Engaging Young Women and Girls in STEM to Bridge the Cybersecurity Job Gap

As digital technologies proliferate, cybersecurity’s importance will only increase: the more devices and digital systems we deploy, the greater the need for security to keep pace.

This increased need for cybersecurity translates directly into a need for cybersecurity professionals; numerous reports over the past few years have warned that millions of positions will need to be filled in the near future.

To more effectively bridge the cybersecurity job gap, we should look towards a particularly underrepresented group in STEM – young women and girls.

The Cybersecurity Pros of Tomorrow

Today’s youth are the most digitally native generation in history. Despite this, younger users are among the most vulnerable: they tend to share more about themselves with strangers than older users do, which makes them prime targets for criminals looking for someone to exploit.

Engaging young women and girls in cybersecurity-focused disciplines addresses this problem directly, by educating them so they can protect themselves, and it also offers a chance to draw on their experiences and perspectives to understand the scenarios criminals are exploiting. That diversity of thought helps deter bad actors: it lets defenders anticipate their behavior, and it puts people who have had relevant first-hand experience with bad actors in positions to protect others from future attacks.

Beyond this, young women and girls are drawn predominantly to disciplines that help people and society.

By educating this demographic on how cyberattacks can cause harm, educators will be able to more effectively encourage young women and girls to envision themselves as protectors and enlist them to become cybersecurity superheroes.

By seeing the immediate impact they and their peers can have on the world and on other people by using security technology, more young women and girls will want to pursue careers in these areas; in turn, having had positive experiences in the field, they can become advocates for further diversity and inclusion in STEM.

The Keys to Engagement

To better engage young women and girls in STEM to bridge the job gap in cybersecurity, educators should utilize the following strategies:

  • Find new and unique ways of connecting students to the larger societal issues they care about. More specifically, make a concerted effort to continuously stress the impact young women and girls can have on issues they are personally invested in by using and developing security-focused technologies.
  • Explore topics from students’ perspectives rather than introducing problems from a theoretical, bottom-up approach, which can be confusing. This lets educators engage students better, resulting in a deeper understanding of technological concepts that might otherwise be hard to grasp.

Meet Heather K. Margolis: Cloud Expert of the Month – March 2020

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

Our March Cloud Expert of the Month is Heather K. Margolis.

Margolis is Founder and CEO of Spark Your Channel, creators of the Spark Your Channel through-channel marketing automation platform, and Founder and Chairperson of Channel Maven Consulting, a strategic channel marketing agency.

A self-proclaimed “recovering channel professional,” Margolis is passionate about enabling vendors to drive sales through their channel partners. She spent several years in channel programs and marketing for big-brand tech companies like EMC, EqualLogic and Dell before forming Channel Maven Consulting in March of 2009 to provide strategic channel marketing “to” and demand generation “with” IT and telecom channel organizations of all sizes.

Margolis has a master’s degree in business administration from Babson College in Wellesley, Mass. She grew up in Massachusetts and now lives in Boulder, Colo., with her husband and fellow entrepreneur Simeon, their two daughters and dog Zoe.

When did you join Cloud Girls and why?
I joined Cloud Girls in 2017 when I heard about the amazing group of women and the initiatives around mentorship and philanthropic goals.

What do you value about being a member of Cloud Girls?
I’m really thrilled with what I’ve learned and what we’ve accomplished as a group. The philanthropic aspect is incredibly important to me.

What is the biggest risk that you’ve taken?
Last year I saw a need in the market, did a ton of due diligence and then made a huge leap. I put my savings into it, took money from friends, colleagues and investors and started www.sparkyourchannel.com. Spark is a through-channel marketing automation tool that does things totally differently. No email, video/webinar/podcast personalization, and AI that delivers personalized content to the Partners on a set cadence.

What’s your favorite inspirational quote?
Quality isn’t job one, being totally F&$^)$g amazing is job one…

With Enhanced Facial Recognition Technology Protections, the New Washington Privacy Act Would Be the Strongest U.S. Privacy Bill

As the United States federal government continues the slow process of hashing out a viable national privacy bill, state governments are creating and passing their own legislation. The state of Washington is close to passing one such bill, the Washington Privacy Act. This new bill is noteworthy for the strength of its terms, which compare favorably to the California Consumer Privacy Act (CCPA). The Washington Privacy Act goes farther in certain areas, however: the ability to control personal data, opt-out rights, and a requirement of explicit consent for the use of facial recognition technology.

How does the Washington privacy act stack up?

A side-by-side analysis provided by the Future of Privacy Forum compares the Washington Privacy Act’s terms to both the CCPA and the European Union’s General Data Protection Regulation (GDPR). Though the protections are not at the same overall level of the GDPR’s terms, the bill is a step forward relative to the CCPA in a number of areas.

One of the main highlights is the way in which the Washington Privacy Act handles facial recognition technology. The bill has provisions directly addressing biometric facial recognition data, something that the CCPA entirely lacks and the GDPR only addresses through indirect measures. The key feature is a requirement of explicit, opt-in consent in order for private companies to collect and use facial recognition data. Businesses that collect such data would also be subject to special handling rules and would be subject to third-party auditing.

The terms of the Washington Privacy Act are limited to non-government entities that conduct business in the state. This definition would include non-profit agencies, a group that is not subject to the CCPA’s terms. As with the CCPA, the Washington Privacy Act has revenue and customer count cutoffs that would make it applicable only to medium-to-large businesses. The bill applies to companies with information on over 100,000 consumers in any given year, or those with information on at least 25,000 consumers that derive over 50% of their annual revenue from the sale of personal data.

The bill also improves consumer visibility and access to data. The CCPA includes rights to access, delete and port data from one service to another; the Washington Privacy Act adds the right to make corrections. Washington residents would also have stronger opt-in and opt-out rights with any company that processes personal data: the ability to fully opt out of targeted advertising and profiling, and opt-in requirements covering the collection of sensitive categories of personal information.

Other provisions unique to the Washington Privacy Act (among extant examples of US state law) include a category of “high risk activities” (e.g. medical and financial data) that would trigger a special assessment, data minimization and purpose limitation requirements, and a duty to avoid secondary use.

Will the bill pass?

The bill has cleared the first step in the state legislature, passing out of the Senate Ways & Means Committee. It now goes before the state Senate and House.

The Senate is favorable to the bill, but there is some question as to its ability to clear the House given that a very similar bill suffered a narrow defeat last year. The resistance in 2019 mostly came from privacy rights groups, such as the state’s branch of the ACLU; the stronger terms in the more recent bill are in no small part due to those concerns. One of the main issues expressed by these groups was a lack of provision for regulating facial recognition technology, something that lawmakers went out of their way to address in this second attempt. The bill would thus appear to have a good chance of passing this time.

The importance of facial recognition technology regulation

The Washington Privacy Act dovetails with a broader movement to limit the implementation of facial recognition technology in public places in the US.

At the federal level, the House Oversight and Reform Committee announced that it is working on facial recognition technology regulations that will debut in coming months. There is considerable bipartisan support for these sorts of regulations after a series of hearings in 2019 established the potential dangers of letting both the private sector and law enforcement agencies have a free hand with the technology. This follows an announcement by the EU that there may be a five-year moratorium on the deployment of facial recognition technology by any government agency while safety measures are studied and implemented.

Connecting To Secure Wireless Networks In Windows 10

Introduction

Though they offer undeniable benefits of mobility, cost and convenience, wireless networks are less desirable from a security perspective: anything sent over the air can be received by anyone in range, so the only barrier between an eavesdropper and your traffic is the encryption the network applies.

Unsecured or “open” wireless networks, like those found in cafes and airports, give attackers an easy launching pad. On such a network the link carries no encryption at all, so a nearby attacker can capture traffic passively, inject malware into unencrypted downloads, or impersonate the access point and place themselves in the middle of every connection.

Given a choice, restrict Windows 10 devices to secured wireless networks. Such networks use a wireless security protocol both to encrypt the link and, more importantly, to restrict access to the people and devices that hold the right credentials.

Different types of wireless security protocols

There are four generations of wireless security protocol: WEP, WPA, WPA2 and WPA3. WEP came with the original IEEE 802.11 standard; the three WPA generations are incremental upgrades certified by the Wi-Fi Alliance, a progression spanning roughly 22 years.

Though primitive wireless data networks date back to the 1970s, Wi-Fi as we know it (the IEEE 802.11 standard) first appeared in 1997, and the earliest Wi-Fi security protocol, WEP, was part of that original standard.

WEP — Wired Equivalent Privacy

As the first generation of wireless security, WEP has been considered broken for almost two decades. The fault was less the RC4 cipher itself than the way WEP used it: a 24-bit initialization vector that repeats within hours on a busy network, one static key shared by every client, and a CRC-32 integrity check that cannot detect deliberate tampering. Freely available tools such as AirSnort and Aircrack-ng recover a WEP key from a modest capture of traffic; Kismet is the sniffer typically used to find and record the networks in the first place.

When it comes to WEP and Windows 10, the protocol is deprecated: Windows 10 will still join a WEP network, but it warns that the network uses an older security standard that is being phased out, and the option survives only for legacy equipment. You can still choose WEP when creating a new network profile; it is just not recommended under any circumstances.

WPA — Wi-Fi Protected Access

WEP’s weaknesses were in its key handling and in its integrity check, a plain Cyclic Redundancy Check (CRC-32) that an attacker can recompute to match a modified frame. WPA was introduced by the Wi-Fi Alliance in 2003 as an interim fix that could be shipped as a firmware update to existing WEP hardware. In place of WEP’s keying and CRC it used the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet from a 48-bit sequence counter and adds the Michael message integrity code.

TKIP-based WPA was considered more robust because each packet is encrypted under its own derived key and the sequence counter blocks replays, so the statistical attacks that recovered WEP keys no longer apply.

But the system was far from secure, as it still employed the RC4 cipher underneath (a constraint of running on WEP-era hardware), and Michael itself later proved attackable. WPA served largely as a stopgap while the Wi-Fi Alliance finished a stronger standard. It was superseded by WPA2, based on IEEE 802.11i, which was certified in 2004 and became mandatory for Wi-Fi certified devices in 2006.

WPA2 — AES

Until the announcement of WPA3 in 2018, WPA2 was the strongest form of wireless security available. Two things set it apart from its predecessor: mandatory support for the Advanced Encryption Standard (AES) and the replacement of TKIP with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based mode that provides both confidentiality and integrity for every frame.

CCMP itself holds up well, but WPA2-Personal remains exposed to offline guessing: once an attacker captures a network’s four-way handshake (or a PMKID from the access point), every candidate passphrase can be tested offline without touching the network again. Precomputed tables help only per network name, because the pairwise master key is derived from the passphrase and the SSID together (PBKDF2-HMAC-SHA1 with 4,096 iterations), so the real risk is a weak passphrase, not the cipher. The 2017 KRACK key-reinstallation attacks also showed that the handshake implementation itself needs patching, which is one reason to keep Windows and Wi-Fi drivers current.

Both WPA and WPA2 come in two authentication variants: Personal, for home and small-office use, and Enterprise, for organizations. Personal uses one pre-shared passphrase that every client knows, so anyone holding it can decrypt other clients’ traffic and the key must be rotated whenever someone leaves. Enterprise uses IEEE 802.1X: each user or device authenticates with its own credential or certificate (EAP) against a RADIUS server, and each session receives its own encryption keys.

Connecting to a WPA or WPA2 network is straightforward in Windows 10. The system lists the wireless networks in range; select the network and provide the security key (Wi-Fi password) when prompted. For an Enterprise network Windows prompts for a username and password or uses the device’s certificate instead.

To check the protocol of the network you are on, click the Wi-Fi icon in the taskbar notification area, open Properties for the connected network and read the Security type field (Settings > Network & Internet > Wi-Fi shows the same page). From a command prompt, netsh wlan show interfaces prints the Authentication and Cipher of the active connection.
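The same check, scripted: the following PowerShell is an added example written for this page, not code from the original article. It reads the output of the built-in netsh wlan commands to report the Authentication and Cipher of the live connection and of every saved profile, and rates each one against the protocols described above. It assumes an English-language Windows 10, because it matches netsh’s English field labels; no network names in it are real.

```powershell
# Added example, not code from the original article: audit every saved Wi-Fi
# profile on this Windows 10 machine, plus the live connection, and flag the
# protocols the article warns about (Open, WEP, WPA1, TKIP). It parses the
# output of the built-in "netsh wlan" commands and assumes an English-language
# Windows, because the field labels it matches are netsh's English ones.

function Get-NetshField {
    # Return the value after "<Label> : " from a block of netsh output, or ''.
    param([string[]]$Lines, [string]$Label)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Label\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return ''
}

function Get-WlanSecurityVerdict {
    # Map netsh's Authentication/Cipher pair to a verdict. Order matters: netsh
    # reports a WEP network as Authentication "Open" with Cipher "WEP".
    param([string]$Authentication, [string]$Cipher)
    if ($Cipher -match '^WEP')           { return 'INSECURE: WEP, key recoverable from captured traffic' }
    if ($Authentication -match '^Open$') { return 'INSECURE: open network, no encryption at all' }
    if ($Authentication -match '^WPA-')  { return 'WEAK: WPA1 (RC4/TKIP), move to WPA2 or WPA3' }
    if ($Cipher -match 'TKIP')           { return 'WEAK: TKIP cipher, use AES/CCMP only' }
    if ($Authentication -match '^WPA3')  { return 'OK: WPA3' }
    if ($Authentication -match '^WPA2')  { return "OK: WPA2 with $Cipher" }
    return 'UNKNOWN: review manually'
}

function Get-WlanProfileReport {
    # "netsh wlan show profiles" prints one "All User Profile : <name>" line per profile.
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile "name=$name"
        $auth   = Get-NetshField -Lines $detail -Label 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Label 'Cipher'
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Verdict        = Get-WlanSecurityVerdict -Authentication $auth -Cipher $cipher
        }
    }
}

function Get-WlanCurrentConnection {
    # The same check for whatever network the adapter is on right now; this is
    # the scripted equivalent of reading "Security type" in the Properties page.
    $iface  = netsh wlan show interfaces
    $auth   = Get-NetshField -Lines $iface -Label 'Authentication'
    $cipher = Get-NetshField -Lines $iface -Label 'Cipher'
    [pscustomobject]@{
        SSID           = Get-NetshField -Lines $iface -Label 'SSID'
        Authentication = $auth
        Cipher         = $cipher
        Verdict        = Get-WlanSecurityVerdict -Authentication $auth -Cipher $cipher
    }
}

Get-WlanCurrentConnection
Get-WlanProfileReport | Sort-Object Verdict | Format-Table -AutoSize
```

Anything reported as INSECURE or WEAK is a profile Windows will auto-join when the SSID is in range, so the practical follow-up is netsh wlan delete profile for each one rather than just noting it.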

WPA3 — The future

The next generation of wireless security has yet to reach widespread deployment. Its aim is to stop a network’s security from resting entirely on a user-chosen password, as it does in WPA2-Personal: the standard allows a passphrase of 8 to 63 characters, and anything short of a long, high-entropy one can be guessed offline from a single captured handshake.

WPA3 replaces the pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange. Each password guess now requires a live exchange with the access point, so captured handshakes and precomputed tables are useless and the access point can throttle the guesses it sees.

SAE also provides forward secrecy: even if the passphrase is compromised later, traffic captured earlier cannot be decrypted. Alongside WPA3 the Wi-Fi Alliance introduced Enhanced Open (Opportunistic Wireless Encryption), which encrypts traffic on public networks without any password; it blocks passive eavesdropping, though it does not authenticate the access point, so a rogue hotspot remains possible.

Different ways to connect to secure wireless networks

In Windows 10, users have multiple choices when it comes to connecting their PCs to a nearby secure Wi-Fi network. At least four options exist, with varying levels of convenience and complexity. They include:

Taskbar

The most straightforward option is the taskbar. The Wi-Fi icon sits in the notification area at the right end of the taskbar; clicking it lists the available networks. Select the network, click Connect and provide the authentication key when prompted. If Windows warns that the network uses an older security standard, or the entry is marked Open, treat the connection as untrusted.

Settings

Another option is the Network & Internet page in Settings. Head to the Wi-Fi section, select “Manage known networks” and then “Add a new network.” Provide the network name, select the matching security type (WPA2-Personal with AES, or WPA3-Personal where available), enter the security key (Wi-Fi password) and save; Windows connects when the network is in range.
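The same procedure as a script, for machines you provision without touching the GUI: this PowerShell is an added example for this page, not code from the original article. It builds a WLAN profile XML pinned to WPA2-Personal with AES, imports it with netsh and connects. The SSID in the usage line is a placeholder and the passphrase is read at the prompt; the profile-schema element names and the netsh syntax are Windows’ own.

```powershell
# Added example, not code from the original article: the scripted equivalent of
# Settings > Network & Internet > Wi-Fi > Manage known networks > Add a new network.
# It writes a WLAN profile pinned to WPA2-Personal with AES (CCMP), so Windows
# will not silently accept TKIP or WEP for this SSID, imports it with netsh and
# connects. The SSID used at the bottom is a placeholder, not a real network.

function New-WpaProfileXml {
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][string]$Passphrase,
        [switch]$Hidden   # only for a non-broadcast SSID; see the note below
    )
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'A WPA2-Personal passphrase must be 8 to 63 characters'
    }
    # The profile schema takes the SSID both as text and as hex of its UTF-8 bytes.
    $hex = ([System.Text.Encoding]::UTF8.GetBytes($Ssid) | ForEach-Object { $_.ToString('X2') }) -join ''
    $ssidXml = [System.Security.SecurityElement]::Escape($Ssid)
    $keyXml  = [System.Security.SecurityElement]::Escape($Passphrase)
    $nonBroadcast = if ($Hidden) { 'true' } else { 'false' }
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ssidXml</name>
  <SSIDConfig>
    <SSID>
      <hex>$hex</hex>
      <name>$ssidXml</name>
    </SSID>
    <nonBroadcast>$nonBroadcast</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$keyXml</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
}

function Connect-WpaNetwork {
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][string]$Passphrase,
        [switch]$Hidden
    )
    $tmp = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid().ToString() + '.xml')
    try {
        New-WpaProfileXml -Ssid $Ssid -Passphrase $Passphrase -Hidden:$Hidden |
            Set-Content -Path $tmp -Encoding UTF8
        # user=current stores the profile for this user only, not for every account on the PC.
        netsh wlan add profile "filename=$tmp" user=current | Out-Null
        netsh wlan connect "name=$Ssid" | Out-Null
    }
    finally {
        # The temporary file holds the passphrase in clear text (protected=false);
        # Windows encrypts its own stored copy, so remove the file immediately.
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 5
    # Confirm what was actually negotiated, not just that a connection exists.
    netsh wlan show interfaces | Select-String 'State|SSID|Authentication|Cipher'
}

# Usage. Read-Host keeps the passphrase out of the command history and the script.
$secure = Read-Host -Prompt 'Wi-Fi passphrase' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Connect-WpaNetwork -Ssid 'ExampleCorpWiFi' -Passphrase $plain
```

Leave -Hidden off unless the SSID really is non-broadcast: a client configured for a hidden network probes for that name wherever it goes, which leaks the name to anyone listening. An Enterprise (802.1X) network needs a different profile, with useOneX set to true and an EAP configuration in place of the sharedKey element; this block covers only the Personal case the section describes.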

Don’t Just Rely On Data Privacy Laws to Protect Information

Data privacy laws are evolving to allow individuals the opportunity to understand the types of data that companies are collecting about them and to provide ways to access or delete the data. The goals of data privacy law are to give some control of the data back to the individual, and to provide a transparent view on the collecting and safeguarding of that data.

Prior to the GDPR and CCPA, it was difficult to understand what was being collected and how it was being used. Was the website selling your information to other companies? Who knows, but chances are they were. We’ve all heard the line: “If it’s free, then you’re the product.” Also, paying for a service is no guarantee that your information is not being sold. Data privacy laws attempt to address these problems by requiring companies to obtain affirmative consent from individuals, explain what is being collected and define the purpose for its use.

This all sounds great and is a step in the right direction, but there are a lot of challenges for both individuals and companies. Various polls put the number of password protected accounts per person anywhere from 25 to 90. It would take a very concerned person to understand and track their personal information across these accounts. Companies need to understand the various data privacy laws that apply and develop internal frameworks to comply and protect the data. Even if both parties are playing fair, this is a difficult challenge.

For US-based companies, here is a non-exhaustive list of data privacy regulations that may apply:

  • US Privacy Act of 1974 – Applies to federal government agencies but provides a good foundation for companies to follow.
  • HIPAA (Health Insurance Portability and Accountability Act) – Created to protect health information.
  • COPPA (Children’s Online Privacy Protection Act) – Created to protect information on children under 13.
  • GLBA (The Gramm-Leach-Bliley Act) – Requires financial institutions to document what information is shared and how it is protected.
  • CCPA (California Consumer Privacy Act) – In effect January 2020 to protect the information of California residents.
  • GDPR (General Data Protection Regulation) – An EU law with global reach.
  • State laws – Each state may have its own privacy laws with slight variations.

On top of that, data privacy laws can be interpreted in different ways, overlap and even contradict each other. Like security frameworks and controls, privacy laws should be viewed as the minimum baseline for protecting personal data. Individuals and companies should take a commonsense approach to data protection to fill the gaps in the laws: understand what data is being collected, what its purpose is and whether it is necessary to have at all. The best way to protect data is not to have it. If it does not exist, it cannot be lost, and what remains is a smaller set of residual data on which to focus safeguards.

Here are some best practices on what firms as well as individuals can do to safeguard privacy.

  • If you collect it, protect it. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access. Reduce the data collected to only what is needed to provide the service. Use role-based access control (RBAC) to limit who can reach the data. Always encrypt the data at rest and in transit. Create a robust backup strategy and test it to ensure the integrity and availability of the data.
  • Be open and honest about how you collect, use and share personal information. Think about how individuals expect their data to be used, and design settings that protect their information by default. Explain what is being collected, in plain language, and why it is needed. Let individuals opt in to providing information and view what is currently stored about them.
  • Build trust by doing what you say you will do. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain it. This should be done with a public privacy policy that is easy to access and understand, kept up to date as privacy laws and internal procedures evolve.

Brace Yourself for the New Intelligence of Things Revolution

Steve Koenig, Vice President of Research at the Consumer Technology Association (CTA), announced an emerging trend in consumer technology that he calls the Intelligence of Things. He made the remarks during the Consumer Electronics Show (CES 2020) in Las Vegas.

These are smart devices that anticipate human needs, and they sit at the core of smart-city infrastructure. Koenig said the Internet of Things (IoT) label will be out of fashion in 2020, giving way to the Intelligence of Things. The technology results from injecting artificial intelligence into connected devices, enabling them to act autonomously.

Proof of concept for Intelligence of Things

The connected-intelligence concept is already applied in various fields. In agriculture, farmers use drones to identify crops suffering from disease and to monitor water usage by spotting areas that need watering; once identified, automated irrigation systems can target those areas on their own. Farmers are also using automated harvesters to collect produce. The use of Intelligence of Things technology in agriculture therefore leads to higher yields and lower costs, and the data from these devices is used to predict conditions such as weather and disease outbreaks.

Another example is the Japanese company Groove X which has developed the Lovot companionship robot that can recognize its owner’s need for cuddles through facial recognition. Similarly, the French cosmetic company L’Oreal has its AI-powered Perso that can create customized makeup formulas for the users.

Deployment of the new IoT

Various companies are experimenting with the Intelligence of Things in fields such as transportation, health and robotics. Once testing succeeds and the technology matures, the market will be awash with such solutions, making them a crucial part of life for urban communities, which are expected to hold more than 60% of the world’s population. Commercial deployments will be particularly common in autonomous transportation around cities; Ford, for example, has already announced plans to deploy an autonomous fleet by 2021.

Artificial intelligence and 5G

Artificial intelligence and 5G will be the foundation of the Intelligence of Things. Unlike 4G, whose growth was driven by consumer demand, 5G growth will be powered by enterprise demand. Innovations resembling those from science-fiction films will be possible in the near future, and companies are already building 5G networks in parallel with their 4G networks in preparation for the transition.

5G will form the core of any usable new IoT platform because of the massive amounts of data transfer involved. For example, streaming a virtual reality scenario during a remote surgery session requires the transmission of massive amounts of data. Success in 5G capability will, therefore, spur the success in other areas of IoT technology.

Categories of Intelligence of Things

The new IoT, the Intelligence of Things, falls into two categories: Massive IoT and Critical IoT. Massive IoT connects very many devices and endpoints, each carrying little data. Critical IoT connects fewer devices but moves massive amounts of data. Because the defining factor in the Intelligence of Things is data, the latter will find many commercial applications in critical areas such as remote surgery, industrial robotics and virtual reality.

Emerging tech trends

AI will become embedded in almost everything, creating an “AI in everything” scenario. The Intelligence of Things will inspire devices such as smart ovens that prepare food correctly and robotic companions that detect their users’ moods.

Augmented Reality (AR), Virtual Reality (VR) and Cross Reality (XR) will be other trends to watch in the connected-intelligence revolution. Most AR devices are now capable of providing room-scale experiences.

Low-Code Player Grabs RPA for Automation

Low-code platform vendor Appian is looking to provide a single platform for automation, AI and low code with a new RPA acquisition.

The year 2019 marked a big one for consolidation among data, analytics, and related vendor companies as the industry reorganized for the cloud and big vendors staked their competitive positions. Now in early 2020, an acquisition in an adjacent technology may be signaling further changes ahead for another hot technology in the enterprise.

Low-code development platform vendor Appian has acquired startup Novayre Solutions SL, developer of the Jidoka robotic process automation platform. In announcing the deal, Appian said that it now makes the company a “one-stop shop for automation, with best-in-class solutions for workflow, AI, and RPA.”

That’s something that many vendors and enterprise companies are pursuing. RPA and artificial intelligence are technologies that organizations often will want to put together to automate tedious repetitive tasks. Indeed, analyst firm Gartner named hyperautomation as one of the top 10 strategic technology trends for 2020, saying that the No. 1 use case for artificial intelligence is automation. Putting AI together with RPA can streamline operations and make organizations more efficient. It’s another step toward achieving the digital transformation that all organizations are pursuing.

Appian’s plans for the acquisition are very much along these lines. The company said that it plans to unify low-code development and RPA into one comprehensive automation platform that enables “the orchestration of all three agents of modern work — humans, bots, and artificial intelligence.”

But the acquisition won’t exclude technologies from other RPA vendors. Appian said the platform will deliver RPA governance for the enterprise, enabling management of robotic workforces from the major RPA vendors, including Blue Prism and UiPath. That includes monitoring, scheduling and reporting. The service will be available on the Appian cloud.

“Appian’s goal is to be a one-stop shop for Digital Process Automation (DPA) and RPA, and to build out a more complete Intelligent Automation (IA) platform, an increasing need, as enterprises begin to scale automation initiatives,” wrote Forrester principal analyst and VP Craig Le Clair in a blog post.

Forrester defines digital process automation as dealing more with larger processes while RPA deals more with single tasks.

“RPA remains at the very center of many of these,” Le Clair wrote. “Appian is less likely to go head to head with the top RPA platforms but will look first to add RPA to their existing customers or find opportunities where DPA and RPA are both valuable.”

Le Clair also noted that for Appian, this is a technology acquisition. Jidoka’s architecture is Java-based and runs on Linux, plus it is containerized and cloud-native.

The History of Security and the Fight to Protect Ourselves

While almost everyone in modern industry has heard and thought about cyberattacks, breaches, data compromises and defenses, cyber warfare pre-dates the modern computing era. As far back as 1976, when I started my first job in astrodynamics working on Air Force satellites, security was an important consideration, decades before the Internet and our powerful computing devices.

By Michael Miora, SVP & CISO, Korn Ferry

The security story I want to share begins in the late 1970s. As a young UC Berkeley graduate, my attention was on mathematics and getting a job! I never imagined that I would focus on security for the next few decades. I never envisioned myself as a critical decision maker, whose actions would affect the course and success of a multi-billion-dollar, global enterprise.

Understanding this security story will help us all be better at identifying what needs to be protected and how we need to define and design our protections.

With a background in mathematics, I opted to study Satellite Orbit Calculation and Manipulation during my first job. However, my attention was quickly captured by the need to protect the information assets of the 70s against our adversary, the then-Soviet Union.

Today, it is obvious that we need to encrypt the large amount of data coming from satellites and going to ground-based receivers. In the 1970s though, such encryption and protection was beyond the capabilities of the small and low-powered satellite computers. Therefore, we needed to solve this problem using innovations that would use the capabilities we had at our disposal.

Scientists in the early satellite industry designed a process of commutation and de-commutation of telemetry: many measurements were time-multiplexed into a single downlink stream, and only the receiving equipment knew which bit position carried which measurement. This was an accidental security design. The frame layout was a de facto secret required to make sense of the data.

The Major Transformation

In November 1988, we experienced the first major, though ostensibly unintentional, attack on the ARPANET, the predecessor to the Internet. It was the Morris Worm, which exploited known weaknesses very similar to those that still plague us today, including weak passwords, lack of filtering, and trusting outside networks without controls.

At the time, I was working for a major defense contractor that was affected by this worm. We formed a rudimentary team to study the attack and plan how to respond to the future attacks we already knew were going to come. Today, we call this a Security Incident Response Plan!

By the end of the eighties, I gathered all the experiences that I gained from my satellite and defense work to launch InfoSec Labs, one of the pioneering security consulting firms that focused on helping major financial, healthcare, and manufacturing companies protect themselves. I thereby entered an environment where my advice needed to be presented and then sold to clients as reasonable and justifiable actions. We all know how difficult it is to convince top management to spend money on intangible rewards and returns. It was challenging but rewarding to provide advice, help implement that advice, and then witness the result.

We built InfoSec Labs from the ground up without external funding because the Venture Capital firms had not yet fully grasped the importance of security or the role it would play in the coming years.

The Holy Grail: Anti-Virus

“I Love You!” Sound familiar? Anyone using email in 2000 probably remembers the impact of this worm. It was one of the first wildly successful mass-mailing attacks in the history of computing, with far-reaching effects that dwarfed the Morris Worm. It arrived as an attachment that looked like a text file but was a Visual Basic Script; opened, it ran with the full trust of the user, overwrote files and mailed itself to every contact in the Outlook address book. It was not the first attack to ride on trusted application scripting (the Melissa macro virus had hit Word and Outlook users a year earlier), but it embodied all the “features” of modern malware: social engineering, abuse of trusted software and self-propagation.

It was at this time that I was approached by some well-established security companies. The reputation of my company and my team attracted their attention, and my firm eventually was acquired by Rainbow Technologies, a major, publicly traded security company.

There were already anti-virus programs and systems available, but this helped spur quicker and more widespread implementation of these protections across industries and companies worldwide. The evolution of anti-virus quickened and increased in its sophistication. So did the attackers.

Over the following years there were many and varied attacks, ever increasing in sophistication. Even last year, in 2018, we saw new forms of attack that recognized the improving protections and worked to circumvent them. Some used normal-looking software that launched and then encrypted systems (ransomware). Others were "fileless", running in memory and abusing legitimate system tools rather than dropping executables, so that file-based scanning had nothing to inspect; still others used other advanced techniques.

Today the original anti-virus has evolved into anti-malware and Endpoint Detection and Response (EDR), with a sophistication unimaginable even a few years ago and telemetry stores of endpoint data and interactions measured in terabytes. Cloud strategies, along with global regulations and compliance requirements, have made us smarter and caused us to work harder. We all know that compliance does not drive security, but smart security achieves compliance and protects us against the attackers.

Are We There Yet?

In 2017 and 2018, voter-registration records covering essentially every U.S. voter, and Hong Kong's entire electoral roll, were exposed. Over the same two years the credentials and credit information of the large majority of U.S. adults leaked (one 2018 breach alone exposed roughly 300 million records). In the EU, PSD2 and the European Banking Authority's incident-reporting guidelines require banks and payment providers to report major security incidents to their regulators without delay. A quarter of all Australian companies reported a compromise last year.

The attackers work just as hard as we do, sometimes with significantly greater flexibility and resources. Often those resources are provided by nation states, which also shield the attackers from capture and prosecution. It is our job to coordinate better with each other, to share information and to jointly find newer and better ways to protect ourselves. Let's not be bashful in telling our vendors what we want and in suggesting collaboration and cooperation among competitors and complementary products.

I do that with some success. Though the vendors don’t always follow the advice, their attention shifts to include that thinking.

The Goal of Availability

There is a creative tension between meeting security requirements and achieving business goals. Security is not just technical security; it means working securely and with recognition of required operational security considerations. Business goals require a significant dedication to customer service, translated to keeping systems and applications up and running nearly all the time […]

This article first appeared in CISO MAG (www.cisomag.com).

Legislation Passed to Build National 5G Strategy & Protect US Telecommunications Networks

The U.S. House of Representatives has passed a bipartisan bill that would build a national strategy to protect 5G telecommunications systems in the United States and among U.S. allies.

According to a 2018 North Atlantic Treaty Organization report, Huawei’s growing influence as a leading supplier of 5G technology could be exploited by China to engage in espionage, monitor foreign corporations and governments, and support Chinese military operations. In November 2019, the Federal Communications Commission placed greater restrictions on Huawei and fellow Chinese tech firm ZTE due to widespread security concerns. However, the United States still lacks a comprehensive strategy.

The legislation, led by U.S. Representative Abigail Spanberger, is titled the Secure 5G and Beyond Act. It would require the administration to develop an unclassified national strategy to protect U.S. consumers and assist allies in maximizing the security of their 5G telecommunications systems. The strategy would also identify additional ways to spur research and development by U.S. companies in a way that maintains reliable internet access. Spanberger introduced the bipartisan legislation in May 2019 alongside U.S. Representatives Susan W. Brooks (R-IN-05), Tom O’Halleran (D-AZ-01), Francis Rooney (R-FL-19), Elissa Slotkin (D-MI-08), and Elise Stefanik (R-NY-21).

“The United States needs to be proactive in preventing any vulnerabilities that could be exploited by our adversaries. In our increasingly interconnected world, that means protecting our telecommunications and infrastructure, and those of our allies, from malign foreign interference,” said Rep. Rooney. “Today’s passage of this critical bill, which I was honored to cosponsor, will assist in ensuring the safety, security, and freedom of the United States and in safeguarding our technology infrastructure.”

“I’m proud to help pass this important bill to provide clarity and inter-agency strategy to secure 5th generation and future-generation telecommunications systems and infrastructure across the United States,” said Rep. Stefanik. “Ensuring the United States remains a leading global competitor in both the economy and technology is critical to the future of our nation. This bipartisan legislation requires the President to implement a strategy to secure these systems and maximize their security. I look forward to the bill's implementation, and to protecting the competitiveness of American companies and the privacy of American consumers.”

The legislation passed in the U.S. House is the companion legislation to a bill introduced in the U.S. Senate by U.S. Senators John Cornyn (R-TX) and Richard Burr (R-NC) […]

Cybersecurity Weekly: Colorado BEC scam, CyrusOne ransomware, new California privacy law

A town in Colorado loses over $1 million to BEC scammers. Data center provider CyrusOne suffers a ransomware attack. California adopts the strictest privacy law in the United States. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. California adopts strictest privacy law in U.S.

A new privacy rights bill took effect on January 1, 2020 that governs the way businesses collect and store Californian consumer data. The California Consumer Privacy Act mandates strict requirements for companies to notify consumers about how their data will be used and monetized, along with offering them a hassle-free opt-out process.

2. Starbucks API key exposed online

Developers at Starbucks recently left an API key exposed that could be used by an attacker to access the company’s internal systems. This issue could allow attackers to execute commands on systems, add/remove users and potentially take over the AWS instance. The security researcher who reported the incident to Starbucks was awarded a $4,000 bounty.
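The Starbucks item above is a leaked-credential problem: a key that should never have been in a file anyone else could read. Below is an added example, not code from the digest or from Starbucks, of the kind of pre-commit secrets scan that catches such leaks before they are pushed. It assumes a constructed in-memory "source tree" (SAMPLE_FILES, containing only the publicly documented AWS example key and made-up tokens, none of them real credentials) and two hypothetical detection rules: the AWS access-key-ID prefix, and a generic name/value rule that uses Shannon entropy to suppress placeholders such as long runs of zeros.

```python
"""Secrets scanner: flag credential-like strings in source and config files.

Added example; SAMPLE_FILES and both patterns are constructed for illustration.
"""
import math
import re

# Constructed sample tree. The AKIA... / wJal... pair is the AWS documentation
# example key (public, non-functional); the other values are made up.
SAMPLE_FILES = {
    "app/config.example.yml": (
        "db_host: localhost\n"
        "api_key: REPLACE_ME\n"                      # too short to flag
        "token: \"0000000000000000000000000\"\n"     # long but zero entropy
    ),
    "app/settings.json": (
        '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
        ' "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",\n'
        ' "api_key": "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0"}\n'
    ),
}

# Provider-specific rule: AWS access key IDs are "AKIA" + 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Generic rule: a name containing key/secret/token/password assigned a long
# opaque value. Case-insensitive; tolerates YAML/JSON/env-style quoting.
GENERIC_RE = re.compile(
    r"(?i)([a-z0-9_\-]*(?:key|secret|token|password)[a-z0-9_\-]*)"
    r"['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)


def shannon_entropy(value: str) -> float:
    """Bits per character. Random tokens score ~4 or more; placeholders near 0."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Never echo the full secret into findings, tickets or CI logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str, entropy_threshold: float = 3.0) -> list:
    """Return a list of findings for one file's contents."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        # High-confidence provider pattern first; no entropy check needed.
        for m in AWS_KEY_RE.finditer(line):
            value = m.group(0)
            if value not in seen:
                seen.add(value)
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws-access-key-id",
                                 "name": None, "preview": mask(value)})
        # Generic pattern, filtered by entropy so "0000..." placeholders pass.
        for m in GENERIC_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen or shannon_entropy(value) < entropy_threshold:
                continue
            seen.add(value)
            findings.append({"path": path, "line": lineno,
                             "kind": "generic-high-entropy",
                             "name": name, "preview": mask(value)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping (e.g. the staged files of a commit)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['name']} {f['preview']}")
```

Run over the staged files of a commit as a pre-commit hook or as a CI gate; a non-empty result should fail the build. The entropy threshold is the tuning knob: too low and example placeholders trip it, too high and structured tokens with a fixed prefix slip through, so keep the provider-specific rules in front of the generic one.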

3. Cybercriminals filling up on gas pump transaction scams

Gas stations will become liable for card fraud at their pay-at-the-pump terminals starting in October 2020, when the EMV liability shift for fuel dispensers takes effect. In the meantime, cybercriminals are targeting these stations with a vengeance, according to security researchers, because pay-at-the-pump terminals are among the last PoS systems still accepting magnetic-stripe cards without EMV chip support, which makes skimmed card data immediately usable.

4. Travelex currency exchange suspends services after malware attack

On New Year’s Eve, the U.K.-based currency exchange Travelex was forced to shut down its services as a “precautionary measure” in response to a malware attack. The company is manually processing customer requests while the network stays down during the incident response and recovery process.

5. Xiaomi cameras connected to Google Nest expose video feeds from others

Google temporarily disabled Xiaomi device integrations on its Nest Hub following a security incident with the Chinese camera manufacturer. Several posts on social media over the past week showed users being served still images from other people's security cameras instead of their own. Google advised users to unlink their cameras from their Nest Hub until a patch arrives.

6. Colorado town wires over $1 million to BEC scammers

The Town of Erie, Colorado, recently lost more than $1 million to a business email compromise attack after scammers used an electronic payment-information form on the town's own website to request a change to the payment details on the building contract for a nearby bridge construction project.

7. Maze ransomware sued for publishing victim’s stolen data

The anonymous operators of the Maze ransomware are being sued for illegally accessing a victim's network, stealing data, encrypting computers and publishing the stolen data after the ransom was not paid. Lawyers suggest the suit may be intended to reserve the victim's claim to damages if the government later recovers any funds.

8. Landry’s restaurant chain suffers payment card theft via PoS malware

A malware attack struck point-of-sale systems at the Landry's restaurant chain, allowing cybercriminals to steal customers' payment card information. Because of the end-to-end encryption technology used by the company, attackers were only able to steal payment data "in rare circumstances."