Articles


  • The Who and What of Email Security

    In the days of circuit-switched telephony, when Grandma dialed Grandpa, the phone company could easily determine that the caller’s identity was, in fact, Grandma. Such confidence melted away, however, with TCP/IP and the Internet. That is, when Kahn and Cerf decided to allow senders, instead of the network, to specify their identity, they created a flexible Internet protocol – but also one that required add-on overlays for authentication.

  • Chained Breach Simulation

    The first time I saw signatures used to detect attacks more than two decades ago, I knew that intrusion detection systems (IDS) would become a new protection category. It was thrilling to see a new security control come to life, and I give credit to the Air Force Information Warfare Center for leading the way on practical implementation. I became so enthused with IDS that I spent a year writing a textbook on the topic.

  • Tough Love for Israeli Cyber Start-Ups

    There’s an awesome scene in an old Michael J. Fox movie where he’s asked if he’s ever been to Italy. His clever response is this: “Wear the shoes, eat the food, never been.” Such dialogue illustrates what can happen when a country like Italy becomes a stereotypical caricature of its better-known products. Just add olive oil to the shoes and pasta, and for many observers – this is the sum of the entire Italian economy.

  • How China Will Achieve Global Cyber Superiority by 2025

    Daran habe ich gar nicht gedacht. (I did not even think about that). This was Einstein’s reaction when Leó Szilárd explained that a chain reaction in uranium could be used to produce a bomb. A letter was quickly dashed to FDR – and just six years later, the United States would detonate two nuclear weapons over the Japanese cities of Hiroshima and Nagasaki. Had the President been too busy to heed this warning, German physicists might have altered the course of history.

  • Cracking Open Soft Cell

    For banks, it’s accounts. For factories, it’s assembly. For retail, it’s inventory. And for telecoms, it’s call detail. In each case, some critical asset must be protected from hackers at all costs. Banks cannot allow accounts to be deleted, retail firms cannot allow inventory to be corrupted, and telecom firms absolutely, positively cannot allow call detail records to be compromised. Period. This just cannot happen.

  • Addressing Magecart

    The notorious hacking group Magecart surfaced back in 2018, terrorizing websites with an attack known as card skimming. Normally, hacking groups tend to come and go quickly, but Magecart hit a serious nerve with their targeted breaches of enterprise websites and web applications. Wide ranges of companies saw their sites formjacked, and solutions were not immediately evident to most victims. So, I’ve been intrigued by Magecart for some time.

  • An Intelligent Approach to Resolving IT Support Issues

    There’s been a lot of buzz in the HMG member-CIO community around an emerging company called Moveworks that’s tackling an age-old problem in IT: resolving employee support issues. In fact, many of these members happen to be Moveworks customers, and they are bragging about the company’s ability to solve their support tickets autonomously.

  • A Process for Testing Email Security

    Mimecast’s recent Email Security Risk Assessment (ESRA) is a great read on the topic of threats to email (not to mention a nice infographic suitable for printing and framing). Let me provide here a brief summary of how the Mimecast team executes ESRA tests, which it has been doing for the past couple of years. Their fine process illustrates how source selection or review might be performed for any number of email security offerings.

  • Book Review: Malware Data Science by Joshua Saxe with Hillary Sanders

    One perk of teaching is the free books. Lots of them. They usually come with a lovely letter suggesting that the new edition of The Grand Handbook of Cyber Security – and they all sound like that – would be just perfect for your graduate or undergraduate students. I usually hand these freebies, unopened, to the nearest student I can find. I’m not saying the books are always terrible, but I prefer to select books on my own, thank you.

  • Risk-Based Vulnerability Lifecycle - Prediction and Validation

    When an enterprise examines its cyber risk, an attack surface emerges. This is the set of entry points where vulnerabilities can be exploited by malicious actors. Viewing cyber risk in this way results in the strategic objective to reduce that attack surface, generally through discovery of vulnerabilities, combined with purposeful action designed to reduce the risk of exploits to such weak points. Prediction and validation are key activities in this regard.

  • Cyber Purple Teaming

    As someone whose eyes cannot distinguish properly between colors, I always shudder at the thought of mixing up red and blue teams during a cyber exercise. And now, with the advent of purple teaming in the enterprise, I surrender all hope that my cones can keep up. That said, I heartily endorse this new purple strategy of evaluating cyber control effectiveness to detect intrusions, bot activity, malware actions, lateral movement, and data exfiltration.

  • Crowdsourced Security Testing

    Identifying exploitable vulnerabilities in enterprise environments is a difficult pursuit – one that CISOs and their security teams spend considerable time and effort trying to accomplish. An important resource that can be unleashed to drive progress in this area is the collective power of vetted and skilled security experts – sometimes referred to as ethical hackers or white hats – to identify problems before a malicious adversary can do so.

  • Roadmap to Zero Trust

    The first portable traffic monitors were introduced in 1936. Referred to as electronic eyes, these weatherproof road strips were laid across the pavement and connected to a battery-operated recorder. When your Hudson or Packard passed over the strip, the recorder would increment the car count by one. It also printed the results, along with the time, onto a roll of paper that lasted for about 24 days. The clock required winding every eight days. So cool.

  • AI-Based Identity Analytics

    In the late 1970s, there was no better computing lab than at Xerox. Yes, dear Millennials, I do mean that Xerox. Sadly, despite a great flagship product, a company name that became a verb, and stupendous research (they invented the mouse), Xerox gradually slid from #39 to #291 on the Fortune 500 list between 1978 and 2018. (By the way, it’s interesting that Google is also a single-product company with great research and a verbed name.)