Avast blog: Enhancing threat intelligence using STIX and TAXII standards

For many years, cybersecurity companies have invested in sensor networks and detection capabilities to gain a greater understanding of adversaries’ tactics, their ever-changing techniques, and the threats they pose to the world’s internet community.

One of the critical foundations of protecting every use of the internet is for defenders to understand what malicious activity looks like and how to stop it. To gain that insight, security companies must not only understand their own data but also learn from, and share with, others doing the same. That is where common formats for describing and exchanging threat data come in.

In my latest blog post for Avast, I take a closer look at two threat data sharing standards, STIX and TAXII.
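As an added illustration of what one of those standards actually looks like on the wire (this is example code written for this digest, not code from the Avast post or from OASIS), the following builds a STIX 2.1 Indicator object carrying a STIX pattern, wraps it in a Bundle, and checks the properties the specification marks as required. It uses only the Python standard library; the C2 domain in the sample is a constructed placeholder, not a real indicator. TAXII would be the transport used to push or pull a bundle like this between trust groups.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifiers are "<type>--<UUIDv4>"; timestamps are RFC 3339 in UTC
# with millisecond precision and a trailing "Z".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

# Properties an Indicator SDO must carry under STIX 2.1.
INDICATOR_REQUIRED = (
    "type", "spec_version", "id", "created", "modified",
    "pattern", "pattern_type", "valid_from",
)


def stix_timestamp(dt):
    """Format a timezone-aware datetime the way STIX 2.1 requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(pattern, name, created):
    """Build a STIX 2.1 Indicator for a STIX pattern such as [domain-name:value = '...']."""
    ts = stix_timestamp(created)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit TAXII servers exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object passes these checks."""
    problems = []
    for key in INDICATOR_REQUIRED:
        if key not in obj:
            problems.append(f"missing required property: {key}")
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    id_ = obj.get("id", "")
    if not STIX_ID_RE.match(id_) or not id_.startswith("indicator--"):
        problems.append(f"malformed id: {id_!r}")
    # A STIX pattern is one or more bracketed comparison expressions.
    if obj.get("pattern_type") == "stix" and not re.match(r"^\[.+\]$", obj.get("pattern", "")):
        problems.append("stix pattern must be enclosed in square brackets")
    return problems


def bundle_to_json(bundle):
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    # Constructed sample: a C2 domain our own sensors supposedly saw (not a real indicator).
    ind = make_indicator(
        pattern="[domain-name:value = 'updates.example.invalid']",
        name="Constructed example C2 domain",
        created=datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc),
    )
    assert validate_indicator(ind) == []
    print(bundle_to_json(make_bundle([ind])))
```

The validator only covers the structural rules a receiving side should enforce before trusting a feed; it does not parse the pattern grammar itself, which is what a full STIX library does.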

It is 2021. Stop running your IT like it is 2019.

I had a moment to catch up with a friend of mine, Adam, who is an IT director for a DC-based global trade association. Adam and I go way back — so far back that I was present when we turned off a small IBM mainframe in favor of a Novell LAN back in 1995. Those were the days: that machine had 16 MB RAM and 7.5 GB of disk. My watch has more than that.

Adam has been working remotely for the past 18 months, and in that time also had to manage moving his office to a new location and plan for the eventual return to the new place.

He told me that “working in the office is so 2019, it is time to start thinking of the future and assume that many people won’t be in their offices full-time. Why do you have to use a domain controller and a VPN when you should be preparing for a virtual environment, whether or not you actually need one?” Good questions.

He used the pandemic as an opportunity to throw some gas on technology changes that he wanted to make happen. “Only instead of taking five years, we managed to do this in a little over a year. The pandemic was a great accelerant to adopting new cloud-based technologies.”

His core IT stack is Microsoft-based, including five critical technologies: Teams, Azure AD, Defender ATP, Intune and Autopilot.

Early on, the focus was on Teams chat and video conferencing, as well as migrating an old-fashioned file server to Teams/SharePoint. Before the pandemic, Adam was begging staff to abandon audio conferencing and switch to Teams for internal and external scheduled calls. Then in March 2020 the association had its first remote all-hands meeting via Teams. Over 50 staff joined the call and it went flawlessly. After that first call, Teams adoption soared.

Adam then switched his focus to move the association’s endpoints to Azure Active Directory. In the future, Autopilot, for example, will make it easier to drop ship a new computer and have it onboarded without anyone from IT actually laying their hands on it. Think of it as touchless installation. “The potential is that we can deliver most of our apps without ever seeing the PC.” Remember when IT used disk imaging tools to set up new PCs? That has gone the way of those IBM mainframes.

“Before the pandemic, we did patch management of our endpoints based on the machine being in our office, where they could physically talk to the WSUS server. All of a sudden, that premise-based connection was severed. In the future, we hope to decommission our on-premises Domain Controllers and run all IT infrastructure in Azure AD. The only server left will be a NAS with 8TB of video, audio and photos. It is just too much to put into the cloud at this time.”

Migrating from Active Directory to Azure AD isn’t simple, and their MSP, DelCor, is helping with the back-end transition. Adam and his staff are touching each endpoint themselves. The goal is to make it easier to manage their endpoints, whether they are in an office or dispersed in the homes of staff worldwide. “Companies that still have their AD controllers in a closet someplace should put migrating to a cloud based directory system, whether Azure AD or some other flavor, on their roadmap.” 

For an MFA security solution, his MSP insisted on using Duo’s MFA. “It made their jobs – and mine – much easier, and much more secure.”

As Adam’s team migrates users to Azure AD and Defender ATP, the IT team is getting better visibility into the security posture of each endpoint. “IT directors are in a war, and we have to be continually improving our infrastructure and security footprint. Let’s face it, the most dangerous virus is the one you don’t know about that has been living on your network for months.”

Adam is using the paid Defender ATP license and replacing his Trend Micro AV installation, so he can get a single management screen to see which of his users’ PCs are in need of security updates. “Gone are the days of Windows 10 being stuck in the 2019 release.”

Adam is just a microcosm of the sea changes that IT is going through these days. Whether you are returning to your office or have adopted some hybrid solution, you might want to take a look at what you can do to manage more remote workers.

Linode blog: Three app security guides

I have written a series of blog posts to help developers improve their security posture.

As developers release their code more quickly, security threats have become more complex, more difficult to find, and more potent in their potential damage to your networks, your data, and your corporate reputation. Balancing these two megatrends isn’t easy. While developers are making an effort to improve the security of their code earlier in the software life cycle, what one blogger on Twilio has called “shifting left,” there is still plenty of room for improvement. In this guide, I describe some of the motivations for better protecting your code.

Many developers are moving “left” towards the earliest possible moment in the application development life cycle to ensure the most secure code. This guide discusses ways to approach coding your app more critically. It also outlines some of the more common security weaknesses and coding errors that could lead to subsequent problems. In this post, I look at how SQL injection and cross-site scripting attacks happen and what you can do to prevent each of them.
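To make the two weaknesses named above concrete, here is an added example written for this digest (it is not code from the Linode guide): each flaw appears beside its fix, in Python against an in-memory SQLite database with two constructed user rows. The injection case uses string formatting versus a parameterized query; the cross-site scripting case reflects input into HTML raw versus escaped with the standard library’s html.escape.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the query is assembled by string formatting, so attacker
    input such as  x' OR '1'='1  becomes part of the SQL and matches every row."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Fix: a parameterized query. The driver passes the value separately from the
    statement text, so it is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def greet_vulnerable(display_name):
    """Cross-site scripting: user-controlled text is interpolated straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"


def greet_safe(display_name):
    """Fix: escape for the HTML text context. quote=True also makes the result
    safe inside a double- or single-quoted attribute value."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, injected))  # every user leaks
    print("safe:      ", lookup_safe(conn, injected))        # no such user: []

    payload = "<script>alert(document.cookie)</script>"
    print("vulnerable:", greet_vulnerable(payload))          # script tag survives
    print("safe:      ", greet_safe(payload))                # rendered as inert text
```

Two caveats a practitioner would add: html.escape is the right tool only for the HTML body and attribute contexts; text landing inside a script block, a URL, or a CSS value needs that context’s own encoding, which is why server-side templating engines with autoescaping on are the usual fix rather than hand-placed escape calls. Likewise, parameterization protects values, not identifiers; a table or column name chosen by the user still has to be checked against an allow-list.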

Application security testing products fall into two basic groups, and you need both: testing tools and shielding tools. The former run various automated and manual tests on your code to identify security weaknesses. The shielding products harden your apps to make attacks more difficult to carry out; they go beyond the testing process, take a more proactive role in your protection, and flag bad spots as you write the code within your development environment. This guide delves into the differences between the two kinds of tools and reviews and recommends a series of application security testing products.

Infosec Institute blog: How to design the best cybersecurity training program for your enterprise

One of the best ways to retain your staff is to invest in their further education and what is now called upskilling. But corporate skills training often has a hard time getting the respect that it deserves. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers.

In my blog post for the Infosec Institute, I look at how to determine the return on any training investment and how to design the right program that fits your particular needs, whether it uses public college-style courseware or a curriculum that you develop yourself.

Can AI help you get your next job?

There is an increasing number of AI-based tools being used in the hiring and HR process. I am not sure whether this is a benefit to job seekers or to the employment business. Certainly, there are plenty of horror stories, such as this selection of 2020’s most significant AI-based failures: deepfake bots, biased predictions of pre-criminal intent, and so forth. (And this study by Pew is also worth reading.)

I would argue that AI has more of a PR than HR problem, with the mother lode being traced back to the Terminator movies and Minority Report, with Asimov’s Three Laws of Robotics thrown in for good measure. In a post that I did for Avast’s blog last fall, I examined some of the ethical and bias issues around AI. Part of the issue is that we still need to encode human judgment into some digital form. And people aren’t as consistent as machines — which sometimes is a useful thing. I will give you an example at the end of this post.

But let’s examine what is going on with HR-related AI. A study done last year by HRExaminer identified a dozen hiring-based AI tools, with half of them focusing on the recruiting function. I would urge you to examine this list and see if any of them are being used at your workplace, or as part of your own job search and hiring process.

One of the ones on the list is HiredScore, which offers an all-purpose HR solution using various AI methods to rank potential job candidates, recommend internal employees for open positions, and measure inclusion and diversity. That is a lot of places where the doomsday “Skynet” scenario of the machines taking over could happen, and is probably one of the few plot lines that Philip K. Dick never anticipated. Still, the company claims they have trained their machine learning algorithms with more than 25M resumes and twice as many job postings.

There are other niche products, such as Xref’s online reference checking or the testing prowess of TestGorilla. The latter offers a library of more than 135 “scientifically validated tests” for job-specific skills like coding or digital marketing, as well as more general skills like critical thinking. That one struck another nerve for me. The reason I put that phrase in quotes is because I can’t validate its claim.

As many of you who have followed my work have found out, my first job in publishing was working for PC Week when it was part of the Ziff Davis corporation. ZD had a rule that required every potential hire to submit to a personality test before getting a job offer. I have no recollection of the actual test questions all these years later, but obviously I passed and so began my writing career.

In the modern era, we now have vendors that use AI tools to help screen applicants. I am not sure I would have passed these tests if ZD had them available back in the day. That doesn’t make me feel better about using AI to assist in this process.

Let me give you a final example. When I went to visit my daughter last month, I was given a specific time period in which I was allowed to enter Israel. Only it wasn’t specific: the approval was granted for “two weeks” but not starting from any specific time of day. I interpreted it one way. The German gate agents at Frankfurt interpreted it another way. Ultimately, the Israeli authorities at the airport agreed with my point of view and let me board my final flight. If a machine had screened me, I would probably not have been allowed to enter Israel.

In my post for Avast’s blog last year, I mention several issues surrounding bias: in the diversity of the programming team creating the algorithms, in understanding the difference between causation and correlation, and in interpreting the implied ethical standards of the actual algorithms themselves. These are all tricky issues, and made even more so when you are deciding on the fate of potential job applicants. Proceed with caution.

Avast blog: It ain’t easy to remove your personal data from the brokers

I tried to remove my own data recently and found it to be a very frustrating online rabbit hole. You will find the task nearly impossible and, sadly, this is by intent and by design: the brokers charge by the gigabyte and aren’t paid for being accurate. And you don’t pay them anything, so you aren’t really the customer; you are just the unwilling victim.

Note: these brokers are the legitimate side of selling your data, not to be confused with the illegal dark web side, such as the recent scraping of 700M LinkedIn users. Fighting that is for another post.

I started out my own quest by submitting removal requests for my data to three places: Epsilon, Experian, and Intelius. I picked these somewhat at random, but the trio gives you a good idea of what you are in for. My journey through this looking glass is chronicled for my latest blog post for Avast here.

Avast blog: Fighting unpredictable existential threats

Earlier in June, CogX Festival brought together representatives from business and government to discuss innovation. I watched a panel session on dealing with unpredictable existential threats. The panelists included Robert Hercock, the Chief Research Scientist at BT Security, Clarissa Rios Rojas, a research associate at the University of Cambridge’s Centre for the Study of Existential Risk, and Avast CISO Jaya Baloo. Rojas and her colleagues spend a lot of time looking at a wide range of global risks that could lead to human extinction and other dire circumstances. You can watch the session here and can read my synopsis of the conference session on Avast’s blog here.

Wanna read books for free? Here’s how.

For those of you who are avid readers, you might want to investigate a service called NetGalley. I have been using them for seven years and have read hundreds of books for free. The only catch? I have to read them on my Kindle (or Nook or equivalent device) and then write a short review that I then post to Amazon, B&N, Goodreads, and other bookselling websites.

It is a terrific service which publishes the pre-publication versions of books, which used to be called galleys back in the days of Gutenberg, to a select audience of what they call “professional readers.” These versions often have small editing mistakes but are otherwise close to the actual text that you will see in the finished book.

The workflow is as follows. Once you join the service, you will get weekly notifications in your email about upcoming new books. Sometimes there is a short description, and you can click on that and get a longer one that will give you an idea if you are interested in reading the book. The service is used by both new authors and established ones alike, and there are tens of thousands of readers and authors using the service. Some books are immediately available for download; some will require the publisher to approve your request. Sometimes I get turned down, but usually within a day or so I have a new book waiting for me in my NetGalley account. I then send the digital file to my Kindle reader, and within minutes I can be reading a new book. Pretty neat, this whole internet thing, right?

I would say over the past several years I go through phases where I read more books on my Kindle than in print, and then the reverse. Given that bookstores have been mostly closed for browsing under the pandemic, I have gone back to using my Kindle more.

The NetGalley service keeps track of when the book is actually available for sale on the book ecommerce sites and sends you a tickler so you can post your review accordingly. That appeals to me, because I like to be in the first batch of folks posting my review.

There is a wide range of books available on the service, and this also includes audiobooks as well as the traditional printed text. You can set your subject matter preferences and other parameters for your account. If you don’t want to wait for the weekly notifications, you can browse for new titles at any time.

If you really like a book and want to get to interview the author, NetGalley will help facilitate that relationship. They also make it very easy to take your review and get it put on the bookselling sites with a couple of clicks.

As I said, the service is free for readers. They make their money from publishers (and self-published authors) who pay a fee to post their galleys on the service for a specific time period. The fees vary from a single book for $450 for six months to discounts for multiple books for publishing houses or members of various publishing associations.

I will be giving a seminar on NetGalley in September for the St. Louis Publishers Association. Email me if you are interested in seeing this presentation.

The role of mutual trust when you resume international travel

I recently spent two weeks in Israel visiting my daughter’s family. Making the arrangements was an interesting exercise and exposed how broken our mutual trust relationships have become in the Covid era. There are several weak points, especially under the strain of crossing international borders:

— Crossing borders (customs and immigration procedures). Before the pandemic, there were fairly well-defined rules on how one could enter another country. Some places, such as the EU, had complete trust and no actual physical barrier between countries: it was more a line drawn on a map. But that trust has broken down, and now the rules are in flux, seemingly with daily changes.

In my previous visits to Israel, I didn’t need a visa as an American citizen. But I was interrogated by a customs official as to my purpose. That in-person conversation was replaced by a pre-flight application process that was maddening. I had to provide all sorts of documents to the Israeli embassy (in Miami, which covers my part of the US). My application was questioned several times before getting approval. Once I arrived at the Tel Aviv airport, I was able to gain entry to the country by just scanning my passport, plus a quick conversation with a health ministry representative who wanted to see the documentation for my negative Covid PCR test. The passport scan had previously only been available to those holding Israeli passports, and is similar to our Global Entry process.

— Proof of vaccination. The issue for any American traveling abroad is that our cardboard proof of vaccination isn’t trustworthy. I had to get a blood test in Israel that proved it: the locals have an app that is tied to their HMO’s system that used to be a condition for entering public places like shopping malls and sports stadiums. While I was there the restrictions were removed: that is what happens when sufficient folks have gotten vaccinated. But without the blood test, I would have had to stay in isolation at my daughter’s home during my entire visit.

— Passenger behavior (inflight). The news media is filled with stories about misbehaving passengers who have been arrested and removed from flights. The vast majority of these cases were from domestic US flights. The international flights that I was on saw no trouble. And when I interviewed my flight attendants, they also said that the cases were overstated by the media.

— Passenger behavior (on the ground). The five airports that I was in (St. Louis, Houston, Frankfurt, Tel Aviv and Newark) all had vastly different experiences. The most crowded airport was Houston and most of the passengers were masked and the airport shops were open and busy. In Tel Aviv’s airport, few people wore masks and donned them just before boarding their flights. Frankfurt was a ghost town and few shops and airport lounges were open, although I did find one where I could take a shower. Newark was busy, and had frequent PA announcements that any passengers without masks would be subject to a $50 fine.

I am glad that I got an opportunity to see my family. The bottom line for those of you that want to travel internationally in 2021: plan ahead and be prepared to roll with sudden and inexplicable changes.

Avast blog: Should you just walk away from Amazon’s “Just Walk Out” tech?

If you’ve been following Amazon’s move towards physical storefronts, you have probably seen the news about the series of different retail stores it has created, including bookstores, grocery stores, general merchandise stores, and shops selling prepared food. Add to this the fact that Amazon has owned Whole Foods Market for the past four years. In my blog post for Avast, I take a closer look at the way these Amazon outlets collect customers’ money, how they access their data, and some of the privacy implications tied to Amazon’s “Just Walk Out” technology. These stores and this technology take the collection of shopper data to the next, and perhaps creepier, level.