News from yesterday’s Cybersecurity Deep Dive

Author: Derek Kerton, Managing Partner of Kerton Group and Chairman of Telecom Council of Silicon Valley, @derekkerton

At our Cybercrime, Security, and Privacy Meeting, hosted by Microsoft, we had more than a full day’s worth of issues to tackle, and a half-day to cover them. Cybercrime, Security, and Privacy (CSP) are probably the hottest topics in tech this year. Just this week alone, we’re dealing with top headlines of the CISA Bill passing Congress, the UK ISP TalkTalk being hacked and held to ransom, the SXSW conference being cyberbullied into cancelling two panels, and a Raytheon JLENS military surveillance blimp going rogue on the eastern seaboard. CSP is dominating the news, not just the tech news.

Our meeting started with Glenn Colby, of L-3 Communications, taking on the role of Analyst to set the stage for the meeting. Glenn laid out the sheer scope and size of the threats to national security, corporate security, and privacy, and the data was daunting. According to Glenn, hacking tools, as a software sales category, make up an $11 billion industry. The threat is so real that it’s getting “meta”, like the film Inception: 1) Hacking Team, a group which sells surveillance tools to governments, was itself hacked; 2) SXSW was bullied into not talking about bullying. Among the insights L-3 shared with the audience was the notion of using classic warfare strategies against cyber-attacks, such as decoys, counter-attacks, and ideas as old as Sun Tzu.

Glenn’s speech segued nicely into the Keynote from Doug Clare, VP of Product Management at FICO. Doug drew on FICO’s many years of experience with the classic cybercrime target, credit cards. FICO uses analytics and real-time analysis to reduce fraud. Clare explained why a second-order level of intelligence is necessary to reduce false alarms: an unusual pattern may be noticed, but there may also be an unusual factor at play that means the original pattern is entirely legitimate. Example: a rush on gasoline purchases of over $100 might be considered fraud, but if there had been a news report predicting a gasoline price surge, it probably is not fraud. Clare explained how FICO has learned to reduce the risk of fraud while also reducing the inconvenience that false positives cause customers.
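As an added illustration in the spirit of that gasoline example (this is not FICO’s model or code from the talk), here is a two-layer scorer: layer 1 flags a transaction against the account’s own history, and layer 2 uses what every other account did in the same merchant category that day as the contextual signal in place of a news feed (an assumption made for this example), so a population-wide surge is treated as an exogenous event rather than fraud. The transactions are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    account: str
    category: str  # merchant category, e.g. "fuel"
    day: int       # constructed day index
    amount: float

def zscore(x, sample):
    return (x - mean(sample)) / (pstdev(sample) or 1.0)  # flat sample -> unit scale

def per_account_flags(history, txns, z=3.0):
    """Layer 1: flag an amount far above this account's own history in the category."""
    hist = defaultdict(list)
    for t in history:
        hist[(t.account, t.category)].append(t.amount)
    return [t for t in txns if (t.account, t.category) in hist
            and zscore(t.amount, hist[(t.account, t.category)]) > z]

def contextual_triage(txns, flagged, min_accounts=5, share=0.5, z=3.0):
    """Layer 2: if most active accounts in the same day/category were flagged too,
    an exogenous event (e.g. a price surge) explains the pattern; re-score the amount
    against its peers (leave-one-out) and keep only an outlier among the outliers."""
    by_key = defaultdict(list)  # (day, category) -> [(account, amount)]
    for t in txns:
        by_key[(t.day, t.category)].append((t.account, t.amount))
    decisions = {}
    for t in flagged:
        key = (t.day, t.category)
        n_active = len({a for a, _ in by_key[key]})
        n_flagged = len({f.account for f in flagged if (f.day, f.category) == key})
        surge = n_flagged >= min_accounts and n_flagged / n_active >= share
        peers = [amt for a, amt in by_key[key] if a != t.account]
        if not surge or (peers and zscore(t.amount, peers) > z):
            decisions[t] = "alert"
        else:
            decisions[t] = "suppressed: population-wide surge"
    return decisions

def build_sample():
    """Constructed data: 10 accounts buy ~$40 of fuel for 10 days; on day 10 eight
    of them rush to buy $120 and a8 spends $400; on day 11 a3 alone spends $150."""
    accts = [f"a{i}" for i in range(10)]
    history = [Txn(a, "fuel", d, 38.0 if d % 2 else 42.0) for a in accts for d in range(10)]
    day10 = [Txn(a, "fuel", 10, 120.0) for a in accts[:8]] + [Txn("a8", "fuel", 10, 400.0)]
    return history, day10 + [Txn("a3", "fuel", 11, 150.0)]
```

Layer 1 flags all nine day-10 purchases and the lone day-11 one; layer 2 suppresses the eight $120 purchases as a population-wide rush but keeps a8’s $400 (an outlier even among the rush) and a3’s solitary $150 as alerts.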

Andre Brisson of Whitenoise argued that existing 256-bit encryption is not as secure as we think, and proposed a different architecture. Brisson explained that PKI is 50 years old and more vulnerable than widely thought. He proposed DDKI, a Dynamic Distributed Key Infrastructure with one distributed key per individual, which would increase security while maintaining continuous identity management and provenance information.

To wrap up the meeting, some useful security advice for individuals:

  • Avoid being a target (don’t call unnecessary negative attention to your online self)
  • Use different IDs and passwords on different sites and accounts
  • Use encryption when the option is available, but never assume anything digital is completely secure

Advice for corporations:

  • Expect to get hacked. Have a reaction plan. Design technology to minimize impact.
  • Consider security at each phase of product design, not just as an afterthought
  • Build multi-layer security
  • Use conventional pattern-based threat detection, but don’t stop there, because these tools lag the newest threats
  • Incorporate real-time analytics to seek out unusual red-flag behavior
  • Take advantage of Big Data, machine learning, AI, and other modern technologies to identify threats
  • Getting users’ personal data may have positive ROI for advertising and personalization, but also has a cost in terms of liability. Reduce this risk by only storing the information that is truly useful. Don’t store data by default.
  • Anonymize users’ data whenever possible. Many times the informational value can be maintained even when disconnected from an individual identity.
  • Comply with lawful intercept, but only when required by a court order
  • State a privacy policy, make it clear, and stick to it

And congrats to each of the rapid fire pitch presenters for a job well done: Whitenoise, Mobolize, VisualThreat, ZeroDB, LoopAI, AnchorFree, Sift Security, and KoolSpan. Presentations are available in the Member’s Library.


1 Response

  1. Given the scope of the security threats we are facing we have to move the discussion beyond how to use passwords when they already are in use and it isn’t working – and when they can be eliminated altogether and replaced with continuous and dynamic, cryptographic one-time pad, one time-password authentication and unbreakable one-time-pad authenticated encryption.

    We have to understand that analytics for security is by definition subjective (<100% accurate), after-the-fact, personnel and processing intensive, and can only address a security problem or two at a time. Analytics is great for the right problems but shouldn’t be viewed as frontline security.

    Security across all threat vectors is possible only with a simple, objective, cryptographic solution that repairs the framework, imposes identity on persons and components and imposes provenance on data.

    If you are serious about your own security and that of your clients it takes a little study.

    The ultimate goal is to balance security and privacy issues and to simplify the implementation, scalability and interoperability of effective security.

    The demonstrations you SAW were both significant looks at the future of cryptography and the vulnerability of the cryptography we currently rely on.

    You saw a Whitenoise exponential key being made and used at lightning speed.

    You LEARNED the estimated time to break a 128-bit public key by brute force is supposed to take a billion-billion years.

    You SAW that an NIST recommended key strength of 128-bits that is “acceptable” through 2030 was broken in a second.

    Worse, we considered whether RSA-like semi-primes might be broken with a simple prime number dictionary attack since the Internet has lists of pre-calculated prime numbers that go up to 10 ^ 18.

    But it is not all bad news.

    Dynamic Distributed Key Infrastructures work seamlessly with your existing PKI and fix the asymmetric fatal flaws with a virtually manufactured and virtually provisioned framework that is invoked with a single call from single sign-on for continuous, secure network access and use.

    We encourage you to learn how DDKI and DIVA work and to download and conduct the demos you were shown at the Deep Dive yourselves.

    We would like to offer any TCSV member the chance to participate in your own, self-directed, unique pilot through the University of Victoria so that you can evaluate solutions to address your security needs at arm’s reach.

    (Please contact
