NTT Research’s Upgrade 2023 conference in San Francisco and heard presentations by scientists and innovators working on what’s coming next.

I learned how a who’s who list of big tech companies, academic institutions and government agencies are hustling to, in essence, revive Moore’s Law and this time around direct it at optical technology.

I had a wide-ranging conversation with NTT Research President & CEO Kazu Gomi about an ambitious initiative called Innovative Optical and Wireless Network (IOWN) that aims to develop next-generation networks and computations. IOWN is all about supporting increased bandwidth, capacity and energy efficiency.

What really struck me was that IOWN also seeks to foster an “affluent and diverse” global society. For a full drill down on our discussion, please watch the accompanying videocast. Here are my takeaways.

What’s next: Internet of Everything

The world of the near future holds the promise of climate-restoring cities, autonomous transportation systems, incredible breakthroughs in healthcare and many more amazing services that could greatly benefit everyone on the planet.

However, the laws of physics dictate that silicon semiconductor chips simply won’t be able to support the massive data ingestion – and the colossal data crunching – that the Internet of Everything demands.

Fortunately, optical circuits are well suited to the task at hand. The Internet of Everything requires distributing billions more data capture sensors far and wide to form sprawling, interoperable digital shrouds overlapping one another. Each sensor in each shroud must be uniquely smart and use next to zero energy.

Working in concert, these sensor shrouds will very precisely and very securely move vast amounts of useful data very quickly to and from —  in traffic grids, utilities, communication systems, buildings and our homes.

“Optical technology can enable us to control energy consumption so we can support increasing capacity and increasing bandwidth,” Gomi summarizes.

At NTT Research in Sunnyvale, Calif., scientists are working on basic research to develop optical technology that can overcome current challenges. Their work focuses on creating smaller laser oscillators, which produce the light necessary for optical circuits. Smaller oscillators create shorter pulses that can increase bandwidth exponentially.

The business case for optical

One of the key benefits of optical circuits, Gomi emphasized, is their lower energy consumption compared to traditional circuits. This is particularly important for AI engines, which currently require large GPU clusters that use integrated circuit chips and consume vast amounts of energy.

Optical circuits have the potential to replace these GPUs, offering faster computation and drastically reduced energy consumption, he says.

Energy-efficient AI technology would make it possible to move computation to sensors at the network edge where intelligent analytics can be done in much quicker response times, consuming much less energy.

NTT executives and scientists speak often about how advanced optical technology can benefit society as a whole. It’s notable that the IOWN mission statement actually calls for fostering a rich global society, one that’s tolerant of diversity and respectful of individual privacy.

I asked Gomi about the business case for this. He argues that if drastic changes are not made to shift to optical technology, carbon footprint issues will become a significant concern. By embracing optical technology, industries can grow, and society can benefit from the development of smarter infrastructure.

Deploying AI ethically

Gomi also acknowledged the need to strike a balance between humans and AI and to consider the ethics of AI. The conversation around AI’s potential impact on society, culture, and economics is just beginning, he says, but it’s essential to ensure that AI is implemented responsibly to avoid unintended consequences.

“AI right now can be undisciplined and has the potential to behave badly,” Gomi told me. “Bad behavior is something that must be corrected and we need to do something to discipline AI, as needed, when needed.”

You just don’t hear that kind of perspective very much from Amazon, Microsoft or Google, and certainly not from Facebook or Twitter.

In preparing to attend Upgrade 2023, I ran across a transcript of a lecture introducing IOWN delivered in 2019 by Jun Sawada, former CEO of NTT, the parent company of NTT Research.

Sawada begins by pointing out Japan’s history as a supplier of silver pearls, sapphires and cinnabar. He draws a comparison between Europe and Japan during the Industrial Revolution (1750-1850) noting the opposing perspectives of centralization vs. decentralization.


He suggests that Japan’s Edo city, with its population of one million, represented a recycling-oriented eco-metropolis, while European cities focused on centralization and energy-driven growth. Moving on to an assessment of modern society, Sawada posits that the divisions between nations we see today result from conflicts between socialism and capitalism.

Today, he observes, the flood of information, coupled with AI-driven filtering, has led to divisiveness based on biased preferences. He advocates reconciling the economic expansion of modern European societies with Edo’s recycling mindset — and developing a global society that recognizes diverse values.

Sawada’s larger point is that IOWN holds the potential to reset our communication systems with the intention of driving towards a much greater global good. IOWN quietly continues to gain traction. How far can it take us?

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

SMS toll fraud is spiking. I learned all about the nuances of how these insidious attacks are deployed – and defended against – in a recent visit with Arkose Labs CEO Kevin Gosschalk, who explained how the perpetrators victimize businesses that use text messages to validate phone users signing up for a new account.


The fraudsters set themselves up as “affiliates” of phone companies in Indonesia, Thailand and Vietnam and then use bots to apply for online accounts, en masse, at a targeted business. The con: each text message the business then sends in return —  to validate the applicant — generates a fee for the phone company which it shares with the affiliate.

This fraudulent activity usually remains undetected until the business receives a bill for an unusually high number of text messages sent to seemingly legitimate users.

As a solution, Arkose Labs aims to increase the cost of attacks, making them less profitable for the fraudsters.

Guest expert: Kevin Gosschalk, CEO, Arkose Labs

Their technology detects malicious actions and offers differing levels of challenges, based on a risk threshold. They also provide their customers with threat intelligence that can be used to prevent attackers from profiting. For a full drill down on our discussion, please give the accompanying podcast a listen.
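The fraud pattern described above (bot signups en masse, each triggering a paid text to one destination) can be spotted in a verification-send log well before the bill arrives. The following is an added example, not code from the original article or from Arkose Labs; the log format, the baseline figures, the thresholds and the use of never-completed verifications as a signal are all assumptions made for illustration.

```python
"""Score SMS-verification traffic per destination and pick a challenge level."""
from collections import defaultdict

# Constructed sample log, one event per line:
#   "<epoch> <event> <signup_id> <E.164 number>"
# 40 sends to +62 numbers where no code is ever entered, plus ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} sms_sent s{i} +6281200000{i:03d}" for i in range(40)]
    + [f"{1700000100 + i} sms_sent u{i} +1415555{i:04d}" for i in range(10)]
    + [f"{1700000160 + i} code_verified u{i} +1415555{i:04d}" for i in range(9)]
    + ["1700000200 sms_sent v0 +447700900123",
       "1700000230 code_verified v0 +447700900123"]
)

# Small calling-code table (real ITU codes); extend for production use.
CALLING_CODES = {"1": "NANP", "44": "GB", "62": "ID", "66": "TH", "84": "VN"}

# Assumed values: typical sends per window per destination, taken from past
# billing data, and the risk thresholds that select a challenge level.
BASELINE = {"NANP": 10, "GB": 2, "ID": 1}
SPIKE_RATIO = 5        # volume at 5x baseline counts as a full spike
HARD, SOFT = 0.8, 0.4  # risk thresholds


def country_of(number):
    """Longest-prefix match of an E.164 number against the calling-code table."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in CALLING_CODES:
            return CALLING_CODES[digits[:length]]
    return "other"


def summarize(log_text):
    """Count SMS sends and completed verifications per destination."""
    stats = defaultdict(lambda: {"sent": 0, "verified": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("sms_sent", "code_verified"):
            continue  # skip malformed lines instead of failing on bad input
        key = "sent" if parts[1] == "sms_sent" else "verified"
        stats[country_of(parts[3])][key] += 1
    return dict(stats)


def risk_score(sent, verified, baseline):
    """Combine two signals: texts never verified, and volume above baseline."""
    if sent == 0:
        return 0.0
    abandonment = 1 - min(verified, sent) / sent
    spike = min(sent / (max(baseline, 1) * SPIKE_RATIO), 1.0)
    return abandonment * spike


def challenge_for(score):
    """Map a risk score to a challenge level for new signups to that destination."""
    if score >= HARD:
        return "hard_challenge"   # e.g. stop sending SMS until a challenge is passed
    if score >= SOFT:
        return "soft_challenge"
    return "none"


def assess(log_text, baseline=BASELINE):
    """Return {destination: (score, challenge)} for one log window."""
    result = {}
    for dest, s in summarize(log_text).items():
        score = risk_score(s["sent"], s["verified"], baseline.get(dest, 1))
        result[dest] = (round(score, 2), challenge_for(score))
    return result


if __name__ == "__main__":
    for dest, (score, action) in sorted(assess(SAMPLE_LOG).items()):
        print(dest, score, action)
```

Raising the challenge level only for the destination that is spiking keeps friction away from ordinary signups while removing the per-message payout the scheme depends on.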

This is one more example of cybercriminals cleverly exploiting the flaws in a convenient business process. It surely won’t be the last. I’ll keep watch and keep reporting.


As the threat of cybercrime grows with each passing year, cybersecurity must begin utilizing artificial intelligence tools to better combat digital threats.


Although AI has become a powerful weapon, there’s concern it might be too effective compared to human cybersecurity professionals — leading to layoffs and replacements.

However, the truth is that automated AI tools work best in the hands of cybersecurity professionals instead of replacing them. Rather than trying to use AI to get rid of your security team, seek to use automated tools in conjunction with your existing professionals to ensure the strongest cybersecurity defense.

AI breakthrough

The newest breakthrough in artificial intelligence technology is machine learning and generative AI. Unlike traditional AI, machine learning can be taught to act on data sets and make accurate predictions instead of being limited to only analyzing.

Machine learning programs use highly complex algorithms to learn from data sets. In addition to analyzing data, they can use that data to observe patterns. Much like humans, they take what they have learned to “visualize” a model and take action based on it.

A program that can take data sets and act independently has enormous cybersecurity potential. Generative AI can look for patterns in code and identify the most common forms of cyberattacks. Instead of alerting a human administrator to handle the problem, the program can eliminate the threat itself.

The greatest strength of machine learning is its adaptability. The more data it collects, the more it learns and the more threats it can stop. However, that doesn’t mean this tech is infallible. The capabilities of machine learning programs depend on how much data is available.

Role for pros

That’s why the role of cybersecurity professionals is still important. Machine learning requires human operators who teach the programs how to use relevant data. The programs also require human supervision in case they make mistakes. Alone, machine learning is not yet strong enough to stop all determined hackers; but together, machine learning and human professionals can be a formidable force.

The benefits of machine learning programs for cybersecurity professionals are potentially enormous. Security programs that can enforce themselves to an extent instead of simply analyzing data have the potential to cut down on workloads and give professionals breathing room.

While cybersecurity has become an essential part of everyday life, it can also be hard to keep up with all the latest trends, policies and programs. This is especially true for cybersecurity professionals — whose job is to remain vigilant for threats.

These professionals are constantly bombarded with alerts and information on possible security breaches. Some of these alerts may be false — for example, the system flagged something as a potential threat that was never confirmed, or the alert was raised in error.

Relieving fatigue

The only way to tell if an alert is false is for the professional to check all avenues related to the threat to confirm. This process can be long and time-consuming, just to end up as a false alarm in the end.


If not addressed, cybersecurity fatigue can lead to human error. Failing to check alerts properly risks an actual threat actor breaching the system. Machine learning and AI tools can help reduce that margin of error by automating mundane tasks.

Generative AI tools can be taught the most common causes of false alarms and how to confirm them. If such an alert appears, the AI tool can check the reason by itself and report it to the administrator. This process will significantly reduce cybersecurity professionals’ workload, giving them time to address more critical issues.

While machine learning tools are potent weapons against cyber threats, they need cybersecurity professionals to wield them properly. The power of generative AI tools in the hands of security experts can defeat any cyber attack.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

To be productive in an interconnected work environment, employees need immediate access to numerous platforms both on- and off-premises.


Keeping track of user activity and effecting proper on- and off-boarding is becoming more and more difficult, even as unauthorized access via unused, expired, or otherwise compromised access credentials has become the number one cybersecurity threat vector.

Some nine out of ten cyberattacks are estimated to begin with a threat actor gaining unauthorized access to a computer system via poorly managed access credentials.

The sophistication of cyberattacks perpetrated through unused, old, expired, and otherwise mismanaged access credentials is increasing by the minute, at the same time as it’s becoming challenging to respond to these attacks in an organized and timely manner.

Context needed

Organizations that are used to workflow-based or ticket-based access systems, i.e. traditional Privileged Access Management (PAM), must now make a big cultural shift. PAM enables granular access and, through policy guardrails, monitors, detects, and alerts on instances of unauthorized access.

However, while PAM and other legacy access management systems do alert to unauthorized access, these warnings lack a clear picture of the user’s intent and the context behind the alert.

Today’s alert fatigue is not caused by the sheer number of alerts but by the poor quality of individual alerts.

SaaS platforms have led to very different types of user profiles over the last few years. Users are now dynamic; they move from platform to platform, and their need for access changes continuously.

Key variables

A modern access management system should handle the following:

•The sprawl of user roles and their privileges and activities, growing at the same rate as the infrastructure proliferation.

•The traditional Role-Based Access Control (RBAC) provides perpetual access based on a user’s roles – a methodology that has run its course. Even with the addition of zero-trust-based access on a granular level, RBAC is no longer enough.

•Today’s enterprise users wear multiple hats and use different software with varying privileges. The nature of these privileges has to be dynamic, or the access management system becomes a bottleneck.

•A user with a specific level of access may need to temporarily elevate their privilege because they need access to protected data to complete a task. Scaling workflow-based systems to match larger teams’ needs is difficult and creates a chaotic situation with many users simultaneously bombarding the security admins for approval.

•Some access monitoring solutions rely heavily on automated access controls, such as group policies or other sets of criteria, that will allow access requests to be processed automatically. Automation lacks the intelligence to adapt to changing user behaviors and entitlements.

Noisy ‘observability’

PAM and SIEM solutions are classic systems built on observability. But observability is no longer enough to keep your organization safe.

Observability systems work by alerting to unauthorized access, but they also create a lot of extra noise, and experience shows that they are often not fully implemented. Another problem is that alerts come in after the fact and not in real time. Privileged access abuse is a here-and-now problem that must be addressed as it happens.

One of the functions of Inside-Out Defense – Automated Moving Target Defense SaaS – is that it can immediately remediate privileged user access abuse in-line. This is accomplished by determining the context and intent behind every user activity.


It provides customers, for the first time, an aggregated view of users, their profiles, and activities across different environments which is a big challenge faced by enterprises today. We provide a comprehensive 360-degree view of what every user is doing at any one time, along with an immutable forensic log, thereby enabling enterprises to stay in compliance.

At Inside-Out-Defense we know that threat actors are constantly becoming more sophisticated as they work to find new avenues for disruption. Current solutions focusing on static signatures of threats often miss a crucial understanding of cyber attackers’ sophisticated yet unknown behaviors. Customers need solutions like ours that can work at scale and in real-time to address some of the most persistent problems in network security.

About the essayist: Ravi Srivatsav is co-founder and CEO of Inside-Out-Defense, which emerged from stealth in April 2023 with a solution to solve privilege access abuse and provide real-time detection and remediation to today’s most prolific attack vector – privilege access abuse.

Tel Aviv, Israel, June 19, 2023 – Radiflow, creators of the leading OT network cybersecurity platform CIARA, continue to see budgetary pressure as a main driver in prioritizing OT Cybersecurity projects. This has created opportunities for more partnerships across the OT Cybersecurity sector, resulting in greater flexibility and coverage in the analysis of OT networks.

CISOs of OT operational facilities, such as production plants, utility operations, critical infrastructure, and logistics centers, are facing a hostile environment where outdated machines are susceptible to attack for financial gain or political statements. In response, Radiflow recently released CIARA 4.0, focusing on illuminating the vulnerabilities of all network devices and mapping of the recommended security controls using a breach attack simulation (BAS) engine.

Radiflow has partnered with industry leaders to feed greater data into its analytics platform and provide quick risk assessment insights to help CISOs optimize and justify OT security budgets despite the overall pressure for budget cuts. One such major integration is with Awen Collective to conduct in-depth asset discovery for critical infrastructure networks. Awen Collective provides Dot, an OT Asset discovery tool with a lightweight nature that can be deployed in a scalable way on portable devices in distributed OT networks. The in-depth assets map generated by Dot can now be uploaded into Radiflow’s CIARA to perform a data-driven risk assessment and quickly provide accurate risk scoring for large industrial enterprises.


“The OT cyber security industry is maturing and better serving the needs of our critical infrastructure, manufacturing, and defense organizations by working collaboratively to deliver better solutions,” said Jules Farrow-Lesnianski, Co-Founder & CEO of Awen Collective. “Providing in-depth visibility of traditionally hard-to-reach OT networks using Dot to Radiflow’s CIARA significantly increases our client’s ability to quickly and accurately quantify and mitigate OT cyber risk.”

Another partnership is with Atrinet Networks, a provider of a Network Management System (NMS). The NetACE tool of Atrinet can query a multitude of network infrastructure devices and generate a map of the assets in the network for the Radiflow CIARA tool without requiring the configuration of a span port in the OT network switches, thus simplifying the initial risk assessment exercise.


“Partnering across the industry allows us to pool together previously unidentifiable data, enabling greater automation across the full OT network,” said Ilan Barda, Co-Founder & CEO of Radiflow. “Relieving CISOs of tedious visibility gathering tasks grants them an extensive view to quickly deploy large-scale OT Cybersecurity operations.” These capabilities bring them in line with automation and continuous threat analysis which are being increasingly required in the dynamic market landscape.

To support the sector’s growth, Radiflow has opened offices in Spain, Germany, the Czech Republic, the Netherlands, and Italy, overall tripling its EMEA sales team in the last 9 months.

Miami, Fla. – June 20, 2023 –  ThriveDX, the leader in cybersecurity and digital skills training, today announced the official launch of its new Cyber Academy for Enterprise. This innovative solution, part of the company’s Human Factor Security suite, empowers organizations to reskill and upskill employees for cybersecurity positions while also attracting diverse external candidates, simultaneously addressing the growing talent and diversity gaps in the cyber industry.

Cyber Academy for Enterprise is more than a cybersecurity training program – it’s a complete solution that enables businesses and government agencies to cultivate their internal talents while simultaneously attracting diverse external candidates for cybersecurity positions.

Designed for an end-to-end cybersecurity learning journey, the program offers pre-training screening, intensive training, and post-training matching to facilitate an efficient talent acquisition and development process.

“The cybersecurity talent shortage and lack of diversity is one of the biggest challenges of human resources and cybersecurity leaders. Effective reskilling of employees demands considerable investment, and recruiting diverse talent requires a comprehensive understanding of organizational needs to properly align candidates with open positions,” said Roy Zur, CEO of ThriveDX Enterprise.

“Our Cyber Academy for Enterprise creates unprecedented educational opportunities for all, irrespective of their background or skill level,” Zur continued. “It not only aids in talent acquisition from outside the company but also facilitates the reskilling and upskilling of current employees, fostering an environment of continual learning and development.”


The global shortage of cybersecurity talent and the skills gap continue to widen, with more than 3.5 million unfilled cybersecurity jobs worldwide. Eighty percent of organizations attribute one or more recent breaches to a lack of cybersecurity talent and skills within their company. At the same time, the industry suffers from a lack of diversity. The Cyber Academy for Enterprise targets both these issues, offering a robust platform for building cyber skills and enhancing diversity within the industry.

Holistic training

The academy offers a holistic training experience, with rigorous learning supplemented with access to virtualized cyber labs and challenges. Overall, trainees have an opportunity to access 1000+ hours of immersive learning and hands-on practice, ensuring they are thoroughly prepared for real-world cybersecurity scenarios. Key advantages of the Cyber Academy for Enterprise include:

•Access to over 1000 hours of immersive, hands-on training, adhering to globally recognized cybersecurity education frameworks such as the National Initiative for Cybersecurity Education (NICE) and National Institute of Standards and Technology (NIST).

•Real-world simulations on a skills-based learning platform, providing trainees with exposure to current threat landscapes.

•A comprehensive curriculum, offering diverse cybersecurity modules tailored to various career tracks.

•Access to a network of 1000+ professional cybersecurity trainers

•Pre-training screening to identify high-potential talent, offering an objective comparison of candidates and unbiased talent assessment.

•Data-driven post-training matching, enabling optimization of both internal and external recruitment practices.

•Partnership option to run the academy in conjunction with leading universities, providing graduates with a university certificate.

ThriveDX’s Cyber Academy has been implemented and deployed with global universities, enterprise, MSSPs, non-profits, and government agencies to broaden access to cybersecurity training and employment opportunities across all regions.

“We aim to democratize access to cybersecurity education, allowing anyone, regardless of their technical background, to embark on or advance a cybersecurity career. Having already reskilled more than 60,000 learners globally into cybersecurity and related positions, we now provide organizations with the tools to attract, develop, and retain diverse talent, educated in the latest cybersecurity technologies, and capable of mitigating enterprise risk,” Zur added.

For more information and to request a demo please visit thrivedx.com.

About the company:  The ThriveDX team is composed of military-trained cyber experts, industry veterans, and seasoned educators united in the mission to close the worldwide skills and talent gap in cybersecurity, and encourage diversity, equity and inclusion across industries.


It was bound to happen. Clop, the Russia-based ransomware gang that executed the MOVEit-Zellis supply chain hack, has commenced making extortion demands of some big name U.S. federal agencies, in addition to global corporations.


The nefarious Clop gang initially compromised MOVEit, which provided them a beachhead to gain access to Zellis, a UK-based supplier of payroll services. Breaching Zellis then gave them a path to Zellis’ customer base.

According to Lawrence Abrams, Editor in Chief of Bleeping Computer, the Clop ransomware gang began listing victims on its data leak site on June 14th, warning that they will begin leaking stolen data on June 21st if their extortion demands are not met.

Among the victims listed were Shell, UnitedHealthcare Student Resources, the University of Georgia, University System of Georgia, Heidelberger Druck, and Landal Greenparks.

As for federal agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed breaches due to this vulnerability. “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity, emphasizing the urgency to understand the impacts and ensure remediation. According to Federal News Network, Oak Ridge Associated Universities and Energy’s Waste Isolation Pilot Plant were victims of the cyberattack, with Energy Department sources treating it as a “major incident.”


U.S. government agencies have not yet received any ransom demands, but the threat looms large. Rafe Pilling, Director of Threat Research at Dell-owned Secureworks, told CNN, “Adding company names to their leak site is a tactic to scare victims, both listed and unlisted, into paying.”

Progress Software, the company behind MOVEit, has acknowledged the vulnerability and taken swift measures to mitigate it. They revealed they’ve discovered a second flaw in their software that could be exploited, which they are working urgently to patch.


It’s clear that the present situation underscores the need for robust cybersecurity measures to shield our digital infrastructure from increasingly sophisticated threats. Despite CISA’s Director, Jen Easterly, assuring that the MOVEit intrusions are not being leveraged to steal specific, high-value information, the scale and rapidity of the cyberattacks remain cause for concern. This is especially true when considering that numerous organizations and companies are still in the process of investigating and understanding the scope of their involvement in this breach.

Gerasim Hovhannisyan, CEO of email security provider EasyDMARC, observes that the MOVEit-Zellis hack should put a spotlight on supply chain vulnerabilities arising in the highly interconnected, cloud-centric operating environment.

“Businesses and governmental organizations alike should be considering third-party suppliers and partners as part of their cybersecurity ecosystem and stressing the need for them to implement rigorous security protocols,” Hovhannisyan told Last Watchdog. “With Clop threatening to publish stolen data on June 21st if demands are not met, the organizations affected will be particularly vulnerable to phishing campaigns over the coming weeks and months. Educating workers on identifying, reporting and removing malicious emails will be crucial in preventing further breaches.”

Hovhannisyan advocates focused use of email authentication tools such as SPF, DKIM, and DMARC. “No organization can expect perfection and should therefore work to stop these emails from hitting inboxes in the first place,” he says.

The Clop ransomware group’s tactics are reminiscent of past attacks involving the Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms, wherein threat actors demanded hefty ransoms to prevent data leaks. This presents a persistent and evolving threat landscape that demands constant vigilance and proactivity from organizations, governments, and cybersecurity agencies alike.

In the face of this international cyberattack, the pressing need is to focus on modernizing cybersecurity infrastructures, securing vulnerable platforms, and intensifying the fight against such ransomware attacks. I’ll keep watch and keep reporting.



The cybersecurity community is waiting for the next shoe to drop in the wake of the audacious MOVEit-Zellis hack orchestrated by the infamous Russian hacking collective, Clop.


Clop operatives went live last week with an unusual ultimatum —  written in broken English and posted in a Dark Web forum —  giving the victimized organizations a June 14th deadline to make direct contact with them under threat of having sensitive stolen data made public.

The hackers took advantage of a SQL injection vulnerability – known as CVE-2023-34362 – that, left unpatched, leaves a path for an intruder to gain access to assets like MOVEit’s Transfer database.

Security strategist Delilah Schwartz of Cybersixgill, a Tel Aviv-based threat intelligence firm, noted that depending on the database engine being used, for instance, MySQL, Microsoft SQL Server or Azure SQL, an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.

“These attacks are a glaring illustration of the imminent dangers we face in the cyber threat landscape,” Schwartz said. “It is alarming to realize that while the current perpetrators are associated with a highly advanced cybercriminal operation, a widely circulated proof-of-concept (PoC) could allow less experienced actors to replicate this attack by exploiting additional exposures from this vulnerability in the wild.”

Post SolarWinds

This is a prime example of what multi-stage supply chain hacks have morphed into two years after the milestone SolarWinds hack. The nefarious Clop gang initially compromised MOVEit, which provided them a beachhead to gain access to Zellis, a UK-based supplier of payroll services. Breaching Zellis then gave them a path to Zellis’ customer base.

Cybersixgill’s analysts have been monitoring escalating activity in the underground related to the MOVEit flaw. On several Russian cybercrime forums, Schwartz says, there have been requests to acquire payroll-related data stolen from Zellis’ customers.

For instance, Cybersixgill’s security analysts observed a member from a leading dark web forum offering up to $100,000 for data from UK-based victims of the MOVEit attacks. The member’s intended use of the data remained unclear but suggested the formation of a team dedicated to leveraging UK-sourced data, she says.

Schwartz observed, “The member seems to be an experienced and reputed threat actor with a history on the forum dating back to 2020. They have shown interest in various cybercriminal activities, including ransomware, carding, bots, sim card swaps, stolen databases, remote access trojans (RATs), and information stealers.”

She added, “If a proof-of-concept for CVE-2023-34362 eventually surfaces in the underground, the fallout could be disastrous. We are already witnessing a surge of interest in the MOVEit PoC following the wave of Zellis-related attacks.”

It’s not a time to panic, security experts say. However, the MOVEit – Zellis hack does serve as a glaring reminder of the need for companies to make effective vulnerability management a high priority. This latest attack reinforces the motivation for hacking collectives, like Clop, to increasingly target software supply chain hubs, like MOVEit and Zellis.

“These are attractive targets for attackers because they are a multiplier for their efforts,” observes James Watts, Managing Director at Databarracks, a supplier of cloud continuity solutions. “A single breach gets into numerous organizations and provides multiple avenues for ransom.”

Companies would do well to meticulously audit their software supply chains and purposefully embrace best security practices. “The first place to start is to understand your risks,” Watts says. “That means identifying the sensitivity of the data your suppliers hold, and knowing who your suppliers are and what risks they pose.”

Oz Alashe, CEO of CybSafe, which supplies a human risk management platform, argues that proactive human collaboration is a vital component.

“People are the first and last line of defense in protecting a company’s data, and organizations should give them the tools to be part of the solution,” Alashe says. “We will make significant improvements by targeting the specific security behaviors that leave individuals vulnerable to attack and addressing them through positive cooperation.”

How much will Clop ultimately plunder? I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Information privacy and information security are two different things.

Information privacy is the ability to control who (or what) can view or access information that is collected about you or your customers.

Privacy controls allow you to say who or what can access a database of customer data or employee data.

The rules or policies you put in place to make sure information privacy is maintained are typically focused on unauthorized disclosure of personal information.

Controls need to be in place to protect individuals’ privacy rights, including, often, their right to be forgotten and be deleted from your company database.

Here are a few examples of demographic data that, in combination with sensitive data, becomes Personally Identifiable Information (PII).

Demographic data:

• Customer names
• Address
• Phone number
• Email address, IP address

When you combine information like that with sensitive data like the items below, you get data that is now regulated.

• Social security number
• Passport number
• Driver’s license
• Credit card information
• Biometric data (fingerprint, eye scan, facial recognition data)
• Health records

When demographic information and sensitive information are combined and then inappropriately disclosed, you end up with a data disclosure incident or a data breach. A data breach typically means the company must notify customers and local law enforcement, often government agencies like the FTC, or Health and Human Services, or others.

Companies like Google, Facebook, Experian, Entrust and GoodRx track what you do online, what you buy, what credit cards you have and what loans you’ve taken out. They take all this private information, and then they sell it.

That’s not a data breach, broken security or a lapse in their information security program; that’s how they make money.

Information security, on the other hand, refers to something else: it is the protection of computers, information systems, networks, and data from unauthorized access, use, or damage. Information security is focused on all three elements of the CIA triad: confidentiality, integrity and availability.

Information security involves using the appropriate controls, tools, and processes to prevent or mitigate attacks, minimize or eliminate threats, and reduce vulnerabilities.

Information security has a foundation of governance, in the form of acceptable use policies and many others, that direct and govern what people can and can’t do with the technology that is in place at an organization. Once you have a solid foundation of what people can and can’t do, then you can put in the processes, procedures, tools, and technologies to implement those controls.

Now let’s look at integrity and the policies, procedures, and tools that a company needs to have to ensure that the data in the system is correct.

Think about your bank account. It is very important for you to know that when you deposit a check into your account, the right amount is deposited. It is just as important to the bank that the amount is correct, so integrity is key.

The same would be true of the prices of your products for sale on Amazon, or your own website. Making sure that the data stored in your systems maintains its integrity is critical to your information security and the continued success of your business.

Availability gets a lot of attention these days, usually when the topic of ransomware comes up. Ransomware uses encryption (typically a good thing) to make your business information unavailable.

The criminals encrypt your data with a password or phrase that only they know, and then hold your data hostage until you pay a ransom. If you have a good security program in place, you have backups or other systems that protect your data from being encrypted or, in the case of some other computer incident (flood, power outage, etc.), keep it available for you to use.

There are a lot more details to consider in an information security program and information privacy, but the way to think about information privacy compared to information security is to understand that information privacy is focused on protecting personal information, while information security is focused on safeguarding the computer, systems, data, and networks.

About the essayist: John Bruggeman is Consulting CISO at CBTS; he is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity.

Back in 2002, when I was a reporter at USA Today, I had to reach for a keychain fob to retrieve a single-use passcode to connect remotely to the paper’s publishing system.

This was an early example of multifactor authentication (MFA). Fast forward to today; much of the MFA concept is being reimagined by startup Circle Security to protect data circulating in cloud collaboration scenarios.

I learned about this at RSA Conference 2023 from company Co-founder and CEO Phani Nagarjuna, who explained how Circle extends the use of encryption keys fused to biometrics and decentralizes where copies of the keys are stored. For a full drill down, give the accompanying podcast a listen.

Guest expert: Phani Nagarjuna, CEO, Circle Security

According to Nagarjuna, Circle’s technology places a small agent on the endpoint device. This facilitates the creation of an asymmetric key pair and a symmetric AES256 key. Together these keys authenticate the user’s identity and enable secure and private access to cloud-stored data and resources.

Access to cloud-stored files can then be shared widely. But only authorized individuals, with proof of identity originating from their authenticated device, can open the files. All access attempts get audited using a built-in distributed ledger, allowing policy enforcement and quick remediation.

This iteration of my old-school keychain fob thus eliminates the need for usernames and passwords while much more robustly protecting sensitive data, Nagarjuna asserts. How much traction will it get? I’ll keep watch and keep reporting.
