Category Archives: cloud computing

Seven Impactful Cyber-Tech Trends of 2020 and What it Means for 2021.

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic is partly the catalyst for most of these trends in conjunction with it being a presidential election year like no other. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig 1. Stock Mashup, 2020.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Advancements in communications technologies, the growth of large social media networks, and the “appification” of everything increases the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/18/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram. Yet even state-sponsored and private news organizations are increasingly the weapon of choice creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside. 

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace it and to stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting on Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions. 

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues – it is a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2020 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA, 12/22/2020). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2020 including misleading texts, e-mails, mailers, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap these disinformation bursts riled political opponents on both sides in all states creating miscommunication, ad hominin attacks, and even derailed careers (PBS, The Hinkley Report, 11/24/20). Moreover, huge swaths of confused voters aligned more with speculation and emotion/hype than unbiased facts. This dirtied the data in terms of the election process and only begs the question of which parts of the election information process are broken. This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Stalkerware Grows and Evolves Reducing Mobile Privacy:

The increased use of mobile devices in conjunction with the pandemic induced work from home (WFH) growth has produced more stalkerware. According to one report, there was a 51% increase in Android spyware and stalkerware from March through June, vs the first two months of the year (Avast, Security Boulevard, 12/02/20); and this is likely to be above a 100% increase when all data is tabulated for the end of 2020. Inspired by covert law enforcement investigation tactics, this malware variant can be secretly installed on a victim’s phone hiding as a seemingly harmless app. It is not that different from employee monitoring software. However, unlike employee monitoring software, which can easily be confused with this malware; stalkerware is typically installed by fake friends, jealous spouses and partners, ex-partners, and even concerned relatives. If successfully installed, it relays private information back to the attacker including the victim’s photos, location, texts, web browsing history, call records and more. This is where the privacy violation and abuse and/or fraud can start yet it is hard to identify in the blur of too many mobile apps.

3) Identity & Access Management (IAM) Scrutiny Drives Zero Trust:

The pandemic has pushed most organizations to amass WFH posture. Generally, this improves productivity making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities (Andrew Conway, Microsoft, 08/19/20). Zero trust moves organizations to a need to know only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), improved need to know policies, group membership reviews, and state of the art PAM tools for the next year.

4) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be revaluated.

5) Data Governance Gets Sloppy Amid Agility:

Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed banks were asked to accept Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories, and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics, although well-intentioned to make emergency response faster. It created sloppy data governance, as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.

6) The Divide Between Good and Bad Cloud Security Grows:

The pandemic has reminded us that there are two camps with cloud security. Those who have a planned option for bigger cloud-scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high – all of which could set such poorly configured cloud infrastructures up for future disasters.

7) Phishing Attacks Grow Exponentially and Get Craftier:

The pandemic has caused a hurricane of phishing emails that have been hard to keep up with. According to KnowBe4 and Security Magazine, there has been a 6,000% increase in phishing e-mails since the start of the pandemic (Stu Sjouwerman, KnowBe4, 07/13/20 & Security Magazine, 07/22/20). Many of these e-mails have improved their approach and design, appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year (Security Magazine, 07/22/20). With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased by 50% (Security Magazine, 07/22/20).

Take-Aways:

COVID-19 is the catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should to dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed and updated often – embracing need to know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud scale options and spend more on cloud trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.  IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur and senior management tech risk consultant. Over 15 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St Mary’s University of MN and MSST (Master of Science in Security Technologies) degree from the University of Minnesota.

Abstract Forward Podcast #10: CISO Risk Management and Threat Modeling Best Practices with Donald Malloy and Nathaniel Engelsen!

Fig. 1. Joe the IT Guy, 10/17/2018

Featuring the esteemed technology and risk thought leaders Donald Malloy and Nathaniel Engelsen — this episode covers threat modeling methodologies STRIDE, Attack Tree, VAST, and PASTA. Specifically, how to apply them with limited budgets. It also discusses the complex intersection of how to derive ROI on threat modeling with compliance and insurance considerations. We then cover IAM best practices including group and role level policy and control best practices. Lastly, we hear a few great examples of key CISO risk management must-dos at the big and small company levels.

Fig. 2. Pasta Threat Modeling Steps (Nataliya Shevchenko, CMU, 12/03/2018).

Donald Malloy has more than 25 years of experience in the security and payment industry and is currently a security technology consultant advising many companies. Malloy was responsible for developing the online authentication product line while at NagraID Security (Oberthur) and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs for both Philips Semiconductors (NXP) and Infineon Technologies. Malloy originally comes from Boston where he was educated and has M.S. level degrees in Organic Chemistry and an M.B.A. in Marketing. Presently he is the Chairman of The Initiative for Open Authentication (OATH) and is a solution provider with DualAuth. OATH is an industry alliance that has changed the authentication market from proprietary systems to an open-source standard-based architecture promoting ubiquitous strong authentication used by most companies today. DualAuth is a global leader in trusted security with two-factor authentication include auto passwords. He resides in southern California and in his spare time he enjoys hiking, kayaking, and traveling around this beautiful world.

Nathaniel Engelsen is a technology executive, agilest, writer, and speaker on topics including DevOps, agile team transformation, and cloud infrastructure & security. Over the past 20 years he has worked for startups, small and mid-size organizations, and $1B+ enterprises in industries as varied as consulting, gaming, healthcare, retail, transportation logistics, and digital marketing. Nathaniel’s current security venture is Callback Security, providing dynamic access control mechanisms that allow companies to turn off well-known or static remote and database access routes. Nathaniel has a bachelor’s in Management Information Systems from Rowan University and an MBA from the University of Minnesota, where he was a Carlson Scholar. He also holds a CISSP.

The podcast can be heard here.

More information on Abstract Forward Consulting can be found here.

Disclaimer: This podcast does not represent the views of former or current employers and/or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason-based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

Three Unique Tech Trends in 2017 and Implications for 2018

Minneapolis – 12/24/2017

Each year we like to review and commentate on the most impactful technology and business concepts that are likely to significantly impact the coming year. Although this list is incomplete, these are three items worth dissecting.

3. The Hyper Expansion of Cloud Services Will Spur Competition and Innovation:
Cloud computing is a utility that relies on shared resources to achieve a coherent economy of scales benefit – with high-powered services that are rapidly provisioned with minimal management effort via the internet (Fig. 1). It presently consists of these main areas: SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). It is typically used for technology tool diversification, redundancy, disaster recovery, storage, cost reduction, high powered computer tests and models, and even as a globalization strategy. Cloud computing generated about $127 billion in 2017 and is projected to hit $500 billion by the year 2020. At this rate, we can expect many more product startups and consulting services firms to grow and consolidate in 2018 as they are forced to be more competitive thus bringing costs down.

The line between local and cloud computing is blurry because the cloud is part of almost all computer functions. Consumer-facing examples include: Microsoft OneDrive, Google Drive, GMAIL, and the iPhone infrastructure. Apple’s cloud services are primarily used for online storage, backups and synchronization of your mail, calendar, and contacts – all the data is available on iOS, Mac OS, and even on Windows devices via the iCloud control panel.

Fig. 1. Linked Use Cases for Cloud Computing.
Cloud Infra

More business sided examples include: Salesforce, SAP, IBM CRM, Oracle, Workday, VMware, Service Now, and Amazon Web Services. Amazon Cloud Drive offers storage for music, images purchased through Amazon Prime, as well as corporate level storages that extends services for anything digital. Amazon’s widespread adoption of hardware virtualization, service-oriented architecture with automated utilization will sustain the growth of cloud computing. With the cloud, companies of all sizes can get their applications up and running faster with less IT management involved and with much lower costs. Thus, they can focus on their core-business and market competition.

The big question for 2018 is what new services and twists will cloud computing offer the market and how will it change our lives. In tackling this question, we should try to imagine the unimaginable. Perhaps in 2018 the cloud will be the platform where combined supercomputers can use quantum computing and machine learning to make key breakthroughs in aerospace engineering and medical science.  Additionally, virtual reality as a service sounds like the next big thing; we will coin it (VRAAS).

2. The Reversal of Net Neutrality is Awful for Privacy, Democracy, and Economics:
Before it was rolled back, net neutrality required service providers to treat all internet traffic equally. This is morally and logically correct because a free and open internet is just as important as freedom of the press, freedom of speech, and the free market concept. The internet should be able to enable startups, big companies, opposing media outlets, and legitimate governments in the same way and without favor. The internet is like air to all these sects of the economy and to the world.

Rolling back net neutrality is something the U.S. will regret in coming months. Although the implications of it are not fully known, it may mean that fewer data centers will be built in the U.S. and it may mean that smaller companies will be bullied out of business due to gamified imbalances of cost in internet bandwidth. Netflix and most tech companies dissented via social media resulting in viral support (Fig 2).

Fig 2. Viral Netflix Opposition to Rolling Back Net Neutrality.
Netflix Twitter

Lastly, it exacerbates the gap between the rich and the poor and it enables the government to have a stronger hand in influencing the tenor of news media, social norms, and worst of all political bias. As fiber optic internet connectivity expands, and innovative companies like Google, Twitter, and Facebook turn into hybrid news sources, a fully free internet is the best thing to expose their own excesses, biases, and that there are legitimate conflicting viewpoints that can be easily found.

1. Amazon’s Purchase of Whole Foods Tells Us the Gap Between Retailer and Tech Service Company is Closing:

For quite a long time I have been a fan of Amazon because they were anti-retail establishment. In fact, in Amazon’s early days, it was the retail establishment that laughed at them suggesting they would flounder and fail. “How dare you sell used books by mail out of a garage”. Yet their business model has turned more into a technology and logistics platform than a product-oriented one. Many large and small retailers and companies of all types – employ their selling, shipping, and infrastructure platform to the degree that they are, in essence, married to Amazon.

Magazine Business Insider said, “The most important deal of the year was Amazon’s $13.7 billion-dollar acquisition of Whole Foods. In one swoop, Amazon totally disrupted groceries, retail delivery, and even the enterprise IT market” (Weinberger, 12/17/17). The basis for this acquisition was that grocery delivery is underserved and has huge potential in the U.S. as the population grows, less people own cars, and people value not wasting time walking around a retail store so much (getting socialized to a new level of service) (Fig 3).

Fig. 3. How Amazon Can Use Whole Foods to Serve High Potential Grocery Delivery.
Amazon Whole Foods

By Jeremy Swenson and Angish Mebrahtu

Mr. Swenson and Mr. Mebrahtu meet in graduate business school where they collaborated on global business projects concerning leadership, team dynamics, and strategic innovation. They have had many consulting stints at leading technology companies and presently work together indirectly at Optum / UHG. Mr. Swenson is a Sr. consultant, writer, and speaker in: business analysis, project management, cyber-security, process improvement, leadership, and abstract thinking.  Mr. Mebrahtu is a Sr. developer, database consultant, agile specialist, application design and test consultant, and Sr. quality manager of database development.

 

 

Jeremy Swenson
Angish Mebrahtu