Friday, December 6, 2019

Don't Let Your Fear Of Nation-State Hackers Blind You

Mr. Magoo is an old cartoon character famous for his inflated sense of status and an extreme case of myopia, made worse by his refusal to wear corrective glasses. As a result of his poor vision and ego, Magoo would find himself in precarious — and hilarious — situations because he was unable to see the danger right in front of him. Typically, the oblivious Magoo would leave a trail of destruction behind him.

Enterprises today approach security a lot like Mr. Magoo, operating with the idea that they are more important than they really are and therefore are unable to see the real risks that beset them. The result? A lot of unnecessary damage.

Read the full article at Forbes here

Tuesday, September 24, 2019

Demystifying Criminal Hackers

As I write these pieces for Forbes Tech Council, I’ve tried to chip away at the Hollywood reputation that hackers have been given over the years. That reputation often keeps people from making good decisions about how to protect their networks and data, keeps people focused on the wrong security priorities, and causes people to give up before the game is over.

It’s important to keep in mind, however, that while criminal hackers may be smart and devious, they are also, in a sense, entrepreneurs who are in the game to make a quick buck. As such, they realize that hacking costs money and so they will do what they can to keep their operating costs low. Why, then, would you expect a criminal hacker to expend time and money developing specialized tools when there are easier ways to get to what they want?

Read the full article at Forbes here

Saturday, August 24, 2019

Defending Against Hacking's Long Game: It Ain't Over Till It's Over

In the third quarter of Super Bowl LI, the New England Patriots trailed the Atlanta Falcons by a score of 28-3. History was against the Patriots’ chances of rallying for a comeback win. No team had ever overcome such a large deficit — especially so late in the game — to capture the NFL championship. And yet, against the odds, the Patriots stormed back to earn an improbable victory and their fifth Lombardi Trophy. Their win was the embodiment of Yogi Berra’s famous saying, “it ain’t over ‘til it’s over.” It also stands as an example for organizations fighting the good fight against hackers.

You see, hackers are persistent and patient. They know they’ll lose more often than they win, but the payoff when they do win — predicted to reach $6 trillion annually by 2021 — keeps them going. Unfortunately, we are too often blinded by short-term perspective when it comes to cyberdefense. We think that if a hacker succeeds in getting past our perimeter, we’re done for and we go into damage control mode. When we understand the way our opponent operates, however, we can shift our strategy to the long game because, as we’ve learned, there are numerous steps involved in a successful attack, and each gives us an opportunity to stop the hacker’s progress and win the game.

Read the full article at Forbes here

Tuesday, June 25, 2019

Advanced Persistent Threats: Calling The Hackers' Bluffs

In poker, the key to success is not just about the cards you hold; it's also about the cards you can make your opponent think you hold. Effective bluffing with a weak hand is a strategy that every card sharp learns to master in order to hold a psychological edge over the adversary, as an appearance of strength can provoke poor decision making. That kind of subterfuge has played out throughout the history of warfare, as well.

The Bible recounts the story of Gideon, who, with a Hebrew force of just 300 men, routed a force of over 100,000 thanks to a bold bluff. More recently, as the allied armies prepared to liberate Europe during World War II, General George Patton was given command of a "ghost army" that fooled the Germans into thinking the landings at Normandy were not Operation Overlord’s main invasion force, delaying reinforcements while the allies

Read the full article at Forbes here

Saturday, May 25, 2019

When Good Tech Goes Bad

Have you ever needed to troubleshoot an issue with your computer, and your IT services pro was able to get direct access to your system from somewhere else and tackle it from their computer? While they did so, you were able to see their pointer track across the screen and go through the steps needed until ... voila! They were done, and you were back in business.

That’s a convenient ability. Giving a trusted expert direct access to your computer to take care of technical issues is a great way to facilitate IT services and quickly solve problems. That kind of support, facilitated through what is known as Remote Desktop Protocol (RDP), has been a mainstay of technical and customer support organizations for years.

But what if that privileged access fell into the wrong hands and was abused? What if, instead of a trusted adviser, RDP was used by a criminal hacker?

Read the full article at Forbes here

Friday, March 1, 2019

Do You Do Security Due Diligence Before A Merger Or Acquisition?

If a thorough cybersecurity audit isn’t a part of your mergers and acquisitions due diligence process, I think it should be. I’m not talking about the kind of halfhearted scan that checks a box for the board of directors. There’s too much at stake to do anything less than a deep examination of all network and endpoint elements that can reveal undetected compromises and lurking threats.

Global mergers and acquisitions activity in the first three quarters of 2018 was valued at $3.3 trillion. That’s a lot of capital in play, and for every deal made, the due diligence process focuses on finances and compliance to ensure that the acquiring party knows as much about the target organization as possible. Due diligence is necessary to set a fair price, protect shareholder interests and establish confidence that the purchase makes sense — or not. Due diligence also gives management a basis from which to establish a strategy for successful business and market integration.

Read the full article at Forbes here

Wednesday, December 12, 2018

Staying One Step Ahead Of Criminal Hackers

In our efforts to stay one step ahead of the global criminal hacker cabal, my colleagues and I in the ethical hacker community try to approach our craft like our adversaries. To paraphrase Carl Spackler, we know that, in order to conquer the hacker, we have to learn to think like hackers. We’ve got to get inside the hacker’s pelt and crawl around. When you do that, you develop a begrudging respect for them.

In popular culture, however, criminal hackers can become mythologized, not unlike the way the bank robbers of old were. Despite their chosen professions, the likes of John Dillinger, Bonnie and Clyde, Baby Face Nelson and Ma Barker were sometimes regarded as modern-day Robin Hoods. They were the little guys taking on the rich and powerful with daring and panache. Even when caught, they’d often revel in the attention. When asked why he robbed banks, the infamous “Slick” Willie Sutton supposedly quipped, “Because that’s where the money is.”

That may have been true in the first half of the last century, but not anymore.

Read the full article at Forbes here