Futurizing IoT Security for Smart Cities

Many view smart cities as the future of urban living, promising to boost the efficiency and effectiveness of city services and the quality of life for residents while helping cities keep pace with growth and the associated pressure on aging infrastructures. To do this, smart cities must weave the Internet of Things (IoT) and interconnected devices into the existing technology infrastructure to bring entire communities online. However, this new wave of energy and excitement also brings new cyber risks that could impact the very existence of smart cities.

Smart cities are fast approaching mainstream, and for good reason: a 2018 United Nations study found that over 55 percent of the world’s population lives in an urban environment, and the top 33 cities all have populations in excess of ten million people. Across these vast urban landscapes, interconnected networks of IoT devices can do much to relieve congestion, reduce environmental impact, improve community health and safety, modernize city services and much more.

As connected devices proliferate, vulnerabilities in one area can extend into numerous other areas. In extreme cases, the consequences of a successful cyberattack could lead to disruption of crucial city services and infrastructure across health care, transportation, law enforcement, power and utilities, and residential services. Such disruptions could potentially lead to loss of life and breakdown of social and economic systems.

Cyber threats multiply

With the proliferation of IoT devices in smart cities, attackers now have countless entry points available to compromise a city’s systems. Making matters worse, many cities have chosen to deploy IoT sensors on top of existing systems. One example is sensors on established gas and water systems that are in turn connected to broader networks for data aggregation and analysis. Unfortunately, these sensors often have minimal security capabilities and little ability to be upgraded over time as vulnerabilities are uncovered.

Another challenge is the lack of generally accepted standards governing the functioning of IoT-enabled devices. Even within the same city, various agencies and departments can select IoT devices from different vendors that use different communications protocols and different security models, and that generate data in different formats. The outcome is that cities face a trade-off between interoperability and security. Fundamentally, every new device added to an IoT ecosystem expands the attack surface and creates a new opportunity for malicious attack.

Integrated components

In addition to multiple layers of devices and sensors at the edge, a smart city also requires a network layer and a central core through which all data, communications and updates can be processed. To ensure success and maintain security across the network, it’s vital that all integrated components within the city’s IoT meet certain baseline requirements. These should include the following:

Scalable — Devices should be paired with other devices for increased functionality and security and should remain open and available for system-wide updates. Scalability also means that older IoT devices can be easily switched out over time with more efficient components.

Compliant — Systems and devices should be compliant with universal standards such as FIPS-2 or AEAD. Even though standards are no panacea, selecting compliant products can improve interoperability and reduce reliance on a single vendor.

Interoperable — Devices must be built to communicate and function with one another, across departments.

Crypto-agile — It must be possible to encrypt, decrypt and authenticate all communications within the IoT quickly, both to avoid availability problems and to respond to threats promptly.

On-premises and cloud — On-premises hardware security modules (HSMs) allow for data storage in tamper-resistant modules at a secure location, while storing data in the cloud allows for ease of access to information across industries. A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. Using both simultaneously, or each for different needs, provides ease of access and secure backups.

In addition to the above considerations, one of the most important steps toward smart city security is a city-wide public key infrastructure (PKI). Multiple systems within the smart city cannot function securely without a PKI, including communication between devices and the authentication of messages in the IoT. Use of a universal standard for PKI compliance provides security and peace of mind for the entire smart city infrastructure.

As the smart city relies on a system of encrypted communications and sensitive data collection through IoT devices, the model should be secured via a PKI foundation of trust. Like the IoT, the use of PKI is vital in all sectors of the smart city, including transportation, environment, and business. PKI can be applied to a wide range of security solutions within the city infrastructure such as access control, device ID and lifecycle management.

Phased deployment

As cities begin to implement a smart infrastructure, they must enforce security requirements across every IoT device in the smart city ecosystem as well as the entire network. To prevent city-wide threats and disruptions, cities should have a comprehensive cybersecurity plan. Such a plan is complex and won’t happen overnight. Instead, most cities will employ a phased approach:

Phase 1, Initialization — As we see happening now, various city stakeholders are creating smart devices and systems that operate independently of one another, each with their own security solutions and standards. The risk is considerable without a central security and PKI model in place, but since the IoT network is often limited, the risk is somewhat moderated.

Phase 2, Connected — As smart IoT applications expand, new programs will be put into place to connect and secure both new and existing systems. A universal model will be defined for secure communication and older, less secure deployments will be updated or replaced.

Phase 3, Integrated — In this final phase, the IoT infrastructure is established city-wide to connect the smart city ecosystem together. With a universal cryptographic security plan in place, the city can begin to fully realize the benefits of smart city technologies while maintaining strong defenses against cyberattack […] Read more »

The Impact of Artificial Intelligence on Cyber Security

There is currently a big debate raging about whether Artificial Intelligence (AI) is a good or bad thing in terms of its impact on human life. With more and more enterprises using AI for their needs, it’s time to analyze the possible impacts of the implementation of AI in the cyber security field.

The positive uses of AI for cyber security

Biometric logins are increasingly being used to create secure logins by scanning fingerprints, retinas, or palm prints. They can be used alone or in conjunction with a password and are already built into most new smartphones. Large companies have been the victims of security breaches which compromised email addresses, personal information, and passwords. Cyber security experts have reiterated on multiple occasions that passwords are extremely vulnerable to cyber attacks, compromising personal information, credit card information, and social security numbers. These are all reasons why biometric logins are a positive AI contribution to cyber security.

AI can also be used to detect threats and other potentially malicious activities. Conventional systems simply cannot keep up with the sheer volume of malware that is created every month, so this is a potential area for AI to step in and address the problem. Cyber security companies are teaching AI systems to detect viruses and malware by using complex algorithms, so that the AI can then run pattern recognition on software. AI systems can be trained to identify even the smallest behaviors of ransomware and malware attacks before they enter the system and then isolate them from that system. They can also use predictive functions that surpass the speed of traditional approaches.

Systems that run on AI unlock potential for natural language processing which collects information automatically by combing through articles, news, and studies on cyber threats. This information can give insight into anomalies, cyber attacks, and prevention strategies. This allows cyber security firms to stay updated on the latest risks and time frames and build responsive strategies to keep organizations protected.

AI systems can also be used in situations of multi-factor authentication to provide access to their users. Different users of a company have different levels of authentication privileges which also depend on the location from which they’re accessing the data. When AI is used, the authentication framework can be a lot more dynamic and real-time and it can modify access privileges based on the network and location of the user. Multi-factor authentication collects user information to understand the behavior of this person and make a determination about the user’s access privileges.

To use AI to its fullest capabilities, it’s important that it’s implemented by the right cyber security firms, ones familiar with how it functions. Whereas in the past malware attacks could occur without leaving any indication of which weakness they exploited, AI can step in to protect cyber security firms and their clients even when multiple skilled attacks are occurring at once.

Drawbacks and limitations of using AI for cyber security

The benefits outlined above are just a fraction of the potential of AI in helping cyber security, but there are also limitations which are preventing AI from becoming a mainstream tool in the field. In order to build and maintain an AI system, companies require an immense amount of resources, including memory, data, and computing power. Additionally, because AI systems are trained on learning data sets, cyber security firms need to obtain many different data sets of malware code, non-malicious code, and anomalies. Obtaining all of these accurate data sets can take a long time and resources that some companies cannot afford.

Another drawback is that hackers can also use AI themselves to test their malware and improve and enhance it to potentially become AI-proof. In fact, AI-proof malware can be extremely destructive, as it can learn from existing AI tools and develop more advanced attacks capable of penetrating traditional cyber security programs or even AI-boosted systems.

Solutions to AI limitations

Knowing these limitations and drawbacks, it’s obvious that AI is a long way from becoming the only cyber security solution. The best approach in the meantime would be to combine traditional techniques with AI tools, so organizations should keep these solutions in mind when developing their cyber security strategy:

  • Employ a cyber security firm with professionals who have experience and skills in many different facets of cyber security.
  • Have your cyber security team test your systems and networks for any potential gaps and fix them immediately.
  • Use filters for URLs to block malicious links that potentially have a virus or malware.
  • Install firewalls and other malware scanners to protect your systems and have these constantly updated to match redesigned malware.
  • Monitor your outgoing traffic and apply exit filters to restrict this type of traffic.
  • Constantly review the latest cyber threats and security protocols to get information about which risks you should be managing first and develop your security protocol accordingly.
  • Perform regular audits of both hardware and software to make sure your systems are healthy and working.

Following these steps can help mitigate many of the risks associated with cyber attacks, but it’s important to know that your organization is still at risk of an attack. Because of this, prevention is not enough and you should also work with your cyber security team to develop a recovery strategy […] Read more »

“Take charge of your own career, and do it passionately,” with Varsha Waishampayan, CEO and Founder of WINGS for Growth.

Apex sat down with Varsha Waishampayan, CEO and Founder of WINGS for Growth, who has tremendous experience on Wall Street building global teams from the ground up and solving problems, and whose passion for promoting women leaders led her here. She shares her experience along with ways that we can all move the needle through mentorship and support.

Q: Is the lack of women in tech really a pipeline problem or is it that companies are not providing the culture to cultivate and promote their women talent? 

A: Lack of women in tech is a similar issue to the lack of women leaders rising to the top in any industry. I do not believe in blaming companies, society or the world alone in general. Times have changed. Many opportunities have opened up for women to do what they want to do. Yes, there is still a lot of work that needs to be done to promote gender equality, but we are heading in the right direction. Now the question is, are women ready when the opportunities arise? Do they have the right support system to rise? I do think companies have to do more work in creating an upward mobility path for all employees wanting to pursue a career in Tech regardless of their gender. In my view, CIOs still don’t have an important seat at the table. WHY?

Q: Does the current conversation about women in tech single women out and leave men out of the solution in your organization? 

A: No conversation should ever single women out. We always need men as our allies and partners in every growth conversation. No questions. Organizations need to create an inclusive culture not just by talking about it, but by doing it. 

Q: What can organizations do to get more women into senior-level and executive positions? Where do you see gaps? 

A: This is a longer conversation, but this is how I will summarize:

  1. First, women have to be ready and willing.
  2. Structured mentoring and coaching programs should be offered to high-potential women feeling stuck in the middle.
  3. Women must create a better support system at home so that they can have work and life balance (work and life integration does not work in my opinion). Organizations must support a flexible work environment even for senior women. They should not have to pick promotion vs. family.
  4. Women have to lift each other to reach the top.
  5. The organizations need to create opportunities for women, and women need to learn how to spot, seize and grab the opportunity when they see it.

Q: What can companies do to address unconscious bias at all levels of the organization? 

A: Train them well and test them over and over again. Create a culture where employees feel empowered, respected and they are not afraid to own their actions.

Q: What advice would you give to a woman considering a career in the tech industry? What do you wish you had known?

A: If tech is your passion, go at it with full force. Doors will open if you want them opened. Perseverance and focus will clear the path. Don’t be afraid to chase opportunities where they exist. The biggest challenge with Technology is continuous education and innovation. Women have a lot more demands on their time. So, I found it challenging to keep up with new technologies while fulfilling my duties as a mom and wife at home. Prioritization and a support system at home are key.

Q: What do you think is the biggest challenge for the next generation of women and how can we be stronger role models for them? 

A: Millennials have everything boomers often lacked – confidence, focus, passion and a great sense of entitlement. They MUST NOT undervalue experiential guidance. We need to be open-minded and flexible. Make room for the next generation to grow. Engage them in the decision-making process. Companies should fire their managers if they do not have a succession plan. 

Q: How is your organization creating programs and training for men to be better advocates for women specifically around support and sponsorship?  

A: WINGS for Growth is a nonprofit; we deliver a formal mentoring and coaching program to women with high potential. Many of our mentors are men, and they are senior executives. We coach them and train them to become great mentors while they are in our program for 10 months. We also have female mentors. Often, they learn from each other’s experience.

Q: How can women better support other women in technology? 

A: Women need to lift other women in any industry not just in Technology. There are plenty to go around, no need to be insecure. Just because we struggled does not mean others should. Progress will be very slow if we keep blaming companies, society, and businesses for gender equality, and we do not do our part. I am doing mine.

Q: It is no secret that many women in the tech industry have felt their gender has affected the way that they are perceived or treated in their role. Have you come across a situation that made you feel that way?

A: I have not, mostly because I focus on what I can control and find a way to navigate through challenges. But I know gender plays a role. If you equip yourself with knowledge, passion and strong drive nothing is impossible. It may take longer but you will feel the progress.  

This is the reason I left corporate America to focus on the solution rather than complaining about the problem. I started a nonprofit called WINGS for Growth. We prepare women for upward mobility through formal mentoring and coaching. We also prepare senior executives to be better mentors. This is a ground level work we must do before we can have any meaningful conversation about Diversity and Inclusion and gender gap. 

Varsha Waishampayan, CEO and Founder, WINGS for Growth

Varsha has decades of management experience on Wall Street. During her career, Varsha has built large global teams from the ground up, led complex problem-solving efforts, and developed meaningful relationships in Fortune 500 companies as well as in large nonprofit organizations. Varsha has worked with several C-level executives in her management-consulting career at PwC. She knows that knowledge, authenticity, and insight are what matter in almost every business, and she has learned and practiced that all her life. Her strong operational background helps her to stay focused on execution and delivery.

Varsha is passionate about creating and promoting women leaders. She has worked for and led nonprofits that focus on girls’ education. She is a teacher at heart and has seen her father change people’s lives from good to great by being a teacher all his life. Before stepping into financial services, Varsha was a professor of Chemistry in her previous life. She taught graduate-level courses.

Her fascination with leadership development in women was kindled by being a participant in the corporate-run “Developing talent program” focused on women’s development. Varsha had a chance to observe, participate in and understand the dynamics of what worked and what could be made better in workplace mentoring. At this point, she recognized she was drawn to constantly mentoring women around her and that she could make a difference with her approach.

This led to a discovery and then new beginning of her purposeful journey. Varsha left her long successful career in corporate America and founded WINGS for Growth to pursue her father’s vision in a purposeful journey. WINGS for Growth is a non-profit organization, which empowers women to unleash their inner leader and accelerate their personal and professional growth.

Music is Varsha’s muse. She is rejuvenated by music and equally loves being energized by a day at the spa. Nature in its selfless giving inspires her every day. She is ever grateful to have a wonderful family and thankful that she followed her father’s best advice “There is never a bad time to do good, it is a matter of priorities”. She lives in Bridgewater, NJ with her husband and enjoys the natural bounty of her surroundings. 

Managed Services and Risk: Mitigation or Inherent Acceptance?

With the evolution of cybersecurity over the last decade, it’s easy to forget what security is: the art of dealing with risk. The flood of funding into the space has created a host of marketing buzzwords that pollute the board room and pull attention away from the “why?” of security. What is the reason cybersecurity exists? What is the problem we’re trying to solve?

Control-based vs risk-based

The conversation around security has shifted, and not for the better. Historically, security teams built programs around assessing risk and deciding how best to deal with it. However, today’s world of endless frameworks focuses more on technologies and less on the risks they’re implemented to address. This controls-oriented program development has led to the emergence of security leadership that hesitates at the mention of a “risk register”. This isn’t to say that risk isn’t considered, but rather that it isn’t properly enumerated at a level that gives the security team flexibility in addressing it.

Security frameworks like NIST, SANS, ISO, etc. are great lists of controls to consider for a security program but are built with a one-size-fits-all approach. By starting with a comprehensive audit, and developing controls that mitigate specific threats, many organizations can move to an acceptable risk posture without many of the “checkbox” controls contained in most frameworks.

Risky decisions

Common risks exist across different organizations, but how those risks are addressed is a business decision the security team develops their strategy around. When handling risk, there are three options:

  • Accept – The risk is not considered a threat worth investing resources to lessen. Accepted risks should be entered into a risk register, naming the business owner that accepted the risk and noting why they’ve accepted it; usually due to low probability or low impact.
  • Mitigate – These risks are not accepted and pose enough threat to a business that resource investment is warranted to prevent the risk from coming to fruition, or at least lessening the probability or impact to an acceptable amount.
  • Transfer – The risk is not accepted, but the business will not mitigate on its own. Leveraging third parties, the risks are contractually moved from the business to the provider. Common forms of cyber security risk transference include Cyber Security Insurance and Managed Security Services.

Risks worth transferring

There’s an existential problem in security right now. The problem isn’t new attacker tactics, techniques, and procedures (TTPs), new malware, or the speed of malware to get to market; rather, there are products to identify these threats, but not enough skilled headcount to properly implement the products, and investigate and respond to the alerts! This headcount shortage is an industry epidemic leaving security teams scrambling just to perform basic tasks, forcing most organizations to ignore alerts generated from the implemented security products, assuming the products were properly implemented and configured in the first place.

Alert triage and response

Looking at the tasks security teams perform to achieve risk equilibrium, many require deep knowledge of the organization and continuous communication and participation in meetings such as change control. However, the task of identifying a false-positive for a wrongly flagged graphics card driver requires little knowledge of the organization.

Transferring the risk of alert triage and response can free organization resources to focus on security responsibilities that are best kept in-house like GRC, vulnerability management, and policy creation. This transference also lessens the probability or impact of the departure of a single person being a significant detriment to the security team.

The most common cause of shelf-ware (technology that is being paid for, but is no longer, or was never used) is the sole-owner or user of that technology leaving the organization. Regarding incident detection, triage, and response, employee churn presents a much larger threat than underutilized budget. This risk is magnified by the litany of false-positives generated by security products making the required headcount necessary to triage every security alert unattainable.

Leveraging a service provider for certain functions will provide the level of expertise necessary to implement, maintain, and utilize the technology. The shift also transfers the burden of hiring and maintaining the staff necessary to perform these functions to the service provider; ideally removing the shelf-ware dilemma.

Transferring risk to a service provider

Ignoring alerts and foregoing security expertise is not a risk most organizations choose to accept, and handling it in-house is often difficult or cost-prohibitive, so it makes sense that managed security service providers (MSSPs), including managed detection and response (MDR) providers, are gaining in popularity. The difficulty comes in choosing the right MDR, and ensuring they’re mitigating risk rather than accepting it.

The false-positive dilemma

As mentioned earlier, the problem of false-positives and the impacts they have on security teams is significant, but why does this problem exist?

Defining the terms:

  • False-positive – An alert that was generated based on an event that was not malicious.
  • False-negative – An event that was malicious but did not generate an alert.

From a product-manufacturer perspective, a false-negative is brand damaging, but a false-positive is just assumed. Endpoint and network detection technologies are attempting to identify everything an attacker could do to perform malicious activity in an environment. With the skill of attackers improving, products have had to create looser detection rules that allow them to be effective at detecting potentially malicious activity, thus avoiding false-negatives. For an effective, detection-oriented security product, false-positives are almost a necessity. With this understanding, how do service providers, who are providing services for potentially millions of endpoints, profitably scale a service?

The Techniques

  • Build a Bigger Army – This is not scalable or profitable, but it is pursued by some service providers. This approach typically results in sub-par service that provides little value and leads to a frustrated customer that has essentially purchased a different source of alert fatigue.
  • Attack the Source of Alerts – Is a particular detection rule being too noisy? Shut it off! The alert fatigue problem is solved, but it also diminishes the effectiveness of the product.
  • Set an Arbitrary Investigation Threshold – Too many Critical, High, and Medium alerts to investigate? Just look at the Critical and High. Still too many? Critical-only should be fine (if we forget the retail breach was a medium alert).
  • Turn Alerts into Incidents – Rolling up multiple alerts into a single incident is a great way to make what looks like a high-fidelity alert, but it could also be a group of false-positives. The danger here is creating incidents that take much longer to investigate.

Machine Learning!

Another technique that’s becoming increasingly popular is the use of machine learning to weed through false-positives. Moving past the animosity towards marketing teams for taking real technology and turning it into a glorified way to describe statistics, machine learning can be broken into two main concepts:

  • Supervised – Using a set of training data, an algorithm can be created to determine how closely a new piece of data matches the data used for training. This methodology is commonly leveraged in security to identify malware. While useful in scenarios where training data is properly labeled and available, those prerequisites somewhat limit its usefulness in identifying malicious behavior.
  • Unsupervised – Developing a baseline of “normal”, unsupervised machine learning identifies deviations from the baseline. Unsupervised machine learning technically doesn’t generate false-positives, because it is alerting on anomalies, but given all anomalies aren’t necessarily malicious, this technique is usually paired up with cumulative risk scoring to drive anomalous activity past a threshold, where it will generate an alert hopefully more relevant to security.
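To make the two triage strategies above concrete, here is an added example (not code from the original article or from any service provider) that runs a constructed alert feed through a severity-only investigation threshold and then through per-host cumulative risk scoring. The alert names, hosts, severity weights, window and threshold are all assumptions chosen for illustration; the point is that a host generating only medium alerts never reaches a critical-only queue, while the cumulative score still surfaces it.

```python
"""Severity-threshold triage vs. per-host cumulative risk scoring (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    severity: str   # "low" | "medium" | "high" | "critical"
    rule: str


# Assumed severity weights; any monotonic mapping works for the demonstration.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Constructed sample feed (not real telemetry). Host "pos-17" only ever produces
# medium alerts, but four distinct rules fire on it within a quarter of an hour,
# while "ws-04" repeats the same noisy graphics-driver rule (the false-positive
# case the article mentions) and "ws-22" has a single, isolated medium alert.
BASE = datetime(2019, 8, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(BASE + timedelta(minutes=0),  "ws-04",  "high",     "gpu_driver_unsigned"),
    Alert(BASE + timedelta(minutes=2),  "pos-17", "medium",   "new_service_installed"),
    Alert(BASE + timedelta(minutes=5),  "ws-09",  "critical", "ransomware_signature"),
    Alert(BASE + timedelta(minutes=7),  "pos-17", "medium",   "outbound_to_new_asn"),
    Alert(BASE + timedelta(minutes=9),  "ws-04",  "high",     "gpu_driver_unsigned"),
    Alert(BASE + timedelta(minutes=11), "pos-17", "medium",   "memory_scraper_heuristic"),
    Alert(BASE + timedelta(minutes=14), "pos-17", "medium",   "scheduled_task_created"),
    Alert(BASE + timedelta(minutes=90), "ws-22",  "medium",   "new_service_installed"),
]


def severity_threshold_triage(alerts, minimum="high"):
    """The 'arbitrary investigation threshold' technique: keep only alerts whose
    severity is at or above `minimum`; everything below it is never looked at."""
    floor = SEVERITY_WEIGHT[minimum]
    return [a for a in alerts if SEVERITY_WEIGHT[a.severity] >= floor]


def cumulative_risk_scoring(alerts, window=timedelta(minutes=30), threshold=10):
    """Score each host over a sliding time window and return the hosts whose best
    window score reaches `threshold`, as {host: (score, sorted distinct rules)}.

    A rule that fires repeatedly on the same host is counted once per window, so
    a single noisy rule cannot push a host over the line by itself; it is the
    accumulation of *different* weak signals that raises the score."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        by_host[alert.host].append(alert)

    incidents = {}
    for host, history in by_host.items():
        for i, anchor in enumerate(history):
            in_window = [a for a in history[i:] if a.ts - anchor.ts <= window]
            rule_weights = {}
            for a in in_window:
                # Keep the highest severity seen for each distinct rule.
                rule_weights[a.rule] = max(rule_weights.get(a.rule, 0),
                                           SEVERITY_WEIGHT[a.severity])
            score = sum(rule_weights.values())
            if score >= threshold and score > incidents.get(host, (0, []))[0]:
                incidents[host] = (score, sorted(rule_weights))
    return incidents


if __name__ == "__main__":
    queue = severity_threshold_triage(SAMPLE_ALERTS, "critical")
    print("critical-only queue:", [(a.host, a.rule) for a in queue])
    for host, (score, rules) in cumulative_risk_scoring(SAMPLE_ALERTS).items():
        print(f"risk score {score:>2} on {host}: {', '.join(rules)}")
```

With these constructed inputs the critical-only queue contains just the ransomware hit on ws-09, whereas the cumulative score also raises pos-17 (four distinct medium rules) without raising ws-04, whose two high alerts are the same repeated rule.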

Inherent risk

Given the available approaches to dealing with false-positives, it’s clear that some risk acceptance must happen to get the alert count to a level that allows security teams to efficiently deal with the “high-priority” alerts. This acceptance is not based on the organization’s risk tolerance, but instead on the limitation of resources to mitigate, which places an inflated cost on the risk […] Read more »

Instituting Security in IoT Networks to Prepare for Massive 5G Rollouts

IoT is dramatically transforming how we approach business: from manufacturing to energy to retail, the industry use cases are endless.

Internet of Things networks of connected devices can generate mountains of data in a matter of seconds, enabling projects like smart cities and autonomous cars, and fundamentally changing what’s possible in enterprise and consumer services. We’re likely to see more use cases emerge in the coming years, as the number of IoT devices is set to increase; by 2025, it is projected that there will be 75.44 billion connected devices.

However, IoT technology is still kind of like the Wild West – while the possibilities that come along with exploring this untamed territory are seemingly endless, the associated risks can be extremely high. In the first half of 2018 we saw a 29 percent increase in DDoS attacks, which can be directly attributed to IoT. Now more than ever, cyberattacks have the power to spread from end user to end user with incredible speed, making it even harder to pinpoint the origin of the attack given the massive number of connected devices on the network.

Despite the security risks, enterprises cannot afford to ignore the significant use cases as connected devices move from the well-understood traditional endpoints to connected IoT sensors attached to almost any device. The advent of 5G will enable enterprises to collect and analyze vast amounts of data from IoT edge devices around the globe, paving the way for cost reductions and performance gains, but the need to protect the valuable data on these devices will be an opportunity for the bad guys who will want to either steal or control it.

Operators should view this as not only an opportunity to fortify their networks against cybercriminals but as a competitive advantage to offer services to spot and mitigate risks as more operations move to the edge. With a proliferation of endpoints and more avenues into the network, there must be a massive shift from a “reactive” mode of operations to a “predictive” mode of operations. Furthermore, as 5G rollouts continue across the globe, the attack surface will only increase. 5G networks will enable and support new services and users via IoT devices, exposing the network to severe threats.

Here are a few best practices when it comes to managing IoT security issues.

Start with the Network

A perimeter-based security approach is no longer sufficient when today’s era of cybercriminals can launch an attack from any and all sides using a variety of vectors. Protection must be embedded into the network fabric to further strengthen lines of defense, enabling real-time monitoring and detection.

To thwart potential attacks, businesses need a comprehensive security policy that leverages automation, anti-malware software and firewalls while also regularly documenting their cybersecurity policies. Security cannot be an afterthought – it must be built in from the very beginning to every component of the network. Starting from the network means that you are applying security to the broadest number of endpoints possible, so even if embedded security has not always been a consideration when rolling out new solutions, this will ensure the best possible coverage and awareness as new solutions are considered and deployed.

Automation is Your Friend

According to a recent study by the Ponemon Institute, security automation increases the productivity of IT security personnel and correlates threat behavior more accurately, helping teams address the volume of threats. Security programs powered by automation are, by design, nimbler and more actionable, and even the most seasoned security teams can benefit from this additional help. Investing in solutions that glean insights from network automation tools lets teams quickly turn raw data into actionable findings, empowering them to better pinpoint security threats.

Education is Key

There is a serious skills gap when it comes to implementing security automation technology. This shortage only opens businesses up to greater vulnerabilities. Until the gap is closed, network equipment and security solutions with built-in automation and seamless integration will be key. A well-rounded security posture calls for comprehensive training programs for anyone who is, or will be, involved in managing the IoT environment. Plan training at the start of any IoT deployment and ensure that staff are well versed in the workings of any new solution before it is designed and implemented on your network. Vendors will have both product-specific and general cybersecurity training options […] Read more »

Luanne Tierney: Cloud Expert of the Month – August 2019

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

August Cloud Expert of the Month is Luanne Tierney
Luanne Tierney, currently CMO of Open Systems, a secure SD-WAN managed services company, has extensive experience in leading complex marketing organizations for Fortune 500 and mid-market SaaS companies. She has held marketing leadership roles at Cisco, Juniper, Fortinet and Proofpoint. As a young working executive, she was the first in the industry, with the sponsorship of Chuck Robbins, now CEO of Cisco, to develop a Women-in-Tech leadership program in Silicon Valley. Luanne has won numerous industry awards, including the PBWC Industry Leader Award, the Silicon Valley Women of Influence Award, multiple CRN Channel awards and the YWCA TWIN Executive Award, but the recognition she most appreciates is from the sales teams she has supported throughout her career.

When did you join Cloud Girls and why?
Jo Peterson, one of the co-founders, reached out to me in 2017 and invited me to join. Right away I was impressed by the organization because it was an intimate organization, focused on sharing ideas by women working at all levels in tech. The group would meet monthly to discuss cloud technologies as they related to their professional roles.

What do you value about being a Cloud Girl?
I value the opportunity to learn, interact, share best practices, support and personally connect with the other women who are at different stages in their careers.

What is the best career advice you’ve ever received?
When I was a young working mom, I had dinner with the late, outspoken Ann Richards (former governor of Texas). I had developed and initiated the first “Women in Channels Leadership Program” at Cisco and was in Dallas, Texas hosting one of the first of these programs. I remember having the honor of sitting next to her at dinner and asking her, “How do I have a successful career and simultaneously raise great kids?” Her feisty response was this: “Give up the guilt, bring them with you to your work, show them what you are doing and that you are passionate about your job, so that when you are not with them they understand what your work life is like and are positively exposed.”

How do I avoid being complacent in my role?
Well, that’s a funny question. I find this to be true: there is always someone younger, smarter, with seemingly cooler professional experiences, especially in the digital area. First of all, I prioritize staying current through learning by in-person conversations. Each week, I make sure I have scheduled external meetings with individuals I can learn from. These are not necessarily people who are solely focused on marketing, but rather executives in sales, CEOs, CIOs, human resources, and recent college graduates. I also make sure I invest in myself by learning from my peers through industry associations. In addition to Cloud Girls, I am a member of SVEN (Silicon Valley Executive Network) and the CMO Club. I am also an avid podcast listener; some of my favorites are What’s Next, How I Built This, and Super Women. I am also on a public and a private board in the consumer space, Crimson Wine Group and KNOCK Inc., which gives me exposure to market dynamics and challenges in the consumer industry.

How can you be a role model for young women and young men about what it means to be a leader in tech?
It doesn’t matter what industry you are in; leadership is all about people! Take the time to listen to your people. Surround yourself with a diverse team of people who have different expertise. It can’t be about you; the more you help the organization, the better you will feel. Your team’s accomplishments and what they deliver will identify you as a great leader […] Read more »

The Truth about Unstructured Data

The exponential growth rate of unstructured data is not a new phenomenon. While the hacking of a database to steal sensitive credit card or personally identifiable information is what dominates the headlines, the reality is that a large amount of an organization’s intellectual property and sensitive information is stored in documents. But organizations are often unsure of where that information resides or how much of it they have. And worse yet, it is accessed, shared, copied, and stored all in an unprotected state.

Managing and controlling unstructured data is by far one of the most challenging issues of data security for enterprises. All personally identifiable information and other sensitive information, corporate or otherwise, should be protected with encryption and persistent security policies so that only authorized users can access it. In this article, I will discuss the key drivers behind the influx of unstructured data in enterprises, the risks associated with not properly managing and securing unstructured data, and best practices for document protection.

Unstructured data is not dark data (although it can be, depending on your definition of dark data) or social media; it is the collection and accumulation of documents (files), emails saved as files in folders, and the file sharing that takes place every day in businesses around the world. It is the ongoing creation of everyday information pulled from structured databases and saved in a variety of formats, from Microsoft Office files and PDFs to intellectual property such as CAD drawings, photos and graphics, created for internal use, drafted for external use, and/or published via social media and other channels, to name just a few categories.

According to Search Technologies, eighty percent of data is unstructured, yet the issue of securing unstructured data is still low on the security radar. Adding to the chaos of unstructured data are numerous challenges, including stricter regulatory requirements; protection of intellectual property (IP) and trade secrets; disparate security domains beyond traditional corporate WAN/LAN into cloud, mobile, and social computing; and preventing threats by insiders, both accidental and malicious.

Traditional security has focused on preventing a breach of the enterprise perimeter with layers of physical and electronic security, using a range of tools such as firewalls, filters, and anti-virus software to stop access. Once those measures fail or are subverted, intruders gain access to all the (figurative) candy in the candy store and potentially “crown jewels”.

The first attempts to deal with unstructured data came via Enterprise Digital Rights Management (EDRM) systems. Such dedicated systems typically didn’t work well with existing workflows, required training, needed staff time to manage, were often not realistically scoped and had unforeseen negative impacts on other IT functions. At the end of the business day, EDRM projects were often stranded at the security doorstep.

A better approach is to accept the free-wheeling chaos of unstructured data and adopt technologies that find it in the enterprise, classify and prioritize it, and protect it via encryption with policies on who can see or access the data.

The first step is discovery: a scanning process that analyzes file information across the enterprise, finding unprotected files and looking for sensitive information. The scanning process can be instructed (on an automated basis) to review certain types of files, such as Microsoft Office (Word, Excel, PowerPoint), images, PDFs and CAD drawings, as well as files whose names or contents match regular expressions or keywords. In addition, discovery can include analyzing unprotected data files along with files that have already been encrypted by a protective process and “watermarked” with a digital rights management (DRM) token. Discovery of unstructured data is a constant process, analyzing data in motion between computers and networks, data at rest (storage), and data in use when a document is opened, with the potential for data to be shared, printed, copied, or saved in an alternative file type (e.g. Word to PDF).

Securing unstructured data via encryption is a necessary and logical step, but encryption alone is not enough. A more robust approach embeds a unique “tag” or ID into the final protected file as part of the encryption process, providing the basis for tracking changes to and copies of files and for enforcing user access policies through a centralized corporate file management process. The embedded tag can be used to restrict access to data in the encrypted file to a specific user or designated classes of users, as well as to trace the creation and migration of data from one computer within the enterprise to anywhere else within or external to the enterprise, from endpoints to clouds and backup storage locations […] Read more »
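As an added example (not code from the original article), here is a minimal discovery scanner in Python that does what the two paragraphs above describe: it walks a directory tree, reads only the file types it is told to, matches file contents against regular expressions for sensitive data, and separates files that already carry a protection tag from unprotected files that need one. The `X-DRM-TAG:` header, the directory layout and the sample documents are constructed for the demonstration; real Office and PDF files would need a text extractor in front of the classifier.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed detector patterns for the scan. The card pattern is deliberately
# loose and every hit is confirmed with a Luhn check, so ordinary digit runs
# (order numbers, timestamps) are not reported as card numbers.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Assumed convention for files a protective process has already handled: the
# first line carries a tag header. The header name is made up for this example.
DRM_TAG_PREFIX = "X-DRM-TAG:"
# Only plain-text formats are read here; Office files and PDFs would need a
# text extractor in front of classify_text().
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".md"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used to confirm that a digit run is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count sensitive-data hits per category in one document body."""
    hits = {}
    for category, pattern in PATTERNS.items():
        count = 0
        for match in pattern.finditer(text):
            if category == "credit_card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_valid(digits):
                    continue  # looks like a card number but fails the checksum
            count += 1
        if count:
            hits[category] = count
    return hits


@dataclass
class Finding:
    path: str
    protected: bool          # True when the file already carries a DRM tag
    tag: str = ""
    hits: dict = field(default_factory=dict)


def scan_tree(root: str) -> list:
    """Walk root, read each scannable file and record its protection state and hits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            first_line = text.split("\n", 1)[0].strip()
            if first_line.startswith(DRM_TAG_PREFIX):
                # Already protected: record the tag; the body is ciphertext
                findings.append(Finding(path, True, first_line[len(DRM_TAG_PREFIX):].strip()))
            else:
                findings.append(Finding(path, False, "", classify_text(text)))
    return findings


def unprotected_sensitive(findings: list) -> list:
    """The files that need protection: unprotected and holding at least one hit."""
    return [f for f in findings if not f.protected and f.hits]


def findings_by_name(findings: list) -> dict:
    """Index findings by file name for easy lookup."""
    return {os.path.basename(f.path): f for f in findings}


def build_sample_tree() -> str:
    """Create a constructed directory tree for the stand-alone demo; returns its root."""
    root = tempfile.mkdtemp(prefix="discovery_")
    samples = {
        "finance/cards.csv": "name,card\nA. Jones,4111 1111 1111 1111\nB. Roe,1234 5678 9012 3456\n",
        "hr/roster.txt": "Jane Doe 123-45-6789 jane.doe@example.com\n",
        "hr/protected.txt": "X-DRM-TAG: 7f3c-constructed\n<ciphertext>\n",
        "notes/readme.md": "Nothing sensitive here.\n",
        "build/app.bin": "not a scannable type\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in unprotected_sensitive(scan_tree(build_sample_tree())):
        print(f.path, f.hits)
```

The Luhn check is what keeps the card pattern honest: a 16-digit value that merely looks like a card number (the second row of the sample CSV) is not reported. Files that already carry the tag are listed with their tag but not re-classified, since their body is ciphertext; `unprotected_sensitive()` is the work list a protection step would consume.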

Louise Bowman: Cloud Expert of the Month July, 2019

Cloud Girls is honored to have amazingly accomplished, professional women in tech as our members. We take every opportunity to showcase their expertise and accomplishments – promotions, speaking engagements, publications and more. Now, we are excited to shine a spotlight on one of our members each month.

July’s Cloud Expert of the Month is Louise Bowman

Louise Bowman is a customer-focused enterprise sales executive who has been in the IT industry for almost 20 years. Her career began at Rackspace, a global managed hosting and cloud provider, where she built the inside sales team, both in San Antonio and London. In 2007, she returned to her hometown of Denver and began working for ViaWest, now Flexential, a national colocation, managed hosting and cloud provider. There she was a Major Account Executive managing top ten named accounts, and later was asked to build ViaWest’s inside sales team. Her next adventure, NIMBL, a national system integrator based in Denver, gave her the opportunity to move up the IT stack: she began working within the SAP ecosystem selling software, consulting, staffing and managed application services to clients primarily in the Pacific Northwest.

Bowman is intrinsically motivated by responsibility, positivity, winning others over, learning, complex deals, and dynamic and thriving organizations. She is currently a member of Cloud Girls and is the SAP ASUG Pacific Northwest Chair Lead. Outside of work, she enjoys great food and wine (cooking or eating out), traveling, skiing, hiking, working out, murder mystery movies and books, and spending time with her husband and fur baby, Edie! Louise has a Bachelor of Science degree in psychology from the University of Colorado, Boulder, where she was a member of Phi Beta Phi and captain of the women’s lacrosse team.

When did you join Cloud Girls and why?

Manon Buettner, Cloud Girls’ co-founder, and I had met earlier in 2014, and through many discussions she invited me to join Cloud Girls in 2015. I was able to attend my first retreat in Park City; that weekend really gave me insight into what an amazing organization Cloud Girls is, especially all the women involved.

What do you value about being a Cloud Girl?

First, the annual retreat because this is the time I have been able to learn about each “girl” in the group, dig into key issues and how others see/handle situations, let our hair down, laugh, play and leave with a feeling of belonging. This event always reminds me what a dynamic, eclectic, accomplished and vocal group I am a part of – I am proud to be a Cloud Girl. Second, the ongoing education, strong network and our community involvement.

What is the best career advice you’ve ever received?

“Feel, Think, Do”

What is the best professional/business book you’ve read and why? 

Gallup Poll’s “StrengthFinder” by Tom Rath. This book is the only personality test that has ever really resonated with me and given me great insight into myself and others. I highly recommend this to everyone, no matter your profession […] Read more »

Small and Medium-sized Financial Institutions: The Security Challenges They Face Each Day

It’s no secret that financial institutions are in criminals’ crosshairs. This has been the story ever since people and organizations started putting their cash in the care of others. But unlike the good ol’ days of dramatic ski-masks-over-face, gun-in-hand heists, the majority of today’s banking crimes are digital, and thus, involve far less bravado and derring-do.

While cybercrime and fraud affect all financial institutions, each sector has its own specific concerns. The concerns of large institutions generally take center stage due to their high profiles and the large stakes involved, but often, concerns specific to small and medium-sized institutions go overlooked. In this article, we will examine the issues that cause the most distress to IT and security teams at small and medium-sized financial institutions.

Why Cyber Criminals Love Small and Medium-sized Financial Institutions

Small and medium-sized financial institutions are often seen by cyber criminals as low-hanging fruit — sure, they could go after JPMorgan Chase or Goldman Sachs for a huge payoff — but a heist of that nature requires boatloads of planning and effort. For an attack of that scale, an assailant must have incredibly powerful tools as well as a flawless plan, which could take months and even years to orchestrate.

Add to that the immense challenge of evading the law once the attack has been executed. High profile attacks on banks make great news fodder and criminals can expect to be hotly pursued and tried for their misdeeds.

Unfortunately, this is not typically the case with smaller targets. It doesn’t take quite as much planning or effort to hit smaller players and since these crimes are not as high profile, it may be easier for the attacker to get away with them. All in all, small and medium-sized financial institutions are a wise choice for attackers looking for a relatively easy swindle.

The Security Challenges that Keep Small and Medium-sized Financial Institutions CISOs Up at Night

There are many cyber security issues that plague small and medium-sized financial firms, ranging from structural issues to out-and-out threats. While each organization is unique, security leaders at most, if not all, small and medium-sized financial services firms must overcome these structural challenges.

Lack of Buy-in/Understanding from C-Suite/Leadership

Each financial services firm has its own business drivers, those issues that are integral to the success and advancement of the business model. While issues like customer satisfaction and regulatory compliance generally top execs’ lists, the issue of cybersecurity doesn’t always show up on their radar.

There are a few reasons that cyber security may not be the first thing on many leaders’ minds. To start with, it can be very difficult to prove the return on investment for security-centered projects. In the words of security expert Bruce Schneier, “Security is about loss prevention, not about earnings.” Proving how much a company saves by preventing a breach does not produce the same tangible benchmarks as do other, more concrete investments.

Moreover, leaders may not have sufficient IT and/or security knowledge to grasp the full severity of weak or inadequate defenses. While some decision makers certainly are well versed in technology, it’s often not a part of their job requirements and they simply may not grasp the importance of investing in new solutions as they become available. Likewise, they may not understand the full legal and operational ramifications of falling prey to a breach.

Lastly, according to ChiefExecutive.net, leaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort. This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.

Limited Budgets

As mentioned above, small and medium-sized financial institutions typically have much more limited cyber security budgets than larger institutions. A recent survey by Untangle found – shockingly! — that of 350 small and medium-sized businesses polled, 50 percent had annual security budgets of less than $5,000 US and of those, 50 percent had budgets of less than $1,000 US.

In light of these numbers, it comes as no surprise that at many smaller FinServs, there is no one specific person or team tasked with cybersecurity – it’s just another aspect of IT’s responsibilities. Moreover, their tools are nowhere near as comprehensive as those found at larger institutions. This increases the chances of breaches and extends time to detection (TTD) and time to respond (TTR) in the face of incidents.

At the same time, small and medium-sized financial firms still have conveniences like customer-facing apps and websites, which are necessary to compete with the big guys. But as with the rest of their technology stack, these applications may be less robust and secure than those developed by banks with more money to allocate to security. This makes these less secure applications prime pickings for attackers.

Dependence on Third Party Vendors

Small and medium-sized financial institutions are heavily reliant on integrations with third party suppliers. As with businesses of any size, these firms need to share information with partners and contractors to remain relevant and agile in an increasingly connected world.

But granting access to third parties can come with great risks — by making your network accessible to third parties, you allow their vulnerabilities to become your vulnerabilities, their liability to become your liability. This was clearly demonstrated in the infamous Target hack of 2013, when the behemoth saw their point of sale system breached due to an integration with an HVAC vendor whose credentials were stolen.

In the typical integration, external partners can access the company’s networks without adequate monitoring and limitations. This allows them access to far more resources than needed to do their jobs, making the organization a sitting duck. And as third-party vendors are often also small and medium-sized businesses, there is a very real chance that they may have less-than-adequate security, which compounds the risk. Further, the decision of which vendor to use is often made with little regard to vendor security practices and how those may affect the institution and its networks.

The Threats that Nightmares are Made Of

While budget limitations, support from top brass and third-party vendors are ongoing headaches for security officers, threats that commonly target financial service businesses are the night terrors that bolt them awake in a cold sweat.

The Many Flavors of Insider Threats

Insider threats take many forms and affect all businesses, from the largest enterprises to shoestring operations. And while all businesses suffer when an employee goes rogue or an ex-staffer decides to spill the company beans, small businesses experience damage from insiders more often than their larger counterparts. This is especially true in finance, where the stakes are inherently much higher than for most other businesses. In fact, according to the 2019 Verizon Data Breach Investigations Report, the threat actors in 36 percent of breaches of financial institutions were insiders.

One reason small and medium-sized financial firms fall prey to insiders is that they often lack proper protocols for revoking access after an employee has been terminated. Smaller financial firms tend to have less robust IT standard operating procedures and thus when an employee is asked to leave, it may take days or weeks before his or her access to critical resources is revoked. This leaves the ex-staffer with plenty of time to collect whatever data he or she wants, which can then be given to competing banks — or worse, such as nation state adversaries and cyber-criminal syndicates.

Similarly, smaller firms also tend to engender feelings of trust and familiarity among employees. While this is great for the general work ethic, there is risk in trusting your employees too much. Large institutions often have tiered Identity Access Management (IAM) solutions in place to prevent employees from seeing information which is beyond the scope of their requirements. Once again, due to less sophisticated IT infrastructure and because of that cozy, feel-good atmosphere, smaller institutions may not have the same precautionary measures in place, allowing employees access to data far beyond their actual data needs.

Then there is the insider who, although not necessarily malicious in intent, is simply impervious to training. This is the employee who routinely clicks suspicious links or fails to notice clues indicating that he or she is being phished or scammed. Scary but true: According to Verizon’s 2019 DBIR, three percent of people will click on any given phishing campaign. And these well-meaning employees can cause just as much damage as those with ill intentions: In a small and medium-sized bank, the means or understanding to track just which employee is “that guy” may simply not exist — thus, the risk goes unmitigated.

Business Email Compromise (BEC) Scams

According to a report by security firm IronScales, 95 percent of successful cyber-attacks include an element of social engineering. Humans are easily manipulated, and attackers are adept at creating all kinds of compelling scams to help victims and their money or data part ways. According to the Verizon 2019 DBIR, financially motivated social engineering attacks target financial services institutions disproportionately vis-à-vis other industries.

In recent years, BEC, or Business Email Compromise, has become one of the most potent phishing methods, generating losses of $676 million US in 2017. According to HSBC, small and medium-sized businesses are harder hit than larger enterprises.

In the typical BEC scam, the scammer impersonates someone in a position of power within the organization, perhaps the CEO or a senior member of the IT team. The scammer sends an urgent email to a lower ranking employee, demanding funds to be transferred. This perfectly crafted email is almost indiscernible from an authentic one and implies that the recipient must see to it that the funds are transferred immediately – or face repercussions. If things go according to the attacker’s plan, the employee sends the request off to the organization’s bank, where an unwitting bank employee complies with the email’s instructions and transfers the funds.

BEC scams cause damage to all kinds of businesses, as well as to banks. But no matter the industry, they affect banks because banks are the institutions through which the financial transfers take place. In smaller institutions, standard operating procedure for transfers may not be clearly outlined, and thus there is a greater danger that someone within the bank may authorize such fraudulent transfers.
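The following is an added example, not part of the original article, showing the kind of mail-side check that backs up a written transfer procedure: it scores an inbound message on the BEC indicators described above (an executive's display name on a mailbox that is not theirs, a lookalike sender domain, a Reply-To that diverts replies, and urgency plus payment wording). The executive directory, the `firstbank.example` domain, the three sample messages and the weights are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people a BEC scammer would impersonate, keyed by the
# lower-cased display name, and the domain the institution actually uses.
EXECUTIVES = {"maria chen": "maria.chen@firstbank.example"}
INTERNAL_DOMAIN = "firstbank.example"
URGENCY = re.compile(r"\b(urgent|immediately|right away|today|asap|confidential|do not (?:call|discuss))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?|account details)\b", re.I)
# Weights and threshold are assumptions for the example; tune them against your own mail.
WEIGHTS = {"impersonation": 3, "lookalike-domain": 2, "reply-to-mismatch": 2, "urgency": 1, "payment": 1}
HOLD_THRESHOLD = 4


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Score one RFC 822 message (plain-text body assumed) for BEC indicators."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = domain_of(addr)
    reasons = []
    # Display name of a known executive, but not their real mailbox.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("impersonation")
    # Sender domain is a near miss of the institution's own domain.
    if domain != INTERNAL_DOMAIN and 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append("lookalike-domain")
    # Replies would silently go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        reasons.append("reply-to-mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body):
        reasons.append("urgency")
    if PAYMENT.search(body):
        reasons.append("payment")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"score": score, "reasons": reasons, "action": "hold" if score >= HOLD_THRESHOLD else "deliver"}


# Constructed sample messages.
SUSPECT = """\
From: Maria Chen <maria.chen@firstbamk.example>
Reply-To: m.chen.ceo@webmail.example
To: pat.ops@firstbank.example
Subject: Quick request

Pat, I need a wire transfer of $48,200 sent today to the account details below.
Keep this confidential and do not discuss it with anyone until it clears.
"""

BENIGN = """\
From: Maria Chen <maria.chen@firstbank.example>
To: pat.ops@firstbank.example
Subject: Q3 planning deck

Pat, the planning deck is in the shared folder; comments welcome by Friday.
"""

VENDOR = """\
From: Billing <billing@vendor.example>
To: ap@firstbank.example
Subject: Invoice 1187

Please find attached invoice 1187 for payment by the 30th.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN), ("vendor", VENDOR)):
        print(label, score_message(raw))
```

Any single indicator is weak on its own (vendors do send invoices), which is why the vendor mail stays below the hold threshold; the combination of a spoofed executive identity, a one-character-off domain and a transfer demand is what drives the suspect mail to a hold. The hold is a review queue, not a silent drop, so that the out-of-band confirmation an institution's transfer procedure should require can actually take place.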

Browser-Based Threats

Like all businesses, small and medium-sized financial institutions need to use the Internet for tasks such as researching loan applicants and corresponding with customers. So, every employee needs web access. But the risk that comes with open connectivity, namely, the fact that browser-borne malware can easily spread laterally throughout networks, cannot be tolerated in such a sensitive arena.

Browser-based malware is always morphing to ensure that it evades traditional security methods, but some attack elements remain the same: cross-site scripting (XSS) and SQL injection (SQLi) attacks are among the most common web-based attack methods and can potentially come from any website that has been infected, even those that have been deemed secure. These complex attacks can easily exfiltrate data from employees’ browsers. Moreover, browser-based threats are difficult to detect, which puts critical assets directly in harm’s way.

Many IT admins turn to whitelisting pre-approved web applications and websites to help keep out browser-based threats. But whitelisting has significant drawbacks — it leads to reduced productivity and agility as employees cannot always access the resources they need when they need them. It’s also not completely effective, as once-good sites can become infected with malware and in turn, pass that infection on to your network.
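To make the two attack classes named above concrete, here is an added example (not from the original article) in Python with SQLite, placing the vulnerable form of a customer lookup and of a greeting page beside their hardened forms. The table, the customer rows and the function names are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer-facing app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("alice", 120.5), ("bob", 4000.0), ("carol", 75.0)],
    )
    return conn


def lookup_unsafe(conn, name: str) -> list:
    """Vulnerable form: the user-supplied name is spliced into the SQL text."""
    query = "SELECT name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute("SELECT name, balance FROM customers WHERE name = ?", (name,)).fetchall()


ALLOWED_SORT = {"name", "balance"}


def list_sorted(conn, column: str) -> list:
    """Identifiers cannot be bound as parameters, so they are checked against an allowlist."""
    if column not in ALLOWED_SORT:
        raise ValueError("unexpected sort column")
    return conn.execute("SELECT name FROM customers ORDER BY " + column).fetchall()


def greeting_unsafe(name: str) -> str:
    """Vulnerable form: raw input lands in HTML, so markup in the name becomes markup in the page."""
    return "<p>Welcome, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Hardened form: contextual output encoding turns markup characters into text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))
    print(greeting_safe("<b>alice</b>"))
```

The hardened lookup passes the name as a bound parameter, so an input full of quote characters is just a name that matches nothing; identifiers such as a sort column cannot be bound and are checked against an allowlist instead. For the HTML case, `html.escape` is the right encoder for element content; attribute and JavaScript contexts need their own encoders.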

Small and Medium-sized Banks Have to Level Up to Survive

Beyond the threats themselves, small and medium-sized FinServs have to consider the costly fallout that comes along with successful cyber security attacks. Understandably, in the wake of an attack, customers may lose confidence and jump ship. And while larger financial institutions can absorb the costs of many, if not most, attacks, smaller ones cannot, which may lead to closures […] Read more »

A New Framework for Preventing Cyber Attacks

The scale of data theft is staggering. In 2018, data breaches compromised 450 million records, while 2019 has already uncovered the biggest data breach in history, with nearly 773 million passwords and email addresses stolen from thousands of sources and uploaded to one database.

Current cyber defense tactics simply aren’t enough; a new model of defense is needed. In research published recently in Future Generations Computer Systems, my co-researchers and I propose a framework harnessing the power of machine learning to accurately predict attacks and identify perpetrators.

Outdated Tactics

The current manual security models are quickly becoming obsolete for a number of reasons. For one, there is simply too much data for human analysts to manually sift through. Hail-a-TAXII, a repository of Open Source Cyber Threat Intelligence feeds, provides more than one million threat indicators. IBM X-Force reports thousands of malware weekly. Verizon’s Data Breach Investigations Report details millions of incidents. These are just a few of the many data sources analysts have at their fingertips.

Another problem is that current cyber threat intelligence (CTI) tactics look only at low-level indicators, small attack signatures such as IP addresses, domain names and file hashes. Low-level indicators are easy for companies to block by plugging them into firewalls and security devices. Unfortunately, they’re also easy for hackers to change. Using only low-level indicators to stop a cyberattack is a little like trying to prevent thieves from robbing your home by securing only one window. The thief will just find another window.

The glut of data and the preoccupation with low-level indicators contribute to a serious lag in identifying threats. The median time for an organization to determine it is under attack is 46 days. Attacks can go undetected for much longer: the massive data breach at Equifax in 2017, involving nearly 150 million pieces of personal data, went undetected for 76 days.

Relying on low-level indicators simply doesn’t make sense given what we now know about hackers: They use common patterns of attack that can be identified by looking at high-level indicators, otherwise known as Tactics, Techniques and Procedures (TTPs).

Examples of tactics common to certain threat groups involving the compromise of victims’ credentials include:

  • the exploitation of the victim’s remote access tools and the network’s endpoint management platforms by threat group TG-1314.
  • employing key loggers and publicly available credential dumper toolkits by TG-3390.
  • spear phishing using URL shortened links pointing to malicious websites by TG-4127, which targets government and military networks for espionage and cyber warfare.

Typically, hackers will specialize in one attack tactic and gradually evolve the tactic over time. Consider what’s happened with RAM scrapers: malware that enters servers and combs through the memory to find a distinctive code pattern, such as a credit card’s 16 digits. A RAM scraper was behind the 2013 Target data breach that compromised 40 million credit cards, as well as the 2018 Marriott and Hyatt breaches and many others in between.

While the tactic has remained the same, what has changed is how the malware transfers data to the attacker, advancing from FTP to the web protocol and finally to encrypting the information and moving on its own, no longer reliant on a human to copy and transfer the data. Fifty different families of RAM scrapers for stealing personal data currently exist.

The cyber intelligence community already maintains databases detailing high-level indicators. More than 130 adversary technique documents exist. As of late 2018, there were 45 known threat actors and 123 known software tools included in the ATT&CK taxonomy, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK taxonomy shows that the number of TTPs used in threat incidents ranges from one to 34, with an average of six.

If so much is known about TTPs, why aren’t analysts relying on them for cyber defense? Again, the problem is the massive amount of data. Manually searching for correlated TTPs is tedious, error-prone and a nearly impossible task. The lack of a commonly used vocabulary to describe attacks and attack tactics compounds the problem. TTPs are mostly reported as unstructured textual descriptions, which makes it difficult to correlate attack incidents of the same threat group based on similar TTPs, because of synonyms and polysemous words. The same style of attack can be labeled one thing in one database and something completely different in another.
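As an added example that is not part of the original research, the following Python sketch illustrates why a shared vocabulary matters when correlating incidents by TTP: free-text reports are mapped onto ATT&CK technique IDs through a synonym table, each report becomes a set of techniques, and the sets are compared by Jaccard overlap both against known group profiles and against each other. The technique IDs are real ATT&CK identifiers; the phrase lists, the group profiles (modelled on the behaviours attributed to TG-1314, TG-3390 and TG-4127 above) and the incident reports are constructed for the demonstration.

```python
import re
from itertools import combinations

# Constructed vocabulary: phrases that reports use for the same behaviour, keyed by
# the ATT&CK technique ID they map to. The IDs are real ATT&CK identifiers; the
# phrase lists and the mapping choices are assumptions made for this example.
VOCAB = {
    "T1003": ["credential dumper", "credential dumping", "dumped credentials", "password hashes were extracted"],
    "T1056.001": ["keylogger", "key logger", "keystroke logging", "keystroke capture"],
    "T1566.002": ["spear phishing link", "spearphishing link", "url shortener", "shortened link", "malicious link"],
    "T1219": ["remote access tool", "remote access software", "remote support tool"],
    "T1072": ["endpoint management platform", "software deployment tool", "systems management console"],
}

# Constructed threat-group profiles, following the behaviours the text lists.
PROFILES = {
    "TG-1314": {"T1219", "T1072"},
    "TG-3390": {"T1056.001", "T1003"},
    "TG-4127": {"T1566.002"},
}

# Constructed free-text incident reports, worded differently on purpose.
REPORTS = {
    "incident-A": "Intrusion began with a spear phishing link served through a public URL shortener.",
    "incident-B": "Actor installed a key logger on finance workstations, then ran a publicly available credential dumper.",
    "incident-C": "Adversary abused the customer's remote access tool and pushed payloads via the endpoint management platform.",
    "incident-D": "Keystroke logging utility recovered from one host; no other activity identified.",
}


def extract_ttps(text: str) -> set:
    """Map free-text wording onto technique IDs using the synonym vocabulary."""
    lowered = text.lower()
    found = set()
    for technique, phrases in VOCAB.items():
        for phrase in phrases:
            if re.search(r"\b" + re.escape(phrase) + r"\b", lowered):
                found.add(technique)
                break
    return found


def jaccard(a: set, b: set) -> float:
    """Overlap of two technique sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def attribute(text: str, profiles: dict = PROFILES) -> list:
    """Rank known groups by how well their TTP profile matches one report."""
    ttps = extract_ttps(text)
    ranked = [(group, jaccard(ttps, profile)) for group, profile in profiles.items()]
    return sorted(ranked, key=lambda gs: (-gs[1], gs[0]))


def correlate_incidents(reports: dict = REPORTS) -> dict:
    """Pairwise TTP similarity between reports, keyed by (id1, id2) with id1 < id2."""
    ttps = {rid: extract_ttps(text) for rid, text in reports.items()}
    return {(x, y): jaccard(ttps[x], ttps[y]) for x, y in combinations(sorted(ttps), 2)}


if __name__ == "__main__":
    for rid, text in REPORTS.items():
        print(rid, sorted(extract_ttps(text)), attribute(text)[0])
    print({k: v for k, v in correlate_incidents().items() if v > 0})
```

Report D mentions only keystroke logging, under wording that none of the other reports use, yet it still lands closest to TG-3390 and correlates with incident B, which is exactly what a string-level comparison of the unstructured text would miss. The real curation effort is building and maintaining the vocabulary; the set arithmetic afterwards is trivial.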

Building a New Framework

The framework we propose in Future Generations Computer Systems is based on our knowledge of TTPs and the problems plaguing the cyber intelligence community, too much data and no automated way to rely on more effective high-level indicators.

The framework creates a network of Threats, TTPs and Detection (TTD) mechanisms. To accomplish this, data was collected from related cyber breach incidents and reliable threat sources in the public domain.

In total, more than 327 unstructured documents from about two dozen sources were used. Although machines will likely one day be able to deal with all the nuances of human language, we’re not there yet. This means the data had to be curated and semantically correlated before it could be analyzed by machines: we used ATT&CK […] Read more »