
State of Cybercrime
209 episodes — Page 2 of 5
S1 Ep 48: Changing User Behavior
Summer is approaching, and that's when most of us feel the heat. Cybersecurity managers, however, feel the heat all year round: they must be right every time, because cybercriminals only have to be right once. For cybersecurity pros, that year-round summer can lead to job burnout. Another problem managers face is that cybersecurity awareness training may not be effective. Learning and sharing interesting security information in a class is wonderful and expands a user's mind, but if it doesn't change the user's behavior and he continues to click on links he shouldn't be clicking on, training might not be as helpful as it claims to be.

Other articles discussed:
Airbnb and 23andMe team up
Baltimore ransomware strikes again
When your car knows when you get fast food

Tool of the week: htrace.sh, a simple Swiss Army knife for http/https troubleshooting and profiling.

Panelists: Cindy Ng, Mike Buckbee, Kris Keyser, Kilian Englert

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime

More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/
S1 Ep 47: Security and Technology Unleashed
Searching a traveler's phone or laptop is not an extension of a search made on a piece of luggage. As former commissioner of Ontario Ann Cavoukian said, "Your smartphone and other digital devices contain the most intimate details of your life: financial and health records." In general, it's also dangerous to carry laws written for the physical world over to the digital space. And even with GDPR, which is meant to protect consumer data, the law hasn't been used to take action against any major technology firm such as Google or Facebook. It seems our relationship with technology might get worse before it gets better.

Other articles discussed:
How YouTube engineers eviscerated IE6
Attackers hosted phishing kits on GitHub

Tool of the week: Ghidra, a software reverse engineering (SRE) framework.

S1 Ep 46: Professor Angela Sasse FREng on Human-Centered Security
Lately, we've been hearing more from security experts who are urging IT pros to stop scapegoating users as the primary reason for not achieving security nirvana. After covering this controversy on a recent episode of the Inside Out Security Show, I thought it was worth having an in-depth conversation with an expert. So, I contacted Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. Over the past 15 years, she has been researching the human-centered aspects of security, privacy, identity and trust. In 2015, for her innovative work, she was awarded the Fellowship of the Royal Academy of Engineering (FREng) for being one of the best and brightest engineers and technologists in the UK. In part one of my interview with Professor Angela Sasse, we cover the challenges that CISOs have in managing risk while finding a way to understand what's being asked of the user. And more importantly, why improving the usability of security can positively impact an organization's profits.

Transcript

Cindy Ng: Since 1999, Professor Angela Sasse has researched and promoted the concept of having security that works with and for users and their organization. She accomplishes this by appealing to the bottom line. Her hallmark paper, "Users Are Not the Enemy," argues that security frameworks designed with a "users are dangerous" approach create barriers that users must overcome in order to do their jobs, which makes them a resource-intensive administrative burden for their organization. For her exceptional work, in 2015 Professor Angela Sasse was awarded the Fellowship of the Royal Academy of Engineering as being one of the best and brightest engineers and technologists in the UK. I think what you're doing is multilayered, multifaceted, and you're targeting two very different fields where you're trying to think about how to design innovative technologies that are functional while driving the bottom line. So that's B2B, and then also improve the well-being of individuals and society, and that's B2C, and the strategies of those two things are very different. So maybe to just peel the layers back to start from the beginning, your research focuses on human usability of security and perhaps privacy too. Maybe it might be helpful to define what usability encompasses.

Angela Sasse: Okay. So, usability, there's a traditional definition, there's an, you know, International Standards Organization definition of it, and it says, "Usability is if a specified user group can use the mechanism to achieve their goals in a specified context of use." And that actually makes it really quite, quite complex, because what it's really saying is there isn't a sort of, like, hard-line measure of what's usable and what isn't. It's about the fit, how well it fits the person that's using it and the purpose they're using it for in the situation that they're using it.

Cindy Ng: Usability is more about the user, the human, and not necessarily the technology; it's, after all, just a tool. And we have to figure out a way to fit usability into the technology we're using.

Angela Sasse: Yes, of course, and what it amounts to is that, of course, it's not economic. It wouldn't be economically possible to get a perfect fit for 120 different types of interactions in situations that you do. What we generally do is we use four or five different forms of interaction, you know, that work well enough across the whole range of interactions that we do. So there's locally optimal and globally optimal, so you could make a super good fit for different situations. But if you don't want to know about 120 different ways of doing something, so globally optimal is to have a limited set of interactions and symbols and things that you're dealing with when you're working with technology. So, security, however, one of the things that a lot of people overlook when it comes to security and usability is that from the user's point of view, security is always what usability people call a secondary task or enabling task. So this is a task I have to do to get to the thing I really want to do, and so the kind of tolerance or acceptance that people have for delays or difficulty is even less than with their sort of primary interactions.

Cindy Ng: It's like a chore. For instance, an example would be I need to download an app, perhaps, in order to register for something.

Angela Sasse: Yeah, and so what you want to do is, you know, you want to use the app for a particular purpose, and then if you basically have...if the user perceives that in order to be able to use the app, you know, all the stuff you have to do to get to that point is too much of a hurdle, then most of them would just turn around and say, "It's not worth it. I'm not going ahead."

Cindy Ng: When it comes to the security aspect, how does a CISO or an IT security admin decide that users are dangerous, and that if they only had the same knowledge that I have, th

S1 Ep 16: Statistician Kaiser Fung: Fishy Stats (Part 3)
Over the past few weeks, Kaiser Fung has given us some valuable pointers on understanding the big data stats we are assaulted with on a daily basis. To sum up, learn the context behind the stats — sources and biases — and know that the algorithms that crunch numbers may not have the answer to your problems. In this third segment of our podcast, Kaiser points out all the ways stats can trick us through their inherently random nature, variability in stats-speak.

Transcript

Cindy Ng: In parts one and two of our interview with Kaiser Fung, we discussed the process behind a numerical finding, then focused on accuracy. In our last installment, Kaiser reveals one last way to cultivate numbersense. Your third point is to have a nose for doctored statistics. And for me, it's kind of like…if you don't know what you don't know? Kind of like I was surprised to read in the school rankings chapter in Numbersense that different publications have different rules in ranking. And then I didn't know that, like, reporting low GPAs as not available is a magic trick that causes a median GPA to rise. And so if I didn't know this, I would just use any number in any of these publications and use it in my marketing. How do I cultivate a nose for doctored statistics?

Kaiser Fung: Well, I think...well, for a lot of people, I think it would involve, like, reading certain authors, certain people who specialize in this sort of stuff. I'm one of them, but there are also others out there who have this sort of skepticism and they will point out how...you know, I mean, I think it's all about figuring out how other people do it and then you can do it even to just follow the same types of logic. Oftentimes, it involves, sort of like, there are multiple stages to this. So there's the stage of, can you smell something fishy? So it's sort of this awareness that, "Okay, do I want to believe this or not?" And then there's the next stage of, do you...once you smell something, do you know where to look, how to look, how do you investigate it? So usually when you smell something, that means that you have developed an alternative hypothesis or interpretation that is different from the thing you're reading. So in sort of this scientific method, what we want to do at that point is to try to go out and find corroborating evidence. So then the question becomes, do you have this notion of what kinds of things I could find that could help you decide whether you're right or whether the original person is right? And here the distinction is really around, if you're more experienced, you might be able to know if I am able to find this information that will be sufficient for me to even validate this or to fortify that. So you don't necessarily go through the entire analysis. Maybe you just find a shortcut to get to a certain point. And then the last stage is, that's the hardest to achieve and also not always necessary, but it's sort of like, okay, if you no longer believe in what was published, how do you develop your alternative argument? So that requires a little more work, and that's the kind of thing that I try to train my students to do. So oftentimes when I set very open-ended type problems for them, you can see these people in different stages. Like there are people who don't recognize where the problems are, you know, just believe what they see. There are people who recognize the problems and are able to diagnose what's wrong. Then there are ones that can diagnose what's wrong and they will have...you know, whether it's usually through looking at some other data or some other data points, they can decide, okay, instead of making the assumptions that the original people made, which you no longer believe, I'm going to make a different set of assumptions. So, like, make this other set of assumptions, what would be the logical outcome of the analysis? So I think it's something that can be trained. It's just difficult in the classroom setting in our traditional sort of textbook lecture style. That type of stuff is very difficult to train.

Andy Green: Something you said about sort of being able to train ourselves. And one thing that, it comes up in your books a lot, is that a lot of us don't have the sense of variability in the data. We don't understand what that means or what it...if we were to sort of put it out on a bar chart, we don't have that picture in our mind. And one example that you talk about, I think on a blog post, in something as marketers we do a lot, is A/B testing. And so we'll look at, we'll do a comparison of changing one website slightly and then testing it and then noticing that maybe it does better, we think. And then when we roll it out, we find out it really doesn't make too much of a difference. So you talked about reasons why something might not scale up in an A/B test. I think you wrote about that for one of the blogs. I think it was Harvard Business Review.

Kaiser Fung: ...I'm not sure about whether we're saying the same things. I'm

S1 Ep 158: We’d Love to Upgrade, But…
It’s great to be Amazon, with only one on-call security engineer and security fully automated. For many organizations today, however, completely automated security is still an aspirational goal. Those in healthcare would love to upgrade, but what if you’re using a system that’s FDA approved, which makes upgrading a little more difficult? What if hackers were able to download personal data from a web server because many servers weren’t up to date and had outdated plugins? Meanwhile, here’s a lesson from veteran reporter Brian Krebs on how not to acknowledge a data breach. By the way, would you ever use public Wi-Fi, and do you value certificates over experience?

S1 Ep 15: Statistician Kaiser Fung: Accuracy of Algorithms (Part 2)
In part one of our interview with Kaiser, he taught us the importance of looking at the process behind a numerical finding. We continue the conversation by discussing the accuracy of statistics and algorithms. With examples such as shoe recommendations and movie ratings, you’ll learn where algorithms fall short.

Transcript

Cindy Ng: In part one, Kaiser taught us the importance of looking at the process behind a numerical finding. And today, we’ll continue in part two on how to cultivate numbersense. Kaiser, do you think algorithms are the answer? And when you’re looking at a numerical finding, how do you know what questions to ask?

Kaiser Fung: So I think...I mean, there are obviously a big pile of questions that you ask, but I think that the most important question not asked out there is the question of accuracy. And I've always been struck, I keep mentioning to my blog readers this, is that if you open up any of the articles that are written up, whether it's the New York Times, Wall Street Journal, you know, all these papers have big data articles and they talk about algorithms, they talk about predictive models and so on. But you can never find a quantified statement about the accuracy of these algorithms. They would all qualitatively tell you that they are all amazing and wonderful. And really it all starts with understanding accuracy. And in the Numbersense book, I addressed this with the Target example of the tendency models. But also in my previous book, I talk in the whole thing around steroids and also lie detector testing, because it's all kind of the same type of framework. It's really all about understanding the multiple different ways of measuring accuracy. So starting with understanding false positive and false negative. But really they are all derived with other more useful metrics. And you'll be shocked how bad these algorithms are. I mean, it's not that...like from a statistical perspective, they are pretty good. I mean, I try to explain to people, too. It's not that we're all kind of snake oil artists, that we...these algorithms do not work at all. I mean, usually, they work if you were to compare with not using the algorithm at all. So you actually have incremental improvements and sometimes pretty good improvements over the case of not using an algorithm. Now, however, if the case of not using the algorithm leads to, let's say, 10% accuracy, and now we have 30% accuracy, you would be three times better. However, 30% accuracy still means that 70% of the time you got the wrong thing, right? So there's an absolute versus relative measurement here that's important. So once you get into that whole area, it's very fascinating. It's because usually the algorithms also do not really make decisions, and there are specific decision rules that are in place because oftentimes the algorithms only calculate a probability of something. So by analogy, the algorithm might tell you that there's a 40% chance of raining tomorrow. But somebody has to create a decision rule that says that, you know, based on...I mean, I'm going to carry an umbrella if it's over 60%...So there's all this other stuff involved. And then you have to also understand the soft side of it, which is the incentive of the various parties to either go one or the other way. And the algorithm ultimately reflects the designer's, because the algorithm will not make that determination of whether you should bring an umbrella since … however, it's over 60% or under 60%. All it can tell you is that for today it's 40%. So I think this notion that the algorithm itself is running on its own, it's false anyway. And then so once you have human input into these algorithms, then you also have to wonder about what the humans are doing. And I think in a lot of these books, I try to point out that what also complicates it is that in every case, including the case of Target, there will be different people coming from this in angles where they are trying to optimize objectives that are conflicting. That's the beginning of this...that sort of asking the question of the output. And I think if we start doing that more, we can avoid some of this, I think a very recent current situation that runs into our conversation here is this whole collapse of this…company. I'm not sure if you guys have been following that. Well, it's an example of somebody who's been solving this algorithm people have been asking. Well, a lot of people have not been asking for quantifiable results. The people who have been asking for quantifiable results have been basically pushed back and, you know, they refused all the time to present anything. And then, at this point, I think it's been acknowledged that it's all...you know, empty, it's hot air.

Andy Green: Right, yeah. You had some funny comments on, I think it was on your blog, about, and this is related to these algorithms, about I guess buying shoes on the web. On, I don't know, one of the websites. And you were always saying, "

S1 Ep 157: Security on Easy Mode
Recently in the security space, there’s been a spate of contradicting priorities. For instance, a recent study showed that programmers will take the easy way out and not implement proper password security. Anecdotally, a security pro in a networking and security course noticed another attendee who covered his webcam but, noticeably, had his BitLocker recovery code printed on a label attached to his screen. When protocols and skills compete for our attention, ironically, security gets placed on easy mode. In the real world, attackers can potentially create malware that would automatically add “realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them.” How about that time when ethical hackers were able to access a university’s student and staff personal data, finance systems and research networks? Perhaps more education and awareness might be needed to take security out of easy mode and bring it into real-time alerting mode.

S1 Ep 11: Statistician Kaiser Fung: Investigate The Process Behind A Numerical Finding (Part 1)
In the business world, if we’re looking for actionable insights, many think they are found using an algorithm. However, statistician Kaiser Fung disagrees. With degrees in engineering, statistics, and an MBA from Harvard, Fung believes that both algorithms and humans are needed, as the sum is greater than its individual parts. Moreover, the worldview he suggests one should cultivate is numbersense. How? When presented with a numerical finding, go the extra mile and investigate the methodology, biases, and sources. For more tips, listen to part one of our interview with Kaiser as he uses recent headlines to dissect the problems with how data is analyzed and presented to the general public.

Transcript

Cindy Ng: Numbersense essentially teaches us how to make simple sense out of complex statistics. However, statistician Kaiser Fung said that cultivating numbersense isn’t something you can learn in a book. But there are three things you can do. First is you shouldn’t take published data at face value. Second is to know what questions to ask. And third is to have a nose for doctored statistics. And so, the first bullet is you shouldn't take published data at face value. And so, like, to me, that means it takes more time to get to the truth that matters, to the matter, to the issue at hand. And I'm wondering also, like, to what extent does the volume of data, big data, affect fidelity, because that certainly affects your final result?

Kaiser Fung: There are lots of aspects to this. I would say, let's start with the idea that, well, it's kind of a hopeless situation because you pretty much have to replicate everything or check everything that somebody has done in order to decide whether you want to believe the work or not. I would say, well, in a way that's true, but then over time you develop kind of a shortcut. Then part of it is that if you have done your homework on one type of study, then you could apply all the lessons very easily to a different study, so we don't have to actually repeat all that. And also organizations and research groups tend to favor certain types of methodologies. So once you've understood what they are actually doing and what are the assumptions behind the methodologies, then you could...you know, you have developed some idea about whether you're a believer in the assumptions or their method. Also, over time, you know, I have certain people whose work I have come to appreciate. I've studied their work, they share some of my own beliefs about how do you read data and how to analyze data. And it's this sense of, it also depends on who is publishing the work. So, I think that's part one of the question, is encourage people to not just take what you're told but to really think about what you're being told. So there are some shortcuts to that over time. Going back to your other issue related to the volume of data, I mean, I think that is really causing a lot of issues. And it's not just the volume of data but the fact that the data today is not collected with any design or plan in mind. And oftentimes, the people collecting the data are really divorced from any kind of business problem or divorced from the business side of the host. And the data has just been collected and now people are trying to make sense of it. And I think you end up with many challenges. One big challenge is you don't end up solving any problems of interest. So I just had a read up on my blog, that will be something just like this weekend. And this is related to somebody's analysis of the...I think this is Tour de France data. And there was this whole thing about, "Well, nowadays we have Garmin and we have all these devices, they're collecting a lot of data about these cyclists. And there's nothing much done in terms of analysis," they say. So which is probably true because, again, all of that data has been collected with no particular design in mind or problem in mind. So what do they do? Well, they basically then say, "Well, I'm going to analyze the color of the bike that has actually won the Tour de France over the years." But then that's kind of the state of the world that we're in. We have the data, then we try to portray it by forcing it to answer some questions that we’re supposed to create. And oftentimes these questions are actually very silly and don't really solve any real problems, like the color of the bike is. I don't think anyone believes it impacts whether you win or not. I mean, that's just an example of the types of problems that we end up solving. And many of them are very trivial. And I think the reason why we are there is that when you just collect the data like that, you know, let's say you have a lot of this data about...I mean, let's assume that this data measures how fast the wheels are turning, the speed of your bike, you know, all that type of stuff. I mean, if the problem is that when you don't have an actual problem in mind, you don't actually have all of the pieces of the data that you

S1 Ep 156: The Making of the Modern CISO
Should CISOs use events or scenarios to drive security, rather than checklists? It also doesn’t matter how much you spend on cybersecurity if it ends up becoming shelfware. Navigating one’s role as a CISO is no easy feat. Luckily, the path to becoming a seasoned CISO is now easier with practical classes and interviews. But when cybersecurity is assumed to be not very important, does that defeat the leadership role of a CISO?

Panelists: Cindy Ng, Sean Campbell, Mike Buckbee, Kris Keyser

S1 Ep 26: Security Expert and "Hacked Again" Author Scott Schober (Part 2)
Scott Schober wears many hats. He's an inventor, software engineer, and runs his own wireless security company. He's also written Hacked Again, which tells about his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks about the importance of layers of security to reduce the risks of an attack. Scott also points out that we should be careful about revealing personal information online. It's a lesson he learned directly from legendary hacker Kevin Mitnick!

Transcript

Andy Green: So speaking of the attack that the Mirai...I'm not sure if I'm pronouncing that right...attack from last week, I was wondering if, can cell phones be hacked in a similar way to launch DDoS attacks? Or that hasn't happened yet? I was just wondering if...with your knowledge of the cellphone industry?

Scott Schober: Absolutely. I mean, to your point, can cell phones be attacked? Absolutely. That's actually where most of the hackers are starting to migrate their attacks toward, a cell phone. And why is that, especially they're aiming at the Android environment? Excuse me. It's open-source. Applications are not vetted as well. Everybody is prone to hacking and vulnerable. There are more Android users. You've got open-source, which is ideal for creating all kinds of malicious viruses, ransomware, DDoS, whatever you want to create and launch. So that's their preferred method, the easiest path to get it in there, but Apple certainly is not prone to that. The other thing is that mobile phone users are not updating the security patches as often as they should. And that becomes problematic. It's not everybody, but a good portion of people are just complacent. And therefore hackers know that eventually, everybody's old Windows PC will be either abandoned or upgraded with more current stuff. So they'll target the guys that are still using old Windows XP machines where there's no security updates and they're extremely vulnerable, until that dries up. Then they're gonna start migrating over to mobile devices...tablets, mobile phones...and really heavily increase the hacks there. And then keep in mind why. Where are you banking? Traditionally everybody banked at a physical bank or from their computer. Now everybody's starting to do mobile banking from their device...their phone. So where are they gonna go if they want to compromise your credit card or your banking account? It's your mobile device. Perfect target.

Andy Green: Yeah. I think I was reading on your blog that, I think, your first preference is to pay cash as a consumer.

Scott Schober: Yes. Yes. Yep.

Andy Green: And then I think you mentioned using your iPhone next. Is that, did I get that right?

Scott Schober: Yeah, you could certainly..."Cash is king," I always say. And minimize. I do...I probably shouldn't say it...but I do have one credit card that I do use and monitor very carefully, that I try to use only at secure spots where I know. In other words, I don't go to any gas station to get gas and I don't use it for general things, eating out. As much as I can use cash, I will, to minimize my digital footprint and putting my credit out there too much. And I also watch closely, if I do hand somebody my credit card, I write on the back of it, "Must check ID." And people sometimes...not always...but they'll say, "Can I see your ID?" Hand them my license. "Thank you very much." Little things like that go a long way in preventing somebody, especially if you're handing your credit card to somebody that's about to swipe it through a little square and steal your card info. When they see that, they realize, "Oh, gosh, this guy must monitor his statement quickly. He's asking for ID. I'm not gonna try to take his card number here." So those little tips go a long, long way.

Andy Green: Interesting. Okay. So in the second half of the "Hacked Again" book, you give a lot of advice on, sort of, security measures that companies can take, and it's a lot of tips that, you know, we recommend at Varonis. And that includes strong passwords. I think you mentioned strong authentication. Pen testing may have come up in the book as well. So have you implemented this at your company, some of these ideas?

Scott Schober: Yes, absolutely. And again, I think in the book I describe it as "layers of security," and I often relate that to something that we physically can all relate to, and that's our house. We don't have, typically, a single lock on our front door. We've got a deadbolt. We've got a camera. We've got alarm stickers, the whole gamut. The more we have our defenses up, the more likely that a physical thief will go next door or down the block to rob us. The same is true in cyber-security. Layered security, so not just when we have our login credentials. It's our user name and a password. It's a long and strong password,

S1 Ep 25Security Expert and "Hacked Again" Author Scott Schober" (Part 1)
Scott Schober wears many hats. He's an inventor and software engineer, and he runs his own wireless security company. He has also written Hacked Again, an account of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. In the first part of the interview, Scott tells us about some of his adventures in data security. He has been the victim of fraudulent bank transfers and credit card transactions, he has drawn the wrath of cyber gangs, and his company's site was a DDoS target. There are some useful security tips here for both small businesses and consumers.

Transcript

Andy Green: Scott Schober wears more than a few hats. Scott is President and CEO of Berkeley Varitronics, a company that makes wireless test and security solutions. He is also an inventor. The gadget that enforces no-cell-phone policies, that's one of his. He's a sought-after security speaker and has been interviewed on ABC News, Bloomberg TV, CNBC, CNN. And he's been on the other side of the security equation, having been hacked himself, and writing about that experience in his book, "Hacked Again." So, we're excited to have Scott on this podcast. Thanks for coming.

Scott Schober: Yeah, thanks for having me on here.

Andy Green: Yeah, so for me, what was most interesting about your book "Hacked Again" is that hackers actively go after small and medium businesses, and these hacks probably don't get reported in the same way as an attack on, of course, Target or Home Depot. So, I was wondering if you could just talk about some of your early experiences with credit card fraud at your security company?

Scott Schober: Yeah, I'd be happy to. My story, and what I'm finding, too, is not necessarily that different than many other small business owners. What perhaps I'm finding is more different is many small businesses and medium-size business owners are somewhat reluctant to share the fact that they actually have had a breach within their company. And oftentimes, because they perhaps are embarrassed or maybe there's a brand that they don't wanna have tarnished, they're afraid customers won't come back to the well and purchase products or services from them. In reality... And I talk about this often about breaches, pretty much every week now, trying to educate and share my story with audiences, and I always take a poll. And I am amazed, almost, now, everybody raises their hand that they've had some level of having their business compromised or personally compromised, be it a debit card or credit card. So, it's something now that resonates, and a lot more people realize that it's frequent, and it almost becomes commonplace. And another card gets issued, and they have to dispute charges, and write letters, and go through the wonderful procedure that I've had to do. I think, with myself, it's happened more frequently, unfortunately, because, again, sharing tips and how-to and best practices with individuals, it kinda gets the hackers a little bit annoyed and they like to take on a challenge to see if they could be disruptive or send a message to those that are educating people how to stay safe, because obviously it makes their game a lot harder. And I'm not alone, I'm in good company with a lot of other security experts out there and in the cyber world that have been targeted. And we all share war stories, and we've always got the target on our back, I guess it's safe to say. And with myself, it started with debit card, credit card, then eventually the checking account. Sixty-five thousand dollars was taken out. And I realized this was not just a coincidence. This is a targeted, focused attack against me, and it really hasn't stopped since. I wish I could say it has, but every week I'm surprised with something I find.

Andy Green: Right.

Scott Schober: Very scary. I have to just keep reinforcing what we're doing in making it safer to run our business and protect ourselves and our assets.

Andy Green: Right. So, I was wondering if you had just some basic tips because I know you talked a lot... you had some credit card fraud early on. But some basic advice for companies that are using credit cards or e-commerce. Is there something like an essential tip in terms of dealing with credit card processing?

Scott Schober: Yeah, yeah, absolutely. There's actually a couple of things that I always share with people. Number one, a lot of it has to do with how well you manage your finances, and this is basic 101 finances. When you have a lot of credit cards, it's hard to manage and hard to keep on top of looking at the statements or going online and making sure that there's no fraudulent activity. Regular monitoring of statements is essential. I always emphasize, minimize the number of cards you use. Maybe it's one card that you use, perhaps a second card you use for online purchases. Again, so it could be very quickly isolated and cleaned up if there is a compromise. It's ironic, the other day I was actually presenting

S1 Ep 155 The Psyche of Data
With data as the new oil, we’ve seen how different companies have responded. From meeting new data privacy compliance obligations to combining multiple anonymized data points to reveal an individual’s identity, it all speaks to how companies are leveraging data as a business strategy. Consumers and companies alike are awakening to data’s possibilities, and we’re only beginning to understand the psyche and power of data.
Tool of the Week: Zorp
Panelists: Cindy Ng, Kilian Englert, Mike Buckbee
Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️ Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

S1 Ep 52 More Scout Brody: Bringing Design Thinking to IoT
By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One thing we haven’t seen much of is IoT devices that are not connected to the internet. In our follow-up discussion, this is the vision Simply Secure's executive director Scout Brody advocates, since current IoT devices don’t have a strong foundation in security. She points out that we should consider whether putting a full internet stack on a new IoT device actually helps the user, as well as the benefits of bringing design thinking to the creation of IoT devices.

Transcript

Cindy Ng: I also really liked your idea of building smart devices, IoT devices, that aren't connected to the internet. Can you elaborate more?

Scout Brody: Yes, you know, I like to say, when I'm talking to friends and family about the internet, there are a lot of really interesting, shiny-looking gadgets out there. But as someone who has a background in doing computer security, and also someone who has a background in developing production software in the tech industry, I'm very wary of devices that might live in my home and be connected to the internet. I should say, low-power devices, or smaller devices, IoT devices that might be connected to the internet. And that's because the landscape of security is so underdeveloped. We think about where... I like to draw a parallel between the Internet of Things today and desktop computers in the mid-90s. When desktop computers started going online in the 90s, we had all sorts of problems because the operating systems and the applications that ran on those machines were not designed to be networked. They were not designed, ultimately, with a threat model that involved an attacker trying to probe them constantly in an automated fashion from all directions. And it took the software industry, you know, a couple of decades, really, to get up to speed and to really harden those systems and craft them in a way that they would be resilient to attackers. And I think that based on the botnet activity that we've seen in just the past year, it's really obvious that a lot of the IoT systems that are around the internet full-time today are not hardened in the way that they need to be to be resilient against automated attacks. And I think that with IoT systems, it's even scarier than a desktop, or a laptop, or a mobile phone because of the sort of inevitable progression toward intimacy of devices. We look at the history of computing. We started out with these mainframe devices or these massive god-awful things that lived in the basement of the great universities in this country. And we progressed from those devices through mainframes and, you know, industry through personal computers and now the mobile phones. With each step, these devices have become more integrated into our lives. They have access to more of our personal data and have become ever more important to our sort of daily existence. And IoT really takes us to the next step. It brings these devices not just into our home, but into our kitchens and into our bathrooms, and into our bedrooms, and our living rooms with our children. And the data they have access to is really, frankly, scary. And the idea of exposing that data, exposing that level of intimacy, intimate interaction with our lives, to the internet without the hardening that it deserves, is just really scary. So, that's, you know, a bit of a soapbox, but I'm just very cautious about bringing such devices into my home. However, I see some benefits. I mean, there are certainly... I think that a lot of the devices that are being marketed today with computer smarts in them are, frankly, ridiculous. There are ways that we could, sort of, try and mediate their access or mediate a hacker's access to them, such that they were a little less scary. One way to do that is, as you mentioned, and as we discussed before, to not have them be just online. You know, have things be networked via less powerful protocols like Bluetooth Low Energy, or something like that. That poses challenges when it comes to updating software or having, you know, firmware or software on a device, or having a device being able to communicate to the outside world. If we want to be able to turn our light bulb on the back porch on from our phone when we're 100 miles away, it's difficult. More difficult if the light bulb is only really connected to the rest of our house by Bluetooth, but it's still possible. And I think that's something that we need to explore.

Cindy Ng: Do you think that's where design comes in where, okay, well, now we've created all these IoT devices and we haven't incorporated privacy and security methodologies and concepts in it, but can we... it sounds like we're scrambling to fix things... are we able to bring design thinking, a terminology that's often used in that space, into fixing and improving how we're connecting the device with the data with security and privacy?

Sc

S1 Ep 50 Scout Brody, Ph.D. on Creating Security Systems Usable for All
With spring just a few short weeks away, it’s a good time to clean the bedroom windows, dust off the ceiling fans, and discard old security notions that have been taking up valuable mind space. What do you replace those security concepts with? How about ones that say security systems are not binary “on-off” concepts, but can instead be seen as a gentle gradient, and where user experiences developed by researchers create security products that actually, um, work. This new world is conceived by Scout Brody, executive director of Simply Secure, a nonprofit dedicated to leveraging user interface design to make security easier and more intuitive to use. “UX design is a critical part of any system, including security systems that are only meant to be used by highly technical expert users,” according to Brody. “So if you have a system that helps monitor network traffic, if it’s not usable by the people who are designed to use it or it’s designed for, then it’s not actually going to help them do their jobs.” In the first part of my interview with Scout Brody, we cover why security systems aren’t binary, the value of user interface designers, and how to cross-pollinate user personas with threat models.

Transcript

Cindy Ng: Scout Brody has long been passionate about improving the usability of security tools. Rather than a tech- and product-only mindset, she advocates a human-first or empathy-first mindset. Processes such as user experience and human-centered design can help improve the way humans and security technologies interact. As a former product manager at Google, she worked on projects such as 2-Step Verification and the Android operating system. Now she's an executive director at Simply Secure, a nonprofit dedicated to crafting usable and secure technologies, while making them available to everyone. The cornerstone of your work, Scout, you say consumers abdicate their security and privacy for ease, convenience and because sometimes they're strong-armed into yielding all their personal information in order to download an app or use a piece of technology because that's how technology is being developed. And the way you describe how security and privacy technologies are being developed, that they're not binary concepts but gradient, can you elaborate more on what that means?

Scout Brody: Well, Cindy, I think that as a security professional in our field we tend to think of things in absolutes and we tend to be constantly striving for the ideal. So if you're an I.T. professional working in a corporate environment, you are trying to do your utmost to make the settings as secure as they possibly can be because that's how you define success as a security professional. When it comes to thinking about security for end-users, however, it's important to recognize that not everyone has the same definition of what security they need to meet their needs or what privacy means to them. So one good example might be that you have, say, you know, a government worker who lives in Washington, D.C., and is very concerned they might have what we call in the security business a particular threat model, or they're worried about those people accessing their information, for professional purposes. They might be concerned about organized crime or foreign governments or all sorts of different things. And that's a very different threat model than someone who is a stay-at-home dad in Minnesota, for example, who, you know, may not have those same concerns when he's going and posting adorable photos of his kids on Facebook, that that information might be compromised or used to hurt him or his professional life in any way. So I think this notion that there is no one definition of what is secure, but I like to talk about usability and design as being gradient in the same way that security is. So in security, although we tend to think of it as an absolute, when we get down to the practice of security, we very rarely say, "Oh, this system is secure." No, we say, "This system is secure against threats A, B and C," it's secure in the face of a particular threat model. And similarly when you talk about a system being usable or useful to end-users, we have to say, "This is usable and useful to these users in these contexts."

Cindy Ng: I like what you mentioned about threat model and context. Can you provide us an example of how you would align a threat model alongside the technology you have? What would that look like?

Scout Brody: Well, I think that it depends. I think I want to clarify that when you say design, we're talking not just about a system architecture design but we're really talking about the design of the entire piece of software, including the user interface, or as you like to say on the design side, the user experience or U.X. And a U.X. design, I maintain, is a critical part of any system, including security systems, even security systems that are really only meant to be used by highly technical e

S1 Ep 154 The Dance Between Governance, Risk Management, and Compliance
Juggling business and technology challenges while meeting regulatory compliance obligations and managing risk is no easy feat. European officials have been publishing guidance on how to avoid online scams, including general tips and warning signs. Attorneys have been reflecting on legislative developments to prepare for the year ahead. Meanwhile, businesses like Facebook and Reddit are finding their rhythm as they dance between running their business, meeting compliance requirements and keeping their users’ data safe and secure.

S1 Ep 102 Privacy Attorney Tiffany Li and AI Memory, Part II
Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties of getting AI to forget. In this second part, we continue our discussion of GDPR and privacy, and then explore some cutting-edge areas of law and technology. Can AI algorithms own their creative efforts? Listen and learn.

Guidance for GDPR Right to be Forgotten

Cindy Ng: We continue our discussion with Tiffany Li, who is an attorney and Resident Fellow at Yale Law School's Information Society Project. In part two, we discuss non-human creators of intellectual property and how it could potentially impact the right to be forgotten, as well as the benefits of multi-disciplinary training where developers take a law class and lawyers take a tech class.

Andy Green: So do you think the regulators will have some more guidance specifically for the GDPR right to be forgotten?

Tiffany Li: The European regulators typically have been fairly good about providing external guidance outside of regulations and outside of decisions. Guidance documents that are non-binding have been very helpful in understanding different aspects of regulation. And I think that we will have more research done. What I would love to really see, though, is more interdisciplinary research. So one problem I think that we have in law generally, in technology law, is the sort of habit of operating in a law-and-policy-only silo. So we have the lawyers, we have the policymakers, we have the lobbyists, everyone there in a room talking about, for example, how we should protect privacy. And that's wonderful, and I've been in that room many times. But what's missing often is someone who actually knows what that means on the technical end. For example, all the issues that I just brought up are not in that room with the lawyers and policymakers really, unless you bring in someone with a tech background, someone who works on these issues and actually knows what's going on. So this is something that's not just an issue with the right to be forgotten or just with EU privacy law, but really any technology law or policy issue. I think that we definitely need to bridge that gap between technologists and policymakers.

AI and Intellectual Property

Cindy Ng: Speaking of interdisciplinary, you recently wrote a really interesting paper on AI and intellectual property, and you describe the future dilemmas of what might arise in IP law specifically involving works by non-human creators. And I was wondering if you can introduce to our listeners the significance of your inquiry.

Tiffany Li: So this is a draft paper that I've been writing about AI and intellectual property. Specifically, I'm looking at the copyrightability of works that are created by non-human authors, which could include AI, but could also include animals, for example, or other non-human actors. Getting back to that same difference I mentioned earlier, where we have one from an AI that is simply machine learning and super advanced statistics, and we have one from an AI that may be something close to a new type of intelligence. So my paper looks at this from two angles. First, we look at what current scholarship says about who should own creative works that are created by AI or non-humans. And here we have an interesting issue. For example, if you devise an AI system to compose music, which we've seen in a few different cases, the question then is who should own the copyright or the IP rights generally over the music that's created? One option is giving it to the designer of the AI system on the theory that they created a system which is the main impetus for the work being generated in the first place. Another theory is that the person actually running the system, the person who literally flipped the switch and hit run, should own the rights because they provided the creative spark behind the art or the creative work. So other theories prevail or exist right now. Some people say that there should be no rights to any of the work because it doesn't make sense to provide rights to those who are not the actual creators of the work. Others say that we should try to figure out a system for giving the AI the work. And this of course is problematic because AI can't own anything. And even if it could, even if we get to the world where AI is a sentient being, we don't really know what they want. We can't pay them. We don't know how they would prefer to be incentivized for their creation, and so on. So a lot of these different theories don't perfectly match up with reality. But I think the prevailing ideas right now are either to create a contractual basis for figuring this out. For example, when you design your system, you sign a contract with whoever you sell it to, that lays out all the rights neatly in the contract so you bypass a legal issue entir

S1 Ep 153 Reflecting on Breaches, Scams and Fake Everything
In the last week of the year, the Inside Out Security panelists reflected on the year’s biggest breaches, scams and fake everything. And is computer security warfare? Well, it depends on who you ask. A 7th grader trying to change her grades isn’t an enemy combatant. But keep in mind, as another panelist argues, “There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible.”
Panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Kris Keyser

S1 Ep 101 Privacy Attorney Tiffany Li and AI Memory, Part I
Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties of getting AI to forget. In this first part, we talk about the GDPR's "right to be forgotten" rule and the gap between technology and the law.

Consumer Versus Business Interests

Cindy Ng: Tiffany Li is an attorney and resident fellow at the Yale Law School Information Society Project. She is also an expert on privacy, intellectual property, law and policy. In our interview we discuss the legal background in GDPR's right to be forgotten, the hype and promise of artificial intelligence, as well as her paper, "Humans forget, machines remember." The right to be forgotten, it's a core principle in the GDPR, where a consumer can request to have their personal data be removed from the internet. And I was wondering if you can speak to the tension between an individual's right to privacy and a company's business interest.

Tiffany Li: So the tension between the consumer right to privacy and a company's business interest really happens in many different spaces. Specifically, here we wrote about the right to be forgotten, which is the concept that an individual should be able to request that data or information about them be deleted from a website or a search engine, for example. Now, there's an obvious tension there between a consumer's rights or desire to have their privacy unstated and the business or the company's business interest in having information out there and also in decreasing the cost for compliance. Before the right to be forgotten in particular, there is that interesting question about whether or not we should be protecting the personal privacy rights of whoever's requesting that their information be deleted, or should we protect this concept that the company should be able to control the information that they provide on their service, as well as a larger conceptual ideal of having free speech and free expression and knowledge out there on the internet. So one argument outside of this consumer-versus-business tension, one argument really is simply that the right to be forgotten goes against the values of speech and expression, because by requesting that your information or information about you be taken down, you are in some ways silencing someone else's speech.

AI and the Right to Be Forgotten

Andy Green: Right. So, Tiffany, I wanted to follow up a little bit. I was wondering if you can give some of the legal background behind the GDPR's right to be forgotten, specifically referring to the Spain versus Google case that you mentioned in your paper on AI and the right to be forgotten.

Tiffany Li: The main case where we discuss the right to be forgotten is the Spanish case that started in 2010. In that year, a Spanish citizen, along with the Spanish DPA, the Data Protection Agency, sued both the Spanish newspaper as well as Google, the American internet company that is now part of Alphabet. So the Spanish citizen argued that Google infringed on his right to privacy because the Google search results included information related to things that he didn't want to be in the public realm any longer. That's the basic legal framework. Eventually, this case went up to the ECJ, which in 2014 ruled in favor of the Spanish citizen and against Google. Essentially, what they ruled was that the right to be forgotten was something that could be enforced against search engine operators. Now, this wasn't a blanket rule, indicating a few searching conditions. A few conditions have to be met in order for search engine operators to be forced to comply with the right to be forgotten, and there are various exceptions that apply as well. And I think what's interesting really is that even then people were already discussing this tension that we mentioned before. Both the tension between consumer rights and business interests but also the tension between privacy in general and expression and transparency. So it goes all the way back to 2010, and we're still dealing with the ramifications of that decision now.

Andy Green: Right. So one thing about that decision that maybe a lot of people don't understand is that the Spanish newspaper that originally ran this story still has that content. The court decided, and correct me if I'm wrong, that that had to be still available. It's just that Google's search page results could not show it.

Tiffany Li: Yes. I think that there have been instances in a few other cases that have had similar fact patterns, and there has been discussion of, you know, whether we can actually force newspapers to delete their archives. I know one person mentioned this, and really, what to me is kind of frightening framing that the right to be forgotten, taken to an ultimate endpoint... what essentially mean b

S1 Ep 152 When IT, Data and Security Collide
The CIO is responsible for using IT to make the business more efficient. Meanwhile, the CISO is responsible for developing and executing a security program aimed at protecting enterprise systems and data from both internal and external threats. At the end of the day, the CISO makes security recommendations to the CIO, who has the final say. Perhaps it’s time the CISO got a seat at the table. Meanwhile, good Samaritans such as Chris Vickery and Troy Hunt help companies find leaked data in the hope that the company seals the leak before cybercriminals find it.
Other articles discussed:
• Donald Knuth, the Yoda of Computer Programming
• ISP blocks internet: on purpose or because it was law?
• Email’s evolution
• Earn a CPE with a live Varonis Cyber Attack Workshop
Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Matt Radolec

S1 Ep 151 #2018inFiveWords [Regarding Our Security Landscape]
We need to do better. Exhausting. Dramatic. That’s how the Inside Out Security panelists described our 2018 security landscape. We see the drama unfold weekly on our show, and this week was no different. As facial recognition software becomes more prevalent, we’re seeing it used in security to protect even the biggest stars, like Taylor Swift. Her security team set up a kiosk replaying rehearsal highlights; meanwhile, onlookers who stopped were cross-checked against a database of her known stalkers. What a stealthy way to protect one of our favorite singers in the world! And here’s a story that’s less wholesome. A few years ago, we thought it was a major threat when ransomware gained prominence. Cybercriminals have now upped the ante, threatening victims with a note claiming bombs had been planted in their building unless a bitcoin ransom was paid. Kris is right, we do need to do better. Kilian is right, it’s all exhausting.
Tool of the Week: BloodHoundAD
Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Kris Keyser
Other articles discussed:
• How data transformed the NBA
• Android malware tricks use PayPal to steal funds

S1 Ep 150 A Spotlight on Technology's Dilemma
There’s a yin and yang to technology. For instance, we trade our data for convenience and ease. Unfortunately Facebook is getting most of the blame, when many companies collect a great many data points by default. Meanwhile, as quickly as diligent security pros are eager to adopt and advance security solutions with biometrics, cybercriminals are equally determined to thwart these efforts.
Other articles discussed:
• Google’s plan to mitigate bias in their algorithm
• Australia approves bill, requiring tech companies to provide data upon request

S1 Ep 149 Security and Privacy are Joined at the Hip
We’ve completed almost 100 podcast panels, and sometimes it feels like we’re talking in circles. Over the years, the security and privacy landscape has gotten more complex, making baseline knowledge amongst industry pros ever more important. Old concepts are often refreshed into current foundational security concepts. Technological advancements as well as decline also bring forth new challenges. When there’s a decline, we need to reserve the right to change our strategy. For years, users were blamed and labeled as the enemy, but our infrastructure wasn’t built with security in mind. So, perhaps the weakest link in cybersecurity isn't human, but the infrastructure. When there are advancements, security and privacy need to be baked in from the very beginning. Concerns are already arising with DNA and fitness testing kits, as well as what constant surveillance is doing to our brains.
Other articles discussed:
• BGP mishap redirects traffic to a state-sponsored site
• Cybersecurity prime minister has never used a computer before

S1 Ep 148 What New Tech Can Learn From Old Tech
Passwords are easy to use. Everyone knows how they work. However, many security pros point out the inherent design flaw in passwords as a safe form of authentication. The good news is that we can reflect upon what old technologies can teach new technologies as we’re creating new products and services. One vital concern to keep in mind is terms and conditions, particularly with DNA ownership rights.
Other articles discussed:
• How did Iran find CIA spies? They Googled It
Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Matt Radolec

S1 Ep 145 Troy Hunt: The Modern State of Insecurity (Part Three)
Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn: Real world examples of both current and emerging threats How threats are evolving and where to put your focus How to stem the flow of data breaches and protect against malicious activity and much more! Transcript Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity. Troy Hunt: So, let's move on and talk a little bit detection because this is another interesting thing where we're seeing adversaries within environments, or data breaches having occurred, and then long periods of time passing before anyone realizes what's going wrong. And I think probably one of the most canonical examples of long lead time for detection is Sony Pictures. So, if everyone remembers Sony Pictures, so this was back in about 2014. Folks came into the office one day, sat down at their PC and got, this is what appeared on the screen. Hacked by GOP, Guardians of Peace. Evidently not so peaceful. And then you can see a whole bunch of hyperlinks down at the bottom as well. And this was Sony's data. And the data that was leaked was massively extensive. So, the attackers claimed that they'd been in the network for a year and taken about 100 terabytes of data. I've not seen anything to verify it was quite that long or quite that much, but what we do know is that there was a huge amount of data taken. So, things like unreleased films, sensitive internal emails, some of those emails caused a huge amount of embarrassment because they were disparaging towards Obama, which wasn't a great move. Also, things like employee data with social security numbers and they're kind of important in the U.S. 
And one of the things that I find really fascinating about those three different classes of data, the unreleased films, sensitive internal emails, and employee data is that it's not like these are just all sitting on a shared folder somewhere. They're not there in one location. These are the sorts of assets, particularly in a large organization, like Sony Pictures, which would have been distributed into very, very different corners of the organization. So, it's from all over the place. And someone's had enough time to go and retrieve very large amounts of data from different locations within the network, exfiltrate them, and then eventually upload them to those locations. So, this was really devastating. And it's really interesting now to look at just how much stuff is exposed in organizations which causes things like this. So, I'll give you a bit of an example here. Varonis produced a report earlier this year, ''The 2018 Global Data Risk Report''. And they found that 21% of all folders in an organization are open to everyone. So, if you're in a corporate environment, just have a look around you, like have a look at just how much stuff is open. I spent a lot of years in a corporate environment. And I would see this all the time, folders that were open to everyone. And why do people do it? Well, because it's easy. They're taking the shortcuts. Fifty-eight percent of those have over 100,000 folders open to everyone. A hundred thousand folders that are open to everyone. Now, obviously, these are large organizations. And of course the larger organization, the harder it is to manage this sort of stuff as well. But that is just a staggeringly high number. So, I remember back in my corporate role, some of you know where that was, I would find these open folders. And I'd go to my leadership and I'll say, ''Look, we've got a lot of open folders. Like we've got to stop doing this. This is going to work out badly.'' And the fix was always to secure the folder. 
And what this ultimately was, it was always just treating the symptom. It's like, ''Hey, we found something. It's been open, let's close it.'' And I would drive and drive and drive to say, ''Look, there is an underlying root cause which is causing these folders to be opened in the first place.'' And then what it boiled down to was a whole bunch of people having the ability to open them in the first place that shouldn't have. A whole bunch of people had server admin rights to places they shouldn't have. And those are harder problems to solve. But if your only means of detection is some bloke having a browse around the network in spare time and finding too much stuff open, well, then that's probably not a good place to be in. So, we're saying way too much stuff, way too open, for way too long. So, time and time again in running ''Have I Been Pwned'', I find that I'm the vector by which organizations learn of a data breach. And this shouldn't be the way. Very often, this is very large amounts of data as well. This can be many tens of gigabytes worth of data
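The open-folder problem Troy describes is something you can measure rather than stumble on while browsing the network. What follows is an added example, not code from the keynote or from Varonis: it walks a directory tree, reports every folder that grants access to everyone, and gives the share of folders that are open, so the "treat the symptom" loop has a number attached to it. Troy's figures come from Windows shares; this generalises the check to POSIX mode bits, where "open to everyone" means the 'other' class holds read, traverse or write permission. The four-folder tree built in demo() is constructed for the illustration.

```python
"""Audit a directory tree for folders that are open to everyone.

Added example, not code from the keynote or from Varonis. Troy's numbers are
about Windows shares; this generalises "open to everyone" to the POSIX
'other' permission class. The sample tree built in demo() is constructed.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class OpenFolder:
    path: str
    mode: str       # symbolic mode string, e.g. "drwxrwxrwx"
    writable: bool  # True when anyone can create or delete entries


def classify(mode_bits: int) -> tuple[bool, bool]:
    """Return (other_readable, other_writable) for a directory mode.

    On a directory, 'r' lets anyone list it and 'x' lets anyone traverse
    into it, so either counts as read exposure; 'w' is the worse case.
    """
    readable = bool(mode_bits & (stat.S_IROTH | stat.S_IXOTH))
    writable = bool(mode_bits & stat.S_IWOTH)
    return readable, writable


def audit_tree(root: str) -> tuple[list[OpenFolder], int]:
    """Walk root and return (folders open to everyone, folders examined)."""
    findings: list[OpenFolder] = []
    total = 0
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            total += 1
            try:
                st = os.lstat(full)       # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISDIR(st.st_mode):
                continue                  # symlink to a directory: skip it
            readable, writable = classify(st.st_mode)
            if readable or writable:
                findings.append(OpenFolder(full, stat.filemode(st.st_mode), writable))
    return findings, total


def build_sample_tree(base: str) -> None:
    """Constructed sample: four folders, one of them open to everyone."""
    for rel, mode in (("finance", 0o700), ("hr", 0o750),
                      (os.path.join("hr", "payroll"), 0o750),
                      ("public-share", 0o777)):
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)   # makedirs honours umask; set the mode explicitly


def demo() -> dict:
    """Build the sample tree in a temp dir and summarise the audit."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings, total = audit_tree(base)

        def rel(f: OpenFolder) -> str:
            return os.path.relpath(f.path, base)

        return {
            "total": total,
            "open": sorted(rel(f) for f in findings),
            "writable": sorted(rel(f) for f in findings if f.writable),
            "percent_open": round(100 * len(findings) / total, 1) if total else 0.0,
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real share root instead of the temp tree and the "percent_open" figure is the one to put in front of leadership; the "writable" list is the one to close first, since a world-writable folder is where ransomware and staged exfiltration land. The audit only finds the symptom Troy describes; the root cause (who was able to set the folder open in the first place) still needs an admin-rights review.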

S1 Ep 22 Data Privacy Attorney Sheila FitzPatrick on GDPR
We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards. During this first part of the interview with her, we focused on the new General Data Protection Regulation (GDPR), which she says is the biggest overhaul in EU security and privacy rules in twenty years. One important point FitzPatrick makes is that the GDPR is not only more restrictive than the existing Data Protection Directive (breach notification, impact assessment rules) but also has far broader coverage. Cloud computing companies, no matter where they are located, will be under the GDPR if they are asked to process personal data of EU citizens by their corporate customers. The same goes for companies (or controllers in GDPR-speak) outside the EU who directly collect personal data: think of any US-based e-commerce or social networking company on the web. Keep all this in mind as you listen to our in-depth discussion with this data privacy and security law professional.
Transcript
Cindy Ng: Sheila FitzPatrick has over 20 years of experience running her own firm as a data protection attorney. She also serves as outside counsel for NetApp as their chief privacy officer, where she provides expertise in global data protection compliance, cyber security regulations, and legal issues associated with cloud computing and big data. In this series, Sheila will be sharing her expertise on GDPR, PCI compliance, and the data security landscape.
Andy Green: Yeah, Sheila. I'm very impressed by your bio and the fact that you've actually dealt with some of these DPAs, the EU data protection authorities that we've been writing about. I know there's been, so the GDPR will go into effect in 2018, and I'm just wondering what sort of the biggest change for companies, I guess they're calling them data controllers, in dealing with DPAs under the law. Is there something that comes to mind first?
Sheila FitzPatrick: And thank you for the compliment, by the way. I live and breathe data privacy. This is the stuff I love. GDPR... I mean, is certainly the biggest overhaul in 20 years, when it comes to the implication of new data privacy regulations. Much more restrictive than what we've seen in the past. And most companies are struggling because they thought what was previously in place was strict. There's a couple things that stick out when it comes to GDPR, is when you look at the roles of the data controller versus the data processor, in the past many of the data processors, especially when you talk about third party outsourcing companies and any particular cloud providers, have pushed sole liability for data compliance down to their customers. Basically, saying you decide what you're going to put in our environment, you have responsibility for the privacy and security aspects. We basically accept minimal responsibility. Usually, it's around physical security. The GDPR now is going to put very comprehensive and very well-defined regulations and obligations in place for data processors as well. Saying that they can no longer flow responsibility for privacy compliance down to their customers. And if they're going to be... even if they... often times, cloud providers will say, "We will comply with the laws in countries where we have our processing centers." And that's not sufficient under the new laws. Because if they have a data processing center, say, in the UK, but they're processing the data of a German citizen or a Canadian citizen or someone from Asia Pacific, Australia, New Zealand, they're now going to have to comply with the laws in those countries as well. They can't just push it down to their customers.
The other part of GDPR that is quite different, and it's one of the first times it's really going to be put into place, is that it doesn't just apply to companies that have operations within the EU. It is basically any company, regardless of where they're located and regardless of whether or not they have a presence in the EU, if they have access to the personal data of any EU citizen they will have to comply with the regulations under the GDPR. And that's a significant change. And then the third one being the sanction. And the sanction can be 20,000,000 euro or 4% of your global annual revenue, whichever is higher. That's a substantial change as well.
Andy Green: Right. So that's some big, big changes. So you're referring to, I think, what they call 'territorial scope'? They don't have to necessarily have an office or an establishment in the EU as long as they are collecting data? I mean we're really referring to social media and to the web commerce, or e-commerce.
Sheila FitzPatrick: Absolutely, but it's going to apply to any company. So even if for instance

S1 Ep 147 Disguises, Online and Offline
Learning about the CIA’s tips and tricks on disguising one’s identity reminded us that humans are creatures of habit and, over a period of time, can illuminate predictable behavioral patterns, which are presented as biometric data. As a result, businesses can leverage and integrate these data points with their operations and sales process. For instance, businesses are buying data about one’s health and also creating patents to measure a user’s pulse and temperature. Others are learning about the psychology of a user and making it difficult for a user to cancel a service.
Other articles discussed:
A trolley problem’s ethical dilemma
Humans, not algorithms, hired to curate Apple News
Panelists: Cindy Ng, Kris Keyser, Mike Buckbee, Sean Campbell

S1 Ep 146 If You Can’t Build In Security, Build In Accountability
Vulnerability after vulnerability, we’ve seen that there’s no perfect model for security. Hence the catchphrase, “If you can’t build in security, then build in accountability.” But history has also shown that even if there was enough political will and funding, consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply. Will that theory hold when it comes to self-driving cars? At the very least, safety should be a foundational tenet. What’s the likelihood that anyone would enter a self-driving car knowing that a number of things could go wrong?
Other articles discussed:
Students pay with their data for free coffee
Financial institutions that sell your data
Panelists: Cindy Ng, Kris Keyser, Kilian Englert

S1 Ep 144 Troy Hunt: The Modern State of Insecurity (Part Two)
Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn:
Real-world examples of both current and emerging threats
How threats are evolving and where to put your focus
How to stem the flow of data breaches and protect against malicious activity
and much more!
Transcript
Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.
Troy Hunt: Then moving on, another one I think is really fascinating today is to look at the supply chain, the modern supply chain. And what we're really talking about here is what are the different bits and pieces that go into modern-day applications? And what risks do those bits and pieces then introduce into the ecosystem? There's some interesting stats, which help set the scene for why we have a problem today. And the first that I want to start with, the average size of a webpage, just over 700 kilobytes in 2010. But over time, websites have started to get a lot bigger. You fast forward a couple of years later and they're literally 50% larger, growing very, very fast. Go through another couple of years, now we're up to approaching 2 megabytes. Get through to 2016 and we're at 2.3 megabytes. Every webpage is 2.3 megabytes. And when you have a bit of a browse around the web, maybe just open up the Chrome DevTools and have a look at the number of requests that come through. Go through on the application part of the DevTools, have a look at the images. And have a look at how big they are. And how much JavaScript, and how many other requests there are. And you realize not just how large pages are, but how the composition is made up from things from many, many different locations.
So, we've had this period of six years where we've tripled the average size of a webpage. And of course, ironically, during that period we've become far more dependent on mobile devices as well. Which very frequently have less bandwidth or more expensive bandwidth, particularly if you're in Australia. So, we've sort of had this period where things have grown massively in an era where we really would have hoped that maybe they'd actually be a little bit more efficient. The reason I stopped at 2016 is because the 2.3-megabyte number is significant. And the reason it's significant is because that's the size of Doom. So, remember Doom, like the original Doom, like the 1993 Doom, where if you're a similar age to me or thereabouts, you probably blew a bunch of your childhood. When you should've been doing homework, just going through fragging stuff with the BFG. So, Doom was 2.3 megabytes. That's the original size of it. And just as a reminder of the glory of Doom, remember what it was like. You just wander around these very shoddy looking graphics, but it was a first-person shoot-em-up. There were monsters, and aliens, and levels, and all sorts of things. Sounds. All of that went into two floppy disks and that's your 2.3 megabytes. So, it's amazing to think today when you go to a website, you're looking at the entire size of Doom, bundled into that one page, loaded on the browser. Now, that then leads us into where that all goes. So, let's consider a modern website. The U.S. Courts website. And I actually think it's a pretty cool-looking government website. Most government websites don’t look this cool. But, of course, to make a website look cool, there's a bunch of stuff that's got to go into it. So, if we break this down by content type, predictably images are large. You've got 1.1 megabytes worth of images, so almost half the content there is just images. The one that I found particularly fascinating though when I started breaking this apart is the script.
Because you've got about 3/4 of a megabyte worth of JavaScript. Now keep in mind as well, JavaScript can be very well optimized. I mean, we should be minimizing it. It should be quite efficient. So, where does 726 kilobytes worth of script go? Well, one of the things we're seeing with modern websites is that they're being comprised of multiple different external services. And in the case of the U.S. Courts website, one of those web services is BrowseAloud. And BrowseAloud is interesting. So, this is an accessibility service made by a company called Texthelp. And the value proposition of BrowseAloud is that if you're running a website, and accessibility is important to you... and just to be clear about what we mean by that, if someone is visually impaired, if maybe English is a second language, if they need help reading the page, then accessibility is important. And accessibility is particularly important to governments because they very often have regulatory requirements to ensure that their content is accessible to everyone. So, the value proposition of a service like B
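The excerpt stops mid-sentence, but the risk it is building towards is plain: a script loaded from a vendor's host runs with the page's own privileges, so whatever that host serves next is what every visitor executes, whether the vendor changed it or someone who got into the vendor did. One check the excerpt does not name is Subresource Integrity, which pins each externally hosted script to the digest of the copy you actually reviewed. The following is an added example, not code from the keynote or from Texthelp; the script bodies, the cdn.example.invalid URL and all function names are constructed for the illustration.

```python
"""Pin a third-party script with Subresource Integrity (SRI).

Added example, not code from the keynote or from Texthelp/BrowseAloud.
The script bodies and the cdn.example.invalid URL are constructed.
"""
import base64
import hashlib
import re

# Algorithms SRI permits, weakest to strongest; a browser keeps only the
# strongest family present in an integrity attribute and ignores the rest.
ALGOS = ("sha256", "sha384", "sha512")
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity token for body, e.g. 'sha384-<base64 digest>'."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """<script> tag pinned to the exact body you reviewed. crossorigin is
    required: without CORS the browser cannot read a cross-origin body,
    and an integrity check on an unreadable body fails."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            'crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """Mirror the browser's check: parse the space-separated tokens, keep
    only the strongest algorithm present, and accept the body if it matches
    any of them (several tokens let you rotate a script without breaking
    the page during the change-over).

    One deliberate difference: a browser that finds NO parseable token
    ignores the attribute and loads the script anyway, so a typo silently
    disables the protection. Here that case is rejected.
    """
    parsed = [(m.group(1), m.group(2)) for m in
              (_TOKEN.match(t) for t in integrity.split()) if m]
    if not parsed:
        return False
    strongest = max((algo for algo, _ in parsed), key=ALGOS.index)
    accepted = {digest for algo, digest in parsed if algo == strongest}
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in accepted


# Constructed sample: the body you reviewed, and a copy with one line
# appended, which is all a compromised host needs to serve.
VENDOR_SCRIPT = b"(function(){document.body.dataset.vendor='loaded';})();\n"
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"/* injected */ console.log('unexpected');\n"


def demo() -> dict:
    """Pin the reviewed body, then exercise the cases a practitioner hits."""
    tag = script_tag("https://cdn.example.invalid/vendor.js", VENDOR_SCRIPT)
    integrity = re.search(r'integrity="([^"]+)"', tag).group(1)
    return {
        "tag": tag,
        "original_ok": verify(VENDOR_SCRIPT, integrity),
        "tampered_ok": verify(TAMPERED_SCRIPT, integrity),
        # Rotation: old and new digests both listed, same algorithm.
        "rotation_ok": verify(TAMPERED_SCRIPT,
                              f"{integrity} {sri_hash(TAMPERED_SCRIPT)}"),
        # A matching sha256 token does not rescue a body whose sha512 token
        # (the strongest present) was computed over something else.
        "weaker_token_rescues": verify(
            VENDOR_SCRIPT,
            f"{sri_hash(VENDOR_SCRIPT, 'sha256')} "
            f"{sri_hash(TAMPERED_SCRIPT, 'sha512')}"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Compute the token from the copy you reviewed and checked into your own repository, not from whatever the vendor host returns at build time; a build that fetches the script and hashes it unseen pins the attacker's version as faithfully as the vendor's. When the vendor ships a legitimate update the page stops loading the script until someone re-pins it, which is the intended trade: a review step instead of silent auto-update. Scripts that fetch further scripts at run time are outside what SRI can cover, so an accessibility or analytics widget that loads its own modules still needs a Content Security Policy behind it.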

S1 Ep 143 Troy Hunt: The Modern State of Insecurity (Part One)
Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn:
Real-world examples of both current and emerging threats
How threats are evolving and where to put your focus
How to stem the flow of data breaches and protect against malicious activity
and much more!
Transcript
Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.
Troy Hunt: Where I'd like to start this talk is just to think briefly about some of these, sort of, conventional threats that we've had, and in particular some of the ways in which some of the just absolute fundamentals of InfoSec we're still struggling with today just as we were yesterday. And I wanted to kind of set a bar, and this will be... as you will see in a moment, it's kind of like a very, very low bar. And then we'll have a look at some of the newer things. I was looking around for examples and I actually... it's always nice to talk about something in your own country where you've come from, so I wanted to try and find an example that showed where that bar was. And very fortuitously, not so much for them, we had a little bit of an incident with CommBank. CommBank are pretty much the largest bank in the country, certainly one of our big four banks. As part of our royal commission into banking at the moment, where all the banks are coming under scrutiny, there was a little bit of digging done on the CommBank side and they discovered that there had actually been an incident which they needed to disclose. One of the reasons it's fascinating is because banks are, sort of, the bastions of high levels of security.
So we have this term, we literally have a term, bank-grade security, which of course people imply means very, very good security, not always that way but that's the expectation. So CommBank had to disclose a bit of an incident where they said, "Look, we're decommissioning a data center, moving from one data center to another and as part of the decommissioning processes, what we needed to do was take all the tapes with the customer data on them and send them for destruction. And what they've done is they've loaded all of the tapes up onto a truck, I've got some file footage, here's the Commonwealth Bank truck. So all of the tapes are on the truck, the truck's driving along, they're taking all the data from this one data center and they're going to go and securely destroy it. Now, there's about 12 million customer records on the back of the truck, and it's driving along and it turns out they may have put just a few too many datas on the truck and some of it fell off. And this was the disclosure, like, there was some data that was lost, it might have fallen off the back of the truck. And there was literally a statement made by the auditors, I think it was KPMG that audited them, they said, "Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along the route but were unable to find any trace of them." And I just find it fascinating that in this era of high levels of security in so many ways and so much sophistication, we're still also at the point where data is literally falling off the back of a truck. Not metaphorically, but literally falling off the back of a truck. Possibly, they couldn't find it again so maybe it didn't fall off, but they were the headlines we were faced with a few months ago.
So it's interesting to sort of keep that in mind and you'll see other, sort of, analogous things to data falling off the back of a truck, perhaps in a more metaphorical sense, every single day online. I mean the canonical one at the moment is data exposed in open S3 buckets. Going back to late 2016, early last year it was constantly data in exposed MongoDBs with no passwords on it. So we're leaving data lying all over the place, either digitally or potentially even physically in the case of CommBank. Now, moving back towards some more sort of traditional InfoSec threats as well, one of the interesting things to start thinking about here is the monetization pipeline. So what are the ways in which our data gets monetized? And this is where, I think, the history is quite interesting as well because we often think about things like ransomware as being a very modern-day problem. Particularly, I think, last year was probably a bit of a peak for ransomware news, just seeing consistently everything from hospitals to police departments to you name it was getting done by ransomware. We're seeing this happen all the time and we do think of it as a modern internet-driven problem, but ransomware also goes back a lot further than that as well. And this was the AIDS Trojan. This dates all the way back to 1989

S1 Ep 142 How CISOs Explain Security to the C-Suite
After the latest Microsoft Ignite conference, the enduring dilemma of how CISOs explain security matters to the C-Suite bubbled to the surface again. How technical do you get? Also, when the latest and greatest demos are given at one of the world’s premier technology shows, it can be easy to get overwhelmed with fancy new tools. What’s more important is to remember the basics: patching, least privilege, incident response, etc.
Other articles discussed:
Engineer fined for not disclosing a vulnerability responsibly
Young Mirai botnet authors avoid jail time
Is public shaming bad security a good idea?
Tool of the week: cspparse - A tool to evaluate Content Security Policies
Panelists: Cindy Ng, Kilian Englert, Matt Radolec, Mike Buckbee

S1 Ep 140 Computational Biologist and Founder of Protocols.io, Lenny Teytelman (Part two)
Reminder: it's not "your data".
It's the patients' data
It's the taxpayers' data
It's the funder's data
-----------------
If you're in industry or self-fund the research & don't publish, then you have the right not to share your data. Otherwise, it's not your data.
— Lenny Teytelman (@lteytelman) July 16, 2018
We continue our conversation with Protocols.io founder Lenny Teytelman. In part two of our conversation, we learn more about his company and the use cases that made his company possible. We also learn about the pros and cons of mindless data collection, when data isn’t leading you in the right direction, and his experience as a scientist amassing an enormous amount of data.
Transcript
Lenny Teytelman: I am Lenny Teytelman, and I am a geneticist and computational biologist by training. I did graduate school in Berkeley and then postdoctoral research out at MIT. And since 2012, I have been the co-founder and CEO of Protocols.io, which is a GitHub, Wikipedia-like central repository of research recipes. So for science methods detailing what exactly scientists have done.
Cindy Ng: Welcome, Lenny. Why don't you tell us a little bit more about what you do at Protocols and some of the goals and use cases?
Lenny Teytelman: So I had no entrepreneurial ambitions whatsoever. Actually, I was in a straight academic path as a yeast geneticist driven just by curiosity in the projects that I was participating in. And my experience out at MIT as a postdoc was that literally the first year and a half of my project went into fixing just one step of the research recipe, of the protocol that I was using. Instead of a microliter of a chemical, it needed five. Instead of an incubation for 15 minutes, it needed an hour, and the insane part is that at the end of the day, that's not a new technique. I can't publish an article on it because it's just a correction of something that's previously published and there is no good infrastructure. There's no GitHub of science methods.
There's no good infrastructure for updating and sharing such corrections and optimizations. So the end result of that year and a half was that I get no credit for this because I can't publish it, and everybody else who was using the same recipe is either getting completely misleading results or has to spend a year or two rediscovering what I know, what I would love to share, but can't. It led to this obsession with creating a central open access place that makes it easy for the scientist to detail precisely what the research steps were, what are the recipes, and then after they've published, giving them the space to keep this current by sharing the corrections and optimizations and making that knowledge discoverable.
Cindy Ng: There's a hole in the process and you're connecting what you can potentially do now with what you did previously and not lose all the work. That's brilliant.
Lenny Teytelman: I shouldn't take too much credit for it because a lot of people have had this same idea over the last 20 years and there have been several attempts to create a central place. One of the hard things is that this isn't just about technology and building a website and creating a good UI, UX for people to share. One of the hard things is that it's a culture change, right? So if we are used to publishing, as scientists, brief methods that have things like "contact author for details", or "we roughly follow the same procedure as reported in another paper" and then good luck figuring out what that roughly means, what are the slight modifications, but then one of the hard things is the culture change and getting scientists to adopt platforms like this.
Cindy Ng: So it sounds like the scientists prior who wanted to create something like Protocols, they were ahead of their time.
Lenny Teytelman: I think yes. I know of a number of efforts to create exactly what we've done. Some of the people from those have actually been huge supporters and advisors, partners helping us avoid the mistakes and helping us succeed. So, it's a long quest, a long journey towards this, but a lot of them I give them credit for the same idea and it's exactly what you said, being ahead of your time.
Cindy Ng: Because you're a scientist and have a lot of expertise collecting an enormous amount of data, a lot of companies nowadays, because data's the new oil, they think that, "Oh, we should just collect everything. Well, we might be able to solve a new business problem or we might be able to use it much later on." Then actually research has been done about that, that that's not a good idea because then you end up solving really silly problems. What is your approach?
Lenny Teytelman: There are sort of two different camps. One argues that you should be very targeted with the data that you collect. You should have a hypothesis, you should have a research question that's guiding you towards an experiment and towards the data that you're collecting. And another one is, let's be more descriptive. Let's just get data and

S1 Ep 141 The False Binary of Cyber
We’re in an impermanent phase with technology where circumstances and cyberattacks are not always black or white. Here’s what we’re contending with: would you prefer a medical diagnosis from a human or a machine? In another scenario, would a cyberattack on a state’s power grid be an act of war? Officially, it’s not considered so, yet. Or, perhaps a scenario less extreme, where you buy a video and then 5 years later it disappears from your library because the company you bought your video from loses the distribution rights. Data ownership is an important part of data security and privacy, but there are no hard and fast rules.
Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee

S1 Ep 139 Geneticist and Founder of Protocols.io, Lenny Teytelman (Part one)
Reminder: it's not "your data".
It's the patients' data
It's the taxpayers' data
It's the funder's data
-----------------
If you're in industry or self-fund the research & don't publish, then you have the right not to share your data. Otherwise, it's not your data.
— Lenny Teytelman (@lteytelman) July 16, 2018
A few months ago, I came across Protocols.io founder Lenny Teytelman’s tweet on data ownership. Since we’re in the business of protecting data, I was curious what inspired Lenny to tweet out his value statement and also wanted to learn how academics and science-based businesses approach data analysis and data ownership. We’re in for a real treat because it’s rare that we get to hear what scientists think about data when in search of discoveries and innovations.
Transcript
Lenny Teytelman: I am Lenny Teytelman and I'm a geneticist and computational biologist by training. I did graduate school in Berkeley and then post-doctoral research out at MIT. And since 2012, I have been the co-founder and CEO of Protocols.io, which is a GitHub, Wikipedia-like central repository of research recipes, so for science methods detailing what exactly scientists have found.
Cindy Ng: Welcome, Lenny. We first connected on Twitter through a tweet of yours, and I'm going to read it, it says, "Reminder: it's not 'your data.' It's the patients' data, it's the taxpayers' data. It's the funders' data. And if you're in industry or self-funded the research and don't publish, then you have the right not to share your data. Otherwise, it's not your data." So can you tell us a little bit more about your point of view, your ideas about data ownership, and what inspired you to tweet out your value statement?
Lenny Teytelman: Thank you, Cindy. So this is something that comes up periodically, more so particularly in the past 5, 10 years in the research community, as different funders and publishers starting more and more intentions of reproducibility challenges and published research, and including guidelines and policies that encourage or require the sharing of data as a prerequisite for publication or as a condition of getting funding. So we're seeing more and more of that, and I think the vast majority of the research community, of the scientists, are in favor of those, understand that it's important, understand that it's one of the pillars of science to be able to reproduce and verify and validate other people's results and not just to take them at their word. We all make mistakes, right? But there is a minority that is upset about these kinds of requirements and I, periodically, either in person or someone on Twitter will say, "Hey, I've spent so long sailing the oceans and collecting the data. I don't want to just give it away. I want to spend the next 5, 10 years publishing and then it's my data." And so that's the part that I'm reacting to. There are some scientists that forget who's funding them and who actually has the rights to the data.
Cindy Ng: Why do they feel like it's their data rather than the patients' data or the taxpayers' data or the funder's data?
Lenny Teytelman: So it's understandable because, particularly when the data generation takes a long time, so imagine you go on expeditions two, three months away from family, sampling bacteria in oceans or digging in the desert, and it can take a really long time to get the samples, to get the data, and you start to feel ownership, and it's also the career, your career, the more publications you get on a given dataset, the stronger your resume, the higher the chances of getting fellowships, faculty positions, and so on. People become a little bit possessive and take ownership of the data, if you, like, put so much into it, "It's mine."
Cindy Ng: Prior to digitalizing our data, who owned the data?
Lenny Teytelman: Well, I guess, universities can also lay some claim to the intellectual property rights. I'm not an attorney so it's tricky. But I think there was always the understanding in the science world that you should be able to provide the tables, the datasets that you're publishing on request. But then we got paper journals, there really just wasn't space to make all of that available. And we're now in a different environment where we have repositories, there's GitHub focal, there are many repositories for the data to be shared. And so, with the web, we're no longer in that "contact author for details" and we're now in a place where journals can say, "If you want to publish in our journal, you have to make the data available." And there are some that have put in very stringent data requirement policies.
Cindy Ng: Who sets those parameters in terms of the kind of data you publish and the stringency behind it? Do a bunch of academics come together, chairman, scientists decide best practices, or do they vary from publication to publication?
Lenny Teytelman: Both. So it depends on the community. There are some communities, for e

S1 Ep 138 I’m Mike McCabe, Systems Engineering Manager of SLED West at Varonis, and This is How I Work
Systems engineering manager Mike McCabe understands that State, Local and Education (SLED) government agencies want to be responsible stewards of taxpayers’ funds, so it makes sense that they want to use security solutions that have proven themselves effective. For the past six years, he has been raising awareness of how effectively Varonis solutions secure SLED’s sensitive unstructured data. In our podcast interview, he explains why data breaches are taking place, why scripts aren’t the answer, and how we’re able to provide critical information about access to SLED’s sensitive data. We also make time to learn more about what Mike does outside of work, and he has great advice on figuring out what to eat for dinner.

S1 Ep 137 Computer Scientists Aren’t Philosophers
Our community is finally discussing whether computer science researchers should be required to disclose the negative societal consequences of their work to the public. Computer scientists argue that they aren’t social scientists or philosophers, but caring about the world isn’t about roles; it’s the responsibility of being a citizen of the world. At the very least, researchers ought to be effective communicators. We’ve seen them work with law enforcement and on vulnerability announcements. There must be more they can do!
Tool of the week: Wget, Proof of Concept
Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee

S1 Ep 136 Living Vicariously through Blackhat Attendees and Speakers
While some of our colleagues geeked out at Blackhat, some of us vicariously experienced it online by following #BHUSA. The keynote was electric. They’re great ideas, and we’ve seen them implemented in certain spaces. However, the reality is that we have a lot more work to do. There was also a serious talk about burnout, stress, and coping with alcohol as a form of escape. We learned that mental health is a growing concern in the security space. As more organizations rely on technology, security pros are called on at all hours of the day to remediate and prevent disasters.
Other articles and tweets discussed:
Random car notifications
Dangerous algorithms
DNA testing dilemmas
Panelists: Cindy Ng, Kris Keyser, Forrest Temple

S1 Ep 135 I’m Colleen Rafter, Professional Services Education Manager at Varonis, and This is How I Work
Over the past six years, Colleen Rafter has been educating Varonis customers on the latest and greatest data security best practices. Share or NTFS permissions? She has an answer for that. Aware that security pros need to meet the latest GDPR requirements, she has been diligently reading up on those requirements and developing course material for a future class. In our podcast, Colleen advises new Varonis customers on what to do once they have our solutions, which classes to take, and in what order.

S1 Ep 134 Security Poverty Line
This week’s podcast was inspired by chief information security officer Wendy Nather’s article, The Security Poverty Line and Junk Food. It’s 2018 and we’re still struggling to get a proper security budget. Is it a mindset? Is that why, when we hire pen testers to identify vulnerabilities, they’re usually able to gain admin access? On the bright side, a company with a bigger budget, Google, recently declared victory with a USB key that prevented phishing for an entire year.
Other articles discussed:
Dangers of biometric data
ACLU falsely matched 28 members of congress with mugshots
Panelists: Cindy Ng, Kilian Englert, Kris Keyser, Sean Campbell

S1 Ep 133 Data & Ethics Expert Dr. Gemma Galdon-Clavell: On the Breach of Trust (Part Two)
Dr. Gemma Galdon-Clavell is a leading expert on the legal, social, and ethical impact of data and data technologies. As founding partner of Eticas Research & Consulting, she works in this world every day with innovators, businesses, and governments who are considering the ethical and societal ramifications of implementing new technology. We continue our discussion with Gemma. In this segment, she points out the significant contribution Volvo made when it opened its seat belt patent; the aim was to build trust and security with drivers and passengers. Gemma also points out that we should be mindful of the long-term drawbacks of a data breach or a trust issue - unfortunately, you’re going to lose credibility as well.

The Business Urgency to Be First

Gemma Galdon-Clavell: My name is Gemma Galdon Clavell and I work on the legal, social, and ethical impact of data and data technologies. I started a company six years ago now that works precisely on this. And so, we're one of the very few companies that have been helping the public and the private sector in the last six years developing better technologies, but also understanding better how technology have impacted societies. So, taking the point of view of the consumer and the citizen into design of the technology, and avoiding bad data practices as we see all the time, unfortunately.

Cindy Ng: Welcome, Gemma. When companies come to you with a new product or service, they understand that going to market and dominating the entire space is almost everything. There's a huge tension between the organization as well as regulatory pull, making sure that you meet the legal requirements. Companies are trying to bring products to market as fast as possible. That's an industry problem.

Gemma Galdon-Clavell: Well, that tension exists and it will continue to exist. I think that we are currently working with pioneers and we're very aware of that. We don't hope to work with everyone tomorrow. We need to work with the ones that are gonna change the rules and that's what we find fascinating about our work. We don't wanna mass produce ethical impact assessments. We wanna help the world come up with better technological solutions to its problem. So, of course, we experience that tension. We are contacted sometimes by some people that don't really believe in what we do. So, they have been told by somebody else who does see their problem that they should work with us, but then maybe that person was higher up and then the person who contacted us is legal management. And they're very skeptical about our work. I think that in all of our projects in the end, they do realize that there's value in what we bring in. But again, we are working with the ones that wanna shape the future and not do things that we're not interested in. Just, I mean, think about Volvo, for instance, and cars. I usually use the analogy of cars because cars were not conceived with seat belts, for instance, or speed limits. These are things that, as a society, we agreed over time that these were the necessary precautions that we wanted to make the most of cars and vehicles, while at the same time protecting society. And when society start thinking about what the limits your cars be, seat belts were not immediately on the table. And then there was a company, Volvo, that came up with this innovation and thought, "Well, if we offer seat belts in our cars, then we can create more trust and provide more security to our customers." And what they did was they released the patent. They did not just put seat belts in their cars, but they said, "We actually want the industry to adopt this. We want this to be the standard." And they gave it away for free. Today, all cars have seat belts. No one would dream of buying a car without a seat belt and Volvo is still seen as a company that sells security. So, these are the people we wanna work with. We wanna work with people that are willing to be disruptive in their industries, not the people that just wanna do same old, same old.

The Breach of Trust

Cindy Ng: When companies do engage you after they've experienced enormous embarrassment through the media, it's not necessarily a data breach, but there's certainly a breach of trust with the public, has anyone done the research to quantify the cost of that?

Gemma Galdon-Clavell: I think they've tried. I wouldn't be able to tell you whether they were right. We have seen some clients be very clear in saying that they realize how much they've lost. That they have lost a lot of money by not doing things well. And not just money in terms of what I said before, you know, you're coming up with a pilot that doesn't sell is hugely costly. It might not be as visible as a data breach, but if you produce something that in the end no one wants because you didn't take into account people's stress or acceptability, then you're gonna lose a lot of money. And if there’s a da

S1 Ep 132 Gemma Galdon-Clavell: The Legal, Social, and Ethical Impact of Data and Data Technologies (Part One)
I wanted to better understand how to manage our moral and business dilemmas, so I enlisted data & ethics expert Dr. Gemma Galdon-Clavell to speak about her leadership in this space. As founding partner of Eticas Research & Consulting, she works in this world every day with innovators, businesses, and governments who are considering the ethical and societal ramifications of implementing new technology. In the first part of our interview, Gemma explains why we get ethics fatigue. Unfortunately, those who want to improve our world are consistently told that they're not doing enough. She also gives us great tips on creating products that have desirability, social acceptability, ethics, and good data management practices.

On Ethics Fatigue

Gemma Galdon-Clavell: My name is Gemma Galdon Clavell and I work on the legal, social, and ethical impact of data and data technologies. I started a company six years ago now that works precisely on this. And so, we're one of the very few companies that have been helping the public and the private sector in the last six years developing better technologies, but also understanding better how technology have impacted societies. So, taking the point of view of the consumer and the citizen into design of the technology, and avoiding bad data practices as we see all the time, unfortunately.

Cindy Ng: Welcome, Gemma. What caught my eye was a quote you said that if we keep talking about our moral obligations and ethical concerns in technology not offering solutions, people are gonna zone out. We want security and privacy. We want economic prosperity and sustainability. We want safety, but not willing to sacrifice some freedoms. Can you talk a little bit about ethics fatigue and some might also call it moral overload?

Gemma Galdon-Clavell: Working in this field, we've been saying what's wrong for a long, long time. But you don't see that many voices out there that are offering solutions. And it seems like any effort you make is never good enough. And that is really frustrating. That can be really frustrating for someone who has really good intentions and their willingness to improve their practices. So, I think that when you're maybe doing academia or just commenting on things, it's easy to take that position. I think it's really good to have people that say what is going wrong, but it's also important that we have ways of defining what it means to do it well, and spaces, organizations, individual that help you do it better. And hopefully over time, as a society, we will agree on what kind of compromises we want to make or whether we wanna make those compromises. But I think that there has to be some ability to improve and not just always be subject to criticism. When you speak out and you're willing to recognize that you have vulnerabilities, if everyone comes down on you, then you will not be motivated to improve your practices. And I think that's what ethics fatigue will be. So when people are like, "Listen, you had my ear for some time. I was willing to do things better, but if all you have is just more criticism and say that if there's no way to improve this, then people are just gonna shut off." And I think that's the worst outcome we could hope for. So, I'm hoping that through presenting actual practices in ways of doing things better and in doing things well, we can avoid that scenario.

Recovering from Privacy Mishaps

Cindy Ng: I like what you created with Eticas because you've gone beyond the philosophy of ethics and created a framework and methodology that the public and private sector can really get behind. And you recognized that your expertise is sought out after a privacy disaster happens. And by the time they seek out help, they'll probably have collected all the data, analyzed the data. So, the opportunities are already diminished by the time there's an intervention. And you've mentioned in a previous talk that the media already knows the creepy thing you've done and clients want assisting in voicing what they're already doing well, not what they've failed tremendously on. Can you speak some of your experiences when businesses often seek out your counsel after a privacy disaster?

Gemma Galdon-Clavell: Sure. I think we're very lucky that at the very beginning of my work, I was asked by actual people with real problems to see how my knowledge and the things that I have experienced on could help them improve understandings and practices. And so, that forced me to become very practical from day one. And initially when I started working with those actors, I thought, you know, "I'm sure there's gonna be some methodology out there in some book, or people that know a lot more than me that have this before." And what I found was that there was no methodology that was adequate to assess data and privacy risk. There was not enough there that was structured that would fit these things. There was a lot on the impact of techn

S1 Ep 131 Moral Overload
When we create new technologies, we want security and privacy, economic prosperity and sustainability, accountability, yet we insist on confidentiality. The reality is that it is difficult to embed all of these values in one pass. Building a technology also reveals which values we hold in higher regard than others. To cope with moral overload, some have suggested that we start designing security and privacy controls as a gradient, or that certain controls get a toggle on/off switch. We’re also seeing this moral dilemma in AI: is the technology too volatile, or is proper data governance the answer?
Other articles discussed:
Facebook gives scholars a petabyte of anonymized data to research
Firefox Monitor: Users input their email address and the service will run it by the HIBP database
Security firm sued
Panelists: Cindy Ng, Mike Buckbee, Kris Keyser, Mike Thompson

S1 Ep 130 When Your Security Brain Never Runs Out Of Problems To Find
For years, technologists wondered why the law can’t keep pace with technology. Instead of waiting for the government to pass a regulation, should we enlist private companies to regulate? However, in a recent interview with privacy and cybersecurity attorney Camille Stewart, she said that laws are built in the same way a lot of technologies are built: in the form of a framework. That leaves room and flexibility so that technology can continue to evolve. While technologists and attorneys continue that debate, the US Federal Trade Commission is hard at work. They recently announced that “if a company chooses to implement some or all of GDPR across their entire operations, and makes promises to U.S. consumers about their specific practices,” it must live up to those commitments; otherwise, the FTC could initiate an enforcement action “if the company does not comply with” the EU data protection promises it made to U.S. customers.
Other articles discussed:
Why your brain never runs out of problems to find
A bug in Samsung’s default texting app
AZ and CA’s breach notification law
Tech’s ‘Dirty Secret’: The App Developers Sifting Through Your Gmail
Tool of the week: Apfell
Panelists: Cindy Ng, Mike Buckbee, Forrest Temple, Kris Keyser

S1 Ep 129 Winner Takes All
There are many advantages to being first, especially in the business world. A first-place finish usually rewards the winner with monopoly-like status and the largest, most dominant market share. A byproduct of the winner-takes-all mentality, however, is sacrificing security. That’s what Thomas Dullien of Google Project Zero suggested in his latest presentation on the relationship between complexity and the failure of security. He is onto something, because we’re seeing strange incidents occur that we would never have imagined. A Melbourne man got shot because his image in Google’s database was associated with criminals. A contractor’s access passes were revoked because his direct manager didn’t perform his entitlement reviews. What’s going on?
Other articles discussed:
Verizon to stop sharing customer location with 3rd parties
Amazon urged not to sell facial recognition technology to police
Panelists: Cindy Ng, Matt Radolec, Kilian Englert, Mike Buckbee

S1 Ep 56 How Diversity & Inclusion Drives Innovation and Market Growth (Part Two)
In part two of my interview with Allison F. Avery, a Senior Diversity & Inclusion Specialist at NYU Langone Medical Center, she clarified common misconceptions about Diversity & Inclusion (D&I) and offered a framework and methodology to implement D&I. She reminded me, “You should not be doing diversity for diversity's sake.”

Transcript

Cindy Ng: Should we be hiring for skill set or for diversity?

Allison Avery: I'm going to challenge your question a little bit, because I think that people dichotomize those two things as, you know, do you either want diversity, or do you want "quality"? And I think that those two things get pitted against each other as though they're one mutually exclusive or in competition with each other, and that you have to choose. And I think that even looking at it that way puts people into a mind pretzel, and makes diversity seem antithetical to being a top talent place, and being a top talent institution. And I think it gives diversity a bad name, but it also kind of feeds in this kind of mythology that somehow diversity is lowering standards, or diversity is compromised. And I think that whenever we get into this bind of doing things differently, our brains get into this idea that somehow, whenever we go against the grain, that all of a sudden we're compromising our standards. But all we're doing is one, either changing our standards for something that we have prioritized for a different reason or rationale. One, we need to fully understand what that rationale is, and if we don't that's when we tend to dichotomize, because we don't really understand the value of diversity, and what the sort of actual benefits of having a socially diverse workforce is, and you know the fact of the matter is it does lead to greater creativity, greater financial gains, and greater innovation, and greater research. I mean, that has been substantiated in multiple research, pervasive throughout different industries and in multiple different ways from innovation creativity to financial gains. That's just kind of time and time again. There is a big financial case for diversity, and how it does literally make you smarter, more creative and more conscious. Julie Peeler who's the foundation director of the International Information Systems Security Certification Consortium, you know, was sort of citing in March how there's...you know, there's about 30,000 open positions in U.S. information security, and how the gap is growing wider and wider. It's actually easier and we've noticed this actually in medical school as well. It's easier at times to train people in skill development, than it is in human skill development, and what we've noticed that is that certain areas of aspects of diversity, and what should be needed for tech in the 21st century, and tech for the next coming 50 plus years are the communication and analytical skills, and participation decision making. Women in leadership positions tend to be more engaged in being able to do that. They tend to be able to be more collaborative. We've also noticed that in medical school, that it's easier to teach somebody some of the hard "skills" and it's harder to teach somebody some of the soft skills. Harder to teach somebody some of the needs of a diverse community, but it's easier to teach them some of the hard skills that they're going to need. So if they have somewhat of an orientation, if they have potential, if they have capacity, if they have the ability to learn, and those are things that you can test for if you look at some psychometrics testing, if you look at some actual like organizational development testing. You can utilize that or leverage that within your hiring system. So looking at a person's aptitude for learning, as opposed to just being a hard and fast person on a skill acquisition. So the potential for a person to be able to learn a new skill, or to be able to acquire a new skill, you can test for that through some psychometric testing. You get somebody who's good at like organizational development, or organizational psych, and you input that within your structural system in your hiring manager, and you can test for that and that might increase aspects of your diverse workforce, as opposed to being hard and fast about you need to know this still today. As opposed to we can teach you this skill, but you're coming in with some of these other desired skills, and be more competency based. So we've noticed that when we switched to a more competency-based...so this person has the ability to deal with ambiguity. This person has better communication skills, this person has the capacity for critical thinking, so when we switch to what kind of culture do we want, what type of learner do we want, what type of capacities do we want and competencies do we want, then that changes the methodology and changes our hard and fast orientation to you need to know this, this, this, this and this skill. It's like we can teach yo

S1 Ep 127 Cyber & Tech Attorney Camille Stewart: Discerning One's Appetite for Risk (Part Two)
We continue our conversation with cyber and tech attorney Camille Stewart on discerning one's appetite for risk. In other words, how much information are you willing to share online in exchange for something free? It's a loaded question, and Camille takes us through the line of questioning one should follow before taking a fun quiz or survey online. As always, there are no easy answers or shortcuts to achieving the state of privacy-savvy nirvana. Camille also cautions against carrying laws made for the physical world over to cyberspace: if we make comparisons because the connection appears similar at face value but in reality isn't, we may set ourselves up to truly stifle innovation.

Choosing Convenience over Privacy

Camille Stewart: Hi, I'm Camille Stewart. I'm a cyber and technology attorney. I am currently at Deloitte working on cyber risk and innovation issues, so identifying emerging technologies for the firm to work with. Prior to that, I was a senior policy advisor at the Department of Homeland Security working on cyber infrastructure regarding to foreign policy in the Office of Policy. I was an appointee in the Obama Administration. And then prior to that I was in-house at a cybersecurity company. So I've worked in both the public sector and the private sector on cyber issues.

Cindy Ng: Thanks, Camille. Can you talk a little bit about privacy conceptually? Everybody wants privacy, it seems like a good thing, but why aren't people picking privacy over convenience? Convenience, yes, it's easy but what about privacy is not getting through to people?

Camille Stewart: I don't think people are looking at the long-term ramifications, right? I know very recently we had the genetic testing case that helped lead to a killer, which is wonderful in that specific instance. But I doubt that anybody who sends in their genetic information, had it tested and figured out their heritage has thought about how that data might be used otherwise, has read the disclaimer that tells you how your data will be used whether it's for research, whether it will be used by the police, whether it will be used to create new things. And if anybody remembers Henrietta Lacks, her data was used to create all of these things that are very wonderful but she never got any compensation for it. Not knowing how your information is used takes away all of your control, right? And a world where your data is commoditized and it has a value, you should be in control of the value of your data. And whether it's as simple as we're giving away our right to choose how and when we disburse our information and/or privacy that leads us to security implications, those things are important. For example, you don't care that there's information pooled and aggregated from a number of different places about you because you've posted it freely or because you traded it for a service that's very convenient until the moment when you realize that because you took the quiz and let this information out or because you didn't care that your address was posted on like a Spokeo site or something else, you didn't realize that all of the questions to your banking security information are now all easily searched on the internet and probably being aggregated by some random organization. So somebody could easily take and say, "Oh, what's your mother's maiden name? Okay. And what city do you live in? Okay. And what high school did you go to? Okay." And those are three pieces of information that maybe you didn't post in the same place but you posted and didn't care because you traded it for something or you posted it and you didn't think it through and now they can aggregate it because you use those two things for everything and now someone has access to your bank account, they've got access to your email, they've got access to all of these things that are really important to you and your privacy has now translated into your security.

Cindy Ng: I was just talking to my coworkers about this that it doesn't come naturally to know not to answer these questions because you can online somewhere and let's say you’re a part of a community you trust and you answer these innocuous questions and then you won't necessarily have the foresight to know that it's gonna come back and hurt you. How did you come up with the reasoning behind, "Oh, I probably shouldn't answer those questions?" Because you kinda have to be a little skillful and have a bit of foresight or some knowledge to even think in the way that you do.

Camille Stewart: No, you're right, there is a level of savvy that has to happen for you to think that way and a level of, like you said, foresight or a level of reaction, right? Most people aren't thinking that way because they knew it before it happened but now that the information's out there, they're taking action. And I think there are a lot of people who are neglecting that. So we all, just like organizations, just have to press it, have to

S1 Ep 54 How Infosec Can Implement Diversity & Inclusion Programs to Address Workforce Shortage and Make More Money Too
Data breaches keep on happening, information security professionals are in demand more than ever. Did you know that there is currently a shortage of one million infosec pros worldwide? But the solution to this “man-power” shortage may be right in front of and around us. Many believe we can find more qualified workers by investing in Diversity & Inclusion programs. According to Angela Knox, Engineering Director at Cloudmark, "We're missing out on 50% of the population if we don't let them [women] know about the job." For skeptics: creating a more diverse workplace isn't about window dressing. It makes your company more profitable, notes Ed Lazowska, a Professor of Computer Science and Engineering at the University of Washington-Seattle. "Engineering (particularly of software) is a hugely creative endeavor. Greater diversity — more points of view — yields a better result." According to research from Center of Talent Innovation, companies with a diverse management and workforce are 45 percent more likely to report growing market share, and 70 percent likelier to report that their companies captured a new market. I wanted to learn more about the benefits of a D&I program, and especially how to create a successful one. So I called Allison F. Avery, Senior Organizational Development & Diversity Excellence Specialist at NYU Langone Medical Center, to get the details from a pro. She is responsible for providing organizational development consultation regarding issues such as diversity and inclusion, performance improvement, workforce engagement, leadership development, and conflict resolution. In part one of our interview, Ms. Avery sets the foundation for us by describing what a successful diversity & inclusion program looks like, explaining unconscious bias and her thoughts on hiring based on one's social network. Transcript Cindy Ng: Allison Avery is a senior organizational development and diversity specialist at NYU's medical center. 
She is responsible for providing organizational development, consultation regarding issues such as diversity and inclusion, workforce engagement, leadership development and conflict resolution. In our interview, Allison demystifies common misperceptions about diversity and inclusion, offers a successful framework and methodology to implement D&I and, yes, confirms that diverse organizations do make more money. Can you define for us what diversity and inclusion means? Allison Avery: The way that I like to define, or the way that I'm going to talk about diversity, is really referring to the richness of human differences. And so, that can mean anything from socio-economic status, race, ethnicity, language, nationality, sexual orientation, religion, all the way to learning styles and life experiences. I know, for the context of this conversation. We're really going to target specifically on a lot with regard to race, and ethnicity and gender because that's really who's primarily underrepresented in the tech field. We're going to talk a lot about that, but diversity in and of itself primarily just means, really, difference, and it's sort of a naturally-occurring phenomenon. And then, inclusion is the way in which we engage that diversity. So, it refers to active, intentional and ongoing engagement with that diversity. It's the way that we foster belonging, that we value and encourage engagement and that we really connect individuals throughout. Whether it's an organization or institution, to leverage their excellence, leverage their skills, leverage their skill sets and promote them to grow into the climate and the culture that we're trying to cultivate within an organization, within an institution and even within an industry. So, it's the way that we intentionally, and ongoingly and actively engage the diversity at hand. Cindy Ng: Describe for us the kinds of diversity and inclusion programs you've implemented and what has been successful. 
Allison Avery: There are a couple of different arenas that I think diversity and inclusion programming gets parsed into. One is primarily along the lines of recruitment and retention. Now, in medical school, we tend to not have any general issue with retention, but that tends to be in the domain of professional development. And that's pervasive throughout any industry, and I see that within a lot of the articles I was reading in the tech industry. There are some initiatives going on through Google and Twitter of trying to recruit individuals from different industries to companies, and that's just a pervasive element. So, we do a lot of recruiting here at the medical school for students from the educational pipeline. So, we go to undergraduate institutions, we have summer programs for students that are rising juniors and seniors to come and spend the summer to do basic science research, primarily targeted for Blacks and Latinos because those targeted minority groups are underrepresented in medicine. Only about 6% of

S1 Ep 128Core Security Principles Drive Us into The Future
While reading about our latest technological advances, such as digital license plates and self-driving cars, I wondered about our industry’s core security principles that set the foundation for all our innovation. However, what about user agreements? We’re able to create incredible new advances, yet we can’t get our user agreements right. Even though the agreements are for the users, it’s rare that they want to read the legalese. It’s just easier to click ‘accept’. As the author suggests, there must be a better way for end users to interact with tech companies.

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

S1 Ep 126Cyber & Tech Attorney Camille Stewart: The Tension Between Law and Tech (Part 1)
Many want the law to keep pace with technology, but what's taking so long? A simple search online and you'll find a multitude of reasons why the law is slow to catch up with technology: lawyers are risk averse, and the legal world is intentionally slow and also a late adopter of technology. Can this all be true? Or is it simply hearsay? I wanted to hear from an expert who has experience in the private and public sector. That's why I sought out the expertise of Camille Stewart, a cyber and technology attorney. In part one of our interview, we talk about the tension between law and tech. And as it turns out, laws are built in the same way a lot of technologies are built: in the form of a framework. That way, it leaves room and flexibility so that technology can continue to evolve.

Frameworks Reign in Law and Tech

Camille Stewart: Hi, I am Camille Stewart. I'm a cyber and technology attorney. I'm currently at Deloitte working on cyber risk and innovation issues, so identifying emerging technologies for the firm to work with. Prior to that, I was a Senior Policy Advisor at the Department of Homeland Security working on cyber infrastructure, and foreign policy in the office of policy. I was an appointee of the Obama administration. And then prior to that, I was in-house at a cybersecurity company. I worked in both the public sector and the private sector on cyber issues.

Cindy Ng: Today, we're gonna be talking about the tension between law and technology, where a law takes a lot of time and inquiry to create something that makes sense and hopefully is impactful for years to come, whereas technology, it's really about ideation and creating and bringing product and service to market as quickly as possible. Tech people, they want law to catch up with technology. Lawyers wish tech people would understand the law a little bit more.
And some have even criticized that the law doesn't move as quickly as technology, and you have a lot of experience both as a cybersecurity attorney in Washington and in the private sector. And I'm wondering if there's a deeper divide between the two entities, and I'm wondering if you can share your experience with us in working with lawmakers as well as your experience in the private sector.

Camille Stewart: Yeah, so, I mean, I think one misconception is you don't want the law to keep pace with innovation. There's no way for you to legislate for future occurrences and for the ideation and innovation we've talked about. You want the law to leave room and flexibility so that technology can continue to evolve. And so that's kind of what has to happen. It's frustrating that there are no legal recourses when an issue comes up, but you almost have to test those boundaries to figure out a framework to fit your bill to address issues that are coming. So even the laws that we do build tend to be framework because we need to leave room for that innovation and ideation. And part of the tension between technology communities and lawyers and technology communities and the general public or the government is trust. So technologists don't trust the government with the information that they have, and the government wants to build that trust desperately so that we can leverage the resources that are at the disposal of both. You know, the government has a lot of insight and intelligence that they can layer over the tools and capabilities in the private sector, and if they came together, it's great, but there's this base level of trust and understanding of what each is trying to do that if we could bridge that gap, so much more could be done.

Cindy Ng: Is there a think tank or a non-profit or some kind of institution that can bridge that gap that you've seen develop over the past few years?
Camille Stewart: Yeah, so there are a number that are working on this, whether it's issue-specific, right, "So let's talk about surveillance and bringing people together around that." "Let's talk about a given issue and discuss that." Also the government is trying that. Organizations like DHS that work with the private sector quite a bit are trying to build those bridges and find ways to share information in a way that's valuable to both the private sector and the government through things like AIS, the Automated Indicator Sharing system. And it's gonna be a slow process. Those trusts are bolted tight. Private sector has coalesced together to build trust circles with their peers and people that they know doing work that they understand, and they're sharing information that way. And those mechanisms have become pretty robust and helpful, but the government has to be able to be a part of that for us to really complete the picture, and that's the work that's being done, some through non-profit organizations, NGOs, but also through the government and the private sector starting to get into a room. And then, as people move back and forth across lines, right, traditionally people were govies for life, or they were in the private sector. Now

S1 Ep 115I’m Sean Campbell, Systems Engineer at Varonis, and This is How I Work
In April of 2013, after a short stint as a professional baseball player, Sean Campbell started working at Varonis as a Corporate Systems Engineer. Currently a Systems Engineer for New York and New Jersey, he is responsible for uncovering and understanding the business requirements of both prospective and existing customers across a wide range of verticals. This involves many introductory presentations, proof of concept installations, integration expansion discussions, and even the technical development of Varonis channel partners. Sean also leads a team of subject matter experts (SMEs) for our innovative DatAlert platform. According to his manager Ben Lui: “Sean Campbell is one of the most talented engineers on my team. He is the regional DatAlert SME and bridged valuable feedback from both customers and the field back to product management. Sean is also an excellent team player and excels at identifying critical data exposure during customer engagements. Overall, Sean is a key contributor to the Varonis organization.” The fast-paced environment, the challenge of data security, and the fact that the sales cycle is far from “cookie cutter” are what Sean enjoys most about his role here. He also values the relationships he has been able to build up over the years on both the Varonis and customer side.

S1 Ep 125Data Protectionism: Friend or Foe?
Data protectionism - restricting the movement of data between countries - will be an option that governments will elect to implement in the upcoming months and years. As the world economy becomes more data-driven, impacting global GDPs, such restrictions will soon find their way into trade deals, requiring data to be held in servers inside certain countries. It’s not just a business decision. Exporting data on individuals is also heavily restricted because of privacy concerns. And we saw a Belgian legislator voice this concern during a discussion with Facebook’s CEO on his value as a user.

Other articles discussed:
CISOs are still cloud skeptics
Orlando police and Amazon partner up
Junior infosec professionals want promotions

Tool of the week: Dark Surgeon

Panelists: Cindy Ng, Kilian Englert, Mike Thompson, Mike Buckbee