Cybersecurity is no longer a matter of protecting against mere nuisance. Over the past 15 years, the digital threats to our physical lives have become graver, and the perpetrators of them more capable than most people realize. As the financial rewards for breaching institutions grew, amateur hackers gave way to professionalized cyberterrorists. Nation-states are putting young people through school and then aiming them at other countries. And as we saw with the Sony Pictures hack of 2014, nation-states are even directing attacks against specific companies. It’s these major companies, in fact, that are the most attractive targets. Unfortunately, enterprises today are dangerously ill-equipped to mitigate their risk of a breach.
Many state and local agencies have security solutions in place, yet attacks continue. Others have the most basic of protections in place but realize that more is needed as the threat landscape continues to grow and change. But why is a robust cybersecurity solution so hard to find? The use of the domain name system, a core internet protocol, is a common element exploited in many attacks. Any time an internet user types in a web address like www.example.com, the request is resolved by the recursive DNS infrastructure to recognize the IP address of the physical web server that hosts example.com. A kind of phone book for the internet, DNS translates easy-to-remember resource names into the IP addresses of the server where that resource is located.
In the ultra-competitive information security market, vendors are known to sprinkle hyperbole among their claims and sling some mud. But the strategy has backfired for Denver-based DirectDefense, which mistakenly cast endpoint protection vendor Carbon Black as a contributor to a "data exfiltration botnet." The result has been a widespread backlash against DirectDefense.
The blog post has been quickly picked apart by security experts for its inaccuracy and tone. The tangle kicked off with a blog post published Wednesday by DirectDefense CEO Jim Broome. DirectDefense analysts found terabytes of data containing sensitive information that leaked because of how Carbon Black's endpoint protection platform, called Cb Response, is architected, he contended.
While online thieves have long targeted banks for digital holdups, today's just-in-time manufacturing sector is climbing toward the top of hackers' hit lists. Production lines that integrate computer-imaging, barcode scanners and measuring tolerances to a hair's width at multiple points are more vulnerable to malevolent outsiders. "These people who try to hack into your network know you have a set schedule. And they know hours are meaningful to what you're doing," Peterson said in an interview. "There's only a day and a half of inventory in the entire supply chain. And so if we don't make our product in time, that means Toyota doesn't make their product in time, which means they don't have a car to sell on the lot that next day. It's that tight."
It's a common question here in the land o' Android — and unfortunately, it's become a tough one to answer. After years of missed deadlines and broken promises, most Android manufacturers have just stopped making specific commitments altogether. (Hey, that's one way to handle it, right?) And most of 'em, as I've learned from closely tracking upgrade delivery performance since Android's earliest days, do a pretty shoddy job at getting new software into users' hands. So what can you expect when Android O rolls out into the world? The truth, by and large, is that no one can say for sure. What we can do, however, is look to the various device-makers' recent performance with Android upgrades as a general guide to what sorts of timelines seem likely.
Much has already been written and much will be written about James Damore and his “The Google Manifesto.” (I’ve also written about how organizations can mitigate and detect bias.) As for Damore, his screed is the kind of recycled garbage that has already been studied and refuted. It flies in the face of history and ignores the data right in front of Damore’s face. For writing this dammed illogical dribble, no developer has ever been more rightly fired. Beyond the moral confusion Damore shows, he also doesn’t seem to actually understand engineering, as former Googler Yonatan Zunger wrote in a brilliant response to Damore’s manifesto. Zunger is right: Damore isn’t a good engineer or software developer. Software development is more than knowing what APIs to call or basic syntax.
“Periodic ego searches demonstrate to them that they are a target,” says Jason Taule, CSO at FEI Systems, a provider of health-related technology. Once they’ve done this they can see how a hacker could easily find out all kinds of information about the executive, and launch an attack by leveraging that knowledge. Another way to demonstrate to executives how much of a target they are is to have them look in their email spam filters to see how many phishing emails have been sent to them, Taule says. Fortunately, these emails didn’t reach the inbox and trigger an attack, but the sheer volume of these attempts should get the point across. The best and most effective way to make the case for security is to put on a challenge, Siciliano says. “Most people, especially Americans, think ‘it can't happen to me’, which is a societal norm based on myths that these things only happen to other people in other places,” he says.
Eye scanning isn't brand new in banking: Wells Fargo has been testing it in commercial banking with EyeVerify, which is now owned by Ant Financial, for more than a year. But where EyeVerify analyzes each person's unique pattern of eye veins to verify their identity, the Samsung technology measures the customer's iris, which requires an infrared camera. Samsung is the only phone manufacturer that embeds this type of camera in some of its phones. The British bank TSB recently announced plans to roll out iris scanning technology for its mobile banking app in September, also with Samsung. But few, if any, U.S. banks have tried this. So, getting a large bank like Bank of America to sign up for this is a coup for Samsung. Samsung’s first foray into iris scanning was unfortunately with the Galaxy Note 7.
Covering terrorism liability exposures under a stand-alone policy can provide separate, added protection to policyholders that have a large self-insured retention or deductible on their general liability program, he said. “Or you treat it like a catastrophe risk and you want to protect your general liability program from a shock loss, like some people silo off excess flood or have a separate placement for California earthquake or Florida wind. Those are the things from a risk management point of view that one has to consider,” Mr. Leverick said. Third-party terrorism liability coverage programs are purchased through the stand-alone terrorism insurance markets mainly in New York and London, said Tarique Nageer, terrorism placement and advisory practice leader for Marsh USA Inc., in New York.
Machine learning is increasingly being introduced to help enterprise defenders fight attackers who are after information or money. E-commerce fraudsters fall into the latter category. “Fraudsters are highly motivated to outsmart our system. To beat them with artificial intelligence, we have some big challenges,” Lin told Help Net Security. “Currently, we have access to lots of information about suspect fraudsters, including their purchase activities, online browsing activities, social networks, and even street pictures of their neighborhood and fake identification they submit to get their orders approved. The real challenge is how we can make sense of this unstructured data and then make good approve/decline decisions for thousands of merchants in real-time.” That’s because humans are good at handling unstructured information, but today’s machine learning technology is optimized to deal with mostly structured data.
Quote for the day:
"In between goals is a thing called life, that has to be lived and enjoyed." -- Joubert Botha