News from yesterday’s Cybersecurity Deep Dive
Author: Derek Kerton, Managing Partner of Kerton Group and Chairman of Telecom Council of Silicon Valley, @derekkerton
At our Cybercrime, Security, and Privacy Meeting, hosted by Microsoft, we had more than a full day’s worth of issues to tackle, and a half-day to cover them. Cybercrime, Security, and Privacy (CSP) are probably the hottest topics in tech this year. This week alone, we’re dealing with top headlines of the CISA Bill passing Congress, the UK ISP TalkTalk being hacked and held ransom, the SXSW conference being cyberbullied into cancelling two panels, and a Raytheon JLENS military surveillance blimp going rogue on the eastern seaboard. CSP is dominating the news, not just the tech news.
Our meeting started with Glenn Colby, of L-3 Communications, taking on the role of Analyst to set the stage for the meeting. Glenn laid out the sheer scope and size of the threats to national security, corporate security, and privacy…and the data was daunting. According to Glenn, hacking tools – as a software sales category – are an $11 billion industry. The threat is so real, it’s getting “meta” like the film Inception: 1) Hacking Team, a group which sells surveillance tools to governments, was itself hacked; 2) SXSW was bullied into not talking about bullying. Among the insights L-3 shared with the audience was the notion of using classic warfare strategies against cyber-attacks, such as the use of decoys, counter-attacks, and ideas as old as Sun Tzu.
Glenn’s speech segued nicely into the Keynote from Doug Clare, VP of Product Management at FICO. Doug drew on FICO’s years and years of experience with the classic cybercrime target, credit cards. FICO uses analytics and real-time analysis to reduce fraud. Clare explained that a second-order level of intelligence is necessary to reduce false alarms: an unusual pattern may be noticed, but an unusual factor may also be at play that means the original pattern is entirely legitimate. Example: a rush on gasoline purchases of over $100 might be considered fraud, but if there had been a news report predicting a gasoline price surge, it probably is not fraud. Clare explained how FICO has learned to reduce the risk of fraud while also reducing the inconvenience that false positives cause to customers.
Andre Brisson of Whitenoise showed us that existing 256-bit encryption is not as secure as we think, and he proposes a different architecture. Brisson explained that PKI was 50 years old, and more vulnerable than widely thought. He proposed DDKI (Dynamic Distributed Key Infrastructure), with one distributed key per individual, which would increase security while maintaining continuous identity management and provenance information.
To wrap up the meeting, some useful security advice for individuals:
- avoid being a target (calling unnecessary negative attention to your online self)
- use different IDs and passwords on different sites and accounts
- use encryption when that option is available, but still never fully expect anything digital to be completely secure.
Advice for corporations:
- expect to get hacked. Have a reaction plan. Design technology to minimize impact.
- consider security at each phase of product design, not just as an afterthought
- build multi-layer security
- use conventional pattern-based threat detection, but don’t stop there, because these tools lag the newest threats
- incorporate real-time analytics to seek out unusual red flag behavior
- take advantage of Big Data, machine learning, AI, and other modern technologies to identify threats
- Getting users’ personal data may have positive ROI for advertising and personalization, but also has a cost in terms of liability. Reduce this risk by only storing the information that is truly useful. Don’t store data by default.
- Anonymize users’ data whenever possible. Many times the informational value can be maintained even when disconnected from an individual identity.
- Comply with lawful intercept, but only when required by a court order
And congrats to each of the rapid fire pitch presenters for a job well done: Whitenoise, Mobolize, VisualThreat, ZeroDB, LoopAI, AnchorFree, Sift Security, and KoolSpan. Presentations are available in the Member’s Library.