State of Cybercrime

209 episodes — Page 3 of 5

S1 Ep 124: Turning People into Devices

Outsourcing tedious tasks is a dream of many, and at the latest Google Developers conference the audience beamed when Google Assistant booked an appointment. However, attendees were quick to worry about the potential exploits those devices might face. Medical devices are a good example of what computerized assistants might face in the future. Yes, medical devices can save lives and certainly serve a more noble cause than outsourcing tedious tasks, but on the security side these life-saving pacemakers and defibrillators still require firmware updates. It seems we still haven’t learned our lesson: embed security at the initial stages of design.

Other articles discussed:
- Scammers find an opportunity with startups without phone numbers
- Smartphones can soon determine if you’ll get a loan

Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Forrest Temple

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime

More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

May 17, 2018 · 28 min

S1 Ep 120: I’m Brian Vecci, Technical Evangelist at Varonis, and This is How I Work

If you’ve ever seen Technical Evangelist Brian Vecci present, his passion for Varonis is palpable. He makes presenting look effortless and easy, but as we all know, excellence requires complete devotion to the craft. I recently spoke to him to gain insight into his work and to shed light on his process as a presenter.

“When I first started presenting for Varonis, I’d have the presentation open on one half of the screen and Evernote open on the other half and actually write out every word I was going to say for each slide,” said Brian. From there, he improvises from the script. “I’d often change things up while presenting based on people’s reactions or questions, but the process of actually writing everything out first made responding and reacting and changing the presentation a lot easier. I still do that, especially for new presentations.”

According to Varonis CMO David Gibson: “Brian's high energy, curiosity, and multi-faceted skills (technical aptitude, communication skills, sales acumen, and organizational capabilities) make him an exceptional evangelist.”

May 14, 2018 · 19 min

S1 Ep 123: Attorney Sara Jodka on GDPR and Employee Data, Part II

Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employment law. She's in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In the second part of our interview, Sara talks about the relationship between HR data and Data Protection Impact Assessments (DPIAs). Most companies will likely have to take the extra step and perform these DPIAs, but there are specific triggers that Sara delves into.

May 9, 2018 · 8 min

S1 Ep 119: Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part Two

In part two of my interview with Varonis CFO & COO Guy Melamed, we get into the specifics of data breaches, breach notification and the stock price. What’s clear from our conversation is that you can no longer ignore the risks of a potential breach. There are many ways you can reduce risk. However, if you choose not to take action, then at a minimum have a conversation about it. Also, around 5:11, I asked a question about IT pros who might need some help getting budget. There’s a story that might help.

Do Data Breaches Impact the Stock Price?

Guy Melamed: My name's Guy Melamed, CFO and COO for Varonis. I've been with the company since 2011, in charge of all the financial statements and execution of strategic operational plans, in charge of the legal department, and IR as well. And kind of enjoying the ride.

Cindy Ng: There's a discrepancy online, where there have been studies that say that breaches don't impact the stock price. Sure, a breach will typically lead to a one-time large expense or maybe smaller recurring expenses. There might be a potential decrease in revenue, but in the long term, investors tend to look past the breach, and they really just focus on the strength of the business and the value of the company. What do you think about data breaches and their impact on the stock price?

Guy Melamed: I'm not so qualified to talk about statistics on stock price and how a breach would affect a stock price in the short term or in the long term. What I can say is that what we've seen in so many events, in so many breaches that have taken place in the last couple of years, is that if you go back to those companies and ask them whether they would have rather dealt with a breach or just bought software, taken measures that can help them in protecting or preventing or minimizing the amount and the magnitude of the breach, I think the answer is pretty obvious. So we've seen companies that have gone out of business because of breaches. We've seen companies that will have to deal with litigation for years ahead. So where's that factored in? There are just so many components. It's more of a philosophy that if you can do something active to try and minimize risk, then why not do it? I think companies, more from a philosophical perspective, should try and actively take action in order to minimize risk. And companies that are under the belief that it won't affect them and that they're going to be okay, I think, are acting slightly irresponsibly.

Data Breaches and Breach Notification

Cindy Ng: Let's talk about breach notification. It's said that the time to discovery increases the cost of a data breach, and research has said that most companies take over six months to detect data breaches. If you're in the EU, article 31 of the GDPR says that data controllers will need to notify authorities of a breach within 72 hours at the latest upon learning about the exposure, if it results in a risk to a consumer. If you're already protecting or in the process of protecting your data, how do you reconcile the time in figuring this element out? What do companies need to do? How much are we talking about?

Guy Melamed: So the surveys that we've been tracking show that 70% of the breaches are discovered within months or years. And I think a great example of a breach that affected a company years later was the Yahoo deal. This was a breach, and I don't know if it was four years ago or three or five years ago, but it was discovered as part of an M&A process and had an effect, an actual quantifiable number that impacted the transaction price. So a company would obviously rather try and identify breaches as soon as possible, so they can take action, minimize some of the cost and be transparent with the customers, the investors, and the shareholders. GDPR definitely changes the reporting requirement, and if you're breached, you have to provide that information within 72 hours. That's a short period of time, and in order to be able to comply with that regulation, and in order to have better tracking, you really have to have systems, programs, personnel in place to try to identify this. And the fines that come from GDPR, I'm talking about, you know, some of the requirements and some of the fines related to those requirements, are 4% of global revenue or $25 million, whichever is greater. That's a huge number that could affect companies in so many ways, definitely something that from our perspective we see is causing a lot of interest, causing a lot of discussion, and companies are not ignoring the regulation because of its significance.

Should You Just Pay the Fine?

Cindy Ng: So when you've done the risk analysis of viewing the GDPR fines, companies are resigned to paying a fine because the fine isn't that costly. And so let's just pay the fine and get it over with.

Guy Melamed: My response is that it probably fits with an analysis or an analogy that says if I go through a red light, I know that the fine is probably minimal and I can live with

May 7, 2018 · 8 min

S1 Ep 122: Not Everything is a No Brainer

When I asked our podcast panelists about the difficulty of discerning real businesses from fake ones, or of answering innocuous questions about your first pet, the answer was that it can be time consuming, mentally exhausting and not naturally intuitive. As technology gets even more difficult to navigate, think about how important that is when presenting time-to-value security solutions to C-Suite executives. A popular catchphrase amongst IT pros is: “It’s a no brainer.” When an idea is presented as a no brainer, it’s assumed that the idea has obvious value, when in reality processes and strategic decisions are more complicated than they appear. So when it comes to cybersecurity, not everything is a no brainer. Far from it. If it were simple, Atlanta wouldn’t have spent two million to recover from a ransomware attack, and in 2016 the cyberinsurance market wouldn’t have brought in 3.5 billion in premiums globally.

Other articles discussed:
- Monkey loses selfie copyright case

Tool of the week: Algo

Panelists: Cindy Ng, Kilian Englert, Kris Keyser, Mike Buckbee

May 4, 2018 · 18 min

S1 Ep 121: Attorney Sara Jodka on GDPR and Employee Data, Part I

Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employment law. She's in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In this first part of the interview, we learn from Sara that some US companies will be in for a surprise when they learn that all the GDPR security rules apply to internal employee records. The GDPR's consent requirements, though, are especially tricky for employees.

Transcript

IOS: Welcome, Sara.

Sara Jodka: Thank you for having me.

IOS: I wanted to get into an article that you had posted on your law firm's blog. It points out an interesting subcategory of GDPR personal data which doesn't get a lot of attention, and that is employee HR records. You know, of course it's going to include ethnic, payroll, 401(k), and other information. So can you tell us, at a high level, how the GDPR treats employee data held by companies?

Employee Data Covered By the GDPR

SJ: Whenever we look at GDPR, there are 99 articles, and they're very broad. There's not a lot of detail in the GDPR regulations themselves. In fact, we only have one that actually carves employment data out, and that's Article 88 — there's one in and of itself. Whenever we're looking at it, none of the articles say that all of these people have these rights. All these individuals have rights! None of them say, "Well, these don't apply in an employment situation." So we don't have any exclusions! We're led to "Yes, they do apply." And so we've been waiting on, and we have been working with, guidance that we're receiving, you know, from the ICO, with respect to … consent obligation, notice obligation, portability requirements, in any employee context. Because it is going to be a different type of relationship than the consumer relationship!

IOS: It's kind of interesting that people, I think, or businesses, probably are not aware of this ... except those who are in the HR business. So I think there's an interesting group of US companies that would find themselves under these GDPR rules that probably would not have initially thought they were in this category because they don't collect consumer data. I'm thinking of law firms, investment banking, engineering, professional companies.

US Professional Service Companies Beware!

SJ: I think that's a very good point! In fact, that's where a lot of my work is actually coming from. A lot of the GDPR compliance is coming from EU firms that specialize in EU privacy. But a lot of U.S. companies didn't realize that this is going to cover the employment aspects that they had with EU employees that are in the EU! They thought, "Well, because we don't actually have a physical location in the EU, it doesn't actually cover us." That's not at all true. The GDPR covers people that are working in the EU, people who reside in the EU, so to the extent that a U.S. company has employees that are working in the EU, it is going to cover that type of employee data. And there's no exception in the GDPR around it. So it's going to include those employees.

IOS: So I hadn't even thought about that. So their records would be covered under the GDPR?

SJ: Yeah, the one thing about the definition of a data subject under the GDPR is it doesn't identify that it has to be an EU resident or it has to be an EU citizen. It's just someone in the EU. When you're there, you have these certain rights that are guaranteed. And that will cover employees that are working for U.S. companies but they're working in the EU.

IOS: Right. And I'm thinking perhaps of U.S. citizens who come there for some assignment, and maybe working out of the office, they would be covered under these rules.

SJ: And that's definitely a possibility, and that's one thing that we've been looking for. We've been looking for guidance from the ICO to determine … the scope of what this is going to look like, not only in an employment situation, but we're dealing with an immigration situation, somebody on a work visa, and also in the context of schools, as we are having, you know, different students coming over to the United States or going abroad. And what protection the GDPR then applies to those kinds of in-transition relationships, those employees or students. With a lot of my clients, we are trying to err on the side of caution and do things ahead of time, rather than beg forgiveness if the authorities come knocking at our door.

GDPR's Legitimate Interest Exception is Tricky

IOS: I agree that's probably a better policy, and that's something we recommend in dealing with any of these compliance standards. In that article, you mentioned that the processing of HR records has additional protections under the GDPR … An employee has to give explicit consent freely and not as part of an employer-employee contract.

May 3, 2018 · 8 min

S1 Ep 118: Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part One

Recently, the SEC issued guidance on cybersecurity disclosures, requesting that public companies report data security risks and incidents that have a “material impact” and that reasonable investors would want to know about. How does the latest guidance affect a CFO’s responsibility in preventing data breaches? Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed about his perspective. In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats and cyberattacks, and why companies might not take action until they see how vulnerable they are with their own data. The interview is well worth your time: by the end of the podcast, you’ll have a better understanding of what IT pros, finance, legal and HR have on their minds.

Data Security and the CFO: Risk and Responsibility

Guy Melamed: My name is Guy Melamed, CFO and COO for Varonis. I have been with the company since 2011, in charge of all the financial statements and execution of strategic operational plans, in charge of the legal department and IR as well, and I am enjoying the ride.

Cindy Ng: Sounds great. So, today we're gonna be discussing how much it would cost if we don't invest in data security, and let's start with the role of a CFO. Right now, data breaches are one of the biggest threats that all companies face, and companies are realizing this and increasingly, they're delegating responsibilities to the CFO. According to a survey by the American Institute of CPAs, 72% of companies have asked the finance department to take on more of the responsibility to deal with data breaches and attacks. Why should the CFO be involved in protecting the organization's most sensitive data?

Guy Melamed: I think the answer is comprised of a couple of components. One of them has to do with the fact that CFOs are responsible for the financial statements, and with recent events and with the amount of breaches that have taken place, there's much more emphasis on the type of disclosure the company has to provide as part of the 10-K and as part of the risk factors and even as part of the MD&A. Just to give you an example, in recent months the SEC has provided guidance on cybersecurity, board consideration, and the amount of disclosure that needs to be provided. And just to give you a sense, that release, as a side note, was provided by the SEC chairman post the breach that took place in the EDGAR system, which is a system that you can log in to and see all of the financial statements of all companies. There was a breach in that system, and as a result the SEC had to address from a disclosure perspective what was taken and how they're addressing that event and future events, and planning to protect against any future event. So that kind of created the guidance that was provided to all of the big four accounting firms, and private, and especially public, companies have to address that. That release talks about what the company is doing from a risk management perspective, how they are protecting against cybersecurity risk. It talks about the board's role in overseeing the management of any immaterial cybersecurity risk. And it has a lot of discussion as to what type of disclosure needs to be provided in what event. So, when we received that publication in preparation for our 10-K filing, we had to have a discussion: where to put it, what is the risk, how are we addressing it, and a conversation like that takes place with the legal department. It takes place even with the HR department, with some of the regulation and protecting data. So there are a lot of components that relate to the CFO's role in making sure that we address it properly.

Cindy Ng: I actually wanna go back to all the different departments that are involved in addressing the need for preventing data breaches. How would an organization include that in a conversation if they didn't have the structure for it?

Guy Melamed: Well, the organization first has to understand where the data resides and who has access to the data. And in a recent survey that we published, approximately 50% of the companies have more than a thousand sensitive files open to everyone in the company. That's an unheard of number. Think about it. If you have one sensitive file, one file that has the full payroll information for an organization, and that file gets into the wrong hands, that can destroy a company, and you have a little more than a thousand sensitive files. So the risk is very significant, and approximately 20% of the data on average is open to everyone in the company. That's a risk a company must take action against. So step number one is realize where your risk resides, and if you don't have access, and you don't know who has access to what type of folder, who's opening the folder, who's deleting the folder, then you're blindsided. So I think that's step number one. There are additional risks that take place day to day, and if I've given you an example from the finance department, if an employee i

Apr 30, 2018 · 12 min

S1 Ep 116: Dr. Wolter Pieters on Information Ethics, Part Two

In part two of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we continue our discussion on transparency versus secrecy in security. We also cover ways organizations can present themselves as trustworthy. How? Be very clear about managing expectations. Declare your principles so that end users can trust that you’ll be executing by the principles you advocate. Lastly, have a plan so that you know what to do when something goes wrong. And of course there’s a caveat: Wolter reminds us that there’s also a very important place in this world for ethical hackers. Why? Not all security issues can be solved during the design stage.

Transparency versus Secrecy

Wolter Pieters: My name is Wolter Pieters. I have a background in both computer science and philosophy of technology. I'm very much interested in studying cyber security from an angle that either goes a bit more towards the social sciences, so, why do people behave in certain ways in the cyber security space. But also more towards philosophy and ethics, so, what would be reasons for doing things differently in order to support certain values. Privacy, but then again, I think privacy is a bit overrated. This is really about power balance. It's because everything we do in security will give some people access and exclude other people, and that's a very fundamental thing. It's basically about the power balance that, through security, we embed into technology. And that is what fundamentally interests me in relation to security and ethics.

Cindy Ng: How do we live in a world now where you just don't know whether or not organizations or governments are behaving in a way that's trustworthy?

Wolter Pieters: You know, transparency versus secrecy is a very important debate within the security space. This already starts out very fundamentally from the question like, "Should methods for protecting information be publicly known, or should they be kept secret because otherwise we may be giving too much information away to hackers, etc.?" So, this is a very fundamental thing, and in terms of encryption already, there's the principle like, "Hey, encryption algorithms should be publicly known, because otherwise we can't even tell how well our information is being protected by means of that encryption, and only the keys used in encryption should be kept secret." This is a principle called Kerckhoffs' Principle. This is very old in information security, and a lot of the current encryption algorithms actually adhere to that principle, and we've also seen encryption algorithms not adhering to that principle. So, algorithms that were secrets, trade secrets, etc., being broken the very moment the algorithm became known. So, in that sense, I think most researchers would agree this is good practice. On the other hand, it seems that there's also a certain limit to what we want to be transparent about. Both in terms of security controls, we're not giving away every single thing governments do in terms of security online. So, there is some level of security by obscurity there, and more generally, to what extent is transparency a good thing? This again ties in with who is a threat. I mean, we have the whole WikiLeaks endeavor, and some people will say, "Well, this is great. The government shouldn't be keeping all that stuff secret." So, it's great for trust that this is now all out in the open. On the other hand, you could argue all this is actually a threat to trust in the government. So, this form of transparency would be very bad for trust. So, there's clearly a tension there. Some level of transparency may help people trust in the protections embedded in the technology and in the actors that use those technologies online. But on the other hand, if there's too much transparency, all the nitty-gritty details may actually decrease trust. You see this all over the place. We've seen it with electronic voting as well. If you provide some level of explanation of how certain technologies are being secured, that may help. If you provide too much detail, people won't understand it and it will only increase distrust. There is a kind of golden middle there in terms of how much explanation you should give to make people trust in certain forms of security, encryption, etc. And again, in the end people will have to rely on experts, because with physical forms of security, physical ballot boxes, it's possible to explain how these work and how they are being secured; with digital, that becomes much more complicated, and for most people, they will have to trust the judgment of experts that these forms of security are actually good, if the experts believe so.

What Trustworthy Organizations Do Differently

Cindy Ng: What's something an organization can do in order to establish themselves as a trustworthy, morally-sound, ethical organization?

Wolter Pieters: I think the most important thing that companies can do is very clear in terms of managing expec

Apr 23, 2018 · 10 min

S1 Ep 117: 41% of organizations have at least 1,000 sensitive files open to all employees

This week, we talk about our annual data risk assessment report and sensitive files open to every employee! 41% of companies are vulnerable. The latest findings put organizations at risk, as unsecured folders give attackers easy access to business roadmaps, intellectual property, financial and health data, and more. We even discussed how data open to everyone in an organization relates to user-generated data shared with 3rd party apps. Is it a data security or a privacy problem? At the very least, the panelists think it’s a breach of confidence.

Other articles discussed:
- Dead people’s privacy rights
- Bill Gates’ former cybersecurity adviser on being your own CISO

Tool of the Week: Charles, Web Debugging Proxy Application

Panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Kris Keyser

Apr 16, 2018 · 27 min

S1 Ep 114: Varonis Track at RSA 2018

We’re all counting down to the RSA Conference in San Francisco, April 16 – 20, where you can connect with the best technology, trends and people that will protect our digital world. Attendees will receive a Varonis branded baseball hat and will be entered into a $50 gift card raffle drawing for listening to our presentation in our North Hall booth (#3210). Attendees that visit us in the South Hall (#417) will receive a car vent cell phone holder. In addition to stopping by our booth, below are sessions you should consider attending. You’ll gain important insights into best security practices and data breach prevention tips, while learning how to navigate a constantly evolving business climate.

Sessions discussed:
- Protecting Enterprise Data with the National Security “100 Coins” Approach
- Turtles, Trust and the Future of Cybersecurity
- The EU’s General Data Protection Regulation—Beauty or Beast?
- Hacking Healthcare Live: Bits and Bytes Meet Flesh and Blood
- Decision-Maker Dementia: How Today’s Security Leaders Stay Lucid

Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Kris Keyser

Apr 9, 2018 (28 min)

S1 Ep 113 Dr. Wolter Pieters on Information Ethics, Part One

In part one of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we learn about the fundamentals of ethics as they relate to new technology, starting with the trolley problem. A thought experiment in ethics, it is an important lesson in the world of self-driving cars and the course of action the computer on wheels would have to take when faced with potentially life-threatening consequences. Wolter also takes us through a train of thought on the potential for power imbalances when some stakeholders have a lot more access to information than others. That led us to ask: is technology morally neutral? Where and when does one’s duty to prevent misuse begin and end?

Transcript

Wolter Pieters: My name is Wolter Pieters. I have a background in both computer science and philosophy of technology. I'm very much interested in studying cyber security from an angle that either goes a bit more towards the social sciences, so, why do people behave in certain ways in the cyber security space, but also more towards philosophy and ethics, so, what would be reasons for doing things differently in order to support certain values. Privacy, but then again, I think privacy is a bit overrated. This is really about power balance. It's because everything we do in security will give some people access and exclude other people, and that's a very fundamental thing. It's basically about the power balance that we embed into technology through security. And that is what fundamentally interests me in relation to security and ethics.

Cindy Ng: Let's go back first and start with philosophical, ethical, and moral terminology. The trolley problem: it's where you're presented with two dilemmas, where you're the conductor and you see the trolley is going down a track and it has the potential to kill five people. But then if you pull a lever, you can make the trolley go onto the other track where it would kill one person. And that really is about: what is the most ethical choice and what does ethics mean?

Wolter Pieters: Right. So, ethics generally deals with protecting values. And values, basically, refer to things that we believe are worthy of protection. So, those can be anything from health, privacy, biodiversity. And then it's said that some values can be fundamental, others can be instrumental in the sense that they only help to support other values, but they're not intrinsically worth something in and of themselves. Ethics aims to come up with rules, guidelines, principles that help us support those values in what we do. You can do this in different ways. You can try to look only at the consequences of your actions. And in this case, clearly, in relation to the trolley problem, it's better to kill one person than to kill five. If you simply do the calculation, you know, you could say, "Well, I pull the switch and thereby reduce the total consequences." But you could also argue that certain rules state that you shall not kill someone, which would be violated in case you pull the switch. I mean, if you don't do something, then five people would be killed, but then you don't do something explicitly, whereas if you pull the switch you would explicitly kill someone. And from that angle, you could argue that you should not pull the switch. So, this is very briefly an outline of different ways in which you could reason about what actions would be appropriate in order to support certain values, in this case, life and death. Now, this trolley problem is these days often cited in relation to self-driving cars, which also would have to make decisions about courses of action, trying to minimize certain consequences, etc. So, that's why this has become very prominent in the ethics space.

Cindy Ng: So, you've talked about a power imbalance. Can you elaborate on and provide an example of what that means?

Wolter Pieters: What we see in cyberspace is that there are all kinds of actors, stakeholders, that gather lots of information. There are governments interested in doing types of surveillance in order to catch the terrorist amongst the innocent data traffic. There are content providers that give us all kinds of nice services, but at the same time, we pay with our data, and they make profiles out of it and offer targeted advertisements, etc. And at some point, some companies may be able to do better predictions than even our governments can do. So, what does that mean? In the Netherlands, today actually, there's a referendum regarding new powers for the intelligence agencies to do types of surveillance online, so there's a lot of discussion about that. So, on the one hand, we all agree that we should try to prevent terrorism, etc. On the other hand, this is also a relatively easy argument to claim access to data, they're like, "Hey, we can't allow these terrorist attacks, so we need all your data." It's very political. And this also makes it possible to kind of leverage security as an arg

Mar 30, 2018 (14 min)

S1 Ep 112 I’m Elena Khasanova, Professional Services Manager at Varonis, and This is How I Work

Prior to Varonis, Elena Khasanova worked in backend IT for large organizations. She did a bit of coding, database administration and project management, but was ready for more responsibility and challenges. So seven years ago, she made the move to New York City from Madison, Wisconsin and joined the professional services department at Varonis. With limited experience speaking with external customers and only basic training, Varonis entrusted her to deploy products as well as present to customers. Elena recalls, “Not every company will give you a chance to talk to external customers without prior experience….But it was Varonis that gave me that chance.”

According to her manager, Ken Spinner: Over the last 6 years, I’ve had the pleasure of working with Elena, first as a coworker in different departments, and most recently as the leader of our Remediation Team in our Professional Services department. Elena was uniquely qualified to lead the team as she had significant experience performing project management prior to planning and completing our first remediation projects. Elena’s knowledge was instrumental in defining the essence of the Varonis Data Risk Assessment, the process used by PS to perform remediation, as well as providing practical insight to Engineering during the development of the Automation Engine.

Read on to learn more about Elena – this time, in her own words.

What would people never guess you do in your role?
Not only am I involved in professional services, I also spend a lot of time on sales calls.

What did you learn about yourself after working at Varonis?
I am pretty good at selling concepts and ideas.

How has Varonis helped you in your career development?
Prior to Varonis, I only worked in internal IT. Varonis gave me a chance to work with external customers and exposed me to sales and product management.

What advice do you have for prospective candidates?
Pour your heart and soul into Varonis products. If you are smart and hard-working, it will be noticed right away.

What do you like most about the company?
Despite being a publicly traded company, it kept its startup spirit and passion.

What’s the biggest data security problem your customers/prospects are faced with?
Company files are often accessible by every employee regardless of their roles. How can we fix that without someone losing access to work they really need access to?

What certifications do you have?
CISSP and PMP

What is your favorite book?
Big Magic by Elizabeth Gilbert

What is your favorite time hack?
I assign values in my to-do list by urgency: important (not always urgent but important in the long run), speed and reluctance. Things I’m most reluctant to do, I try to do at the beginning of the day when my willpower is still high.

What’s your favorite quote?
"It would not be much of a universe if it wasn't home to the people you love." – by the greatest scientist, Stephen Hawking

Mar 28, 2018 (22 min)

S1 Ep 111 Are Users and Third-Party Vendors Frenemies?

In the midst of our nationwide debate on social media companies limiting third-party apps’ access to user data, let’s not forget that companies have been publicly declaring who collects our data and what they do with it. Why? These companies have been preparing for GDPR, the new EU General Data Protection Regulation, which goes into effect on May 25th. This new EU law gives consumers certain rights over their data while also placing security obligations on the companies holding it. In this episode of our podcast, we found that GDPR-inspired disclosures, such as PayPal’s, leave us with more questions than answers. But, as we discussed in our last episode, details matter.

Other articles discussed:
Apple iCloud also stores data on Google’s servers
New SEC guidance on reporting data security risk
What C-Suite executives need to know when it comes to security
Laughing Alexa

Tool of the Week: S3tk

Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Matt Radolec

Mar 22, 2018 (22 min)

S1 Ep 110 Details Matter in Breaches and in Business

With one sensational data breach headline after another, we decided to take on the details behind the story, because a concentrated focus on the headline tends to reveal only a partial dimension of the truth. For instance, when a bank’s sensitive data is compromised, the how matters as much as the what. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd party vendors upload spreadsheets.” We’re also living in a very different time, when everything we do in our personal lives can potentially end up on the internet. However, thanks to the EU’s “right to be forgotten” law, the public has made 2.4 million Google takedown requests. Striking the perfect balance will be difficult. How will the world choose between an organization’s goals (to provide access to the world’s information) and an individual’s right to be forgotten? And when organizations want to confidently make business decisions based on data-driven metrics, trusting the data is critical to making the right decision. Our discussion also reminded me of what our favorite statistician Kaiser Fung said in a recent interview, “Investigate the process behind a numerical finding.”

Other articles discussed:
Why I quit Google
Balancing security and user productivity
12 best practices for user account, authorization and password management

Tool of the week: Bettercap

Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Mike Buckbee

Mar 8, 2018 (22 min)

S1 Ep 109 Innovate First, Deliver PSAs Later

Today, even if we create a very useful language, IoT device, or piece of software, at some point we have to go back to fix the security or send out PSAs. Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows Update, just don’t. We also delivered a few PSAs of our own: cybercriminals view our LinkedIn profiles to deliver more targeted phishing emails, whether we’d prefer to deal with ransomware or cryptomalware, and the six laws of technology everyone should know.

Tool of the week: MSDAT

Panelists: Cindy Ng, Forrest Temple, Kilian Englert, Mike Buckbee

Feb 28, 2018 (21 min)

S1 Ep 108 Security Alert Woes

IT pros could use a little break from security alerts. They get a lot of alerts. All. The. Time. While alerts are important, a barrage of them can become a liability. It can cause miscommunication and overreaction. Conversely, alerts can turn into white noise, resulting in apathy. Hence the adage: if everything is important, nothing is. Instead, should we be proactive about our security risks rather than reactive?

Articles discussed:
Heatmap reveals secret military bases
ICE gets access to license plate numbers
Does it matter if you put your password on a post-it?

Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Kris Keyser

Feb 8, 2018 (18 min)

S1 Ep 107 Manifesting Chaos or a Security Risk?

Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. So a bold allegation that IT is the most problematic department in an organization was bound to be, ahem, controversial. But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but both have had unforeseen side effects. Even though profits are up, empty aisles at grocery stores are frustrating shoppers as well as employees. Quiet neighborhoods that became alternate routes are experiencing traffic and noise pollution from the new influx of drivers. When there are unforeseen consequences from a technological improvement, are we manifesting chaos or a security risk?

Other articles discussed:
Rules for securing IoT
Health data used as evidence in court

Tool of the week: Pown Proxy

Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Matt Radolec

Jan 24, 2018 (26 min)

S1 Ep 106 The Security of Legacy Systems

It’s our first show of 2018, and we kicked it off with predictions that could potentially drive headline news. By doing so, we’re figuring out different ways to prepare for and prevent future cybersecurity attacks. What’s notable is that IBM set up a cybersecurity lab where organizations can experience what it’s like to go through a cyberattack without any risk to their existing production systems. This is extremely helpful for companies with legacy systems that might find it difficult to upgrade for one reason or another. But we can all agree that what’s truly difficult are the flaws you can’t just fix with a patch, such as the CPU design flaws behind the Spectre and Meltdown attacks.

Other articles discussed:
Hotmail changed Microsoft and email

Panelists: Cindy Ng, Kris Keyser, Kilian Englert

Jan 19, 2018 (22 min)

S1 Ep 9 Chief Data Officer Richard Wendell: Information as an Asset (Part 1)

The emergence of Chief Data Officers (CDOs) demonstrates the growing recognition of information as an asset. In fact, Gartner says that 90% of large organizations will have a CDO by 2019. To understand the CDO role more deeply, I turned to Richard Wendell. I met Mr. Wendell last year at the Chief Data Officer Summit and thought his background and expertise would help us understand the critical role a CDO plays in managing an organization’s data. Mr. Wendell is a founding member of the Board of Directors of MIT’s International Society for Chief Data Officers (ISCDO). Under his leadership, he has helped create and shape the de facto community of senior executives responsible for maximizing the opportunities in data-driven decision making. Prior to ISCDO, Mr. Wendell spent two and a half years as the Vice President of Data Science and Strategic Analytics for Tyco Electronics. In this first part of a series of podcasts, Mr. Wendell defines the role of a CDO, the value a CDO brings to an organization and what a CDO needs to do in order to thrive.

Transcript

Responsibilities of a Chief Data Officer

Inside Out Security: With over two decades' worth of experience working with Fortune 500 organizations, Mr. Richard Wendell has constructed data science teams from scratch and pioneered organizations moving into advanced analytics. His methodology has been able to impact revenue streams by executing a data strategy to deepen customer insights and relationships. Most recently, Mr. Wendell is a founding member of the board of directors of MIT's International Society for Chief Data Officers. I'm thrilled to have Richard Wendell join us today to tell us more about the goals of a CDO. Because, according to Gartner, by 2019, 90% of large organizations will have a Chief Data Officer.

Richard: Sure, Cindy, happy to. So, the world around us is changing very, very fast. Particularly, when you start talking about information and technology. So, just out of curiosity I went and I was looking at Google Analytics and Google Trends and some search terms for "chief data officer." And the first blip that we start seeing of any significance around "chief data officer" searches came in late 2011. Then we start to see another uptick in 2012. And, more or less, since 2013, up through current time, the searches on Google for the word "chief data officer" are growing at a 100% compound annual growth rate. So, really substantial uptick. Like many areas in its early days, there are some different meanings for what people mean by chief data officer and the areas of responsibility. What we're seeing is different flavors of chief data officers, but by and large they could be characterized in sort of two buckets, the defensive chief data officer and the offensive chief data officer. Defensive CDOs, often there are a lot of them in financial services. They're more responsible typically for data governance, reporting, regulatory, and really critical functions. Quite different from the offensive CDOs we're seeing. Offensive CDOs still can be in financial services, but increasingly in other sectors, like life sciences and retail and CPG, are focusing on transforming companies that want to be, 20th century companies that want to be 21st century companies. So really, transforming the enterprise around data and analytics. Coming out with new ways of using data, data science to create insights that are truly going to be transformational for the way that business conducts itself into the future. You can see, both called CDOs, but two very, very different missions and mandates.

Aggregating Data, Analyzing Data, Acting on Data

Inside Out Security: So, what types of insights are CDOs being tasked with looking for?

Richard: So, the answer to that question is part, I think, very largely the job of the CDO, right? So, quite often a CDO, particularly offensive CDOs, their job starts like this: a CEO or a CFO or maybe a CMO says, "We want our company to use data science. We want our company to be more data driven, and we want to start capitalizing on these new technologies. Go figure out what that means for us." And so...and that's quite often the beginning point for a chief data officer. Now, I think on a high level, in my mind, particularly the more...the chief data officers who are looking to drive transformation and innovation have to really successfully string together three critical areas:
They have to aggregate data
They have to analyze the data, and
They have to get the business to act on the data.
So this “triple A” framework is so important. So I think that...and I would just say that if you get two out of three of those right, you fail. You really...in the beginning, the value chain is raw data, and at the end is raw dollars. If you want to get from raw data to raw dollars, you have to check all three of those boxes. And, so many organizations focus on that middle slice, the analysis piece, the insights piece. Insight is incr

Jan 2, 2018 (12 min)

S1 Ep 105 Who is in Control? The Data or Humans?

Self-quantified trackers made possible what was once nearly unthinkable: for individuals to gather data on their own activity levels in order to manage and improve their performance. Some have remarked that self-quantified devices can verge on over-management. As we wait for more research reports on the right dose of self-management, we’ll have to define for ourselves what the right amount of self-quantifying is. Meanwhile, it seems that businesses are also struggling with a similar dilemma: measuring the right amount of risk and harm as it relates to security and privacy. Acting FTC Chairman Maureen Ohlhausen said at a recent privacy and security workshop, “In making policy determinations, injury matters. ... If we want to manage privacy and data security injuries, we need to be able to measure them." A clearly defined measurement of risk and harm will become ever more important as the business world embraces deep learning and eventually artificial intelligence.

Other articles discussed:
Recovering “deleted” logs
Other perspectives on artificial intelligence
Transparency in algorithms required to curb bias

Panelists: Cindy Ng, Kilian Englert, Mike Thompson, Kris Keyser

Dec 19, 2017 (22 min)

S1 Ep 104 Security and Privacy Concerns with Chatbots, Trackers, and more

The end of the year is approaching and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses: remote controls, service workers, and personal cars. Meanwhile, as the business world phases out old technologies, some are embracing new ones. For instance, many organizations today use chatbots. Yes, they’ll help improve customer service. But some are worried that when financial institutions embrace chatbots to facilitate payments, cybercriminals will see it as an opportunity to impersonate users and take over their accounts. And what about the trackers found in apps bundled with DNA testing kits? From a developer’s perspective, all the trackers help improve the usability of an app, but does that mean we’ll be sacrificing security and privacy?

Other articles discussed:
Australian government considers allowing firms to buy facial recognition data
Replay scripts that track your cursor

Tool of the Week: Sword

Panelists: Cindy Ng, Kilian Englert, Kris Keyser, Mike Buckbee

Dec 7, 2017 (21 min)

S1 Ep 103 The Challenges and Promise of Digital Drugs

Recently the Food and Drug Administration approved the first digital pill. This means that medicine embedded with a sensor can tell health care providers – doctors and individuals the patient approves – whether the patient takes his medication. The promise is huge. It will ensure a better health outcome for the patient, giving caretakers more time with the ones they love. What’s more, by learning more about how a drug interacts with a human system, researchers might find a way to prevent illnesses that were once believed impossible to cure. However, as security pros, some in the industry believe that the potential for abuse might overshadow the promise of what could be.

Other articles discussed:
Is the manufacturing process in peril?
Child’s face unlocks mom’s iPhone X
Why phishing is a greater threat than keyloggers and password reuse
A post-Social Security number world
What you can learn from other industries

Tool of the week: Quad9

Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee

Nov 22, 2017 (28 min)

S1 Ep 100 Bring Back Dedicated and Local Security Teams

Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question! I found a possible answer to that question in New York Times director of information security Runa Sandvik’s recent keynote at the O’Reilly Security Conference. She told the attendees that many moons ago, Yahoo had three types of infosecurity teams: core, dedicated and local. Core was the primary infosec department. The dedicated group were subject matter experts on security, still in the infosec department, but they worked with other teams to help them conduct their activities in a secure way. The security pros in the local group were not officially in the infosec department, but they were the security experts on another team. Who knew that once upon a time dedicated and local security teams existed?! It would make natural sense that they would be the ones to assist end users with security questions, so why don’t we bring them back? The short answer: it’s not so simple.

Other articles discussed:
More to life than convenience?
Firefox gives users privacy option
Neural network renders faces that don’t exist

Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Matt Radolec

Nov 8, 2017 (22 min)

S1 Ep 99 Rita Gurevich, CEO of SPHERE Technology Solutions

Long before cybersecurity and data breaches became mainstream, founder and CEO of SPHERE Technology Solutions, Rita Gurevich, built a thriving business on the premise of helping organizations secure their most sensitive data from within, instead of securing the perimeter from outside attackers. And because of her multi-faceted experience interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.

What stood out in our podcast interview? When others are concerned about limited security budgets, Gurevich envisions more hands on deck in the field of information security. The reason is that there are more and varied threats, an oversaturated vendor marketplace, and a cybersecurity workforce shortage. “What I see happening is that there’s going to be subject matter CISOs across the company; where there will be many people with that title that become experts in very specific domains.” Also, while cybersecurity concerns are no longer as industry-specific, Gurevich does recognize that certain industries are more at risk than others. She approaches all industries, with their varying degrees of risk and threats, compliance requirements, and disparate systems, in a strategic way: by giving organizations visibility into their data and systems, what they need to protect and how they need to protect it.

Transcript

Cindy Ng: Long before data breaches became mainstream, Rita Gurevich, CEO of SPHERE Technology Solutions, built a thriving business on the premise of helping organizations secure their most sensitive data from within. And because of her multifaceted experience interacting with the C-Suite, technology vendors and others in the business community, we thought listening to her singular perspective would be well worth our time. Rita, you founded SPHERE in the wake of the 2008 financial crisis when you were just 25 years old. Can you tell us about the process behind how you started your business and what kind of services you provide?

Rita Gurevich: Absolutely. I started the company, essentially, on the collapse of Lehman Brothers. And after the bankruptcy, there were many different firms that bought different areas of Lehman. And I was put on a team to help figure out how to split apart all the different data and assets they owned. So if you can imagine, up until that point, Lehman was super centralized. It was operating as one company, with lots of shared services. And overnight, we essentially had to figure out who gets what. So Barclays Capital bought a part of the business. Nomura bought a part of the business. Neuberger bought a part of the business. All these different financial services firms that bought different business units from Lehman Brothers. And what we had to do was essentially a crash course on deep data analytics. We had to learn how to get a really quick understanding of who uses what, map that to different business entities, to figure out where it needs to go. So that required a lot of tools, a lot of metrics. We built all these algorithms. And we had to do it almost overnight. And soon after, a slightly traumatic time in the history of our country, I had a bit of an ‘aha’ moment when I decided to do some independent consulting. I quickly built a business, and now we focus on cyber security. We have a niche around data governance, identity and access management, as well as privileged access management. And a lot of the experience that I gained at Lehman was very relevant for what I do now, because you essentially had to figure out how do I capture the information that's necessary from my environment to create metrics and analytics that are relevant to making sure my information is secure, understanding who owns what, and even potentially preparing myself for some M&A activities.

Cindy Ng: And so, can you describe your work at Lehman Brothers and how you made the connection that it was important to start your business?

Rita Gurevich: Sure. So, during that time, during the bankruptcy, it was really all about data analytics. It was really about looking at all the different data, all the different assets that Lehman owned and figuring out, "Okay, who gets what?" So, if Barclays bought investment banking, how do you know what data belongs to investment banking? If Neuberger Berman bought investment management, the investment management business, how do you figure out what data belongs to investment management? So, it was all around going really deep into the data, and using the right tools to capture all the metadata, all the activity, so you can gain an understanding of who's using it, who owns it, and where does it need to go. So, at that time, not a lot of companies were doing that, and there wasn't really a lot of need to do that at the time. But around 2008-2009, there was just so much movement within financial services. And there was so much happen

Nov 2, 2017 (29 min)

S1 Ep 98: The Moral Obligation of Machines and Humans

Critical systems once operated by humans are now becoming more dependent on code and developers. There are many benefits to machines and automation, such as increased productivity, quality and predictability. But when websites crash, 911 systems go down, or radiation-therapy machines kill patients because of a software error, it’s vital that we rethink our relationship with code, as well as the moral obligations of machines and humans. Should developers who create software that impacts humans be required to take ‘do no harm’ ethics training? Should we measure developers by the functionality they create as well as by the security and moral frameworks they’re able to provide?

Other articles discussed:
The Parable Of The Paperclip Maximizer
Krack Attack
The Trolley Problem
Secret Database Hack
Cryptographic failure

Tool of the week: Assemblyline. Files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues.

Panelists: Cindy Ng, Kilian Englert, Kris Keyser, Mike Buckbee

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

Oct 24, 2017 (28 min)

S1 Ep 97: The Anatomy of a Cybercriminal Startup

Outlined in the National Cyber Security Centre’s “Cyber crime: understanding the online business model,” the structure of a cybercrime organization is in many ways a lot like a regular tech startup. There’s a CEO, a developer, and, if there are enough funds, an IT department. However, one role outlined in an infographic on page nine of the report was a surprise, and it does not exist in legitimate businesses: the “money mule.” Vulnerable individuals are often lured into these roles with titles such as “payment processing agents” or “money transfer agents.” But when “money mules” apply for the job, and even after they get it, they’re not aware that they are being used to commit fraud. Therefore, if the cybercriminals get caught, “money mules” might also get in trouble with law enforcement. A “money mule” can expect a freeze on his bank account, face possible prosecution, and might be responsible for repaying the losses. It might even end up on a permanent record.

Other articles and threads discussed:
Avoiding phish scams, with @swiftonsecurity
Equifax CEO says one IT pro caused the breach, with @patio11
How secure is iPhone X?

Tool of the week: SPF Translator

Panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Mike Thompson

Oct 12, 2017 (24 min)

S1 Ep 96: How Weightless Data Impacts Data Security

By now, we’re all aware that many of the platforms and services we use collect and store information about our data usage. After all, they want to provide us with the most personalized experience. So when I read that an EU Tinder user requested information about her data and was sent 800 pages, I was intrigued by the comment from Luke Stark, a digital technology sociologist at Dartmouth University: “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.” He is on to something. We don’t usually consider archiving stale data until we’re out of space. It is often only through printing photos, docs, spreadsheets and PDFs that we feel the weight and space-consuming nature of the data we own. Stark’s description of data’s intangible quality led me to wonder how weightless data affects how we think about data security. For instance, when there’s a power outage, some IT departments aren’t deemed important enough to be on a generator. Infosec is often seen as a compliance requirement rather than as security. Another roadblock security pros face is that when they report a security vulnerability, it’s not usually well received.

Podcast panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Mike Thompson

Oct 5, 2017 (23 min)

S1 Ep 95: Penetration Testers Sanjiv Kawa and Tom Porter

While some regard infosec as compliance rather than security, veteran pentesters Sanjiv Kawa and Tom Porter believe otherwise. They have deep expertise working with large enterprise networks, exploit development and defensive analytics, and I was lucky enough to speak with them about the fascinating world of pentesting. In our podcast interview, we learned what a pentesting engagement entails, how to assign budget to risk, the importance of asset identification, and much more. Regular speakers at Security BSides, they have a presentation on October 7th in DC: The World is Y0ur$: Geolocation-based Wordlist Generation with Wordsmith.

Sep 29, 2017 (38 min)

S1 Ep 94: Ofer Shezaf, Varonis Director of Cyber Security, Part II

Ofer Shezaf is Director of Cyber Security at Varonis. A self-described all-around security guy, Ofer is in charge of security standards for Varonis products. He has had a long career that includes most recently a stint at Hewlett-Packard, where he was a product manager for their SIEM software, known as ArcSight. Ofer is a graduate of Israel's elite Technion University. In this second part of the interview, we explore ways to improve data security through security-by-design techniques at the development stage, pen testing, deploying Windows 10, and even labeling security products!

Sep 26, 2017 (13 min)

S1 Ep 93: Ofer Shezaf, Varonis Director of Cyber Security, Part I

Ofer Shezaf is Director of Cyber Security at Varonis. A self-described all-around security guy, Ofer is in charge of security standards for Varonis products. He has had a long career that includes most recently a stint at Hewlett-Packard, where he was a product manager for their SIEM software, known as ArcSight. Ofer is a graduate of Israel's elite Technion University. In this first part of the interview, Ofer shares his thoughts on the changing threat landscape.

Sep 20, 2017 (9 min)

S1 Ep 91: Dr. Tyrone Grandison on Data, Privacy and Security

Dr. Tyrone Grandison has done it all. He is an author, professor, mentor, board member, and a former White House Presidential Innovation Fellow. He has held various positions in the C-suite, including his most recent role as Chief Information Officer at the Institute for Health Metrics and Evaluation, an independent health research center that provides metrics on the world's most important health problems. In our interview, Tyrone shares what it’s like to lead a team of forty highly skilled technologists who provide tools, infrastructure, and technology that enable researchers to develop statistical models, visualizations and reports. He also describes his adventures wrangling petabytes of data, the promise and peril of our data economy, and what board members need to know about cybersecurity.

Transcript

Tyrone Grandison: My name is Tyrone Grandison. I am the Chief Information Officer at the Institute for Health Metrics and Evaluation, IHME, at the University of Washington in Seattle. And IHME is global in profit in the public health and population health space, where we're focused on how do we get people to have a long life and have that long life at the highest health capacity possible.

Cindy Ng: Oftentimes, the bottom line drives businesses forward, whereas your institute is driven by helping policymakers and donors determine how to help people live longer and healthier lives. What is your involvement in ensuring that that vision is sustained and carried through?

Tyrone Grandison: Perfect. So I lead the technology team here, which is a team of 40 really skilled data scientists, software engineers, system administrators, project and program managers. And what we do is that we provide the base, the infrastructure. We provide tools and technologies that enable researchers to, one, ingest data. So we get data from every single country across the world. Everything from surveys to censuses to death records. No matter how small or poor or politically closed a country is. And we basically house this information. We help the researchers develop statistical models. Like, very sophisticated statistical models and tools on them that make sense of the data. And then we actually put it out there to a network of over 2,400 collaborators. And they help us produce what we call the Global Burden of Disease that, you know, shows what in different countries of the world is the predominant thing that is actually shortening lives in particular age groups, for particular genders and all demographic information. So, now people can, if they wanted to, do an apples-to-apples comparison between countries across ages and over time. So, if you wanted to see the damage done by tobacco smoking in Greece and compare that to the healthy years lost due to traffic injuries in Guatemala, you can actually do that. If you wanted to compare both of those things with the impact of HIV in Ghana, then that's now possible. So our entire thing is, how do we actually provide the technology base and the skills to, one, host the data, support the building of the models and support the visualization of it, so people can actually make these comparisons.

Cindy Ng: You're responsible for a lot, so let's try to break it down a bit. When you receive a bunch of data sets from various sources, take me through what your plan is for them. Last time we spoke, we spoke about obesity. Maybe that is a good one, one that everyone can relate to?

Tyrone Grandison: Sure. So, say we get an obesity data set from either the health entities within a particular country. It goes through a process where we have a team of data analysts look at the data and extract the relevant portions of it. We then put it into our ingesting pipeline, where we then vet it. Vet it in terms of what can it apply to. Does it apply to specific diseases? Obviously, it's going to apply to a specific country. Does it apply to a particular age group and gender? From that point on, we then include it in models. And we have our modeling pipeline that does everything from estimating the number of years lost from obesity in that particular country. Also, as I mentioned before, it actually sees if that particular statistic that we got from that survey is relevant or not. From there, we basically use it to figure out, okay, well what is the overall picture across the world for obesity? And then, we visualize it and make it accessible. And provide people with the ability to tell stories on it with the hope that at some point, a policymaker or somebody within the public health institute within a particular country is gonna see it and actually use it in their decision making in terms of how to actually improve obesity in their particular country.

Cindy Ng: And when you talk about relevant and modeling, people say in the industry that there is a lot of unconscious bias. How do you reconcile that? And how do you work with certain factors that people think are controversial? For instance, people have said th

Sep 11, 2017 (35 min)

S1 Ep 92: When Hackers Behave Like Ghosts

We’re a month away from Halloween, but when a police detective aptly described a hotel hacker as a ghost, I thought it was a really clever analogy! It’s hard to recreate and retrace an attacker’s steps when there are no fingerprints or evidence of forced entry. Let’s start with your boarding pass. Before you toss it, make sure you shred it, especially the barcode. It can reveal your frequent flyer number, your name, and other PII. Someone can even submit the passenger’s information on the airline’s website and learn about any future flights. Anyone with access to your printed boarding pass could do harm, and you would never know who the perpetrator was. Next, let’s assume you arrive at your destination and the hotel is using a hotel key with a vulnerability. In the past, when hackers revealed a vulnerability, companies stepped up to fix it. But now, when systems need a fix and a software patch won’t do, how do we scale the fix across millions of hotel key hardware units?

Other articles discussed:
Make metrics and influence people
Keylogging with an iPhone and Android

Tool of the week: Gost: Build a local copy of Security Tracker.

Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Mike Buckbee

Sep 7, 2017 (24 min)

S1 Ep 90: Security Doesn’t Take a Vacation

Do you keep holiday photos off social media while you’re on vacation? Security pros advise that it's one way to reduce your security risk. Yes, the idea of an attacker mapping out a route to steal items from your home sounds ambitious. However, we’ve seen actual examples of both a phishing attack and a theft occur. Alternatively, the panelists point out that this perspective depends on how vulnerable you might be. An attacker who needs an entry point and believes you’re a worthy target is vastly different from the general noise of regular social media sharers.

Other articles discussed:
Pseudo ransomware increases
Companies improve their security because of rise in ransomware
Seven things startups need to know
Biometrics: What’s in a face
What happens when you reply to spam, a TED Talk
$500,000 for a zero day?

Tool of the week: https://github.com/wangyu-/udp2raw-tunnel

Panelists: Cindy Ng, Mike Thompson, Forrest Temple, Mike Buckbee

Aug 30, 2017 (25 min)

S1 Ep 89: The Security of Visually Impaired Self-Driving Cars

How long does it take you to tell the difference between fried chicken and a poodle? What about a blueberry muffin and a Chihuahua? When presented with these photos, it takes a closer look to tell them apart. It turns out that self-driving car cameras have the same problem. Recently, security researchers were able to confuse self-driving car cameras by adhering small stickers to a standard stop sign. What did the cameras see instead? A 45 mph speed limit sign. The dangers are self-evident. However, the good news is that there are enough built-in sensors and cameras to act as a failsafe. But followers of our podcast know that other technologies with known vulnerabilities might not be as lucky.

Other articles discussed:
New law would make re-anonymizing data illegal
Encoding malware into physical strands of DNA
Wiretapping your Amazon Echo
Responsible ways to share a vulnerability

Tool of the week: Macie: Automatically Discover, Classify, and Secure Content at Scale

Panelists: Cindy Ng, Jeff Peters, Kris Keyser, Mike Buckbee

Aug 24, 2017 (28 min)

S1 Ep 87: Dr. Zinaida Benenson and Phishing, Part II

Dr. Zinaida Benenson is a researcher at the University of Erlangen-Nuremberg, where she heads the "Human Factors in Security and Privacy" group. She and her colleagues conducted a fascinating study into why people click on what appears to be obvious email spam. In the second part of our interview, Benenson offers very practical advice on dealing with employee phishing and also discusses some of the consequences of IoT hacking.

Aug 23, 2017 (8 min)

S1 Ep 88: Deleting a File Is More than Placing It into the Trash

When we delete a file, our computer’s user interface makes the file disappear as if it were a simple drag and drop. The reality is that the file is still on your hard drive. In this episode of the Inside Out Security Show, our panelists elaborate on the complexities of deleting a file, the lengths IT pros go to in order to obliterate a file, and the surprising places your files might reside. Kris Keyser explains, “When you’re deleting a file, you’re not necessarily deleting a file. You’re deleting the reference to that file.”

Other Articles Discussed:
UK government guidance on protecting a computer on wheels
Companies need force fields to protect their network
Illinois state employees get cybersecurity training
The security of shredding paper
Uber drivers outsmart the algorithm?
One hack away from Armageddon?

Instead of a “Tool of the Week,” we learned about a coveted certification from a Black Hat attendee: Offensive Security Certified Professional. It is a 24-hour lab test to demonstrate your understanding of identifying vulnerabilities, pen testing, etc.

Panelists: Cindy Ng, Kris Keyser, Jeff Peters, Forrest Temple

Aug 17, 2017 (23 min)

S1 Ep 85: Dr. Zinaida Benenson and Phishing, Part I

Zinaida Benenson is a researcher at the University of Erlangen-Nuremberg, where she heads the "Human Factors in Security and Privacy" group. She and her colleagues conducted a fascinating study into why people click on what appears to be obvious email spam. In the first part of our interview with Benenson, we discuss how she collected her results, and why curiosity seems to override security concerns when dealing with phish mail.

Transcript

[Inside Out Security] Zinaida Benenson is a senior researcher at the University of Erlangen-Nuremberg. Her research focuses on the human factors connections in privacy and security, and she also explores IoT security, two topics which we are also very interested in at the Inside Out Security blog. Zinaida recently completed research into phishing. If you were at last year's Black Hat Conference, you heard her discuss these results in a session called How To Make People Click On Dangerous Links Despite Their Security Awareness. So, welcome Zinaida.

[Zinaida Benenson] Okay. So my group is called Human Factors In Security And Privacy. But also, as you said, we are also doing technical research on the internet of things. And mostly when we are talking about human factors, we think about how people make decisions when they are confronted with security or privacy problems, and how can we help them in making those decisions better.

[IOS] What brought you to my attention was the phishing study you presented at Black Hat, I think that was last year. And it was just so disturbing, after reading some of your conclusions and some of the results. But before we talk about them, can you describe that specific experiment you ran phishing college students using both email and Facebook?

The Experiment

[ZB] So in a nutshell, we sent, to over 1,000 university students, an email or a personal Facebook message from non-existing persons with popular German names. And these messages referred to a party last week and contained a link to supposed pictures from the party. In reality, this link led to an “access denied” page, but the links were individual. So we could see who clicked, and how many times they clicked. And later, we sent them a questionnaire where we asked for the reasons for their clicking or not clicking.

[IOS] Right. So basically, they were told that they would be in an experiment but they weren't told that they would be phished.

[ZB] Yes. So recruiting people for, you know, cyber security experiments is always tricky because you can't tell them the real goal of the experiment — otherwise, they would be extra vigilant. But on the other hand, you can't just send them something without recruiting them. So this is an ethical problem. It's usually solved by recruiting people for something similar. So in our case, it was a survey about internet habits.

[IOS] And after the experiment, you did tell them what the purpose was?

[ZB] Yes, yes. So this is called a debriefing, and this is also a special part of ethical requirements. So we sent them an email where we described the experiment and also some preliminary results, and also described why it could be dangerous to click on a link in an email or a Facebook message.

[IOS] Getting back to the actual phish content, the phish messaging content, in the paper I saw, you showed the actual template you used. And it looked — I mean, as we all get lots of spam – to my eyes and I think a lot of people's eyes, it just looked like really obvious spam. Yet, you achieved very respectable click rates, and I think for Facebook, you got a very high rate – almost, was it 40% – of people clicking what looked like junk mail!

[ZB] We had a bare IP address in the link, which should have alerted some people. I think it actually alerted some who didn't click. But, yes, depending on the formulation of the message, we had 20% to over 50% of email users clicking. And independently of the formulation of the message, we had around 40% of users clicking. So in all cases, it's enough, for example, to get a company infected with malware!

50% Clicked on Emails

[IOS] That is surprising! But then you also learned by surveying them the reasons they were clicking. And I was wondering if you can share some of those, some of the results you found?

[ZB] So the reasons. The most important or most frequently stated reason for clicking was curiosity. People were amused that the message was not addressed to them, but they were interested in the pictures. And the next most frequently stated reason was that the message actually was plausible, because people actually went to a party last week, and there were people there that they did not know. And so they decided that it's quite plausible to receive such a message.

[IOS] However, it was kind of a very generic-looking message. So it's a little hard to believe, to me, that they thought it somehow related to them!

[ZB] We should always consider the target audience. And this was students, and students com

Aug 14, 2017 (14 min)

S1 Ep 86: Are Cyber War Rooms Necessary?

While some management teams are afraid of a pentest or risk assessment, other organizations, particularly financial institutions, are well aware of their security risks. They are addressing these risks by simulating cyberattacks. By putting the IT staff, managers, board members and executives who would be responsible for responding to a real breach or attack through these simulations, they learn how to respond to press, regulators, law enforcement, and other scenarios they might not otherwise expect. However, other security experts would argue that cyber war rooms are financially prohibitive for most organizations with a limited budget. What’s more, organizations should keep in mind that not all attacks have to be complicated. If organizations curb phishing attacks or achieve a least privilege model, they would already significantly reduce their risk.

Other Articles Discussed:
Dark web marketplaces AlphaBay and Hansa shut down
Every voting machine gets hacked at DEF CON
Real life Minority Report
German judge rules that keylogging employees is illegal

Tool of the week: Reply All Podcast: Long Distance

Panelists: Cindy Ng, Mike Buckbee, Kris Keyser, Kilian Englert

Aug 11, 2017 (28 min)

S1 Ep 84Roxy Dee, Threat Intelligence Engineer

Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon, where she shared practical career advice with infosec n00bs. But aside from all the free books and advice, she also has an inspiring personal and professional story to share. In our interview, I learned that she had a budding interest in security but lacked the funds to pursue her passion. How did she work around her financial constraint? Free videos and notes from Professor Messer! What’s more, she thrived in her first post providing tech support for Verizon Fios. With grit, discipline and volunteering at BSides, she eventually landed an entry-level position as a network security analyst. Now she works as a threat intelligence engineer and in her spare time writes how-tos and shares sage advice on her Medium account, @theroxyd.

Transcript

Cindy Ng: For individuals who have had a nonlinear career path in security, Threat Intelligence Engineer Roxy Dee knows exactly what that entails. She begins by describing what it was like to learn about a new industry with limited funding, and how she studied security fundamentals in order to get her foot in the door. In our interview, she reveals three things you need to know about vulnerability management, why fraud detection is a lot like network traffic detection, and how to navigate your career with limited resources. We currently have a huge security shortage, and people are making analogies as to the kind of people we should hire. For instance, if you're able to pick up music, you might be able to pick up technology. And I've found that in security it's extremely important to be detail oriented, because the adage is the bad guys only need to be right once and security people need to be right all the time. And I had read on your Medium account the way you got into security, for practical reasons. And so let's start there, because it might help encourage others to start learning about security on their own. Tell us what aspect of security you found interesting and the circumstances that led you in this direction.

Roxy Dee: Just to comment on what you've said. Actually, that's a really good reason to make sure you have a diverse team is because everybody has their own special strengths and having a diverse team means that you'll be able to fight the bad guys a lot better because there will always be someone that has that strength where it's needed. The bad guys, they can develop their own team the way they want and so it's important to have a diverse team because every bad guy you meet is going to be different. That's a very good point, itself.

Cindy Ng: Can you clarify "diverse?" You mean everybody on your team is going to have their own specialty that they're really passionate about? By knowing what they're passionate about, you know how to leverage their skill set? Is that what you mean by diversity?

Roxy Dee: Yeah. That's part of it. I mean, just making sure that you don't have the same person. For example, I'll tell my story like you asked in the original question. As a single mom, I have a different experience than someone that has had less difficulties in that area, so I might think of things differently, or be resourceful in different ways. Or I'm not really that great at writing reports. I can write well, but I haven't had the practice of writing reports. Somebody that went to college, they might have that because they were kind of forced to do it, by having people from different backgrounds that have had different struggles. And I got into security because I was already into phone phreaking, which is a way of hacking the phone system. And so for me, when I went to my first 2600 Meeting and they were talking about computer security and information security, it was a new topic and I was kind of surprised. I was like, "I thought 2600 was just about phone hacking." But I realized that at the time...It was 2011, and phone hacking had become less of a thing and computer security became more of something. I got the inspiration to go that route, because I realized that it's very similar. But as a single mom, I didn't have the time or the money to go to college and study for it. So I used a lot of self-learning techniques, I went to a lot of conferences, I surrounded myself with people that were interested in the topic, and through that I was able to learn what I needed to do to start my career.

Cindy Ng: People have trouble learning the vocabulary because it's like learning a new language. How did you...even though you were into phone hacking and the transition into computer security, it has its own distinct language, how did you make the connections and how long did it take you? What experiences did you surround yourself with to cultivate a security mindset?

Roxy Dee: I've been on computers since I was a little kid, like four or five years old. So for me, it may not be as difficult for me as other people, because I kind of grew up on co

Aug 3, 2017, 23 min

S1 Ep 83: Blackhat Briefings That Will Add to Your Tool Belt

We’re counting down to Blackhat USA, one of the world’s leading information security conferences, where we’ll learn about the latest research, development and trends. We’ll also be at booth #965 handing out fabulous fidget spinners and showcasing all of our solutions that help you protect your data from insider threats and cyberattacks. In this podcast episode, we discuss sessions you should attend as well as questions to ask that will help you reduce risk. We even cover why it isn't wise to rely only on research methods like honeypots to save you from insider threats or other attacks.

Sessions discussed:
The Art of Securing 100 Products
The Active Directory Botnet
And the Script-Kiddie Said, “Let There Be No Light”
Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
IoT Candy Jar: Intelligent-Interaction HoneyPot Devices

Tool of the Week: Virtual Private Cloud (VPC)
Panelists: Cindy Ng, Kris Keyser, Kilian Englert, Mike Buckbee

Jul 25, 2017, 26 min

S1 Ep 82: Cyber Threats Are Evolving and So Must Two-Factor

Finally, after years of advocacy, many popular web services have adopted two-factor authentication (2FA) as a default security measure. Unfortunately, as you might suspect, attackers have figured out workarounds: for instance, intercepting the one-time PIN during a password reset with a man-in-the-middle attack. So what should we do now? As the industry moves beyond 2FA, the good news is that three-factor authentication is not on the shortlist as a replacement. Google’s identity systems manager, Mark Risher, said, “One of the truths we’ve found is that people won’t accept more security than they think they need.” There has been talk of using biometrics as a promising form of authentication. In the meantime, know that using 2FA is still more secure than using just a password.

Other articles discussed:
Singapore cybersecurity pros need a license to conduct investigative work
White hat privilege
Android malware threatens to expose browsing history to your contacts
Websites without HTTPS are not recommended

Panelists: Cindy Ng, Rob Sobers, Mike Buckbee, Kilian Englert

Jul 21, 2017, 20 min

S1 Ep 81: Budgets and Ethics

Right now, many companies are planning 2018’s budget. As always, it is a challenge to secure enough funds to keep up with IT’s growing responsibilities. Whether you’re a nonprofit, a small startup or a large enterprise, you’ll be asked to stretch every dollar. In this week’s podcast, we discussed the challenges a young sysadmin volunteer might face when tasked with setting up the IT infrastructure for a nonprofit. And for a budget interlude, I asked the panelists about the growing suggestion that engineers take philosophy classes to help with ethics-related questions.

Other articles discussed:
PC that will self-destruct if tampered with
FTC’s panel discussion on growing security and privacy challenges with connected cars
Dilemmas with Google’s Project Zero

Tool of the week: honeyλ, a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway
Panelists: Cindy Ng, Kilian Englert, Mike Thompson, Mike Buckbee
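The idea behind a URL honeytoken tool like honeyλ, as an added example that is not the project’s own code: mint unique decoy URLs, plant them where only an intruder would look (a fake credentials file on a share, a “backup” link in a decoy document), and treat any request to one as a high-fidelity alert, because nobody legitimate ever fetches it. The handler below follows the AWS API Gateway proxy-event shape a Lambda function would receive but runs offline in plain Python; the hostname, the token labels and the two request events are constructed for this example, and the in-memory alert list stands in for SNS, Slack or a SIEM.

```python
# Added example, not honeyλ's code: a self-contained URL honeytoken service.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Alert:
    token_id: str
    label: str          # where the token was planted: the key fact for the responder
    source_ip: str
    user_agent: str
    seen_at: float


@dataclass
class HoneytokenService:
    base_url: str                                  # assumed API Gateway hostname
    tokens: dict = field(default_factory=dict)     # token_id -> label
    alerts: list = field(default_factory=list)     # stand-in for SNS/Slack/SIEM

    def create(self, label: str) -> str:
        """Mint a new token URL and remember where it will be planted."""
        token_id = secrets.token_urlsafe(12)       # 96 random bits: not guessable by scanners
        self.tokens[token_id] = label
        return f"{self.base_url.rstrip('/')}/{token_id}"

    def handle(self, event: dict) -> dict:
        """Lambda-style handler for an API Gateway proxy-integration event."""
        token_id = event.get("path", "").strip("/").split("/")[-1]
        if token_id not in self.tokens:
            # Unknown paths (random scanning, crawlers) are noise, not alerts.
            return {"statusCode": 404, "body": "Not found"}
        headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
        source_ip = (event.get("requestContext", {})
                          .get("identity", {})
                          .get("sourceIp", "unknown"))
        self.alerts.append(Alert(token_id, self.tokens[token_id], source_ip,
                                 headers.get("user-agent", ""), time.time()))
        # Serve something plausible so the intruder does not learn they tripped a wire.
        return {"statusCode": 200,
                "headers": {"Content-Type": "text/html"},
                "body": "<html><body>Loading...</body></html>"}


def demo() -> list:
    """Plant one token, replay one scanner request and one real hit, return alerts."""
    svc = HoneytokenService("https://canary.example.invalid/t")   # hypothetical host
    url = svc.create(r"fake AWS creds in \\fileserver\finance\backup.txt")
    token_id = url.rsplit("/", 1)[-1]
    # Constructed events mimicking the API Gateway proxy format.
    noise = {"path": "/t/wp-login.php", "httpMethod": "GET", "headers": {},
             "requestContext": {"identity": {"sourceIp": "198.51.100.9"}}}
    hit = {"path": f"/t/{token_id}", "httpMethod": "GET",
           "headers": {"User-Agent": "curl/7.64.1"},
           "requestContext": {"identity": {"sourceIp": "203.0.113.7"}}}
    if svc.handle(noise)["statusCode"] != 404:
        raise RuntimeError("unknown path must not alert")
    if svc.handle(hit)["statusCode"] != 200:
        raise RuntimeError("planted token must be served")
    return svc.alerts


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT token={a.token_id} planted_at={a.label!r} "
              f"from={a.source_ip} ua={a.user_agent!r}")
```

Two details matter in practice: unknown paths return 404 without alerting, so scanners walking your API Gateway hostname do not flood the channel, and a real hit serves an innocuous page rather than an error. The label attached at creation time is the most useful field in the alert, because it tells the responder which planted file or share was opened.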

Jul 12, 2017, 25 min

S1 Ep 80: Is Data Worth More Than Money?

When it comes to infosecurity, we often say to treat data like money. And rightfully so. After all, data is valuable, not to mention the human hours devoted to safeguarding an organization’s data. However, when a well-orchestrated attack sets out to destroy an organization’s data rather than to profit from it, we wondered whether data is really worth more than money. Sure, you can quantify the cost of tools, equipment and hours spent protecting data, but what about intellectual and emotional labor? How do we assign proper value to the creative essence and spirit of what makes our data valuable?

Other articles discussed:
People like the idea of privacy, but not the effort
How the Internet could kill us all
Military retaliation for a cyberattack
Canada Supreme Court blocks Google searches
FTC updated COPPA to include IoT toys

Panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Mike Thompson

Jul 7, 2017, 27 min

S1 Ep 79: In the Dark about Our Data

It’s been reported that 85% of businesses are in the dark about their data. This means they are unsure what types of data they have, where it resides, who has access to it, who owns it, or how to derive business value from it. Why is this a problem? First, the consumer data regulation GDPR is just a year away, and if you’re in the dark about your organization’s data, meeting this regulation will be a challenge. If your organization is outside the EU but processes EU citizens’ personal data, GDPR rules will still apply to you. Second, when you encounter attacks such as ransomware, it’s a bit of a mess to clean up. You’ll have to figure out which users were infected, whether anything else got encrypted, when the attack started, and how to prevent it from happening in the future. However, what’s worse than a ransomware attack are attacks that don’t notify you, like insider threats! These threats don’t present you with a ransomware-like pop-up window telling you you’ve been hacked. It’s probably better to be the company that got scared into implementing some internal controls than the one that didn’t bother and then went out of business because all its customer data and trade secrets ended up in the public domain. In short, it just makes good business and security sense to know where your data resides.

Other articles discussed:
The GOP data leak contains a wealth of personal information on roughly 61 percent of the US population
End-to-end security could be mandatory across most of Europe
What’s so exciting about behavioral biometrics?
Learn more about the Orange is the New Black ordeal and the family-owned post-production studio that had to deal with it

Tool of the week: DNSTwist
Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee
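What the tool of the week automates, as an added example that is not dnstwist’s own code: generate the typo, homoglyph and TLD-swap lookalikes of a domain you own, then check a feed of newly observed domains against them. The domain, the TLD list and the observed feed are constructed for the example; in practice the feed would come from certificate-transparency logs, passive DNS or proxy logs. dnstwist also resolves each candidate, checks MX records and whois, and uses more fuzzing algorithms than shown here, and it handles multi-label suffixes such as .co.uk, which this plain rsplit on the last dot does not.

```python
# Added example, not dnstwist's code: generate lookalike domains and match them
# against an observed list.
import string

# Visually confusable substitutions, applied in both directions.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
VOWELS = "aeiou"
# Alternative TLDs worth watching (assumed list; extend to what your brand uses).
TLDS = ("com", "net", "org", "co", "io", "info")


def permutations(domain: str) -> set:
    """Return lookalike candidates for *domain* as lower-case FQDNs."""
    if "." not in domain:
        raise ValueError("expected a registrable domain such as example.com")
    name, tld = domain.lower().rsplit(".", 1)      # naive split, see lead-in
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                      # omission: exmple
        names.add(name[:i] + ch + name[i:])                     # repetition: exaample
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: exmaple
            names.add(name[:i + 1] + "-" + name[i + 1:])        # hyphenation: ex-ample
        if ch in VOWELS:
            for v in VOWELS:                                    # vowel swap: exomple
                if v != ch:
                    names.add(name[:i] + v + name[i + 1:])
    for a, b in HOMOGLYPHS.items():                             # homoglyph: examp1e
        if a in name:
            names.add(name.replace(a, b))
        if b in name:
            names.add(name.replace(b, a))
    for ch in string.ascii_lowercase + string.digits:           # addition: examplea
        names.add(name + ch)
    names.discard(name)                                         # never flag the real name
    candidates = {f"{n}.{tld}" for n in names}
    candidates |= {f"{name}.{t}" for t in TLDS if t != tld}     # TLD swap: example.net
    return candidates


def find_lookalikes(domain: str, observed) -> list:
    """Domains from *observed* that are permutations of *domain*, sorted."""
    wanted = permutations(domain)
    return sorted({d.lower().strip(".") for d in observed} & wanted)


# Constructed sample of "newly seen" domains, as a CT-log monitor might emit.
OBSERVED = [
    "example.com",          # the real one: never reported
    "exmaple.com",          # transposition
    "examp1e.com",          # homoglyph l -> 1
    "example.net",          # TLD swap
    "example-online.com",   # not generated here: combosquatting needs a wordlist
    "unrelated.org",
]

if __name__ == "__main__":
    for d in find_lookalikes("example.com", OBSERVED):
        print("lookalike:", d)
```

The generated set is a few hundred names for a short domain, which is why dnstwist follows generation with resolution: a candidate that resolves, or that has MX records, is the one worth a phishing-takedown ticket. Combosquats such as example-online.com need a separate keyword list and are not produced by character-level fuzzing.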

Jul 6, 2017, 28 min

S1 Ep 78: What does the EU General Data Protection Regulation (GDPR) mean for countries outside the EU?

The short answer is: if your organization stores, processes or shares EU citizens’ personal data, GDPR rules will apply to you. In a recent survey, 94% of large American companies said they possess EU customer data that will fall under the regulation, but only 60% of respondents have plans in place to respond to the impact the GDPR will have on how they handle customer data. Yes, GDPR isn’t light reading, but in this podcast we’ve found a way to simplify the GDPR’s key requirements so that you’ll get a high-level sense of what you’ll need to do to become compliant. We also discuss the promise and challenges of what GDPR can bring: changes to how consumers relate to data as well as how IT will manage consumer data. After the podcast, you might want to check out the free 7-part video course we developed with Troy Hunt on the new European General Data Protection Regulation, which covers: What are the requirements? Who will be affected? How does this help protect personal data?

Jun 29, 2017, 31 min

S1 Ep 77: Troy Hunt and Lessons from a Billion Breached Data Records

Troy Hunt is a web security guru, Microsoft Regional Director, and author whose security work has appeared in Forbes, Time Magazine and Mashable. He’s also the creator of “Have I been pwned?”, the free online service for breach monitoring and notifications. In this podcast, we discuss the challenges of the industry, learn about his perspective on privacy and revisit his talk from RSA, Lessons from a Billion Breached Data Records, as well as a more recent talk, The Responsibility of Disclosure: Playing Nice and Staying Out of Prison. After the podcast, you might want to check out the free 7-part video course we developed with Troy on the new European General Data Protection Regulation, which becomes enforceable on May 25, 2018, changing the landscape of regulated data protection law and the way that companies collect personal data. Pro tip: GDPR will also impact companies outside the EU.

Transcript

Cindy Ng: Troy Hunt is a web security guru, Australian Microsoft Regional Director and author whose security writing has appeared in Forbes, Time Magazine, and Mashable. In this podcast, we talk about his popular website, Have I Been Pwned, the morals and ethics in the work we're involved in, and one thing everyone should get when it comes to security. I'd like to try to capture on a podcast things that we can't do in writing or in visual format and I think there's an emotional aspect in audio. It really helps people get to know more of who you are.

Troy Hunt: You know, those were the exact words that just came to mind as you were saying it because there's a lot of feeling and sentiment that gets lost when you just throw things out, isn't there?

Cindy Ng: Mm-hmm. Definitely. And you have a site, Have I Been Pwned, that notifies people when there's a data breach. And I was listening to your recording that you did at RSA, "Lessons from a Billion Breached Records." I thought it was really interesting that you were making the case that kids, they're 18, 19, 20 years old that are hackers, then you're mediating conversation with them. Do you talk to their parents?

Troy Hunt: No, I just tell them to go to their room and think about what they've done. And we...no, I can't do that. I feel like doing that at times because you get the sense, and to be clear, when we say, "talk," it is all text, right? This is not what you and I are doing. And to the earlier point, that, yeah, this doesn't sort of convey emotion and sentiment and maturity in the same way as a voice discussion does. This is all sort of text-based chat. And you sort of get the impression from the style of chat, the words that are used, the references that are made, you build up this mental image of who you're talking to, right? And time and time again, it's like this is a young male, it's either legally a child, you know, normally 15, 16, 17, or very young adult, maybe sort of early 20s at the eldest. And time and time again, we see that that plays out to be the case. And particularly when we look at historical incidents of the likes of "hacktivists" being arrested and charged and that's a little bit of a liberally-used term, I suspect, hacktivist. Very often when we see people that have been breaking into systems and causing havoc for not necessarily for sort of monetary gain or personal advancement, but just because it was there, just for the lulz. We see this pattern time and time again. Look, I mean, certainly, at that age, people are independent enough that I'm not going to end up in conversations with their parents. That would be condescending for me to go, "Hey, is your mom or dad there?" You know, "Can I have a chat to them?" So, we don't normally end up in that direction.

Cindy Ng: It's just funny that you're engaging with them in a very human way to verify a breach or in the process of.

Troy Hunt: You know, they are human.

Cindy Ng: Well, we really don't know what hackers look like. We have a certain kind of image of them.

Troy Hunt: Well, I mean, yes and no. So we have put faces to them insofar as we have seen many previous incidents where we've seen these people, this, you know, class of person, charged and turn up publicly. I mean, some of very sort of high-profile ones have been the likes of some of the individuals from the LulzSec hacktivist group that were very active around 2011. So we know of people like Jake Davis who was about 18 at the time who was charged. We know it's Jake because he was up there in the news as a sort of a high-profile catch, if you like, for the authorities. And we've also seen him and others as well in that group actually go on to do some really cool stuff in very productive ways. So, you know, I guess there is this part of us which knows in an evidence-based way who these individuals tend to be and the demographic they fit into. And then the point I make, particularly in the introduction of that talk about the billions of breached records, is that there's this other side which is

Jun 22, 2017, 27 min

S1 Ep 73: John P. Carlin: Emerging Threats (Part 4)

In this concluding post of John Carlin’s Lessons from the DOJ, we cover a few emerging threats: cyber as an entry point, hacking for hire and cybersecurity in the IoT era. One of the most notable anecdotes is John’s description of how easy it was to find hacking-for-hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Also, expect things to get worse before they get better. With the volume of IoT devices now available that were developed without security by design, we'll need to find a way to mitigate the risks.

Transcript

Cindy Ng: You may have been following our series on John Carlin's work during his tenure as Assistant Attorney General for the U.S. Justice Department. He described cyber as an entry point as one of our threats, using our latest election process as an example. But now, John has a few more emerging threats to bring to your attention: hacking for hire and cyber security in the IoT era. One of John's striking descriptions is how easy it is to find hacking for hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Expect things to get worse before they get better. With the volume of IoT devices created without security by design, we'll need to find a way to mitigate the risk.

John Carlin: Let me move to emerging threats. We've talked about cyber as an entry point, a way that an attack can start. Even when the cyber event isn't really the critical event in the end, our electoral system and confidence in it wasn't damaged because there was an actual attack on the voting infrastructure, if there's an attack where they steal some information that's relatively easy to steal and then they get to combine with the whole campaign of essentially weaponizing information, and that caused the harm. The other trend we're seeing is the hacking for hire. I really worry about this one. I think over the next five years, what we're seeing is, the dark web now, it's so easy to use, well, I don't recommend this necessarily, but when you go on it, you see sophisticated sales bazaars that look as customer-friendly as Amazon. And when I say that I mean it literally looks like Amazon. I went on one site and it's complete with customer reviews, like, "I gave him four stars, he's always been very reliable, and 15% of the stolen user names and passwords that he gives me work, which is a very high rate." Another one will be like, "This crook's botnet has always been really good at doing denial-of-service attacks, five stars!" So that's the way it looks right now on the dark web, and that's because they're making just so much, so much money they can invest in an infrastructure and it starts to look as corporate as our private companies. What I worry about, is because those tools are for rent, use the botnet example, you know, one of the cases that we did was the Iranian Revolutionary Guard Corps attack on the financial sector. They hit 46 different financial institutions with the distributed denial-of-service attack, taking advantage of a huge botnet of hundreds and hundreds of thousands of compromised computers. They'd knocked financial institutions, who have a lot of resources, offline, affected hundreds of thousands of customers, cost tens of millions of dollars. Right now, on the dark web, you can rent the use of an already-made botnet. So the criminal group creates the botnet, they're not the ones who necessarily use it. Right now they tend to rent it to other criminal groups who will do things like GameOver Zeus, a case that we did, you know, they'll use it for profit, they'll use it for things like injecting malware that will lead to ransomware or injecting malware for a version of extortion, essentially, where they were turning on people's video cameras and taking naked pictures, and then charging money, or all the other criminal purposes you can put a botnet to. But it doesn't take much imagination to see how a nation state or a terrorist group could just rent what the criminal groups are doing to cause an attack on your companies. In terms of emerging threats, you're certainly tracking the Internet of Things era. I mean, you think about how far behind we are given where the threat is just because we moved very, very quickly from putting everything we value, from analog to digital space, connecting it to the internet over a 25-year period roughly. We're now on the verge of an even more transformative evolution, where we put not just information, but all the devices that we need from everything, from the pacemakers in our heart, the original versions that were rolled out, actually this is still an issue, for good medical reasons they wanted to be able to track in real-time information coming out of people's hearts, but they rolled it out unencrypted, because they just don't think about it when it comes to the Internet of Things. Th

Jun 15, 2017, 12 min

S1 Ep 76: Tracking Dots, Movement and People

Long before websites, apps and IoT devices, one primary way of learning and sharing information was the printed document. They’re not extinct yet. In fact, we’ve given them an upgrade: nearly all modern color printers embed some form of tracking information that associates a document with the printer's serial number. This type of metadata is known as tracking dots. We learned about them when prosecutors alleged that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. Rest assured the Inside Out Security Show panelists all had a response to this form of printed metadata. Another type of metadata that will be discussed in the Supreme Court is whether the government needs a warrant to access a person’s cell phone location history. “Because cell phone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the ACLU Speech, Privacy, and Technology Project.

Other articles discussed:
Malware installed on a router can take control over a device’s LEDs and use them to transmit data
Twitter product Studio had a vulnerability that allowed tweeting from any account
Commenting secret code on Britney Spears’ Instagram account

Inside Out Security Show panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Forrest Temple

Jun 14, 2017, 23 min

S1 Ep 75: Security Pros and Users, We’re All in This Together

The latest release of SANS’ Security Awareness Report attributed communication as one of the primary reasons why awareness programs thrive or fail. Yes, communication is significant, but what does communication mean? “The goal of communication is to facilitate understanding,” said Inside Out Security Show (IOSS) panelist Mike Thompson. Another panelist, Forrest Temple, expanded on that idea: “The skill of communication is the clarity through which that process happens. Being able to tell a regular user about the purpose behind the policy is the important part.” However, IOSS panelist Kilian Englert pushed back on the report’s findings that insinuated users or security pros are to blame when a program fails. Yes, clear communication is vital, but he also added, “We’re all in this together.” Others echoed this sentiment when we discussed a recent report that 83% of security pros waste time fixing co-workers’ non-security problems.

Other articles discussed:
Inmates built computers and hid them in ceiling, connected them to prison network
Proposed US Bill Would Legalize Aggressive "Hack Back" Attacks
Is “I forget” a valid defense when court orders demand a smartphone password?
China’s New Cybersecurity Law

Jun 7, 2017, 27 min

S1 Ep 74: Taking The Long View, Investing in Technology and Security

We’re living in exciting times. Today, if you have an idea as well as a small budget, you can most likely build it. This is particularly true in the technology space, which is why we’ve seen the explosion of IoT devices on the marketplace. However, what’s uncertain is the byproduct of our enthusiastic making, innovating, and disrupting. Hypothetical questions that used to be debated on the big screen are questions we’re now debating on our podcast. Will we be able to maintain an appropriate level of privacy within our homes? What are some positive and negative applications of a new technology? Should we do away with identification cards so that we can authenticate with biometrics? On this week’s Inside Out Security Show, Cindy Ng, Kilian Englert, Kris Keyser and Mike Buckbee weigh in on these pressing questions.

Other articles discussed:
All IT jobs are cybersecurity jobs now
Does the laptop ban make sense?

Course of the week: GDPR Attack Plan: What You Need To Know

Jun 5, 2017, 27 min