How Video Analytics Help Security Drive Awareness and Insight

In diverse industries, video analytics help security to get a clearer view.

As a rule, there is a lot that video analytics can do to bolster security – whether that’s motion detection for perimeter security; facial recognition for access control; or artificial intelligence (AI) for object classification, to name a few of the possibilities.

As we consider the promise of video analytics in seven key sectors, a common theme emerges. Analytics don’t just enhance the security mission, acting as a force multiplier and driving new levels of awareness and insight. They also boost the position of the security professional, enabling security to leverage its investment in video as a means to drive new levels of efficiency across all levels of the operation.

K-12 Schools

In a K-12 school, where a security officer may need to watch over a large and complex facility, analytics and AI can expand that guard’s reach. “There is the security component from something simple: Was a child left on the playground when everyone returned from recess?” says Forrester Senior Analyst Nick Barber. “AI could be trained to tell the difference between a child and an adult, so that it isn’t falsely triggered if there is a teacher on the playground versus a student.”

“Or, is there an active shooter on campus and should 911 be contacted?” Barber says. Analytics applied to video and audio could be trained to recognize what a gun looks like or what a gunshot sounds like, automatically alert authorities and simultaneously relay the related video. Analytics could support simpler tasks as well, such as taking attendance as students enter the school or classroom.

Universities

The security challenge for universities and college campuses rests with sheer acreage. Universities may have a large security footprint, with their own police departments supported by cameras and a monitoring center. But they also have a lot of ground to cover. Analytics can provide a force multiplier.

Facial recognition, for instance, can offer a ‘be on the lookout’ mechanism to help security identify persons of interest. “If there’s a stalker, the analytics can pick up on those individuals,” says Scott Vogel, CEO of Incyte Security, a data analytics consultancy. Geofencing and other analytic tools can likewise help secure a sprawling perimeter. “You may have people hopping the fence at night to avoid the security gate, and analytics can provide a virtual barrier.”

Healthcare

In the healthcare environment, video is of greatest use in helping to secure entry and exit points, whether that is aimed at keeping unwanted individuals out of an emergency-care situation, or at keeping dementia patients in and on-premise at a senior care facility. “Analytics solutions can alert operators when people either enter or exit secure areas without proper identification procedures, such as swiping a badge, or they can utilize some facial recognition features to be sure that the person on camera who has earned entrance to a secure area is the person they are claiming to be,” says Danielle VanZandt, industry analyst for security in the aerospace, defense and security practice at Frost & Sullivan.

Analytics can also be used to identify potential threats that might otherwise be overlooked by security personnel. Left-object and loitering analytics help hospital security teams spot suspicious packages or behaviors, particularly when these alerts are generated in areas that should not see significant foot traffic.

Cannabis

Video analytics can help cannabis growers to identify possible threats to the safety of their crop, says Ryan Douglas, founder of consulting firm Ryan Douglas Cultivation LLC. “High-tech greenhouses install mobile cameras that constantly run along tracks mounted to the ceiling. Analyzing this video can help with the early identification of pest or disease outbreaks, nutritional deficiencies and undesirable growth patterns before they negatively affect a crop,” Douglas says. It’s a way for security to leverage its video investment in support of enhanced operational efficiency.

Security could also utilize analytics to help ensure cannabis retailers comply with regulations, if, for instance, the system was programmed to monitor quantities of product changing hands at the point of sale. “It could ensure that during the purchase transaction, buyers don’t exceed the amount of product that they are legally allowed to purchase,” Barber says.

At grow sites, analytics can also be applied to remote video surveillance systems to help secure the perimeter. Motion detection and geofencing can likewise be leveraged to extend the eyes of the security force over the growing and production operations.

Property Management

For security on a commercial property, video alone can’t cover all the bases. Property management requires a combination of broad vision and deep insights. Beyond mere images, analytics can deliver the intelligence to help security professionals make best use of their time and cover ground more effectively.

“You might have teenagers climbing on the roof of the building. Beyond the general liability problem, they are damaging the roof,” Vogel says. “With analytics, you can identify the places where people go up on that roof and notify security. Within seconds you get notification and hopefully can deter that incident.”

Analytics can detect patterns of behavior, noting when a parking lot is filling up. This helps to ensure adequate security coverage when and where it is needed. Video analytic tools can help security to deter theft from commercial properties, by highlighting common traffic-flow patterns and sending out a notification to security officers when those patterns are disrupted. This helps security to see when products may potentially be walking out the back door and, with the help of automated notifications, to respond in real time.

Critical Infrastructure

Consider all the luminous dials in a hydroelectric plant or an oil refinery: Constant reminders that pressure and temperature are key determinants of safety. Security personnel can use analytics to monitor a vast array of analog sensors more effectively and in real time. Point a camera at an analog gauge, program the analytics to watch for threshold levels, “and an alert can get triggered if the pressure rises above a certain point as seen on the dial,” Barber says.

Video can also be used to understand how specific elements of the facility are operating and can signal when key components need replacement. Security thus pushes critical infrastructure closer to an IoT-enabled enterprise, Barber says.

Security personnel also are charged with tracking workers, vendors and others who are present at critical infrastructure facilities. Video analytics capabilities, when paired with surveillance systems that provide facial recognition, will help critical infrastructure to improve access control, maintain security logs for entry and exits in specialized areas and better manage visitors or contractors, VanZandt says.

Manufacturing

Access control is a key issue in manufacturing, with security tasked to ensure that only the right people can get to certain places, especially sensitive production areas and inventory stores. […]

Meet Kellie Green: Cloud Expert of the Month – May 2020

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

Our Cloud Expert of the Month is Kellie Green.

Kellie began her career at Microsoft, where she spent 9 years building skills in people management and support operations. After leaving Microsoft she spent about 4 years in India and the Philippines leading outsourced support operations for software companies. Her next role, at Monster.com, was initially in support outsourcing but morphed into leading the support knowledge management, content and training strategy for insourcing support. After 3 years at Monster.com, Green became the support leader at a mid-size software company then called Parallels. The company and division names changed, but she stayed with that software company leading the support, customer training and managed services divisions for 6 years, until one of its largest software products was acquired by Ingram Micro. After a year at Ingram, Kellie joined Amazon Web Services. She has been with Amazon for 3 years now, first leading AWS Support teams and currently as the leader of the corporate IT function.

When did you join Cloud Girls and why?
I joined Cloud Girls in 2017. I relocated to California in 2016 and was looking to network with other women working in the cloud industry. I found Jo Peterson on Twitter and sent her a direct message. She offered to meet for lunch and later introduced me to the Cloud Girls.

What do you value about being a Cloud Girl?
The annual retreat is a cherished opportunity for learning and bonding with other women in the cloud industry.

What career mistake has given you the biggest lesson?
I took a job in the Philippines without interviewing in the country and without any prior experience working there. I signed up for a 2-year contract with a pay-back clause for the relocation. I failed to earn trust with the large team that I was assigned to lead. I had been managing teams in India and assumed that my management style would be accepted in a different cultural context. My team reported a high level of dissatisfaction and I was removed from a leadership role with that team. I was given a second chance with some very specific direction from my manager about recommended corrective actions. Those directions were not aligned with my normal style but I followed the advice. When I left that team after my 2-year contract was over we had a fantastic farewell party with everyone in the management team that lasted all night and included a video of our team memories together. I learned so many lessons about how it’s possible to show up the day after a massive failure and start over and that the most important part of leadership is earning trust.

What will be the biggest challenge for the generation of women behind you?
The generation of women behind me inspires. I recently read an article about the #metoo movement, and some of the women of my generation reported that until the next generation of women entering the workplace started using the words sexual harassment to describe behaviors that women of my generation had encountered for years, it wasn’t sexual harassment to us. I think the biggest challenge for younger women is to work in collaboration with senior female leaders to make sure that we never accept “being one of the guys” as the way to accomplish career success. […]


Data Privacy and Data Security: Outsourcing to Third Parties and the Effect on Consumers, Companies, and the Cybersecurity Industry as a Whole

With the recent increase of global data privacy regulations and their ramifications on multinational organizations, it is crucial to examine the differences between data privacy and data security, why these nuances matter, and the impact they have on cybersecurity trends for not only organizations, but consumers.

Twenty years ago, data protection and information security were largely viewed as complementary activities. Today, data protection is rarely discussed without its privacy counterpart, and information security has broadened into “cybersecurity” to reflect that data faces threats from many directions.

Typically, cybersecurity is described as an intersection of three principles: confidentiality, integrity, and availability (CIA). If one of these properties fails, or a control is wrongly configured, the result can be a breach of information: unauthorized access or leakage (confidentiality), tampering (integrity) or wrongful deletion (availability), commonly traced back to poor policy, weak risk management, or immature security practice.

Data privacy is often defined as the protection of sensitive data, typically referencing personally identifiable information (PII), such as a social security number, race, ethnicity, and age. Depending on the sector, regulation, or jurisdiction, the definition of which data is considered “sensitive” will vary and can expand beyond personal types of information to assets like trade secrets, intellectual property, or financial and operational data. The problem with this definition of data privacy is that protecting this information is viewed mostly as a security attribute, which gives rise to the longstanding proverb that you cannot have privacy without security.

If you reflect on the information trends since the turn of the last millennium, we experienced a shift to the cloud in the early 2000s, where organizations moved servers and other hardware assets to centralized vendors that maintain data center environments at scale. With this migration, the world’s first Software-as-a-Service (SaaS) companies came online at the height of the dot-com bubble.

The “as a service” business model placed a new dependence on service organizations when their customers outsourced critical elements of their supply chain for operational efficiencies or for the ability to scale quickly without having to gain expertise in an industry not core to their product. This reliance on third parties created increased security risks since more companies would now have access to the same information that was previously received, managed, and maintained all under the same roof.

The effect on consumers

Beginning in the 2010s, data breaches that affected consumers through stolen credit card data, like those disclosed by Adobe, Target, and Home Depot within a span of roughly twelve months (late 2013 to 2014), made data security a hot topic for consumers for the first time, causing boards and regulators to inquire about the controls in place to mitigate these threats. However, it was not until recently that consumers shifted that mindset to include data privacy, after public breaches exposed health and personal information at Anthem, Uber, Adult Friend Finder, and Marriott. These data breaches made headlines, and consumers began to ask, ‘what data are you storing for me, how do you plan to use this data, and how long will it be retained?’.

Lawmakers and regulators took notice of this shift toward consumer protection and, in the absence of a comprehensive federal privacy law, began to mandate public changes in normal business operations.

The effect on companies

With so many checkpoints to consider when engaging a new vendor, and the stakes for proper due diligence higher than ever, organizations began to turn to assessment firms for assurance around these security controls. Assistance is needed because companies are unable to audit every service provider that might interact with user or customer data. In the United States, an organization may request a System and Organization Controls (SOC) 2 report, an examination by a competent Certified Public Accountant (CPA) of the provider’s security controls against a set of defined criteria. Or the provider may hold ISO 27001 certification, an accredited assessment, made at a point in time, of the conformity of its information security management system to the standard’s required management processes and control objectives, which establishes a baseline for what is considered a minimum state of security maturity.

Because consumer focus on privacy is recent, globally recognized privacy assurance programs have only recently been developed. In August 2019, the International Organization for Standardization (ISO) released the ISO 27701 standard, with requirements and guidance for establishing a Privacy Information Management System (PIMS) for organizations that are controllers and/or processors of sensitive information like PII. While privacy rules had been in place for several years through mechanisms like the EU-U.S. Privacy Shield framework and, more recently, the General Data Protection Regulation (GDPR), ISO 27701 is the first certifiable assurance standard through which organizations can demonstrate their commitment to privacy in the legal context affecting their data subjects.

In the months following the release of ISO 27701, organizations such as Alibaba, Huawei, Microsoft, Accenture, Blackhawk Network, and OneTrust have certified to the new standard; however, these certified organizations plus a multitude of others looking to match the achievement have quickly realized that privacy hygiene requires different resources and in-house skill sets than were needed with their security program.

The challenges of incorporating data privacy

One of the top challenges security teams face when building a privacy program on top of their existing security management system is how to expand the enterprise risk assessment to include risks that threaten the protection of PII. They inherently gravitate towards thinking about this new taxonomy of risk in terms of the foundational CIA principles, but neglect to consider the rights of the data subject. As a result, they have been forced to merge security personnel with privacy personnel to complete this task, which now exposes a new problem – many organizations do not have privacy personnel.

Looking at some Fortune 500 organizations, job titles such as Chief Security Officer or Chief Information Security Officer (CISO) are far more commonplace than Chief Privacy Officer. Often, the privacy function of an organization is absorbed by General Counsel or outsourced to law firms kept on retainer. Early ISO 27701 certification plans at some of the largest processors of personal information in the world have been halted after discovering that their security departments have little to no connection to their in-house privacy teams, if those exist at all. Remediation is then only possible through a major shift in the organizational chart or the hiring of competent personnel. […]


Cyber Work Podcast: Growing the number of women in cybersecurity with Olivia Rose

Introduction

Cybersecurity is a field on the cutting edge, yet when it comes to gender parity, there’s still much progress to be made. For women, breaking into a male-dominated field like cybersecurity comes with a unique set of challenges.

Data from the (ISC)² Cybersecurity Workforce Report reveals that the landscape of women in cybersecurity is complex and — at least in some ways — evolving:

  • Women make up 24% of the cybersecurity workforce — a major increase from 11% in 2017
  • Women earn more degrees and cybersecurity certifications on average
  • A higher proportion of women than men hold leadership roles like IT Director, CISO and CIO

Seeing these numbers on the rise is exciting and encouraging. However, not all of the statistics are positive:

  • Of women in cybersecurity, 56% will leave to pursue jobs in another field
  • 17% of women earn salaries between $50,000 and $99,999, compared to 29% of men
  • Women in security management roles earn an average of $5,000 less than men in the same roles

In Infosec’s podcast “Growing the Number of Women in Cybersecurity,” Olivia Rose, the director of global executive risk solutions at Kudelski Security, shares her experiences as a woman in the field and offers valuable advice to women considering a career in the cybersecurity world.

What can companies do to encourage women and minorities to take cybersecurity jobs? And just as important, how can companies encourage them to stay?

Network to overcome isolation

For many women working in cybersecurity, it’s unfortunately easy to feel like a stranger in a strange land. It’s not uncommon to be the only woman on a team or in an entire department, and the feeling of being the “odd woman out” can be enough to drive women to look for jobs in fields with better minority representation.

This leads us to the million-dollar question: what can cybersecurity companies do to make women feel less isolated at work? In this case, the most obvious answer (hire more women) is only one part of the equation, since retention rates for women in cybersecurity are also quite low.

According to Rose, access to networking opportunities is vital. Encouraging women to participate in conferences and professional groups can help them meet other women in the field and foster the sense of community they’ve been missing at work. For women trying to get their foot in the door, Rose suggests volunteering at conferences because it waives the fee! RSA, SecureWorld and ISACA are just a few of the many conferences available to women in information security.

Close the confidence gap

Self-doubt and insecurity can loom over women’s cybersecurity careers like storm clouds on an otherwise sunny day. Many women experience Imposter Syndrome, which is the perception that they’re not as skilled or as smart as their colleagues or that they’re not good enough for the job.

Although men can also experience extreme self-doubt at work, women and minorities are much more susceptible to it. Why? It largely stems from feeling like an outsider. This feeling of being on the outside looking in has ramifications on women’s careers in cybersecurity.

Many women feel the need to prove their skills with certifications and degrees. On average, women in cybersecurity hold more certifications than their male colleagues. They’re also more likely to earn a postgraduate degree, according to the (ISC)² Cybersecurity Workforce Report. Rose has experienced this herself, saying, “You have to know your stuff. You may have to know your stuff more than the five other guys in the room.”

How can we help women feel more confident in cybersecurity jobs? Networking and mentorship are two powerful strategies. Since self-doubt is something that can’t be fought in isolation, connecting women with peers who understand what they’re going through can be immensely beneficial.

Recruit from non-traditional backgrounds

Despite the long-running debate on the value of a college degree in cybersecurity, many recruiters still prefer to hire people with degrees in STEM. That alone disqualifies a huge number of professionals, many of them women, who would make a big contribution to the field.

To hire more women in information security roles, recruiters will have to break the mold and look beyond traditional education requirements. Why? Because women don’t graduate from STEM programs at the same rate as men. In the 2015-2016 school year, women earned only 18.7% of bachelor’s degrees in computer and information sciences. […]

CES Unveils Array of Security Technologies

If CES is any indication, artificial intelligence, drones, robots and more will soon be everywhere.

In last month’s issue we looked at some of the many LiDAR companies, technologies and security applications at the Consumer Electronics Show. This issue, it’s time for the best – or at least the most intriguing – of the rest. They fall under the categories of drones, robotics, facial recognition and sensing equipment. (Cyber and IoT developments were too voluminous for this article.)

Drones

If CES is any indication, drones will soon be everywhere. Not only unmanned aerial vehicles, but self-driving cars and trucks, as well as water-borne and undersea contraptions. Bell offered one of the most intriguing displays, presenting a model of a city abuzz with drone taxis that pick up and drop off passengers or deliveries on rooftops. Its Nexus 4EX is a four-duct vehicle that operates as either electric or hybrid-electric, with enough room, Bell promises, for passengers to work on board.

Various vendors touted longer flight times for the battery-powered drones, beyond the standard 20 minutes. Unicorn of Smart IoT Service (USIS) of South Korea displayed its TB-506A, which lists a flight time of 70 minutes and a payload of 1.5 kg. Morocco-based ATLAN Space was flying the flag for its Core™, a UAV module that replaces human ground control stations with embedded artificial intelligence (AI) “capable of achieving mission objectives through cognitive vision, autonomous flight and contextual behavior when facing uncertainty,” according to the product description. CEO Badr Idrissi claims that its signal can’t be jammed. Out of Hong Kong comes XDynamics’ Evolve 2 aircraft, camera system and ground station combo. Reaching a max speed of 57 mph, the aircraft uses LiDAR sensors to optimize mapping and distance measurement.

Some drone applications surprised CES attendees. Beijing Mobox Technology Co. doesn’t put drones in the palm of your hand, but it gets close. The company introduced the TiMAX, which it promotes as the world’s first AI smart drone watch. The mini-drone that you wear on your wrist is encased in a bulky container, which makes it inconvenient for regular use. Though it’s aimed at recreational use, the drone could conceivably be used for low-profile competitive intelligence, or by people who are lost and trying to attract rescuers.

Underwater drones

Underwater drones, referred to as ROVs or remotely operated vehicles, also made a splash at CES. Chasing-Innovation Technology Company demonstrated its Gladius Mini, which resembles a diminutive yellow submarine. A Chasing spokesperson says that the ROV, which can run for up to two hours, is used to perform safety and security inspections on ship hulls and on docks in wharfs and marinas, with the ability to spot contraband.

Whereas Chasing aspired to a submarine look, Robosea of Beijing’s newest ROV mimics the appearance of a fish that other sea creatures won’t want to mess with. Its Robo-Shark looks the part, with motion generated by its tail. Robo-Shark is designed to carry devices such as sensors, monitoring and search equipment and trackers. According to its specs, Robo-Shark can dive to a depth of 2,000 meters below sea level and can remain in salt water continuously for a month and still operate.

Robotics

Robots were also prominently on display at CES, but based on the exhibits, advances in the security realm appear to be gradual. Obodroid of Bangkok demonstrated its Smart Security Robot, which conducts automated patrols of sites such as parking and office areas, detects and recognizes faces and objects such as weapons, detects fire and smoke, recognizes license plates and identifies specific human poses, such as falling.

More tailored for security applications is UBTECH’s AIMBOT, which is marketed for securing data centers and power distribution rooms. Its sensor-laden “head” rises like a periscope to capture data up high.

Much more lifelike is the U-Partner U05 Humanoid Service Robot by CANBOT of Beijing. Though not primarily a security robot – it is marketed as essentially a combination interpreter, docent, customer service assistant and butler – the manufacturer claims features that would have significant security applications if the robot achieves what it promises. U-Partner, CANBOT says, recognizes and communicates in about two dozen languages, recognizes faces in microseconds, and, using a blend of sensors, recognizes hundreds of expressions and “perceives the internal and external world like a human being.” If it indeed has that capability, the robot would aid in identifying upset, angry, intoxicated, or aggressive people and trigger intervention before they turn to violence or malfeasance.

Facial recognition/video

Facial recognition software powers robots that can identify emotion, so it’s no surprise that facial recognition providers at CES promise that same capability. For example, Taiwan’s Face Me product can determine emotion, age within five years and gender, according to business development manager Munir Haddad. One of its more intriguing prospects is its use at ATMs to better verify users, which the company is exploring with partners. Face Me also reflects the industry trend of computing on the edge – where processing occurs more quickly – and working across platforms.

Anti-spoofing features prominently in Face Me’s marketing, and the company was just one of many facial recognition firms showcasing this ability. IDLive Face, by IDR&D of New York, for example, promoted itself at CES as “the world’s first truly passive facial liveness technology.” Demonstrations showed the software distinguishing between a photograph and a live person based on a single image of each. “We can take a single selfie, analyze the image, and tell if it’s a real person or a spoof,” says John Amein, VP of Sales. In other words, as opposed to some systems, a user doesn’t need to turn their head, smile, speak, or take some other action to be verified.

Exhibitors at CES also highlighted the multiple uses of facial recognition, and many industry- or task-specific facial recognition firms are gravitating to security applications. For example, Mikara, of Sydney, is a smart-store application that deploys facial recognition, machine learning and other technologies to deliver targeted messaging and displays to customers. As well as letting a retailer tailor service to a particular customer, the application can target known shoplifters and other offenders, says CEO Kuba Tymula.

Similarly, Bangkok’s Lumio 3D Co. uses spherical capture technology to record minute details of the human face for healthcare purposes, such as helping simulate post-operative appearance. Now the company is beginning to explore the security market, according to CEO Borom Tunwattanapong.

With Europe’s General Data Protection Regulation and similar legislation being enshrined into law worldwide, anyone capturing a face on video must take care with how it is used and stored. A range of companies, from LiDAR manufacturers to AI providers, are addressing that issue. For example, Berlin’s Brighter AI has introduced an Identity Protection Suite that identifies faces in video images and overlays a blur or some other pattern. CEO Marian Glaser says that the resulting images can be used for further processing and data sharing without running afoul of privacy regulations.

Detection systems

Some of the most interesting exhibits at CES presented niche detection systems that can identify various classes of materials and odors.

Video analytics detects visuals

Siri and Alexa understand audio. Touchscreen technologies detect touch. Taste and scent detection technologies, generally, have been confined to research labs. But at least two companies showcased scent-detection technology at CES: Stratuscent of Quebec and Israel’s Nanoscent. […]

What Every Employee Can Do Now to Strengthen Security at Home (Part-1)

With more than half the world now working from home, the home network and its devices have become an extension of the corporate network. From the organization’s point of view, the attack surface now includes points of exposure on home Wi-Fi networks, access points, home routers, mobile devices, workstations and laptops. IT administrators mitigate these risks through security policies that enforce controls (Windows UAC and Group Policy, for instance) and mandate the use of corporate VPNs. But there are also things employees can do themselves to tighten security: in a remote-working scenario, security is a shared responsibility between the organization and its employees.

By Brian Pereira, Principal Editor, CISO MAG

Here are 4 things to secure in your IT infrastructure while working from home:

Secure network connections

Home network connections are mostly wireless, and wireless connections are easier to attack than wired (Ethernet) connections because anyone within radio range can reach them. If your home router still has a weak or default password, it can be taken over by a tech-savvy neighbor. Even Bluetooth connections can be attacked (Bluesnarfing).

To secure your home Wi-Fi, get out the router manual (or download it from the vendor’s site) and look for the default router ID and password; they are often printed on a sticker on the router as well. The ID could be “admin” and the default password could also be “admin”. Now load your browser and type the router’s management address in the address bar: 192.168.1.1 is common, though some routers use 192.168.0.1 or another address listed in the manual. You should then see your router’s login page. Log in using the default credentials, head to the “change password” section and set a new administrator password, following the password guidelines in the manual. Then do the same for the wireless network itself: set a strong, unique Wi-Fi passphrase and select WPA2 with AES (CCMP) encryption rather than the older WEP or WPA/TKIP options, which are broken.

Use strong passwords

Users tend to reuse one password across services. If even one of those services is hacked, the user’s accounts on the other services become vulnerable. So use a different password for each service.

According to Microsoft, 30 percent of reused or modified passwords can be cracked within just 10 guesses.

If the browser (or an extension) offers to “remember” passwords, decline that request. If you opt for a password manager, make sure its master password is different from every other password you use.

When creating a new password, do not include a complete word in the password string. Attackers use password dictionaries and try word combinations until the real password is matched; this is called a dictionary or “brute force” attack. Passwords should be a minimum of 8 characters. Use a mix of upper- and lower-case letters, numbers and special characters.

And if the service offers the option of a password threshold, use it. That is the number of attempts you get to enter a password before the account is locked. Online banking services already enforce this: if you forget your password and enter it wrong three times, you are locked out of your bank account, and a call to your bank, with authentication checks, will reset the password. But that is a process implemented by the bank. Windows 10 also offers account lockout thresholds.

Use multi-factor or two-factor authentication

Email services like Gmail offer multi-factor authentication and two-factor authentication (2FA) for verification, but few Gmail users make use of this feature.

A Google report in 2018 suggested that less than 10% of Gmail users employ two-factor authentication, which is considered one of their best security features.

An organization can also set two-factor authentication for services on the company portal, or for corporate email.

With 2FA, you can opt to receive an SMS code on your mobile device whenever you try to log in. Gmail also lets you use one of your devices for authentication: for instance, you can tap your mobile phone screen (Push to Verify) after receiving an authentication message from Google. A third way is to use a hardware token like the Google Titan Security Key or a YubiKey (Yubico). A fourth method is to use an authentication app like Google Authenticator. There are other 2FA methods, depending on what the service offers. Even social media sites like Twitter, LinkedIn and Facebook offer multi-factor authentication. Banks have enforced 2FA for many years (mainly through hardware tokens).

Secure mobile devices

There are four main things to secure: the mobile OS, the apps, the data and the device itself (physical security). Potential threats include data theft, stolen user credentials, malicious apps, inadequate user configurations, security vulnerabilities in the mobile OS and apps – and stolen devices.

You’d be shocked to learn about the things mobile malware can do – a hacker can activate your phone’s microphone and eavesdrop on conversations, for instance.

To secure the apps and the OS, update these often. Download apps only from authorized marketplaces (Google Play Store or Apple App Store). And ensure that the apps are verified (look for the “Verified by Google Play Protect” badge on the Play Store when downloading apps for Android phones). You can also scan all your installed apps later to verify them.

Don’t try to jailbreak your Apple phone or “root” your Android device. If you do that, the device becomes a threat to the networks and other devices it connects to. Malicious or unauthorized apps set up “backdoors” on jailbroken devices.

“Mobile devices do not have firewalls, so install a firewall app (or a mobile security suite) to scan all traffic between the apps and their corresponding servers.”

Disable the Bluetooth visibility/discovery mode. Use a Bluetooth PIN when pairing your phone with another user’s phone in public. And keep a watch on all the devices that have paired with your phone via Bluetooth. Remove old or unknown devices from the list.

Back up your contacts and data to an online service like Google Drive, Apple iCloud, or Microsoft OneDrive. […]

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Here Come 5G IoT Devices: What Is “Reasonable Security”?

After years of waiting for 5G technology to transform industry and consumer devices, developments at this year’s Consumer Electronics Show suggest that 2020 may finally be the year when US companies make the leap.  Early signs show the healthcare and manufacturing sectors will lead the way this year in incorporating 5G and connected devices into their operations.

If the prognosticators are correct, our smart watches will soon talk to our refrigerators and order healthy groceries online.  And our doctors may receive real-time health updates from our workout equipment, pharmacies, and implanted medical devices.

The combination of 5G and the projected explosion in the number of IoT devices has industry excited, and the government focused on data security. 5G will allow a massive evolution of products and services, leading to autonomous vehicles, remote surgery, and greater connectivity, automation, and precision in industrial manufacturing. This coming integration of, and reliance on, connected devices (the Internet of Things, or IoT) raises myriad new privacy and security concerns, and lawmakers and regulators are ready to take action.

The New Year brought new state laws in California and Oregon focusing specifically on security requirements for connected devices.  The laws are the first in the nation, and portend a coming wave of laws, lawsuits, and regulatory actions focused specifically on data security.  Lawmakers are wrestling with how to keep consumers safe in the face of rapid technological advancement, and are falling back on the concept of “reasonable security” to bridge the gap.  But reasonable security may not be an easy standard for engineers to implement.

The California and Oregon laws require manufacturers of connected devices to integrate reasonable security measures that (1) are appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.

This may seem like a simple threshold, but these laws’ definition of “connected devices” is expansive, potentially expanding the scope to include security cameras, household assistants, vehicles, and in the case of California, industrial manufacturing equipment. Each category of device is going to have a different level of sophistication, different uses, different interaction with data, and different manufacturing requirements. What may be reasonable for a Wi-Fi-enabled juicer is not going to be reasonable for a connected vehicle.

The increasing inability of laws and policies to keep pace with advancements in technology means that efforts to address these issues are going to be crafted in an overly broad and flexible manner.  The California and Oregon laws, as well as similar efforts at the federal level, reflect a struggle to empower the government to address problems, the exact contours of which are not completely known or understood.  Rather than be behind the curve of a particular problem, these laws impose broad requirements that will evolve over time.

At the same time, laws run the risk of codifying standards that may be inapt or quickly become obsolete.  The California and Oregon laws provide that “reasonable security” can be satisfied by equipping a device with a unique preprogrammed password or a requirement that the user generate a new means of authentication before gaining access to the device for the first time.  This may be reasonable for some devices, but the law also covers devices where a compromise in security could result in significant physical harm, and where more stringent security requirements would be appropriate.

As security and encryption approaches continue to advance, the password requirements codified in the laws may actually be disincentives to the adoption of more effective—and reasonable—security practices.  So this is leaving engineers asking the question, what is reasonable security?

Unfortunately, “it depends” is the answer right now. Until regulators offer guidance on how they are going to interpret the requirements, or develop those standards through various enforcement actions, it will be up to manufacturers to develop industry-wide standards for what constitutes “reasonable security.” This may be particularly challenging in light of the expansive scope of these laws. The California Attorney General, at least, has previously endorsed the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security. And some industries, like the automotive industry, already have good track records and mechanisms to establish industry standards. Emerging industries and existing companies unfamiliar with IoT and 5G may not be in such an advantageous position. […]


How Small Businesses Can Protect Themselves from Cyberattacks

When most people think of cyberattacks, major data breaches at humongous companies like Equifax and Yahoo! typically come to mind. This is perfectly understandable, as these are the attacks that impact the most people and always make headlines. But cybercriminals don’t limit their attacks to large companies–they also target countless small businesses every year. And in many cases, these attacks destroy businesses and livelihoods.

By Zack Schuler, Founder and CEO of NINJIO

There’s no reason to put it delicately: The state of cybersecurity in the world of small and medium-sized businesses (SMBs) is nothing short of alarming. Not only are SMBs relentlessly targeted by hackers, but they’re also woefully unprepared to defend themselves and unequipped to handle the aftermath. This is a status quo that has to change immediately–SMBs are the biggest engine of the U.S. economy and they’re at risk like never before.

The Scope of the Problem

Every year, cyberattacks cost small businesses an average of almost US$80,000, and losses can range up to US$1 million (according to a report by the Better Business Bureau). Meanwhile, a 2018 study by the Ponemon Institute found that more than two-thirds of SMBs reported that they had been targeted by a cyberattack within the preceding year. Substantial majorities of SMBs also agree that cyberattacks are becoming more targeted, severe, and sophisticated, but despite these facts, almost half of respondents say they have no understanding of how to protect against cyberattacks.

Key findings from the report
  • Every year cyberattacks cost small businesses an average of almost US$80,000, and losses can range up to US$1 million.
  • A survey reports 88 percent of small business owners felt their business was vulnerable to a cyberattack.
  • Almost two-thirds of small businesses fail to act following a cybersecurity incident.
  • 56 percent of SMBs say defending mobile devices from cyberattacks is extremely challenging.
  • The top three attack vectors cited by SMBs are mobile devices, laptops, and cloud systems.
  • Just 16 percent of SMBs are “very confident in their cybersecurity readiness.”
  • 60 percent of SMBs lack a “cyberattack prevention plan.”

A recent survey by the U.S. Small Business Administration found that 88 percent of small business owners felt their business was vulnerable to a cyberattack. However, due to resource constraints, a lack of technical expertise, and the rapid pace of change in the cybersecurity world, they often feel helpless or ill-prepared to defend themselves against the vast range of cyberthreats they face.

In fact, a survey of more than 4,100 SMB cybersecurity professionals recently conducted by Forrester found that almost two-thirds of small businesses fail to act following a cybersecurity incident. Even when the threat is right at their doorstep, many SMBs don’t know what to do.

The World is Changing for SMBs

There are many factors that contribute to the challenging cybersecurity situation for SMBs. First, digital operations are no longer optional for any company–even if your market is small and local, consumers are increasingly demanding the ability to do all their business online.

SMBs are changing the way they operate in the digital era. For example, a 2018 Cisco survey of SMBs found that the percentage of their networks that are on the cloud increased from 55 percent to 70 percent between 2014 and 2017. While almost 70 percent of SMBs say they’re making this transition for security reasons, an increased reliance on cloud-based services can also open up new vulnerabilities.

Meanwhile, other aspects of the digital transition have proved difficult for SMBs, 56 percent of which say defending mobile devices from cyberattacks is extremely challenging. Ponemon reports that the top three cyberattack vectors cited by SMBs are mobile devices, laptops, and cloud systems.

The Ponemon report also discovered that issues such as a lack of money, out-of-date cybersecurity technologies, and insufficient personnel are all major obstacles cited by SMBs. But the main threat cited in the report is employee negligence, as phishing/social engineering attacks were reported more than any other, while negligent employees or contractors were cited as the top root cause of the data breaches.

How SMBs can Protect Themselves

According to the Forrester survey cited above, just 16 percent of SMBs are very confident in their cybersecurity readiness. Despite the fact that SMBs are increasingly concerned about cybersecurity, Forrester also found that almost half of them don’t have a clearly defined strategy for protecting themselves. This is a common theme in surveys of SMBs. A 2019 Keeper survey found that 60 percent of respondents lack a cyberattack prevention plan. […]

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

4 strategies for balancing cybersecurity and business continuity planning during the coronavirus outbreak

As cybersecurity conferences worldwide cancel events, the impact of the coronavirus (COVID-19) on the industry comes close to home. At least two people who attended the annual RSA cybersecurity conference were officially diagnosed with the virus, with one placed in a medically induced coma. Compounding this industry impact, many companies have started initiating new “work from home” requirements for nonessential employees, including Apple and Google.

While companies brace for the coming changes that COVID-19 seems to be bringing, cybersecurity and compliance professionals find themselves struggling to balance workforce, member and data security. With this in mind, organizations should consider the following business continuity planning and cybersecurity strategies as they create their coronavirus preparedness plans.

What are the current governmental directives regarding COVID-19?

In late February 2020, the Centers for Disease Control (CDC) released its “Interim Guidance for Businesses and Employers.” This reads in part:

Important Considerations for Creating an Infectious Disease Outbreak Response Plan

All employers should be ready to implement strategies to protect their workforce from COVID-19 while ensuring continuity of operations. During a COVID-19 outbreak, all sick employees should stay home and away from the workplace, respiratory etiquette and hand hygiene should be encouraged, and routine cleaning of commonly touched surfaces should be performed regularly.

Employers should:

  • Ensure the plan is flexible and involve your employees in developing and reviewing your plan.
  • Conduct a focused discussion or exercise using your plan, to find out ahead of time whether the plan has gaps or problems that need to be corrected.
  • Share your plan with employees and explain what human resources policies, workplace and leave flexibilities, and pay and benefits will be available to them.

The Occupational Safety and Health Administration (OSHA) and Health and Human Services (HHS) issued a joint guidance of their own which stated, in part:

  • Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others.

Although many companies already allow employees to work remotely, many others require employees to remain on-site when handling sensitive information. Unfortunately, those employees and organizations may not be able to control the required quarantine of sick individuals or may need to work remotely as part of physical distancing requirements for preventing the spread of COVID-19.

This means that companies need to start preparing new business continuity and security models now in order to limit business disruption.

Review your business impact analysis for cybersecurity controls

When people think about business impact analysis (BIA) and cybersecurity, they normally consider the potential impact of an organization’s essential functions being taken down by a malicious actor. While this remains true in terms of business continuity during an outbreak, the risks also shift.

Some considerations to include might be:

  • Availability of critical IT staff
  • Workforce member home wireless security
  • Use of Virtual Private Networks (VPN)
  • Enforcement of encryption processes
  • Managing user access to applications with multi-factor authentication
  • Monitoring user and entity behavior analytics (UEBA)
  • Limiting user access according to the principle of least privilege. […]


ICT in MEA: Increased Government Spending and Novel Strategies to Shape the Future of Innovation

The Middle East & Africa (MEA) region is currently on the verge of immense digital disruption. In the recent past, the cross-border data flow connecting MEA to the rest of the world has increased drastically. The adoption rate of smartphones and the usage of social media have been on an upward swing. Additionally, some Middle East governments have begun to implement core initiatives for digitalization and are making considerable progress. However, there are still some countries where digitalization is not widely explored and businesses and governments are struggling to grow. Although the people of these countries are ready to lead digitally enhanced lives, businesses and governments have not yet fully embraced the digital opportunity.

MEA governments to keep pace with digital transformation in developed markets

Favorable economic policies and legal frameworks are paving the way for IT transformation in MEA. Governments are now exploring the potential of technology to improve industry efficiency, in terms of equipment expense and production costs. Moreover, with visions of a digital future, these governments have adopted unique strategies in the past decade. For instance, Saudi Arabia’s National Transformation Program (NTP) 2020 prioritizes digital transformation, in addition to strengthening private sector partnerships, creating jobs, and maximizing local content. The program identified 29 digital initiatives for key sectors, 5 digital platforms, and a number of national digital assets that will receive further investment to back the government’s IT transformation. Similarly, initiatives by African governments are set to go beyond e-government, fintech, and increased investment in the IT sector. The ongoing revolution in other parts of the world further calls for governments in the region to prioritize pragmatism over complexity and to implement these strategies rapidly.

Dubai to become global innovation and technology hub

Dubai is considered the heart of the Middle East & Africa’s ICT vertical. It is emerging as the regional base for the world’s most renowned international tech brands, such as Oracle, Microsoft, Facebook, Google, and LinkedIn. ICT companies based in Dubai are well positioned to capitalize on large-scale operations, as government spending on ICT development in MEA is expected to grow exponentially in the near future. Moreover, EXPO 2020 Dubai and UAE Vision 2021 are driving ICT demand with an intent to leverage emerging technologies for delivering better results. As a result, regional enterprises are investing in digital transformation to enhance customer experience and work efficiency.

Penetration of ICT in Africa soars rapidly; Governments set to drive digital economy

Recent technical innovations in telecommunications in developed regions across the world have drastically reduced the cost of mobile phones and made it easier to connect to the internet from anywhere, and Africa is no exception. Growing access to the internet and related technologies is contributing massively to the overall economic development of the region. Currently, many international undersea network cables are in place on the eastern and western coasts of Africa, and these are expected to strengthen the connection with other parts of the continent in the future. Furthermore, technological solutions are also being devised to resolve agricultural challenges. Farmers are now adopting agriculture applications that use artificial intelligence and image recognition to identify and suggest solutions for all kinds of crop diseases on their farms. […]