The application of the Zero Trust concept in companies has matured as cyber threats have evolved. However, a recent Ponemon Institute survey indicates that a large share of companies still have doubts about how to correctly implement Zero Trust principles in their defense strategies. In this RedCast #84, Matheus Borges, our commercial director, and Milton Freitas Jr., our Service Delivery director, welcomed Tiago Couto, CISO of Grupo Accor for Latin America, and Robson Santos, cybersecurity manager at Livelo Brasil, to discuss the challenges of the journey of implementing the Zero Trust concept in companies.
IBM Security today released its annual Cost of a Data Breach Report, showing the global average cost of a data breach reached $4.45 million in 2023 - an all-time high for the report and a 15% increase over the last three years. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs and indicating a shift towards more complex breach investigations. According to the 2023 IBM report, businesses are divided in how they plan to handle the increasing cost and frequency of data breaches. The study found that while 95% of studied organisations have experienced more than one breach, breached organisations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%). The 2023 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 553 organisations globally between March 2022 and March 2023. The research, sponsored and analysed by IBM Security, was conducted by Ponemon Institute and has been published for 18 consecutive years. Some key findings in the 2023 IBM report include:
· AI Picks Up Speed - AI and automation had the biggest impact on speed of breach identification and containment for studied organisations. Organisations with extensive use of both AI and automation experienced a data breach lifecycle that was 108 days shorter compared to studied organisations that have not deployed these technologies (214 days versus 322 days).
· The Cost of Silence - Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.
· Detection Gaps - Only one third of studied breaches were detected by an organisation's own security team, compared to 27% that were disclosed by an attacker. Data breaches disclosed by the attacker cost nearly $1 million more on average compared to studied organisations that identified the breach themselves.
Elaine Hanley, Security Services, IBM Ireland, said: "Across the globe, and very similar to the UK, this report confirms what we are seeing as ordinary citizens in Ireland. Across all industries studied, customer personally identifiable information was the most commonly breached record type and the costliest. In Ireland, we are seeing a surge in phishing emails and texts in recent months. Globally, we are seeing that firms with a smaller number of employees were disproportionally affected by higher breach costs, which in the context of Ireland, means that most of the indigent industries operating here need to pay attention to cybersecurity. Globally, we saw that only about half of those who suffered a breach actually plan to invest more in their cybersecurity programme post-breach. The pandemic has accelerated digital transformation in Ireland, and although this can be seen as generally positive, it does incur additional cybersecurity risks. However, AI and automation had the biggest impact on speed of breach identification and containment for studied organisations. So now is the time to understand the technologies and strategies that best protect your data." Additional findings in the 2023 IBM Data Breach report include:
· Breaching Data Across Environments - Nearly 40% of data breaches studied resulted in the loss of data across multiple environments including public cloud, private cloud, and on-prem - showing that attackers were able to compromise multiple environments while avoiding detection. Data breaches studied that impacted multiple environments also led to higher breach costs ($4.75 million on average).
· Costs of Healthcare Breaches Continue to Soar - The average costs of a studied breach in healthcare reached nearly $11 million in 2023 - a 53% price increase since 2020.
Cybercriminals have started making stolen data more accessi...
For over 25 years Bryant has held responsibilities as an entrepreneur and senior executive in all aspects of risk management, including thought leadership in the area of cyber security, award-winning development of security solutions, and managing large global enterprises. Bryant has held executive leadership positions in multinational consulting firms and been involved in several startups. Recently he was the Chief Security Officer for CSC's Financial Services Group, securing 143 applications in 52 countries. Currently Bryant is the Chief Security Officer of Leapfrog Services. In that capacity he and his team assist clients with complete security programs spanning strategy, governance and operations, acting as CSO to help manage risk with our “Ring of Security” methodology. Bryant has served in several leadership positions across the security industry, including the Department of Homeland Security Sector Coordinating Council, ISSA, ISACA and InfraGard National Members Alliance board member and vice president. He is recognized as a Distinguished Fellow by the Ponemon Institute, the industry's leading research organization. Bryant has published several books and articles on cyber security topics and has received several awards, including the “Governor's Office of Homeland Security Award for Exceptional Contribution in Recognition of Outstanding Support of Tennessee's Counter Terrorism Program.” Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/ Support the show on Patreon: https://patreon.com/mspradio/ Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on: Facebook: https://www.facebook.com/mspradionews/ Twitter: https://twitter.com/mspradionews/ Instagram: https://www.instagram.com/mspradio/ LinkedIn: https://www.linkedin.com/company/28908079/
IBM and the Ponemon Institute have reported that the average breach cost in 2022 was $4.24 million. If that is used as a rough estimate, data breaches in state and local governments can be very expensive. There is a lot at risk and budgets are tight. State and local governments really have to look at leveraging what funds they have. Today's discussion provides recommendations for sources of information on hardening systems, coming up with action plans, and the role of insurance. There is no lack of help if you are seeking guidance when it comes to making your system secure. Guides from CISA and NIST give specific information. Most suggest starting with an accurate evaluation of what is on your system. There may be situations where people sign up for services with a credit card without informing system managers. System surveys are difficult when one has to look for shadow IT. Action plans normally start with ways to respond to an incident. One weakness in a backup playbook is the time it takes to restore one system vs. ten systems. System managers may have to get ideas on unexpected circumstances. Best practice is to harden your system and have an action plan. The unintended benefit of documenting your security is qualifying for cyber insurance. Risk assessment can vary with the size of the organization. Insurers try to limit exposure – excluding certain events. One certain bet is that it will become more and more expensive to get cyber insurance. You may not realize that a cyber insurance package can be an 11-page application covering the entire system – every environment will have a different footprint. Tony Lauro of Akamai mentions that an insurance plan must never be considered to be a substitute for a hardened system.
According to PwC, “only 33% of directors say they think their board understands the company's cybersecurity vulnerabilities very well.” This comes as no surprise given 63% of CISOs don't report to the board at all, according to a Ponemon Institute report. This general lack of top-down cybersecurity knowledge, or even desire to understand, makes a CISO's job extraordinarily difficult. So, vulnerabilities amass and organizations are left flat-footed when those vulnerabilities get exploited. Now is the time to bridge the gap between CISOs and the board by elevating the security and operational benefits of Zero Trust principles across the greater organization to build a culture of readiness and resilience. Guests: Jawahar Sivasankaran, President and COO, Appgate; Leo Taddeo, CISO, Appgate and President, Appgate Federal. Moderator: George Wilkes, VP of Demand Generation, Appgate
Every year we review the Ponemon Institute's Cost of a Data Breach report. It's always interesting because we learn that it's not just about the money. We learn what really makes a difference in our privacy and security program, what we can do that can make the biggest positive impact on the overall cost of a data breach and, more importantly, what things make the biggest negative impact. More info at HelpMeWithHIPAA.com/375
Guest post by Lee Bristow, Chief Technology Officer at Phinity Integrated Risk Management As the value of personal data increases, so too does the consequence of data breaches. The responsibility of ensuring client and supplier data is kept safe, has become tantamount to a bank securely holding our cash. This is an ethical Catch-22. The business case for ethics and robotics Most businesses, from global giants to SMEs, are more reliant on third parties to provide core business services. This is dependent on the sharing of essential client data with these parties. Hence, as a user, when signing away your data, you could be handing it over to unknown entities. Who is responsible for this data? A client signs a deal with the contracting company, and it's up to them to take ethical and legal responsibility to protect their clients' information. It's also the contracting business that will shoulder the dire consequences of resulting bad press and reputational damage for compromised data. It's no longer time that's money Data leads to money, one way or another. The old chestnut that ‘data is the new oil' springs to mind. As data value increases, so too does its desirability. More people want it. And more people are willing to go to criminal lengths to get it. The convenience that the internet offers to us average users has also created leverage for scoundrels, who don't even need to organise a getaway car anymore. Bonnie and Clyde robbing banks have been replaced with scammers and hackers hidden deep within the internet. Data is less secure than ever April 2020 saw an unusually high increase in cyber-attacks as people worked remotely, thanks to Covid. In that year, there was a general upsurge in data security breaches in the EU and UK of 10% (Lexology). A survey in 2021 by the Ponemon Institute found that 51% of organisations experienced a data breach caused by third parties, resulting in the misuse of sensitive data. 
There's no doubt that using third parties massively increases risk. And as more operations are outsourced, the complexity of relationships intensifies. So you've got a wobbly combination of greater relationship complexity and increased risk. Third party risk management (TPRM) Historically, the procurement department was responsible for third party contracts. Made sense. But as the convolutions of these relationships become ever more intricate, and the risks spread their tendrils across the organisation, does it still do so? An example of this was one of South Africa's largest banks, Nedbank. Using the services of SMS marketing provider, Computer Facilities, it experienced a data breach affecting 1.7 million of Nedbank's clients. While the press pointed at Nedbank, it wasn't in fact the bank's information security provision that was at fault. However, Nedbank had engaged the supplier. This begs the question: who was accountable? IT? Procurement? Marketing? Client services? The list goes on. It's no longer just one division's problem. From an information security issue, TPRM has become a privacy issue. Large organisations tend towards rigidity in managing third parties. Their size simply doesn't allow for flexibility in dealing with smaller start-ups. The only mitigation here, really, is a more ethical attitude towards TPRM, and the use of automation. More than just the law While legal contracts are essential to third party relationships, they won't repair the damage when the horse has bolted. There are a few considerations when looking at mitigation strategies for data breaches: organisation size, jurisdiction, and types of service being supported. Organisations must do thorough due diligence on third party vendors, which it seems they're not. In the Ponemon survey, it was found that 51% of companies had not been assessing security and privacy practices and processes before granting access to sensitive and confidential data.
Deloitte ran some research on the current approaches to TPRM and the findings are grim. Fo...
Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so. Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution… It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.” The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win. If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good right? 
That is the focus of today's show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security. Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches. At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner. The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don't know how to do the task at hand. Here, communications are important, but also skills training. Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.
If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity or lower your costs. At the top of the resistance pyramid are the people who are unwilling. These individuals don't want to change. We might call these folks the curmudgeons that say we tried it before, and it doesn't work. Or I'm too old to learn that. If you want to change these individuals and the culture of an organization, then you need to create motivation. As leaders, our focus to stimulate change will be to focus on communicating, educating, and motivating. The first thing that we need to communicate is the Why. Why is Secure Software Development important? The answer is money. There are a variety of studies that have found that when software vulnerabilities get detected in the early development processes, they are cheaper to fix than later in the production phases. Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test phase was $960, and in the Production phase was $7,600. Think of that difference. $80 is about 1% of $7,600. So if a developer finds bugs in the development code then they don't just save their time, they save the time of a second developer who doesn't have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of another tester who has to create regression tests which fail, they save the time of a wasted change approval board on a failed release, and they save the customer representatives' time who will respond to customers when the software is detected as having issues. As you see there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway. Saving their own time is something that will directly appeal to every development team member.
To do this we need to do something called Shift Left Testing. The term shift left refers to finding vulnerabilities earlier in development. To properly shift left we need to create two secure software development programs. The first program needs to focus on the processes that an organization needs to follow to build software the right way. This is something you have to build in house. For example, think about how you want software teams to create a network diagram that architects can look at in your organization. Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down. Think about how a developer needs to get a DNS entry created for new websites. Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.). Think about how developers should retire servers at the end of life. These practices are unique to your company. They may require a help desk ticket to make something happen or, if you don't have a ticketing system, an email. We need to document all of these in one place where they can be communicated to the staff members who will be following the processes. Then our employee has a checklist of activities they can follow. Remember, if it's not in the checklist, then it won't get done. If it doesn't get done, then bad security outcomes are more likely to happen. So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company. You can place this knowledge into a wiki article, a SharePoint site, a Confluence page, or some kind of website. Make sure to communicate this frequently. For example, have the CIO or CISO share it at the IT All Hands meeting. Send it out in monthly newsletters. Refer to it in security discussions and architecture review boards.
The more it's communicated, the more unknowing employees will hear about it and change their behavior. The second program that you should consider building is a secure code training platform. You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Codebashing. These secure code training solutions are usually bought by organizations instead of being created in-house. They teach developers how to write more secure code. For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?" If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code. Make these types of training programs available to every developer in your company. Lastly, we need to find a way to motivate the curmudgeons. One way to do that is the following: Let's say you pick one secure coding platform and create an initial launch. The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200. This perk might get a lot of people interested in the platform. You might even get 10-20% of your organization taking the training in the first quarter of the program. The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers. Guess what? You will see more and more people taking the training class. Perhaps you see that 50% of your developer population becomes certified. Then the following year you say that since so many developers are now certified, to achieve the rank of Senior Developer within the organization it is now expected to pass this training. It becomes something HR folks look for during promotion panels.
This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledgebase. Here's a pro tip: Be sure to create some kind of badges or digital certificates that employees can share. You might even hand out stickers upon completion that developers can proudly place on their laptops. Simple things like this can increase visibility. They can also motivate people you didn't think would change. Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste. Do you know what developers hate? Well, other than last-minute change requests. They hate inefficiencies. Imagine if you get a vulnerability that says you have a bug on line 242 in your code. So you go to the code, and find there really isn't a bug, it's just a false positive in the tool. This false bug detection really, well, bugs developers. So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool. One way to do this is to run the tools you are considering against the OWASP Benchmark. (We have a link to the OWASP Benchmark in our show notes.) The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code. In reality, testing tools find both good code and bad code. These results should be compared against the ground truth data to determine how many true/false positives were found. For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate then that means the tool pretty much reports everything is vulnerable. This means valuable developer time is wasted and they will hate the tool despite its value. If the tool has a 50% True Positive Rate and a 50% False positive rate, then the tool is essentially reporting randomly. 
Once again, this results in lost developer confidence in the tool. You really want tools that have high True Positive Rates and low False Positive Rates. Optimize accordingly. Another developer inefficiency is the number of tools developers need to leverage. If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, WebInspect for DAST findings, Prisma for Container findings, and TruffleHog for Secrets scanning, it becomes a burden. If ten systems require two minutes of logging in and setup each, that's twenty minutes of unproductive time. Multiply that time by the number of developers in your organization and you can see just how much time is lost by your team just to get set up to perform security checks. Let's provide convenience and make development faster. We can do that by centralizing the security scanning results into one tool. We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab. This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place. This means that they are more likely to make those fixes since they actually see them. You can provide this type of view to developers by buying tools such as GitHub Advanced Security. Now this won't provide all of your security tools in one place by itself. You still might need to show container or cloud findings which are not in GitHub Advanced Security. But this is where you can leverage your Source Code Repository's native CI/CD tooling. GitHub has Actions and GitLab has Runners. With this CI/CD function developers don't need to go to Jenkins and other security tools. They can use a GitHub Action to integrate Container and Cloud findings from a tool like Prisma. This means that developers have even fewer tools from a CI/CD perspective as well as less logging into security tools. Therefore, convenience improves.
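The tool-evaluation idea above (score a scanner against a deliberately vulnerable benchmark by comparing its findings to ground truth) is easy to get wrong if you only count how many things a tool flags. Here is an added example, not code from CISO Tradecraft or from the OWASP Benchmark project, that scores constructed tool results against a constructed ground-truth set. The test-case names and the three tools' outputs are made up; the scoring mirrors the Benchmark's approach of reporting a True Positive Rate, a False Positive Rate, and their difference (TPR minus FPR), so that a tool that flags everything and a tool that flags at random both land near zero.

```python
"""Score static-analysis tools against ground-truth labelled test cases.

Added example; all test cases and tool outputs below are constructed.
A test case is "vulnerable" (the scanner should flag it) or "safe" (a
flag is a false positive). The score is TPR - FPR, as used by the
OWASP Benchmark, so flag-everything and flag-nothing both score 0.
"""
from dataclasses import dataclass

# Constructed ground truth: test case name -> True if truly vulnerable.
GROUND_TRUTH = {
    "sqli-01": True, "sqli-02": True, "xss-01": True, "cmdi-01": True, "pathtrav-01": True,
    "sqli-safe-01": False, "xss-safe-01": False, "cmdi-safe-01": False,
    "pathtrav-safe-01": False, "crypto-safe-01": False,
}

# Constructed scanner outputs: the set of test cases each tool flagged.
TOOL_FLAGS_EVERYTHING = set(GROUND_TRUTH)  # noisy tool: every case is "vulnerable"
TOOL_FLAGS_NOTHING = set()                 # silent tool: never reports anything
TOOL_USEFUL = {"sqli-01", "sqli-02", "xss-01", "cmdi-01", "xss-safe-01"}  # 4 TP, 1 FP


@dataclass(frozen=True)
class Scores:
    tp: int
    fp: int
    fn: int
    tn: int
    tpr: float   # tp / (tp + fn): share of real vulnerabilities found
    fpr: float   # fp / (fp + tn): share of safe code wrongly flagged
    score: float  # tpr - fpr, rounded to avoid float noise


def score_tool(ground_truth, flagged):
    """Build the confusion matrix for one tool and derive TPR, FPR and score."""
    tp = fp = fn = tn = 0
    for case, is_vuln in ground_truth.items():
        hit = case in flagged
        if is_vuln and hit:
            tp += 1
        elif is_vuln and not hit:
            fn += 1
        elif not is_vuln and hit:
            fp += 1
        else:
            tn += 1
    tpr = tp / (tp + fn) if (tp + fn) else 0.0
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return Scores(tp, fp, fn, tn, tpr, fpr, round(tpr - fpr, 4))


def rank_tools(ground_truth, tools):
    """Return tool names ordered from best to worst score (highest TPR - FPR first)."""
    scored = {name: score_tool(ground_truth, flagged) for name, flagged in tools.items()}
    return sorted(scored, key=lambda n: scored[n].score, reverse=True)


if __name__ == "__main__":
    tools = {
        "flags-everything": TOOL_FLAGS_EVERYTHING,
        "flags-nothing": TOOL_FLAGS_NOTHING,
        "useful": TOOL_USEFUL,
    }
    for name in rank_tools(GROUND_TRUTH, tools):
        s = score_tool(GROUND_TRUTH, tools[name])
        print(f"{name:18s} TPR={s.tpr:.2f} FPR={s.fpr:.2f} score={s.score:+.2f}")
```

Running it shows why the episode's "90% TPR and 90% FPR" tool is useless: the flag-everything tool has a perfect TPR and a perfect FPR, which net to a score of zero, while the constructed "useful" tool with 80% TPR and 20% FPR scores 0.6 and ranks first. Beyond the single benchmark case the episode describes, the same function works for any labelled corpus of your own test cases.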
Now look at it from a longer perspective. If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce. This could be reviewed at the Change Approval Board. You could also fast-track developers who are coding securely. If a developer has zero findings observed in GitHub, then that code can be auto-approved for the Change Approval. However, if you have high/critical findings then you need manager approvals first. These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022). This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings. Another key way we can make software faster is by performing value stream mapping exercises. Here's an example of how that reduces waste. Let's say from the time Nessus finds a vulnerability there are actually fifteen steps that need to occur within an organization to fix the vulnerability. For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc. Each of these fifteen steps takes time and often requires different handoffs between teams. These activities often mean that things sit in queues. This can result in waste and inefficiencies. Have your team meet with the various stakeholders and identify two time durations. One is the best-case time for how long something should go through in an optimal process. The second is the average time it takes things to go through in the current process.
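The change-approval rule the episode sketches (zero open findings means auto-approve, any open high or critical finding means a manager must sign off, anything else goes to the normal board) is small enough to codify as a pipeline gate. The following is an added example, not code from CISO Tradecraft or from GitHub; the alert records are constructed, and their field names (`state`, `rule.security_severity_level`) are an assumption modelled on the shape of GitHub's code scanning alerts API, so check them against the API documentation before wiring this into a real pipeline.

```python
"""Decide a change-approval path from a repository's code scanning alerts.

Added example with constructed input. The alert shape is an assumption
modelled on GitHub's code scanning alerts API: each alert has a "state"
(open / fixed / dismissed) and a "rule" with "security_severity_level"
(low / medium / high / critical).
"""
import json

AUTO_APPROVE = "auto-approve"          # no open findings: skip the approval meeting
MANAGER_APPROVAL = "manager-approval"  # open high/critical: a manager signs off first
STANDARD_REVIEW = "standard-review"    # open low/medium only: normal change board review

BLOCKING_SEVERITIES = {"high", "critical"}

# Constructed sample payloads (not real API output).
ALERTS_CLEAN = json.dumps([
    {"number": 1, "state": "fixed", "rule": {"id": "js/sql-injection", "security_severity_level": "high"}},
    {"number": 2, "state": "dismissed", "rule": {"id": "js/log-injection", "security_severity_level": "medium"}},
])
ALERTS_WITH_CRITICAL = json.dumps([
    {"number": 3, "state": "open", "rule": {"id": "js/code-injection", "security_severity_level": "critical"}},
    {"number": 4, "state": "open", "rule": {"id": "js/unused-variable", "security_severity_level": "low"}},
])
ALERTS_LOW_ONLY = json.dumps([
    {"number": 5, "state": "open", "rule": {"id": "js/unused-variable", "security_severity_level": "low"}},
    {"number": 6, "state": "open", "rule": {"id": "js/missing-rate-limiting", "security_severity_level": "medium"}},
])


def open_alerts(alerts_json):
    """Return only alerts that are still open; fixed and dismissed ones do not block."""
    return [a for a in json.loads(alerts_json) if a.get("state") == "open"]


def severity_of(alert):
    """Read the severity, defaulting to 'unknown' so a malformed alert never auto-approves."""
    return (alert.get("rule") or {}).get("security_severity_level", "unknown")


def approval_path(alerts_json):
    """Map the open alerts to one of the three approval paths from the episode."""
    opened = open_alerts(alerts_json)
    if not opened:
        return AUTO_APPROVE
    # Treat an unknown severity as blocking: a gate should fail closed, not open.
    if any(severity_of(a) in BLOCKING_SEVERITIES | {"unknown"} for a in opened):
        return MANAGER_APPROVAL
    return STANDARD_REVIEW


def blocking_alert_numbers(alerts_json):
    """List alert numbers a manager must look at, for the approval ticket."""
    return [a["number"] for a in open_alerts(alerts_json)
            if severity_of(a) in BLOCKING_SEVERITIES | {"unknown"}]


if __name__ == "__main__":
    for label, payload in (("clean", ALERTS_CLEAN), ("critical", ALERTS_WITH_CRITICAL),
                           ("low-only", ALERTS_LOW_ONLY)):
        print(f"{label:9s} -> {approval_path(payload)} blocking={blocking_alert_numbers(payload)}")
```

Two design choices matter for a gate like this: only open alerts count, so a dismissed or fixed finding does not hold up a release, and an alert whose severity cannot be read is treated as blocking rather than ignored, so a parsing problem fails closed.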
At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days. This insight can show you where you are inefficient. You can identify ways to speed up from ninety to twenty days. If you can do this faster, then developer time is gained. Now, developers don't have to wait for things to happen. Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster. OK, last but not least is making software better by increasing security. At the end of the day, there are many software activities that we do which provide zero value to the business. For example, patching operating systems on servers does not increase sales. What makes the sales team sell more products? The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell. Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems? No, we did not. We are saying patching operating systems is not a value-add exercise. Here's what we do recommend. Ask every development team to identify what maintenance activities they perform, like patching. Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement. You know the ones: solutions still running via on-premises VMware software, software needing monthly Java patching, and software where, if the wind blows the wrong way, you have an unknown error. These systems are ripe for replacement. It can also be a compelling sell to executives. For example, imagine going to the CIO and CEO of Acme corporation. You highlight that the Acme app is run by a staff of ten developers who, fully loaded, cost about $250K each.
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees. You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach the team could lower maintenance activities from 80% to 30%. This means that the maintenance costs would decrease from $2 million to $750K each year. Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year. (No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.) Now if you just did a lift and shift to AWS and ran the servers on EC2 or ECS, then you still have to patch the instance operating systems, middleware, and software -- all of which is non-value add. This means that you won't reduce the maintenance activities from 80% to 30%. Don't waste developer time on these expensive transition activities; you're not going to come out ahead. Now let's instead look at how to make that maintenance go away by switching to a serverless approach. Imagine if the organization rewrote the VMware application to run on either:
· A third party hosted SaaS platform such as Salesforce or Office 365, or
· A serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a database, and DynamoDB to store data for the application.
This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.
It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level. This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability. This serverless approach truly is better and more secure. There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC2 servers to Lambda for their Credit Offers Application Interface. The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers. Capital One uses this newfound developer time to innovate, create, and expand on business requirements. So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business.

Let's recap. World class CISOs create a world class software development organization. They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices. World class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers, which means time savings in not weeding out false positives. Developers live in source code repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police. World class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient.
Finally, world class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game. These CISOs partner with the business to focus on finding systems that, when re-architected to become serverless, increase performance gains, promote cost savings, and increase developer velocity.

We appreciate your time listening to today's episode. If this sparks a new idea in your head, please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment. We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft. This is G. Mark Hardy, and until next time, stay safe out there.

References
https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/
https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/
Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass
https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change
Ponemon Institute and IBM. (2017). The State of Vulnerability Management in the Cloud and On-Premises
https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/
https://www.securecodewarrior.com/
https://www.securityjourney.com/
https://checkmarx.com/product/codebashing-secure-code-training/
https://owasp.org/www-project-benchmark/
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f
A new Ponemon Institute study reveals that, as cloud adoption grows across diverse environments, 60% of IT and security leaders aren't confident that their organization can ensure secure access to cloud environments. Dr. Larry Ponemon, the institute's founder and chairman, illuminates key findings from the Global Study on Zero Trust Security for the Cloud, including factors that make cloud security complex and how Zero Trust security can mitigate distributed infrastructure risks and accelerate cloud transformation objectives. Get a copy of the Global Study on Zero Trust Security for the Cloud here.
Guest: Larry Ponemon, Chairman and Founder of the Ponemon Institute
Moderator: George Wilkes, VP of Demand Generation, Appgate
This week on the podcast we discuss the shifting landscape of phishing attacks in the wake of Microsoft's efforts to block malicious Office macros. We then cover a private organization that has been found not just selling exploit tools but also participating in offensive cyber operations. We end the episode with a review of IBM and the Ponemon Institute's Cost of a Breach Report for 2022.
This week our guest is Keith Cheresko, Principal of Privacy Associates International LLC and former general counsel of the Ponemon Institute, a privacy research organization, to discuss the increasing tangle of contractual compliance obligations in privacy laws. From mandated contractual obligations to standard contract clauses for forward transfers, companies are finding it increasingly difficult to manage — and meet — contractual obligations associated with privacy laws and regulations.
We are joined by Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute and considered a pioneer in privacy auditing. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. He was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was also appointed to two California State task forces on privacy and data security laws. There has always been speculation that the global COVID-19 pandemic forced many IT departments into a scramble and forced the issue of many cloud application migrations, often way earlier than planned, to support ongoing business operations. But to what extent and to what benefit has always been a guess, until now. Anitian and the Ponemon Institute teamed up and implemented a study to help quantify exactly this. You can download the full report at www.anitian.com/ponemon. The Security on Cloud podcast is brought to you by Anitian, the leading cloud security and compliance automation provider delivering the fastest path to security and compliance in the cloud.
Five Minute Forecast for the week of January 31st. All the cyber security news you need to stay ahead, from Proofpoint's Protecting People podcast.
The U.K. echoes U.S. warnings over destructive cyber attacks
A prominent banking Trojan gains some new defensive tricks
U.S. consumers lose over $700 million to social media fraud
Joining us is founder and chairman of the Ponemon Institute, Larry Ponemon, to discuss the growing cost of insider threats.
Of course, every week should be "data privacy week", but we do set aside a specific time each year to focus on privacy, particularly educating as many people as possible about it. Until this year, we only dedicated one day to this, but as of 2022 it's been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I'm going to prep you for it with several of my top privacy protection tips! In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit at the United States' request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing drivers' biometric information without consent; lawmakers propose legislation to simplify and standardize terms of service agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about in relation to privacy and what they feel should be done about it.
Article Links
Using Foreign Nationals to Bypass US Surveillance Restrictions: https://www.schneier.com/blog/archives/2022/01/using-foreign-nationals-to-bypass-us-surveillance-restrictions.html
Russia's FSB says it has taken down REvil hacker group at US request: https://www.theverge.com/2022/1/14/22883675/russia-fsb-revil-hacker-group-ransomware-us-request-fbi-doj
VICTORY: Google Releases "disable 2g" Feature for New Android Smartphones: https://www.eff.org/deeplinks/2022/01/victory-google-releases-disable-2g-feature-new-android-smartphones
Class action: Subaru DriverFocus system improperly scans driver's faces, eyes: https://cookcountyrecord.com/stories/613746211-class-action-subaru-driverfocus-system-improperly-scans-driver-s-faces-eyes
Lawmakers Come After Companies' Terms of Service With New TLDR Bill: https://www.gizmodo.com.au/2022/01/lawmakers-come-after-companies-terms-of-service-with-new-tldr-bill/
New Ponemon Institute Report Indicates Major Consumer Privacy Gap: https://www.cpomagazine.com/data-privacy/new-ponemon-institute-report-indicates-major-consumer-privacy-gap/
Further Info
Data Privacy Week: https://staysafeonline.org/data-privacy-week/about-dpw/
My Data Privacy checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
DNA service impacts: https://thenib.com/its-all-relatives/
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Hunting for Stingrays podcast: https://podcast.firewallsdontstopdragons.com/2021/04/19/hunting-for-stingrays-part-1/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
If you own a cannabis-based company there's a good chance you've never thought about cyber security. In this interview with Scott Lyons, CEO & Co-founder of Red Lion, he discusses how data is the new gold. Scott is a "white hat" hacker who is bringing cyber security to the cannabis industry. Why does cyber security matter to cannabis companies, from the smallest operator to the largest enterprise? Are you aware of how much data about you and your company is being leaked right now? The cannabis industry needs to stay ahead of the hackers. The cannabis industry is booming, with new businesses being created every day. New businesses are ideal targets for cyberattacks because they are not aware of potential threats, and it can take time before they realize they should put cyber security best practices in place. What would be the impact to your business if a cybercriminal was able to attack successfully? A study by IBM and the Ponemon Institute determined that the average cost of a data breach exceeded $3 million. Plus, there is the potential to lose trade secrets, millions of dollars in lost cannabis crops, a data breach of customers' sensitive information, ransomware attacks, and much more. Check out this podcast to learn the best practices to keep your cannabis company safe.
About Red Lion: Red Lion offers a wide range of cyber security consulting services. Visit their website for information: www.redlion.io
Red Lion - Home (facebook.com)
Red Lion Twitter
Is your business website protected? This is a question many small business owners don't ask themselves, but these days it is essential because of the dangers that exist in the digital world and that can seriously affect your online business. To convert website visitors into paying customers, you need to show them that your page is secure against hackers, recommends the Better Business Bureau (BBB). To that end, the nonprofit presents five reasons why an insecure website is bad for your business:

1. Internet browsers flag your website as a security threat. A valid TLS/SSL certificate tells browsers that your website meets standard security protocols. Without it, website visitors don't see a polished home page; instead they hit a message warning them that they could be exposed to phishing. Customers won't risk losing money or having their identity stolen in order to use your website, so this warning is enough to drive potential customers away from your site for good, the BBB notes.

2. Customers fall victim to scammers. According to the BBB, an expired TLS certificate puts your customers at risk of fraud and identity theft. The certificate does more than keep your website free of warning messages; it also helps protect against some of the biggest digital threats: hackers and impostors. It does this by verifying your website's identity and encrypting sensitive information. When a TLS certificate expires, user data is at risk of exposure and you are more vulnerable to scammers who can use your business identity to rob your customers. Shoppers who access and use impostor websites could have their identity stolen, their financial information compromised, and even lose money to scammers. If an impostor uses your company's identity, customers will associate that negative experience with your company.

3. Your business reputation suffers. If the first thing a customer sees when visiting your website is a warning, they will immediately identify your company as untrustworthy. Even if you act quickly to fix the security lapse, trust with that customer is likely lost forever, according to the BBB, which cites a Ponemon Institute study estimating that a third of visitors refuse to return to a website where security has failed.

4. You lose the trust of established customers. "Customers quickly trust businesses they have dealt with in the past, and scammers know it. An existing customer who falls victim to identity theft through your business is likely to take their business (and their referrals) elsewhere, jeopardizing the 25% increase in sales that customer loyalty provides your business," the organization notes.

5. Shoppers take their business to the competition instead. Ultimately, the result of letting your TLS certificate expire at any point could be significant damage to your reputation, sales, and customer loyalty, the BBB warns. "Every customer you lose because of an expired certificate is a customer your competition could win. To set your business up for long-term success, you must take data security seriously and get ahead of any potential risk."

On its website, the BBB offers a series of cybersecurity resources.
Rebecca Herold is CEO and co-founder of Privacy and Security Brainiacs. She's also a Ponemon Institute fellow and the CEO and founder of Rebecca Herold LLC, a cloud-based privacy and security firm. She is currently finishing her 20th published book on information security and privacy. In this episode of Cybersecurity Unplugged, Herold discusses:
The gap in cybersecurity education and how to incorporate information and cybersecurity, as well as privacy, into public school curriculum;
How to fully and successfully address privacy, whether from the lens of compliance, governance, or the intersection between the need for privacy and the need for security;
The Internet of Medical Things, deadly exposure of connected medical devices, and predictions for the future of medical device security.
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
Largest ransomware attack on record impacts 1,500 businesses via third-party Kaseya supply chain breach over the holiday weekend
Several large ransomware providers call it quits due to increased scrutiny and pressure
Ransomware attack on Ireland health system exceeds $600m in costs and remains active six weeks into the attack
Ukrainian police arrest members of CLOP ransomware gang
NIST releases draft guidance for Ransomware Risk Management & CISA releases a ransomware self-assessment tool
President Biden's summit with Vladimir Putin and directive for a "no hack" list of US critical infrastructure
DOJ charges network security executive with hacking a Georgia health system for personal gain
One billion CVS records exposed in cloud configuration error breach
Details of the Ponemon Institute's new third-party cloud compromise report
OIG and FDA updates on medical device security guidance and new GAO cybersecurity recommendations
Bipartisan data breach notification bill drafted which includes a 24-hour breach notification requirement
Meditology Services was ranked the #1 healthcare security and privacy consulting firm according to a new survey reported by Becker's and Healthcare IT Security magazines
What would you do if your digital assets stopped talking to each other? Are you confident that you could find them all if they vanished from a network map, from large machines to tiny remote sensors? Ellen Boehm is VP of IoT strategy and operations at Keyfactor, which along with the Ponemon Institute recently released the first-ever State of Machine Identity Management report. Ellen spoke recently with Plant Services Chief Editor Thomas Wilk about how this new dimension of asset management is expanding traditional maintenance responsibilities.
There has always been a need for protecting private data, but long gone are the days when sensitive customer documents were locked in a filing cabinet at the end of the workday. In our digital world, customers share more information about themselves than ever, across a variety of platforms. We often hear in media and at conferences about advances in technology to catch up with regulations on data protection. Yet we also continue to read about breaches like the Colonial Pipeline breach of May 7, 2021 and AXA Asia a week later. In this PodChats for FutureCIO, we speak to John Grimm, Vice President of Strategy and Business Development, Data Protection Solutions, Entrust, on the topic of data privacy, data protection and what enterprises are doing right and wrong to comply with regulations and customer expectations.
Topics covered:
1. The idea of data protection started as far back as 1890 when US lawyers Samuel Warren and Louis Brandeis wrote The Right to Privacy. Arguably one of the biggest developments around privacy is GDPR in 2018. Three years on, where is the holdup when it comes to upholding personal data privacy?
2. Before we go further, let's start off with definitions. What is data protection? In a typical large enterprise, what does it encompass, and what is its relationship to data encryption?
3. We continue to hear about high profile cyberattacks like the Colonial Pipeline and more recently AXA Asia. Why do organisations seem to struggle with their data protection strategies?
4. Speaking of encryption, is there a magic number in terms of how many encryption tools are enough? You spoke of between 8 and 10 as average.
5. Environments have become more complex. Today enterprises operate in hybrid multi-cloud environments covering on-prem, private, public and edge. The same goes for data encryption and data protection tools. How do you manage and effectively use this growing complexity that is the cloud, and protect it?
6. Specific to the Ponemon Institute report, can you cite reasons why Southeast Asia ranked lowest globally in terms of encryption adoption (50% global average vs 36% in Southeast Asia)?
7. How do you see encryption evolving? What can organisations do to better leverage encryption as the foundation for a more holistic data protection strategy?
8. Gartner predicts that by 2023, 65% of the global population will have their personal information protected by data privacy laws. Given all the breaches that are occurring today, what needs to happen for this prediction to become a reality?
9. In the digital economy, who owns the data? Is it the CIO, the CDO, the marketing department or the customer?
10. What must enterprises do to rein back the perceived loss of control in data protection? And what should CIOs be doing to own part of the solution?
11. Simplification vs the sprawl of solutions – what is Entrust's USP (standout)?
I know that I have been telling you about this course that I have been making for you -- guess what, it is done and this week I will be making it available. It has taken a lot of work for both my wife, Karen, and me, but it is well worth it to get you this information on how you can improve your Windows security. I walk you through all the basics of tightening up your security on Windows 10, and not only that but why you have to. This week was quite busy for me with meetings and presentations for my business. If you have not yet signed up for my email list, do so today and you will be getting a large discount coupon for the course. This will be the only time that we offer this type of discount, so be sure you are on my list before we release the course. Craig

Welcome! Today we will talk about Intel and its war with Apple and what they did that they believe will give them an advantage but might just backfire big time. Then we will talk about DDoS attacks, BEC attacks, and ransomware. Then we will discuss how hackers are trying to get into Apple by trying to attack their developers' computers. If you have been breached, what did you learn? You might be surprised. Then, what can you do if the Feds buy all your location data from one of their security consultants? How much do you trust your security vendors? All that and even more, so be sure to listen in. For more tech tips, news, and updates, visit CraigPeterson.com.
--- Tech Articles Craig Thinks You Should Read:
Intel hires Justin Long to mock Macs in throwback to 2000s "I'm a Mac" ads
~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet
Ransom Payments Have Nearly Tripled
Attackers are trying awfully hard to backdoor iOS developers' Macs
What CISOs Can Learn From Big Breaches: Focus on the Root Causes
FBI: Business Email Compromise Cost $1.8B in 2020
One company wants to sell the feds location data from every car on Earth
Tech Vendors' Lack of Security Transparency Worries Firms

--- Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Hey, I did a webinar this week for the Massachusetts Society for Healthcare Risk Management. I thought there were some things that everybody needs to know, not just healthcare providers. Hi everybody. Craig Peterson here. Thanks for joining me today. There is so much to talk about. I have such fun doing it too, which is great. We will be discussing this in some more detail, and the ransomware numbers are just scary. I was approached to give this webinar. You probably know, if you've listened for a long time, that I have done hundreds, if not thousands, of webinars over the years. I have been doing them for our friends at the FBI InfraGard program. I did them many times, two, three, four a month for years with them, all on cybersecurity. Plus, I do the free webinars for people who are on my email list. I send out little audiograms every week as well, where I do a deeper dive, three minutes or so, into a specific topic. It's really fun. I enjoy doing it. So I get approached all of the time, as I'm sure you can imagine, to do these webinars for different organizations. I am always glad to do them. It might take me a little bit of time to fit it into the schedule. You know how that goes, but I always end up doing them. This particular one was about risk mitigation because that's what these guys do, right? There's this society for healthcare risk management.
How do you identify the cyber threats? What are they? Preventing unauthorized access to PHI, which is your patient health information. Now, we all have personally identifiable information that's supposed to be protected, and so is our healthcare information. So that's what we talked about. It was really fun to get into some detail, but there are a few things I wanted to bring up here with you guys. We're going to be including them this week. By the way, if you haven't noticed in my emails, I've been mentioning this Improving Windows Security course that is starting this next week. If you responded to one of my emails over the last few months where I said, hey, I'm going to be doing this course on Improving Windows Security, I would have probably responded to you saying, okay, great, I'm working on it. We have been for months, and because it has been months, what we're going to do for people who have asked for this already, in responding to the newsletter, is give you guys coupons for this. So keep an eye on your email box. Everybody else, okay, you're not going to get quite the deal. Actually, if you sign up today or tomorrow and get that newsletter, which should be going out Sunday morning, just respond and say "Improving Windows Security" so that you can get the full course, not just the free stuff that we're going to be giving. Man, you're going to love this anyway. It's just CraigPeterson.com if you want to sign up for that. I do these all of the time. One of the things that really stood out to me, and I thought I would talk about, actually there's a few things, is the security breaches in healthcare, because we all have some form of health care. If it's Obamacare, guess what? Obama isn't your doctor. He's not seeing you, right? You've got a local doc. Sure, you go in, you talk to your doctor, they examine you. Maybe you have to go to the hospital, outpatient, whatever it might be.
There are records of yours that are private, and there are people who want to get their hands on those records. Why is that? First of all, this statistic just absolutely blew me away. A research company called Black Book Market Research surveyed about 3,000 security professionals from healthcare provider organizations. 96% of those people who were surveyed believed that the bad guys are outpacing healthcare security, 96% of them. Isn't that just amazing? 56% are relying on medical devices using Microsoft Windows 7. Seven hasn't been supported in quite some time. Eight isn't supported; 8.1 has some support for it, but nowadays you pretty much have to be on Windows 10 if you want any support. That is astounding when you get right down to it. We also have the problem of medical internet of things devices, MIoT. Think about, again, all of the devices a doctor uses. Now they might have an iPad that's relatively safe, but have you noticed there are Bluetooth thermometers now that they might use to check your temperature? Did you notice that even people who are in intensive care might be hooked up to an IV, and those things are connected via wifi and Bluetooth? The x-ray machines, the CAT scans, everything now in the doctor's offices. Practically everything is electronic and is hooked up to computers. We're helping a medical office right now doing a bit of a transition on their phone system so that they have integrated with their phone system. Now, automatic text reminders. If someone calls in or the office calls out, all of that is logged in the patient records, screen pops that come up and tell them, hey, okay is calling in, and it shows all of the records before they even answer the phone. 56% of healthcare providers are using unsupported operating systems. That's just on their computers. Most organizations don't even know what is inside their machines. 'Cause you remember, almost every machine nowadays has a computer in it.
Then on top of it, they're using this 20-year-old antivirus software and insecure systems. They're really not vetting things, failure to access. It's just absolutely crazy. Now the bad guys are able to get in about 86% of the time. That's according to Verizon's 2020 Data Breach Investigations Report. That's just crazy. 86% of them are about money. The attackers usually take the easiest route to obtain all this information that they need. 43% of the breaches are due to the cloud. How many of our businesses are saying, oh, I'm going to use the cloud, I'm going to use salesforce.com? This is an example. I'm not trying to pick on salesforce.com. They've had their problems, but so has pretty much everybody else. We're gonna use salesforce.com for all of our client records and emails going out, et cetera, et cetera. That's just a word for someone else's computer, the cloud. It is a computer. It is still existing out there. You cannot, whether you're in healthcare or you're a regular business, you cannot just push off the responsibility for your data to a third-party cloud provider. Now in the medical business, they have these business process agreements, BPA partner agreements, that say, okay, you, Google, I'm going to be paying you extra for this special healthcare version. So they pay extra and they get that special healthcare version. And Google says we will keep your data safe. Oh, okay. That's well and good, but you have to pay for that version. 43%, almost half of the breaches, were due to people trying to use what's called the cloud. 27% were attributed to ransomware. It is running rampant, and we'll get into some of those stats here in a minute. This is the part that I would think everybody needs to hear, and that is your patient health information is worth 20 times more than credit cards are worth. Did you hear that? 20 times more, 2000% more than credit cards. So you might ask yourself, why does that matter? What's the big deal with my patient information?
If they have your credit card, they can use it a few times; hopefully, you'll notice it pretty quickly. You're using something like a credit monitoring service to notice, hey, wait a minute, what's going on here? If they've got your social security number, they could potentially buy a house or a car in your name. You don't know that they bought a car in your name until the tow truck shows up asking for the car back, because it's now being foreclosed on, but guess what? You don't have it. It's not yours. You have to spend 300 hours trying to straighten it all out and clear up your name. But when it comes to PHI, this patient health information probably has your social security number. Remember when you fill out those forms when you go to the doctor's office? Criminals can pull off stealing your identity, and that can go undetected for months, but it's even worse than that, frankly, because if they have a child's information, oh, so again, we're talking about a birthday, a name and address, a social security number, because you remember the government's forcing us to get social security numbers for all of our babies as they're born. Yeah. So they've got that social security number, which will never be used to track us, will only ever be used for social security, and cannot be asked for by anyone outside of the federal government and the Social Security Administration. Another promise from the federal government that was completely ignored. That child's personal information can now be used for at least 10 years, probably closer to 15 years, by a bad guy. It can be sold to illegal aliens who now have a name, social security number and maybe a fake birth date, because they're really a little bit older than they appear to be on that birth certificate. That's why it's worth 20 times more. It's really something that's going on. All right. You are listening to Craig Peterson. We're talking about our health care information. We're going to talk a little bit more about that.
We all have healthcare records, and they have some of our most personal information. That's what we're talking about today in follow-up to a webinar that I did last week for the healthcare industry. We're going to talk right now a little bit more about your privacy. Hey everybody, thanks for tuning in, Craig Peterson here. Getting right down to the real hard stats here on our healthcare records: a lot of them have been stolen. We covered that, of course, in the last segment. If you missed that, you can catch it online on your favorite podcasting app. I'm pretty much everywhere nowadays. It's just crazy to think about, because in reality we have had millions of records stolen, 300 million healthcare records stolen to be exact since 2015, which is pretty bad. I'm looking at a chart right now that I showed to this healthcare industry group, showing that hacking events have almost doubled over the last three years, year to year, every year. So in 2018, 164 major hacks; 2019, 312. That's a good double. 2020, 430, which isn't quite a double. So we are seeing a lot of data being stolen. Of course, stolen data means misused data, which is a very big problem. Now, in the healthcare industry, they've got a separate problem. That is these HIPAA rules. Now HIPAA has been in place for quite a while. It's supposed to have provided portability of our records. Does anybody have any real luck with that? I know there are some; I haven't. Portability, I don't even know where my health records have ended up, frankly, 'cause my doctor ended up closing up shop and I just have no idea. But it's supposed to be portability and privacy. Well, the most common violations of these HIPAA regulations revolve around professional hackers. Then you've got business associate disclosure. Remember I mentioned that. The cloud is not an excuse for not protecting your data. You cannot hand that off to a third party. There's many more that I go into in the presentation.
Of course, I talk about some of the ransomware that's been going around and the fines they can get from some of these. Then here's the next thing I wanted to talk with you guys about, and that is the amount of ransomware out there. I'm going to have a little bit of a ransomware offering. Take a look in some training and stuff here. Take a look at your emails. If you get my newsletter, it'll probably, I'm going to try and get this in for tomorrow's newsletter, the one that comes out on Sunday. If you're not a subscriber right now, go to craigpeterson.com/subscribe. You'll actually see it on the site at craigpeterson.com. If you scroll around, do a few things on the site, it should pop up automatically for you. I'm going to make a note to myself here about the ransomware stuff so you guys can hop on and get more information about how to protect yourselves too. Now, we're just talking about healthcare, and of course this is every business and every person out there. I talked about this Conti gang. I don't know if you've heard of them. C-O-N-T-I. Now, remember what I've said before about ransomware. It used to be that you'd get ransomware, your computer would now have its data encrypted, and then it would pop up this big red screen that said you've got ransomware, and in order to get all of your data back, because what the ransomware did was encrypt it, you need to go to this website, you need to pay this amount of Bitcoin to this Bitcoin wallet, and off it goes, right? That's the idea. According to the FBI, about half of the time you'll get all your data back, half the time, and that's even if you pay the ransom. And now, too, the State Department might come after you, and the FBI, if you pay a ransom, because now you are supporting terrorist organizations, not just criminal enterprises. Very big deal. Now, the other side of ransomware, and this is what just hit a few different medical providers here.
What I talked about was Rehoboth McKinley Christian Health Care Services in New Mexico, because now it's much more advanced. Instead of just getting on your computer, encrypting your files, and demanding a ransom to get the decryption key, they even pre-install the decryptor for you. Isn't that handy? Yeah. What they are doing is they get onto a computer and then they start spreading east-west. Now, we've seen that for years. I remember one of our clients, a car dealer, and this was five to seven years ago. They got some ransomware. Somebody clicked on something that they shouldn't have, and all of a sudden their machine gets ransomware. The machine, of course, is hooked up to the network, and it is not just hooked up to the network, it is in fact mounting drives from their file server. So his machine has access to all of these files. This guy was a manager over there at this car dealership, so he had access to all of the files. Think about that for a minute. What his machine did back then is it said, "Oh great, here are some network drives," and it started encrypting the S drive and the H drive and the K drive, all of these different letters for these SMB-mounted drives from the file server. We were in there beforehand and we had installed our security stuff. When his machine got this brand new strain of ransomware, of course he didn't want us looking at what was on his machine, so we couldn't install all of the antivirus software, because then we would have access to it. We've got another client that's like that too, where the owner of the business doesn't want us installing software to really keep his machine clean. I don't know why people do that. Are they just trying to play their cards close to the chest? Is that what they're trying to do? Are they looking at something they shouldn't be looking at at work, or ever? Why do people do that? If you've got hints, let me know, because I would love to know: me@craigpeterson.com. Why do people do that?
Anyhow, his machine got the ransomware. It tried to start spreading to the file server. Now, we had special hardware and software installed, so we saw that spread start. We immediately shut it down; it was all automatic. It was just shut down. I shut down his network port, in fact, so his computer couldn't go anywhere. His computer had the ransomware. We were able to just go ahead and restore from backup. The bad guys know that if all they're doing is encrypting your data, then who cares? You restore from backup. Now, hopefully you're following a three-two-one backup scheme. Most places don't. Hopefully you're testing it as well. We test every backup that we make for our customers every day. Usually about once a week, if it's a server or even a workstation, we will spin up the servers in a virtual environment and make sure that it can boot, so that we know we have a good backup. I've got to tell you guys, most of the time the backups are not working, and it gets to be a real problem. What these guys have figured out, including this Conti gang, is, "We're not going to be able to get as much money out of them by just encrypting their disks. We need to do something else." So while they're trying to spread east-west inside, what they're doing is, okay, so they got a hold of this manager's computer. They start scanning for other computers, scanning for vulnerabilities, scanning for ways they can gain access. Unfortunately, the statistics show us that most of us have file sharing turned on on our Windows machines. That's one of the things I talk about in my Improving Windows Security course: what to do, how to do it, how to turn that off, because that is the second target of ransomware once it gets onto your machine. You've got to turn off those file-sharing services. So we'll tell you what Conti and these other guys do once they're in there and they have found another machine. Maybe it has file-sharing services. Maybe it's a good old-fashioned vulnerability because nobody patched.
Man, I can't believe how fast this computer is. We just did an upgrade on my iMac here in the studio. It is blindingly fast now. But we're talking about ransomware and what the Conti gang and others are doing nowadays.

Hello everybody, Craig Peterson here. Thanks for joining us today. I appreciate you spending a little bit of time, and I enjoy helping to bring you guys up to speed on what is happening. There's just so much of it. You wouldn't believe what I have to filter out. The Conti gang has been very successful, but their money started to dry up fairly recently when people figured out that if they had a decent backup, they could just go ahead and ignore the ransom demand. Instead of paying that ransom, just go ahead and restore from backup. So they had to do something different. What the Conti gang did, as well as pretty much everybody else in the ransomware business, is say, "Okay, what we're going to do now is find all of the other machines we can find on the network." Then they even have real people get onto these computers remotely, the ones they've compromised, and have a poke about. Is there patient healthcare information? Are there bank account numbers on this machine? Are there plans on what to do, where to go, what the business is going to do next week? But particularly stuff they can sell right away. If you take credit cards, you know that the payment card industry is all over you if credit card numbers are stolen. Those are nowhere near as valuable as patient health record information. As I mentioned a little bit earlier, we're talking about 2000% more, more than 20 times more value, for your healthcare records. Now what happens is the Conti gang says, "Oh, looky, we've got patient information here." It has names, addresses, Social Security numbers. It has birth dates. It has diagnostic information, and then they upload it. We had something like this happen with one of our clients. It wasn't a ransomware attack; ultimately it may have been.
They came in through an unsecured VPN that the client would not let us shut down. We told them to shut it down and they didn't. In come the bad guys. They actually were coming in via Mexico in this case, although I doubt they were located in Mexico. They took that VPN connection, they used it to get onto the computer, and they found something interesting. So they started to exfiltrate the data; in other words, take that data and send it out. That's exactly what the Conti gang and others are doing now. We noticed, and wait a minute, this is all automatic: why is data going out from this host, at that speed, to this address, at this time of day? It wasn't a normal pattern. So our hardware and software that's sitting there in their network automatically shut it down hard. They were able to exfiltrate just a tad bit of data, and then it was stopped instantly. That's what they're doing nowadays. So the Conti gang gets your data and then they try and say "pay up" from an extortion standpoint. Instead of just holding your data ransom, they're extorting you, saying, "If you do not pay us, we will release this data." The Conti ransomware gang has its own website out there. It's called a leak site. There are many of them out there. If you go to that site, and I'm not going to give you the URL, it's right there: there's their logo. The Conti gang has a logo, and it says "Conti News." It's talking about how you can make your payments to them and what data was released, and that this person paid up but it was too late: "We don't have the data anymore," which means it was released, and too bad, so sad, I wouldn't want to be you. Here's another ransomware gang I talked about with the Massachusetts Society for Healthcare Risk Management in this webinar, and that's the Avaddon ransomware gang. So again, they had stolen personal information, they had health information, and they had not just the ransom side but the extortion side built into it.
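The two automatic detections described in the last few segments (the machine that starts "scanning for other computers" for file shares, and the host sending data out "at that speed, to this address, at this time of day") can be written down concretely. What follows is an added example for this transcript, not the host's product or code: a small Python detector run over constructed flow records. It assumes a simple per-connection record (timestamp, source, destination, destination port, bytes out), treats only RFC 1918 addresses as internal, and uses made-up hosts, thresholds and a one-day baseline; the east-west rule flags one internal host touching ten or more internal hosts on TCP/445 inside a minute, and the exfiltration rule flags an hour in which a host sends more to outside addresses than its own mean plus three standard deviations for that time band (business hours versus off hours), so that a 1.5 MB upload at 02:15 is caught even though it would be unremarkable at noon.

```python
"""Added example (not from the broadcast). Two detections over constructed flow
records: (1) east-west SMB fan-out, one internal host opening TCP/445 to many
internal hosts in a short window; (2) exfiltration, an internal host sending
more to an external address than its own mean + 3 sigma baseline for that time
of day. Hosts, flow format, thresholds and baselines are all assumptions."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    """RFC 1918 only, so the documentation ranges used below count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_off_hours(ts: datetime) -> bool:
    return ts.hour < 7 or ts.hour >= 19


def smb_fanout(flows, window=timedelta(seconds=60), min_hosts=10):
    """{src: max distinct internal hosts hit on 445 inside `window`} for offenders only."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == 445 and is_internal(f.src) and is_internal(f.dst):
            per_src[f.src].append(f)
    alerts = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window:  # slide the window start forward
                lo += 1
            n = len({f.dst for f in fl[lo:hi + 1]})
            if n >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), n)
    return alerts


def external_bytes_by_hour(flows):
    """{(src, hour_start): bytes sent to non-RFC1918 addresses}."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.ts.replace(minute=0, second=0, microsecond=0))] += f.bytes_out
    return totals


def build_baseline(baseline_flows, sigma=3.0):
    """{(src, off_hours): byte threshold}: mean + sigma * stdev of that host's hourly totals."""
    samples = defaultdict(list)
    for (src, hour), total in external_bytes_by_hour(baseline_flows).items():
        samples[(src, is_off_hours(hour))].append(total)
    return {k: statistics.fmean(v) + sigma * (statistics.stdev(v) if len(v) > 1 else 0.0)
            for k, v in samples.items()}


def exfil_alerts(flows, thresholds):
    """[(src, hour_start, bytes)] above the host's time-of-day threshold; a host with
    external traffic but no baseline at all is reported as well."""
    alerts = []
    for (src, hour), total in sorted(external_bytes_by_hour(flows).items()):
        limit = thresholds.get((src, is_off_hours(hour)))
        if limit is None or total > limit:
            alerts.append((src, hour, total))
    return alerts


# Constructed data, not real traffic. 203.0.113.10 plays a SaaS host, 198.51.100.7 the attacker.
DAY0 = datetime(2021, 2, 1)
DAY1 = DAY0 + timedelta(days=1)


def constructed_baseline():
    """One quiet day for 10.0.0.15: ~3 MB/hour out in business hours, ~250 KB/hour at night."""
    flows = []
    for h in range(24):
        ts = DAY0 + timedelta(hours=h, minutes=10)
        size = 200_000 + (h % 3) * 50_000 if is_off_hours(ts) else 3_000_000 + (h % 3) * 200_000
        flows.append(Flow(ts, "10.0.0.15", "203.0.113.10", 443, size))
    return flows


CONSTRUCTED_FLOWS = (
    # 02:00: the manager's PC walks 15 internal hosts on SMB inside 30 seconds
    [Flow(DAY1 + timedelta(hours=2, seconds=2 * i), "10.0.0.15", f"10.0.0.{20 + i}", 445, 4_000)
     for i in range(15)]
    # 02:15: 1.5 MB to a new address, below daytime normal but far above the night baseline
    + [Flow(DAY1 + timedelta(hours=2, minutes=15), "10.0.0.15", "198.51.100.7", 443, 1_500_000),
       # 09:00: the usual file server, one host, not a fan-out
       Flow(DAY1 + timedelta(hours=9), "10.0.0.15", "10.0.0.5", 445, 50_000),
       # 10:05: ordinary daytime SaaS traffic, stays under the daytime threshold
       Flow(DAY1 + timedelta(hours=10, minutes=5), "10.0.0.15", "203.0.113.10", 443, 3_100_000),
       # 14:30: 40 MB bulk upload to the attacker
       Flow(DAY1 + timedelta(hours=14, minutes=30), "10.0.0.15", "198.51.100.7", 443, 40_000_000)]
)


def analyze(flows=CONSTRUCTED_FLOWS, baseline_flows=None):
    baseline = build_baseline(constructed_baseline() if baseline_flows is None else baseline_flows)
    return {"smb_fanout": smb_fanout(flows), "exfil": exfil_alerts(flows, baseline)}


if __name__ == "__main__":
    print(analyze())
```

Running `analyze()` on the constructed day reports the 15-host SMB fan-out from 10.0.0.15 and two exfiltration hours (02:00 with 1.5 MB and 14:00 with 40 MB) while leaving the single file-server connection and the normal 10:00 SaaS traffic alone. In a real deployment the baseline would be built from weeks of flow data per host, and the response (shutting the port, as the segment describes) would hang off these alerts; the point of splitting the baseline by time band is that a transfer which is ordinary at noon is a signal at two in the morning.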
This was in relation to an attack on Capital Medical Center in Olympia, Washington. They have leaked some of it, and they're threatening to leak even more if Capital Medical Center in Olympia, Washington, doesn't pay up. Now, I went through here with Karen, Karen helped me out, and we got some other stats. First of all, 70% of the time now, ransomware results in data exfiltration. In other words, 70% of the time your data is stolen prior to the file encryption. Pretty bad. Pretty bad. Things can get particularly harmful because these ransomware attacks are a growing concern. They're disrupting patient care and healthcare, right? Disabling critical systems, because they have even been holding ransom some of the diagnostic equipment, MRI machines that were connected to the network. They were running Windows. Who would use Windows in a machine that's healthcare-critical? Obviously it interrupts revenue flow, and they had to go get involved with real expensive remedies. It really puts them in a very bad spot, very bad. We've had almost double the number of healthcare institutions attacked this year versus last year. I'm not going to go through all of these things here. I explained to them the difference between some of these real sites and fake sites and how you can get access to it. By the way, if you're interested in this, I did record this, and I'd be glad to send it out; just let me know, just email me at me@craigpeterson.com, and I can send you some of this healthcare stuff, the slide deck, or whatever you might like. Phishing campaigns, way up. You probably heard about that. I gave some examples of that: emailing patient information without encrypting it. Wireless infusion pumps are, of course, compromised because they're running an operating system that hasn't been patched. Usually Windows. Think of that: there's Windows in that infusion pump, but it could be a version of Linux. It's not patched. It's crazy. Vital sign equipment. Oh my gosh.
We're also seeing that this patient health information being stolen now is being used to create fake insurance claims. You might've been wondering, in a previous segment here, when I was talking about how much this is worth, and it's worth a lot; well, this is one of the reasons it's worth a lot, your personal, private patient health information. If you have diagnostic info, and that diagnosis has been stolen, then they can file a health insurance claim. Yeah, you see where I'm going: with your information, as though you received some treatment or some care for the diagnosis that was in your healthcare records. It's just that simple. The average cost of a data breach right now, by the way, if you are a regular business, is $158 per record for non-healthcare, and it's $408 per record if you are in healthcare at all. That's a doctor's office. That's not just hospitals; it's anybody. And by the way, mobile breaches are really big: 43% of healthcare organizations who reported a mobile breach said the mobile breach caused long-lasting repercussions. Now, think about this. If you're a patient, how well are your records protected? I can tell you, based on what I've seen and talked about with healthcare people, and having seen statistics, they're not protected very well at all. People will start going to jail over this. People in the healthcare industry, that is. So just in case you were thinking that couldn't happen to you, I'm going to spend a couple of minutes now talking about what happened a long time ago, in February 2021, with healthcare records. This is amazing.

Hi everybody. This is not the healthcare network. No, it is not. I'm looking at these slides that I had put together, of course, based on research that I did for the Massachusetts Society for Healthcare Risk Management. It was an online webinar. I do webinars all the time. I do them for listeners, where we talk about something that's hot in the news. You might see me doing various lives.
I haven't done one in a little while. Do you think I should be doing Facebook Lives or YouTube Lives? I know a lot of people have a real problem with Facebook. That's certainly understandable from my standpoint, but do you think it's worth it? Get on and I can answer questions and things. Let me know: me@craigpeterson.com. I've done them before. I usually get a handful of people on. I'm not sure how much it's worth or not. They are coming for you, when we're talking about healthcare organizations. So we're focusing on the bigger ones, because that's who I was presenting to. I always make these slide decks. This one took me a week to put together, right, Karen and I, because there's so much research, and I know I shouldn't spend that much time on these things, particularly if I don't charge for them, but I've got to do it. I was talking to a friend of mine who's an attorney. He said, "Do you know what? You would be one of the richest men in America if you did not have morals." Oh my. February 2021: we had Gore Medical Management out of Griffin, California, with 80,000 people affected. Nevada Orthopedic and Spine Center, Las Vegas, 50,000 people. UPMC Life Changing Medicine out of Pittsburgh, and only 40,000 people there. Remember, this is February 2021. Oh, wait, there's more. Grand River Medical Group out of Dubuque, Iowa. Harvard Eye Associates out in Laguna Hills, California. Texas Spine Consultants out of Addison, Texas. UPMC Health Plan out of Pittsburgh, PA. Granite Wellness Centers, Grass Valley, California. Granite is Northeast, people. Aetna, Hartford, Connecticut. Isn't this something? February 2021. Twelve Oaks Recovery Center, Navarre, Florida. Pennsylvania Dalton Teen Challenge in Pennsylvania. Data Logic Software, Harlingen, Texas. Yeah, it goes on here. The House Next Door, DeLand, Florida. Project Vida Health Center, El Paso, Texas. Just in February. Lake Charles Memorial Health System, Lake Charles, Louisiana.
UT Southwestern Medical Center, Dallas, Texas. Hackley Community Care Center out of Michigan. Rainbow Rehabilitation Center, Livonia, Michigan. Jacobson Memorial Hospital and Care Center, Elgin, North Dakota. Pitkin County, Colorado. Piedmont Health Services, North Carolina. Hope Healthcare Services, Fort Myers. I like Fort Myers. Jacobson Memorial Hospital and Healthcare in Elgin. You guys getting the gist here? You picking up what I'm putting down? Jacobson Memorial Hospital: this was a data accident involving an employee email account, potentially exposing current and former patient data to unauthorized individuals. You know what the number one question I had was? I've got to put that together. Let me just jot this down so I don't forget: Gmail, doctors. The number one question I had was, how do we stop doctors from using their Gmail accounts? That's the same type of thing that happened on February 23rd, 2021, right here, where they were forwarding email, and this happens; we see this all the time. Somehow doctors think, I don't know, they're immune to these things, or it's not going to happen to them. I don't know. An email comes in, and it comes into a secure email system. Then the doctor configures it to forward his email that comes into the secure clinic, his doctor's office, whatever it is, to Gmail. What happens at that point? It's now in Gmail; it may or may not be secure. If you're not paying Gmail for your account, you can be pretty sure it's not terribly secure. There is an encryption standard in email called TLS, and Gmail does not provide TLS services, guaranteed, for free accounts. In fact, I don't think they provide them at all for Gmail accounts other than the paid accounts. This is an absolutely huge problem. The FBI and the Department of Homeland Security's CISA came out with another warning here about healthcare. This is affecting all of us, because this is our personal information. Why are healthcare records so much more valuable?
I mentioned earlier a couple of things. One is they usually have a Social Security number, name, and address, so they can be used now to steal someone's identity. They often have diagnostic information, so that means they can be used to file fraudulent insurance claims. What else can you do with some of this medical data that is stolen? If they have your medical data, it's so much different from your credit card, because a credit card you can cancel. In fact, even if you don't cancel, you notice you get a new credit card every, what is it, three to five years. New credit card, here it is. There's a new number, at least a new code on the back, right? The CVC code. You look at that and say, "New card, okay, whatever." It's such a pain, because you have to go and change it on any website or with anyone that's doing automatic ordering. But when you get right down to it, what can happen if your credit card numbers are stolen? They can run up your credit card. You can, before you pay it, file a claim and say, "Hey, someone stole my credit card number. That is bad. I did not authorize these charges," and they will back out the charges for you, right? You haven't put a dime of your own money out there. Now, a debit card, yeah, they've taken your money, and now you've got to fight a bit to get it back, but you can get it back from all the major card issuers, and you get a new card number. What happens if your Social Security number is stolen? Did you know that the Social Security Administration will not issue you a new Social Security number if your number is stolen? Did you know that? How about the rest of your information? Most people live in a home for at least 10 years, if not longer. That's a lot longer than your credit card number's going to be around, so they can now, again, continue to file for loans under your name, your address, your birthdate, maybe for the rest of your life. This is our personal information.
And as you probably noticed early on, I was talking about how upsetting it is to me that we have a national ID stamped on our forehead, effectively. We have a Social Security number that we now have to use for everything. It's called a Social Security number because it was put in place for this fake insurance program that the federal government put together, because it's not an insurance program. It is not run like an insurance program. They put it together and they called it Social Security. They gave you a number because they had to keep track of your account, and really it was your account number. Now it's used everywhere. There are proposals out there: "Hey, let's come up with a digital ID, a digital identifier, a digital passport, if you will," as though that's going to solve the problem. The problem is we now have our data stolen. It's already out there. It's everywhere. Can you imagine what China might be thinking about doing with it? China has, and it's been verified now, China has stolen the records of pretty much every federal employee, every background check record of every background check that was done for clearance via the FBI. What's going to happen if they decide they really don't like us anymore and they just let loose? What a great way to shut down our economy, like overnight, by all of a sudden creating millions of fake accounts using real identities, our identities. This is just nuts. It is absolutely nuts. We've seen these hacks, and we just ran through some of the healthcare hacks that happened in February of 2021, one month. These are the ones we know about. Most of them are, in fact, probably not reported at all. Add on top of that, now we have doctors that are working from home that are using what we're calling, loosely, telemedicine. They're getting onto platforms that were never designed to keep our data safe, that are not HIPAA compliant. They are exposing our data even more than ever before.
I don't have the answer for this, because they are not, I can guarantee you, they are not pounding down my door to have me come and help them. I could. That's what I do. They're not. In fact, when I reach out to most of them, they hardly care at all. Not a big deal, right? Not going to happen to me, can't afford it. Yet they're pushing all of this burden onto us. It is extremely upsetting. Something has to be done. Something has to be done about healthcare. We need to enforce these HIPAA rules and regulations, and people need to go to jail for blatantly ignoring what they've been saying, by signing these forms, blatantly ignoring what they've been saying they've been doing now for, what, 20 years? Visit me online: craigpeterson.com. Make sure you get on that newsletter so that you don't miss a thing. I think we beat healthcare to death in the last hour. We're going to be getting into a bunch of new topics here. This whole thing about Intel hiring Justin Long has stuck in my craw too, so we'll start with that.

Hi everybody, Craig Peterson here. Of course, it sounds like it's a stuck-in-my-craw week, but we've got to keep you guys informed, and it just really irks me that so many businesses are trying to do the right thing. They are spending money. They're getting training for their people. They're getting the right kinds of equipment. They might be buying stuff from me or whomever; it really doesn't matter. They're trying to do it right. That costs them. There's no question about it. They are competing against people who don't care. That's what really bothers me. They're competing against people that have barely spent a dime. Maybe they bought a SonicWall firewall 10 years ago, but that's the last time they did anything for security. To me, that is a sin and should be a crime.
If you've got a company, like maybe you've got a DoD contractor, and they've spent $200,000, maybe as much as a million dollars if they're really quite a bit bigger, on just trying to secure their networks, and okay, they sell to the DoD, but they sell to a lot of other companies as well. How do they compete? How do they compete against somebody that just hung up a shingle and is out there selling a competing product? Nowadays, you can't tell. This is an old one, right? Do you remember the Lycos commercials? On the internet, no one can tell you're a dog. That's exactly what this is about. No one can tell, going to the website: how good are you? How long have you been around? How much have you spent on cybersecurity? Is it any good? It's just nasty. It is really bad, bad stuff. We are getting attacked so much. Ransomware attacks tripled in 2020, and remember, ransomware isn't just ransomware anymore. Most of the time it's also got extortion built in. It's just crazy. Make sure you are on my email list. If you're a home user, that's great; there's lots for you to learn. If you're a business, that's great; there's lots for you to learn as well, and I'll let you sort it out. But even when I have stuff specifically for business or targeted to business concerns, there's stuff you can learn from it as an individual. I want you to pay attention to it, but you can only do that if you have my newsletter coming to you every week. Of course, the best way to do that is to go to my website, craigpeterson.com. You'll find it all there. I appreciate you guys. I, again, I just can't say it enough. You have been great. I appreciate all of the feedback I get, and I answer all of the emails. Again, it might take me a little while; it usually takes a few days. But I do answer them, and I answer them personally. Most people are really shocked when they get a newsletter, they hit reply, and I reply to them, thinking that I must be some big internet marketer, which I'm not. I'm here for you.
I appreciate everybody that signs up for the list, and you guys referring people. It's interesting. Every time I send out my weekly newsletter, I get even more people signing up for the newsletter. So you guys must be forwarding it to your friends, who are then signing up. I really appreciate that too, because I want to get the word out. 99% of what I do, what I say, is absolutely free to anybody who cares to listen. It's there for you. I really do want to help. You might remember these commercials from way back in the two thousands, the double-ohs, triple-ohs. "Hello, I'm a Mac." "And I'm a PC." "Hey Mac, did you hear the good news?" "PC, choice chat." "Sorry, I didn't hear you there. What'd you say?" "Allow me to introduce the top-of-the-line PC." "Okay, what are you doing in a pizza box?" "Go on, rip it in half." "And since it's beautiful, that he needs an upgrade." "And I'm having a very difficult time finding pictures of my friend." "I couldn't hear you through my virus-proof mask." "Bongiorno." "Hello." "Let's go to the commercial." "We are a commercial." "Let's go to another commercial." "You're first class all the way, PC." "And Danesh, you are banished." I have to chuckle when I hear those. Isn't that great? Those are just excerpts from some of those commercials from years ago, of course the "Get a Mac" campaign, what Apple was doing at the time, performed by John Hodgman, who was the guy that did the PC side, and Justin Long, who was the guy that did the Mac side, saying, "I'm a Mac." It's fascinating to me now that Intel has decided to go ahead and hire Justin. Now, what's most fascinating about it is that Intel hires Justin. Wait, what are we comparing here? A PC, when you think of it, is Windows, right? You're not thinking about Intel Inside. You're buying a Windows machine. You're not buying a computer because of the chip it has in it, most of the time, right? You might buy one because this one has a faster chip or that one has a slower chip. That makes a lot of sense.
You're buying a computer so you can run an application. I remember very well back when the Apple II came out, the II Plus, and people bought them in droves because of an application. You could get VisiCalc on there, a spreadsheet program. It was the first, it was the best, it was the most popular at the time. Then others came out that were arguably a lot better. But it still sold. VisiCalc still sold and went over to the Windows platform. So Justin is now doing commercials talking about Intel. So he's saying on the Mac you can't touch the screen, which, by the way, you can if you get a touch screen for the Mac, no two ways about it. I have one sitting right in front of me. I use this on my Mac; it's a touch screen. I use it for doing presentations. I can highlight things, move things around, touch things, open them up, click on them with my finger right there on this screen. None of those have anything to do with the fact that inside that might be an Intel processor. We've got Intel now out there with, I think, misleading, but potentially you could argue that they're misrepresenting, Intel. All Intel is doing is providing the main processor, maybe some other support chips on there. Maybe it's using Intel memory. I don't know, but in reality, what we should be comparing is our Mac, our Intel-based Mac, versus our Intel-based Windows computer. Remember, Macs will still run Intel. I just gave it away. Did you catch that? What's really going on here? What's really going on is Apple is upset with Intel for some very good reasons. Intel has been massively overcharging for its processors for a very long time. Intel processors have never been that great, frankly, but because of what was called the Wintel monopoly, Intel really went along for the ride. They went along for the ride with Microsoft, because people bought Windows so they could run Excel or whatever the other applications were that they wanted to run. So what has Apple done?
When Apple came out with the iPhone, it never had an Intel processor in it. The same thing's true now with all of the new Apple equipment that's coming out. So your iPhones don't use Intel processors, your iPads don't use Intel processors. I have sitting right in front of me a Mac mini that has an M1 processor from Apple. And in fact, Apple right now is trying to get rid of Qualcomm as well. It can help increase their profit margins, but these things are not easy to design and implement. It took Apple years to get to the point where they had one that was really quite a good processor. I can buy a Mac mini with an Apple processor in it that is better than a hundred percent faster than a Mac mini with an Intel processor, for less money. The Apple chip costs me less money than the Intel-based processor, and it's twice as fast, according to Adobe, who just released their performance metrics on Illustrator and Photoshop. Intel is getting very nervous, because they're seeing their business go down the tubes. Intel has not been able to deliver on lower-power processors. It has not been able to deliver on faster processors other than going to multiple cores. It's also having problems with manufacturing the smaller, thinner and thinner processors, which help with, of course, using less power, which makes them faster and means they have less heat. Intel is saying, "Oh my gosh, we're in trouble here," because even Windows runs without Intel processors now. You can get a Surface tablet that doesn't have any Intel in it and run Windows on it. So they're in trouble there. They're seeing, too, the market share that's being taken from Microsoft by these Google Chrome tablets, Chromebooks, which are laptops, which are very inexpensive, very fast, very user-friendly, and very secure, although Google does spy on you a bit, and they don't use Intel. What does Intel do? "We're going to hire Justin and make people very confused about what's really going on."
Don't worry about those ads. Stick with anything you need to use. If you can get out of the space of Windows, get out of the space of Apple, go with something as simple as you can. Maybe Linux, maybe ChromeOS. Hey, it's 2021, and ransom payments have nearly tripled, targeting manufacturing, healthcare, construction, and the average ransom is now $312,000.

Hi everybody, Craig Peterson here. We were talking a little bit earlier about ransom and ransomware gangs. We've talked about how it can just totally destroy somebody. If you're a home user, and let's say that they get onto your computer and they encrypt all of your photos, your grandpa, grandma, your parents; you've got pictures of the kids and grandkids, great-grandkids, whatever it might be, on your computer. Now they're demanding $10,000 if you ever want to see your pictures again. That is a very good reason to have your photos and other documents you care about somewhere else, not on your local computer. I know far too many people who hook up a local hard disk to their computer and then back up to it. They're backing up to a USB drive, and that just isn't going to cut it. That USB drive is attached to your computer. If your computer gets ransomware on it, it's going to encrypt your USB drive. That's why I advise people, if you are going to have to use a USB drive, let's say you've got a database that you have to open but you don't have to have open all day long: put it in an encrypted volume and only mount it and decrypt it when you're using it. Then go ahead and re-encrypt it when you're done. That's called data at rest. The idea is, when you're not using it, nobody has access to it. That's what you should be doing. Remember too that if you still have that disk plugged in, and if that disk is encrypted, they can still encrypt it and hold you ransom. But they're not going to be able to do the extortion, because the data they have is encrypted. They have no idea what they have.
They may not even grab it because some of this ransomware software is just that smart. Ransomware gangs now that are aiming at businesses are grabbing even more money than they've ever been able to get before. The average amount that's paid jumped 171% in 2020. There's a new report out from Palo Alto Networks. They provide all kinds of networking equipment. You probably know I already use Cisco primarily; we've used some Palo Alto. We've stuck with Cisco. I like that integrated environment, but Palo Alto is good. Just not great. Palo Alto uses data from ransomware investigations, these data leak sites, as I mentioned earlier, where some of these ransomware gangs post the data that they have stolen from people. Those are called data leak sites. They looked at some of those things to try and figure out what's going on out there in the industry. They found that these main industries, which are manufacturing and healthcare, construction companies, had almost 40% of all ransomware attacks in 2020. It's just amazing because again, the ransomware attacks are being fine-tuned to go after organizations that have data that is very valuable. The highest ransom paid that we know of was $10 million. Isn't that amazing? The highest ransom demand was $30 million. Almost a third of the average demand paid more than $312,000. So it's just crazy. When you start looking into this, these ransomware groups are really getting ahead of the defenders. They are using all kinds of different types of innovation, which is again why antivirus software does not work. I put that into my presentation. In fact, I had in the presentation here some slides with John McAfee, I had him for one of them, and then I had a quote from, now I'm trying to remember what he was. He was a high-end guy in Symantec, which makes Norton, and both of them said this: "their software is just useless," bottom line.
It's useless because these ransomware gangs are using different techniques, different styles, they're improving things pretty dramatically, frankly, and getting these ransoms up higher and higher. By the way, they are still being paid using cryptocurrency, and that surged 311% last year. By the end of 2020, ransomware payments began to decline. A lot of that seems to be because the victims don't believe they're going to be able to get their data back, which is correct, as I've mentioned before. Be very careful out there. If you are a victim of ransomware, realize, guys, you're probably not going to get your data back even if you pay. Also realize that there is another extortion coming your way in most of these cases. That extortion is to pay up or I'm going to release your data to everybody. Then you're going to have to decide what to do. Cleaning up after ransomware isn't cheap. The average cost of a forensic engagement is over $73,000 for enterprises and 40 grand for small and medium businesses. It's pretty bad what they're doing right now. All right, next up here. We've got attackers who are going after specific targets. Now I mentioned that just now, but in this case, what they're doing is they're trying to get back doors into iOS developers' Macs. Here's how it works. If you have an iPhone or an iPad, it is running an operating system that's based on a Unix kernel called iOS; that's Apple's operating system for those mobile devices. It behaves differently than the desktop operating system. That makes sense, right? Windows trying to shoehorn in the touch screens without really considering all of the implications of that, I think, was a huge mistake. If you want to go back many years to Windows 8 when they introduced tiles, on my archive you will find me saying that very thing. However, if you are a developer for iOS, you're not going to be using Windows. You are going to be using a Mac. What the Mac developers use is something called Xcode.
This is a developer tool that Apple makes available to developers who are writing apps for iOS or macOS as well. The bad guys are doing a supply chain attack and they are putting fake libraries that are being used by the developers into the developer pool. The idea behind that is if they can get this fake little library in there, they can then take control of any machine that's running that library. I don't want to get too techie here and have people zone out, but it tells you something here that the bad guys, rather than attacking iOS head-on like they do with Windows, are trying to get into the developer libraries and get in that way. Now, don't get me wrong, they are trying to do this with Windows. It's just usually so easy to use a new zero-day on Windows, as opposed to going to all the trouble to try to get into developers' machines in order to install these back doors. It's also known as a home watering hole attack, and they send this to targeted developers. There's a Visual Studio project that's available right now with a proof of concept exploit for some of this stuff, but we're aware of it. We're trying to deal with it. Apple is trying to deal with it. Windows 8 is happening in that area as well. GitHub has seen a whole lot of problems with this type of injection and the whole industry is working hard to stop it. I think that makes a whole lot of sense. All right. Let's talk about selling the feds location data from every car on earth. Does that make sense? I don't know. Apple made a change in its podcasts. We'll talk about that as well. Hey, are you somebody who listens to podcasts as well as the radio? Apple figured something out that most other podcasters really figured out some years ago. So we're going to talk about the one-word change Apple just made. You're listening to Craig Peterson here on news radio, WGAN AM 560 and FM 98.5. Thanks for joining me today.
As we've been talking about some of the great articles out this week, I was going to say the great questions that have plagued humanity, but I don't think that's quite true. There certainly are questions we all need to have answered, and I answer your questions as well. Make sure you go to CraigPeterson.com. You can, right there, sign up for my newsletter. You can send me a question if you'd like to right there, or you can just email me, me@craigpeterson.com. I'd be more than glad to answer them. It is a wonderful thing to be able to help you guys out. I appreciate you so much for spending these two hours here with me on your Saturday. Podcasts are something that Apple really kicked into gear. I've been for more than 20 years doing what today we would call podcasts, and that is making available audio from our radio show. Audio from interviews. All kinds of audio for people to listen to. Many other people do. It has become a huge thing. Now there are millions of podcasts out there covering every topic you can think of, talking about long tail, just microscopic and nailed down different topics. Apple had the iPod. You might even remember that. And I still use an iPod to this very day. I still have my iPod classic and that's the one I use. So how old is it now? 12, 13, 14 years old. I don't know, pretty old. And I've had to replace pieces in it. But I really liked that user interface. It's pretty easy to use. Over the years, I've put a lot of different music on there and I've also put podcasts. It is an iPod with video, which means that it can play certain videos. It has been a wonderful little device. Because of the iPod and the popularity of people listening to the audio, like my show, Apple was able to really dominate that market. They became known as podcasts because of the Apple iPod. People could carry them around with them. Nowadays we stream; for instance, you can listen to WGAN on TuneIn, which is available as an app. It's a website.
You can listen any time, anywhere. It just couldn't get much easier for any of us. It's fantastic. You can certainly download them into the app. You can download them into the Apple Podcasts app that's there on your iPhone. On Android with Google Play. In fact, you'll find my podcast on all of those platforms, but what is really different about all of this is that now Apple is no longer the leader. It looks like Spotify is about to take over the leadership position in podcasts, if they haven't already. I've made sure my podcast was on Spotify. I hadn't had it on there. They had changed the rules. I don't know, some time ago, might've been last week. I really don't know. But they changed the rules since the last time I looked. It was easy enough to get mine on there. I think they wanted me to pay before. Now I have a podcast that's in the top 10% of all podcasts worldwide, which I think is pretty darn cool, frankly. We're having thousands of people listen every week and that just does my heart good. I stopped doing the podcast for a while and it really hurt me. It was like a year and a half to two years that I wasn't releasing content. I really lost traction because I had 20 million-plus downloads of the podcast, which I can still say, because that's true, but I've only had about a quarter-million downloads in the last little while, still top 10% of all podcasts worldwide. What Apple is trying to do now is try and help people understand a little better and get rid of fear by changing one word in podcast land. If you go to Apple, for instance, if you go to CraigPeterson.com/apple, that's what it is, you'll see. It'll take you automatically to the Apple Podcasts page. Once you're on the Apple Podcasts page, you'll see that you can listen right there on the page. It might open your podcast app, or on your Mac it might automatically open your music player; they keep changing the names of some of these things, and let you subscribe. If you do, I would really appreciate it.
The word is "subscribe." That word has been a problem, apparently, for Apple, because most people, when they think of subscribing, think they have to pay for something. You see where they're coming from. So a lot of people didn't want to subscribe because they didn't want to pay. Podcasts are free. No one charges you for them. Now, there are some subscription models, don't get me wrong, but in general, podcasts are free. What Apple has done now is they changed the word "subscribe" to "follow," which they think most people will understand. Following someone doesn't cost you anything. That comes from all of the social media platforms that have really changed things up for them. This change to the Apple Podcasts app is going to come with the release of iOS 14.5. We'll see if it actually makes it in there. It was noticed by Podnews, which is a website that reports on the podcasting industry. They were showing, hey, look at this beta version of iOS where they're changing it. So that's how we know it's coming. I think it makes sense. Edison Research, I've quoted them before, they're a market analysis company. They found that 47% of people who don't listen to podcasts thought it cost money to subscribe to podcasts. That's true with most of these apps nowadays: you can get it for free, but they also have paid versions. In TuneIn, the paid version lets you pause live radio and go back and listen to it later. I used to use that a lot back in the day. You also have different features on these different podcast listening apps. Most people are confused about it. 47% think it costs money to listen. So Edison Research vice president, or senior VP, Tom Webster said the reason for this is because of the one word, "subscribe." That's a huge problem, with nearly half the people surveyed. They won't listen to a podcast because they think they have to pay for it.
Now Spotify, which is edging up on, if not surpassing, Apple with the number of people who listen to podcasts, has already switched. They're using the word "follow" to describe the feature that adds your favorite podcasts to your playlist. Spotify has also played around with this idea of paid podcast subscriptions, which could be separate from the idea of a paid podcast offering. It's a premium paid music and everything else. So I think it's going to be interesting. We'll see. Apple has switched, pretty clearly to help get rid of some of the confusion on its platform. Have a look for me, Craig Peterson, in your favorite podcast app. Sometimes the easiest way to find me is just to go to CraigPeterson.com/the name of your favorite podcast app. All right, we've got one more segment here before we leave for the day. So don't go anywhere. We've got one company that wants to sell the U.S. Federal government location data from every car on earth. Did you even know that was possible? We're going to talk about what's going on. Hey everybody. Thanks for listening. This is, of course, Craig Peterson. Man, we have a problem coming our way, and then get another one. This has to do with our cars. You might have heard, I heard that Massachusetts decided that they would start charging a tax based on how many miles you drove in the Commonwealth, and the reason behind all of this, supposedly, and it probably is, was that we have cars that don't burn any gas, electric cars, and they are using the same roads. They need the same law enforcement people. They need the same bridge repairs as everybody else, but they're not paying any gas tax. So how do we make them pay as they should? Mass hasn't gotten very far with that yet. There's this port in your car called an ODB port or ODB2. This is a port that was mandated by the Federal Government, I think in the late seventies, when they started this whole mess up. That port gives them access to the onboard computer that's there in your car.
Hint: ODB, onboard computer. Important there in your car. There are so many three-letter abbreviations that sometimes I kind of mess them up. So Mass was saying, we can just hook up your car; now we're hooking it up anyway when we're checking the emissions, 'cause your car squeals on you. It's not like the days back in the eighties where they would stick a sensor up the tailpipe to see what your emissions were like. They just ask the computer: what are the emissions like? What's the NOx? The CO2 emissions? How fast is he accelerating? That same port has been used to give traffic tickets, but in different areas. Yeah. OBD port, I just looked it up just to make sure I had the right name for it. And it's been used to give tickets up in Canada, in Montreal. There's a report that came in of somebody that was racing up and down one of the main streets in Montreal and the police got there and nobody was racing up and down. But a car by the description was there. So they pulled the car over, they hooked up the OBD reader to the port in the car. The car said, yeah, I have been going at this speed recently. The cops gave the guy a ticket just based on that. Our cars have been squealing on us for a long time. Mass wants to use it to say, how many miles has the car driven? Then there are questions about, can you charge people mileage not in your state? Obviously, they are already. If you live in New Hampshire and you happen to drive into Mass one time and you buy gas there, you are paying Mass gas tax, which, by the way, Charlie Baker apparently wants to double. There are some limits, but I don't know how far they go. There's a lawsuit right now in the Supreme Court between New Hampshire and Mass over Massachusetts charging income tax to New Hampshire residents that never even set foot in the state of Mass. So it's really convoluted. We have over 9,000 different tax jurisdictions here in the United States, and that makes things really crazy.
When you think about all these different government agencies that want to put their hands in the till and want to do stuff. How does that tie into the cars? Our cars are getting smarter and smarter. This port that was put in decades ago was the first step. The cars squeal on ya and tell information that should be private. Some of the cars now, these better, faster, smarter cars like the Teslas, keep track of everywhere you've gone. Where you're driving? How fast you're driving? The cameras are actually recording all of the activity, everything that they see. There are seven cameras on these cars and all of that stuff is stored and could be pulled out, certainly in a court of law. We're seeing in some jurisdictions that their police want to get their hands on it. There is something going on right now. There's a company out there called Ulysses. They are a surveillance contractor, and they're claiming that they can remotely geo-locate vehicles in nearly every country, except for North Korea and Cuba, on a near real-time basis. That's from Vice Motherboard. So Ulysses is obtaining vehicle telematics from data that's coming out of these embedded sensors and communication centers that are in our cars and in the roadways. Some of these cars are now sharing data. This is a technology that was pioneered by NASCAR and Formula One so that the cars could avoid accidents with each other. So the cars could be much safer for the drivers. That makes sense. The cars all talk to each other on this mesh network. Now we have these companies that have these autonomous features, self-driving cars if you will, that are doing much the same thing. They are looking to use mesh communications, and some of them already are. By grabbing things from these connected cars, like the engine temperature, your acceleration, where you started your journey, where you're ending the journey, it is a real problem. There are more new cars now being added to cellular networks than new cell phones.
Here's an article from Ars Technica from a couple of years back. It says, in particular, that Chetan Sharma Consulting noted that AT&T has been adding a million or more new cars to its network each quarter for the last 11 quarters, while they didn't break out the numbers for other service providers. It also revealed that Verizon is set to make at least $1 billion from the internet of things and telematics, and previous research from Gartner suggested that in this year, a few years back, 98% of new cars would be equipped with embedded modems. It's probably close to a hundred percent by now, by the way. Our Teslas and pretty much any other self-driving car are guaranteed to call home because they use that call home function in order to upload new software for the car in case there's some sort of a problem, to upload driving data so that they can figure out why did the driver have to hit the brakes or grab the steering wheel, to make it smarter. So our cars are recording all of that, and the data is coming together. Ulysses claims it can currently access more than 15 billion vehicle locations around the world each month and estimates that by 2025, 100% of new cars will be connected and transmitting gigabytes of collectible data. Definitely a concern here. Definitely a concern. Keep an eye out fo
In this “Secure in Mind” podcast episode Nick Kelly speaks with Francesca Spidalieri on the need for strong female mentors, which is absolute in order to encourage further female proliferation within the very heavily male-weighted industry.

This “Secure in Mind” podcast episode sees Nick Kelly speak with Francesca Spidalieri (the Senior Fellow for Cyber Leadership at the Pell Center at Salve Regina University), an incredibly impressive young female leader and influencer in cyber security.

The need for strong female mentors in the realm of the cybers

Francesca's work in advising business and government leaders around the world is nothing short of inspirational for anyone in tech, but especially for aspiring girls and women looking to enter the field. As Francesca points out several times during the episode, the need for strong female mentors is absolute in order to encourage further female proliferation within the very heavily male-weighted industry. Francesca is a rising global powerhouse in this field, so everyone buckle up and enjoy the show!

The teachings in cybersecurity of Francesca Spidalieri

Francesca Spidalieri is the Senior Fellow for Cyber Leadership at the Pell Center at Salve Regina University, where she leads the Cyber Leadership Research Project and the Rhode Island Corporate Cybersecurity Initiative (RICCI). She is also a cybersecurity consultant for Hathaway Global Strategies LLC, and serves as co-principal investigator for the Potomac Institute's Cyber Readiness Index 2.0, as a subject-matter expert for the UN International Telecommunication Union (ITU), and as a distinguished fellow for the Ponemon Institute. Francesca teaches graduate courses on cybersecurity for managers and has published extensively on cyber risk management, cyber leadership development, and cybersecurity education and awareness. In addition, she lectures regularly at cyber-related events both in Europe and the U.S. and contributes to journals on cybersecurity matters affecting countries and organizations worldwide.

The Secure in Mind project

Our mission is to greatly increase and encourage community discussion about technological and ethical issues that have impacted, are impacting and will impact society on a global scale. There is a longstanding and distinct disconnect between the way information is packaged and presented to the public and the effectiveness of this presentation in terms of generating informed, considered debate. If we can take complex, important topics and present them, as best we can, in a manner that can interest people from outside the speciality, then we have surpassed our expectations.

Nick Kelly Bio

Nick is someone who, in many senses, is just like you: a human being trying to make sense of this existence of ours as we hurtle around a ball of gas in a sea of infinite eternity. More relevant, though, are his vacillations around the world in diverse countries and environments, collaborating, negotiating, elaborating and celebrating with fascinating people from all walks of life including politics, technology, activism, military and intelligence the world over. He brings this unique breadth of perspective to the table and has a dogged interest in pursuing the human story behind the title or policy, appreciating the fact that underneath all of our bravado, political correctness and dichotomous states of creation and destruction, we are, after all, merely mortals trying to make the best of it.
In this episode Dr. Larry Ponemon discusses the Ponemon Institute's latest findings on the growing cybersecurity and data privacy threats associated with COVID-19. COVID-19 has dramatically changed the workplace, has created new cybersecurity risks and has exacerbated existing risks. The purpose of this research, sponsored by Keeper Security, is to understand the new challenges organizations face in preventing, detecting and containing cybersecurity attacks in what is often referred to as “the new normal”. In the new era of a remote workforce, organizations worry most about the lack of physical security in the remote worker’s work space. Almost half (47 percent) of respondents say it is the inability to control risks created by the lack of physical security in remote workers’ homes and other locations that is a significant concern for their organizations.

Show Links
Cybersecurity guidance for executives to stay ahead of COVID-19 risks
Rethinking cybersecurity priorities amid the coronavirus pandemic
Bringing to focus SMB cybersecurity needs
3 keys to a successful cybersecurity plan for the new year
NCX Group Free Cybersecurity Assessment
HIPAA compliance is becoming increasingly problematic, because patient healthcare data is the most sought after by hackers, and it is the most vulnerable to cybersecurity attacks. According to the Ponemon Institute, 54% of healthcare vendors have experienced at least one data breach exposing their protected patient data. Of those who had experienced a breach, 41% had experienced 6+ data breaches over the past two years. Most alarmingly, an average healthcare data breach costs $2.75 million (more than any other industry) and exposes nearly 10,000 records. With 140+ pre-defined classification policies, Aparavi will find any unstructured data file in your organization that may be subject to HIPAA or other regulations that your organization is subject to. In addition, you can easily locate specific files by searching patient name, ICD-10 code, medical record number, social security number, insurance policy, data containing COVID content, and much more. Aparavi, The Data Intelligence & Automation Platform, is here to help you:
Protect your patients' confidential and private information
Comply with healthcare regulations like HIPAA
Avoid serious fines and penalties
Colin Bell, Rob Cuddy and Kris Duer from HCL Software bring you another discussion on Application Security, DevSecOps and AppScan. This episode includes all the latest AppScan news, tips around mobile cryptography, early snow in the north, close wildfires in the south and Irish Samhain (Sawin) traditions. Our guest this week is Dr Larry Ponemon from the Ponemon Institute, who recently published a report on Application Security in DevOps. He talks to us about the report and some of the fascinating findings. For a free copy of the Ponemon report that we discussed in this episode, please visit: https://www.hcltechsw.com/wps/portal/products/appscan/ponemon-report
In this episode of Cyber Security Inside, we explore what you need to know about Confidential Computing to protect your data. Our guest, technology analyst Jack Gold, shares his insights on protecting your data, whether at rest, in transit, or in the cloud.

Tom Garrison: Hello, and welcome to the Cyber Security Inside podcast. In this podcast, we aim to dig into important aspects of cyber security, which can often be highly complex and intimidating, and break them down to make them more understandable. We aim to avoid jargon and instead use plain language for thought-provoking discussions. Every two weeks, a new podcast will air. We invite you to reach out to us with your questions and ideas for future podcast topics. I'd like to introduce my cohost, Camille Morhardt, Technical Assistant and Chief of Staff at Intel's Product Assurance and Security Division. She's a Co-Director of Intel's Compute Lifecycle Assurance, an industry initiative to increase supply chain transparency. Camille's conducted hundreds of interviews with leaders in technology and engineering, including many in the C-suite of the Fortune 500. Hi, Camille, how are you doing today?

Camille Morhardt: Doing well. It's autumn, a beautiful time of year in Portland.

Tom Garrison: It is. It's gorgeous outside. So I'm wondering, what would you like to discuss today?

Camille Morhardt: Well, Tom, I remember when people used to be afraid to put their data on the public cloud, and it seemed like we had to make some sort of a trade-off, right? Either I'm going to keep my data on my personal device, or if I'm an enterprise, on-prem, maintain complete control over it and know that I'm secure. Or I'm going to go with the convenience and the economy of scale, putting it on the public cloud, and I'm going to worry about how safe it is. And today, increasingly, I would even say with COVID, I'm hearing more and more consumers and enterprises actually comfortable moving their data to the public cloud.
So I'm wondering first, what are the reasons today that people are interested in moving their data to the public cloud, setting security aside for a moment? And second, from a security perspective, did something change that's making people more comfortable now, or what should I be aware of if I'm considering moving data to the public cloud?

Tom Garrison: This is a deep topic for a fall day. So let's just think about this on a consumer use case and then we'll talk about corporate in a second. On the consumer use case, it's kind of interesting, 'cause I remember even myself years ago where we were talking about things like, you know, family pictures, wedding pictures, kids' pictures, and would I, or any of my colleagues, ever consider putting a hundred percent of those pictures in the cloud exclusively? And without exception, everyone said no. And I think back then it was a sense of control. You know, my sense now is that people are more comfortable with the idea that these cloud providers really know what they're doing, and the chances that they would lose your photos or whatever are much, much lower than that you would screw up your device, or your device would die at home and you would lose your pictures.

Camille Morhardt: Right. You essentially have IT in the cloud, whereas at your house, you're your own IT.

Tom Garrison: Exactly, but then now you get to commercial. And with commercial, there's more complexity, right? You get the cost angle, because if you're going to pay somebody else to do this, there's always going to be a cost to it. And can the other people manage your data in a lower-cost fashion than you can do it yourself? And then there is this sticky issue of trust. Do I trust the data will be safe, especially for enterprises where the data is sort of the crown jewels of the company?

Camille Morhardt: But let's say that I want to be able to do that in a way that I can maintain either my privacy or my IP.
You know, we had talked previously about not wanting to share usage patterns of our compute devices, right? But if there were a way that my personal data could be protected and I could perhaps set the parameters for its use or its disposal, and then there were a way for a company, let's say a machine learning algorithm or something, to come sit on my device, or maybe in the cloud where my data is also stored, and run and do some learning on that data while still maintaining protection of my privacy, I might actually be interested in that.

Tom Garrison: Yeah, I think most people would. That's sort of the Holy Grail when it comes to confidential computing in the cloud, where you can protect data from any unintended use. And so making sure it's secure and that hackers can't get to it or other applications can't misuse that data in some way. That's the value proposition behind confidential computing.

Camille Morhardt: And then there's this one other conundrum I'm thinking about a little bit, which is, I know that a lot of enterprises are moving towards some services in the public cloud, like email, say, for their employees; part of the reason is they don't have to worry about the limited infrastructure that maybe multiple concurrent VPNs is allowing. Now it's just bandwidth directly from the employee to the public cloud. On the converse, don't we still have to worry, as we're moving more and more to the internet of things, about just exactly that same concern: getting data from a thing to the public cloud is now posing a bandwidth constraint or a latency problem that wouldn't have been there otherwise, if I were processing onsite?

Tom Garrison: Sure, you're absolutely right. That is the sort of perennial challenge when it comes to huge data. Yeah. I think that's the episode for today. So I think we've got it. You good with that?

Camille Morhardt: I'm great.

Tom Garrison: All right, let's go for it. Our guest today is Jack Gold.
Jack is Founder and Principal Analyst at J Gold Associates, LLC, and has a wealth of experience and expertise in the computer and electronics industries. He conducts analytical market research and advises numerous clients on many aspects of enterprise systems, including business analysis, strategic planning, architecture, product evaluation and selection, as well as enterprise application strategy. So he is the perfect guest for us today. I'm trying to think back, Jack, how long you and I have known each other, and our best guess was about 15 years we've worked together.

Jack Gold: Yeah, Tom. I think it's been that long. Of course we were all six years old when we started, so it's not much of a problem.

Tom Garrison: That's right. Oh boy. Yeah, it was pre-gray hair, I know that for me. We're here really wanting to talk about the concept of being able to create enclaves within the hardware that are safer relative to the rest of the system, so you can do confidential code execution and other things inside these enclaves, as well as the more broad topic of confidential computing. So I wonder, Jack, if we just start with, you know, an environmental scan on confidential computing, like where do you see it playing a larger role, an outsized role, in terms of the kinds of users or usages around SGX and confidential computing?

Jack Gold: Yeah. Tom, confidential computing is one of those terms that kind of means different things to different people. When we're talking about data, data about you and I, or corporate data or financial data, generally, when we talk about that data being safe, it's because it's encrypted. And that's true. It is encrypted. It's encrypted at rest. When it's in a database it's encrypted; while it's traveling over a network, it's encrypted. But generally speaking, once that data starts being processed, it's no longer encrypted. So it's available: if you can get into the processor, you can see that data essentially in the clear.
Confidential computing, to me, means, if you're looking at a Venn diagram, two circles, right? The two circles we were just talking about, encrypted data at rest and encrypted data as it's traveling over a network, but the third circle needs to be safe data being processed. And we need to be able to assure that, well, that data might be somehow in the clear while it's in your computer, but if I have access to your computer or access to your app, or it's just a bad app, that I don't all of a sudden have access to what was encrypted data that's now right out in the open and that I could make use of. So confidential computing is really all of that.

Tom Garrison: That's interesting. And do you see particular users or industries that are embracing the concept of confidential computing more so than others, or do you see this as kind of a broadly appealing capability?

Jack Gold: The appeal of confidential computing really is across industries. It's everywhere. When you think about what gets processed in a company that isn't confidential anymore: my social security number, my driver's license number that I give to somebody, a healthcare provider has all my medical details; that's worth a lot of money to people. So we're kind of talking about servers and data centers and clouds just now, but also at the front end, think about all the data that we have on our PCs and even our smartphones. So it's a broad concept that really needs to fit in the entire life cycle of computing, not just in one area.

Camille Morhardt: Is this something that we worry about just on-prem, or, as you described, you're talking about public cloud concerns? Do consumers need to be concerned as well?

Jack Gold: Oh, absolutely. There's absolutely a need to have this in the cloud. Look, in most cloud environments, data that's running in an app is being shared on the same piece of hardware via a virtual machine that has probably tens, dozens, hundreds of other applications running on that same machine.
And if there's no way to segment out those virtual machines to protect them from one another, if I have a bad app running, somehow I get it to run in, pick your favorite cloud, can it get access to an adjacent virtual machine and get the data out of that machine that has great value? So when we talk about confidential computing, we're talking about individual computers, whether it's a personal computer or whether it's a server in a corporation, but we're also talking about public cloud and private cloud as well.

Camille Morhardt: So basically, anybody, enterprise or consumer, who's storing any kind of data on a public cloud, or is using a hybrid cloud environment, needs to consider what the public cloud provider is doing with respect to protecting data, as you say, while it's being processed.

Jack Gold: Yes. Look, people want data about you and me. They can get real value out of that and sell it for a lot of money. So if I don't have a way of protecting that, there's a lot that people already know about me, but there's a lot more that they could garner. So I need to be aware of where my data resides. If it's in the cloud, or if it's in Google Cloud, AWS, Azure, how do I know that that data is safe? And if I'm an enterprise that has access to that data and that data gets compromised, I'm going to feel the pain in a number of ways. First of all, there are a lot of regulations against disclosing data. Look at what's going on in Europe with the privacy laws there compared to the U.S. There are some real fines going on. Secondly, if there is a data breach, IBM and the Ponemon Institute did a study showing that in the U.S. a typical enterprise data breach cost that company over $8 million to mitigate.
That's a pretty significant amount of money to have to put out because of having a compute system that isn't completely protective of the data.

Tom Garrison: You know, in preparation for this podcast today, you sent over a couple of your reports and I read through them, and I just pulled out a couple of data points that I thought were fascinating, and they came from the Verizon Security Report. It said 39% of companies reported in 2020 that they were breached, up 6% from the year prior. But even more interesting were these behavioral aspects around security: 62% admitted that they sacrifice security due to expediency; 52% sacrificed due to convenience; and 46% admitted to sacrificing security because of profitability.

Jack Gold: Yeah, Tom, I think the real issue with security in general is that it's hard to do; it's complex. And if you're in a hurry and you need to get something out there, you're going to put it out there and probably bypass some of the best-in-class security measures that you should be doing, simply because of expediency. Especially because of COVID, companies needed to roll out 20,000 desktops in two days or a week; you bypass a lot of stuff to keep your company running. But even beyond that, even other companies that had the time perhaps to do it right haven't really done it right. And the reason is because typically large companies can have two, three, 400 different security products running in their networks and in their data centers. How do you possibly manage all that stuff? The industry has made it really hard for companies to do security well.

Camille Morhardt: So I guess just to get really simple, if I'm IT, what am I looking for to see if the hardware is protected?

Jack Gold: So if you're IT, what you really want to know is whether the hardware that I'm working on has a vaulted area. It's called different things by different vendors: SGX with Intel, TrustZone on Arm, and other things with other guys.
But what you really want to know is whether that's available, whether that vault is even built in. The second thing you want to know is, is the operating system interacting with it? Does Windows know that that vaulted system is there, and is it working to make sure that anything it's executing in Windows is actually running in that vault rather than running in main memory, unencrypted? It's a little harder when you're running in the cloud because you don't actually own the hardware. You're using somebody else's hardware; you're using Amazon's hardware or Google's hardware. And so you have to rely on them to tell you whether that's there or not. How many people are actually asking for that right now? I would guess probably a pretty small number. We have to raise the awareness that that's even available, and then have those companies, knowing that it's available, ask for it by name.

Tom Garrison: Having this be something that is on their radar to ask for is something that would be of value for the listeners here.

Jack Gold: If you're not asking for it, you're putting your company at risk. It's really that simple.

Camille Morhardt: Hey, Jack, you described this Venn diagram of the three different places that data is, right: at rest, in transit, or being processed. Why is it that we don't already have everything covered?

Jack Gold: That's a great question. And the holdup has been that if you don't do it right, it really hurts a lot. And so adding hardware that builds that protected vault, that enclave, that area where no one can get in, where bad apps aren't able to penetrate, side channels aren't able to get in, means that you've got an area within the chip that is really kind of its own processing area. And so it has to be able to get data in and get data out and process at the same speed as the rest of the chip. That's a hardware problem. That's also a microcode problem. It's a software problem.
And so it's complicated. In the past, I think a lot of people have tried to do this. TPM chips were a great example. The reason they never really took hold is because they were separate chips. They had to go over a bus. They had to go over an interconnect. And the performance hit that you took, the latency on processing that data, was pretty large. And so if you were just processing a couple of chunks of data, it's no big deal. If you're processing a big Oracle database, it's a big deal. I think we're getting better at it. And so I think you'll see it in a lot more chips, and the impact on processing will be relatively minor.

Camille Morhardt: Are you saying you're going to ultimately see all of the applications that are running, while they're being processed, in essentially a vault or an enclave? Or are we always going to be selective about what is running in the enclave?

Jack Gold: Honestly, it will depend on how good a job you do at creating the hardware and how good a job you do at the OS level. Until we get to that point, there probably will be some selection of "do I run it in the vault or do I not run it in the vault?" based on the performance that I need.

Tom Garrison: Right. So what other opportunities do you see within the next, say, year or two? Would you recommend sort of best practices or something along the lines of what we're talking about here with, you know, hardened security? Are there any other things that the listeners here should take away, advice that you'd give them?

Jack Gold: Yeah. I think there are a few things you need to think about. Number one is you need to look at the entire compute chain. You need to look at it not just from the hardware side, but also the OS and the application side. I want to go talk to SAP or Oracle or Salesforce or whoever your primary vendor is.
I want to go talk to them about the fact that I understand that there is now a possibility of running in a protected, vaulted, confidential computing environment. What are you doing to support that? Do you support it today? And if you don't support it today, when will you? And how do I get my applications into that vaulted environment? The second thing I would say that you need to think about: people often have servers in place for five, seven, eight, 10 years. But those aren't the ones that are running the, you know, the heavy-duty databases. Those are the email servers that kind of filtered down through the channel from high end to low end as they got older. And people just kind of ignore them. Getting new servers these days is not that expensive. And so if you're really going to run stuff on-prem, you really need to be thinking about how you're going to bring up a confidential computing environment on-prem. If you're running it in the cloud, you need to ask your cloud provider whether they support it. And eventually, longer term, what all companies should be thinking about is having these kinds of confidential computing, vaulted systems, trusted execution environments on every piece of hardware, from smartphones through PCs, through servers and into the cloud. Because ultimately, that's the only way you can get maximum protection.

Tom Garrison: So I'd like to transition to one of these fun things that we do with all the guests. It has to do with our favorite virus, called COVID-19 now. What have you either come to love after having to go through this whole sort of working-from-home, work changes and personal changes, that you love? And/or something that you absolutely just cannot wait to get rid of?

Jack Gold: Great question. So look, it's nice to be able to work from home.
It's nice to be able to get up in the morning, commute about 12 feet, and get to my desk. Whether I have my pajamas on, haven't had my coffee yet, didn't comb my hair, no one knows. Now the downside, of course, is that it also means that I'm potentially sitting at my computer at midnight because I just thought of something I needed to do and I might as well do it now. So the balance is kind of gone. My dog does remind me every once in a while that I'm home and that he needs attention. So that's probably okay. It gets me up and walking around. Honestly, the part that I'm really getting unhappy about is the number of Zoom meetings (laughs). It's getting to be, I'm Zoomed out. Look, it's just not the same as you and I sitting in a room face-to-face over a cup of coffee. So I've actually, for the most part, just turned my camera off and just kind of do my thing (laughs).

Tom Garrison: Nice. You know, it did occur to me, you mentioned your dog. Imagine how neurotic our pets are going to be when we finally do all go back to work? Furniture is going to get torn up, the carpet is going to get ripped up, you know, Lord knows what else is going to happen (laughs). So I think there's a business opportunity there, whether it's dog daycare or whatever it's going to be, but we have some pretty pampered dogs that are going to have a rough reentry when we finally go back to work.

Jack Gold: Absolutely. I agree with you. And you know, the one nice statistic about it is that if you look at shelters, shelters for the most part are out of pets because so many people are adopting them, which is actually wonderful. I mean, I for one, kind of a commercial message here, because our guy is adopted from a shelter. So that's the good news. My fear, Tom, on the negative side is that when people go back to work, they start bringing those pets back to shelters. And I sure hope that doesn't happen.

Tom Garrison: Yup, agreed.
Well, hey Jack, thank you very much for spending time with us. I know it's been a great conversation, and I think there was a lot of really good insight included in what you shared with us. So thank you for your time, and for all of our listeners, we will catch you again in a couple of weeks. Subscribe and stay tuned for the next episode of Cyber Security Inside. Follow @tommgarrison on Twitter to continue the conversation. Thank you for listening.
Welcome! Craig discusses the Cost of Data Breaches and the IBM/Ponemon Institute Study and why credential theft is a pre-eminent form of cybercrime. For more tech tips, news, and updates visit CraigPeterson.com

---

Read More:
Average Cost of a Data Breach: $3.86 Million
The Future's Biggest Cybercrime Threat May Already Be Here
Election Interference: Google Purges Breitbart from Search Results
Google Has Been Purging Breitbart Content from Search Results Since the 2016 Election
Heads roll at Intel after 7nm delay
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Three people have been charged for Twitter's huge hack, and a Florida teen is in jail
Remote Work Isn't Working? Maybe Your Company Is Doing It Wrong
FBI Releases Flash Alert on Netwalker Ransomware
Electric car startup Lucid is challenging Tesla's anti-lidar stance

---

Automated Machine-Generated Transcript:

[00:00:00] Welcome back, everybody. We're talking right now about IBM's latest data breach report. What does it mean to businesses and to you as a home user? Of course, this is Craig Peterson that you're listening to. You can get my weekly report by just going online. I have a newsletter. We have a whole ton of great information available for you. So check that out, make sure you subscribe, and I've got, well, it's like four different free gifts. One of them is the most coveted gift that I've given out. I've had so many great compliments on it, and that's your security reboot guide. You'll get that if you sign up at CraigPeterson.com/subscribe. I think you're really, really going to like it. So we were talking about the IBM report before the break. [00:01:00] Let's complete that now. This is the Cost of a Data Breach Report 2020, and it was done by the Ponemon Institute, and then IBM did some analysis on it. So let's look at the average total cost by security automation level. Fully deployed: $2.45 million.
So if you fully deploy your security, if you have everything your security team tells you, yeah, you need, a breach is going to cost you about two and a half million dollars. If you've partially deployed, like my customer here who had the breach coming in via Mexico, and so we had some stuff there but not everything that we had recommended, and that is actually required by the federal regulations he's supposed to be abiding by, partially deployed, the cost jumps from $2.45 million [00:02:00] to $4.11 million, the cost of a breach. So let me see, right there you save yourself almost $2 million, which is more than what it would cost you to do this, right, if you're a small business. And then, not deployed at all, a breach is going to cost you about $6.03 million. Absolutely incredible. Now, where are the main parts of this cost? Well, the customer's personally identifiable information. So that's things like their name, their email address, their phone number, bank account numbers, maybe social security numbers, maybe credit cards, right? All of that is called PII, and it's the stuff that should not ever be disclosed. So if you're a consumer, you kind of expect the business to keep that information confidential, right? Well, oh, [00:03:00] here we go. Breaches that have customer identifiable information account for 80% of all of the breaches. Isn't that sad? So 80% of the time when there's a breach, somebody's personal information is stolen. And the average cost per customer record in a malicious attack is about $175. In case you're not aware of it, if you're a retailer, a retailer is fined incredible amounts. I think right now it's a minimum of $125 per credit card that they've taken, if it's breached and they have credit card information on their systems. That's a lot of money, but on average it costs about $175 per customer record.
That's stolen. Next up here on the screen, and you'll find this online [00:04:00] again by searching for IBM and their 2020 data breach report: compromised credentials and cloud misconfiguration lead the way. Well, compromised credentials. Hmm. What would those be? How about your username and password? More and more businesses are moving to the cloud. And if you are using the same email address and you're using the same password, yeah, you knew what I was going to say, didn't you, for your accounts? You're in trouble. And that's why I keep reminding people that they should go to haveibeenpwned.com to check and see if their email address has been stolen in a breach. I'm playing around, by the way; I almost guarantee it has, unless you've got a very, very current email [00:05:00] address. So 19% of these breaches came in through compromised credentials. Other ways to do that, obviously, nowadays phishing is a very, very big way that some of this data is stolen, but these were the most expensive initial attack vectors: compromised credentials and cloud misconfiguration. Now, you know how much I hate VPNs. Right now there is a need for them, don't get me wrong. But almost always, it's more of a problem than the problem you're trying to solve using a VPN. So one of the things we talked about here just a couple of weeks ago was how the VPN data from, I think it was eight different VPN providers, was found online, like 1.2 terabytes [00:06:00] worth of personal information. Now, these are all VPN services that said, "We don't log. We're not logging. Don't worry. We're great here. You can trust us. We're secure and we're not logging. We're not selling your data." What was discovered online in a misconfigured cloud server? All of the places you had been, your password in clear text, your username. So now that data is stolen. Anybody that was using one of these free VPN services...
And I caution you against the paid ones as well, but anyone that was using one of these free VPN services is out of luck, because the bad guys have your username that you use and your password. So again, that's why I keep stressing, get 1Password. It's the best, bar none. 1Password. I don't make a dime off of this, right? But 1Password, [00:07:00] and make sure you use different passwords every time and have 1Password generate them for you. I have 1Password generate passwords that are usually four or five words long, and then I have special characters between each one of the words, and those are almost impossible to crack. It would take over a hundred years in most cases, unless I'm using one of these VPN services that doesn't bother encrypting my password. They weren't doing some sort of a SHA hash or an MD hash or anything? No, no, no, no. Clear text. Okay. So 19% were from compromised credentials, 19% were from cloud misconfiguration, and 16% were from a vulnerability in third-party software. So the costliest initial attack vectors: compromised credentials, number one. So keep that in mind, everybody. Whether you're a home [00:08:00] user or you're a business user, on that router, heaven forbid you're using a consumer router and firewall in a business. Don't do it. And in most cases, people never bother to change the default username and password on their firewall. So bad guys get in. $4.77 million is the average cost with compromised credentials. Amazing. Vulnerability in third-party software, four and a half million dollars. And what does that tell you? Patch. Remember, when you're talking about Microsoft and you've turned on the automatic updates on Windows, all it's going to update is Windows and the core Windows utilities. It's not going to update your Adobe software, you know, your Photoshop and whatever third-party, you know, engineering [00:09:00] software, drafting software, whatever.
It's not going to automatically update them. And then so many businesses are saying, "Well, okay, you have to run Windows XP or have to run Windows 7, because I can't get the latest version of the software. The company went out of business or it's too expensive." And then number three, cloud misconfiguration. So both vulnerability in third-party software and cloud misconfiguration account for about a four and a half million dollar breach each. Real big deal. So stick around, we're going to go through some more here. I enjoy being with you. Thanks for being with me. We will be right back. You're listening to Craig Peterson.

---

More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553
Welcome! Craig discusses the Cost of Data Breaches and the IBM/Ponemon Institute Study.

---

Automated Machine-Generated Transcript:

[00:00:00] We've got a lot to cover, as per usual. We're going to talk about data breaches today. We're gonna talk about cybercrime today. Election interference. What's going on with the big social media sites. This is Craig Peterson. I'm so glad you guys have decided to join me today. I am doing a little bit more with video today. So if you are online, you might be able to find me. I am not putting this video up until later on; you get to hear me first here on all of our radio stations and affiliates throughout the Northeast, which is really kind of cool. Now we keep expanding, yes, and we're doing more in the Facebook realm and the YouTube realm. I've got to start out with a little bit of an apology here. We were going back and looking at all of our numbers. We're trying to figure out what's going on, because I was getting dozens and dozens and dozens of emails from listeners saying, "Why did you send me this email? [00:01:00] Because I've been opening all your emails." And they were really confused. Well, here's what goes on. Okay. If you don't open my emails for a few weeks, then I'm kind of figuring that maybe you're really busy.
Something's going on. Maybe you don't like the sorts of things that I've been saying or doing. Maybe you want off the list and stuff. And so I sent out all of those emails to people. Well, it turns out we hadn't sent out an email since June 13th. And you might remember, that's when one of my daughters got married and we went out to Kentucky. Then everything happened with the family; it's just been crazy. Then I've been trying to get all of this video stuff together, and that's been a lot of work too. So my apologies to you if I sent you that email and you're wondering, "Why is he doing this to me? Because he knows I like him." So I think I was able to restore everybody back to proper balance here, as synergy. [00:02:00] We'll see how this all goes. And then the other thing that was messing up, this is what I get for not paying enough attention to some of these things, is all of our podcasts are definitely going out. We've been posting those and they're going out by the podcast mechanism. We've even still been including a transcript of the entire podcast, so you can go back and search and everything. Well, they had not been going up onto my website since also about June 13th. So I don't know that we're going to catch up on those on the website. You can definitely get them by going to my podcast feed, which you'll find online as well: CraigPeterson.com/podcast. And yeah, if you're an iTunes user, go to CraigPeterson.com/itunes, slash, you know, wherever you'll find me on all your favorite podcast mediums. So it's there. It's not on my website, and the [00:03:00] emails didn't go out. Yes, it has been one of those summers. And then, yeah, what happened this week? We had our tornado two towns over from me from this latest storm. It's a different name, I can't remember what it is. It's like I say, there are others. And so I ran outside. I was in a meeting. I said, "Hey, listen, guys, I've got to go."
And I grabbed some straps and I wrapped them around the beehives and around the pallets the beehives are sitting on, because I do keep rocks on top to help keep them from blowing over in a light wind, but we got wind. We lost power. I had to bring all of the equipment back up in my studio, all of the computers and stuff. It just wasn't a pleasant experience. Anyhow, that was my week. Hell, how was yours? [00:04:00] Hey, I want to start by talking again about this new report that was put together by the Ponemon Institute. Now, you may be familiar with these guys, you may not be familiar with these guys, but it was put together for IBM and IBM has published it. So I'm going to bring it up on the screen for those of you who are watching this as a video. This is the Cost of a Data Breach Report for 2020. And this I'm showing here for those people who are watching; for those that aren't, if you want to look it up, just go and do a search for "Cost of a Data Breach Report 2020 IBM" and you'll find it. So they did a study on over 500 data breaches. Very, very big. And this study was done by the Institute and then it was analyzed and published by IBM Security. Let's say, right there, the data breach costs are absolutely huge when you get right down to it, right? [00:05:00] What kind of business are you with? You know, are you just a little guy and the data breach costs won't be a lot? Well, it could easily put you out of business. Most small businesses, really small businesses, just fold within six months. It's bad. So this is showing us here, yeah, that the global average total cost of a data breach is $3.86 million. Now that's down a little bit from last year, one and a half percent. And what is really saving people, what's really saving businesses, is automation. See, one of the biggest mistakes businesses make when it comes to computer security, network security, VPN security, is they've got a veritable plethora
[00:06:00] of different pieces of equipment and software. So you've got what are called panes of glass. So you've got, you know, five, 10 different systems that your analysts have to look at to figure out what's going on. Are the computers up to date? Did someone try to break in? Is someone trying to break in right now? Did they get in? What data did they have access to? Was any data exfiltrated? Did we catch it, right? All of those types of questions. So automation, where you have one pane of glass, allows you to have all of these, what's from your advanced malware prevention, the intrusion detection, intrusion prevention systems, the endpoint [00:07:00] anti-malware that's sitting on your computers, the DNS that allows you to monitor where people are going and stop places, as well as stop ransomware from getting out. Think about all of these different points inside your network. And then if you're a slightly bigger company, you know, small businesses, according to the Small Business Administration, go up to 500 employees, that is a lot of data to analyze. Yeah, a lot of data to look at: false reports, false negatives, real positives that you have to drill into. Well, you don't want to have to go to half a dozen different panes of glass to figure out what happened. You don't want to have to go and look at the antivirus software, which failed too, by the way, because it always does, and then look, and hopefully you can look at the firewall logs. Hopefully you've got intrusion detection, intrusion prevention. Oh, hopefully you've got it all tied in, so it automatically takes that machine that's been compromised off the network. You know how many people have that? But what is being said here in this IBM study is that there was a dramatic reduction when security automation was put in place. [00:08:00] So that's what I'm talking about here, where it notices something, detects something, and shuts it down.
So we've got a client that has a location down in Mexico, and they have their networks, or I should say had their networks, tied together. Now, they didn't want to separate the networks because they had people in Mexico that were VPNing in, and then they could get on a server locally up here in the Northeast and then do all of the work from there. And that way they don't have to keep these local servers up to date, hopefully, which they weren't, but try and keep them up to date and control them through one Exchange server, so all of the accounts and stuff would just be in one place. And what happened is one of these workstations in Mexico got infected, and it hopped right through the network [00:09:00] up to here in the Northeast, here in the US. That happens all the time. I've done pieces of training on VPNs and the right way to configure them and the right way to use them. Obviously, this was all wrong, but we had a very advanced Firepower firewall in there that was doing intrusion detection and prevention, and it noticed data starting to be taken out, exfiltrated is what it's called, via this link to Mexico. And after a few megabytes of data going out, it might've been a gigabyte or so, it's saying, "Wait, wait, wait, wait, wait. This isn't normal. And this isn't something that should be going on through to Mexico." Now, they are in a different time zone, so the firewall was automatically taking that into account and figuring out how to tie it all together. [00:10:00] So it shut it down, just bam, and it no longer allowed that machine any access to the network up here in the U.S. Now, since then we have tightened things up even more. They said, "Oh, okay. Well, we'll do what you told us to do 18 months ago." And it is now really quite secure, but that is because we had a fully integrated system. That's why we use Cisco. Cisco is the only company right now that has a soup-to-nuts platform and system that you can use that meets
All federal regulatory requirements. The only one, no, you look at Symantec, they got some really fun stuff. They've got some nice stuff. Doesn't meet the federal requirement. You can look at SonicWall and they, man, it's like outcomes raiser, right? They, they really walk that fine tight line in what they say and what they provide. But. Having this type of automation in place, according to IBM study here now reduced the average total cost 3.5, $8 million from somebody trying to get in or getting in. [00:11:00] Now we like to make sure they never get it in the first place, but typically all of these automated systems that we're using and that you could be used as well. We'll detect it almost immediately and we'll shut it down. So stick around. We've got more to talk about here. When it comes to this report, there are so many great stats about what's been happening. So stick around. We'll be right back. Thanks for listening and visit me online. Make sure you sign up. Craig peterson.com/subscribe and I promise, promise, promise. Just started sending out that newsletter again. We'll be right back. --- More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553
Without a key document, I am going to lose the Weibo audience I have worked so hard to curate in China under my Beijing offices of EASTWEST Public Relations. So what happens when all the hard work of building the platforms for PR for your business is disrupted by incompetence, as in my case, or by malicious forces, as I suspect was being inflicted on Zoom? The Ponemon Institute's 2019 Cost of a Data Breach report gives some staggering figures on the cost of data loss. It quantifies the latest stats around data breaches:
- Average cost of a data breach: $3.92 million
- Each lost record represents a cost of $150
- Average time to identify and contain a breach: 279 days
- The loss of consumer trust is the biggest contributor to breach costs
Sometimes these are attacks, but sometimes it is incompetence, which means we can lose access to our own digital files central to business continuity. Luckily there are some services to help us keep snapshots of our digital assets so that they can be posted back online without delay, or used in the case of litigation. Preservica, for example, is changing the way organizations around the world future-proof and access critical long-term digital information, enabling companies to confidently meet compliance and legal requirements and safeguard digital content of unique cultural and brand importance. Governments and education institutions have their own initiatives too, such as the UK Government Web Archive (UKGWA) hosted by MirrorWeb, and the Stanford University Library. [Nb. I mention the Wayback Machine, which is still listed and I have used in the past, but today it doesn't appear to be loading and so I am not linking it here.] The point is that keeping records is important for your brand story and your reputation management, especially in the case of litigation.
Create and keep safe all that you do both online and offline. If you like this podcast, then subscribe to our newsletter here. Please visit our blog post on PR for business; please visit our site: https://www.eastwestpr.com/blogs/ I also talk about SPEAK|pr, our 5 Step Methodology for entrepreneurs to manage their own PR. Do please come and download a free copy along with our Technology Applications Directory with over 100 free marketing apps listed. http://www.eastwestpr.com/speakpr Find us on Twitter @eastwestpr. Jim James is the Founder and Managing Director of the EASTWEST Public Relations Group. He recently returned to the UK after 25 years in Asia where he was an entrepreneur. Whilst running EASTWEST PR, he was the Vice-Chairman of the British Chamber of Commerce in China; he also introduced Morgan sports cars to China and WAKE Drinks, founded the British Business Awards, The British Motorsport Festival and EO Beijing, and was the interim CEO of Lotus Cars. Support the show (https://www.eastwestpr.com/podcast-speakpr)
Welcome to the "The CyberHero Adventures: Defenders of the Digital Universe" Show!
We have a great panel today including Jeff Shaffer, VP of Client Engagement and Business Development at Aon Cyber Solutions, who will share stories of real-life insider threats during his time with both Aon and 25 years with the U.S. Secret Service, and much more. We are SO fortunate to have Lynn Mattice, Managing Director of Mattice and Associates LLC, President of the National Economic Security Alliance and a Distinguished Fellow at the Ponemon Institute, who will share best practices based upon his extensive experience in the Defense and Intelligence Community. We'll begin by hearing our guests' "origin stories" and learn about their "missions". Then, we'll cover the motivations behind insider threats and share real-life stories answering three questions:
1. What happened?
2. What were the consequences?
3. What were the lessons learned?
We'll discuss the best practices to prevent, detect and respond to insider threats and related issues. All of that and more on today's episode...
The Economic Value of Prevention in the Cybersecurity Lifecycle report was recently released by the Ponemon Institute and sponsored by cybersecurity provider Deep Instinct. The report delineates the savings that organizations could actualize per incident if effective preventative measures are implemented, which range from around $300,000 to over a million USD depending on the nature of the attack. The study uncovered an interesting discrepancy: although a whopping 70% of cybersecurity professionals believe preventative security measures improve cybersecurity posture and reduce overall security costs, only 21% of their organizations’ budgets are allocated to attack prevention. Steve Salinas joins me on the podcast to address how deep learning is making preventative cybersecurity a reality. I learn more about how Deep Learning is a fully autonomous system that can learn from all the available raw data, as an expert’s technological knowledge does not limit it. It provides the best unknown cyber threat prevention, detection, and response with the highest detection rates of unknown malware; while generating a near-zero false-positive rate. Since Deep Learning is input-agnostic, I also explore how it can protect any new type of device, endpoint, mobile or server, and type of operating system, against a broad range of file-based or fileless attacks, with a low impact on performance. The Deep Learning brain handles most of the security, in almost zero-time (milliseconds). It also provides administrators a very user-friendly management console (deployed in the cloud or on-prem) to view all of the relevant information.
In this episode, we discuss in depth the cybersecurity risks that come from insiders. What does a malicious insider threat look like? How about the accidental insider threat? How can executives become accidental insider threats? And more. Hear insights from these experts:
• Dr. Larry Ponemon of the Ponemon Institute
• Sudeep Venkatesh, Chief Product Officer, Egress
• John Grim, Head of Research, Development, and Innovation, Verizon Threat Research Advisory Center
• Dr. Chris Pierson, Founder & CEO, BlackCloak
Also, Trend Micro shares mitigation techniques for PowerShell-based malware and attacks. Links from the show:
• Trend Micro paper, "Tracking, Detecting, and Thwarting PowerShell-based Malware and Attacks": https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks
• SecureWorld web conference, "Are We Taking the Insider Threat Seriously Enough?": https://www.secureworldexpo.com/resources/insider-threat-giving-the-attention-it-deserves
• Fireside chat with Dr. Larry Ponemon of the Ponemon Institute (podcast): https://www.secureworldexpo.com/resources/larry-ponemon-interview-podcast
• SecureWorld Remote Sessions webcast briefings: https://www.secureworldexpo.com/resources?cat=remote-sessions
• Deep dive web conferences: https://www.secureworldexpo.com/resources?cat=web-conferences
The SecureWorld Sessions podcast gives you access to people and ideas that impact your cybersecurity career and help you secure your organization.
Episode 9 - Tammy Moskites - CISO, CIO and Board Advisor. Tammy has 30 years of experience and is noted by her peers to be a results-driven and passionate executive leader with expertise in envisioning and leading IT Security and Technology organizations. She was the CIO/CISO of Venafi Inc. and led their Executive Advisory Board as well. In the last four years she has traveled the globe working with hundreds of CISOs/CIOs and government entities on strategy and foundational security. Among the many areas she is involved in, she is a member of the ISACA Cyber Security Taskforce, a member of the ISSA and a Distinguished Fellow with the Ponemon Institute. Her security and leadership expertise has been quoted, blogged and written about online, in articles and magazines around the world, including FORBES "Meet the Woman Powering the Fight Against Cybercrime", Australia Woman of the Week and the cover of CSO Magazine. She is a highly sought-after global speaker not only on security and governance, but also on career building and mentoring. Named one of IFSEC Global's top Cybersecurity Thought Leaders for 2018! Tammy Moskites https://www.linkedin.com/in/tmoskites/ Website: https://www.cxounderground.com/ Hosts: Joe Topinka: https://www.linkedin.com/in/joetopinka/ Mike Charobee: https://www.linkedin.com/in/mikecharobee/
Welcome! For being locked down due to this pandemic, there is certainly a lot of technology in the news this week. So let's get into it. We are finding that managers are surveilling their employees, probably a little more than necessary, and an uptick in VPN usage. Big Tech is strangling us, and WordPress has a vulnerability, plus much more. So sit back and listen in. For more tech tips, news, and updates visit - CraigPeterson.com --- Automated Machine Generated Transcript: Craig Peterson: Hey everybody. Craig Peterson here on WGAN. Spring is in the air. I am so excited about this, you know, I love pretty much every season. I was just thinking the other day how I missed not having, you know, like crunchy snow that you can walk on. I know you might think I'm crazy, right? I know other family members of mine who absolutely think I'm crazy, but it's, maybe it's just a thing from my childhood, you know, being 40 degrees below zero and being outside and just walking in the snow and just having a crunch, crunch, crunch. [00:00:40] But you know, so wintertime makes me enjoy spring, makes me enjoy summer to a bit of a lesser degree, but I love going motorcycling so that works, right? In the summertime. And then I really like fall, probably my favorite season, and then winter is pretty good. I'm not a winter sports kind of guy. I should probably do a little bit more of that. [00:01:01] Well, if you saw me on the TV news this week, you know that I was talking a lot about this new surveillance society that we have. Yeah. I'm not just talking about general regular surveillance that we've talked about before. I'm talking about surveillance in the workplace. And now there are two sides of this. [00:01:23] Of course, there are like two sides to everything, and there's the side of the employee and then there's the side of the employer. And so we're going to spend a little time right now going through some of the things on both sides.
If you're an employer, why you might want to be doing surveillance. In fact, in some ways, why you should be doing surveillance. If you're an employee, what are your rights? [00:01:46] What can you do about it? We'll be talking about that. And then some of the software the businesses are using and what you can expect. So that's sort of what I've been talking about a lot this week over on various radio stations and on television as well this week. So getting right into this, and you'll see some articles about this up on my website as well, at CraigPeterson.com. [00:02:10] Oh, and man, did I get a kick in the pants this week. You know, I've been doing a little bit of work on the website because we're putting some new stuff together for people, for y'all, and I, I went to CraigPeterson.com/subscribe and just tried to check it out. So guess what? It doesn't work. Slash subscribe, to me. I just hate it when that happens. [00:02:35] So if you have tried to subscribe on my website before to get my weekly newsletter or get some of my special reports, because you get, I think it's four of them when you subscribe, I send those off to you, and you went to CraigPeterson.com/subscribe to subscribe, it may not have worked. So I'm going to be working some more on that this week. [00:02:58] I got that problem and then I've got a problem as well with the text number, the (855) 385-5553 number. And I guess it's kind of like the cobbler's kids that have no shoes, right? Where, man, there are so many things that I need to do and I've been doing for customers, and lately I've been doing even more for non-customers, trying to help everybody out because there are so many people that are in such dire straits right now. [00:03:26] You know, all businesses have changed. Talking about the pivot, and pivoting to work at home has been a very big deal. In fact, I'm going to probably have a little course on that coming up here in a couple of weeks.
What to do if you're a business and you're kind of pivoting to home workers, maybe permanently, but certainly for the next little while. [00:03:45] What should you be doing from the security standpoint? I think it's really important for everyone to understand and to do. Many managers are turning to surveillance software, and I got this idea, about a norm reminder really, from the Washington Post this week. Now, the Washington Post, you know, I don't trust them at all for any of their political coverage because they haven't been honest with any of us for quite a while, but some of their technology coverage isn't bad. [00:04:14] It's kind of like the New York Times. It's such a shame because the New York Times has such great in-depth articles on so many things, and then they completely misrepresent politics all the time, like a hundred percent consistent, and it's, so, I'm just always torn. Do I pay any attention to these guys or not? [00:04:35] You know, I certainly look at their coverage too when it comes to the political stuff, cause I have to make a judgment call myself. But man, I don't mind supporting the regular things, but their editorial things and their decisions as to which stories to run, sometimes they're just so antithetical to everything I believe. [00:04:55] But anyway, enough of that. So the Washington Post article kind of got me thinking about it. So I did a bunch of research and I have one, two, three pages of bullet points that I want to go through with you. Because I did research. I looked at a lot of things online. I looked at some of the websites of these companies making this, I don't know if you want to call it spyware, but that's kind of what it boils down to, and figured out what's going on there. I had looked at some of the legal issues from the federal government side and from the state government, and here's the bottom line. When in doubt, assume you're being watched now.
[00:05:36] I think that's a reasonable assumption in this day and age, right? We've all got our smart devices. We're online. We know that companies like Google and Facebook are compiling information about us to sell it, and I'm not sure that that's an absolutely horrific thing. I get more concerned when we're talking about employers surveilling us because if you have a bad boss or not so great boss, what's going to happen when that boss comes down on you for taking a break? [00:06:09] Right? Even a short break, you know? Yeah. You took a 15-minute break or whatever it was that was not, you know, necessary for them to come down on you. That's where I start getting concerned. People losing their jobs over this. Now, in some cases, if you're a transcriptionist and you're paid by the word, well, you know, why would they bother [00:06:29] monitoring me? I'm paid by the word, right? Who cares? You know? Obviously I have to deliver in a certain timeframe, but if it takes me all day and I have a 24-hour guarantee and I'm only typing one word a minute, it's no skin off my employer's nose. And on the other end of the scale, if you are doing kind of intellectual work and you're working [00:06:52] at a higher level, if you will, right? You're not just selling your, your keystrokes, your fingers. You're actually thinking about problems. You're trying to logically analyze what's going on, what should be done, what shouldn't be done. If you're that type of person, well then it's a completely different thing, right? [00:07:12] Again, how do you measure that? Because you might be reading a book, you might, you might have read a book last night and now you're in the office and you're looking at that book from last night cause you want to make some notes on it because you want to implement it in the office, and now your employer's looking at you saying, well, why hasn't your screen changed? [00:07:31] So that's the other side.
So I get really concerned with the employers somehow thinking that this type of monitoring is a panacea for them. It's not going to motivate their employees to work. It just totally reminds me of when I was a professor on faculty out at Pepperdine University, and I taught, back then it was called MIS, management information systems, 422 out at Pepperdine. [00:07:57] And one of the things we had to look at was something called the Hawthorne principle. And they had done a study in Hawthorne, California, of workers on a manufacturing line. And the big question was, do they perform better when they're being monitored or when they're not being monitored? There were some interesting studies to this looking at music in the background. [00:08:21] Do you perform better when you have music playing in the background just at a low volume, or better when it's quiet? Well, in all of these cases, it depends on what you're doing. Workers tend to perform better with music in the background when they're doing kind of a rote task, when they're working on an assembly line and it's the same thing over and over and over again. That tends to help those people. [00:08:50] But when we're talking about an intellectual worker who is planning, who's thinking things through, who's writing marketing materials, who's doing software development, in most cases they perform worse with music in the background, and they're better off just having some basic white noise going on, which could be as simple as a fan. [00:09:13] It could be office chatter, et cetera, and I actually use some things in order to put that into the background myself, and I find them to be very, very helpful. You can find all kinds of them online. If you wanted to know exactly which ones I use, send me an email and I'll let you know, just me@craigpeterson.com, but I have a plugin that goes into my browser.
[00:09:37] That has a coffee shop, the ring of fire burning, you know, outside a bird chirping, wind blowing, water lapping, just, it has a few of those things. And, and I can select what I want, and if I need to kind of focus on something, I find that to be very, very helpful. So when it comes to monitoring and the Hawthorne effect, [00:10:04] what they found is that yes, in some cases monitoring people worked out better, they produced better than not monitoring people. And that kind of reminds me of a good war movie that I absolutely loved. I don't think it was The Great Escape. Oh, no. I remember what it was. It was Schindler's List, and they were supposed to be making hinges. These are, of course, prisoners that are being used as slave labor. And [00:10:28] they are supposed to be making these hinges. And so the guard comes over, let me see you make a hinge, and he makes one in a matter of just seconds or a minute or whatever it is. And then under the Hawthorne, that'd be principle here, [00:10:48] if he makes one hinge in one minute, he should be able to make 60 hinges in an hour. And yet they were only making, I don't remember what any of these numbers were. It's been a long time since I saw that movie. But he didn't make as many, so obviously he got in trouble, as did other people who were on the assembly line. You know, if there's a gun to your head, maybe you will work better, maybe you will work faster. But in most cases, that's not true. And that was certainly true of these people who were confined to slave labor there in the Schindler's List movie. So we're going to talk a lot more about this when we get back because nearly half of the US labor force is now working from home. [00:11:30] That's according to a study by MIT researchers in April, so just a couple of weeks ago. Stick around. We're going to talk a lot more about this when we get back.
You are listening to Craig Peterson right here on WGAN, and you'll hear me every Wednesday morning, give or take, at 7:30 on with Matt. [00:11:52] Stick around. We'll be right back. Craig Peterson: Hey, welcome back everybody. Craig Peterson here, on WGAN. I hope you're enjoying your Saturday, or if you're listening to me online, whatever day it is you're listening, and of course, you can get that online experience through any podcast app. I'm on TuneIn. I'm on pretty much everywhere. You'll just be able to find me by looking for Craig Peterson. [00:00:28] The easiest way is just go to CraigPeterson.com/your favorite app when it comes to podcasts, whatever it is, and it'll just do a redirect for you, send you right to the right spot, whether it's iTunes or Spotify or whatever it is. So we were talking before the break about what's happening here with the surveillance scene, surveilling our employees out there. [00:00:55] And we're seeing some major changes. Now, some of these started actually a few years ago because businesses are rightly concerned about their intellectual property being stolen, and they need to know if an employee is about to leave and leave with their customer list. And I have certainly seen that happen before. [00:01:17] Unfortunately, we often get these phone calls after the fact, after the data's already been stolen, the employee's gone, or whatever it is. But you know, that's kind of the way it is, right? Most businesses and people aren't willing to do anything about it until it goes over the cliff, in this case. So what do we do as employers if we want to protect our information? [00:01:41] Because it's proprietary, right? That's called intellectual property for a reason, and the reason that it's proprietary is you just don't want it stolen and it gives you the advantage that you need to have. MIT researchers, as I mentioned before, are saying that nearly half of the US workforce is now working from home, which is absolutely massive.
[00:02:06] We're seeing VPN usage way up, and you know, I have a whole course on VPNs, the free one that I've been doing, and VPNs are not a panacea at all. In fact, they can make things much worse for you if you're trying to be secure. We've got these tattleware programs out there now that are doing everything from watching what you're typing and alerting the manager if you're typing in certain words that they think might mean that you are leaving their employ. [00:02:40] Right? So going to a website, an employment website, could cause, could cause a phone call from your manager. But we do have to check this. We do have to be careful. If you are going to be monitoring your employees, you need to make sure it's in the employee handbook. You want to be upfront with your employees. And from the employee's side, remember that some of the software will do everything, like keep track of your keystrokes, watch the websites you're visiting, which is always the case. [00:03:13] A reasonable business is going to be tracking website visits. So keep that in mind. But they're also going to potentially be screen capturing and maybe even capturing a picture from your camera. Some of them also will listen on the microphone, and I get it. You know, it can be very demoralizing. [00:03:36] You've been working for a company for years, maybe decades, and now all of a sudden you've been, you're being spied on. Right? You think you've been a good worker, so talk with them. There are no federal laws against employee monitoring in the private sector. There are a number of state laws, but many of these employers are crossing these ethical lines by continuing to track the employees after they've clocked out for the day. [00:04:05] So if you're an employee, your best bet may be to just turn off the computer, turn off the laptop. If you have a smartphone that's been issued by the company, turn that off as well. If you have an app that is from the company, you might want to kill it.
So it's no longer tracking, and make sure your settings on your iPhone are set to only allow tracking while the app is active. [00:04:32] So those are a few things. You can talk to your HR department if you think something's happening that shouldn't be. And if you filed an internal complaint and nothing is really happening, you can file the same complaint with the Securities and Exchange Commission, the Equal Employment Opportunity Commission, or the state organizations. [00:04:53] All right? By the way, you don't have to be informed that you are being spied upon. So keep that in mind. [00:05:01] So next up here, I want to talk about something from AmericanThinker.com. There's a great article there about big tech and how it is frankly strangling us right now. We have that 1984 ad. [00:05:17] Do you remember that? Where all of these people were sitting in a kind of Orwellian room, a socialist room. Everybody's dressed the same because you only have one type of clothes you can buy. Yeah. [00:05:29] By the way, hey, thanks, guys, for this, what has it been, two months' exhibition of what socialism's really like? There's nothing on the shelves right now. [00:05:38] Do you remember that? They're all sitting there and they're fighting this technocratic elite, when that woman runs down and throws the hammer at the screen. And obviously it was a pretty gloomy spot that ran, and I think it didn't have first run during the Super Bowl, if I remember. Bottom line, but the tech giants now, like Apple and Google, all of these guys have really morphed into what is now, I think, near totalitarian giants. [00:06:13] Now, they are controlling our speech. You got Candace Owens, brilliant woman. She's suspended from Twitter for challenging the Michigan governor. Facebook has flagged the Declaration of Independence as hate speech. It's incredible what's going on.
We see Aaron Renn reporting that conservative and left-wing groups are being pulled down at Twitter, and that was back in 2016. In 2019, YouTube has been blocking some British history teachers from [00:06:49] YouTube entirely for uploading archival material related to Adolf Hitler. Yeah. Heaven forbid that we remember what happened with him. And YouTube said that these British history teachers were breaching guidelines banning the promotion of hate speech, even though they weren't promoting it. They were trying to let people know, hey, this has happened before. [00:07:15] It can happen again. It's absolutely incredible. And, and where is that line drawn with the National Socialists in Germany? Right? You remember? That's what they were. That's what Nazi stood for. National Socialists. So the socialists there in Germany, they put out all kinds of propaganda films about how great they were. [00:07:35] We were only telling half-truths. Sound familiar, right? And there, these British history teachers apparently were putting some of these up so people understood what it looked like to have manipulation coming from the government. So they deleted the videos, uploaded to help educate future generations about the risks of socialism. [00:08:00] It's absolutely incredible. Now, Michael Cutler wrote just a couple of years ago that Twitter has, I love this language, now morphed into a means of thought control through the control of language. Now we have, through the government, through the legislature at the federal level, we have given these companies immunity from prosecution in most cases because we say, hey, it's like a public bulletin board. [00:08:30] People are up there saying stuff, and YouTube and Twitter, et cetera, you're not liable if someone posts, posts hate speech, et cetera, on your site. And now they're acting as though they might be liable.
And so now because they're acting this way, should we remove their, their special treatment of being basically a common carrier? [00:08:57] They're, they're saying, hey, listen, we're, we're more like the telephone company than anything else, than a newspaper. We don't have editorial control over the content and we don't control the content. Well, guess what? Those days are long past us. We need to make some changes here, okay? These big internet companies know more about you than you know about yourself, frankly. [00:09:20] And there's a study that came out, this was years ago, where average consumers are checking their smartphones 150 times a day, and that number has grown, so we've got to make some changes. All right, everybody, stick around. We'll be right back. We're going to talk about some attacks that are going on. If you like to go online, visit websites, or particularly if you have your own business or personal website, [00:09:46] I got some news for you about attacks that are underway right now. Stick around. You're listening to Craig Peterson on WGAN. Craig Peterson: Hey, welcome back everybody. Craig Peterson here on WGAN. Yeah. Big tech is strangling us. We talked about that and how laws really need to change. I know that Chairman Pai over at the FCC has been trying to tighten things up a little bit, but there's been a lot of pushback from the left and from some people in their bureaucracy. [00:00:26] We also already talked about the managers turning to surveillance software. And I understand why many of them are doing it, to protect their intellectual property more than to make sure you're working, at least. That's been the case historically. Now they're doing it a little bit differently. They're actually trying to make sure you're working.
[00:00:46] So if you are someone that has a website and it could be just a basic website, like something that you have for your local boy scout troop, or many, many of the other ones out there, your very likely to be using some open-source software called Wordpress. [00:01:07] WordPress is a great piece of software and I've been using it for many, many years. I used to hand-roll websites, which means I was sitting there writing the HTML code and putting everything in and it just wasn't very pretty. And then I moved over to an Adobe product. To do it. And then, then I went to something called WebGui, which was another piece of software to help run websites and build them. [00:01:35] And then I ended up on WordPress and I've been there for many, many years. Basically, since WordPress started. It has been quite a great little. Tool. So if you're thinking as well, by the way of putting up a website, let's say you want to start a business. Let's say you are a brick and mortar business, and frankly, you're looking to transition from brick and mortar to online first, which is what I think every business needs to be doing. [00:02:03] I want you to have a serious look at this. You can find it online. There are two WordPress sites. There's wordpress.com that you can go to online. And WordPress dot com just takes care of everything for you. They, they're a hosting company. They have themes. You can use a, they make it really quite simple. [00:02:25] It is not the most flexible but let me just give you a little bit of warning, but. All right? In this day and age, it's like 35% of the web is built on WordPress, so I'm looking at the numbers here on their website or their pricing plan. And for personal use, it is $4 a month. That is if you are paying for a year at a time so that that's hard to beat, isn't it? [00:02:59] And for premium, which I say is best for freelancers, it is $8 a month. Again, if you pay a yearly small business, they've got $25 per month and e-commerce. 
$45 a month. Now, the main difference between all of these different price points for WordPress has to do with domain name registration. Like if you're free, you probably don't have your own domain.
[00:03:28] If you're a business, you're going to need your own domain name. Some of them have live support 24/7; some of these, the basic packages, only have email support. Premium themes are only available in the higher packages. You know, the business ones, which are premium, business and commerce, they've got marketing and monetization tools that you can use at the business level.
[00:03:54] Some search engine optimization, some advertising analytics, they have just a whole bunch of things that you can do. And then, then the highest end in e-commerce, they're adding on accepting payments in 60-plus countries, integrations with top shipping carriers, unlimited products or services, e-commerce marketing tools, premium customizable starter themes, for 45 bucks a month.
[00:04:22] So then this is kind of a duh, if you are looking to start a little business and have it online, if you have a business and you're looking to move it online, we're talking about WordPress right now. So wordpress.com is where you go for all of that. Now I get more complicated than any of these provide for.
[00:04:45] So I can't just use wordpress.com, and I actually use WP Engine, as well as I self-host some sites. In other words, I have my own servers, because of my company Mainstream. We have our own data center. So why not? Right. But in some cases, like my bigger websites, I have up at WP Engine and they maintain everything for me.
[00:05:10] It's actually running on a Google platform, but they will automatically size it, resize it, and I can do absolutely anything I want. So if you want to be able to do anything you want, you're not going to use wordpress.com. You're going to go to wordpress.org.
Now, wordpress.org is the software that is behind wordpress.com, and it's the software that, again, 35% or so of the web uses.
[00:05:43] I actually think it's probably higher than that, and most places use WordPress nowadays, and it's just so flexible. It's no longer just a blogging platform. And they have some built-in beautiful themes. I use something called Divi, which is a page builder. There's a few of them out there: Beaver, Elementor.
[00:06:03] Those are the three big ones. And if you're interested in, in thinking, Hey Craig, maybe you should do a class on this for us. Well, let me know. I'd be glad to put something together, but you got to tell me. Right? I just don't know. Otherwise, me@craigpeterson.com if you'd like a class on this. And I know some people like Nancy Fields out there who, she'll help people with their sites and put them together, but wordpress.org is where you go to get the software you need to put on to
[00:06:36] some of these hosting services that you can use, and there's a million of them out there. Really. There's a lot, and then the kind of the ultimate, if you will, is the WP Engine guys. But I brought this up to let you know the basics, right? This is what you want to look at if you're thinking about going online.
[00:06:54] But on the other side, I want to warn people right now, because security teams and businesses have their hands full dealing with these COVID-19 related threats that are out there, and there are a lot of them, and right now the biggest problem isn't the hackers. The biggest problem is people clicking on emails and then getting ransomware.
[00:07:16] We have a client that just. Yes. No, it was earlier in the week, I think it was Tuesday, one of their employees downloaded some software, and he needed some software for Windows to do some screen grabs, cause he wanted to just grab a few things off of the screen and save them, save that graphic, and use it in some documents.
[00:07:38] So he went online, he did some searching and he found some screen-grabbing software, and lo and behold, there's this wonderful screen grab software for free that he downloads, and guess what? It's ransomware. So because we were doing all of the stuff for them and we had the really, the top anti-malware software that's out there, very advanced stuff,
[00:08:03] it detected it, it stopped it, it stopped it from spreading almost instantly, and that was just a phenomenal thing to have happened. It stopped it and it stopped the spread right away. So right now in WordPress, we're seeing a 30-fold increase in attacks on WordPress websites out there. This is just dramatic.
[00:08:27] So if you are running a WordPress site or website, you're going to want to really, really have a look at it, make sure it's completely patched up, because just like Windows and Mac, iOS and Android, you have to apply patches. Man, it's like Grand Central Station here today. People in and out.
[00:08:48] Anyhow, let's see. A million websites were reported attacked in the week from April 28th, for one week. On May 3rd alone, they counted in excess of 20 million attacks against some half a million WordPress sites. It's just absolutely crazy. And by the way, they're coming in from more than 24,000
[00:09:10] distinct IP addresses. What that means, people, is your machines have been compromised and the bad guys are using them to launch attacks against websites and other people, which is not news, but it is news to most of those 24,000 people whose computers are being used to launch attacks.
[00:09:32] You are listening to Craig Peterson. Stick around because we're going to be right back. Talk a little bit about Zoom and how they are going to fix their chats. Stick around. We'll be right back, and of course, visit me online at CraigPeterson.com.

Craig Peterson: Hello everybody. Craig Peterson here on WGAN.
You can hear me here every Saturday from one till 3:00 PM, and on with Matt Gagnon Wednesday mornings at 7:34. This week, because the mayor was on, let's see, it was Friday at like 8:08 or something like that. So, was very, a little bit, off. But I'm here from one til three.
[00:00:31] Anyways. And for those listening online, of course, I am on pretty much every podcasting app out there. And in some ways, I'm one of the pioneers of this thing. I've been doing this podcasting stuff for over 20 years, so for a very, very long time. I don't know, it kind of makes you feel old. So, so far today we just talked about WordPress and how you can use that
[00:00:53] for your business, where you can go online in order to find the right hosting environment for your WordPress site. We talked a little bit about how WordPress also has security vulnerabilities like anything else and what is going on right now. I also spoke about half an hour ago here about how big
[00:01:16] technology is a drag, just strangling, just totally strangulating all of us with their censorship. Free speech just doesn't exist when you're talking about the big guys. And then, of course, we started out the show talking about surveillance software and what managers have been doing with the surveillance software over the years.
[00:01:42] It's really bad, frankly, what's been going on. And right now we're going to talk a little bit about something pretty much, I think, everybody in the country's been on, and that is Zoom. Now, if you have not been on Zoom, let me just explain it really briefly, and that is Zoom is a video conferencing app. It's been around for a while now, was written by a couple of kids, and they did a terrible job with the security side of things.
[00:02:14] It works well, it's easy to use, and so they did a very good job on that. And frankly, if they hadn't, they wouldn't be kind of the premier video conferencing app right now. We just used it for Mother's Day.
I set up a Zoom conference for my mother and of course my stepfather, and we did another one for my, my father and my stepmother, and we had the kids on there, like 16 people called into it, and I chose Zoom,
[00:02:48] knowing that it was easy to use, that a lot of people use Zoom and really like it, but also knowing about the major security problems. Right? We're talking about Mother's Day, so I'm not worried about losing intellectual property. I'm not really worried about having people Zoom-bomb me, and that is where Zoom bombing has been going on like crazy.
[00:03:12] But Zoom bombing is where somebody gets onto your Zoom conference and does something nasty, anything from sexual stuff through, I, I've heard of swastikas coming up, you know, the good old socialist, National Socialist party of Germany in World War Two. I've heard about all, just all kinds of terrible things that have been coming up.
[00:03:37] So I wasn't worried about Zoom bombing me, so because I wasn't worried about privacy, intellectual property, Zoom bombing, okay, it's fine, because I have a small business account on Zoom. Now when I am doing something for my business, that's business-related, or I'm concerned about intellectual property or security, then I use WebEx, because it is a, not just a regular WebEx, but a secured WebEx, because it is a
[00:04:05] very well known commodity out there, something that many people have been looking at, and the federal government uses, military uses, et cetera, et cetera. So that's kind of what I do. So Zoom has had a very, very bad rap as of late, and for, I think, frankly, it's for many, many good reasons. And I'm, I'm on Google right now, and you know, I recommend you use DuckDuckGo.
[00:04:32] But I'm going to use Google because of the fact that that's what most people are using, and I wanted to have the same results you'd see. So I just went into Google News and I said, Zoom security. And it's got the latest updates, the highs, the lows.
Here's what you need to know. Avoid the app and do this instead.
[00:04:53] Here's why. It's from Forbes. Zoom 5 offers new security and privacy features. That's the new version of Zoom, the new major version that they've released. In case you didn't get that notification, make sure you upgrade Zoom. Zoom settles with New York attorney general over privacy and security concerns.
[00:05:13] This is just two days ago. Zoom's tips for safety as recommended by video conference experts. Zoom issues, security issues, place a spotlight on other video platforms' privacy troubles. But here's the one that I think is kinda interesting. This one's from Forbes, and that is Zoom buys Keybase in bold new security move.
[00:05:37] How this could change everything. If you've been listening for a while, you know I've been talking about how there are still security jobs open. You know, right now, security is kind of at the bottom of the list for most of the businesses out there, because businesses are saying, Hey, we just don't know what's going to happen with our business going forward.
[00:05:59] So let's just drop security. Who needs security, right? Yeah, yeah, exactly. That's a bit of a problem if you ask me. And so because of that, I, you know, there, there's probably been a drop, I think, in the number of security jobs that are currently open, but we were talking about two and a half million, you know, up to 3 million open cybersecurity jobs before this whole pandemic.
[00:06:26] It is, frankly, we need security now more than ever, as business people and at home, because we're under attack more than ever. But this is Zoom's first acquisition. Now I would actually call it more of an acqui-hire than an acquisition. And if you're not familiar with that term, it's probably because it's a pretty new term.
[00:06:52] And an acqui-hire is where you find a company that has talent in it that you need or you want. And so how do you hire those people away?
You probably can't, and it is a team of people working there, so you got to figure they probably work together. They know how to work together. They know what some of the things are they need to do to work together.
[00:07:19] So you just go ahead and you buy the whole company. So they're calling it an acquisition. In reality, this seems more like an acqui-hire, and Zoom's got this 90-day plan to improve their security in this whole video conferencing system. We'll see what ends up happening. The terms of this deal weren't disclosed.
[00:07:41] I'm sure a part of it is, usually, Hey, all of the employees have to stay, or these key people have to stay. And then as part of the acquisition, they'll pay everybody some sort of an amount. So it isn't just the stakeholders, the stockholders, that make money off of this. Everybody stays around. But this is their first acquisition. Zoom's nine years old, in case you didn't know that, if you thought they just came out of nowhere.
[00:08:09] It's one of these overnight successes that took nine years to get there, but they're saying that as of a couple of weeks ago, there were 300 million people on Zoom. That's dramatic. In December, it was estimated that there were 10 million people. Now for the FBI InfraGard webinars that we were running, the FBI wanted us to use Zoom.
[00:08:34] I don't know why, but that's what InfraGard wanted us to use. That's what I used. So we were part of that 10 million. To up to 300 million. Can you imagine that kind of growth? So you can see how they had to do something, do something fast. They could not just staff up for it, but they're planning on creating a secure, private and scalable video communication system.
[00:08:58] Part of the problem they've had recently when it comes to scalability is they have been routing people's teleconferences through China and other parts of the world.
And of course, that really upset people when they found out about it, because of course China sits there and spies on everything that's going on now.
[00:09:19] The company that they acquired is called Keybase. They spent the last six years building a secure messaging and file sharing service. And with this, users can chat and share with team members and communities knowing that the messages are end-to-end encrypted. So the other thing with this acqui-hire that Zoom may be getting is the ability now to have chat and file sharing, which is something that
[00:09:49] Microsoft Teams has, that WebEx Teams has, right? That's what the Teams apps have. And even Slack has built in now some communications ability. You can have small meetings and make calls to other users. And Zoom is planning on putting this encrypted end-to-end meeting mode in for the paid accounts.
[00:10:12] So if you have a free account, you're probably not going to get it, at least not initially. And then they're going to use public-key encryption, which is something that is, say, Pattonville a little bit of a go. But it's absolutely the way to do it. So I'm glad to hear that there are some adults in the room now over at Zoom, and they realized not-invented-here syndrome is not going to help them grow.
[00:10:37] It's not going to solve their security problems. And so they acquired a company that has been doing this type of security for quite a while. So, okay, here we go. This is an article from, this is Dark Reading, I think. Yeah. And they're saying as part of the deal, Keybase's team members will become Zoom employees.
[00:11:00] So there you go. Okay. They, so they are planning on publishing a draft for their cryptographic design next Friday. So it's coming up pretty soon. So we'll keep you up to date on this. I promised I would in the past let you know what Zoom is doing and how they're doing and where they're going, et cetera, et cetera, et cetera.
[00:11:21] So I'm really glad to hear that Zoom is pulling up their socks. So we are going to go away for a quick break. And when we come back, we're going to talk about one of these companies that has smart hubs and what they have done. And this is kind of a story about what happens at end of life. And it's something that every business needs to think about.
[00:11:48] If you're using salesforce.com, Microsoft, you name it, those companies are eventually going to go out of business. What happens when they go out of business? What's going to happen to your data? Whose data is it anyway? And in many cases, these companies are saying, It's my data. We own it, and if we lose it, we don't owe you
[00:12:17] anything. Real problem, if you ask me. So stick around. We'll be back here right after the break with news, et cetera, and we'll be talking more about all of this. You're listening to Craig Peterson, right here on WGAN, and make sure you visit me online. Go to CraigPeterson.com, make sure you sign up for my newsletter so you can find out about the various cool stuff we've been working on and that we'll have out for you very, very soon.
[00:12:45] Take care, everybody, and stick around, cause we'll be right back.

Craig Peterson: Hey everybody. Welcome back. Craig Peterson here on WGAN and of course online as well at CraigPeterson.com. We have been talking about a bunch of stuff today and you know, if you missed any of it, you can go to my website, CraigPeterson.com. This includes why businesses are using surveillance software,
[00:00:25] to where what you can do as an employee if you think they are spying on you and what are your rights when it comes to some of this stuff. I talked also about what is happening with big tech and censorship, and it really is a big problem. WordPress and how you can use that as a business. You know, if you are brick and mortar, you probably want to try and transition to more of an online model.
[00:00:53] But even if you have a little bit of both, maybe WordPress is the way to go. So we talked a little bit about that, when you can get WordPress as a service and also what you can do about it yourself. And by the way, attacks on WordPress have gone up 30-fold in just the past few days. And then just before the top of the hour, we talked about Zoom
[00:01:17] and how they have acquired a company in order to have end-to-end encryption on Zoom. And I bet you also, because of this acquisition, who they purchased, Zoom's going to be seeing a new feature here where they're going to be doing a little bit of conferencing and collaboration. So I think that's going to be a good thing.
[00:01:40] It's going to give a little competition to WebEx Teams and also to our friends at Microsoft Teams. Now, how many of you guys out there have been using some of these services for your Internet of Things devices? Now, Internet of Things devices that I'm talking about here, my kind of definition is anything that would normally be considered just a piece of hardware, you know, something that you turn on and use.
[00:02:10] A good example would be some of these thermostats many of us have, right? We've got these, now it's Google Nest thermostats, or some of the lights that we have. Well, many of these devices require what are called bridges because they're using different technologies. So for instance, in my home, I've got some,
[00:02:35] now, Apple Home equipment, and of course we use Apple equipment almost exclusively in my business, and we have iPhones with iOS and Apple's Home. The Apple Home is the most secure way of controlling your Internet of Things devices. The problem is that not many people make devices for Apple Home, and that is because they are a little bit more expensive to make.
[00:03:05] You have to have better encryption software.
You have to pay the Apple tax, because Apple developed it and Apple is going to charge you as a manufacturer to use their technology. So many of these companies have kind of gone off and done their own thing. We have some Hue lights as well, H-U-E, from Philips.
[00:03:25] Great lights, by the way. And those are all, again, controlled remotely, and we've got it tied in so that our iOS devices, our iPhones, can turn on and off the Hue lights, can turn on and off like our family room lights, et cetera, and can change the colors of lights. But because my Internet of Things devices are not directly compatible with Apple Home, we had to get some special hubs.
[00:03:58] So we have a small hub, and that hub speaks both the Hue protocol, it speaks a protocol that is used by the light dimmers in our main rooms, and it speaks Apple's protocol. Now, we're totally geeked out. So guess what? We have Linux running on a box. It does all of that stuff for us, right? So we can maintain it, we can update it, we can upgrade it.
[00:04:23] We know what's going on. Just because I'm paranoid doesn't mean they're really not after me. Right. Well, there is a company out there called Wink that many people have been using for quite a while. Wink, I should say, looks pretty darn good. It was launched first about six years ago, and the idea was to be able to connect and control all of their devices through just one master Wink interface. So Wink exists to really kind of simplify life for somebody, right,
[00:05:00] that's really into the Internet of Things. You've got your lights, you got your locks, your thermostat, your cameras, your appliances. And they're all coming from different brands and they need different apps to operate.
[00:05:13] Nowadays, you even see refrigerators and ovens. Man, I think I saw the first internet-connected one about six years ago as well.
Our washing machines, dryers, all of these things, and they're different brands, and even though they might be using the same protocol, it doesn't mean it's implemented the same way.
[00:05:35] So these devices just can't speak to each other. Enter Wink. Now there are a number of different devices out there that can be used as a smart hub, that speak to different, you know, different protocols, different vendors, everything else. But a lot of people went to Wink because you bought it once. And that's it.
[00:06:00] It was free for the rest of your life. Now, Wink cost more, yes, than some of these others, but you did not have a monthly subscription fee that you had to pay. Well, as of this week, Wink is starting to charge on a monthly basis for their devices. The quote from Wink, and obviously then they're looking for cash.
[00:06:24] Now, who isn't? Wink has taken many steps in an effort to keep your hub's blue light on. That's the light on the Wink Hub. However, long-term costs and recent economic events have caused additional strain on our business. Unlike companies that sell our data to offset costs associated with offering free services, we do not.
[00:06:48] Little jab there at Google. Data privacy is one of Wink's core values, and we believe that user data should never be sold for marketing or any purpose. So basically what they were doing is, no grandfathering. The mandate here is to pay up or we're gonna shut you off. Here's what they said. Should you choose not to sign up for a subscription, you will no longer be able to access your Wink devices from the app, with voice control or through the API, and your automation will be disabled on May 13th. Your device connection settings and automation can be reactivated if you decide to pay up, excuse me, to subscribe at a later date.
[00:07:35] So there's no warning. It's now $5 a month per device. Think about how many devices are out there and how many devices people might have. Right?
I'm a little unclear as to whether it's only $5 per house, because you might only have the one Wink Hub, or if it's $5 per month per device. That's kind of how I read it, so it could be really, really expensive, and people are very upset about it.
[00:08:05] You know, on Reddit there are thousands of responses to this company's tweet that was posted there. Most people are just absolutely angry. You know, they paid a lot more to get something that had lifetime support, and here it is, no lifetime support. Right? So this feels like a variation on a familiar theme, because it's happened many times.
[00:08:29] You know, these internet-connected light bulbs. Many of them no longer work as a company went out of business and the servers got shut down. Smart scales. In some cases they just got dumb, and they show you your weight but no longer show you your history or weight loss or anything, and in some cases, they just don't work at all because the companies pulled the plug on the apps.
[00:08:51] These pet feeders. We've talked about a couple of cool ones here. They've gone out of business. They completely stopped feeding pets. How about these vacuums that we have in our homes that are all automated? They're running around cleaning the houses. So this is nothing new. We have seen companies go out of business before, right?
[00:09:12] You've seen companies go out of business, right? Tell me. You have, tell me I'm not crazy. And when the companies go out of business and they're providing a monthly service for you, then what happens? This gets to be a very, very big deal, and I also want to caution businesses, because it reveals a major hole in this whole cloud business.
[00:09:40] You know, we look at the cloud and say, it's going to make my life simpler. It's going to keep my costs down. I don't have to worry about that side of it anymore. I'll just use this cloud service like Salesforce, for instance, or, or Dropbox, or whatever it might be. In reality,
[00:09:59] now, remember that your core business information, your intellectual property regarding your customers, regarding your orders, regarding your sales, your inventories, all of that stuff is now in the hands of a third party. So what's going to happen when that third party goes out of business? It could be really, really bad for you. And for me.
[00:10:27] So one of the things that we always advise our customers is to make sure you have a third party in place that's securing these cloud-based apps and is doing backups for you.
[00:10:43] So for instance, most of them, Microsoft Office through the, what do they call it now? Windows 365 plans or whatever it is. Those email accounts don't have backups, and there's no guarantee from Microsoft that they will not lose your data. So are you backing that up as well? I think there's a lot of lessons for all of us in this, and be careful when you're buying something.
[00:11:11] We just got a new dryer. I made sure it was not internet-connected. I don't want a dryer from a company sitting in my house on my network, even though I've got it separated out into the Internet of Things network. I don't want that device sitting there potentially providing a breach for the rest of my network.
[00:11:34] So think about that, be careful with that. You're listening to Craig Peterson right here on WGAN. Stick around because we're going to talk about how Microsoft is getting rid of passwords. We'll be right back.

Craig Peterson: Hey, welcome back everybody. Craig Peterson here on WGAN. Thanks for joining me today. I always appreciate it and I love getting your emails. I've got a couple of great ones this week. Again, Gary was out there letting me know what he was having some problems with. In fact, I even ended up getting on the phone with him to help him out a little bit with this whole tracking thing.
[00:00:26] He was thinking that his GPS was being used to track him, and some people were really trying to mess with him while he's trying to make some money driving around. So I explained how the app he's using as a paid driver works, how it tracks him, and how he can stop it from tracking him when he's not working.
[00:00:47] So if you're driving for Uber Eats or Grubhub, et cetera, that's, that's the sort of thing he's doing. And he was really kind of wondering about it, because some people were changing the delivery point on deliveries, and he'd show up at the new address and there's nobody there, and there's nobody at the old address.
[00:01:07] And so he was really having some issues. Yeah. Obviously that can be a problem. So if you have any questions, whether it's about Grubhub or anything else, by all means, just email me, me@craigpeterson.com. Let me know how I can help. I'm always glad to give a little bit of help for absolutely nothing.
[00:01:28] And obviously this is what I do for a living as well. So you know, if, if it's a lot of work, then I'm going to have to charge you. But anyhow, Microsoft. Now, passwords have been kind of the bane of my existence forever. I remember the very first time I had a password. I don't remember what it was. It would have been pretty simple back then, but that was the early 1970s, and it was a non-online timeshare.
[00:02:00] The computer, an HP, I think it was like a 2000 Access, or 2000, that after that got upgraded to an A, and it was so totally cool. It was my first real computer access, and we had a teletype, a TTY33, yay. Seven level. Yeah. So it was, it was really, really cool.
[00:02:24] And that was my first major introduction to computers way back then, and we had passwords. Now, the head of the, of the math department, and that's where I was at the time, I was in school then, it was inside the math department. He always used some variation of his name for his password.
And I still remember to this day, his name was Robert Allen Lang.
[00:02:53] So, hi, Mr. Lang. If you're, if you're still around, actually, if you're listening. But he would always use a password that was like R A Lang or R Allen Lang or, you know, you could always guess what his password was, so we would guess his password. And we'd use that to get more access. So for instance, our accounts could only have so much storage, and the accounts could only have so much time per week to be used.
[00:03:26] We just loved using as much time as we could. Oh, man. One of these days, I'll tell you some stories. And so we would hack into his account. And once we were in his account, we then gave ourselves upgraded privileges and online time and kind of everything else. So yeah, you know, that's what you do when you're a kid, but anyhow, you know, teenagers, right?
[00:03:54] Fast forward to today and passwords are still a problem. I've been using pretty darn good passwords for a very, very long time now, and as you probably are aware, if you sign up for my email list, I'll send you a special report on passwords, but you might be well aware that I really like 1Password.
[00:04:16] It's by far the winner. There are some other half-decent password managers out there, LastPass being one of them, but 1Password, absolutely the winner. And we also use Duo, which is a two-factor authentication system. So between the two of them, we're pretty secure, and I have it generate passwords for me, which is really nice, and it'll generate passwords.
[00:04:39] It's funny, many times I'll have like a 20-plus character password and the website I'm on just doesn't support that. Sometimes it'll ask, Oh, you didn't put enough special characters in, which, as you know, just doesn't count anymore. So make sure you get my password special report so you can see what the current advice is.
[00:05:01] And it's really changed recently, current advice for passwords and what you should do.
So we've got World Password Day, and every year we talk about passwords and what you should do. And this is the first year, I think, we're seeing more people starting to really use new forms of authentication. We're working from home, even at work, and people are starting to understand just how insecure and ultimately how costly passwords really are.
[00:05:38] Our cybercriminals don't need advanced techniques when they can just bet on human behavior. Ponemon Institute did a survey in 2019, and this is all on security behaviors, okay? And they found that 51% of 1700 information technology and information technology security professionals reused an average of five total passwords again and again and again across both their business and their personal accounts.
[00:06:17] Now that is a very bad thing to do. There's something called password stuffing, where they steal your password. And remember a couple of weeks ago I mentioned the "Have I Been Pawned", or Pwned, website? And there's a feature that I put out as well. I don't think they're airing it on WGAN, but they are on some other stations, all about pwned passwords.
[00:06:41] Well, once a password has been stolen and they know what it is and they know what your username is, they just start automatically going and checking banks, trying to log in with that email address and that password. So having the same password that you're using on more than one system is a very, very dangerous habit, because if they get ahold of just one password, they know they can use it on other sites and they're probably going to be able to get in.
[00:07:16] So this single compromised password can create just this chain reaction of theft and liability, frankly, on your part. And on average, one in every 250 corporate accounts is compromised each month. Think of that. One in, one in 22 really, accounts is compromised every year. Wow. That is huge. I don't think I've ever seen that stat before.
[00:07:48] So this expense of using passwords is really continuing to grow because we're using more business applications online, aren't we? I just talked about the cloud and some things you need to be careful of with the cloud. Well, the cloud requires passwords and we're using those same passwords. Man. That is bad.
[00:08:12] By the way, password reset is one of the highest support costs, especially in larger businesses. And that means that companies are dedicating 30 to 60% of the support desk calls to just resetting passwords. So we all have to understand it better. We all need multifactor authentication, at the very least two-factor authentication, and Microsoft now has this passwordless login.
[00:08:43] You might've used it, you might've seen it, where it's using the camera on your computer, and sometimes it's using other biometrics, like your fingerprints, et cetera. And there are new technologies out there that are being deployed, including in web browsers, that we'll be talking about in the future as they get a little bit more well adopted.
[00:09:03] But some of these keys, these USB authentication keys, have a built-in, it's called FIDO, so if you're interested, you can always dig that up and we'll be covering that in a, you know, a future show, as I said, and I do some training on that with my mentorship site. All right, everybody, stick around.
[00:09:25] You're listening to Craig Peterson on WGAN and I'm going to talk a little bit about remote work and now the security fight that's happening in the cloud. Make sure you join me as well Wednesday mornings at 7:34 with Mr. Matt Gagnon, morning drive time, as we talk about the latest in technology.
[00:09:50] Stick around. I'll be right back.
Craig Peterson: Hey, good morning everybody. Craig Peterson here. We started out this whole show talking about surveillance here that managers are doing as they're surveilling their employees.
I want to talk now a little bit about surveillance where we should be keeping an eye on our cloud devices and our endpoints.
[00:00:28] So let's start out with the cloud. You know, I call them devices. In some places, you might be using a server that's living up in maybe Microsoft Azure or Google's cloud, Amazon cloud, Amazon Web Services, et cetera. Those systems can all be compromised. And yeah, they're sitting in the data center. Yeah. You don't have to pay for the hardware or the electricity or the cooling, which is really nice.
[00:00:58] Yeah. You don't have to hear all of the noise they make in the background, but many businesses have found that, wow, the cloud really isn't the panacea I thought it was. And they're actually moving it back out of the cloud. And that's particularly true of businesses that have security concerns due to regulations, because moving to the cloud does not absolve you from these regulations.
[00:01:27] Now we've got this additional problem of people working from home, so they're using either their own computers or maybe a company computer at home. They might be connecting to the office, but it's just as likely, maybe even more likely, that they're connecting to a cloud service somewhere. Not just for collaboration or for meetings, but to do their basic work.
[00:01:51] As more and more businesses are saying, hey, why should I be paying for the software or hardware, et cetera? Let's just move it all to the cloud. And we're seeing now states and cities that are starting to lift some of these stay-at-home orders, but frankly, this increased level of employees working from home
[00:02:12] is not going to disappear. Sure. It'll get a little smaller. Many businesses are going to be calling people back and they are going to be working from that office, but many people are in businesses that are going to continue that move over to the cloud. So what are the security challenges that come from a hybrid infrastructure?
[00:02:35] Almost three-quarters of companies expect at least 5% or more of the former onsite employees to work from home on a permanent basis. That's not a lot, but 5%, when you add it up over all of the small businesses, that is a lot, because half of all employees in the country work for small businesses. And a quarter of businesses are planning on keeping at least 20% of their workers out of the office post-pandemic.
[00:03:06] And this is according to a survey of chief financial officers by the, it's, maybe you guys know Gartner, right? Gartner Group. They're a research firm, so their numbers are usually considered gospel in the business world. With this remote work comes even more cloud usage, and that could be a problem for a lot of companies that have issues with the visibility into the security of the cloud.
[00:03:33] Now, you might be, as a business, relying on maybe some perimeter defenses or maybe some on-premise security software and appliances to help keep your systems and data safe. Now, most of the time, small businesses aren't using the right stuff. They're just using some equipment that they got from, you know, a random break-fix shop or, heaven forbid, at Staples, or they ordered it from Amazon.
[00:03:59] You can't, you just can't get the good stuff from any of those places. But that's not going to work anymore at all when we're talking about remote workers, because people are in their homes and they're using cloud services that you just don't know the security level of. You might not know what the patch level is of Windows, of the software that's running on Windows.
[00:04:26] You might not know any of that stuff. Right. But we are going to see a major shift. So let's talk about it a little bit here. We're just seeing, you know, massive, massive growth. I'm looking at these numbers in telecommuting. It was growing slowly before, but now many technology firms, particularly marketing companies, are relying almost exclusively on people working from home.
[00:04:53] IBM had moved people to work from home and then found that experiment to be a failure and moved everybody back into the office. Now, that was back in 2017. They pulled them back in and made them work from an office in one of six cities. Whereas IBM now has moved almost entirely to remote work, and they've got 95% of its current workforce working outside of the company offices.
[00:05:21] IBM, by the way, is a major player in the cloud, in case you weren't aware. They were way more prepared for this problem than many companies. It com and infrastructure information security groups. Absolutely true. So coming out of this, we need to embrace the fact that we have to continually be ready for a full
[00:05:43] remote workforce. What is going to happen? And I'm, I'm on the governor's task force here on education, on re-opening education. What are we going to do? And of course, I'm the security guy, the technology guy, actually one of the technology people on that task force. And we had a meeting this week and we were talking about it.
[00:06:07] Okay, fine. So we've got the COVID-19 thing and it's eventually going to be a thing of the past. But thinking about the teachers that are 60, 65, 70 years old, what happens when there's another virus? What happens when the annual flu occurs? Are we going to be shutting down our offices again? Are we going to be shutting down our schools again?
[00:06:32] Are we going to maybe try and do quarantines as we've always done in the past, where we say, hey, if you are sick or if you are vulnerable, you just stay home? Because this is happening more and more. We had SARS, you know, that wasn't long ago. Right? That was another COVID virus that we had. We had MERS.
[00:06:56] That was another COVID virus that we had. We've had a number of these things. I'm thinking about Ebola, which I don't think was a COVID virus. They're happening more and more.
And as we have more and more people in the world, the likelihood of them occurring is going to be even greater. So if you are a business person, and in the case where I'm on the governor's task force, looking at education, if we are a school, what are we going to do in the future?
[00:07:30] And I really think we have to realize that we have to be able to have our businesses basically work remotely. So I want to encourage everybody to really keep that in mind as we're looking at this going forward. What can you do in order to make your business COVID-proof? Now, it isn't just COVID-19. What happens if there's a fire and your building burns down?
[00:08:00] What happens if there is a major lightning strike and it burns up all of your computers, just zaps them? What's that all going to mean, and what's going to happen within the next 12 months? Are we going to have another massive spike in the COVID virus, and are you ready for that? We've got to think about it.
[00:08:21] The other side is the endpoint devices, and we're seeing right now six in 10 remote workers using personal devices to do work, and almost all of these workers believe that the devices are secure. CrowdStrike had a look at this and said that people are naive. Six in 10 remote workers are using personal devices to do work, and
[00:08:48] almost none of them are properly secured, and we've got attackers now focused on targeting the remote workers. They're going after VPN technologies, which is part of the reason I say don't use VPNs, right? It's where the people are and it's where we're getting it back. So be ca
In today's episode, we will be talking with our good friend, Stanton Gatewood. Stanton is a cybersecurity and information technology leader with 30-plus years of experience in the public and private sectors. Stanton is currently a Distinguished Fellow with the Ponemon Institute. Listen in as we discuss situational awareness, user awareness and the meaning of Shokunin, among other things. You can connect with Stanton in the following ways: Email: g8infosec@gmail.com LinkedIn: https://www.linkedin.com/in/stanton-gatewood-0b70b414 At Tech & Main, we want to be YOUR technology partner. Let our 20+ years of expertise help you achieve the outcomes that are best for your business: cloud, SD-WAN, data center, security or anything else. We have engineers and project managers available to assist you. Call our office at 678-575-8515, email us at info@techandmain.com or visit us at www.techandmain.com. Thanks for listening!
How Smart Is Your Car? The global autonomous vehicle market accounted for US $27.9 billion in 2017. Forecasters expect a compounded annual growth rate of 41.5% through 2026, which would boost the market to US $615 BILLION. Autonomous vehicles could reach 15% of global light vehicle sales by 2030. This progress toward modern mobility sounds positive, but it comes with complexities. Biggie Smalls once said something about dramatic infusions of capital and the subsequent results. Our friends at the Ponemon Institute did some digging… 84% of automakers and their suppliers aren’t sure cybersecurity practices are keeping pace with evolving technologies. 30% of survey respondents do not have an established product cybersecurity program or team. 63% test less than half of their hardware, software and other technologies for vulnerabilities. There’s plenty that the automotive industry can control. But do you know what steps you can take to avoid the potential damage cyberthreats can cause to your organization? Well… you are in luck, because today’s guest on the InSecurity Podcast is someone who knows many of those steps. This week on InSecurity, Matt Stephenson chats with Jeff Davis, Head of Smart Transportation Innovation and Development at BlackBerry, about the ever-changing world of connected transportation. It’s not all self-driving cars though. Want to take a deep dive into what is involved in building a smart city? Stick around… About Jeff Davis: Jeff Davis (@jdavisusmc) is the Head of Smart Transportation Innovation and Development at BlackBerry. In this position, Jeff holds responsibility for the strategic innovation and development of smart transportation markets. He’s developed cybersecurity, mobility and connectivity programs that specifically focus on human interaction with advanced technologies and new concepts.
About Matt Stephenson: InSecurity Podcast host Matt Stephenson (@packmatt73) leads the broadcast media team at BlackBerry Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity podcast and video series at events around the globe. Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come. Every week on the InSecurity Podcast, Matt interviews leading authorities in the security industry to gain an expert perspective on topics including risk management, security control friction, compliance issues, and building a culture of security. Each episode provides relevant insights for security practitioners and business leaders working to improve their organization’s security posture and bottom line. Can’t get enough of InSecurity? You can find us at ThreatVector InSecurity Podcasts, Apple Podcasts and Google Play as well as Spotify, Stitcher, SoundCloud, iHeartRadio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!
Another report comes out that says insiders are a huge problem. You have to worry about the people, people. We have been saying this for years. The latest news on that front is in the 2020 Cost of Insider Threats Global Report released by the Ponemon Institute and sponsored by ObserveIT and IBM. It does tell us a lot of things we already knew, but the details, including those about how it is growing, are important to note. More info at HelpMeWithHIPAA.com/242
This conversation features a discussion on security concerns specific to the rapidly growing number of Internet of Things devices and recent legislation passed in California to regulate them. Joining the discussion is friend of the show, Kathleen Glass from 2B Advice, and first-timer Ro Cammarota from the CTO office of Intel AI Research, San Diego. At Intel, he is currently working to grow the effort on Secure and Private Computing, Trustworthiness, Agile Hardware, and Standards for AI Systems.
This episode features a conversation on compliance readiness and best practices with Patti Titus, Chief Privacy and Information Security Officer at Markel Corporation. She has a background as an airman in the U.S. Air Force and became the first female CISO of a federal agency at the TSA in the early 2000s. Since then, Patti has performed the same role during stints at Symantec and Freddie Mac among several other companies before landing at Markel Corporation where she now focuses on privacy of information.
This episode features a conversation on cybersecurity training with Ed Adams, President and CEO of Security Innovation. Ed is a software quality and security expert with over 20 years of experience in the field. He has presented to tens of thousands of security professionals at reputable industry events such as RSA Conference (the US & Asia), Ponemon Institute’s RIM Renaissance, Connected Security Expo, Mozilla’s Privacy Lab, Allstate CyberCon, Applied Materials Global Technology Conference, among others.
This episode features a conversation on security incident response methodologies with Darren Bennett, Chief Information Security Officer for the City of San Diego. Darren is a global information and cybersecurity leader with more than 20 years' experience focusing on all aspects of cyber, information and physical security. As the CISO for the City of SD, he is responsible for the security of all information systems used by the City, including public utilities, police, fire, administrative systems and more.
Today's episode of the Seamless Podcast kicks off our latest partner series with Dr. Larry Ponemon, CEO/Founder of the Ponemon Institute. Darin & Mike outline the format of this new show series which will include expert guests discussing the hottest topics in CyberSecurity & Privacy. The Ponemon Institute conducts independent research on data protection and emerging information technologies. Show topics will include data collection, management and tips for enterprises on safeguarding of information assets.
Welcome! The Holidays are almost here -- Hanukkah begins tonight and the middle of next week is Christmas - Boy, this year has flown by. There is a lot of Tech in the News, so let's get going! For more tech tips, news, and updates visit - CraigPeterson.com --- Related Articles:
Signature Anti-Virus does not adequately protect you from today's Malware
Lessons We Failed To Learn and Therefore Are Doomed To Repeat
Business Computers Should Only Be Used For Business
5G - Not Ready For PrimeTime...Yet!
Are You At Risk from Your Outsourced Software Provider
Security - Knowing What You Have Is Essential
Chrome 79 will continuously scan your passwords against public data breaches
Getting the Perfect Tech Gift for Your Special "Techie"
--- Automated Machine-Generated Transcript:
Craig Peterson: Hey, hello everybody, Craig Peterson here on WGAN and online at CraigPeterson.com. Hopefully, you're able to join me on Wednesday mornings as well, as I am on live with Ken and Matt. We always talk about the latest in technology and news and of course in security, since that's primarily what I've been doing for the last 20 plus years here in the online world. Man, just thinking back, it's, you know, I first got on the internet, of course, it wasn't called that, but way back in the early 1980s. And I remember, in fact, when I first started doing networking professionally back in 75, there was no worry about anything. With, you know, yeah, okay, we didn't want people to hack in, so you'd have leased lines for your business, and I was doing a bunch of work from banks way back when, right, one of my first jobs, and I was really enjoying it. I just learned a whole lot up to today. And we're going to cover this here because, my gosh, it has changed. The Internet used to be very libertarian, everybody on it was very libertarian or conservative. Of course, that's because there were a whole ton of government contractors on the ARPANET as well as some colleges and universities.
And you look at it today, and you think that really it's changed dramatically, which it has. But I think the ratio is probably still about the same. You've got the silent majority that just doesn't say much about anything, right. And then you've got this hugely vocal minority who's just yelling and screaming all of the time. And then some of these tech companies that are trying to straddle somehow in the middle and not get everybody all upset with them. It's really a much different world. But when we're talking about security, it is nothing at all like it used to be. You used to go online, and you'd have some fun, you know, exchange emails with people, you'd share some files and some fun things. I remember this one whole thread on cheeses. That was just absolutely amazing. I think it came up this time of year, while it was all these puns about different cheeses. It was a lot of fun. Now today, we've got a whole different internet out there, and a great article by Robert Lemos, and he is looking at WatchGuard Technologies' latest quarterly report that was published just last week. And this network security firm found that the percentage of malware that successfully bypassed anti-virus scanners at companies' network gateways has increased significantly. WatchGuard Technologies is saying that the amount of malware that signature-based antivirus software catches has plummeted to about 50%. Now, I think their numbers are high, because I think it's more like 20%. But they're getting specific here. They're talking about the amount of malware that comes into a network via an external source. In other words, people are accidentally pulling it from a website they visit, or perhaps it's been injected into their systems through someone who's visiting their network and using another vulnerability. But they're saying that antivirus software, this is signature-based stuff, that's what you get from Norton Antivirus.
That's what you get from, you know, the Symantec people, from McAfee, from all of these different antivirus companies out there. It is just horrific what's happening because of what's known as zero-day. Now you might have heard of this before, you might not have, but basically what zero-day malware is, is malware is nasty software, and malware includes things like viruses, worms, Trojans, etc. It is this type of malicious software that has not been seen in the wild before. And what it used to mean is they would, you know, some brilliant person who, as my mother would say, why don't they do something useful with their time, some brilliant programmer would come up with a piece of software, no one had ever seen a way of attacking that no one had ever seen before. And they would attack us and they would get through because there was no signature for it, or the engines in the antivirus software just could not manage to handle, you know, malware like this new piece of malware that just came out. The problem we're having today is that the majority of malware acts just like zero-day. So here's what happens with a signature-based attack. You can think of it just like your body's anti-virus system, like what you have in your body. And your body looks at something that it sees and says, have I seen this before? And if it has seen it before, it knows to attack it before it grows really big and kind of starts to get out of control, and then the body has to attack it after it's already really, you know, it's taken the beachhead, if you will use a military term. I've been watching a lot of World War Two movies lately, but it's taken that beachhead and now has control of the beach and is starting to get in further and it's very difficult to get out, versus it recognizes it almost right away as a nasty virus.
And goes ahead and end the Jackson. You know, you have more cells inside your body, inside your skin, there are more cells that are foreign to your body than there are body cells when you start counting all the bacteria and everything that's in your system and on your skin. It's just incredible. So our body relies on a lot of these things in order to keep us healthy. If we had no bacteria, you'd be in trouble. It's like, you know, if you go on antibiotics, which is an anti-bacterial, what does the doctor tell you to do? Well, you know, start eating yogurt and other things. Maybe take some kombucha or various other things in order to try and stay healthy. Get that good bacteria going in your gut again. Well, when your body is attacked by something that it hasn't seen before, that's what we would call in the computer world a zero-day virus: it has never been seen by your body, or in the case of a computer, it's never been seen by this signature-based antivirus software. So what the bad guys have been doing is they figured out that, yes, indeed, we are trying to block them. And they figured out that the majority of us are using these signature-based antivirus software packages. So they've designed the viruses and the malware to change itself every time. So no longer can the antivirus software just look for certain signatures. So for instance, if you were always attacked by blonde-haired, blue-eyed Norwegians, you might be cautious next time you see a blonde-haired, blue-eyed Norwegian approaching towards you, maybe with a baseball bat or whatever it is they might have in their hands, right? So you get worried about it. What's the old expression? Once burned, shame on you. Twice burned, shame on me. Right? So we learn, we respond based on how we've been attacked before. And so does the antivirus software. Now it can take them days or weeks, even months, to get a signature out and get it all dispersed.
You know, I'm talking about the old software, not the newest stuff, not the enterprise stuff we use for our business clients. But the stuff that you use as a consumer, and heaven forbid if you're a business and you're using stuff like Norton, Symantec, or McAfee or any of these other AVG antivirus software packages that are based on signatures, because they just don't work. So what happens is they change themselves constantly. So it might be a Norwegian, but they dyed their hair, they put on colored contact lenses, and they change their clothing. That's effectively what's happening with our computers nowadays. It may be that Viking that's approaching you, but you don't know it because it just doesn't look like it; they change everything about themselves, at least most everything, except the malicious intent and what they end up doing once they've got control of you. So WatchGuard is saying that this is a major change here. Now I'm going to quote directly from them. The big change is that more and more malware is becoming evasive. So the signature-based protection is no longer sufficient. There's nothing wrong with having it, because it will catch 50% to two-thirds of the traffic, but you definitely need something more. And that's why I've been recommending you guys do a few things. You can do the free stuff. If you are not a business, you can go to my favorite right now, OpenDNS, and sign up for an account. They have some paid stuff. I think it's $20 a month per computer for business to get the basic business service. It's free for a regular home user, but it does not allow you to do any customization. And then there are a few packages in between. OpenDNS, now we use a commercial version of it, an enterprise version called Umbrella. That's what they're calling it now, but it's the highest level where we can, you know, watch it and maintain it.
So that's step number one of what you need to do: get OpenDNS so that if you do get one of these pieces of nastiness like ransomware, and it tries to call home, it can't get the phone number, right. It can't call home because there's another phone number. And I think that's a very important thing to do. It's free if you're a home user. You might want to pay for the family plan, which would block certain scary sites and certain things you probably don't want your kids to see, pornography and other things. OpenDNS.com. And then the other thing to do, I had it in my big course this last year, and that was how to harden a Windows machine. It's rather involved. And I'll probably do a course early next year on this. But make sure you harden your machine. You're going to want to turn off stuff you don't need, you're going to want to make sure your firewall is set up properly to do the types of blocks that you need. You're going to want to make sure that you've got Microsoft's new malware software installed properly and running properly. So I'll have a course on this early next year that you can get. Because when you're talking about 50%, and I've seen numbers as low as 20% effectiveness with anti-virus software, you have to do something. Hey, if you're looking to buy some gifts, I'm going to be talking about some of them in today's show, including 5G, should you get that phone. You're listening to Craig Peterson on WGAN and online at CraigPeterson.com. Stick around. We'll be right back.
Craig Peterson: Hey, are you thinking about buying a mobile phone? We're going to talk about that right now. You're listening to Craig Peterson on WGAN and online at CraigPeterson.com. Now you've heard about 5G. You're probably using 4G LTE right now on your phone and maybe mobile devices, maybe your iPad or a tablet that you might have. Amazon has its Kindles.
They do not, by the way, have 4G LTE on them, at least for the most part. They're using some of the much older technology because, frankly, all they're doing is sending books, right? Which are pretty small. But it is that time of year that we're buying presents, and there are only a few days left here for that holiday season purchasing time. And we've got a lot of competition in the 5G world. So let's talk about what this is. And I'll give you some tips. But what is going on? 5G holds a lot of promise. Now I don't know if you remember, I remember how shocked I was at how fast 4G was. I bought a phone. And it had 4G LTE on it. It was an Android phone. And I vowed never again, for so many reasons. And you've heard them on the show here before, but I had bought an Android phone, and I didn't have 4G up where I lived. And I drove down. We were heading down, I think it was to Pennsylvania, to take one of the kids to camp. And I was going through a valley and I noticed, wait a minute, there's a big city right there. I got 4G, so I immediately went to speedtest.net and I ran the test to see just how fast 4G is. And I was just shocked. I was getting like 20 megabits a second, which was absolutely amazing. Because I've been using cell phones since they first came out. And you know, back in the day it was 14 for, right? Oh, cell phones so fast. And now just to see 20 megabits was absolutely mind-blowing. But there are some major limitations to the 4G LTE network that we are using today. And those limitations are speed, for one. And then the other thing is the number of devices that can be supported. And then the cost of the data and the data transfers. So 5G has been under development for quite a while. And this is not, we're not going to get into Huawei and how they stole all their technology. It really appears to be from our friends up at Nortel, and put the whole company out of business because of the spying that they did.
And thank goodness, finally, we've got a president who's trying to do something about it. But 5G's real promise for us right now is that we will get two things. We'll get a gigabit worth of data bandwidth, which means, by the way, that we may not even bother with Wi-Fi in our homes if you live in an area that has full 4G or 5G coverage, because it's just going to be just as fast as your cable is right now. Now the cable companies are probably going to try and compensate by lowering their prices and giving you faster and faster and faster internet. But for a lot of people, it's going to make economic sense because the cost isn't going to be high. And then the second thing that 5G is going to give us is the ability to have billions of devices connected to the 5G network. That means that everything from our cars, which really, the next generation of cars, self-driving cars, really do need 5G so they can talk to each other, so they can continually upload data to the cloud to let all of the routing computers know about local weather conditions and road and where the potholes are and everything. It's just, it's going to be amazing, right? On the one hand. On the other hand, well, there might be some data leakage that we might not want. So the cars are going to have it, but so is pretty much every device that you have. A couple of years ago, I talked about the new jacket, the new trucker jacket that Levi's had out. And that trucker jacket was designed specifically to connect to your phone and allow you to control your phone. So it had Bluetooth in it. You could touch these little wires that were embedded into the sleeve with your hand and use that to control your cell phone. You know, listen to music, and suddenly things are just kind of cool. So our clothes are going to have the internet in them. Our computers, of course, everything; you buy a laptop, it's going to have 5G built-in. You're not going to need to have an external device anymore.
The list goes on and on and on. Everything that's going to happen is going to be phenomenal. But it is not there yet. And Apple did not include 5G with the iPhone 11 this year; it will include it with the iPhone 12. That's coming out next year. And I saw a very, very good summary of what's probably going to be coming out of Apple in September next year. The guy that published it has been spot on with most everything that Apple was coming up with. And he's saying that they are going to be having 5G on the phone, and it would make a lot of sense. But right now you can put in orders for the Samsung Galaxy Note 10 Plus, the OnePlus 7T, and there are other phones that are claimed to have 5G. But listen, everybody, it is still too early to buy a 5G phone. That is really my big tip when it comes to 5G right now. These networks have not fully standardized, they are not running, none of them are running full 5G anywhere except in a couple of major cities. The biggest problem with building out the 5G networks is that they need to have basically what we've come to know as cell towers everywhere. I mean, everywhere. These are little micro things that are not big towers like we have right now, you know, those fake trees that you see that are actually cell towers. Now, these are going to be small boxes and they're going to be on pretty much every street corner in the big cities. They'll be on the sides of buildings. They'll be on the sides of people's houses. Cell companies are going to pay us to put these on our homes so that they can now provide 5G to us and to our neighbors. And then there are going to be people who will be upset because of the radiation, even though it's non-ionizing, and it's not known to cause any harm; people will be upset about it. But these things are going to be everywhere. And that's because, remember, I'm talking about one gigabit worth of bandwidth coming down to your device.
Well, you cannot do gigabit service on lower frequencies, so they have moved to higher frequencies. The old UHF TV channels are pretty much, I think they're all gone now throughout the country, and the FCC has bought back the bandwidth and has auctioned it off to all of these different companies that wanted to buy it. Everything is going to change, and with the high frequencies that they need in order to deliver these speeds, they now have a problem, and that is these higher frequencies do not penetrate glass. They don't penetrate walls very well at all. And they just don't penetrate metal at all, basically; it's really bad. So T-Mobile has announced nationwide 5G available as of last Friday. That is pretty darn cool. It's got a 600 megahertz 5G network which is going to cover most of the country. That is pretty impressive. But the trade-off is it's using low-band 5G, which means it is good at providing slightly boosted speeds inside buildings and is available in a lot more places than what competitors offer. AT&T and Verizon are offering the opposite. They have ultra-wideband networks right now: superfast speeds, but very, very small footprints, very small pockets, and you've got to be standing near one of these towers. This is kind of cool. T-Mobile is expecting with theirs, and this is actually PCMag, PC Magazine, you can expect a boost of about 15 megabits with their new 5G nationwide. And you might see 150 megabits if you have a new 5G phone, or 700 megabits if you have 4G LTE. So not huge right now, but just wait. Okay, wait until next summer, next fall, when things are really going to start happening. All right, stick around. We've got a lot to cover still. We're going to be talking about some guests who will talk about some of the big hacks of the year. What does it mean to us? What can we do? I'm going to give you some tips and some tricks: what not to do on your work computer, third-party security risks, and some lessons from the National Security Agency.
You're getting it right here from Craig Peterson on WGAN.

Craig Peterson: Hello, welcome back. Craig Peterson here on WGAN. We'll be enjoying the show today. We've got a lot to cover here. Awesome. Good news, some gift ideas. I've got a very cool article from Ars Technica about nine gift ideas for the tech enthusiasts in your life. And frankly, I am totally into this. It gave me a couple of ideas, in fact, of things that I'm going to be getting for people. So you might want to stick around and listen to that for the enthusiast in your life. And we're going to start right now with something that I think pretty much everyone's going to be interested in. If you are, you know, an employee, if you work at a company and you use computers, there are a couple of words of caution here in this segment. Now, first of all, the business computers are owned by the business. And that's kind of where this Bring Your Own Device thing has gotten everything a little bit fuzzy, you know. So if you are using your phone, for instance, your smartphone, and you're using it for work purposes, it's not the business's phone. So there's not a whole lot that they can say about your phone and how you use your phone. However, the business has an absolute right to its data, and can control, frankly, how you use your phone for the business data, right? Well, how about the computers that are actually owned by the company? What can you do legally? And what can't you do? What can the business tell you that you should do with it, and what can they not tell you to do? Well, the bottom line is it depends. It depends on the business and what their policies are. So overall, that's kind of the first place you should check: your employee handbook. Now, we've provided a lot of businesses with employee handbook sections on this, and you can certainly get them from your attorney, from your corporate attorney, or from HR if you're an employee there.
But if you're using a work-issued computer, and that includes a desktop computer, includes a laptop, it's going to include things like iPads, even phones, you've probably checked your personal email on that device. You might have stored some files on there. You might have used it for a number of different things. Now, in many cases, it's not a big deal as far as the company is concerned. You know, if you've got kids, you have a right to have a life outside the office. So for you to be able to send an email to the babysitter, or to make a few phone calls because the babysitter didn't show up or a kid is sick or whatever, most employers say that's absolutely fine. I personally would not work for an employer that said that's not fine. I think that's a very, very big deal, a very bad thing, but there are companies that are like that. But when you start to store your private files on the company's computer, or maybe the company's Dropbox or Google Drive, or you are maybe going down a rabbit hole, as you started with something on Quora or you started with something somewhere else, and all of a sudden, before you know it, it's an hour, two hours later, or, heaven forbid, you are going to Facebook or some of these other sites to poke around, then things change. Now, many of us use Messenger on Facebook in order to keep in contact with family and friends. So is it legit to have a Messenger window open? Is it legit to do that, right? Well, the bottom line is you probably shouldn't do any of this on a computer provided by your employer. You're not necessarily breaking the law, but you could get fired if it's against your company's policies. And also, you need to remember that employers can install software to monitor what you do on your work-issued laptop or desktop. Now, we do not monitor employees and what they're doing on a computer, except to watch for things that the employees might be doing that might harm the business directly.
In other words, if an employee's bringing in a file from home, we're going to check that file. If they're downloading something from the internet, we're going to check that download. We're going to check their emails; we're going to clean them up. We're going to stop the ransomware; we're going to stop the zero-day attacks that I talked about earlier, as well as all of the known types of vulnerabilities. But remember that not everybody is like us, right? We are not interested in getting involved in the business's workplace relations, a lawsuit that a business might want to bring against an employee, right? That's not what we do, although we've certainly been pulled into those before in the past. And you need to keep that in mind as an employee, because they can monitor what you do. They might put keyloggers on there to see what you're typing. They might have software that takes a random screenshot. We've done that before with workers that are doing a specific project. So we outsource something; it might be a graphic or it might be writing an article or something, and we're paying by the hour for that contractor to do the work. So as part of the agreement, we have software that sits on the computer and randomly takes screenshots, so we have an idea that yes, indeed, they are actually working on our stuff. And if it took them five hours and we expected it to take one hour, it's because they're slow, not because they were out wandering the internet and doing research on the party that's going to be coming up next week at the office or at their home, right? So be very careful about it. And the type of surveillance and security software that's installed on the company computer is usually based on two things: one, how large the company is and what kind of resources they have to dedicate to watching you, and two, what type of information you deal with in your role.
Now, almost all of our clients, in fact, now that I think of it, I think all of our clients are in what are called regulated industries. So if you're a car dealer, you're in a regulated industry, because you have payment card information, you have financing information, all kinds of personal information. So that has to be monitored, right? We have doctors' offices that have HIPAA requirements: again, personally identifiable information, healthcare information, Social Security numbers, phone numbers, email addresses. And under the new regulations that are coming out right now, January 1 in California, and Massachusetts, and in the European Union right now, and they are working on similar regulations on the federal level, even an email address is considered to be personally identifiable information. And the list goes on and on. If you have government contracts, we have clients that have DFARS or Defense Department requirements, or FINRA, which is for financial organizations, right? That's what we do. So all of these heavily regulated businesses need to have software that is going to detect that someone is trying to exfiltrate data and shut it down immediately. We need to know if employees are trying to steal information. And in many of these cases, we will work with the company if lawsuits ensue because of the regulation or because of other reasons out there. So if you're working with a company like this, which is frankly, in this day and age, every company, right? What employer does not have Social Security numbers of employees? How do you pay them if you don't have the Social Security numbers? Those are all falling under the regulations nowadays. And unfortunately, a lot of businesses don't pay attention to that. So a very small company, they're probably not doing this. But larger companies are definitely going to be doing this. And there's a great little quote here from Jesse Krembs.
He's an information security analyst at the New York Times, and he said: Without supporting evidence, at scale it's pretty rare that people are not doing heavy surveillance, and it tends to generate a lot of useless data, rope employees into liability issues, and generally make the team that monitors the surveillance systems miserable. In other words, you probably don't want to know. And that's the standard we take. We make sure that all of the regulations are complied with, but whether or not someone's sending an email to the babysitter or whatever, it's just not worth it. We're worried about espionage. Okay, so there you go. There are some tips for you on using a business computer at work. Stick around. We'll be right back. We've got some more stuff to talk about, including some major updates to the Google Chrome browser. Should you be using it anymore? We'll be right back.

Craig Peterson: Hello everybody, Craig Peterson here. Welcome back. You're listening, of course, on WGAN or online at CraigPeterson.com; you'll find me on pretty much every podcasting platform out there. And if you really enjoy the show, you know, one of the best ways to let me know is to share it. I love to see all of the people who are listening and getting feedback from everybody, so send me a note as well. But here's where you can go if you would like to give me a five-star review: just go to CraigPeterson.com/iTunes, and right there you can give me a five-star review on Apple. They're still kind of the 800-pound gorilla in this space. Rumor has it that the next release of iOS is going to have some major improvements to this whole podcasting stuff. Apple really kind of started it with the iPod, which is where it got the name from. I still have one of my original iPods kicking around. It was, frankly, my favorite device for listening to music. Anyhow, let's talk a little bit about some of the browser issues that are out there right now.
Many people are concerned about the web browsers they're using. We know we're being monitored. We know we're being watched right now by these big companies. Google makes its money by what? By selling our information. Facebook's the same way. Now Google is going to sell us advertising, and so is Facebook. And frankly, I would rather know about cars and see advertisements for cars when it is the time I'm looking to buy a car, right? And I'm never going to buy a Lada from Russia, right? So why would I want to see ads for that? So I am pro-monitoring in that space. Right. I, you know, you kind of go back and forth about that. You look at what President Obama's team did back when he was running for election the first time, where they grabbed all of Facebook's data about everyone, and then they used highly targeted advertising. And then you saw what happened eight years later with President Trump, and well, the Cambridge Analytica scandal, that was child's play compared to what President Obama's team did. But somehow President Obama's team didn't get in trouble for it, but President Trump's team certainly did, even though... well, let's not get into that right now. But the browsers that we're using are tracking us. And remember, again, this old adage, it's old now, right? It's relatively new, frankly. But if you do not pay for a service, the odds are you are the product. And Google certainly considers that, and so does Facebook, that you are the product. So when you're looking at browsers, what should you be using? The biggest browser out there right now, the one that any software developer is going to aim at, is the Google Chrome browser, because that's what most people use. It is really a great browser from a functionality standpoint. People are using Google's, of course, search engine, which has been very, very good here over the years. They've just done some wonderful things. And Google has added more and more features to their browser.
Now, people ask me constantly, what is it that I use? What is it that I recommend? Well, I can tell you that Craig recommends that you don't use the Chrome browser when you can avoid it. Now, I do use Chrome. When I am on a website and I'm trying to do something and one of these other browsers doesn't work quite right, I go over to Chrome, because it's not the worst thing in the world. It's not as though it has a direct backdoor into Russia, at least not that we're aware of, or into the CIA or the NSA. We know that Google doesn't like to cooperate with the US military in some of its research projects, but Google also loves to cooperate with China and has three artificial intelligence labs in China. So it's giving China our next generation of computing technology for free but won't share it with our government. Yeah. Well, anyway, I guess I do get kind of political sometimes on the show. Google's Chrome version 79 just came out with a new feature. Now, you know, when it comes to passwords, I highly recommend you use some software called 1Password. They have some free stuff; they have some paid offerings. And what 1Password does is it keeps all of your passwords, keeps them secure. You only have to remember one password, which is, frankly, a huge win. And it's great in the business environment, where you can set up vaults of passwords so that, you know, HR can have their own vault, and the software development teams can all have their own vaults, and you can have your own personal vault, and it'll create passwords for you that are highly secure, that conform to the requirements for different websites, and you can share them within vaults. There are just all kinds of wonderful things that you can do using 1Password. And then, if you've been around a while, a couple of years ago, you know, I offered a service that we were doing internally.
We did this for free for over 1,000 people: we checked their email addresses (not their passwords) to see if their email addresses and passwords were out on the dark web. And, you know, we checked at least monthly and generated reports for people. And that might be something we decide to do in the future. Well, there is a huge database out there that we've talked about on the show before, and Google has now adopted it in its Chrome browser. So Chrome 79 has what they're calling a password checkup extension. So that was how it all started. It was for desktop versions of Chrome, and it audited your passwords when you entered them and took a look at them to see if those passwords were known to have been breached. Now, it's not necessarily that your account was breached, although it might have been; it's the password itself. Here's why they looked at the password itself. What the bad guys are doing nowadays is they are comparing your password against millions, hundreds of millions, in fact billions of known passwords that people have used. And they start with the most common passwords and then work their way out from there. So if you're using a password that has been known to have been breached in the past, it isn't something you should use. So I thought that was great. They had this password checkup extension. So now what they've done is they've integrated into every Google account an on-demand audit that you can run on all of your saved passwords. And in version 79, Google has a password checkup integrated into both the desktop and mobile versions of Chrome. So what will happen now is that if you are using Chrome to save your passwords, which I do not do as a rule, except for a few accounts I don't really care about, because again, I'm using 1Password to keep my passwords and keep them all straight, it is built in now.
And anytime you enter in a password, it's going to check to see if that password has been breached anywhere online. Google is calling this private set intersection, which means you don't get to see Google's list of bad credentials, and Google doesn't get to learn your credentials, but the two can be compared for matches. Basically what it's doing is it's doing mild encryption on your password and comparing it against this known set of passwords. So it's very, very good to do. 1Password has this feature built in already; 1Password will warn you if a website that you're going to has been known to have been compromised. And Google's figuring here that since it has a big encrypted database of all your passwords, it might as well compare them against this 4 billion-strong public list of compromised usernames and passwords. They've been exposed in all kinds of security breaches over the years. And a little later on today, we're going to talk about the top half dozen or so big security breaches, what caused them, and then you might want to pay attention to see if your information was exposed. But the main reason I like to talk about this stuff is so that you can look at your position, you know, at home or at work, and ask yourself, hey, listen, is this breach something that would have worked against us, right? I think it's very, very good. So here we go. I'm not going to get into any details here on what exactly Google is doing and how they're doing it. If you are a Chrome fan, you might want to use it. So let's talk about what the alternatives to Chrome are. Opera is a big one. And I have heard rumors about the Opera browser, which is kind of my primary browser; I have another one I'll tell you about in just a second, but Opera is very fast. It's designed to be secure. It also blocks a lot of spyware out there. Very good. But the rumors are that it is now in the hands of the Chinese government, which apparently owns it.
I'm not sure that's entirely true. But, you know, it's up to you whether you want to take any risks. I'll tell you also about an extension I use in all of my browsers, which makes it much more secure, much safer for me. We'll probably have to wait until after the top of the hour to get into that, but I'll tell you about that. So what do I use the most? And what do I trust the most? Well, Netscape, the Netscape browser. Mozilla is the next one that I use; Opera is number one, at least for the time being. I use Firefox as well. Both of them do a lot of blocking; oh, they have a lot of privacy enhancements. Those are the two I use the most. And then I also use Apple Safari. Apple, again, is not selling your information as Google does, so it's considered to be a little bit safer. So far, we haven't known Apple to really leak information. They've been relatively safe; they certainly aren't selling it to anyone. And that's what I use. And then, if I have to, I'll fall back to Google. Now, if I wanted to be extra safe online, there is another browser out there that I do like, and it's called Epic, E-P-I-C, the Epic browser. And it is actually based on Google's Chrome browser underneath the hood, just as Microsoft's browser is based on Google's Chrome browser. And Google's is actually based on a fork of Apple's Safari browser, which is kind of interesting. They all share code nowadays. But the Epic browser is the browser if you absolutely want to keep your data safe. It even has a built-in privacy VPN. So check it out as well. When we come back, I'll give you a little clue here, a couple of tips on what you can do to keep every browser just a little bit safer. We'll get into some gift ideas and more. So stick around. You're listening to Craig Peterson on WGAN and online at CraigPeterson.com. Stick around. We'll be right back.

Craig Peterson: Hello, everybody, Craig Peterson here. Welcome back. You're listening to me on WGAN and online at CraigPeterson.com.
Hey, if you are a new listener, I just want to let you know a little bit about my background. I've been helping to develop the internet; in fact, I was just called a pioneer the other day, which is kind of interesting to think about. But yes, indeed, I designed and made some of the very first routers and some of the very first firewalls and load balancers and stuff back in the day. Let me tell you, back in the day we had to write these things from scratch because they just didn't exist as commercial products. And, you know, there are a lot of products I could have sold over the years, but I just wasn't that kind of guy. Anyhow, so now I do a lot of cybersecurity for businesses, government agencies, most particularly, really, for anybody in a regulated business, which today, in this day and age, means any business, because we are all regulated, as I talked about in the last segment. Well, we have some gift ideas. And let me just start with one here. And then we'll get into some more articles from this week. We're going to be talking about the NSA here and what their top recommendation is for businesses. But you know, I am a techie guy, and I love tech and tech gifts, and it's all just a pretty darn cool thing when you get right down to it. I just love playing with this stuff, I guess that's the way to put it, and using it and making my life a little easier and faster, more efficient, effective, etc. But I want to talk about the high-end tech gifts that you might want to give, and you might want to give for yourself. In fact, that's exactly what I'm doing with one of these this year. Well, if you have somebody who's a gaming enthusiast, there are so many things out there that you can get for them. There's this one particular mouse that is very highly rated for gamers. It's called the Razer Viper. It has some very, very fast maneuverability stuff built in.
Because, of course, when you're playing some of these interactive video games, you need to be able to move very quickly. So anyhow, we'll leave it at that, because I am not a game type person. I used to play some games way back when you're in a dungeon with twisty mazes, remember, right, how things started. But let's get into this now. This is one of the things I think would be a great gift for almost anyone. It's great for a computer that has USB-C, which is the newest version of the USB cable. It is what the new MacBooks come with; the new Macs do as well. It's the next generation of the high-speed stuff that the last generation of Macs had. But it also works with a regular USB cable; it has a little adapter that you can use with it. It's called the SanDisk Extreme Portable SSD. This thing is very, very nice. It's a good option for data you need to have with you wherever you go. It's surprisingly small. It is rated for extremely high shock; it's like 500 G's or something crazy like that. And it will withstand water and dust as well as vibration. You can drop it from six feet in the air without suffering any damage at all. This thing is amazing. And right now it is half price over on Amazon. Just look it up there. SanDisk is the name of the company, S-A-N-D-I-S-K; it's their Extreme Portable SSD. It fits in the palm of your hand. You're going to love this. It's available in 250 gig, 500 gig, one terabyte, and two terabytes. Now, I would not get the 250 gig, not that it's too small, but for an extra $10 you double your space up to 500 gig. Now, when you go up to the one terabyte, which again is twice the space, it's twice the cost. So for the one terabyte and two terabyte options you're going to have to ask yourself what makes sense. But this thing is so fast. What I love this for is to have different virtual machines on it. It's the one I use when I am doing a demo or when I need to do a client-side install.
I can have every version of Windows I might need to use, macOS, all the different versions of that, a few versions of Linux, all right there on the drive. It's very, very convenient. And very, very fast. You're going to love this thing. In fact, that's one of the fastest portable storage solutions that has ever been tested. It's kind of similar, you know, you can get the Samsung T5 SSD; they have very good SSDs. Okay, don't get me wrong here. The Samsung T5 is more affordable, but the SanDisk Extreme SSD is better. Now, I've got to tell you that the cost right now on Amazon for this portable drive, there are no moving parts in it, as I said it fits in the palm of your hand, the cost on that is lower on Amazon right now, it's half price, is lower than I can buy it from my distributors at. So just to give you an idea of what a great value that is. Coming up, we're going to talk about, I think, the coolest gift you can give to somebody that is truly a hobbyist in the computer world. You're going to love it. And then if you are that person when you go to someone's house for Hanukkah, Thanksgiving, Christmas, birthdays, whatever it is, and they say, hey, Craig, come over here for a second, my computer's not working right, can you have a look at it, we'll tell you about the best gift for somebody like that, and maybe something you need to get for yourself as well. So I'm going to talk right now about some of the biggest security breaches. We'll go over one, and then we'll get to some others a little later on in this, our last hour. And by the way, if you want to listen to the whole show, my podcast and everything, you can just go to CraigPeterson.com/iTunes or /TuneIn if you'd like to listen to it on TuneIn, or /pretty much anything. Well, actually, if you type in /pretty much everything, you'll get an error page, right?
But you'll find me, Craig Peterson, on most of the major podcast sites that are out there by just going to CraigPeterson.com/ whatever it is, like /iHeart or /SoundCloud or /TuneIn, etc., etc. Well, data aggregators are big targets that are out there, and who is a data aggregator? Well, let me tell you about what happened when I was at a wedding last week. I was staying with my sister-in-law, my wife and I, and when we got home there was a card in the door from an insurance company, maybe like Allstate or something, and it asked for one of my sisters-in-law, who had been living in that house, to call. So we thought, okay, well, it's just a hoax thing, you know, they're trying to sell some insurance or something. So we just ignored that; in fact, I think we just threw the card in the trash. Well, the next night, we were sitting there at home and there's a knock at the door. And it's the same insurance agent. And she wants to talk to my deceased sister-in-law. And we get into this a little bit more, talking and talking to her, trying to figure out what, why, what's going on. It turns out that someone was involved in a fatal car accident, and that person gave my deceased sister-in-law's identity as her own. Yes, indeed, the dead are quite frequently, in fact, victims of identity theft. Now, we know about the dead voting, right, particularly in Chicago, but in other places around the country too. Well, in this case, apparently, according to the report, she had been involved in a fatal car wreck about six months after she had died, and someone was dead. Obviously, this was a case of mistaken identity, but the insurance lady who's at the door, and she's obviously some sort of an investigator, used one of these skip trace databases, in case you're not familiar with those.
These are databases that are put together by data aggregators, and data aggregators are these companies that suck up data from every public source they possibly can, and even some paid sources. And it includes records from credit card companies, and you name it; they pull it all together, they try and make heads or tails of it. So she had this report from a data aggregator, and it listed my long-deceased father-in-law's name as part of this, and a couple of my kids that had at one point stayed for a visit with their grandmother for a few months while going to school, etc., and it included my wife's name, my name; it just kind of went on and on. They got a lot of data wrong. And that's what I find typically: 25 to 50%, sometimes even more, of the data they have is incorrect. But enough of it was correct that she could kind of start piecing things together. And she was able to figure out that this was insurance fraud. Well, these data aggregators have massive databases, as, frankly, you might imagine. And they have these databases online. Yeah, you know where I'm going. This was a MongoDB database, which is what's called NoSQL. It's an unformatted database. It's perfect for these data aggregators, and a company called verifications.io, which provided email verification services, had a MongoDB database containing over 800 million records publicly accessible to anyone in the world with an internet connection. And they had four sets of data. They had email addresses, dates of birth, phone numbers, physical addresses, employer information, IP addresses, business leads, and other information. Not everything was sensitive. So when we get back, we'll talk about what lessons should be learned, what you can pick up from this, a couple of tips for you.
If you are a business person of any sort, or if you have data that might be in one of these databases, we'll talk about this big verifications.io MongoDB breach from this year and some more gift ideas. You're listening to Craig Peterson online and here on WGAN terrestrial radio.

Craig Peterson: Hello everybody, Craig Peterson back here on WGAN and online at CraigPeterson.com. If you enjoy my show, by all means, make sure you subscribe to the podcast. Pretty much everything that I do goes up there: my Wednesday mornings with Matt and Ken during their drive time show Wednesday morning, that goes up there; other appearances go up there; the whole radio show goes up there as well. CraigPeterson.com/iTunes, and do leave me a review if you wouldn't mind. You know, those five-star reviews help get the message out. And we just passed another hundred thousand downloads, which is kind of cool. I appreciate it, every one of you guys, for listening. We try and get as much information as we can. So let's get back to our... Well, actually, you know, there's something I forgot to button up from the last hour. Let's get to that. And then we'll get to some gifts and some more risks and what the NSA is saying right now. I had been talking earlier in the show about web browsers, and which browsers you should be using, which ones I recommend. If you missed all of that, again, you will find it at CraigPeterson.com/iTunes; you can listen to the whole thing right there. But I was talking a little bit about a plugin that I use. This is a plugin that works with pretty much any browser out there and works differently than any plugin that you might have been familiar with before. This is from the Electronic Frontier Foundation. Now, I've had my disagreements with them in the past. Overall, I agree with a lot of what they're doing. But this is a plugin that goes into Chrome, Opera, or Firefox, or pretty much anything, that is called Privacy Badger.
So think about badgers, if you know these things. You'll find them a lot over in England, but they're over here too. They burrow underneath hedges and they like to live in the ground. And they are mean; they will fight anything way bigger than they are. They don't care. They're going to win because they go all in. Well, that's what this is all about, Privacy Badger. So I am on a website. Right now I'm looking at my browser and the Privacy Badger plugin, and it's got a nine on it right now. So what that means is that Privacy Badger detected nine potential trackers on this web page that I'm on right now. And it has sliders for them up there, and it says you shouldn't need to adjust the sliders unless something is broken. So what Privacy Badger does is it watches you as you go to different websites. It looks at the cookies that are placed on your browser from these websites and determines, hey, wait a minute, now this is a cross-site tracker; this is another type of tracker that we probably don't want to have. So it's showing them all to me. So here we go. Here's what I have right now on this website that I'm on. And the website is Otter. In case you don't use Otter, it is a phenomenal transcription service, very inexpensive, 600 minutes for free every month, otter.ai. But it turns out Otter is using some trackers. So the first tracker it's showing me that Privacy Badger blocked is graph.facebook.com. So this is Facebook gathering data about me, what I do, where I go. The next one is marked yellow, which is... it has three different indications here on the slider. One is it blocks it entirely, the next one is that it could block cookies, and then the far right one is to allow a domain to do it. So graph.facebook.com was blocked automatically; static.facebook.com was allowed; the regular facebook.com was allowed; Google Analytics completely blocked; apis.google.com was allowed; Stripe checkout was allowed, Stripe is a payment service.
JavaScript on stripe.com was allowed, and stripe.network... usually m dot means it's a mobile site, so that was blocked, and q dot stripe.com was allowed, but those are tagged. All of the ones I mentioned that were tagged are considered to be caution level. So adding Privacy Badger as a plugin to any of your browsers basically is going to stop sites from tracking you, and it does a very good job. It learns as you go. It is not something that is prefixed with "I'm going to block this site or that site." It is absolutely dynamic. I really, really like it. So check that out. This is kind of a flashback, as I said, to an earlier segment where I was talking about which browser to use, what the considerations are. And this will work with any of them out there. So just do a search for Privacy Badger; it should come up near the top of your DuckDuckGo search. And it's by the Electronic Frontier Foundation, EFF. Check it out online. Okay, so now let's get into gifts again. I mentioned my top gift recommendation in the last segment. This one is for total geeks. Now we are using this for actually keeping timing, tracking. It's called Raspberry Pi. So we have a special card that goes along with this that has a GPS antenna attached to it and GPS readers, so that we can track the satellites in the sky. We use the timing that they provide us with. We do some advertising, so one of the things we do for our clients is we have to track their logs and keep real detailed records on their logs. We need to know exactly when did something happen, so that if, after the fact, heaven forbid, someone gets in, some piece of malware gets in, when did it come in? Where did it go? What did it do, right? Because you want to be able to know after the fact, well, what did it get access to? Unlike so many of these companies that have no idea what they lost.
In fact, most businesses don't even know until six months later that they were even hacked, versus what the best in the biz are doing right now, which is about six hours, not just to detection but to remediation, which is where we sit, well, usually within that six-hour time frame. Well, this is called a Raspberry Pi. And they've got the newest version, the Raspberry Pi 4. This is a small Linux computer. So if anybody that you know likes to hack together science projects or, you know, do a little bit of experimenting, this is phenomenal, absolutely phenomenal. You can turn it into a retro game console; it'll play a lot of these old video games. A smart speaker, that's a DIY thing. You can build it into your Legos to make a real fancy remote-controlled car. Anything your hobbyist mind comes up with. This is phenomenal. You can, for less than 100 bucks, you can get a complete kit. Okay? The Raspberry Pi 4 is a lot faster than the older Raspberry Pi 3 Model B+: faster CPU, you can put up to four gigs of RAM in this thing. It has a phenomenal USB 3.0 port. So if you are, or you know somebody that's, really into DIY hobbies, this is the way to go. Okay? The Raspberry Pi 4 does get closer to your general and genuine desktop PC performance. But it's not really there yet. It's not one running Windows; it does run Linux, as I mentioned. And you can write basic programs for it in a programming language, Python. If you have a kid that wants to learn Python, this might be a nice way for them to learn because they can kind of hack it together, but it's just, it's basically just a motherboard. You're gonna have to put it in a case, buy a case for it; you're gonna have to put a keyboard on it, a mouse; you have to put a display on it, okay, all kinds of stuff. But you can get just the basic Raspberry Pi 4, for someone that really, really is a total hacker here, for like 40, 50 bucks. It's absolutely amazing. Okay, plenty of power for your money. Very versatile.
In fact, it's more versatile in many ways than your Windows PC is. And for the budding engineer in your life, they will love you for it. So stick around; we're going to come back. I've got some more ideas for tech gifts that you might like. And we're going to talk about a couple more big hacks this year, and what it means to you. We've got third-party security risks, the NSA has some advice for business, and we'll tell you about that too when we get back. You're listening to Craig Peterson right here on WGAN and online at CraigPeterson.com. That's Peterson with an O. Stick around because we'll be right back. Craig Peterson: Hello, everybody, welcome back, Craig Peterson here on WGAN. And we're talking about stuff we usually talk about, you know, some of the security things, some of the latest technology that's out there. We're also doing a bit of a recap here, some great gift ideas for the techie people in your life, even frankly some of the non-techie people. And the security side, which is, I think, very important; can't talk enough about that. Because it could destroy your company, it could ruin that, frankly, the rest of your life could be a bit of misery, depending on what the bad guys do to you. Oh, it's absolutely crazy. I told the story a little earlier of what happened with my deceased sister-in-law's identity, and how it was used in a fatal car accident, and it's just, it's amazing what some of these people are doing nowadays. And by the way, one of the most valuable segments of our population: we all know already about the retired people, the older people, right, who might be a little confused, hopefully have some assets. But one of the most valuable identities out there online is that of a child, because their social security number and their identity are going to be very useful for at least a decade, if not longer, because those kids are probably not going to use it until they get their first job. So keep that in mind as well.
Well, I want to get into these two things before the last half hour, so we'll cover these fairly quickly. But the big one, and that is waking up to third-party security risks. Now one of the big attacks this year was Capital One, and that's on my list of the ones I wanted to talk about today. They had personal information belonging to overall 100 million US individuals and 6 million Canadian residents. Now, this was exposed when a former employee at Amazon Web Services inappropriately accessed the data. We could get into all of the real details behind this, but the compromised information included names, addresses, dates of birth, credit scores, payment history, contact information, and other information on people who had applied for a Capital One credit card dating back to 2005. Also exposed were the social security numbers of 140,000 individuals and bank account data belonging to 80,000 secured credit card customers. So think about this for a little minute here. How many of us are using a service like Amazon Web Services? How many of us are relying on cloud services to keep our information safe? Right? Frankly, that's most of us, isn't it? And when you're talking about somebody like Amazon Web Services, or now there's Microsoft Azure, those are kind of the two really big players. IBM also has its cloud online that they sell access to. Most businesses look at it as a way to save money. Most businesses consider, hey, I don't need to keep track of the security, because my vendor is keeping track of it for me. And what we found out is, that's not true. So the lessons learned here, we'll start with that here from Capital One, is that cloud service may be attractive because it's cheaper than doing it yourself. And that's particularly true, frankly, throughout the whole range, but it's particularly true for large businesses, but even for small businesses: can you really afford the right kind of server?
Now I know a lot of small businesses go to the local Staples store and buy a computer and call it a server, right? And maybe $800,000 later, they're out of there. Whereas a real server that's going to be really reliable is going to last years; you should be looking at more like 15 to $20,000 for it. So businesses say, well, I'll just do it in the cloud. I'll use Amazon Web Services for this, and we'll hire a consultant who's going to help us set it up. And we're going to use maybe Dropbox for that and maybe Office 365 for this, and now all of a sudden I'm safe. Well, you're not. And companies, you guys are putting your data at risk, because you haven't adopted a security infrastructure with the vigor that you need to apply. It should be at least as good as what you're using for your on-premise stuff. But you know what, so many SMEs aren't even doing it right for on-premise stuff. Okay? So you're ending up with all of the financial cost of the penalties that you rack up, and the lawsuits and the cost of those lawsuits, which will vastly outweigh any IT savings that you might have down the road. So keep that in mind. And that's what Capital One just learned this year. Why? Because we're not taking third-party security risk to heart. Ponemon Institute did a study here in 2018 that found 60% of customers surveyed had suffered a data breach caused by third parties or vendors in the last 12 months. So what's causing it? Well, these applications are being built very differently than they were a decade ago. They are online. They're using APIs. And they are not considering the security risks. So all services are connecting internally and externally via these APIs; popular finance websites load in your browser, mobile apps, you can see the results. Dozens of third-party services, okay, web apps, middleware, other code. This is a real problem. So, protect your own infrastructure, step number one. Step number two, demand that the others protect their infrastructure, okay.
And trust, yet verify. What we do is we wrap special security software around all of these third-party infrastructure, Software-as-a-Service sites that are out there, okay. So be very, very careful, and you have to test even more for third-party sites, and you know, businesses just aren't testing as much as they should. So there you go. There's a couple of tips here, three tips on what to do when you are talking about third-party security risk, and that is with all of these guys, okay. Number one, make sure your infrastructure is protected, that you have the right kinds of firewalls and you have the right kind of malware treatment that's in place. All the other security controls, make sure they're configured right. If you're using something like Amazon Web Services, or Azure, or Office 365, make sure you have the right settings. You know, it's difficult, I get it. Microsoft has over 10,000 SKUs, 10,000 products that are available, and they're all software and services. There are dozens and dozens just for Office 365-based systems. So make sure you have the right stuff. Make sure that they have proper compliance and certifications. And remember too that the certifications they have just represent a point in time. Do they still have the right kind of security? And because we are running our technology in this new type of infrastructure, make sure, frankly, that we keep track of everything, because a breach can happen quickly and do millions of dollars of damage right away. And 20% of businesses will file for bankruptcy the very next day. All right, well, let's talk about another gift here real quick before we go to a quick break. And this is for those of us that, we go to a family event, and we go anywhere, and it's "Craig, come over here for a minute, I need some help," and you go over there and of course it's questions and problems about their computers. So here's what I recommend. Get that person in your life, if they're fixing the computer for you: iFixit.
Great site. Go online to find out how to fix physical problems. But they have something called the iFixit Pro Tech Toolkit. I have one of these, my kids have one of these, my technicians in my business have one of these. It's a 64-bit driver set that has all these weird types of sockets and everything on them. Because of these parts and the computers that have the special locking screws and everything else, you need this, okay, the iFixit Pro Tech Toolkit. Stick around. We'll be back with a wrap-up for today's show. And we'll talk a little bit more about some gifts right here. You're listening to Craig Peterson on WGAN, and of course online at CraigPeterson.com. Stick around because we'll be right back. Craig Peterson: Hello everybody, Craig Peterson here, WGAN and online at, of course, CraigPeterson.com. Hope you've enjoyed the show today. We have covered a lot of different things: we talked about third-party security risks for businesses, which web browser you should be using if you want to keep safe, and some of the updates that Chrome has from Google that'll keep you safer online. What not to do on your work computer. Why it's still too early to buy a 5G phone, and signature antivirus and how it is at best catching 50% of the malware out there. It's getting really, really bad. And we've talked a little bit about some of the top breaches this year, and there are some pretty scary ones out there. But how does it apply to you? And how does it apply to your business as well? And we got one more that was brought up on the website at CraigPeterson.com; you can see all of these up there, a little bit of my commentary and links to other articles online. But this is about the NSA, and what the NSA, the National Security Agency, is saying that we should be doing as businesses, but this applies 100% as well to you as an individual. And the basics are to focus on your assets. And this is a very, very big deal. W
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, talks with Tonya Hall about the various technologies that could be keeping organizations from reaching their cybersecurity goals.
The SecureWorld Sessions is a new cybersecurity podcast that gives you access to people and ideas that impact your career and help you secure your organization. Our featured interview is with Dr. Larry Ponemon, Founder and Chairman of the Ponemon Institute, which does IT and cybersecurity research around the globe. Topics include: AI in security, cost of a data breach, burnout, insider threat, security awareness, and code breaking! LINKS: • Ponemon Institute: https://www.ponemon.org • Free training - SecureWorld web conferences: https://www.secureworldexpo.com/resources?cat=web-conferences • Trend Micro research on the Risks of Open Banking: http://bit.ly/TM_OpenBanking • SecureWorld conference calendar: https://www.secureworldexpo.com/events
For the third consecutive year, small and medium-sized businesses (SMBs) have reported a significant increase in targeted cybersecurity breaches. A newly released global survey found that attacks against U.S., U.K., and European companies are growing in both frequency and sophistication. Further, nearly half (45%) of the 2,000 respondents described their organization's IT posture as ineffective, with 39% reporting they have no incident response plan in place. The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report underscores growing cybersecurity concerns, best illustrated through the year-over-year trends dating back to 2016. The survey, commissioned by Keeper Security, measured responses from 2,391 IT and IT security practitioners in the U.S., U.K., DACH, Benelux, and Scandinavia. "Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs," said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. "More businesses are experiencing highly-targeted, sophisticated, and severe cyberattacks than ever before, yet the results of our study show they aren't doing enough to close the gap," said Darren Guccione, CEO and co-founder of Keeper Security. "We sponsor this annual research with Ponemon because we want SMBs to understand that no target is too small for cybercriminals, and it's not enough to simply be aware of the cyber threats that exist. It's critical that these businesses take the next step toward cybersecurity preparedness and get a strong prevention strategy in place." Continue the conversation with Neil Hughes, Darren Guccione, and Larry Ponemon for an informative webinar where you'll learn about the biggest threats to SMEs in EMEA and the three easy actions you can take to protect your company. US (Oct. 30) - https://www.keeper.io/2019-ponemon-webinar-us UK & Europe (Oct. 31) - https://www.keeper.io/2019-ponemon-webinar-emea
092617 Mike Fitzpatrick, Founder & CEO NCX Group Security, Distinguished Fellow Ponemon Institute, & Keynote Speaker
The Total Tutor Neil Haley will interview Tom Kemp, Centrify CEO. About Tom Kemp: Tom Kemp is co-founder and CEO at Centrify. Under his leadership, the company has become one of the fastest growing security vendors in the industry with over 5,000 customers, including more than half of the Fortune 50. Prior to Centrify, Kemp held various executive, technical and marketing roles at NetIQ Corporation, Compuware Corporation, EcoSystems Software, and Oracle Corporation. Mr. Kemp was also an Entrepreneur in Residence at leading venture capital firm Mayfield. He holds a Bachelor of Science degree in Computer Science and History from the University of Michigan. Centrify redefines security from a legacy static perimeter-based approach to protecting millions of scattered connections in a boundaryless hybrid enterprise. As the only industry-recognized leader in both Privileged Identity Management and Identity-as-a-Service, Centrify provides a single platform to secure each user's access to apps and infrastructure through the power of identity services. This is Next Dimension Security in the Age of Access. Centrify is enabling over 5,000 customers, including over half the Fortune 50, to defend their organizations. The Ponemon study surveyed 448 individuals in IT operations and information security, 334 senior level marketing professionals and 549 consumers. The Security Effectiveness Score (SES) is determined by utilizing the Ponemon Institute's proprietary benchmark database, which consists of 2,012 separate data breach cases occurring over the past 12 years. The SES is derived from the rating of numerous security features or practices. This method has been validated from more than 50 independent studies conducted for more than a decade.
Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars, 15 percent more than what it cost last year. Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions. Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty do the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers. As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of a breach significantly. Other measures include having a CISO in charge and involving the company's business continuity management team in dealing with the breach. In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly.
In this year's study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy. An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance. Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same, and companies estimate they will be dealing with an average of 10 such incidents each month. When asked about the level of investment in their organizations' security strategy and mission, on average respondents would like to see it doubled from what they think will be spent, an average of $7 million, to what they would like to spend, an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company. About the speaker: Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy, data protection and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Security Magazine has named Dr. Ponemon as one of the "Most Influential People for Security."
Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws. He serves as chairman of the Government Policy Advisory Committee and co-chair of the Internet Task Force for the Council of American Survey and Research Organizations (CASRO). Dr. Ponemon was a senior partner of PricewaterhouseCoopers, where he founded the firm's global compliance risk management group. Prior to joining Price Waterhouse as a partner, Dr. Ponemon served as the National Director of Business Ethics Services for KPMG Peat Marwick, and was appointed Executive Director of the KPMG Business Ethics Institute. Dr. Ponemon has held chaired (tenured) faculty positions and published numerous articles and learned books. He has presented hundreds of keynote speeches or learned presentations at national or international conferences on privacy, data protection, information security, corporate governance, and responsible information management. Dr. Ponemon is an active member of the International Association of Privacy Professionals, serving as a founding member of the Certified Information Privacy Professional (CIPP) Advisory Board. Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelor's with Highest Distinction from the University of Arizona, Tucson, Arizona. He is a Certified Public Accountant and a Certified Information Privacy Professional.
About the speaker: As a security strategist and philosopher serving in the IT Security space, Joshua Corman's cross-domain research highlights adversaries, game theory and motivational structures. A passionate advocate who "fights for the user" and the oft-neglected public good, Corman's research has shifted toward the rise of hacktivism, internet governance, cyber-conflict, and the growing tensions between technology and civil liberties. Prior to joining Sonatype, Corman was the Director of Security Intelligence at Akamai Technologies. He is also the former Research Director of the 451 Group. He co-founded Rugged Software and IamTheCavalry, was named a Top Influencer of IT in NetworkWorld and serves as a Fellow with the Ponemon Institute. Corman received his bachelor's degree in philosophy, graduating summa cum laude, from the University of New Hampshire.