Articles

CIOs say security must adapt to permanent work-from-home

Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.

The entire US economy and government were forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organizations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

COVID has resulted in a lot of forward-looking changes, Jim Weaver, CIO of Washington State, said on the second day of the annual Cybersecurity Summit hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “COVID has been our chief innovation officer. Now as a state we’re pivoting to change our service methodologies while in the middle of a pandemic and economic downturn.” Washington was the first state with a positive COVID case, on January 14.

“Governor Inslee has been a big proponent for remote work for a lot of reasons and so we did have a culture and mindset in place already enabled to support it,” Weaver said. Washington had to jump from an average of 3,000 to 4,000 remote concurrent connections to 65,000 to 70,000 almost overnight. “That went pretty flawlessly, I’m pleased to say.”

This article appeared in CSO Online, where the full article is available.

Photo by Charles Deluvio on Unsplash


Ransomware attacks growing in number, severity: Why experts believe…

Law enforcement and federal experts discuss recent ransomware trends and the challenges of fighting the attacks.

Ransomware has become the most chronic and common threat to digital networks. At a time when 41% of all cybersecurity insurance claims flow from ransomware attacks, it’s no surprise that ransomware is top of mind for leading security experts, government officials and law enforcement leaders.

“I think ransomware is going to get worse and I hate to say it, but it’s almost the perfect crime,” Mark Weatherford, chief strategy officer and board member of the non-profit National Cyber Security Center, told attendees at the third annual Hack the Capitol event. “It’s easy to pull off and it’s almost impossible to get caught.”

While major ransomware events grab all the headlines, Weatherford worries about the smaller victims of ransomware attackers. “Small- and medium-sized businesses simply don’t have the resources or the technical acumen to understand the threat environment that they live in,” he said.

Sometimes it can seem like a ransomware attack is inevitable. “A lot of my friends in companies that I talk to on a regular basis literally are waiting for that shoe to drop when they are the victim of a big ransomware event,” Weatherford said.

This article appeared in CSO Online, where the full article is available.

Photo by Michael Geiger on Unsplash

Election security status: Some progress on ballot integrity, but…

With the election less than two months away, government and election officials say voting itself is more secure, but Russian disinformation remains largely unaddressed.

The presidential election in 2016 was a wake-up call that the security of the country’s election infrastructure can never again be considered a sure thing. During the last presidential campaign, Russia hacked into the Democratic National Committee’s network and stole emails from Clinton campaign officials while also breaking into at least two county voting systems in Florida. Those digital security attacks took place alongside destructive disinformation campaigns that ran on vulnerable and unprepared social media networks.

At this year’s Billington Cybersecurity Summit, 55 days before the next presidential election, experts weighed in on the progress, or lack thereof, that the US has made in securing America’s elections since 2016.

Chris Krebs, head of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), told attendees that three-and-a-half years after he joined the agency it has “turned the corner in a really meaningful way” on cybersecurity. “We’re working in all 50 states on a regular basis to share information, to secure their systems, to ensure that they have all the resources they need to be prepared, whether it’s a COVID environment or non-COVID environment.”

Matthew Masterson, senior cybersecurity advisor at CISA, says his group is hard at work supporting the more than 8,800 officials who run the country’s elections. Many of the voting jurisdictions are small, but many election offices represent the largest IT operations in their counties in terms of total number of assets.

This article appeared in CSO Online, where the full article is available.

Photo by Kari Sullivan on Unsplash

TLS attacks and anti-censorship hacks

Despite safeguards in TLS 1.3, China is still censoring HTTPS communications, according to a new report. There are workarounds to this. Plus, how TLS can be used as an attack vector.

The Transport Layer Security (TLS) protocol emerged as a focal point of attention for the information security world during August as the Chinese government updated its censorship tool, the Great Firewall of China, to block HTTPS traffic with the latest TLS version. The topic got even more attention when security researchers offered workarounds to TLS-enabled censorship and demonstrated potential TLS-based attacks at DEF CON: Safe Mode.

TLS is a widely adopted protocol that enables privacy and data security for internet communications, mostly by encrypting communications between web applications and servers. TLS 1.3, the most recent version, was published in 2018. TLS is the foundation of the more familiar HTTPS technology and hides communications from uninvited third parties, even as it does not necessarily hide the identity of the users communicating.

TLS 1.3 introduced something called encrypted server name indication (ESNI), which makes it difficult for third parties, such as nation-states, to censor HTTPS communications. In early August, three organizations — iYouPort, the University of Maryland and the Great Firewall Report — issued a joint report about the apparent blocking of TLS connections with the ESNI extension in China.

This article appeared in CSO Online, where the full article is available.

Hybrid cloud complexity, rush to adopt pose security risks,…

Organizations rushing to adopt hosted cloud infrastructure alongside on-premises systems might not fully understand or address potential security threats.

As enterprises race to adopt cloud technology, they also encounter a combination of new possible threats from the rapid and frequently unorganized deployment of different cloud-based technologies. Particular concerns surround the adoption of so-called hybrid cloud technologies, Sean Metcalf, founder of the cloud security advisory company Trimarc, told the attendees of DEF CON Safe Mode last week.

The hybrid cloud is a blend of on-premises infrastructure combined with cloud-hosted infrastructure (infrastructure-as-a-service, or IaaS) and services (software-as-a-service, or SaaS). The IaaS providers are usually giants such as Amazon’s AWS, Microsoft’s Azure or Google’s Cloud Platform. Extending on-premises data centers into the cloud basically means the cloud is effectively operating as a virtualization host like VMware or Microsoft Hyper-V, Metcalf said.

Because of this effective virtualization, any attacks that are associated with those cloud data center elements are similar to how you would attack VMware and Hyper-V “but with the additional overhead of ‘well, it’s hosted by Microsoft or it’s hosted by Amazon, or it’s hosted Google,’” Metcalf tells CSO.

This article appeared in CSO Online, where the full article is available.

CISO Q&A: How AvidXchange manages COVID-related threats and risk

Like many CISOs, Christina Quaine’s team is supporting the payment processor’s work-at-home employees and managing internal pandemic-specific risks. It also helps its mid-market customers meet new security challenges.

CSO caught up with Christina Quaine, the CISO of AvidXchange, a North Carolina-based payments processor that focuses on mid-market companies. We talked to her about how this mid-sized company, with 1,400 or so employees, has dealt with the changes wrought by the COVID pandemic. Given the company’s role in financial transactions, we were particularly keen to hear how the rise in coronavirus fraud was affecting her job. Below is a transcript of our conversation, edited for length and clarity.

This article appeared in CSO Online, where the full article is available.

18 (new) ways attackers can compromise email

Researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders, making it even easier for criminals to fool users.

All organizations wrestle with chronic phishing attacks that are the primary vectors through which malicious actors breach systems and spread malware.

Most phishing attackers deliver their payloads on networks by crafting spoofed emails that look like they come from legitimate, authoritative senders. Those look-alike emails instead derive from domains deployed solely for malicious purposes. It’s virtually impossible for most email recipients to detect the differences between real and spoofed email accounts, making phishing an intractable and seemingly never-ending problem for users and organizations alike.

Now computer science researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders. Vern Paxson, Professor of Computer Science at UC Berkeley and Co-Founder and Chief Scientist at Corelight; Jianjun Chen, post-doctoral researcher at the International Computer Science Institute; and Jian Jiang, Senior Director of Engineering at F5 (Shape Security), presented the results of their research at Black Hat last week in a talk entitled “You Have No Idea Who Sent That Email: 18 Attacks on Email Sender Authentication.”

This article appeared in CSO Online, where the full article is available.

Mathematical Mesh alpha release promises better end-to-end encryption

Web pioneer proposes a new cryptographic system that relies on threshold key infrastructure to improve end-to-end encryption.

One of the main challenges posed by the internet has been the need to secure communications across a massive tangle of public and private networks. Security experts agree that end-to-end encryption is the best means of defending users against third-party interception or breaches that could expose potentially sensitive content.

End-to-end encryption, however, has been more of a dream than a reality, particularly given the rise of “walled gardens” led by internet giants such as Google, Facebook and Amazon. Each always maintains some form of access to their users’ communications.

A new approach to end-to-end encryption called Mathematical Mesh was quietly introduced at this year’s HOPE (Hackers On Planet Earth) conference by esteemed cryptographer Phillip Hallam-Baker, who is currently a principal scientist at Comodo and was formerly a member of the CERN team that designed the World Wide Web, among many other accomplishments.

This article appeared in CSO Online, where the full article is available.

Many Cyberspace Solarium Commission recommendations expected to become federal…

Dozens of cybersecurity measures designed to protect US businesses and infrastructure are part of the National Defense Authorization Act. Budget and political concerns might eliminate some.

Several cybersecurity proposals are advancing in both the US House and Senate that flow from the prolific work of the public-private brainstorming initiative called the Cyberspace Solarium Commission. The Commission was formed in 2019 to break through the seemingly intractable barriers blocking the path to devising and implementing practical solutions to the most challenging cybersecurity problems.

The vehicle through which the commission hopes to enact several dozen of its legislative recommendations (out of 75 recommendations included in its inaugural report this past spring) is the National Defense Authorization Act (NDAA), an annual “must-pass” federal law that sets the budget and expenditures for the US military. The commission’s executive director Mark Montgomery estimated earlier this month that each chamber’s bills would feature eight to 20 of the commission’s recommendations.

This article appeared in CSO Online, where the full article is available.

Twitter hack raises alarm among government officials, security experts

The recent account takeover attack underscores how Twitter and other social platforms have become a critical component of political systems worldwide.

A hack of Twitter last week shook the foundations of the internet, cybersecurity, and political worlds. A gang of young people purportedly obsessed with OGusers, early Twitter adopters with one or two characters in their handles, ostensibly targeted 130 high-profile accounts and reset passwords and sent messages from the accounts of 45 “celebrities.” The hacks appear financially motivated, with the attackers fleeing with $121,000 worth of bitcoin generated through the scam messages they sent from the accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk and other personages.

Coming as they did during a period of high paranoia just a few months before the 2020 presidential election, the hacks seem somehow intermixed with the ongoing fear of the kinds of nation-state digital attacks that took place during the 2016 elections. The takeover of what has become a vital political platform attracted the attention of lawmakers, including James Comer (R-KY), the ranking member of the House Committee on Oversight and Reform, who sent a letter to Twitter CEO Jack Dorsey demanding a briefing no later than July 24.

This article appeared in CSO Online, where the full article is available.