Podcast Archive | CyberScoop https://cyberscoop.com/listen/

How the FBI fights ransomware https://cyberscoop.com/radio/how-the-fbi-fights-ransomware/ Thu, 29 Jun 2023 14:19:34 +0000

The post How the FBI fights ransomware appeared first on CyberScoop.

When the FBI seized the website operated by the Hive ransomware group earlier this year, it was the result of the bureau’s efforts to infiltrate the infrastructure that cybercrime groups rely on to carry out their attacks. The bureau has set out to get inside these groups’ networks, destroy them from the inside, help victims and prevent ransomware. Cynthia Kaiser, deputy assistant director within the FBI’s Cyber Division, joins Safe Mode to talk about the Hive takedown and what else the bureau is doing to fight cybercrime. CyberScoop reporter Tonya Riley joins Safe Mode host Mike Farrell to talk about the digital privacy implications of the Dobbs ruling that overturned Roe v. Wade last year, a fascinating story about an Iranian hacking group and some ways that people are misusing open-source AI models.

Why pig butchering is the worst kind of online scam https://cyberscoop.com/radio/why-pig-butchering-is-the-worst-kind-of-online-scam/ Thu, 22 Jun 2023 16:00:42 +0000

Pig butchering has become an all-too-common online con that costs victims millions of dollars annually. And there’s little remedy for a growing number of victims. But Erin West, a California prosecutor, has made it her mission to fight back against these scams and the people executing them. She talks with CyberScoop Editor-in-Chief Mike Farrell about the origin of pig butchering, how scammers dupe their victims and what tech companies can do to help prevent the schemes from proliferating. Elias Groll, CyberScoop Senior Editor, also joins the episode to talk about the week’s headlines, discussing the MOVEit breach, the Cl0p ransomware gang, surveillance reform in Congress and Chinese hacking.

This is Safe Mode, your weekly guide to everything cybersecurity and digital privacy, brought to you by CyberScoop.

Safe Mode Trailer https://cyberscoop.com/radio/safe-mode-trailer/ Thu, 15 Jun 2023 14:18:38 +0000

You’ve probably noticed that hackers are changing the world. Every day, data breaches are putting you at risk. Privacy-invading apps are chasing your attention. Spies are treating the online world as their playground.

Safe Mode is your guide to the murky, often bizarre, always fascinating world of cyberspace. Every week we break down the most pressing issues in technology, provide you the knowledge and tools to stay ahead of the latest threats and take you behind the scenes of the biggest stories in cybersecurity.

Our sources are the hackers poking at your systems, the technologists working at the cutting edge, and the researchers and policy makers trying to understand this strange world. Together, we’ll help you navigate what’s happening in the online world and maybe figure out how to make it a bit better.

This is Safe Mode, your weekly guide to everything cybersecurity and digital privacy, brought to you by CyberScoop.

The case for transitioning to a single, multi-cloud IAM platform https://cyberscoop.com/radio/the-case-for-transitioning-to-a-single-multi-cloud-iam-platform/ Mon, 16 Aug 2021 19:30:16 +0000

SAIC Cybersecurity Director Eric Brown talks with Axiad co-founder Bassam Al-Khalidi about the rationale for moving to a single identity and access management platform.

One of the growing challenges CIOs and CISOs must grapple with as they expand their use of cloud services is how to rationalize their collection of identity, access and privilege control systems operating across their network environment.

The days of relying on and patching separate identity, authentication and privilege access services are becoming a thing of the past, says Eric Brown, cybersecurity director for enterprise identity and access management at SAIC, a Fortune 500 technology integrator specializing in government IT modernization and engineering services.

“For professionals like me, having to deal with a single vendor that can help me secure an identity from multiple facets, whether it’s OTP (one-time password systems), smart cards and authenticator applications, that becomes very, very desirable,” he says in a new podcast produced by CyberScoop and underwritten by Axiad.

Replacing multiple existing systems with a single platform can often go against the grain of traditional practices. One reason for that, argues Bassam Al-Khalidi, co-CEO & co-founder of Axiad in the podcast, is that publications and analysts still tend to focus on best-of-breed solutions and capabilities within the identity and access management (IAM) technology market.  

“There is no category for that one platform across the board… that will address the different use cases, whether it’s privileged-non-privileged device authentication, user or application authentication,” and which can manage all levels of security across multiple cloud environments, says Al-Khalidi.

SAIC represents one of a growing number of companies that have decided to move away from multiple systems and turn to an outsourced technology like Axiad to manage their identity and access requirements.

“We took a step back… and were able to look at the dynamics of what [Axiad] had to offer, and how they could actually augment the team that performs all these functions at SAIC. And when we looked at that augmentation, we realized that it would increase the productivity of the team, allowing them to get more creative on the solutions, while maintaining a higher level of security,” Brown says.

He also saw added value in the fact that Axiad focuses on “constantly improving their platform for the maximum security allowed in the environments that we work in,” including multi-factor technologies, that can also support SAIC’s customers in ways that were proving harder to do using a combination of IAM solutions.

“Having a single dedicated platform that allows you to move to the cloud without inheriting new risks of being in the cloud… is kind of like having your own castle, rather than being an apartment in a large apartment complex,” says Al-Khalidi.

“There’s a lot of cloud authentication products or services out there in the market, but [organizations often] end up getting an authentication service for their general population, maybe a different type of service for their contractors, a different solution for their admins or key stakeholders, and then another solution to manage their devices and applications,” Al-Khalidi explains. “So even though they are moving to the cloud…they still have the burden of trying to integrate cloud to cloud. And now you’re inheriting more risk.”

He and Brown discuss some of the practical considerations for adopting a single platform approach and some of the lessons SAIC learned making the transition.

Listen to the podcast for the full conversation on preparing agency networks to support IT modernization priorities. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by CyberScoop and underwritten by Axiad.

Bassam Al-Khalidi is co-CEO and co-founder of Axiad, a leading trusted identity solutions provider for enterprises, government, healthcare and financial organizations. Bassam has had an extensive career leading identity and access management solutions teams before co-founding Axiad over a decade ago.

Eric Brown, cybersecurity director – enterprise identity and access management at SAIC, has more than 20 years of experience managing enterprise information systems, implementing disaster recovery and business continuity strategies and leading systems engineering teams in highly pressurized and challenging environments.

Cyber Everywhere: The growing threat of mis-, dis-, and malinformation https://cyberscoop.com/radio/growing-threat-of-misinformation-disinformation-malinformation/ Thu, 24 Jun 2021 19:30:34 +0000

Deloitte cybersecurity leaders discuss the risks posed by MDM and share strategies to help combat these threats, often taking advantage of existing infrastructure and processes.

While not a new threat, mis-, dis-, and malinformation (MDM) today spreads faster, farther and more frequently than ever before.

In the latest in a series of podcasts, called “Cyber Everywhere,” produced by CyberScoop and underwritten by Deloitte, cybersecurity leaders Jesse Goldhammer and Sam Korta discuss the risks posed by MDM and share strategies for leaders to combat false and harmful narratives.

Jesse Goldhammer, managing director for Deloitte & Touche LLP, breaks MDM threats into three category types: disinformation, the spread of maliciously false information; misinformation, the spread of false information, but without malicious intent; and malinformation, the spread of information that is true or partially true and is being spread with the purpose of harming the public. MDM threats are not new for government intelligence and defense agency leaders; however, they may be for much of the private sector.

Samantha Korta, cyber and strategic risk advisor for Deloitte & Touche LLP, adds that malicious actors can leverage a process called information laundering to rapidly spread harmful falsehoods across multiple communication platforms and into mainstream discourse.

Further, with the rise of artificial intelligence and machine learning, malicious actors can create their own false information, such as videos, images and audio that can be laundered to look and feel authentic to audiences.

“Government agencies do not have to be victims of MDM,” Goldhammer stresses. In fact, tackling this challenge doesn’t necessarily require building new technologies or business processes. Instead, organizations can combine existing systems, methods and processes with specialized tools, relationships and resources to develop stronger MDM mitigation measures.

Korta and Goldhammer discuss combining tradecraft and technologies — such as social listening, open-source intelligence and cybersecurity tools — to help agencies detect, assess and respond to MDM.

Finally, organizations — especially government agencies — can prioritize strategies for understanding, building and maintaining trust with employees, constituents and the general public in order to increase the effectiveness of these measures.

Listen to the podcast for the full conversation. You can hear more coverage of “Cyber Everywhere” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by CyberScoop and underwritten by Deloitte.

Practical strategies to establish a zero-trust security environment https://cyberscoop.com/radio/practical-strategies-to-establish-a-zero-trust-security-environment/ Tue, 11 May 2021 14:00:58 +0000

Splunk security strategist James Young highlights lessons learned embracing zero-trust practices internally and what agencies can learn from the experience.

IT and security experts have been advocating for enterprises to adopt zero-trust security disciplines for the better part of a decade. But will the pandemic, and the massive shift of employees now working on the other side of traditional firewalls, finally serve as the tipping point to zero trust?

James Young, security strategist at Splunk, believes so, not only because of the new demands enterprises now face supporting remote workers, but also because technology investments in recent years to capitalize on cloud services have made it easier to apply zero-trust security practices.

“Given Forrester first started talking about zero trust well over 10 years ago, it is surprising that only now is this approach really gaining mainstream attention. However, I think it’s fortuitous that we’ve got a real level of maturity from an operational and technology perspective [in place at many organizations.] That means the time is ripe for broader adoption of the zero-trust approach,” he says.

He points to several reasons why zero trust has taken longer than expected to implement, but also offers a way forward for organizations in a new CyberScoop podcast interview, underwritten by Splunk.

“Zero trust can probably seem a little daunting, given the breadth and perceived complexity of such a major shift in how security is applied to both traditional IT approaches and modern IT approaches such as cloud,” he says. “However, given the general transformation of IT, this presents a real opportunity to introduce a zero-trust approach in a way that not only improves the overall security — but also in a way that doesn’t really increase the complexity or operational overhead for the user, and IT teams as well.”

One stumbling block to moving forward with zero trust that Young and his colleagues at Splunk often encounter, he says, is “the growing misconception around what a zero-trust approach really is.” He cites specifically “the belief that zero trust is almost an all-or-nothing kind of approach — or one that focuses solely on the technology aspects or the security controls themselves.”

Given the ever-increasing attack surface most organizations now face, however, “the adoption of a zero-trust approach is really more important than ever before.”

Learning from within

Young describes Splunk’s own journey implementing zero-trust procedures, and how that led to developing a zero-trust guide that Splunk anticipates sharing with its customers soon.

“We’ve developed a fairly prescriptive guide that steps through not only what [organizations] need to do from a security control perspective, but also from the perspective of monitoring and building out use cases that enable you to detect security attacks or security incidents,” he says.

Young explains Splunk developed a variety of use cases in the guide, using the MITRE ATT&CK Framework — a widely referenced collection of adversary tactics and techniques — that are relevant for zero trust. “We’ve ended up with a very useful guide that any organization can pick up and step through that’s going to be aligned to their particular requirements from a zero-trust perspective.”

Where to start

Young emphasizes the importance of focusing an organization’s zero-trust efforts on IT operations that represent the greatest risks to their enterprise, rather than taking a broader security transformation approach.

“Our belief is that you should take much more of an incremental approach, focusing on the most critical systems with the most critical assets. You need to secure them first, then step through and repeat — and adapt as required, as the business and the [threat] landscape changes,” says Young.

In addition to understanding how those systems are being accessed, and by whom, and then developing appropriate security policies and controls, Young says it’s equally important to implement the necessary types of monitoring and visibility tools around those systems to fully protect them.

“We only have to look back at the last 12 months to see how rapidly things can change,” he warns.

Download a copy of Splunk’s “Guide to Embracing a Zero Trust Security Model in Government,” and watch for the solution brief coming soon authored by James Young, Zero Trust Data Analytics Strategy for IT and Security Operations, providing practical approaches you can take to implement zero trust security practices.

Listen to the podcast for the full conversation on using zero trust and SOC modernization to respond to the changing threat landscape. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by CyberScoop and underwritten by Splunk.

James Young, security strategist at Splunk, brings more than two decades of security engineering experience, working for a variety of firms in Australia including Nokia, Fortinet, VMware, and most recently at Splunk.

Well-funded, organized attacks require strategic counter-defense strategies https://cyberscoop.com/radio/well-funded-organized-cyber-attacks-need-strategic-counter-defense/ Wed, 14 Apr 2021 19:30:54 +0000

This year’s high-profile supply chain attacks underscore the gravity of lateral threats. Splunk’s Yassir Abousselham says zero trust and SOC modernization strategies are key.

Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months.

“A high-profile supply chain attack was bound to happen. But as an industry, we did not invest enough in mitigations,” says Yassir Abousselham, chief information security officer at Splunk, in a new CyberScoop podcast. Attacks like the supply chain attack via a SolarWinds application, initially revealed in December, and the Hafnium attack revealed in March, underscore the gravity of lateral threats.

“The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers,” he stresses.

The adversary is well funded, persistent, and highly technical; therefore, it is important for security leaders to accept that there’s no one vendor or technology that can defend against supply chain attacks.

In this podcast, underwritten by Splunk, Abousselham says CIOs and CISOs need a broad security strategy that includes a combination of doubling down on security hygiene and instituting more advanced initiatives, such as zero trust and security operations center (SOC) modernization.

Key capabilities for a successful zero-trust strategy

“Attackers rarely compromise the system containing the most sensitive information from the get-go,” he says. “They rely on lateral movement to get to high-value targets.”

The zero-trust security philosophy can be invaluable to organizations as they try to mitigate cyber risks, or at least slow down an attack, because lateral movement typically relies on credential harvesting or privilege escalation.

Abousselham describes several components of a strong zero-trust strategy to guide IT leaders on the security capabilities they should focus on, including:

  • Continuous strong authentication, so that if an attacker achieved an initial compromise, they would have to successfully authenticate multiple times, which is either not possible or would trigger some alerts.
  • Machine identity, to restrict access from endpoints.
  • Security requirements based on least privilege access, to limit users or machine accounts from accessing the rest of the system.
  • Trust boundaries that use a combination of roadblocks and detections to trigger anytime users attempt to cross those boundaries, for example placed around high-value assets.

Modernizing the SOC to prevent threats

“Effective security measures are typically multi-layered and achieve a balance between prevention and detection. The fact of the matter is that we cannot predict every single tactic that the attacker may use,” says Abousselham.

That is where aggressive detection becomes a key part of mitigating advanced attacks that are spreading in the environment.

Abousselham suggests that SOC modernization should focus on increasing analyst efficiency, improving the ability to detect high-risk events, and reducing dwell time, or the time between when a compromise first occurs and when it is detected.

He discusses how technologies like risk-based alerting and automation help take away mundane and repetitive tasks from security analysts and allow them to focus on high-value work.

“The fact of the matter is that security talent is scarce and will continue to be scarce and the attack surface will be expanding. There’s pretty much no way back,” he says. “It is extremely important that we weave security into everything that we do as an industry. But also that we aggressively go after and deploy these more advanced techniques to have a chance defending against these types of advanced attacks.”

Learn more about how Splunk brings data to every mission so that your organization can better defend itself from the next attack.

Listen to the podcast for the full conversation on using zero trust and SOC modernization to respond to the changing threat landscape. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn. This podcast was produced by CyberScoop and underwritten by Splunk.

Yassir Abousselham oversees security at Splunk in addition to supporting Splunk’s customers with their data-driven security practices. Prior to Splunk, Yassir has held various CISO and security leadership roles at Okta, SoFi, Google and EY. He is an active member in the cybersecurity industry and holds two U.S. patents in trusted network communication.

Understanding ransomware at the Pentagon https://cyberscoop.com/radio/understanding-ransomware-at-the-pentagon/ Wed, 07 Apr 2021 13:01:00 +0000

Just because the U.S. Marine Corps has never been struck with ransomware doesn’t mean cybersecurity personnel in the military aren’t working to fend off such attacks.

That’s according to Renata Spinks, the acting chief information security officer in the Marine Corps, who says that the threat of digital extortion requires constant attention and diligence from network defenders. In a new CyberScoop podcast, Spinks discusses ways that federal government employees have worked to protect sensitive data during an era of widespread remote work, how information sharing actually works and to what extent ransomware attackers are similar to traditional email hackers. 

In the sponsored portion of this conversation, Cisco’s cybersecurity principal for the U.S. Public Sector, Peter Romness, delves into the evolution of the ransomware threat from 2014 until today.

How zero trust helped insulate Splunk from supply chain attack https://cyberscoop.com/radio/zero-trust-help-insulate-from-supply-chain-attack/ Wed, 17 Mar 2021 19:30:37 +0000

The pervasive attack on government and commercial IT systems, via SolarWinds, highlighted the need for zero trust — and powerful analytics tools.

When the news broke that a pervasive supply chain attack had compromised a wide swath of government and commercial sector IT systems, one of the first companies many organizations called in to help was Splunk, recalls Eric Schou, Area Vice President and head of security marketing at Splunk.

Fortunately for Splunk, the company’s internal IT operations don’t use the network monitoring software, made by SolarWinds, that nation-state hackers used to infiltrate hundreds, if not thousands, of enterprise IT networks. Security experts, including Anne Neuberger, the new White House Deputy Security Advisor for Cyber and Emerging Technology, say it will likely take months to uncover the full impact of the attack.

“Even though we were not impacted, we wanted to make sure that we were protected, and monitoring our environment for any signs of this Sunburst malware or any other malware that looked similar to this.  We also wanted to make sure that we immediately had a response out to our customers…and that our customers, number one, knew what to do,” says Schou in a podcast interview, produced by CyberScoop and underwritten by Splunk.

“One thing that was clear early on through this experience was that Splunk… is really core and at the center of security operations centers,” in part, he says, because of the analytics tools Splunk offers that deliver “enhanced visibility, and the ability to detect and take specific action.”

Without those tools, organizations “will just not…be able to look back over three or six months’ worth of data and logs and be able to pull it up and make specific decisions on where to go or what to do and what’s a priority,” he says. “That’s just very, very difficult to do if they didn’t have [data analytic tools like those offered by] Splunk.”

The importance of zero trust playbooks

Events like this are a reminder of how important it is for organizations — especially high-profile organizations in industry and government — to have a zero-trust architecture in place, says Schou. And in light of the nature of this most recent attack, it’s equally important to look “at more than just what you have, but also what your suppliers are using,” he says.

Schou acknowledges, “That’s tough to do, but what you can do is make sure that your overall detection and response is better than, let’s say, a year ago.”

Having a zero-trust playbook also helps when having a conversation at higher levels in the organization around investment resources to make sure that you’re protecting what’s most important first, he says.

During the interview, Schou highlights approaches that Splunk has taken internally in its own efforts to establish zero-trust practices, and what other organizations can do regardless of how far along they are in embracing zero-trust principles. He also said that having enhanced analytics tools will be even more important in the face of future attacks.

“What’s happening a lot now,” he says, “and why Splunk has definitely been involved in a lot of these conversations, is that we see a lot of organizations building out a very in-depth [set of] data analytics capabilities, as a part of a broader zero-trust strategy. And then taking advantage of those things to improve visibility and security operations.”

Learn more about how the SolarWinds cyberattack might affect your agency. Listen to the podcast for the full conversation on how zero trust helps insulate Splunk from supply chain attacks. You can hear more coverage of “IT security modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by CyberScoop and underwritten by Splunk.

Eric Schou has spent his career helping enterprises make better use of security products, having worked at Symantec, McAfee, Good Technology, HPE and Palo Alto Networks prior to joining Splunk.

Defenders need to increasingly rely on agility in cyberspace https://cyberscoop.com/radio/defenders-attackers-increasingly-rely-agility-cyberspace/ Thu, 05 Nov 2020 14:39:56 +0000

Recent events of 2020 have taught CISOs important lessons defending against agile cyber-adversaries building and executing cyberattacks.

The majority of cyber adversaries have already embraced agility as critical to their cyberattack operations, moving quickly and efficiently to exploit global events, vulnerabilities, the expanding digital attack surface and more.

In addition, as cybersecurity technology improves, it has forced cyber attackers to adopt exceptionally agile operations. In response, defenders need to elevate agility beyond a design principle and make it a true end-goal, whereby agility is woven into a cybersecurity strategy and architecture.

That’s according to Phil Quade, the chief information security officer at Fortinet, a global leader in IT and OT security solutions used by telecommunication firms, financial companies, critical infrastructure operators and government. Quade has seen the emerging attack techniques up close, and from the front lines, particularly during the roles he previously held in a 34-year stint at the U.S. National Security Agency.

Attackers use agility as a strategy and a goal, Quade said in a CyberScoop podcast underwritten by Fortinet. He reflects on the dramatic shifts this year to securing remote work and the future of an expanding digital attack surface, sophisticated threat landscape, and cyber skills gap.

Access management agility 

One way for security personnel to fend off attackers who are “living off the land” inside their networks is to recognize that wireless access and mobile connectivity are the new reality. Network defenders can no longer rely only on mainframe computers with hardwired workstations.

Hundreds of millions of internet-connected devices need to access government and corporate networks with the correct permissions and appropriate levels of trust, according to Quade.

“That’s going to take quite a bit of an agility posture, to be able to recognize what to trust and what to not trust, and which ones to maybe watch for [until] they earn your trust,” he said. “That’s an example of network access control agility. It’s really going to be pressed upon us by the flood of devices joining us at this new edge that is emerging.”

Multi-cloud agility 

Cloud technologies do a lot of things, including aiding cost savings and facilitating a simplified data oversight process. Chief among those benefits, though, is helping the shift toward agility.

Companies now need to be able to call on their own data centers for the things they do best, such as safeguarding high assurance applications or keeping up the high speed of low latency tools.

“Now, the very best organizations are going to be the ones who have enough agility on a moment’s notice to swing toward their own private data center, their own private cloud or any of the public clouds,” Quade said. “They are available. That’s multi-cloud ability, the ability to recognize what’s the most efficient and effective means to leverage this great powerful capability to do so at the right place and in the right time.”

Cryptographic agility 

Organizations are working to manage encryption and data protection while also working with large supply chains. It’s a pressing issue that demands attention from leadership, particularly as concepts like quantum computing force security leaders to consider whether new technologies will threaten existing tools.

“What that means is that a company or organization needs to have the flexibility and confidence to switch to different cryptographic algorithms, schemes or keys at a moment’s notice if there is, for example, a key compromise, or if there’s a sudden reason to change algorithms,” Quade said.

Listen to the podcast for the full conversation on the need for agility and flexibility in IT security. You can hear more coverage of “IT Security Modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by CyberScoop and underwritten by Fortinet.

Phil Quade worked at the National Security Agency for 34 years in a variety of top leadership roles before joining Fortinet nearly four years ago.
