Select Page

Month: December 2017

If 2017 could be described as ‘cyber-geddon’, what will 2018 bring?

Scenarios once the province of thriller writers are now anything but fiction in the world of cyber-security. That is the lesson of the past year. It’s a process one British official describes as “Hollywoodisation”. And if 2017 was notable for the escalation and the proliferation of cyber-attacks, it’s left everyone asking what will happen in 2018? The so-called WannaCry attack in May was perhaps the best example. The idea that we could see hackers – perhaps linked to Russia – steal code from America’s National Security Agency, publish it, and then have North Korean hackers repurpose it before using it to take down a significant part of Britain’s National Health Service, would previously have been dismissed as fantasy. And yet that is exactly what many people think happened. The best guess is in this case, the attack was actually a money-making scheme gone wrong, which spread far faster than expected. But it showed how ransomware – locking a machine – could be used as a weapon, and just how vulnerable many parts of our society are to this threat. The fear for the future is that more high-end attack tools could be stolen, shared and made use of. The other high-profile attack came the following month. Widely dubbed “NotPetya”, it hijacked the update service of a Ukrainian tax software firm that had to be used by everyone doing business in the country, and...

Read More

Baked-in cybersecurity approach needed to repel attacks

One of the more memorable conversations I had this year was with Tony Arcadi, associate CIO for enterprise infrastructure at the U.S. Department of the Treasury. I met him at Gartner’s annual gathering of IT leaders, Symposium/ITxpo, at Walt Disney World in October. We had a long discussion about new technologies such as blockchain, the cultural changes brought on by cloud computing and how plain exhausting it is to hike from one far-flung Disney resort to another in the Florida heat. Also, cake. Arcadi served up the baked confection as a metaphor for the cybersecurityapproach organizations should be taking in an age marked by increasingly sophisticated attacks. Cybersecurity should be present from the start of any tech initiative. “It’s not an ingredient you can add to the top; it’s not frosting on top of the cake,” Arcadi said. “It’s got to be an ingredient that you put in a cake and mixes in with all the other ingredients.” Cybersecurity should be blended into an organization’s operations — like an egg stirred into cake batter, Arcadi said — and everyone, not just the CISO and the IT security team, should work to maintain it. “I think that’s where we need to move our cyber to versus the current approach.” (Arcadi stressed that his remarks did not represent the views of his employer, the Treasury Department.) I spoke to Arcadi barely a month after credit-reporting...

Read More

Risk & Repeat: Cybersecurity predictions for 2018

As 2017 comes to a close after a tumultuous and eventful year, SearchSecurity editors stare into their crystal balls for some cybersecurity predictions for 2018. In this episode of the Risk & Repeat podcast, SearchSecurity editors Rob Wright and Peter Loshin discuss their expectations for next year. Their cybersecurity predictions for 2018 include forecasts for more sophisticated cryptojacking campaigns and big swings for the value of bitcoin, the potential for data breach notification legislation to be passed by Congress, severe penalties for a major American company that violates the European Union’s General Data Protection Rule and even more potent DDoS attacks generated by threats like the Mirai botnet. In addition, they address some pressing questions for the security industry, such as: Will an arrest or indictment be made in the case of the Shadow Brokers? When will the final specification of TLS 1.3 arrive? Will we finally find out who the creator of bitcoin...

Read More

The Disconnect Between Cybersecurity & the C-Suite

Most corporate boards are not taking tangible actions to shape their companies’ security strategies or investment plans, a PwC study shows.  Despite all the attention that massive hacks and other breaches have attracted in recent years, organizations everywhere still struggle to comprehend the scale of and manage emerging cyber-risks. Of the more than 9,500 senior executives in 122 countries who participated in PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, only 39% say they are very confident in their attribution capabilities — that is, their ability to detect and trace cyberattacks. As highlighted in the GSISS report, US infrastructure is still susceptible to what the World Economic Forum (WEF) deems in its Global Risk Report 2017as the prime business risk in North America: “large-scale cyber-attacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the internet.” “All organizations, no matter how prepared they think they might be, need to verify whether strategic cybersecurity goals are being executed,” Grant Waterfall, partner at PwC and global leader of its cybersecurity and privacy practice, told me in an interview. “The UN’s 2017 Global Cyber-Security Indexranks the United States among the member states most committed to cybersecurity, second only to Singapore. And yet the White House’s National Infrastructure Advisory Council wrote in an August 2017 report that many US infrastructure companies are not practicing basic cyber hygiene despite the availability of...

Read More

2017 in Review: Cyber-Security Funding Reveals Risks and Opportunities

There were no shortage of security vulnerabilities disclosed and companies breached in 2017. For venture capitalists, all that security news provided further incentive to invest in cyber-security startups, as the opportunity and demand for new technologies continued to grow. Over the course of the year, eWEEK has chronicled the flow of new money into cyber-security vendors in a series of end-of-the-month slideshows, listing the investments made. The companies that raised money in 2017 represent a diverse cross-section of technologies that serve to illustrate the different areas of demand for new types of cyber-security products and services. A few obvious trends emerge from looking at all the cyber-security vendors that raised money in 2017. The Internet of Things (IoT)  is one key area of investment where venture capitalists are placing their bets. Cloud security continues to be a hot area with multiple vendors raising new funds and the emerging world of container security was another area of active growth. The money that poured into cyber-security startups in 2017 varied based on the maturity of the company and the perceived market opportunity. While early-stage startups raised typically raised $5 million or less, there multiple vendors in 2017 that raised $100 million or more. The $100M Club Prior to 2017, there were few cyber-security vendors that had ever raised $100 million or more in a funding round. In contrast, over the course of 2017 at least...

Read More