Work from Home: Manage This, Please

November 19, 2020

I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:

According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.

The article includes this statement:

“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.

Net net: Bad actors relish the WFH revolution. WFHers installing software their employer has never vetted creates numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:

Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.

Manage this, please.

Stephen E Arnold, November 19, 2020

Virtual Private Networks: Not What They Seem

November 17, 2020

Virtual private networks are supposed to provide a user with additional security. There are reports that Apple undercuts this assumption in its Big Sur operating system. For more information, check out “Apple Apps on Big Sur Bypass Firewalls and VPNs — This Is Terrible.” Apple appears to be making privacy a key facet of its marketing and may be experiencing one of those slips betwixt cup and lip with regard to this tasty sales Twinkie.

Almost as interesting is the information in “40% of Free VPN Apps Found to Leak Data.” Note that the assertion involves no-charge virtual private networks. The write up reports:

ProPrivacy has researched the top 250 free VPN apps available on Google Play Store and found that 40% failed to adequately protect users’ privacy.

Okay, security conscious Google and the curated apps on its bulletproof Play Store are under the microscope. The write up points out:

… A study by CSIRO discovered that more than 75% of free VPNs have at least one third-party tracker rooted in their software. These trackers collect information on customers’ online presence and forward that data to advertising agencies to optimize their ads.

Who is behind the study? Possibly a provider of for-fee VPN services like NordVPN.

Marketing and privacy. Like peanut butter and honey.

Stephen E Arnold, November 17, 2020

Security Is a Game

November 12, 2020

This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:

The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.

Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in Risk Based Security’s 2020 Q3 Data Breach QuickView Report is anywhere close to accurate, the “game” is being won by bad actors: lots of data was sucked down by cyber criminals in the last nine months.

Fun, right?

Stephen E Arnold, November 12, 2020

AWS Security Maturity

November 10, 2020

Struggling with leaky S3 buckets? Discovering phishing campaigns launched from your AWS instance? Wrestling with multiple, often confusing, security options? Answer any of these questions with a “yes”, and you may want to check out this paper, “AWS Security Maturity Roadmap.” After reading the essay, you will probably consider seeking an expert to lend a hand. Hey, why not call the author of the paper? The white paper does a good job of providing a useful checklist so the reader can determine what’s been overlooked.

Stephen E Arnold, November 10, 2020

Microsoft Security: Time for a Rethink

November 1, 2020

Not long ago, the Wall Street Journal ran this full page ad for a cyber security company named Intrusion:

[Image: Intrusion’s full-page ad in the Wall Street Journal]

The ad is interesting because it highlights the failure of cyber security. Evidence of this ineffective defense is found in reports from the FBI, Interpol, and independent researchers: cyber crime, particularly phishing and ransomware, is increasing. There are hundreds of threat neutralizers, smart cyber shields, and a mind boggling array of AI, machine learning, and predictive methods, none of which is particularly effective.

“Microsoft 365 Administrators Fail to Implement Basic Security Like MFA” provides some interesting information about the state of security for a widely used software system developed by Microsoft.

The article reveals that researchers have found that 99 percent of breaches can be “prevented using MFA.” MFA is cyber lingo for multi-factor authentication. A common way to prove that a logon is valid is to use a password. But before the password lets the user into the system, a one time code is sent to a mobile phone (or generated by an authenticator app on it). The user enters the code from the phone and the system lets the person in. Sounds foolproof, although a code that can be phished or intercepted can be replayed if the server does not reject codes it has already accepted.

The write up states:

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

Another finding is that:

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggest limiting the number of global admins to two to four operators maximum per business.
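The figures quoted above translate into three checks a tenant owner can run: which admins lack MFA, how many accounts hold the global admin role against the CIS limit of four, and which global admins carry redundant extra roles. The following is an added example written for this page, not a Microsoft tool or script from the article; it runs over a constructed export of role assignments (the record layout, the fictitious accounts and the role names are assumptions), where in practice the records would be filled from a directory export.

```python
"""Added example: audit a (constructed) Microsoft 365 admin export against
the findings quoted on this page.  Not a Microsoft tool; the record layout
and sample accounts are assumptions for the demonstration."""

GLOBAL_ADMIN = "Global Administrator"
MAX_GLOBAL_ADMINS = 4   # CIS guidance quoted in the article: two to four

# Constructed sample export of a fictitious tenant (not real accounts).
# Each record: user principal name, assigned directory roles, MFA enforced?
ADMINS = [
    {"upn": "alice@example.com", "roles": [GLOBAL_ADMIN], "mfa": True},
    {"upn": "bob@example.com", "roles": [GLOBAL_ADMIN], "mfa": False},
    {"upn": "carol@example.com", "roles": [GLOBAL_ADMIN, "Exchange Administrator"], "mfa": False},
    {"upn": "dave@example.com", "roles": [GLOBAL_ADMIN], "mfa": True},
    {"upn": "erin@example.com", "roles": [GLOBAL_ADMIN], "mfa": True},
    {"upn": "frank@example.com", "roles": ["Helpdesk Administrator"], "mfa": False},
    {"upn": "svc-backup@example.com", "roles": ["Exchange Administrator"], "mfa": True},
]


def audit(admins):
    """Return the findings as a dict so they can be asserted on or fed to
    a ticketing system rather than only printed."""
    no_mfa = sorted(a["upn"] for a in admins if not a["mfa"])
    global_admins = sorted(a["upn"] for a in admins if GLOBAL_ADMIN in a["roles"])
    # A global admin already holds every other role; extra role grants on the
    # same account are redundant and obscure what the account really needs.
    redundant = sorted(a["upn"] for a in admins
                       if GLOBAL_ADMIN in a["roles"] and len(a["roles"]) > 1)
    return {
        "admins_without_mfa": no_mfa,
        "pct_admins_without_mfa": round(100 * len(no_mfa) / len(admins)) if admins else 0,
        "global_admins": global_admins,
        "too_many_global_admins": len(global_admins) > MAX_GLOBAL_ADMINS,
        "global_admins_without_mfa": sorted(set(no_mfa) & set(global_admins)),
        "redundant_role_grants": redundant,
    }


if __name__ == "__main__":
    for key, value in audit(ADMINS).items():
        print(f"{key}: {value}")
```

Global admins without MFA are the finding to fix first: they combine the 78 percent and the 36 percent figures from the article in a single account.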

Let’s step back. If the information in the write up is correct, a major security issue is associated with Microsoft’s software. With an increase in breaches, is it time to ask:

Should Microsoft engage in a rethink of its security methods?

We know that third party vendors are not able to stem the tide of cyber crime. A security company would not buy a full page ad in the Wall Street Journal to call attention to failure if it were just marketing fluff. We know that Microsoft admins and Microsoft apps are vulnerable.

Perhaps shifting the burden from the software and cloud vendor to the user is not the optimal approach when one seeks to make security more effective and efficient. The shift is probably more economical for Microsoft; that is, let the customer carry the burden.

Some Microsoft customers may push back and say, “Wrong.” Perhaps regulators will show more interest in security if their newfound energy for taking action against monopolies does not wane? Over to the JEDI knights.

Stephen E Arnold, November 1, 2020

Cybersecurity Lapse: Lawyers and Technology

October 29, 2020

“Hackers Steal Personal Data of Google Employees after Breaching US Law Firm” is an interesting article. First, it reminds the reader that security at law firms may not be a core competency. Second, it makes clear that personal information can be captured in order to learn about every elected official’s favorite company, Google.

The write up states:

Fragomen, Del Rey, Bernsen & Loewy LLP, a law firm that offers employment verification compliance services to Google in the United States, suffered unauthorized access into its computer systems in September that resulted in hackers accessing the personal information of present and former Google employees.

The article quotes a cyber security professional from ImmuniWeb. I learned:

According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, the fact that hackers targeted a law firm that stores a large amount of data associated with present and former Google employees is not surprising as law firms possess a great wealth of the most confidential and sensitive data of their wealthy or politically-exposed clients, and habitually cannot afford the same state-of-the-art level of cybersecurity as the original data owners.

This law firm, according to the write up, handles not just the luminary Google. It also does work for Lady Gaga and Run DMC.

Stephen E Arnold, October 29, 2020

Covid Trackers Are Wheezing in Europe

October 19, 2020

COVID-19 continues to roar across the world. Health professionals and technologists have combined their intellects attempting to provide tools to the public. The Star Tribune explains how Europe wanted to use apps to track the virus: “As Europe Faces 2nd Wave Of Virus, Tracing Apps Lack Impact.”

Europe planned that mobile apps tracking where infected COVID-19 individuals are located would be integral to battling the virus. As 2020 nears the end, the apps have failed because of privacy concerns, lack of public interest, and technical problems. The latter is not a surprise given the demand for a rush job. The apps were supposed to notify people when they were near infected people.

Health professionals predicted that 60% of each European country’s population would download and use the apps, but adoption rates are low. Finns, however, reacted positively: one-third of the country downloaded the national COVID-19 tracking app. Finland’s population ironically resists wearing masks in public.

The apps keep infected people’s identities secret. Their data remains anonymous and the apps only alert others if they come in contact with a virus carrier. Whether the information provides any help to medical professionals remains to be seen:

“We might never know for sure, said Stephen Farrell, a computer scientist at Trinity College Dublin who has studied tracing apps. That’s because most apps don’t require contact information from users, without which health authorities can’t follow up. That means it’s hard to assess how many contacts are being picked up only through apps, how their positive test rates compare with the average, and how many people who are being identified anyway are getting tested sooner and how quickly. ‘I’m not aware of any health authority measuring and publishing information about those things, and indeed they are likely hard to measure,’ Farrell said.”

Are these apps actually helpful? Maybe. But they require maintenance and constant updating. They could prevent some of the virus from spreading, but sticking to tried and true methods of social distancing, wearing masks, and washing hands work better.

Whitney Grace, October 19, 2020

China Alert from the FBI

October 10, 2020

DarkCyber noted “New FBI Film Warns about China’s Recruitment of US Officials.” The DarkCyber research team has not viewed this video. We did note this statement in the article about the video:

FBI Director Christopher Wray and other officials have said that China’s goal of becoming the world’s top technology provider is fueling Beijing’s aggressive techniques to get as much information on technologies from around the world as possible. “Social media deception continues to be a popular technique for foreign intelligence services and other hostile actors to glean valuable information from unsuspecting Americans,” NCSC Director William Evanina said in a statement. “Through this movie and other resources, we hope to raise awareness among Americans so they can guard against online approaches from unknown parties that could put them, their organization, and even national security at risk.”

Data generated by social media provides one skilled in certain arts to:

  • Identify individuals who may be susceptible to pressure or payoffs
  • Provide hints about an individual’s weaknesses or pressure points
  • Pinpoint activities, including destinations, so that in-person contact can be initiated.

The cavalier dismissal of social media like TikTok as no big deal is not warranted. The FBI’s concern is understandable. If anything, enforcement agencies should have been more aggressive. The film is a useful first step, but more communication about the risks certain countries pose to the security of US businesses and governmental agencies is needed.

Stephen E Arnold, October 8, 2020

Corporate Reputations and Sketchy Security

October 7, 2020

Cyber attacks are on the rise not only for individuals, but also for businesses, hospitals, banks, and other organizations. While organizations dedicate entire departments to cyber security, they still run the risk of their reputations being harmed. Daiji World explains more about the threat in the article “Reputational Risks From Cyber Attacks On Rise As Episodes Become Public: Moody’s.”

Consumers want reliable organizations to purchase goods and services from as well as to manage their health and finances, but if organizations become cyber attack victims their clients lose trust in them. Moody’s Investors Service reported on the topic and said companies that rely heavily on their reputations, or whose clients can easily switch to a competitor, suffer the most from cyber attacks.

Organizations avoided disclosing cyber attacks in the past, because they did not want to further damage their reputations. Bad actors, however, enjoy bragging about their conquests and also want their victims to squirm in a public forum, so they announce their attacks online. New laws also require organizations to notify clients if there is a breach. Moody’s also wrote:

“Damaged reputations can result in increases in the cost of capital, regulatory costs and additional costs for attracting and hiring talent. Companies with damaged reputations may also lose the support of customers, investors and other counterparties, causing a reduction in revenue…

Besides, the report cited that companies with lower customer bargaining power or confidence-sensitive business models have more exposure to cyber-related reputational risks. ‘The effects vary, with acute financial consequences for some companies and little or no impact for others. Companies can employ various strategies to reduce customer churn and limit reputational harm, although these strategies can be expensive or frustrate customers,’ the report suggested.”

Ransomware tactics are still preferred by bad actors. Some organizations pay the ransom only after they are publicly called out; others have no choice because of the sensitive nature of the data.

In the future, organizations must budget for bigger cyber security departments and insurance for ransomware attacks. Insurance companies probably already have.

Whitney Grace, October 7, 2020

Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not the least of which is the involvement of people for whom a raise, a bonus, or a promotion is at stake. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned: according to Gartner’s research, consumers believe responsibility lies with organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts. …

“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes that it is important organizations get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to, and monitoring of, training data and models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.

Cynthia Murrell, September 30, 2020
