This article was a Q&A with a health data security expert named Mac McMillan – the CEO and co-founder of CynergisTek Inc. – and it addressed some interesting topics in terms of the future of cybersecurity. One of these was reducing the risk of outsiders gaining elevated privileges by storing them in a “vault,” meaning that access to elevated privileges could not be granted as in a typical system (assigned by other users), but rather “rented” via the system and tracked in a log of who the renter was, etc. The other topic was how the healthcare industry, which has been the target of multiple attacks / breaches as of late, has increased awareness of attacks and the need for increased IT solutions, but many organizations still have yet to even dedicate a cybersecurity team, or engage experts to assist them.
I found this article and thought it was an interesting take on how advanced cyber security threats can only be defended against if man and AI work together (not one or the other). The article explains that the data is just too much for a human to process (which we have discussed in class before), and that many threats go undetected because of this. On the other hand, AIs apply algorithms to situations, and can catch many of those threats, but produce just as many (if not countless more) false positives – which, again, takes your company back to humans processing data. The trick is to combine the talents of both man and AI to focus on data-mining; this balance, if achievable, is the only way to effectively and efficiently secure an organization, while being able to add value to the business. When humans and AIs work together, and clear-cut objectives are identified, the right data can be allocated for the right reasons, and truly become beneficial.
This article projects that – as technology grows within the household (smart TVs, smart phones, watches, appliances, etc.) – the targets for ransomware attacks will move from big business to John Q. Consumer. As we discussed in class this past week, ransomware attacks are usually paid off in small amounts, under the assumption (reached via some form of risk or cost analysis) that it is not worth it to fight. That small amount of money extrapolated over 100 or so businesses adds up, but it is time-consuming and requires effort.
However, when you shift the focus to the average person, and reduce the amount of the ransom, but add in the ease it takes to hack your everyday person – the amount of potential income for these hackers appears to be greater. The article even suggests that the personal connection to said personal data might mean that consumers would pay more to get their photos and videos back – and I have to agree.
I thought the tone of this article was interesting, as it seems that companies are turning to AIs in terms of cyber security. Amazon is now using a recently acquired AI platform to assist in its cyber security defenses. They have bought out a company known as Harvest.ai and have begun using its algorithms to identify its critical data, and monitor activity against said data with both behavioral analytics and loss prevention techniques.
This Harvest.ai company is known for its MACIE program, which essentially analyzes a company’s network in real-time to discern when unauthorized users access critical data. Amazon Web Services is considering deploying MACIE into its suite of hosting products, which would bolster an already impressive package of security features. IBM has also announced that the popular Watson AI will be available to assist customers with their cyber security needs. It seems that more and more companies are coming to the conclusion that AI is the way to defend against cyber criminals, as the ability to process mass amounts of data and apply it to situations in real-time makes it far more suitable for IT security than humans.
I came across this article and felt that it was a very unique, comprehensive “handbook” on how to secure an organization, based on the lessons learned from the never-ending Yahoo breach, and Target’s. It showed how much money it cost Yahoo (i.e. Verizon cutting the deal by $350M), and then provided a general outline for how companies should tackle the ever-changing, incredibly difficult task of securing their organization.
From steps as simple as determining your greatest digital assets, to something as complex as designing a PR cyber incident fire drill, it is a pretty decent snapshot of concepts to consider. I particularly enjoyed how they called out the importance of not just spending money on cyber security, but actually practicing it. Analyzing the enemy, deploying countermeasures to alert your team of a breach, and encouraging innovation in terms of making it difficult for outsiders to access your organization’s critical information were all suggested by the author.
“Today, instead of writing a bigger check to build a bigger fortress, design an adversarial-based approach to protecting your organization. Find them before they find you.”
This article dives into social engineering and what we discussed in last week’s lecture. It shows how most companies underestimate how effective social engineering can still be, despite excessive training. Markus Jakobsson, Chief Scientist at Agari, said it best: “What I am continuously surprised by is that people believe you can teach end-users to watch out,”
“Because my experience is that you can teach people about one particular attack but when the attack changes just a little bit they will absolutely be unaware of this being an attack. I am not saying people are dumb, I’m saying this is a complex topic.”
The article continues by pointing out that many credit unions do not have any defenses against these types of email / phishing attacks, stating that the top five credit unions in the U.S. have no active protection against email attacks that use identity deception (e.g. spoofs, look-alike domains, display name deception); three have adopted Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication protocol, but haven’t fully implemented it (no quarantine or reject policy in place); and two haven’t yet adopted DMARC at all.
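As an added illustration (my own example, not code from the article or from Agari) of the three DMARC states described above, the following Python parses a DMARC TXT record and classifies a domain as having no record, a monitor-only record (p=none), a partially enforced one, or full enforcement. The domains and records are constructed samples standing in for real DNS lookups.

```python
# Added example: classify a domain's DMARC posture into the three states the
# paragraph lists (no record / adopted but monitor-only / fully enforced).
# The records below are constructed samples standing in for DNS TXT lookups.

ENFORCING = {"quarantine", "reject"}

# Constructed "DNS" data for hypothetical credit-union domains (not real lookups).
SAMPLE_DNS = {
    "_dmarc.cu-one.example": "v=DMARC1; p=reject; rua=mailto:dmarc@cu-one.example",
    "_dmarc.cu-two.example": "v=DMARC1; p=none; rua=mailto:dmarc@cu-two.example",
    "_dmarc.cu-three.example": "v=DMARC1; p=quarantine; sp=none; pct=50",
    # cu-four.example publishes no _dmarc record at all
}


def parse_dmarc(txt):
    """Parse a DMARC record (RFC 7489 'tag=value;' list) into a dict."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory (RFC 7489 section 6.3)
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must come first)")
    if tags.get("p", "").lower() not in ENFORCING | {"none"}:
        raise ValueError("missing or invalid p= policy tag")
    return tags


def assess_record(txt):
    """Return 'enforced', 'partial' or 'monitor-only' for one DMARC record."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    percent = int(tags.get("pct", "100"))               # pct defaults to 100
    if policy == "none":
        return "monitor-only"  # adopted, but spoofed mail is still delivered
    if subdomain_policy in ENFORCING and percent == 100:
        return "enforced"      # quarantine/reject applies to all mail
    return "partial"           # gap: subdomains unprotected or pct < 100


def assess_domain(domain, dns=SAMPLE_DNS):
    """Classify a domain's posture from the (constructed) DNS table."""
    record = dns.get(f"_dmarc.{domain}")
    return "no-dmarc" if record is None else assess_record(record)
```

Calling `assess_domain` on each sample domain reproduces the article's categories: cu-one is enforced, cu-two is monitor-only, cu-three is partial, and cu-four has no DMARC at all.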
I thought this was a good article coming off of the discussion we had last week in terms of just how much of your personal data is out there (amongst others) that is being used by companies. Vice president and America’s practice leader for Insight & Analytics at Hitachi Consulting, Dorman Bazzel sums it up best by saying, “The challenge with big data is not the data. There is plenty of data. The challenge with big data is developing a set of meaningful use cases that address key business challenges.”
As you read on, the article highlights what we all know – there is a tremendous amount of data out there – but focuses on the trick (dilemma) of figuring out how it all applies to one company’s business / mission. It echoes some of the points that have been made in previous articles (and I apologize for that), but I thought the take on IT as a commodity was interesting – now businesses have to learn exactly how to value this intangible asset that was never deemed “profitable” in the past.
I thought another good quote that helps summarize the article was from Luc Ducrocq, director of the Insight and Analytics Practice at Clear Peak, who described the relationship that is now needed between IT and business as symbiotic, stating: “If a data initiative is driven by IT and the business side is not involved, you might as well shut it down because it isn’t going to succeed. You have to understand the business problem or challenge you are attempting to solve, who cares and why they care, and what is the cost of doing nothing.”
I chose this article because it is a great example of how a lack of controls can get overlooked when an organization thinks “nothing is wrong.” Here is a guy who is the associate athletic director at the University of Toledo, and had virtually no oversight over his operation because no one ever bothered to look into it (a lot of trust, no verification). The article details that this opportunity was exploited for a loss of approximately $12,000.00 – which doesn’t seem like much compared to most cases – however, that was all the Internal Audits team could account for thus far.
Apparently, the processes in the finance operation were so diluted that the associate AD, Anthony Zaworski, was the sole owner of athletics spending, receiving, expensing, depositing and reconciling. In this day and age, there wasn’t a trace of segregation of duties in UT’s athletics finance department. The article revealed that most of the day-to-day cash-handling / expensing was done out of a desk drawer in Zaworski’s office, and there were deposits that came 3-6 months after events happened, or – my personal favorite – before events took place. Best of all, his superiors were giving him high marks on his performance evaluations all the while this was going on. I know it doesn’t fit into this week’s class, but I read this and couldn’t believe it – so I wanted to share it with the class.
Many small businesses who do not have access to the vast resources that larger businesses do will face similar challenges to the one that Phoon Huat faced (and is still facing), as the baking supply company out of Singapore was recently hit by ransomware. Erick Chng, head of IT at Phoon Huat, claimed that there were no financial losses, but that the hack was devastating enough to significantly delay the launch of the company’s new eCommerce site. Citing outdated and unpatched IT security systems, Chng explained that the IT department only consists of himself and two other people, and with the high usage of web-enabled phones, small businesses are at greater risk for breaches.
After feeling the effects of the breach, Phoon Huat enlisted the services of Darktrace, a UK-based security vendor that integrates machine learning into its cybersecurity tool. Chng stressed the importance of machine learning and how it can assist small businesses, and how being proactive in the fight to bolster cybersecurity is key. “Many business owners don’t understand why IT exists until they feel the pain,” he explained, and that “it was up to the IT professionals in these companies to advise the owners.”
I know that this goes back to Week 2, but with all the talk about how organizations (and people) have almost become numb to the idea of being breached, I thought this article was a good indicator of why that is, and how that mindset could not be more wrong. The author uses the Yahoo! hack as the basis, and explains that many corporate leaders think that cyber insurance is all they need to be protected. Director of Global Legal Technology Solutions at Navigant, Donald Good, summed cybersecurity up nicely by saying “There needs to be a balance among the right people, the right technology, and the right processes in place.”
Furthermore, I found it interesting that – according to Juniper Research – the average cost of a data breach will exceed $150M by 2020, and won’t be limited to just business data. The author speculates that financial, health, safety and security information will also be at risk in future breaches. I was particularly intrigued by the quote that “We are rapidly entering the age where free credit reporting as a consumer-facing recovery strategy will do more harm to brands than good.” If that is the case, what recovery options will consumers rely on if / when businesses realize that these tactics are no longer cost-effective?
I particularly liked how the article ended, as it is the basis for what we will all face, regardless of which track we are on – so I will end my summary with it:
“Is the CEO and the board committed to cybersecurity or is it just another line item that will get funded, but without the personal leadership that’s required?”
-Jim Trainor, senior VP for Aon Risk Solutions and former assistant director for the cyber division at the Federal Bureau of Investigation (FBI).