The One IT Security Issue That Too Many Media Are Totally Missing

Posted by Gerd Meissner

Jun 8, 2017

Tumbnail Illustration: InfoSec Luminary Lineup: The One IT Security Issue That Too Many Media Are Totally Missing - Authentic8 BlogSECURITY, NEWS

Did you notice how some journalists ask one particular question at the end of an interview? It’s usually a good sign: "Is there anything I didn't ask you but should have?"

This question indicates curiosity to go past the obvious talking points. It shows the interviewer’s openness to considering new angles. We decided to rephrase and broaden that question and pose it to our InfoSec Luminaries:

"What's the one IT security issue that you wish journalists would cover more or better, and why?"

No media bashing or gripe-airing intended here. Reporting on IT security, computer crime, data protection and privacy - and getting it right - is tough enough. It looks like more fun from the outside (if you’re not  doing it yourself ) than it actually is. We get it.

But even those in the industry who enjoy stellar media coverage can point to an issue or two that deserves more attention than it is actually getting.

The premise of this Lineup was to highlight aspects that rarely make it on page 1 of the Daily Data Breach. Perhaps we can even seed one or two story ideas. In any case, all our contributors welcome your questions if you’re a journalist covering the industry and looking for expert input or a fresh perspective on a related topic.

Illustration: InfoSec Luminary Lineup Discussion: The One IT Security Issue That Journalists Should Cover Better Or More

At Authentic8, for example, we would like to see more light shed on the web’s inherent security weakness, for better general awareness of what's needed to better protect ourselves. Below, our InfoSec Luminaries highlight the IT security issues that they think could otherwise get lost in the shuffle.

The submissions cover a broad range this time. They address gender aspects and the human element (Daniel Garrie/ Masha Simonova, Eric Vanderburg). They offer facts and insights for less dark (Fred Scholl) and more diligent (Benjamin Wright, Mike Baukes, Pete Kofod) reporting.

Another one highlights an upcoming regulatory requirement that will have a significant global impact (Steve Durbin). And we close this round with a practical reminder that WiFi connections always warrant a second look - for all of us, but for journalists in particular (Joseph Raczynski).

On that last note, check out these posts on how to secure a WiFi connection when traveling and why Stealing Data Over WiFi Is Easier Than You Think.

PS: Do you have something to add or would you like to be included in future InfoSec Luminary Lineup discussions? Connect with us through one of the links at the top of this page or use the comment form below.

Topics: News, Security

Why Hollywood Should Disconnect from the Web

Posted by Drew Paik

May 23, 2017

Illustration: Why Hollywood Shoud Disconnect from the Web. Hollywood Sign HackedSECURITY

Production companies need to revise the way they access the internet or more major studios will fall victim to hackers because of web-borne attacks.

*

News of an unreleased Disney film (coincidentally about pirates) being held hostage by hackers marks the latest in many costly and embarrassing web-based attacks targeting content producers and their supporting vendors.

The causes of these data breaches have one thing in common: criminals gained unauthorized access via the web.

In the case of Sony, malware installed via an open port exfiltrated terabytes of sensitive data, including emails, contracts, and content. For Disney and Netflix, their breaches seem to have occurred because criminals targeted a production partner with weaker defenses.

Topics: Security

WannaCry? Cry Over Too Much Complexity

Posted by Scott Petry

May 16, 2017

Tumbnail Illustration: WannaCry Ransomware - Authentic8 BlogSECURITY

There’s plenty of blame to go around for WannaCry (a.k.a. Wcry, Wanna Decryptor), the ransomware that hit more than 200,000 organizations in 150 countries. Let’s focus on a driver behind this malware campaign that hasn't been widely discussed: complexity.

*

WannaCry encrypted files on Windows computers in hospitals, train stations, shipping hubs, automotive manufacturing plants and power companies (among others), then demanded a ransom - payable in BitCoin -  to unlock the files on the victim’s PC.

Once delivered to a Windows machine, this ransomware exploits a security hole in the file transfer protocol used in Microsoft networks. For in-depth information, I recommend the  Wcry US-CERT Alert and Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware on Troy Hunt’s blog.

Who’s behind it? We still don’t know. As for who’s to blame, let the finger pointing begin:

Topics: Security

5 Must-Read Reports for IT Security Leaders in Financial Services

Posted by Gerd Meissner

May 2, 2017

Thumbnail Infographic - Cyber Liablity Claims for Financial Institutions?SECURITY

In 2016, most attacks against financial services firms were unknowingly facilitated by “inadvertent actors,” reports IBM. That is, by insiders without malicious intent, such as employees or contractors, who simply clicked a bad link or downloaded the wrong attachment.

A November 2016 survey by Palo Alto, CA-based MetricSream, found that 66.2 percent of financial organizations faced at least one cybersecurity attack over the preceding year. In 33 percent of data breach attempts against financial services firms, the attackers succeeded, according to  Accenture [PDF], based on its own findings.

CIOs and CISOs in the financial services sector face mounting challenges. Cybersecurity talent shortage, outdated toolsets and new regulations make it difficult to ensure regulatory compliance and minimize risk across their organizations.

While the industry may have reversed the overall trend of year-over-year data breaches, as the ITRC Data Breach Report for 2016 [PDF] and the 2017 IBM X-Force Threat Intelligence Index (more below) indicate, this achievement has come at a price.

Topics: Security

When URL Filtering Fails, This Secure Browser Has Your Back

Posted by Gerd Meissner

Apr 11, 2017

Illustration: Infographic - Silo, the Remote Secure Enterprise Browser with Secure Web Gateway (SWG) IntegrationCORPORATE NEWS, SECURITY

Too frequently, URL filtering fails to catch malicious websites, or it blocks resources that employees need to do their job. With its new secure web gateway (SWG) integration Authentic8’s remote secure browser Silo now helps enterprises close this security gap.

*

Secure web gateway (SWG) solutions provide a generally reliable way for the enterprise to handle users’ web requests, allowing some sites to be accessed and others to be blocked.

To maintain security and efficiency, “generally” reliable may not be enough. A web resource that an employee needs may not have been crawled and categorized by the SWG vendor yet. Another URL may have been cataloged, yet somehow ended up in the wrong category. Or a resource that was approved earlier has since been infected with malware.

If the SWG allows users to access a potentially dangerous web resource without protection or security backstop, the consequences to the company could be disastrous.

Because regular browsers fetch and process all code from the web locally, at the endpoint, connecting to an infected website opens the door for malicious software, such as ransomware or spyware, to enter your local IT infrastructure.

Most companies have come to terms with the trip-ups of URL miscategorization. But an even bigger challenge remains:

Beware the uncategorized URL

Should you allow access to a website that has not been classified yet by the SWG vendor? This may expose the local browser and your IT infrastructure to potential security violations.

Or should you simply block all unclassified URLs? This step would likely reduce the efficiency of your business, while increasing the number of angry messages in your inbox from employees who need a particular URL unblocked, and pronto.

Topics: Security, Corporate News

ISPs & Privacy: Why it Matters, and How to Cover Your A$$

Posted by Scott Petry

Apr 5, 2017

Illustration: ISPs & Privacy: Why it Matter, and How to Cover Your A$$NEWS, POLICY

Both the US Senate and the House of Representatives have cleared the way to remove privacy rules for internet service providers (ISPs) like AT&T, Charter, Comcast and Verizon. The President  signed the executive order to repeal these rules, which were originally put in place by the FCC in 2016 to protect consumers on the web. 

Topics: News, Policy

New One-Tab Browser Aims to Boost Productivity on the Web

Posted by Gerd Meissner

Apr 1, 2017

Illustration: Unibrowser SMNEWS, CORPORATE NEWS

Multitasking as bad for business as data breaches, says maker of “Unibrowser”

(MOUNTAIN VIEW, CA -- April 1, 2017)  A revolutionary “one-tab” web browser that aims to dramatically improve focus and productivity of internet users has been introduced by Silicon Valley-based Authentic8.

Named the “Unibrowser”, the new distraction-free browsing environment was developed based on the latest neuroscience and mindfulness research. Its core feature is one single tab. It has been streamlined for users to exercise restraint when they access the web, and to force focus on the task at hand, instead of multi-tasking.

The launch of the Unibrowser marks a radical departure from industry’s multi-tabbed browser model, which dates back to 1997 and has been blamed for many of modern society’s ills. Authentic8 touts its new browser as a tool to fight “task inflation” and to achieve measurable  “attention deficit reduction.”

Topics: Corporate News

How to Build Better Cybersecurity Habits in a Large Enterprise in Just Four Weeks

Posted by Gerd Meissner

Mar 2, 2017

How to Build Better Cybersecurity Habits in a Large Enterprise in Just Four Weeks - InfoSec Luminary Lineup IllustrationSECURITY

“You have four weeks to create strong cybersecurity habits in a business with 500+ employees. What would you do, and why?”

Granted - such a request “may indicate a big problem in [the board’s] understanding of security,” as Fred Scholl (Monarch Information Networks) points out below, because in this scenario,  “[t]he CISO has failed to proactively educate leadership.”

We posed the question to our circle of InfoSec Luminary Lineup contributors anyway. Nothing focuses the mind like a deadline.

Jordan McQuown, CIO at LogicForce Consulting, writes in response: “[U]ser awareness, reinforcement and training are key to improving security habits.” So how do we get there, fast? Jordan reminds us that “[t]ypical attackers are looking for easy targets” - and provides ample advice how to frustrate their plans.

Richard Caplan (LeClairRyan) points out the importance “to clarify the rules and responsibilities” in such a concerted effort. And like Jordan McQuown , Joseph Raczynski (Thomson Reuters Legal) urges CISOs to create teachable moments:  “Companies need to phish their own employees.”

Steve Durbin, Managing Director of the UK-based Information Security Forum (ISF), includes a warning in his contribution. Given the time restraints in this scenario, he writes, “[l]ooking for a silver bullet will be a waste of time.”

A8 InfoSec Luminary Lineup Theme Image:Four weeks to build strong cybersecurity habits in a large enterprise

Steve advises to step back and understand the bigger picture first, then “let risk drive the solution” His “Ten tips on how to make cybersecurity a habit on a deadline” round out this InfoSec Luminary Lineup.

Tip #4 on his instructive list below is our favorite. Why?

Topics: Security

8 Must-have Features of a Secure Browser (2)

Posted by Gerd Meissner

Feb 7, 2017

Illustration: Empty Canvas - 8 Must-have Features of a Secure Browser (2)SECURITY

Regular browsers, such as the one that came with your PC or mobile device, are leaking data on the internet like a sieve. The inherent vulnerabilities of the local browser model allow criminal hackers to infiltrate computers and steal or manipulate data.

Firewalls or antivirus software provide little or no protection against modern attackers and their tools. Browser add-ons, plugins and extensions promising “extra” security and privacy cannot be trusted. Their makers were even caught selling out private user data.

Because the “traditional” browser architecture is inherently unsafe and promoting data leakage,  a new generation of secure browsers has been developed for security-conscious companies and consumers.

Not all supposedly “secure” browsers are equal, and some are not secure at all. How can you tell the difference?

In this second part of “8 Must-Have Features of a Secure Browser” (read Part 1 here), we examine another four features and capabilities your browser must have to deserve the label “secure” for business or personal use.

Topics: Security

Book Review: What They Really Do With Your Medical Data

Posted by Scott Petry

Jan 28, 2017

Thumbnail: Book Review: What They Really Do With Your Medical Data - Illustration for Authentic8 blog review of Our Bodies, Our Data by Adam TannerSECURITY, IDENTITY, NEWS

Happy Data Privacy Day.  A new book provides an in-depth look at the commercial trade in patient medical data.  Sensitive data, a vibrant market, and not much cause for celebration.

*

A while ago, I wrote about the wave of data breaches at healthcare organizations and medical identity theft that is impacting millions and what we can do to protect ourselves better.

One of the readers of that post was acclaimed journalist Adam Tanner, who has reported on data collection and consumer privacy since 2012.

Adam and I have had an ongoing discussion on data privacy and security matters since we met a few years ago.  He was covering the issue for Forbes, and I had a chance to brief him on our secure browser solution.

A few weeks ago, he kindly directed my attention to an unknown - to me, at least - aspect of our personal medical records.

Topics: News, Identity