Inside Out Security

With one sensational data breach headline after another, we decided to take on the details behind the story because a concentrated focus on the headline tends to reveal only a partial dimension of the truth. For instance, when a bank’s sensitive data is compromised, it depends on how as well as the what. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd party vendors upload spreadsheets.” We’re also living in a very different time when everything we do in our personal lives can potentially end up on the internet. However, thanks to the EU’s “right to be forgotten” law, the public made 2.4 million Google takedown requests. Striking the perfect balance will be difficult. How will the world choose between an organization’s goals (to provide access to the world’s information) versus an individual’s right to be forgotten? And when organizations want to confidently make business decisions based on data-driven metrics, trusting data is critical to making the right decision. Our discussion also reminded me what our favorite statistician Kaiser Fung said in a recent interview, “Investigate the process behind a numerical finding.”

Today even if we create a very useful language, IoT device, or software, at some point, we have to go back to fix the security or send out PSAs. Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows update, just don’t. We also delivered a few PSAs of our own: cybercriminals viewour linkedin profiles to deliver more targeted phish emails, whether we’d prefer to deal with ransomware or cryptomalware, and the six laws of technology everyone should know.

IT pros could use a little break from security alerts. They get a lot of alerts. All. The. Time. While alerts are important, a barrage of them can potentially be a liability. It can cause miscommunication, creating over reactivity. Conversely, alerts can turn into white noise, resulting in apathy. Hence the adage: if everything is important, nothing is. Instead, should we be proactive about our security risks rather than reactive?

Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. Well, when bold allegations that IT is the most problematic department in an organization can be, ahem, controversial. But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but also have had unforeseen side effects.

It’s our first show of 2018 and we kicked off the show with predictions that could potentially drive headline news. By doing so, we’re figuring out different ways to prepare and prevent future cybersecurity attacks.

The emergence of Chief Data Officers(CDO) demonstrates the growing recognition of information as an asset. In fact, Gartner says that 90% of large organizations will have a CDO by 2019. To understand the CDO role more deeply, I turned to Richard Wendell. I met Mr. Wendell last year at the Chief Data Officer Summit and […]

Self-quantified trackers made possible what was once nearly unthinkable: for individuals to gather data on one’s activity level in order to manage and improve one’s performance. Some have remarked that self-quantified devices can hinge on the edge of over management. As we wait for more research reports on the right dose of self-management, we’ll have to define for ourselves what the right amount of self-quantifying is. Meanwhile, it seems that businesses are also struggling with a similar dilemma: measuring the right amount of risk and harm as it relates to security and privacy. Acting FTC Chairman Maureen Ohlhausen said at a recent privacy and security workshop, “In making policy determinations, injury matters. ... If we want to manage privacy and data security injuries, we need to be able to measure them."

The end of the year is approaching and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses - remote controls, service workers, and personal cars. Meanwhile, as the business world phase out old technologies, some are embracing the use of new ones. For instance, many organizations today use chatbots. Yes, they’ll help improve customer service. But some are worried that when financial institutions embrace chatbots to facilitate payments, cyber criminals will see it as an opportunity to impersonate users and take over their accounts.

Recently the Food and Drug Administration approved the first digital pill. This means that medicine embedded with a sensor can tell health care providers – doctors and individuals the patient approves – if the patient takes their medication. The promise of this new approval are enormous. It will ensure a better health outcome for the patient, giving caretakers have more time with the ones they love. What’s more, by learning more about how a drug interacts with a human system, researchers might find a way to prevent illnesses that was once believed impossible to cure. However, as security pros there are some in the industry that believe that the potential for abuse might overshadow the promise of what could be.

Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question! I found a possible answer to that question at New York Times director of infosecurity, Runa Sandvik’s recent keynote at the O’Reilly Security Conference. She told the attendees that many moons ago, Yahoo had three types of infosecurity departments: core, dedicated and local. Who knew that once upon a time dedicated and local security teams existed?! It would make natural sense that they would be the ones to assist end users on security questions, why don’t we bring them back? The short answer: it’s not so simple.

Long before data breaches became mainstream, Rita Gurevich CEO of SPHERE Technology Solutions, built a thriving business on the premise of assisting organizations secure their most sensitive data from within, And because of her multi-faceted experiences interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.

Critical systems once operated by humans are now becoming more dependent on code and developers. There are many benefits to machines and automation such as increased productivity, quality and predictability. But when websites crash, 911 systems go down or when radiation-therapy machines kill patients because of a software error, it’s vital that we rethink our relationship with code and as well as the ethical and moral obligations of machines and humans.

Outlined in the National Cyber Security Centre’s “Cyber crime: understanding the online business model,” the structure of a cybercrime organization is in many ways a lot like a regular tech startup. There’s a CEO, developer, and if there are enough funds, an IT department.

By now, we’re all aware that many of the platforms and services we use collect and store information about our data usage. Afterall, they want to provide us with the most personalized experience. So when I read that an EU Tinder user requested information about her data and was sent 800 pages, I was very intrigued with the comment from Luke Stark, a digital technology sociologist at Dartmouth University, “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.” He is on to something. We don’t usually consider archiving stale data until we’re out of space. It is often through printing photos, docs, spreadsheets, and pdfs that we would feel the weight and space consuming nature of the data we own.

While some regard Infosec as compliance rather than security, veteran pentesters Sanjiv Kawa and Tom Porter believe otherwise. They have deep expertise working with large enterprise networks, exploit development, defensive analytics and I was lucky enough to speak with them about the fascinating world of pentesting.