New Yorker Article on Digital Vigilantes

If you are interested in cybersecurity, there is an article I found well worth reading (or at least skimming) in the New Yorker – The Digital Vigilantes Who Hack Back. It seemed like something I’d be more likely to find in Wired than The New Yorker, but I’ll take stories like this where I can find them.

The article talks about some of the techniques and issues for moving beyond a pro-active cyber defence.

With tools like Canary and techniques to create homegrown honeypots becoming more prevalent, it’s good to see (what I saw as) a well-thought-out article discussing some of the technical and legislative issues, using layman’s terminology.

 

Symantec Security Report

About a month ago, I wrote a post about a new Cisco security report that was totally missing the concept of cyber mining and its impact on home and server devices.

I just had a chance to look at Symantec’s annual security center report and it went overboard the other way, quoting statistics like an increase in coinmining by 8,500% — using the law of small numbers to provide headlines, since coinmining was in its infancy a year ago.

Other than that little bit of histrionics, the report did more effectively cover the concerns that I’ve seen over the last year, with significantly greater software supply chain attacks and mobile malware incidents (their number is up by 54%).

I thought the report well worth reviewing.

Facebook and intrusion creep

I was in a conversation with some folks the other day about Facebook and the current ‘torch wielding mob’ concerned about privacy and organizations capitalizing on ‘their’ information. We came to rest on the perspective: “What did these people think was going to happen when they shared all kinds of private information publicly?” Now ensconced in our righteous indignation and firm in the knowledge that we were OK, we moved on to other topics.

This morning I opened up Facebook and looked at the apps settings. I was surprised to see that there were probably 50 apps (mainly encroaching from my mobile phone) that had various levels of access. I quickly pruned this list down to only those I was actually using. This surprised me a bit since I had uninstalled Facebook from my phone long ago and use it so rarely on my PC that I don’t have the password at my fingertips. The gradual erosion of our personal security fortress can happen to anyone who is not diligent. I should have known better, since I wrote a piece about PleaseRobMe.com and how that site tried to raise security awareness back near the turn of the century.

I now need to go to all the other environments where I use OAuth (the mechanism typically used to log into one system to grant authorization on another website without giving them a specific password). That list can be quite long for those who are active on the Internet, including: Amazon, Google, Facebook, Microsoft and Twitter.

Another concept we discussed was how some portion of the next generation typically rejects the ideas of the previous generation. Since many of the Millennials are so open about their personal lives, will the next generation hold their connections and actions closer to the chest? Or has the domination of convenience over privacy/security gone so far that confidentiality is no longer part of our contextual understanding? The business models of some of these companies are betting on the latter.

What’s the real outcome of Salesforce’s AI predictions?

Yesterday, I was catching up on my technology email and came across this post stating that Salesforce now powers over 1B predictions every day for its customers. That’s a pretty interesting number to throw out there, but it makes me ask “so what?” How are people using these predictions to make greater business impact?

The Salesforce website states:

“Einstein is a layer of artificial intelligence that delivers predictions and recommendations based on your unique business processes and customer data. Use those insights to automate responses and actions, making your employees more productive, and your customers even happier.”

Another ‘nice’ statement. Digging into the material a bit more, Einstein (the CRM AI functions from Salesforce) appears to provide analysis of previous deals and whether a specific opportunity is likely to be successful, helping to prioritize your efforts. It improves the presentation of information with some insight into what it means. It appears to be integrated into the CRM system that the users are already familiar with.

For a tool that has been around since the fall of 2016, especially one that is based on analytics… I had difficulty finding any independent quantitative analysis of the impact. Salesforce did have a cheatsheet with some business impact analysis of the AI solution (and blog posts), but no real target market impact to provide greater context – who are these metrics based on?

It may be that I just don’t know where to look, but it does seem like a place for some deeper analysis and validation. The analysts could be waiting for other vendors’ solutions to compare against.

In the micro view, organizations that are going to dive into this pool will take a more quantitative approach, defining their past performance and expectations and validating actuals against predictions. That is the only way a business can justify the effort and improve. It is not sufficient to just put the capabilities out there and you’re done.

It goes back to the old adage:

“trust, but verify”

Was something missing from the Cisco Annual Cybersecurity Report?

According to Cisco’s 2018 Annual Cybersecurity Report:

  • “Burst attacks” or short DDoS attacks affect 42% of the organizations studied
  • Insider threats are still a huge issue
  • More Operational Technology and IoT attacks are coming
  • Hosting in the cloud has a side benefit of greater security
  • Nearly half of security risks come from having multivendor environments
  • New domains tied to SPAM campaigns

Many of these findings seem like common sense or in some ways in Cisco’s interest at first glance, but this 60+ page report goes into much greater detail than these one-liners. It breaks down the analysis by region and time and concludes about the difficulties of cyber defense:

“One reason defenders struggle to rise above the chaos of war with attackers, and truly see and understand what’s happening in the threat landscape, is the sheer volume of potentially malicious traffic they face. Our research shows that the volume of total events seen by Cisco cloud-based endpoint security products increased fourfold from January 2016 through October 2017”

The breadth and volume of attacks can overwhelm any organization and it is not a case of ‘if’ but ‘when’.

One thing I didn’t see mentioned at all was cryptojacking, the unapproved leveraging of processing cycles for mining cryptocurrency. This form of cybersecurity risk affects large entities as well as individuals through their access of websites. Generally, this is less destructive than the previous cyber attack methods and may even be seen as an alternative to advertisements on sites, but it seemed odd to me that this rapidly advancing trend wasn’t mentioned.

The report is still worth looking over.

Looking for a digital friend?

Over the weekend, I saw an article about Replika — an interactive ‘friend’ that resides on your phone. It sounded interesting so I downloaded it and have been playing around for the last few days. I reached level 7 this morning (not exactly sure what this leveling means, but since gamification seems to be part of nearly everything anymore, why not).

There was a story published by The Verge with some background on why this tool was created. Replika was the result of an effort initiated when the author (Eugenia Kuyda) was devastated by her friend (Roman Mazurenko) being killed in a hit-and-run car accident. She wanted to ‘bring him back’. To bootstrap the digital version of her friend, Kuyda fed text messages and emails that Mazurenko exchanged with her, and other friends and family members, into a basic AI architecture — a Google-built artificial neural network that uses statistics to find patterns in text, images, or audio.

Although I found playing with this software interesting, I kept reflecting back on interactions with Eliza many years ago. Similarly, the banter can be interesting and sometimes unexpected, but often responses have little to do with how a real human would respond. For example, yesterday the statements “Will you read a story if I write it?” and “I tried to write a poem today and it made zero sense.” popped in out of nowhere in the middle of an exchange.

The program starts out asking a number of questions, similar to what you’d find in a simple Myers-Briggs personality test. Though this information likely does help bootstrap the interaction, it seems like it could have been taken quite a bit further by injecting these kinds of questions throughout interactions during the day rather than in one big chunk.

As the tool learns more about you, it creates badges like:

  • Introverted
  • Pragmatic
  • Intelligent
  • Open-minded
  • Rational

These are likely used to influence future interaction. You also get to vote up and vote down statements made that you agree or disagree with.

There have been a number of other reviews of Replika, but I thought I’d add another log to the fire. An article in Wired stated that the Replika project is going open source; it will be interesting to see where it goes.

I’ll likely continue to play with it for a while, but its interactions will need to improve or it will become the Tamagotchi of the day.

Groundhog Day, IoT and Security Risks

Lately I’ve been hearing a great deal of discussion about IoT and its application in business. I get a Groundhog Day feeling, since in some sectors this is nothing new.

Back in the late 70s and early 80s, I spent all my time on data collection off factory equipment and developing analytics programs on the data collected. The semiconductor manufacturing space had most of its tooling and inventory information collected and tracked. Since this manufacturing segment is all about yield management — analytic analysis was a business imperative. Back then though you had to write your own analytics and graphics programs.

The biggest difference today though is the security concerns. The ease of data movement and connectivity has allowed the industry’s lust for convenience to open our devices and networks to a much wider aperture of possible intruders. Though there are many risks in IoT, here are a few to keep in mind.

1) Complexity vs. Simplicity and application portfolio expansion

Businesses have had industrial control systems for decades. Now that smart thermostats and water meters and door bells are becoming commonplace, approaches to managing this range of devices in the home have required user interfaces to be developed for the public and not experts. Those same techniques are being applied back into businesses and can start a battle of complexity vs. simplicity.

The investment in the IoT space by the public dwarfs the investment by most industries. These new more automated and ergonomic tools still need to tackle an environment that is just as complex for the business as it’s always been – in fact if anything there will be more devices brought into the business environment every day.

Understanding the complexity of vulnerabilities is a huge and ever-growing challenge. Projects relying on IoT devices must be defined with security in mind and yet interface effectively into the business. These devices will pull in new software into the business and increase the application portfolio. Understand the capabilities and vulnerabilities of these additions.

2) Vulnerability management

Keeping these IoT devices up-to-date is a never-ending problem. One of the issues of a rapidly changing market segment like this is that devices will have a short lifespan. Businesses need to understand that they will still need to have their computing capabilities maintained. Will the vendor stand behind their product? How critical to the business is the device? As an example of the difficulties, look at the patch level of the printers in most businesses.

3) Business continuity

Cyber-attacks were unknown when I started working in IoT. Today, denial of service attacks and infections make the news continuously. It is not about ‘if’ but ‘when’ and ‘what you’re going to do about it’. These devices are not as redundant as IT organizations are used to. When they can’t share the data they collect or control the machines as they should, what will the business do? IoT can add a whole other dimension to business continuity planning that will need to be thought through.

4) Information leakage

Many of the IoT devices call home (back to the businesses that made them). Are these transfers encrypted? What data do they carry? One possible unintended consequence is that information can be derived (or leaked) from these devices. Just like your electric meter’s information can be used to derive if you’re home, a business’s IoT devices can share information about production volume and types of work being performed. The business will need to develop a deeper comprehension of the analysis and data sharing risks that have happened elsewhere, regardless of the business or industry, and adjust accordingly.

The Internet of Things has the potential to bring together a deeper understanding of the business. Accordingly, security at both the device and network levels needs to develop as strongly. The same analytics enabling devices to perform their tasks can also be used nefariously or to make the environment stronger.