cybersecurity

now browsing by tag

 
 

Four #cybersecurity #tips for #travelers

Do you sacrifice convenience for security when you’re traveling on vacation or on business? A University of Phoenix survey says very few people take precautions to safeguard their data while traveling.

“You need to practice the same cybersecurity precautions that you take at home or at work when you are on business trips or vacations,” says Dennis Bonilla, executive dean at the College of Information Systems and Technology School of Business, University of Phoenix. “That’s when you are less secure because you are accessing networks that are not as protected and have a lot of public access. That’s where the hackers are lurking to figure out how to get your information.”

Bonilla shares four ways to protect yourself when traveling on business or vacation:

Avoid public Wi-Fi

Using public Wi-Fi at the airport or local coffee shop is certainly convenient. However, Bonilla says many of those networks aren’t encrypted. That means the data you are transmitting can be easily accessed. Hackers now have sophisticated tools that can intercept the data you are transmitting. Not only can they log keystrokes; they can also download your data onto their own device.

Don’t access Bluetooth

Do you enjoy listening to music on your Bluetooth device? Bonilla says the same way you access Bluetooth to get music from your device to your headphones, hackers can use the same technology to steal data from you. In late 2017, security company Armis published details of a new Bluetooth vulnerability in which hackers can take complete control of targeted devices in only 10 seconds. Bonilla’s advice is to always keep your Bluetooth capability off when traveling.

Stop using your personal device for business purposes

A University of Phoenix survey found a majority of travelers mistakenly believe their devices are just as safe on vacation as at home. Bonilla says you should never let your guard down. Using your personal device for business purposes not only puts your information at risk but also your employer’s. Imagine the amount of information that could get into the wrong hands! There may be financial data, intellectual property or other sensitive information you don’t want the general public to see. He says it’s important to avoid using common passwords for both devices.

Stay away from a hotel’s shared office space

Thinking about stopping by the hotel’s business center to print out your airline boarding pass? Bonilla says those computers are extremely vulnerable to cyber criminals, especially if you use them to check your personal or work emails. He says a lot of hotels don’t have any protection or encryption on their computers, putting your information at risk.

Bonilla says criminals are always a couple of steps ahead of the average person. No longer do hackers need a deep amount of knowledge to carry out their crimes. All they need is a laptop and an internet connection. He says it’s important for the average person to be educated on the ways hackers can target their information.

“Don’t be lazy,” says Bonilla. “Cyber-attacks are at an all-time high. We are more connected than ever. You’ve got to take precautions. Take the simple steps of updating the software on your phone, disabling Bluetooth, GPS, and Wi-Fi – stay off those network spaces. That’s where they are waiting to attack.”

advertisement:

The post Four #cybersecurity #tips for #travelers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Diversifying #IT #investment: It’s not #just #cyber-security

It is important that the company continues to look at all areas of the business in order to build a robust IT infrastructure.

Investing in a company’s IT systems is now a regular part of planning. However, it is easy for the team to focus on only a few areas of the business instead of taking a holistic approach. An overemphasis on data protection, for example, can overshadow other areas of the business; this has been seen most recently with Deloitte’s decision to increase its cyber-security investment to $600 million. In order to avoid this scenario, it is important that the company continues to look at all areas of the business in order to build a robust IT infrastructure.

When it comes to improving IT, many businesses are put off by the challenge of migrating legacy systems and platforms. It is a time-consuming process, especially if the business has expanded through M&A activity or partnerships. In most cases, data will be stored on different systems and in different formats, so a consolidation exercise is quite significant and will inevitably require a sizeable investment.

advertisement:

This issue can often go ignored as staff grow used to working with disparate data sets and systems. However, the impact on productivity and output is severely hampered as employees navigate through multiple programs to find client information or historical data. It is also likely that mistakes can be made when the data does not exist on a single accessible platform. Through well-thought migration and consolidation, processes will be streamlined, and the business can focus on delivering results rather than searching for and manipulating information.

Bringing on help

To achieve the best possible results, IT investment often needs to go beyond in-house systems and tools. As competition increases, businesses need to improve both their output and processes; this is where investment in outsourcing providers can prove invaluable. This solution is often overlooked, however, largely due to how outsourcing is historically viewed by IT and the business as a whole.

It is important for these groups to remember that outsourcing does not mean removing the internal team and replacing them with a third party – that is an option but is by no means the only choice available. More often than not, outsourcing is used to provide enhanced support on projects and services, alleviate the burden of certain processes or simply get advice on current business practices. If outsourced effectively, the IT team will have more time to develop and improve processes and applications for the business, while the third party can deal with the other day-to-day Business as usual (BAU)tasks.

Planning for the worst

IT investment typically aims to improve current technology or streamline certain processes, but there can be a huge gap when it comes to planning. Businesses are so familiar with using technology they often forget to strategically plan how to mitigate risks and unforeseen issues that can occur when things go wrong – be it a sudden office closure, a system failure, a catastrophic security incident or transport strikes. At a simple level, when the company is hit by an unexpected event, staff can often scramble to continue their working day. Without a clear strategy in place, the business risks losing vast sums of money due to the inability for staff to work effectively and efficiently. This doesn’t even take into account areas, such as reputational damage and regulatory penalties the company may face.

 

IT has a vital role to play in providing a comprehensive, structured and strategic business continuity plan that is able to respond to any challenges that can impact company operations. A key barrier to making improvements in this area is due to how the company views its IT priorities. Regulation, data protection and the general running of the hardware can seem like the most important parts of the business. However, if the day-to-day is not accounted for, these large-scale IT challenges will not matter – the business will simply suffer from lack of planning.

Here’s What’s at Stake for Companies That Don’t Comply With GDPR

IT investment is a vital part of how a company operates. However, it cannot be focused on a single area or aspect of the business. Simply investing in cyber security alone will not improve internal processes or streamline activity. As such, there needs to be a balanced approach to this activity, one that takes into account all aspects of the business in order to build a comprehensive and fully functioning IT operation.

The post Diversifying #IT #investment: It’s not #just #cyber-security appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Cybersecurity #experts #agree — expect more #ransomware this #year

Ransomware is one of the easiest cyberattacks to detect because it comes with an actual ransom note. However, 2017 gave way to new propagation mechanisms, which automated worming and increased infection rates.

Employee-facing services and technologies are a top concern to cybersecurity professionals. About 40% of employees use personal devices to send work emails and share or access company data without the IT department’s oversight.

The bring your own device policy is challenging for IT departments to combat. Ultimately, the policy leads to unintended shadow IT, which is often the Achilles heel of solid security practices.

Negligent employee actions can cost a company about $280,000 per incident. If the cost were not enough, companies need to come to terms with the fact that 64% of security breaches are caused by ignorant employee actions.

To help companies better track the most high-risk employees​, in terms of their cybersecurity incompetencies, vendors like Microsoft are including simulated ransomware or phishing attacks in their services.

Hackers will always take advantage of human error and poor judgment, so it’s up to security teams to educate line of business employees.

advertisement:

The post Cybersecurity #experts #agree — expect more #ransomware this #year appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Top #global #cybersecurity #challenges and #how to #overcome #them

Imagine the havoc wreaked on your company’s servers if they were infected by a distributed denial of service (DDoS) bot that is bundled with a ransomware payload, or the damage to your brand if a phishing attack targeting your users and customers resulted in the theft of personal information.

Whatever the kind of cyberattack, there can be serious consequences for the company. It could be forced to pay big money to rescue its systems from the clutches of cybercriminals, lose the trust and confidence of customers and users, and even be liable to pay fines and penalties for failing to comply with data privacy laws such as the EU’s Global Data Protection Regulation (GDPR).

As the size and type of cyberattacks continue to exand, many organizations struggle to focus their efforts on what matters most to their unique business. Here are some of today’s top global cybersecurity challenges and how companies can overcome them to strengthen their cyber defense:

Managing both content security and performance

Customer data is one of your company’s most important assets and is a significant investment for your business. When there’s a breach, you’ll lose customer trust because they’ll start to worry about other vulnerabilities in your network.

To protect against such an attack, companies must ensure their security solutions and software are always up to date. However, with so many types of new attacks cropping up every day, it’s best to use a comprehensive, cloud-based suite vs. a one-off solution. Doing so will help protect your business against new and emerging threats and allow you to employ preventive mitigation measures without adding latency to the delivery experience.

Safeguarding against DDoS attacks

A DDoS attack is one where a network of zombie computers sabotage a specific website or server by fictitiously boosting the volume of traffic causing it to shut down. Such attacks cause businesses to lose millions in revenues.

Another reason for DDoS to be a growing concern is the frequency and sophistication of attacks along with their duration and size, which has increased over the past few years.

To protect yourself against the financial and reputational damages caused by such an attack, you could use a product that can proactively intercept and mitigate a DDoS attack.

This provides much faster scrubbing performance since traffic isn’t moved off your Content Delivery Network (CDN), the network of proxy servers and data centers that distributes your data, for cleaning.

Limelight Network’s solution is effective because when it detects an attack, it passes the traffic to one of several globally distributed scrubbing centers to filter it before passing it back to your origin.

Protecting web applications

As a business, the idea behind launching a web application is usually to improve the customer experience. However, unless you protect your web applications appropriately, they’ll just expose you and your customer to unwarranted cyberthreats.

According to Limelight Networks, retail and financial sectors in Southeast Asia suffered the most from web app attacks. Over the past year alone, there has been a significant increase in attack incidents, with websites containing consumer data being the target of 60 percent of attacks.

To combat such threats effectively, business leaders are now turning to cloud-based security solutions instead of on-premise equipment.

Using a Web Application Firewall (WAF) to secure your web-apps as it inserts its nodes between origin servers and the CDN does the heavy work of content caching, web acceleration, and delivery of static content.

Web app attacks are dynamic, so if your WAF only accepts traffic from your CDN, it can minimize the performance impact of WAF protection and lock down IP traffic.

When a new vulnerability is identified, a new security rule should be created and pushed to all WAF nodes. Doing so makes the solution so secure that it can even close “zero-day” attacks prior to app vendor patches being deployed.

You should also make sure your chosen security solution offers protection against malicious bots. They’re the ones that crawl the internet looking for vulnerabilities for cyberattacks.

Staying ahead of the curve

If you’re a business that aims to empower customers through your digital presence, you’ll need to implement (and update) cybersecurity measures at your organization immediately.

Failing to do so puts a lot at risk on your business – including your reputation and the future prospects of your company.

Implementing a cybersecurity solution created and backed by a company such as Limelight Networks, for example, helps you secure your business on all fronts.

The company’s DDoS Attack Interceptor combines a global CDN with in-network detection and attack mitigation to facilitate situation-aware detection and mitigation via on network scrubbing centers.

Its CDN protection offers several features such as geo-fencing, IP whitelisting and blacklisting, which help you fend off even the most seasoned cybercriminals. The same is also true for its DDoS protection and WAF solution, both of which give you the best-in-class cyber protection.

The company’s scalable cloud-based architecture also allows you to reduce the total cost of protection by leveraging its massive global private infrastructure.

Limelight Networks also boasts world-class features such as a dedicated global network, proactive, intelligent threat detection using behavior-based analysis, and cloud-based scrubbing of traffic – which reassures even the most concerned consumer. Act now, because hackers won’t spare your systems while you’re still wondering what to do next.

advertisement:

The post Top #global #cybersecurity #challenges and #how to #overcome #them appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Why #trust is the #essential #currency of #cybersecurity

Cisco trust strategy officer Anthony Grieco spoke with TechRepublic’s Dan Patterson about how organizations can improve security by building trust.

Watch the video or read their conversation:

Patterson: Humans remain the intractable cybersecurity problem. They also represent a cybersecurity potential solution … I wonder if we could start with that premise, that trust is, and that humans are the challenge for cybersecurity and trust is one way to solve that problem.

Patterson: When a company, when an enterprise company engages with partners and other enterprise companies or even other SMB’s and start ups, cybersecurity can emerge as a big, big threat to intellectual property, to potential hacking and upstream challenges. How do you encourage organizations, or how can we build trust amongst partners and encourage communication and collaboration in ways that would tamp down on hacking and other cyber problems?

Grieco: Yeah, Dan it’s good to be back with you again. You know it’s a really critical set of conversations that we need to be having as an industry. This notion of the role that humans play and how companies need to be thinking about cybersecurity and the role that trust plays around their business is really critical. We see so many of those companies that have traditionally not been digital companies, are now becoming and using digital technologies in ways that are transforming their businesses.

Humans are a critical component to that. I spoke to a bank the other day and it’s a major bank, and they describe themselves in a few years they were going to be just a technology company with a bank logo on the outside of their building. So, this use of technology and digitalization is really transforming the business landscape and the use of and the building on the notion of trust that has been built in many of those brands for years, is a really critical component to where businesses need to go.

So we think about that and we think about the role that trust plays and we think about how digital businesses and those legacy businesses that are transforming, need to explicitly think about how security, data protection and privacy really play a foundational role in continuing to build that trust that businesses have built over the years.

Patterson: Trust is really a currency and it can accrue over time. Especially as businesses are undergoing what you describe which is digital transformation. So many companies now think of themselves as that, the bank that you described, a technology firm that happens to do their industry vertical.

What are some of the risks of trust building or after you’ve built trust, of eroding some of the trust equity that’s been built?

Grieco: Yeah, the currency analogy and the currency of trust is, I think is a really important thing for businesses to think about. Trust is liquid, it can come and go. It can be destroyed, it can be created in the context of your customers and how it is you’re thinking about these discussions. Ultimately trust must be backed by something as well. This is really foundationally what we see our customers really beginning to grapple with.

For many years in this notion of businesses have treated the digital technologies as implicitly trusted, and today more and more we see this notion of explicit trust. What we see, many times, and you talk about what the risks are around trust and the digital transformations, we see trust being destroyed when there’s not the clear notion of being transparent with the customers about expectations.

Ultimately we think this notion of explicitly giving customers artifacts and evidence and reasons why they should be trusted as a third party, as a provider, as a partner, really becomes foundational to the notion of building trust, continuing to build that currency.

Ultimately fulfilling the expectations of your customers. You know, when we think about that for us, we think about it quite a bit in making sure that we’re transparent with our customers about how we do security in our development processes. How we’ve built a culture around security data protection and privacy as it relates to the overall discussions with our company.

Ultimately we really tell our customers and encourage our customers to understand the behaviors and expectations of us as a business and look to provide evidence to build that trust. Without those things, we see customers beginning to worry. So the risks, from a business perspective are really transparent today. Today, there’s friction in this market space.

Customers are worried about this conversation, they’re worried about security, they’re worried about data protection, they’re worried about privacy. Being proactive, from a business perspective and being transparent about how you’ve built trust into what you’re producing and delivering from a digital perspective can give you an advantage from a business. Both to differentiate yourself and to remove that friction that’s existing in the market space today.

Obviously if you fail in these fundamental areas you risk destroying the trust that you’ve built. The destruction of that trust is not necessarily just tied to the digital world. It can be tied to that legacy of trust that you’ve built across your business for many years.

Patterson: I love the idea of exchanging of artifacts or doing the things that we do just as humans that accrue trust over time, but when enterprise companies have a real concern over exchanging of intellectual property or sharing protocols and procedures that may be inappropriate to share outside of the company, how do you exchange or in what ways have you seen a good examples of companies exchanging trust artifacts or behaving in a way that will accrue trust that other companies could learn from? Even if they have these types of sensitive protocols or data.

Grieco: Yeah I think there’s a tiered approach that we’ve taken and we’ve seen many take in the context of this conversation. First we think it’s really important to be broadly public about the overall approach to how your building explicit trust. For us, that’s talking about our secure development life cycle, or vulnerability disclosure policy.

All of those things are really broad and public facing and frankly meant to be consumed by all of our customers to help them understand the breath and depth of the things that we’re doing as a company. There’s next layers of things, more advanced customers may ask us more advanced questions and indeed, non-disclosure agreements and limited environments in which you display that information can be techniques that are used in many cases to help do these things.

In many cases we share for instance, testing results with our products, of how we’ve security tested our products. In limited environments with customers to help them build confidence in what it is we’re doing as a company to implement those practices that we’ve talked about in our secure development life cycle and many others.

In some limited instances it may even make sense to go even deeper, into a deeper relationship, a deeper partnership with those customers that are really looking at you as a critical provider of technology and capability to them, in order to get into really deep conversations about design and architecture and many of those sorts of things.

We look at it from a risk perspective every time we do this. We look at risk as it relates to ourselves, we look at risk as it relates to all of our customers. So when we think about those trade-offs that we make in the context of exposing that information, it is really critical that we understand not only the risk to us as a company but the risks and the secondary risks to everyone of our customers when we take on these activities.

I will say though, the trend in this conversation is one that is more towards public disclosure. More towards openness and more towards transparency in all aspects of these businesses because there’s such a hunger from the marketplace to really understand what’s going on in this space.

SEE: Hiring kit: IT audit director (Tech Pro Research)

Patterson: I’d love to go back to what you mentioned a moment ago, as well as that hunger for transparency. So when we see a consumer facing data leaks, like what happened with Facebook and Cambridge Analytica, there is this changing of, going from implicitly trusting everything to maybe I should pull back a little bit. Although that’s in the consumer space, have you seen a similar reaction in the enterprise or the B2B data space in terms of how customers think about data, data availability and changing the default motion of implicit trust true to, or implicit trust to trust building or actions that accrue trust equity over time?

Grieco: 100%. It’s begun well before any of the events that you described and it’s been led up to by high profile breeches that have been well documented that have really created the awareness to what businesses in particular need to be thinking about and beginning to explore when it comes to risks that they’re taking around trusting implicitly in the ICT space and the connected technology space.

So the trends and the sets of questions that we get from customers is really only accelerating when it comes to complexity and depth that we’re being interrogated at as a critical provider of technologies to customers.

Indeed, I think the awareness that is being raised by all of the high profile breeches and the behavior change that we see from our customers reflects the importance and awareness that we now see in the context of this discussion.

For so many years we’ve really though about cybersecurity as an awareness problem, I would tell you that I think this conversation that we’re having around trust and explicitly being trusted as an artifact of the fact that we’re no longer in the need to raise awareness to cybersecurity.

The awareness is there, the need and understanding from a customer, it can, increasingly from consumers but especially from businesses and enterprises, they all understand what they’re, what they need to be, … they all understand they need to be thinking about it.

What we see them struggling with the most today is how to effectively and efficiently address those concerns. That’s again, where the notion of being proactive in the context of explicit trust is important. Putting those pieces of artifacts of data that really give the evidence to build those confidence and capabilities with those entities.

Whether it’s about data as you mention, how it’s protected, how it’s gathered, how it’s used, all of those sorts of really critical fundamental ideas around data, and more importantly and increasingly the resilience of the capabilities that are there. Are they going to be when they’re under attack? Are they going to be there when you need them to be?

Those two key topics are ones that we find really actively being engaged by our customers and I do believe it is an outcropping and an outcome of many, many of the recent high profile breeches that we’ve seen. Not just in the past six months, but frankly building over the past five years.

advertisement:

The post Why #trust is the #essential #currency of #cybersecurity appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

We’re all a #bit of #Trump when it #comes to #cybersecurity

President Trump reportedly sees security procedures as too inconvenient. Unfortunately, he’s not alone.

Let’s face it folks: Security can be “too inconvenient” and when your boss doesn’t want to adhere to your security policy it’s going to be difficult to enforce. Just ask President Trump.

Politico reported that Trump could be the biggest cybersecurity risk to the U.S. government. Why? We all know he likes to Tweet. And he’s not too enthusiastic about staffers who want to put better security around his phone use.

Trump reportedly noted that security procedures are “too inconvenient.”

We’ll stop there with the Trump talk because there are bigger lessons to be learned here: Humans are the weakest security link and there’s a trade-off between usability and thwarting threats. In an ideal world, even bosses would listen to the security pros, but the reality is a bit different.

Do you honestly think Trump is the only CEO who rebuffs his cybersecurity team?

The average enterprise has multiple employees going rogue when it comes to security. Toss in mobile devices and social media accounts and you have the fodder for cybersecurity headaches. Trump just illustrates the point. And when the boss isn’t following procedure the whole food chain ignores security.

To anyone following enterprise security this realization isn’t a newsflash. Social engineering aimed at humans–always good for a cybersecurity incident–have led to a rise in ransomware, according to Verizon.

Meanwhile, securing mobile devices is an increasingly huge headache. Insider errors were at the heart of 17 percent of data breaches, according to Verizon.

Now you can argue that Trump should be following protocol given all the state actors that would find him a compelling target. But the reality is that all of us have a bit of Trump in us when it comes to cybersecurity. In the Trump example the stakes are simply higher.

advertisement:

The post We’re all a #bit of #Trump when it #comes to #cybersecurity appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

How #Design #Thinking Can #Change #Cybersecurity

Design thinking has emerged as a new area in cybersecurity. Chief information security officers (CISOs), in particular, need to know how to apply design thinking to deliver more user-focused security solutions in their organization.

What Is ‘Design Thinking’ Anyway?

While design thinking can produce creative solutions, it is not primarily about being creative in an artistic sense. It’s not about making great visuals for a product’s graphical user interface (GUI). It’s not even about unlocking creativity to come up with a totally out-of-this-world solution.

Instead, at its heart, design thinking means one thing — breaking down a designer’s approach to building a solution and then applying that approach to fields we traditionally don’t consider “design” or even “creative.” Specifically, design thinking places humans — not technology — at the center of both a problem and that problem’s potential solutions.

For cybersecurity, we can break design thinking into three principles:

1. Begin with empathy for the end user.

2. Focus on the solution, not the problem.

3. Iterate.

Design Thinking Principle One: Begin With Empathy For The End User

Focusing on the customer sits at the center of every management model out there, but design thinking takes it one step further. It places the user at the center of the solution. It considers their “hard” technical and functional needs, but it also considers the user’s “soft” behaviors, beliefs and emotions. Finally, it thinks about how they will deploy their solution in their unique real-world work context and not in a best-case environment where everything goes right and where they could perfectly implement a complex solution.

This design thinking principle fits naturally into information security. After all, nearly 90% of breaches are caused by negligent user behavior. Design thinking tells us to seamlessly blend cybersecurity controls into a user’s environment and to pay particular attention to smoothing out any complications or personal considerations that might complicate adherence. It takes these concerns seriously and designs a solution that corrects them, instead of wishing users would just follow technically perfect security controls that never survive contact with the real world.

Design Thinking Principle Two: Focus On The Total Solution, Not The One-Off Problem

As information security professionals, we tend to deploy an analytical problem-solving model. We define the technical problem, break out the technical ramifications and then devise a technical solution to solve that problem. This is a powerful, and necessary, approach to information security. We need to “firefight” and put out the crisis of the day. We need to quickly develop and deploy new products and security measures. This approach creates its own problems, though — namely a constant state of reactivity and a pipeline of one-off products and programs that add up to an unmanageable jigsaw puzzle where no piece fits perfectly with any other.

Design thinking encourages us to think beyond the crisis of the day. It helps us develop long-term end goals for our security actions and a long-term roadmap to reach that state. It tells us to develop thoughtful solutions that add up to an integrated whole, where each product and program works in harmony with all others.

Don’t mistake developing a long-term vision for taking years to develop and roll out solutions. Design thinking teaches how to act small and fast. To build small prototypes. To refine what’s working. To break what isn’t. To embrace experimentation to prove (or disprove) ideas quickly and to constantly adjust to user feedback. Design thinking asks you to think long-term, but to then focus on quickly building small steps to reach that goal.

This principle also fits nicely into information security. In risk management, there’s already an iterative cycle — PDCA (Plan Do Check Act). This model is built on many rigid assumptions. Design thinking replaces it with a more flexible model: IPTR.

• Ideate — think up what might work

• Prototype — make a small version of that idea

• Test — determine if people will actually use it

• Refine — change it based on user feedback

IPTR gets you to PDCA, but with the confidence born from first proving your solution in the real world with real humans.

Bring These Design Thinking Principles To Your Information Security

Design thinking comes down to one central idea: Build solutions that users will actually use. Imagine a security posture held firm by natural adoption and not by rule enforcement. If that scenario looks favorable to you, then you are ready to apply design thinking to information security.

advertisement:

The post How #Design #Thinking Can #Change #Cybersecurity appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

ZTE #Kerfuffle Shows #Cybersecurity Doesn’t #Operate in a #Vacuum

Lawmakers have decried the president’s efforts to reverse a ban on a Chinese telecom, citing security fears, but there’s a lot more at stake.

President Donald Trump’s signal last week that he might loosen restrictions that effectively shuttered Chinese phone maker ZTE drew intense criticism from national security-focused lawmakers who worry the company could be used as a Chinese spying tool.

Sen. Marco Rubio, R-Fla., in particular, struck back at the president, charging that the U.S. would be “crazy to allow [ZTE] to operate in U.S. without tighter restrictions.”

Taking a tough line on ZTE over security, however, could have cascading consequences that the U.S. will come to regret, cyber and China policy watchers warn.

The bottom line, they said, is that even if Chinese tech companies pose cyber risks to U.S. consumers, that threat must be viewed within the nations’ broader, bilateral relationship.

It’s an Extremely Complicated Relationship

The president’s efforts to halt the ZTE ban stand in stark contrast to how the Trump administration treated another foreign company that officials said could be a launching pad for cyber espionage: Russia’s Kaspersky Lab.

In that case, in addition to banning Kaspersky from federal networks, Trump Homeland Security and national security officials have acknowledged urging major corporations and critical infrastructure owners to similarly jettison the Russian anti-virus firm.

When it comes to a major Chinese company, however, the calculus is more complicated. China has a massive tech sector and major U.S. brands, including Apple, Cisco and Juniper Networks have major Chinese operations.

That means that a conflict that starts with cybersecurity could end with a slate of unrelated consequences including higher prices for consumers.

“Unwinding the U.S.-Russia tech relationship is not very hard,” said Adam Segal, a China and cybersecurity expert at the Council on Foreign Relations. “It’s Kaspersky and it’s hard to think of many other Russian companies that provide any type of tech to the U.S.”

China’s tech sector is not only much broader, but officials’ and lawmakers’ chief concern about the company—that the Chinese government could force it to cooperate with cyber espionage against U.S. targets—is basically true of any Chinese company, Segal said.

There’s also a danger that China, which during recent decades has been a major player in the global economy, could shift to focus more on its domestic market if it sees too many roadblocks to U.S. sales, said Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. That could severely hamper global trade.

“I think security concerns are secondary to broader political goals,” Maurer said, assessing Trump’s decision.

Where does security fit in?

Trump’s pledge to help loosen restrictions on ZTE, offered in a May 14 tweet, did not appear to have anything to do with security.

The Commerce Department’s decision in April to ban ZTE from using U.S. products for seven years was sparked when the Chinese company violated a settlement agreement by selling telecom equipment with U.S. components in it to Iran. ZTE ceased major operations following the Commerce Department decision but said it was working to get the ban reversed or modified.

Trump’s official reason for trying to revisit the ban, as stated on Twitter, was that it produced “too many jobs in China lost.” The unstated subtext was that reversing the decision would give Trump a carrot to offer in U.S.-China trade negotiations that began last week as the nations exchange a series of escalating tariff threats.

The Commerce Department’s decision was also damaging to U.S. companies that supply materials to ZTE, including Qualcomm, a San Diego firm worth over $85 billion, which supplies most of ZTE’s computer chips.

Critics, however, were quick to seize on security concerns.

Rubio, who has sponsored legislation that would ban ZTE from U.S. government contracts, declared on Twitter that the “problem with ZTE isn’t jobs & trade, it’s national security & espionage.”

Rep. Ted Lieu, D-Calif., declared that: “By promising to help Chinese tech company ZTE, the President isn’t just prioritizing Chinese jobs over the U.S.’s wellbeing, he’s jeopardizing our national security.”

The Senate appropriations committee unanimously passed an amendment from Rep. Dutch Ruppersberger, D-Md., on Thursday, that would block Trump from reversing the ZTE ban. The amendment was included in the House version of a funding bill that covers the Commerce Department among other agencies.

It’s Not Black and White

It’s important to draw a distinction, cyber and China watchers say, between protections that apply to the U.S. government—which holds a bevy of secrets and reams of citizens’ personal information that would be of intense interest to Chinese government spies—and those that apply to consumer devices.

“The government can do what it wants and that’s not a big factor in the broader market,” said Bruce McConnell, a former top cybersecurity official at the Homeland Security Department, who’s now global vice president at the EastWest Institute, a non-partisan think tank.

“If the government’s intention is to put Chinese companies out of business for security reasons,” however, “that doesn’t seem to me to be a good road to go down,” McConnell said, noting that U.S. companies might come out behind in a tit-for-tat conflict with China.

Betsy Cooper, a cybersecurity researcher at the University of California-Berkeley, warned against taking a “black and white, full access or no access” approach to foreign companies that pose potential risks to U.S. networks.

“I think it’s very hard to imagine a world in which we allow full and open access of these companies to American markets because of backdoor concerns that do exist,” Cooper said. “But, I do think we have a tendency to swing too far in the other direction.”

Context is Key

The nations announced the broad outlines of a deal over the weekend by which the U.S. will back away from its tariff threats and China will purchase more U.S. goods to lower the nations’ trade imbalance. Yet it remains unclear whether the government will reverse the ZTE ban.

Trump declared in his initial tweet that the “Commerce Department has been instructed to get it done!” but Press Secretary Sarah Sanders seemed to backpedal Thursday, saying only that the president had asked the department “to look into it.”

Security concerns about ZTE go back many years. The House Intelligence Committee issued a 2012 report outlining the danger ZTE and another Chinese telecom Huawei posed to U.S. national security systems in 2012, when Ruppersberger was the panel’s ranking Democrat.

More recently, the Pentagon banned Huawei and ZTE phones from being sold on military bases and the Federal Communications Commission has forwarded a plan that would bar federal subsidies to Huawei and ZTE or to U.S. companies that include them in their supply chain.

Intelligence officials have also espoused their distrust of Huawei and ZTE in congressional hearings at the urging of Rubio and other lawmakers.

If the government does reverse the ban, it will be a contrast to the administration’s general approach to the Chinese cyber threat.

The administration has been more vocal, for example, about Chinese hackers stealing U.S. companies’ intellectual property and trade secrets than the Obama administration was during its final years in office.

The Obama administration was highly critical of Chinese hacking during its early years and even indicted five members of China’s People’s Liberation Army for the hacking in 2014. The Obama team stepped down its criticism, however, after a 2015 deal between Obama and Chinese President Xi Jinping that neither nation would hack the other for purely commercial reasons.

While Chinese commercial hacking didn’t cease after that deal, it did decrease significantly, according to FireEye and other private-sector cybersecurity firms.

It’s not clear if the Trump administration’s surge in criticism over Chinese hacking is responding to an uptick in the actual hacking itself.

It’s also not clear if the U.S. government believes China has engaged in purely commercial hacking—the subject of the Obama-Xi deal—or if much of the hacking is focused on industries that can yield both commercial and national security insights, such as aviation and energy.

What is to be done?

Bruce McConnell, the former Homeland Security cyber chief, suggests a two-part solution to government concerns about the security of ZTE and other foreign tech firms.

First, the U.S. government—which routinely refuses to share the data undergirding its conclusions about cyber threats out of fear of revealing intelligence sources and methods—must figure out a way to be more transparent, he said.

“It’s a problem that we’re basing our policy off classified information and the general public doesn’t have a clue what the evidence is,” McConnell said.

Second, the U.S. and other governments should work toward a common and transparent process for governments to vet technology for spying backdoors and other vulnerabilities, he said.

Microsoft, for example, has agreed to software reviews to operate in China and built custom versions of software for the Chinese market.

After the British government raised concerns about Huawei, the company agreed to build a British cybersecurity testing center where the code for all British Huawei products is poked and prodded by the nation’s intelligence agency, GCHQ.

The U.S. could consider a similar model, McConnell said.

In an effort to urge the Homeland Security Department to reverse its Kaspersky ban, the Russian anti-virus company similarly offered to open up its source code for review. The government did not respond to that offer, but should have accepted it, McConnell said.

Code inspections aren’t perfect and there’s no guarantee a backdoor might not slip through during such a review, McConnell said. But, a government’s pronouncement after such a review would carry more weight.

“It’s about creating a transparent and open, crowdsourced evaluation of product security,” he said. “If you put something out in the public domain or through an inspection program, allow the code to be inspected across the board, it would have a lot more credibility.”

advertisement:

The post ZTE #Kerfuffle Shows #Cybersecurity Doesn’t #Operate in a #Vacuum appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

US #cybersecurity firm #McAfee eyes #digital #wallets as users #pile in for #e-payments

US cybersecurity software-maker McAfee is now turning its attention to digital wallets as a new revenue stream, against the backdrop of more and more people signing up for these services, The Economic Times reported.

According to the report, McAfee, which has over 25% of its global workforce based in its Bengaluru office, is targeting the space as the number of digital wallet users spiked after the government’s demonetisation initiative.

“India has a large number of digital wallets compared to other countries. While these wallets are expanding to the nether regions of the country, the number of scams is also increasing by the day,” Anand Ramamoorthy, managing director, South Asia, McAfee, was quoted as saying.

“The scale is quite large and so building security features becomes difficult,” he said. “There are various issues a user faces starting from fake apps, fake transactions and a lot more, which are unique cases in India. Looking at all these cases, we are trying to build security that solves it all levels,” he added.

The Economic Times had earlier reported that several scammers were committing fraud by sending false payment confirmation messages to merchants.

Explaining digital wallet security, Ramamoorthy said that the company first tracks how apps are reading into personal data of users on the phone such as address book and photos and then secures that data. He said that in order to add another layer of security, McAfee tries to find the device on a map faster than usual and then backs up the data, locks the device and wipes out the data from the device.

The company is already working with mobile wallet companies but is now sharpening focus to secure the back-end as well as the front-end for consumers.

In another strategic move in March, the company had said that it was extending its cloud security platform to protect Microsoft’s Azure platform that provides cloud services.

Interestingly, this was McAfee’s first joint solution following its acquisition of Skyhigh Networks, a specialist in the cloud security, in November 2017. According to McAfee’s 2017 cloud adoption and security report, nearly 93% of organisations use some form of cloud services.

advertisement:

The post US #cybersecurity firm #McAfee eyes #digital #wallets as users #pile in for #e-payments appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

How to #improve #cybersecurity with #machine #learning

Leveraging machine learning for cybersecurity
Data breaches and cyber attacks have become harder to deter over the last few years. According to Cisco’s 2018 Annual Cybersecurity Report, for example, the expanded volume of both legitimate and malicious encrypted traffic on the web has made it more difficult for security professionals to recognize and monitor potential threats. As a result, many security professionals are looking to leverage machine learning to advance cybersecurity.

What is machine learning?
Before exploring the ways machine learning can improve cybersecurity, it is important to first understand what machine learning actually is. To begin with, machine learning is not one in the same with artificial intelligence (A.I.), which is part of a broader initiative to enable computers to reason, solve problems, perceive and understand language. Rather, machine learning is a branch of A.I., and involves training an algorithm to learn and make predictions based upon data input. Netflix, for example, uses machine learning and algorithms to make show recommendations, while search engine giant Google uses the technology to collect signals for better search quality.

Monitoring and responding to suspicious traffic
One way machine learning can be used to improve cybersecurity is by monitoring network traffic and learning the norms of a system. A well-trained machine learning model will be able to spot atypical traffic within a network and quarantine an anomaly. Most machine algorithms typically send an alert to a human analyst to determine how to respond to a threat; however, some machine learning algorithms are able to act on their own accord, such as thwarting certain users from accessing a network.

Automating repetitive tasks
Another way machine learning can help propel cybersecurity is by automating several repetitive tasks. For example, during a data security breach, an analyst has to juggle multiple responsibilities, including determining what was exactly stolen, how it was taken and fixing the network to stop similar future attacks. With machine learning, many of these tasks can be automatically deployed, significantly reducing the amount of time it takes to fix the vulnerability in return.

Complementing human analysis
Machine learning can also be used to complement human analysis. For example, in a paper published in 2016, MIT and PatternEx researchers demonstrated an A.I. platform could predict cyber attacks significantly better than existing systems by continuously incorporating input from human experts. Specifically, the team illustrated the platform could detect 85% of attacks, which was approximately three times better than previous benchmarks. It also reduced the number of false positives by a factor of five. Generally speaking, machine learning technologies can be used to provide around the clock analysis, or assist junior analysts who have higher error rates in their ability to assess a threat.

Preventing zero-day exploits
Additionally, machine learning can be leveraged to combat zero-day exploits, which occur whenever a cyber criminal is able to seize upon a software vulnerability before a developer is able to release a patch for it. IoT devices are largely targeted by zero-day exploits since they often lack basic security features. Vendors are typically given a certain amount of time to patch the vulnerability before it is publicly disclosed, depending upon its severity. Machine learning could be used to narrow in on and prevent these sorts of exploits before they have a chance to take advantage of a network.

Limitations
None of this is to stay machine learning will make cybersecurity perfect. Like any technology, machine learning is a double edge sword. Both cybersecurity professionals and criminals are in an arms race to outsmart each other with machine learning. Although machine learning is effective at preventing the same attack from occurring twice, the technology is challenged to predict new threats based upon previous data. Nor are all machine learning systems created equal. Different machine learning systems have different error rates in pinpointing and responding to threats. And while machine learning can be used as part of a company’s overall cybersecurity strategy, it shouldn’t be relied upon as a sole line of defense.

advertisement:

The post How to #improve #cybersecurity with #machine #learning appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures