
State of Cybercrime
209 episodes — Page 4 of 5

S1 Ep 72 - John P. Carlin: Ransomware & Insider Threat (Part 3)
We continue our series with John Carlin, former Assistant Attorney General for the U.S. Department of Justice's National Security Division. This week, we tackle ransomware and insider threat. According to John, ransomware continues to grow, with no signs of slowing down, and it is a vastly underreported problem. He also addressed the confusion over whether one should engage law enforcement or pay the ransom. And even though the recent focus has been on ransomware as an outside threat, let's not forget the insider threat: an insider can potentially do even more damage.

Transcript

Cindy Ng: We continue our series with John Carlin, former Assistant Attorney General for the U.S. Justice Department. This week we tackle ransomware and insider threats. According to John, ransomware is a vastly under-reported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though, lately, we've been focused on ransomware as an outside threat, one area that doesn't get as much focus is insider threat. And that's worrisome because an insider can potentially do even more damage.

John Carlin: Ransomware, it was skyrocketing when I was in government. In the vast, vast, as I said earlier, majority of the cases, we were hearing about them with the caveat that they were asking us not to make it public, and so it is also vastly under-reported. I don't think there's anywhere near, right now, the reporting. I think Verizon attempted to do a good job. There've been other reports that have attempted to get a firm number on how big the problem is. I think the most recent example that's catching people's attention is Netflix. Another area where I think too few companies right now are thinking through how they'd engage law enforcement. And I don't think there's an easy answer. I mean, there's a lot of confusion out there as to whether you should or shouldn't pay.

And there was such confusion over FBI folks, when I was there, giving guidance saying, "Always pay." The FBI issued guidance, and we have a link to it here, that officially says they do not encourage paying a ransom. That doesn't mean, though, that if you go into law enforcement that they're gonna order you not to pay. Just like they have for years in kidnapping, I think they may give you advice. They can also give back valuable information. Number one, if it's a group they've been monitoring, they can tell you, and do as they've tried to move more towards the customer service model, they can tell you whether they've seen that group attack other actors before, and if they have, whether if you pay they're likely to go away or not. Because some groups just take your money and continue. Some groups, the group who's asking for your money isn't the same group that hacked you, and they can help you on that as well. Secondly, just as risk-reduction, as the example I gave earlier of Ferizi shows, or the Syrian Electronic Army, you can end up, number one, violating certain laws when it comes to the Treasury, so-called OFAC, and material support for terrorism laws by paying a terrorist or other group that's designated as a bad actor. But more importantly, I think for many of you, then, that potential criminal regulatory loss is the brand. You do not want a situation where it becomes clear later that you paid off a terrorist. And so, by telling law enforcement what you're doing, you can hedge against that risk. The other thing you need to do has nothing to do with law enforcement, but is resilience and trying to figure out, "Okay, what are my critical systems, and what's the critical data that could embarrass us? Is it locked down? What would be the risk?" The most recent public example Netflix has shown, you know, some companies decide season 5 of "Orange is the New Black," it's not worth paying off the bad guy.

We've been focusing a lot on outside actors coming inside, and something I think has gotten too little attention, or sometimes gets too little attention, is the insider threat. That's another trend. As we focus on how, when it comes to outsider threats, the approach needs to change, and instead of focusing so much on perimeter defense, we really need to focus on understanding what's inside a company, what the assets are, what we can do to complicate the life of a bad guy when they get inside your company. Risk mitigation, in other words. A lot of the same expenditures that you would make, or same processes that you put in place to help mitigate that risk, are also excellent at mitigating the risk from insider threat. And that's where you can get an economy of scale on your implementation. When I took over National Security Division, my first, I think, week, was the Boston Marathon attack. But then, shortly after that was a fellow named Snowden deciding to disclose, in bulk, information that was devastating to certain government agencies across the board. And one of my

S1 Ep 71 - John P. Carlin: Economic Espionage & Weaponized Information (Part 2)
In part two of our series, John Carlin shared with us lessons on economic espionage and weaponized information. As former Assistant Attorney General for the U.S. Department of Justice's National Security Division, he described how nation state actors exfiltrated data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs. He also reminded us how important it is for organizations to work with the government as he took us down memory lane with the Sony hack. He explained how destructive an attack can be when it uses soft targets, such as email, that do not require sophisticated techniques.

Transcript

Cindy Ng: In part two of John Carlin's talk, we learn more about how nation state actors exfiltrate data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs. He also took us down memory lane, describing how the Sony hack showed us how successful an attack can be by using soft targets, such as email, that do not require sophisticated techniques.

John Carlin: Let me talk a little bit about economic espionage and how we moved into this new space. When I was a computer-hacking prosecutor prosecuting criminal cases, we were plenty busy. And I worked with an FBI squad, and the squad that I worked with did nothing but criminal cases. There was an intelligence squad who was across the hall, and they were behind a locked, secured compartmented door. The whole time I was doing criminal cases, about 10, 15 years ago, we never went on the other side of that door. If an agent switched squads, they just disappeared behind that locked, secured door. I then went over to the FBI to be Chief of Staff to the director, FBI Director Mueller. And when I was there, that door opened and we started to see day-in, day-out what nation state actors were doing to our country.

And what we saw were state actors, and we had a literal jumbotron screen the size of a movie theater where we could watch it through a visual interface in real time. And we were watching state actors hop into places like universities, go from the university into your company, and then we would literally watch the data exfiltrate out. As we were watching this, it was an incredible feat of intelligence, but we also realized, "Hey, this is not success. We're watching billions and billions of dollars of what U.S. research and development, and our allies, have developed in losses. We're seeing millions of jobs lost." One estimate has it at more than two million jobs. "What can we do to make it clear that the threat isn't about consumer data or IP, the threat is about everything that you value on your system? And how do we make clear that there's an urgent need to address this problem?" What we did is, when I came back to Justice to lead up the National Security Division, is we looked to start sharing information within government. So, for the first time, every criminal prosecutor's office across the country, all 93 U.S. Attorneys' offices, now has someone who's trained on the bits, and the bytes and the Electronic Communication Privacy Act on the one hand. On the other hand, on how to handle sensitive sources and methods, and encouraged to see, can you bring a case? This only happened in 2013. This approach is still very, very new. The FBI issued an edict that said, "Thou shalt share what was formerly only on the intelligence side of the house with this new, specially-trained cadre." They then were redeployed out to the field. It's because of that change in approach that we did the first case of its kind, the indictment of five members of the People's Liberation Army, Unit 61398.

This was a specialized unit who, as we laid out in the complaint, they were hitting companies like yours and they were doing it for reasons that weren't national security, they weren't nation-state reasons. They were doing things like...Westinghouse was about to do a joint venture with a partner in China, and right before they were gonna go into business together, you watched as the Chinese uniformed members of the People's Liberation Army, the second largest military in the world, went in, attacked their system and instead of paying to lease the lead pipe as they were supposed to do the next day, they went in and stole the technical design specifications so they could get it for free. That's one example laid out in the complaint. Or to give another example, and this is why it's not the type of information that is required to be protected by regulation, like consumer data or intellectual property. Instead, for instance, they went into a solar company, it was a U.S. subsidiary of a German multi-national and they stole the pricing data from that company. Then the Chinese competitor, using this information stolen by the People's Liberation Army, price dumped. They set their product just below where the competitor would be. That forced that competitor into bankruptcy.

S1 Ep 70 - Our Post WannaCry World
After WannaCry, US lawmakers introduced the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act. If the bill passes, it would create a Vulnerabilities Equities Process Review Board to decide whether a vulnerability known to the government should be disclosed to a non-government entity. It won't be an easy law to iron out, as lawmakers will need to find the right balance between vulnerability disclosure and national security. Meanwhile the Shadow Brokers, the group that leaked the SMBv1 exploit (EternalBlue) behind WannaCry, announced a subscription-based business that would give paying members a monthly data dump of zero-days and exploits. Grounded in our post-WannaCry world, the Inside Out Security Show panelists (Cindy Ng, Mike Thompson and Kilian Englert) mulled over a popular philosophical keynote by Cory Doctorow, The Coming War on General Purpose Computing. We closed out the show with another damaging attack, Adylkuzz, a cryptocurrency miner spread through the same exploit, and asked whether the panelists would rather face an attack like ransomware that announces itself or a miner that quietly consumes their systems' resources without their knowledge.

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

S1 Ep 69 - Winning Security by a Landslide
Even though it feels like France's presidential election happened ages ago, it was a very public security win. The Inside Out Security show panelists (Cindy Ng, Kris Keyser, Mike Buckbee, and Kilian Englert) synthesize how it all unfolded. They also weighed in on the FBI director's dismissal. What's relevant about this story for infosec is what happens after someone leaves an organization.

Other stories discussed:
- Ross Anderson interview
- A keylogger in HP's audio driver
- Attacked Over Tor

Tool of the week: Gixy

S1 Ep 67 - Attorney and GDPR Expert Sue Foster, Part 2
Sue Foster is a London-based partner at Mintz Levin. In the second part of the interview, she discusses the interesting loophole for ransomware breach reporting requirements that's currently in the GDPR. However, there's another EU regulation going into effect in May of 2018, the NIS Directive, which would make ransomware reportable. Foster also talks about the interesting implications of IoT devices in terms of the GDPR. Is the data collected by your internet-connected refrigerator or coffee pot considered personal data under the GDPR? Foster says it is!

Transcript

Inside Out Security: Sue Foster is a partner with Mintz Levin based out of the London office. She works with clients on European data protection compliance and on commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She's a graduate of Stanford Law School. She is also, and we like this here at Varonis, a Certified Information Privacy Professional. I'm very excited to be talking to an attorney with a CIPP, and with direct experience on a compliance topic we cover on our blog — the General Data Protection Regulation, or GDPR. Welcome, Susan.

Sue Foster: Hi Andy. Thank you very much for inviting me to join you today. There's a lot going on in Europe around cybersecurity and data protection these days, so it's a fantastic set of topics.

IOS: Oh terrific. So what are some of the concerns you're hearing from your clients on GDPR?

SF: So one of the big concerns is getting to grips with the extra-territorial reach. I work with a number of companies that don't have any office or other kind of presence in Europe that would qualify them as being established in Europe. But they are offering goods or services to people in Europe. And for these companies, you know in the past they've had to go through quite a bit of analysis to understand whether the Data Protection Directive applies to them. Under the GDPR, it's a lot clearer and there are rules that are easier for people to understand and follow.

So now when I speak to my U.S. clients, if they're a non-resident company that promotes goods or services in the EU, including free services like a free app, for example, they'll be subject to the GDPR. That's very clear. Also, if a non-resident company is monitoring the behavior of people who are located in the EU, including tracking and profiling people based on their internet or device usage, or making automated decisions about people based on their personal data, the company is subject to the GDPR. It's also really important for U.S. companies to understand that there's a new ePrivacy Regulation in draft form that would cover any provider, regardless of location, of any form of publicly available electronic communication services to EU users. Under this ePrivacy Regulation, the notion of what these communication services providers are is expanded from the current rules, and it includes things that are called over-the-top applications – so messaging apps and communications features, even when a communication feature is just something that is embedded in a website. If it's available to the public and enables communication, even in a very limited sort of forum, it's going to be covered. That's another area where U.S. companies are getting to grips with the fact that European rules will apply to them. So there's this new security regulation as well that may apply to companies located outside the EU. So all of these things are combining to suddenly force a lot of U.S. companies to get to grips with European law.

IOS: So just to clarify, let's say a small U.S. social media company that doesn't market specifically to EU countries, doesn't have a website in the language of some of the EU countries, they would or would not fall under the GDPR?

SF: On the basis of their [overall] marketing activity they wouldn't. But we would need to understand if they're profiling or they're tracking EU users or through viral marketing that's been going on, right? And they are just tracking everybody. And they know that they're tracking people in the EU. Then they're going to be caught. But if they're not doing that, if they're not engaging in any kind of tracking, profiling, or monitoring activities, and they're not affirmatively marketing into the EU, then they're outside of the scope. Unless of course, they're offering some kind of service that falls under one of these other regulations that we were talking about.

IOS: What we're hearing from our customers is that the 72-hour breach rule for reporting is a concern. And our customers are confused, and after looking at some of the fine print, we are as well! So I'm wondering if you could explain the breach reporting in terms of thresholds, what needs to happen before a report is made to the DPAs and consumers?

SF: Sure, absolutely. So first it's important to look at the specific definition of personal data breach. It means a breach of security leading to the 'accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or acc

S1 Ep 68 - Pick Up Music, Pick Up Technology
Last week, when the world experienced the largest ransomware outbreak in history, it also reminded me of our cybersecurity workforce shortage. When events like WannaCry happen, we can never have too many security heroes! There was an idea floating around that suggested individuals with a music background might have a promising future in security. The thinking is: if you can pick up music, you can also pick up technology. The Inside Out Security panelists (Cindy Ng, Mike Thompson, Forrest Template and Mike Buckbee) are in agreement. They extended the sentiment to all artists and added that creative thinking along with attention to detail can go a long way.

Other articles discussed:
- Intel Warns of Active Management Technology Vulnerability
- Besides Netflix's Orange is the New Black threat, hackers also helped themselves to copies of titles from other companies
- IoT companies keep building devices with security flaws
- What nuclear security officers (and infosec pros) can learn from casino managers
- IBM sends USBs with malware to customers

Tool of the week: Pi-hole

S1 Ep 66 - Attorney and GDPR Expert Sue Foster, Part 1
Sue Foster is a London-based partner at Mintz Levin. She has a gift for explaining the subtleties in the EU General Data Protection Regulation (GDPR). In this first part of the interview, she discusses how US companies can get caught up in either the GDPR's extraterritoriality rule or the e-Privacy Directive's new language on embedded communication. She also decodes the new breach notification rules, and when you need to report to the DPA and to consumers. Privacy and IT security pros should find her discussion particularly relevant.

S1 Ep 65 - John P. Carlin: Lessons Learned from the DOJ (Part 1)
Last week, John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice's (DOJ) National Security Division, spent an afternoon sharing lessons learned from the DOJ. Because the lessons have been so insightful, we'll be rebroadcasting his talk as podcasts. In part one of our series, John weaves in lessons learned from Ardit Ferizi, Hacktivists/Wikileaks, Russia, and the Syrian Electronic Army. He reminds us that the current threat landscape is no doubt complicated, requiring blended defenses, and stresses the significance of collaboration between businesses and law enforcement. John Carlin currently chairs Morrison & Foerster's global risk and crisis management team.

Transcript

Cindy Ng: John Carlin, Chair of Morrison and Foerster's Global Risk and Crisis Management Group, says the secret to effective crisis management is that you've thought about it before the crisis. We thought we'd put his expertise to good use by having him share with us his experience as Assistant Attorney General for National Security on a wide range of topics. He described the current threat landscape, economic espionage, weaponized information, and what organizations can do to manage their risk. We are re-broadcasting his talk, which was held last week, as a series, starting with what a blended threat looks like, the particular challenges of insider threats, and the significance of the government working collaboratively with the private sector.

John Carlin: The threat when it comes to what's facing our private companies has reached a level we haven't seen before. That's true for two reasons really. Some of what we're seeing on the threats are things that in the national security community we've been monitoring for years, but we've had a change of approach. So in the past, while we were monitoring it, it would stay in classified systems.

We would watch what nation states were doing or terrorist groups were doing and we didn't have any method to make it public. So one trend has been governments are starting to make public what they see in cyberspace. The second is that the actual threat itself has increased both in volume and complexity. That's been quite noticeable. In the past year alone, and really the past two years, we've seen cyber incidents that have gotten people's attention from every level. That has caused in government a shift in terms of the regulatory attention that's focused on cyber security breaches. When I recently left government, there was almost an unholy rush across every regulatory and law enforcement agency as they realized what the scope of the threat was and how their existing regulatory or law enforcement authorities were not covering it. That caused them to do two things. One, to try to come up with creative ways to interpret existing regulatory standards so that they can impose liability in the event of a cyber breach, and second, for those who realize that no matter how creative you got, there just was no way to bring it within existing regulations, more countries around the world are adopting data breach laws than ever before, most notably, Europe coming onboard in 2018, but really it's a global phenomenon. And as part of the focus on data breach, they're also having laws that are starting to impose certain standards of care or specific security obligations. I think it's that combination of increased awareness of the threat plus an increasingly complex and potentially punitive regulatory and law enforcement environment that's made this a top-of-mind issue for C-suites in poll after poll, not just here in the United States but in countries throughout the world. It's new and they're not quite sure what the legal regulatory landscape looks like, and accordingly, it's the type of thing that keeps them up at night.

For those of you in the information technology space, that could be good news and bad news. It means more scrutiny on what you're doing but then hopefully, as we explain what it is and what can be done, it will also mean more resources. There's the old description of traditional cyber threats, and it's not like any of these have stopped, which would be crooks, nation states, activists, terrorists, everyone who wants to do something bad in the real world moving to cyberspace as we move everything that we value from analog to digital space, and the type of activity that they did ranged from economic espionage type activity to destruction of information, alteration of information, which I think is a trend that we need to watch, this is the idea of the integrity of your data may be at stake. I know, it's top-of-mind for those of us responsible for protecting against criminal and national security threats in government and fraud. I'm not going to spend too much on those traditional buckets. I wanted to highlight two new areas of cyber threat that are here, now. One is the, what I'll call the blended threat and the second is insider threats. Let's start with the ble

S1 Ep 64 - Security Learn-It-Alls
Rather than referring to our weekly podcast panelists as security experts, we're now introducing them as security practitioners. Why? A popular business article on mindset brought to our attention the perils of self-proclaimed titles such as expert and guru. Such a title signals that our "thirst for knowledge in a particular subject has been quenched." That is far from reality! Security is a constantly evolving field, with new threats and vulnerabilities. To have a fighting chance, it would behoove us to start by cultivating a curious learner mindset by asking, "Why?" and "How does this work?"

As reformed security know-it-alls, here are some of the stories we covered:
- Unroll.me apologizes for not being clear that it sells user data
- Misinterpretation of Uber buying Unroll.me data
- BrickerBot breaks unsecured gadgets
- Antivirus program mistakenly IDs Windows as a threat
- Hacked Amazon seller accounts

Tool of the week: Account Lockout Status

S1 Ep 63 - Presenting Cybersecurity Ideas to the Board
There's been a long-held stigma amongst our infosec cohort, and it's getting in the way of doing business. What's the stigma, you ask? "Know-it-all" techies who are unable to communicate. Unfortunately, this shortcoming also puts our jobs at stake. According to a recent cybersecurity survey, the board members polled said that IT and security executives will lose their jobs because of their failure to provide the board with useful, actionable information. It gets worse: more than half of board members say that the data presented is too technical. In an effort to redeem ourselves and to understand the problem, I suggested role-playing with the Inside Out Security panel (Cindy Ng, Kilian Englert, Mike Buckbee, and Kris Keyser) to practice speaking with executives about cybersecurity. I presented two practical scenarios. The first prompt: explain why you might need UBA even if you already have a SIEM tool. The other: explain the importance of keeping the health data generated by a wearable safe and secure.

Articles discussed in our podcast:
- How to derive a profit from the data deluge
- Headphones that spy on listeners
- New phone sign-in feature that skips the password
- Microchip implanted between one's thumb and index finger
- Microsoft fixed critical vulnerabilities in an uncredited update released in March

Tool of the week: PowerSploit

S1 Ep 62 - When Security is a Status Symbol
As sleep and busyness gain prominence as status symbols, I wondered when, or if, good security would ever achieve the same notoriety. Investing in promising security technology is a good start. We've also seen an upsurge in biometrics as a form of authentication. And let's not forget our high school cybersecurity champs! However, as we celebrate new technologies, we sometimes remain at a loss over vulnerabilities in existing technologies, such as the ability to guess a user's PIN from the phone's sensors. I'm also alarmed by how easily you can order an attack!

S1 Ep 61 - Christina Morillo, Enterprise Information Security Expert
If you want to be an infosec guru, there are no shortcuts to the top. And enterprise information security expert Christina Morillo knows exactly what that means. When she worked at the help desk, she explained technical jargon to non-technical users. As a system administrator, Christina organized and managed AD, met compliance regulations, and completed entitlement reviews. As a security architect, she developed a comprehensive enterprise information security program. And if you need someone to successfully manage an organization's risk, Christina can do that as well. In our interview, Christina Morillo revealed the technical certificates that helped jumpstart her infosec career, described work highlights, and shared her efforts in bringing a more accurate representation of women of color in tech through stock images.

Transcript

Cindy Ng: Christina Morillo has been in the security space long before automation and actual data became the industry's "it" word. She has been helping organizations advance their infosec and insider threat programs through her deep technical expertise in centralizing disparate systems, strengthening and automating tasks, as well as translating complex issues between the business and IT stakeholders. In our interview, Christina highlights hallmarks in her career, turning points in the industry, and how she worked her way to the top.

Cindy Ng: So, you've been in the security space for almost 20 years, and you've seen the field transform into something that people didn't really know about. Into something that people see almost regularly on the front page news. And I wanted to go back in time and for you to tell us how you got started in the security business.

Christina Morillo: So, I actually got started in the technology industry about 18 years ago, and out of that, in security, I've been like 11 to 12 years. But I pretty much got started from the ground up while I was attending university. I actually got a job doing technical support for, at the time, Compaq computers. So that's like I'm aging myself right there. But back when Compaq computers were really popular, I worked for a call center, and we did 24-hour technical support. And that's where I kind of learned all of my troubleshooting skills, and being able to kind of walk someone through restarting their computer, installing an update, installing a patch, being able to articulate technical jargon in a nontechnical format. Then from there, I moved on to doing more desktop support. I wanted to get away from the call center environment, I wanted to get away from that, and be in, like, an enterprise environment where I was the support person, so I could get that user interaction. So that's where my journey started. It feels like yesterday, but it's been a long time.

Cindy Ng: It goes by quickly, and how did you get started at Swiss Re?

Christina Morillo: When I came back home from university, I am originally from New York City, I was looking for work. And I wanted to really get into financial services, doing IT within the financial services industry because I knew that would be a good strategic move for my professional career. I bumped into this recruiter, and he told me about a position at Swiss Re within their capital management investment division. And so I gave it a go even though I didn't have the experience. You know, I took a shot. And they really liked the fact that I had prior experience with Active Directory and networking. And since I was very much hands-on and I had just taken some Microsoft certifications, so I was like really into it. So I was able to answer the questions really efficiently, and they liked me, so they gave me the shot. That's what started me into the world of information security, and identity, and access management, and access control. I learned all my "manual foundation" I'll call it, manual fundamentals, at Swiss Re.

Cindy Ng: Would you say that your deep understanding of AD was an important part of your career?

Christina Morillo: Oh, absolutely. Absolutely.

Cindy Ng: And what do most sysadmins get wrong when it comes to their understanding of AD?

Christina Morillo: There is a lot to do with the whole permissioning and file structure. A lot of times people don't really go into the differences between share permissions and NTFS permissions. And it can get really complex really fast. Especially when you're learning in school, you create your environment, right? So it's very clean. But when you start at a company, you're looking at years of buildup. So you go into these environments where it's nowhere near what you learned at school. So you're just like, oh my goodness. And it becomes really overwhelming very quickly. I think it's, like, not having that deep understanding and deep knowledge, and just kind of taking short routes. Because we're very busy during the day, and there's a lot to do, right? Especially for sysadmins. They have a lot on their plates. So I think a lot of times it's

S1 Ep 60Evolving Bank Security Threats
It was only last week that we applauded banks for introducing cardless ATMs in an effort to curb financial fraud. But with the latest bank heists, it may help to turn up both the offense and the defense. Why? Hackers were able to drill a hole, connect a wire, cover it up with a sticker, and the ATM would automatically and obediently dispense money. Another group of enterprising hackers changed a bank's DNS, taking over its website and mobile sites and redirecting customers to phishing sites. But let's be honest and realistic. Bank security is no easy feat. Banks are complicated systems with a large attack surface to defend, whereas attackers only need to find one vulnerability, sprinkle it with technical expertise, and get to decide when and how the attack happens. Moreover, they don't have to worry about bureaucracy, meeting compliance requirements, or following laws. The bottom line is that attackers have more flexibility and are more agile.

In addition to evolving bank security threats, we also covered the following:
Android overtakes Windows as the internet's most used operating system
Whose responsibility is it to revoke SSL certificates if they're obviously phishing sites?
Your smart TV doesn't need to be connected to the internet to have a security fail
Connecting technology with textiles to create smart textiles is an ambitious task!
Tool of the week: ngrok, secure introspected tunnels to localhost

Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

S1 Ep 59Americans’ Cyber Hygiene
Recently, the Pew Research Center released a report highlighting what Americans know about cybersecurity. The intent of the survey and quiz was to understand how closely Americans are following best practices recommended by cybersecurity experts. One question on the quiz reminded us that we're entitled to one free copy of our credit report every 12 months from each of the three nationwide credit reporting companies. The reason behind this offering is that there is so much financial fraud. And in an effort to curb banking scams, Wells Fargo introduced cardless ATMs, where customers can log into their app to request an eight-digit code to enter along with their PIN to retrieve cash. Outside the US, the £1 coin gets a new look and line of defense. It uses an Integrated Secure Identification System, which gets authenticated at high speeds, with automated industry-leading detection levels. Plus, it's harder to counterfeit, and that's exactly what we want!

Other themes and ideas we covered that weren't part of the quiz:
Things to look out for on browser extensions
Connecting our brains wirelessly to computers
An industrial smart dishwasher has a vulnerability

Did the Inside Out Security panel – Cindy Ng, Mike Thompson, Kilian Englert, and Mike Buckbee – pass Pew's cybersecurity quiz? Listen to find out!

S1 Ep 58What CISOs are Making, Reading and Sharing
Besides talking to my fav security experts on the podcast, I've also been curious about what CISOs have been up to lately. After all, they have the difficult job of keeping an organization's network and data safe and secure. Plus, they tend to always be a few steps ahead in their thinking and planning. After a few clicks on Twitter, I found a CISO at a predictive analytics SaaS platform who published a security manifesto. His goal was to build security awareness into every job, every role, and to give people a reason to choose the more secure path. Another CSO at a team communication and collaboration tool company stressed the importance of transparency. This means communicating with their customers as much as possible: what he's working on and how their bug bounty and features work.

As for what CISOs are reading and sharing, here are a few links to keep you on your toes and us talkin':
3 ways to outsmart attackers by using their own playbook
Rogue cell phone towers to distribute Android banking malware via spoofed SMS messages
Phisher tricked two big US tech companies into wiring him $100 million
Firefox gets complaint for labeling unencrypted login page insecure (Sorry! That's a feature, not a bug)

S1 Ep 57No Data Left Behind
Over the past few weeks, we've been debating a user's threshold for his personal data seen in the public domain. For instance, did you know that housing information has always been public information? It is gathered from county records, and the internet has just made the process of gathering the information less cumbersome. However, if our personal information leaks into the public domain due to a security lapse, it's still not as serious as, say, a breach of 2 million records. The point is that many security experts will remind us that there is no perfect security, as lapses and breaches will happen. Meanwhile, I bemoan that no data should be left behind (all data should be protected!) and discuss my concerns with this week's Inside Out Security Show panel – Cindy Ng, Mike Buckbee, Kilian Englert and Forrest Temple.

Additional articles we discussed:
Google's Deepmind Makes AI Program That Can Learn Like A Human
Organizations are Facing Challenges Getting Value from Big Data

S1 Ep 55When Our Reality Becomes What the Data Says
In our "always-on" society, it's important that our conversation on IoT security continues with the question of data ownership. It's making its way back into the limelight now that Amazon, with the defendant's permission, handed over user data in a trial. Or what about new software that captures all the angles of your face to build your security profile? Your face is such an intimate aspect of who you are; should we reduce that intimacy down to a data point? I discussed these questions with this week's Inside Out Security Show panel – Cindy Ng, Forrest Temple, Kilian Englert and Mike Buckbee.

Additional articles we discussed:
Leaked data tranche of 8,700 documents purportedly includes tools that turn smart TVs into covert surveillance devices
Spammers expose their entire operation through bad backups
Inside the TalkTalk 'Indian scam call centre'
A sysadmin told the courts he was authorized to trash his employer's network
Google accidentally spreads fake news

S1 Ep 53Security Courts the Internet of Things
As more physical devices connect to the internet, I wondered about the responsibility IoT manufacturers have in building strong security into the devices they create. There's nothing like a lapse in security to potentially halt the growth of a business or bring more cybersecurity awareness to a board. I discussed these matters with this week's Inside Out Security Show panel – Cindy Ng, Forrest Temple, Kilian Englert and Mike Buckbee. First in line to be discussed was the shocking revelation that while car manufacturers enabled users to control their vehicles with an app, they never thought through what happens when the car is sold. What's the harm? In the words of the car owner, "If I were a criminal, I could've stolen the car." In another alarming article, a security researcher recently discovered that anyone can connect to and control a cuddly CloudPets toy via Bluetooth, recording private conversations with the built-in microphone. If you're a parent who finds this IoT toy a cute way to leave messages with your child, your privacy may be at stake.

Additional recent news articles we discussed include:
AWS North Virginia facility outage
Speedy data transfer via the blink of a hard drive's LED light indicator
Tool of the week: Chaos Monkey, a resiliency tool that helps applications tolerate random instance failures

S1 Ep 51Proper Breach Notification
I recently came across an article that gave me pause, "Why Data Breaches Don't Hurt Stock Prices." If that's the case, and if a breach doesn't impact the sale of a company, does security matter? So I asked the Inside Out Security Panel – Cindy Ng, Forrest Temple, Mike Buckbee and Kilian Englert. They gently reminded me that there's more than just the stock price to look at: brand, trust, as well as pending lawsuits. In addition to these worries, proper breach notification is becoming a bigger responsibility. Is there a good or bad way to notify others about a breach? We discussed a controversial way a vendor disclosed their breach as well as some of the top stories of the week:
Would you tell border patrol agents the password to your phone?
This must be the year of mobile security
U.S. Homeland Security employees locked out of computer networks
Hacked audio recordings of conversations, passwords and docs
Tool of the week: Netflix Stethoscope

S1 Ep 49Gambling with User Data
The debate between users volunteering their data for better service versus being perceived as a creepy company that covertly gathers user data remains a hot topic for the Inside Out Security panel – Cindy Ng, Kris Keyser, Mike Buckbee, and Kilian Englert. There were two recent stories that triggered this debate. Recently, a smart television manufacturer agreed to pay a $2.2 million fine to the Federal Trade Commission for "collecting viewing data on 11 million consumer TVs without the consumers' knowledge or consent." Is that creepy, or could the argument be made that viewing data only helps with the overall user experience? Contrast the aforementioned story with one where psychologists and data scientists can measure a user's voluntary Facebook likes to diagnose a personality type. This is known as psychometrics and is measured using a model often referred to as OCEAN: openness (how open are you to new experiences?), conscientiousness (how much of a perfectionist are you?), extroversion (how sociable are you?), agreeableness (how considerate and cooperative are you?), and neuroticism (are you easily upset?). With your personality type identified, marketers believe that it can be used to influence users in a future purchasing decision or in voting in a presidential election. The panelists had vastly different views on acceptable and unacceptable behaviors.

Tool of the week: Git pre-commit hook to search for Amazon AWS API keys.

Other stories covered in this podcast:
Introducing "fabricated" data breaches to Have I been pwned
Engineers hack a casino slot machine
Really, really smart computers that play poker
Microsoft hosts the Windows source in a monstrous 300GB Git repository
76 apps in Apple's App Store still don't use best practices to protect user data
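The pre-commit hook from this week's tool item, as an added example that is my own code rather than the tool the show linked: it scans only the lines a commit adds for AWS access key IDs (the AKIA/ASIA prefix plus 16 upper-case alphanumerics) and, next to a tell-tale variable name, 40-character secret keys, then exits non-zero so git refuses the commit. The hook path .git/hooks/pre-commit and the sample diff are assumptions; the key pair in the sample is the placeholder AWS uses in its own documentation, not a live credential.

```python
#!/usr/bin/env python3
"""Git pre-commit hook that refuses commits adding AWS credentials.

Added example, not the tool mentioned on the show.  Install by saving it
as .git/hooks/pre-commit (assumed path) and marking it executable.
"""
import re
import subprocess
import sys

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 upper-case alphanumerics.  The 40-character secret has no
# fixed prefix, so it is only flagged when it sits next to a tell-tale name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def find_secrets(diff_text):
    """Scan the added ('+') lines of a unified diff.

    Returns (path, new_line_number, kind, matched_value) tuples.  Removed
    lines are ignored on purpose: deleting a leaked key must not be blocked.
    """
    findings = []
    current_file = None
    new_line = 0
    prev = ""
    for raw in diff_text.splitlines():
        if raw.startswith("+++ ") and prev.startswith("--- "):
            current_file = raw[4:].split("\t")[0]          # file header
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_line = int(m.group(1)) if m else 0         # first new line of hunk
        elif raw.startswith("+") and current_file:
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                m = pattern.search(content)
                if m:
                    findings.append((current_file, new_line, kind, m.group(m.lastindex or 0)))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                                  # unchanged context line
        prev = raw
    return findings


def staged_diff():
    """What 'git commit' is about to record (unified=0: no context lines)."""
    result = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def main():
    findings = find_secrets(staged_diff())
    for path, line, kind, value in findings:
        print(f"{path}:{line}: possible {kind}: {value[:4]}...{value[-4:]}", file=sys.stderr)
    if findings:
        print("Commit blocked. Remove the credential, then rotate it: it already "
              "lives in your editor history and shell scrollback.", file=sys.stderr)
        return 1
    return 0


# Constructed diff for a dry run (git diff --cached output, hand-written).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 REGION = "us-east-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "reports"
+# TODO: remove before release
"""

if __name__ == "__main__":
    if "--self-test" in sys.argv:
        for hit in find_secrets(SAMPLE_DIFF):
            print(hit)
    else:
        sys.exit(main())
```

A hook like this is a tripwire, not a control: `git commit --no-verify` skips it, so pair it with the same scan in CI, and treat any hit as a key that must be rotated, not merely deleted.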

S1 Ep 47Professor Angela Sasse on the Economics of Security
In part two of my interview with Angela Sasse, Professor of Human-Centred Technology, she shared an engagement she had with British Telecom (BT). The accountants at BT said that users were resetting passwords at a rate that overwhelmed the helpdesk's resources, making the cost untenable. The security team believed that the employees were the problem; meanwhile, Sasse and her team thought otherwise. She likened the problem of requiring users to remember their passwords to memory exercises. And with Sasse's help, they worked together to change to a security policy that worked for both the company and the user. We also covered the complexities of choosing the right form of authentication (i.e. passwords, 2FA or biometrics?), the pros and cons of user training, and the importance of listening to your users.

Transcript

Cindy Ng: Is there an engagement that you're able to talk about publicly of what happens when you're first engaged with an organization, what that process looks like?

Angela Sasse: You know, when we originally published "Users Are Not the Enemy," we didn't say that it was...this first study was down in British Telecom, but they subsequently did out themselves as the organization. And they actually approached me originally, because they knew they had a problem, but the security people hadn't realized. They thought it was...the employees were the problem. They were getting heat from the accountants over the cost of running the password reset desks because their employees couldn't cope with the passwords. There was an awful lot of resets going on. And those help desks got bigger and bigger, you know, both the internal ones and also the ones they were running for some of the services, you know, for the internet services they were running. And the accountants basically said, "The help desks have reached this size now, and this is untenable." You know, I mean, first of all, they can't grow anymore, and in the long run you've got to look to reducing this.
You know, the cost is just untenable. And so they originally said, "Oh, it's people's fault they can't remember their passwords," and whereas once we did the study, I said to them, "No, you're asking them to do memory exercises, to perform feats of memory that humans just can't do." And so, to me, actually, at this time, so this was in the late '90s, you know, it was clear to me that single sign-on, you know, that they really needed to look to bring a lot of the different systems they had behind a single sign-on. And that took a while. So that business case took, in total, five years to put that through the company and put it into action. But there was a couple of things that we worked on with them to reduce the load as much as we could without having a single sign-on mechanism. So, for instance, to get the company to standardize the user IDs, because if you've got lots of different passwords, having lots of different user IDs on top of that really doesn't help. And the next thing we did, which is something that only really has happened very recently, is to increase the lifetime of passwords, so to, basically, say, like, changing them every 30 days is ridiculous, right? You're pushing people...you know, the only way they can remember that is by either using the same password everywhere or by having very easy passwords with just numbers at the end, you know, that they keep increasing whenever they have to change it. So we basically worked with them and put...you know, basically changed the policies. And then they also took a view that for some of the infrequently-used systems, it was okay to write them down, to write passwords down, and then securing what they were writing down. That was the process over a period of time, and I think every time they made a change, they could see it was getting slightly better until the point then when they introduced a single sign-on. 
And I think a lot of organizations...I also know we worked with a financial services institution at the time where they went through a similar process. But then, of course, with outsourcing, the ability to put everything behind a single sign-on was going away. So even if you had a single sign-on for your internal systems, with all the outsourced stuff, and, you know, if you have, like, your blue book and your gym is contracted out. You know, some even contract their HR out, and all of those service providers have their own access credentials. Then employees very quickly end up with, you know, maybe half a dozen or up to ten different passwords again. So that problem got back, and I think it's just taken a long time. About 10 years ago, some organizations experimented with having biometric access to our IT systems. And that sort of, it worked for some of them, but others just found that it wasn't robust enough, and you had far too high error rates. But effectively now we've seen a shift to two-factor authentication. That means that the memory part of it is

S1 Ep 48Security Monk vs. Emperor Palpatine
This week, we continue our ongoing ransomware discussion with the Inside Out Security Show panel - Cindy Ng, Kilian Englert, Mike Buckbee, and Mike Thompson. But before we launched into our conversation, as an icebreaker, I asked the panel what their advice would be to this tired sysadmin who deleted the wrong directory on the wrong server.

Buckbee: Do exactly what they did to fix the problem.
Englert: It happens, you just have to recover and move on.
Thompson: Always take a snapshot before touching your production server.

Back to ransomware. I likened this singular, life-changing malware to Emperor Palpatine. Why? The scammers try to be your friend and provide customer support. Meanwhile, they're clever about extorting money from you. There were a few interesting ransomware stories that we covered:
An IT pro tried to fight back by sending the perpetrators the Locky ransomware. We're not certain if it was a success, but at least he tried.
One attack hijacked a hotel, stopping it from making new room keys.
Police storage devices that record video data were infected.
The scariest of them all: Google Play hosted a ransomware app that infected a user's cell phone.

Moving away from ransomware, here are some other stories we covered:
Android VPNs don't really encrypt
Backups of backups: pressing delete doesn't fully delete your data
US can't just seize data
Tool of the week: Google's Site Reliability Engineering

S1 Ep 45An Extra Factor of Authentication
Inspired by this tweet, I asked the Inside Out Security Show panel – Cindy Ng, Kilian Englert, Mike Buckbee, and Alan Cizenski – if they could add an extra factor of authentication, what would it be? Plus, we covered a few hot topics:
The risks of replacing passports and manned desks with biometric scanning and automation
What would it take to set up AD for 28 million users?
Buying technology is not a strategy
A password manager that doesn't encrypt everything?
Does perfect security exist?
What you can learn from reverse engineering 16K apps
Tool for a sysadmin: PsHosts, a PowerShell cmdlet module for modifying the hosts file on Windows

S1 Ep 44Medical Privacy Expert Adam Tanner (Part II)
Adam Tanner is the author of "Our Bodies, Our Data", which tells the story of a hidden dark market in drug prescription and other medical data. In recent years hackers have been able to steal health data on a massive scale -- remember Anthem? In this second part of our interview, we explore the implications of hacked medical data. If hackers get into a data broker's drug databases and combine them with previously stolen medical insurance records, will they rule the world?

Transcript

Inside Out Security: Today, I'd like to welcome Adam Tanner. Adam is a writer-in-residence at Harvard University's Institute for Quantitative Social Science. He's written extensively on data privacy. He's the author of What Stays In Vegas: The World of Personal Data and the End of Privacy As We Know It. His articles on data privacy have appeared in Scientific American, Forbes, Fortune, and Slate. And he has a new book out, titled "Our Bodies, Our Data," which focuses on the hidden market in medical data. Welcome, Adam.

Adam Tanner: Well, I'm glad to be with you.

IOS: We've also been writing about medical data privacy for our Inside Out Security blog. And we're familiar with how, for example, hospital discharge records can be legally sold to the private sector. But in your new book, and this is a bit of a shock to me, you describe how pharmacies and others sell prescription drug records to data brokers. Can you tell us more about the story you've uncovered?

AT: Basically, throughout your journey as a patient into the healthcare system, information about you is sold. It has nothing to do with your direct treatment. It has to do with commercial businesses wanting to gain insight about you and your doctor, largely, for sales and marketing. So, take the first step. You go to your doctor's office. The door is shut. You tell your doctor your intimate medical problems. The information that is entered into the doctor's electronic health system may be sold, commercially, as may the prescription that you pick up at the pharmacy or the blood tests that you take or the urine tests at the testing lab. The insurance company that pays for all of this or subsidizes part of this, may also sell the information. That information about you is anonymized. That means that your information contains your medical condition, your date of birth, your doctor's name, your gender, all or part of your postal zip code, but it doesn't have your name on it. All of that trade is allowed, under U.S. rules.

IOS: You mean under HIPAA?

AT: That's right. Now this may be surprising to many people who would ask this question, "How can this be legal under current rules?" Well, HIPAA says that if you take out the name and anonymize according to certain standards, it's no longer your data. You will no longer have any say over what happens to it. You don't have to consent to the trade of it. Outsiders can do whatever they want with that. I think a lot of people would be surprised to learn that. Very few patients know about it. Even doctors and pharmacists and others who are in the system don't know that there's this multi-billion-dollar trade.

IOS: Right … we've written about the de-identification process, which it seems like it's the right thing to do, in a way, because you're removing all the identifiers, and that includes zip code information, other geo information. It seems that for research purposes that would be okay. Do you agree with that, or not?

AT: So, these commercial companies, and some of the names may be well-known to us, companies such as IBM Watson Health, GE, LexisNexis, and the largest of them all may not be well-known to the general public, which is Quintiles and IMS. These companies have dossiers on hundreds of millions of patients worldwide. That means that they have medical information about you that extends over time, different procedures you've had done, different visits, different tests and so on, put together in a file that goes back for years. Now, when you have that much information, even if it only has your date of birth, your doctor's name, your zip code, but not your name, not your Social Security number, not things like that, it's increasingly possible to identify people from that. Let me give you an example. I'm talking to you now from Fairbanks, Alaska, where I'm teaching for a year at the university here. I lived, before that, in Boston, Massachusetts, and before that, in Belgrade, Serbia. I may be the only man of my age who meets that specific profile! So, if you knew those three pieces of information about me and had medical information from those years, I might be identifiable, even in a haystack of millions of different other people.

IOS: Yeah … We have written about that as well in the blog. We call these quasi-identifiers. They're not the traditional kind of identifiers, but they're other bits of information, as you pointed out, that can be used to sort of re-identify. Usually it's a small subset, but not always. And tha

S1 Ep 43Parents of Security
While I thought we could ride on our recent successes for just a bit longer, attackers are back in full swing, filling my Twitter feed with the latest jaw-dropping security news. As I waded in worry, I stumbled upon an interesting Benjamin Franklin quote, "Distrust and caution are the parents of security." Should distrust and caution be the parents of security? Who or what should the parents of security be? I brought these questions to the Inside Out Security Show panelists – Cindy Ng, Kilian Englert, Mike Buckbee, and Forrest Temple.

Also, here are some of the stories we covered:
Stop using SMB1
Learn about the latest vulnerabilities
Gmail phishing scam
Hi-res image of your peace sign could lift your fingerprint
IT employee offered to unlock data for $200,000. Maybe it should have just been $2,000?
Sysadmin tool: Nishang - PowerShell for penetration testing and offensive security

S1 Ep 42Security Pros Bring Out Their Game Face
With ransomware and data breaches driving headlines, it can feel like security pros are always one step behind. However, I recently found a few stories that I thought were worth celebrating. Not everyone on the Inside Out Security Show panel – Cindy Ng, Mike Buckbee, Kilian Englert, and Kris Keyser – thought the stories were good news. Nonetheless, I think that over time, as technologies mature, they do become more stable and secure. A few steps forward, a few steps back, right? Here are some of the stories we covered. What do you think?
California makes ransomware a standalone crime
Department of Defense gets into the bug bounty business
ISO Vulnerability Disclosure Standard is now free
FTC and FCC are paying close attention to IoT
A few states tell you if you've been hacked
Airports leverage machine learning and big data to assist with security
Sysadmin tool: How to set up an SPF record to prevent spam and spear phishing
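The SPF record set-up from the sysadmin tool item, as an added example that is my code and not the show's: a checker that parses a v=spf1 TXT record, lints it for the mistakes that make SPF ineffective (more than the 10 DNS-lookup terms RFC 7208 allows, the deprecated ptr mechanism, a missing or +all/~all terminal) and evaluates a sending IP against it the way a receiver's check_host() would. The zone data is constructed (RFC 5737 and RFC 3849 documentation addresses, .example names) and stands in for live DNS; a, mx, ptr and exists mechanisms need real lookups and are treated as no-match here.

```python
"""Lint and evaluate SPF records offline.

Added example, not code from the show.  ZONE below is constructed and
stands in for the DNS TXT lookups a real receiver would make.
"""
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per
# evaluation, beyond which receivers return permerror and the record protects nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([a-z0-9]+)(.*)$", re.I)

ZONE = {  # constructed TXT records keyed by domain
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example": (
        "v=spf1 a mx ptr include:one.example include:two.example "
        "include:three.example include:four.example include:five.example "
        "include:six.example include:seven.example include:eight.example +all"
    ),
}


def parse_spf(record):
    """Return (qualifier, name, argument) per term; modifiers get qualifier None."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok and tok[0] not in QUALIFIERS:      # modifier: redirect=, exp=
            name, _, arg = tok.partition("=")
            terms.append((None, name.lower(), arg))
            continue
        qual = "+"                                        # default qualifier is pass
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term {tok!r}")
        name, rest = m.group(1).lower(), m.group(2)
        arg = rest[1:] if rest.startswith(":") else rest  # keep the "/24" of "a/24"
        terms.append((qual, name, arg))
    return terms


def lookup_count(terms):
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)


def check_spf(record):
    """Static lint of one record; an empty list means nothing obviously wrong."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    problems = []
    n = lookup_count(terms)
    if n > 10:
        problems.append(f"{n} DNS-lookup terms, limit is 10: receivers return permerror")
    if "ptr" in names:
        problems.append("ptr is deprecated (RFC 7208 section 5.5) and slow to evaluate")
    if "all" not in names and "redirect" not in names:
        problems.append("no terminal all: unlisted senders get neutral, not fail")
    for qual, name, _ in terms:
        if name == "all" and qual == "+":
            problems.append("+all lets every host on the internet send as this domain")
        elif name == "all" and qual == "~":
            problems.append("~all only soft-fails forgeries; use -all once every sender is listed")
    if "all" in names and names.index("all") != len(names) - 1:
        problems.append("terms after all are never evaluated")
    return problems


def evaluate(record, sender_ip, zone=ZONE, depth=0):
    """check_host() for ip4, ip6, include, redirect and all.

    a, mx, ptr and exists need live DNS and are treated as no-match here.
    """
    if depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    terms = parse_spf(record)
    for qual, name, arg in terms:
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            target = zone.get(arg.lower())
            if target is None:
                return "permerror"                    # RFC 7208 section 5.2: no record
            sub = evaluate(target, sender_ip, zone, depth + 1)
            if sub == "permerror":
                return sub
            if sub == "pass":                         # only a pass inside matches
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    # redirect= applies only when no mechanism matched
    redirect = next((arg for _, name, arg in terms if name == "redirect"), None)
    if redirect is not None:
        target = zone.get(redirect.lower())
        return "permerror" if target is None else evaluate(target, sender_ip, zone, depth + 1)
    return "neutral"


if __name__ == "__main__":
    for domain, record in ZONE.items():
        print(domain, "->", check_spf(record) or "ok")
    print(evaluate(ZONE["example.com"], "203.0.113.5"))   # forged sender
```

Run the lint against your own record before publishing it; the lookup limit is the one most often tripped in practice, because each include of a SaaS mailer brings that vendor's own includes along with it.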

S1 Ep 41Medical Privacy Expert Adam Tanner (Part I)
Adam Tanner is the author of "Our Bodies, Our Data", which tells the story of a hidden dark market in drug prescription and other medical data. Adam explains how the sale of "anonymized" data is a multi-billion dollar business not covered by HIPAA rules. In this first part of our interview, we learn from Adam how the medical data brokers got started and why it's legal.

Transcript

Inside Out Security: Today, I'd like to welcome Adam Tanner. Adam is a writer-in-residence at Harvard University's Institute for Quantitative Social Science. He's written extensively on data privacy. He's the author of What Stays In Vegas: The World of Personal Data and the End of Privacy As We Know It. His articles on data privacy have appeared in Scientific American, Forbes, Fortune, and Slate. And he has a new book out, titled "Our Bodies, Our Data," which focuses on the hidden market in medical data. Welcome, Adam.

Adam Tanner: Well, I'm glad to be with you.

IOS: We've also been writing about medical data privacy for our Inside Out Security blog. And we're familiar with how, for example, hospital discharge records can be legally sold to the private sector. But in your new book, and this is a bit of a shock to me, you describe how pharmacies and others sell prescription drug records to data brokers. Can you tell us more about the story you've uncovered?

AT: Basically, throughout your journey as a patient into the healthcare system, information about you is sold. It has nothing to do with your direct treatment. It has to do with commercial businesses wanting to gain insight about you and your doctor, largely, for sales and marketing. So, take the first step. You go to your doctor's office. The door is shut. You tell your doctor your intimate medical problems. The information that is entered into the doctor's electronic health system may be sold, commercially, as may the prescription that you pick up at the pharmacy or the blood tests that you take or the urine tests at the testing lab. The insurance company that pays for all of this or subsidizes part of this, may also sell the information. That information about you is anonymized. That means that your information contains your medical condition, your date of birth, your doctor's name, your gender, all or part of your postal zip code, but it doesn't have your name on it. All of that trade is allowed, under U.S. rules.

IOS: You mean under HIPAA?

AT: That's right. Now this may be surprising to many people who would ask this question, "How can this be legal under current rules?" Well, HIPAA says that if you take out the name and anonymize according to certain standards, it's no longer your data. You will no longer have any say over what happens to it. You don't have to consent to the trade of it. Outsiders can do whatever they want with that. I think a lot of people would be surprised to learn that. Very few patients know about it. Even doctors and pharmacists and others who are in the system don't know that there's this multi-billion-dollar trade.

IOS: Right … we've written about the de-identification process, which it seems like it's the right thing to do, in a way, because you're removing all the identifiers, and that includes zip code information, other geo information. It seems that for research purposes that would be okay. Do you agree with that, or not?

AT: So, these commercial companies, and some of the names may be well-known to us, companies such as IBM Watson Health, GE, LexisNexis, and the largest of them all may not be well-known to the general public, which is Quintiles and IMS. These companies have dossiers on hundreds of millions of patients worldwide. That means that they have medical information about you that extends over time, different procedures you've had done, different visits, different tests and so on, put together in a file that goes back for years. Now, when you have that much information, even if it only has your date of birth, your doctor's name, your zip code, but not your name, not your Social Security number, not things like that, it's increasingly possible to identify people from that. Let me give you an example. I'm talking to you now from Fairbanks, Alaska, where I'm teaching for a year at the university here. I lived, before that, in Boston, Massachusetts, and before that, in Belgrade, Serbia. I may be the only man of my age who meets that specific profile! So, if you knew those three pieces of information about me and had medical information from those years, I might be identifiable, even in a haystack of millions of different other people.

IOS: Yeah … We have written about that as well in the blog. We call these quasi-identifiers. They're not the traditional kind of identifiers, but they're other bits of information, as you pointed out, that can be used to sort of re-identify. Usually it's a small subset, but not always. And that this information would seem also should be protected as well in some way. So, do you thi

S1 Ep 39 More Ann Cavoukian: GDPR and Access Control
We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University's Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD). In this segment, Cavoukian tells us that once you've involved your customers in the decision making process, "You won't believe the buy-in you will get under those conditions because then you've established trust and that you're serious about their privacy." We also made time to cover General Data Protection Regulation (GDPR) as well as three things organizations can do to demonstrate that they are serious about privacy.
Learn more about Dr. Cavoukian:
Follow her on Twitter: @AnnCavoukian
Read her book: Who Knows: Safeguarding Your Privacy in a Networked World
Transcript
Cindy Ng: Dr. Cavoukian, besides data minimalization, de-identification, user access control, what are some other concrete steps that businesses can take to benefit from protecting privacy?
Dr. Cavoukian: I think one of the things businesses don't do very well is involve their customers in the decisions that they make, and I'll give you an example. Years ago I read something called "Permission Based Marketing" by Seth Godin, and he's amazing. And I read it, and I thought, "Oh this guy must have a privacy background," because it was all about enlisting the support of your customers, gaining their permission and getting them to, as Godin said, "Put their hand up and say 'count me in.'" So I called him, he was based in California at the time, and I said, "Oh Mr. Godin, you must have a privacy background?" And he said something like, "No, lady, I'm a marketer through and through, but I can see the writing on the wall. We've gotta engage customers, get them involved, get them to wanna participate in the things we're doing." So, I always tell businesses that are serious about privacy, "First of all, don't be quiet about it. Shout it from the rooftops, the lengths you're going to, to protect your customer's privacy. How much you respect it, how user-centric your programs are, and you're focused on their needs in delivering." And, then, once they understand this is the background you're bringing, and you have great respect for privacy, in that context you say, "We would like you to consider giving us permission to allow it for these additional secondary uses. Here's how we think it might benefit you, but we won't do it without your positive consent." You wouldn't believe the buy-in you will get under those conditions because then you have established a trusted business relationship. They can see that you're serious about privacy, and then they say, "Well by all means, if this will help me, in some way, use my information for this additional purpose." You've gotta engage the customers in an active dialog.
Cindy Ng: So ask, and you might receive.
Dr. Cavoukian: Definitely, and you will most likely receive.
Cindy Ng: In sales processes they're implementing that as well, "Is it okay if I continue to call you, or when can I call you next?" So they're constantly feeling they're engaged and part of the process, and it's so effective.
Dr. Cavoukian: And I love that. Myself, as a customer... I belong to this air miles program, and I love it, because they don't do anything without my positive consent. And, yet, I benefit because they send me targeted ads and things I'm interested in. And I'm happy to do that, and then I get more points and then it just continues to be a win-win.
Cindy Ng: Did you write anything about user access controls? What are your thoughts on that?
Dr. Cavoukian: We wrote about it in the context of that you've gotta have restricted access to those who have... I was gonna say, "Right to know." Meaning there are some business purpose for which they're accessing the data. And that can be...when I say, "business purpose," I mean that broadly, in a hospital. People who are taking care of a patient, in whatever context, it can be in the lab. They go there for testing. Then they go for an MRI, and then they go... So there could be a number of different arms that have legitimate access to the data, because they've gotta process it in a variety of different ways. That's all legitimate, but those people who aren't taking care of the patient, in some broad manner, should have absolutely complete restricted access to the data. Because that's when the snooping and the rogue employee...
Cindy Ng: Curiosity.
Dr. Cavoukian: ...picture, the curiosity, takes you away, and it completely distorts the entire process in terms of the legitimacy of those people who should have access to it, especially in a hospital context, or patient context. You wanna enable easy access for those who have a right to know because they're treating patients. And then the walls should go up for those who are not treating in any manner. It'd be diffi

S1 Ep 40 #realthreats
Next month, the world will be talking security at the annual RSA Conference, which will be held in San Francisco on February 13th to the 17th. When it comes to discussing security matters, experts often tell us to take stock of our risks or to complete a risk assessment. However, perhaps before understanding where we might be vulnerable, it might be more important to consider exactly what threats we're really faced with. In this episode of the Inside Out Security Show, I asked our panelists – Cindy Ng, Mike Thompson, Kilian Englert, and Mike Buckbee – about four #realthreats: disgruntled employees, passwords on sticky notes, hijacked accounts and ransomware.
Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis ⬇️
Visit our website: https://www.varonis.com
LinkedIn: https://www.linkedin.com/company/varonis
X/Twitter: https://twitter.com/varonis
Instagram: https://www.instagram.com/varonislife/

S1 Ep 38 Dr. Ann Cavoukian on Privacy By Design
I recently had the chance to speak with former Ontario Information and Privacy Commissioner Dr. Ann Cavoukian about big data and privacy. Dr. Cavoukian is currently Executive Director of Ryerson University's Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD). What's more, she came up with PbD language that made its way into the GDPR, which will go into effect in 2018. First developed in the 1990s, PbD addresses the growing privacy concerns brought upon by big data and IoT devices. Many worry about PbD's interference with innovation and businesses, but that's not the case. When working with government agencies and organizations, Dr. Cavoukian's singular approach is that big data and privacy can operate together seamlessly. At the core, her message is this: you can simultaneously collect data and protect customer privacy.
Transcript
Cindy Ng: With Privacy by Design principles codified in the new General Data Protection Regulation, which will go into effect in 2018, it might help to understand the intent and origins of it. And that's why I called former Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University's Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design. When working with government agencies and organizations, Dr. Cavoukian's singular approach is that big data and privacy can operate together seamlessly. At the core, her message is this, you can simultaneously collect data and protect customer privacy. Thank you, Dr. Cavoukian for joining us today. I was wondering, as Information and Privacy Commissioner of Ontario, what did you see what was effective when convincing organizations and government agencies to treat people's private data carefully?
Dr. Cavoukian: The approach I took...I always think that the carrot is better than the stick, and I did have order-making power as Commissioner. So I had the authority to order government organizations, for example, who were in breach of the Privacy Act to do something, to change what they were doing and tell them what to do. But the problem...whenever you have to order someone to do something, they will do it because they are required to by law, but they're not gonna be happy about it, and it is unlikely to change their behavior after that particular change that you've ordered. So, I always led with the carrot in terms of meeting with them, trying to explain why it was in both their best interest, in citizens' best interest, in customers' best interest, when I'm talking to businesses. Why it's very, very important to make it...I always talk about positive sum, not zero sum, make it a win-win proposition. It's gotta be a win for both the organization who's doing the data collection and the data use and the customers or citizens that they're serving. It's gotta be a win for both parties, and when you can present it that way, it gives you a seat at the table every time. And let me explain what I mean by that. Many years ago I was asked to join the board of the European Biometrics Forum, and I was honored, of course, but I was surprised because in Europe they have more privacy commissioners than anywhere else in the world. Hundreds of them, they're brilliant. They're wonderful, and I said, "Why are you coming to me as opposed to one of your own?" And they said, "It's simple." They said, "You don't say 'no' to biometrics. You say 'yes' to biometrics, and 'Here are the privacy protective measures that I insist you put on them.'" They said, "We may not like how much you want us to do, but we can try to accommodate that. But what we can't accommodate is if someone says, 'We don't like your industry.'" You know, basically to say "no" to the entire industry is untenable. So, when you go in with an "and" instead of a "versus," it's not me versus your interests. It's my interests in privacy and your interests in the business or the government, whatever you're doing. So, zero sum paradigms are one interest versus another. You can only have security at the expense of privacy, for example. In my world, that doesn't cut it.
Cindy Ng: Dr. Cavoukian, can you tell us a little bit more about Privacy by Design?
Dr. Cavoukian: I really crystallized Privacy by Design really after 9/11, because at 9/11 it became crystal clear that everybody was talking about the vital need for public safety and security, of course. But it was always construed as at the expense of privacy, so if you have to give up your privacy, so be it. Public safety's more important. Well, of course public safety is extremely important, and we did a position piece at that point for our national newspaper, "The Globe and Mail," and the position I took was public safety is paramount with privacy embedded into the process. You have to have both. There's no poin

S1 Ep 37 Fireside Chat with the Future
Over the past few weeks, we started seeing a few new security trends that we think haven't yet had their defining moment and will likely see more of next year. We reflected on the predictions we made last year and shared our annual cybersecurity predictions for 2017. Meanwhile the Inside Out Security Show panel – Kilian Englert, Forrest Temple and Mike Buckbee – also speculated on a few things of their own based on a few articles they've read in the news recently: hackers guessing your credit card information in less than six seconds, the security implications of the Amazon Go Grocery Store, and more malvertising. Plus, we also continued our never-ending debate on privacy. But what the panelists couldn't get enough of were the allegations that Russia attempted to affect the outcome of the US presidential election. No, we didn't discuss the politics of what happened, but they did share teachable moments we can all learn from. To start – we've all heard of scams where the IRS or FBI call about identity theft or about our taxes. But what happens when the real FBI is really calling? If there isn't a process in place for every little detail that happens, then we're left vulnerable. "My first step would be to see if it's really the FBI calling. Because there are so many weird scams around stuff like that," advises Mike Buckbee. Kilian Englert supplemented Mike's advice with this suggestion: "If you look at some of the standards that come out, like the NIST standards. A lot of them recommend having some type of plan in place…some plan, any plan." And don't be deterred because Forrest Temple reminds us, "You don't see the successes; you only see the failures…That's how data security is. Maybe there are a million successful for every failure, you just don't know." Click play to hear the rest of the show and why Kilian isn't a fan of Barcelona Football. There's a point! We promise!

S1 Ep 35 Is Security a Benefit or a Feature?
I recently came across a tweet that was shared during the Infosecurity Magazine Conference in Boston, "Security is a benefit, but not always a feature." Why? You can spend a lot of money and still be hacked or not spend a dime and not be hacked. How did the Inside Out Security Show panel react? Here's what Mike Buckbee, Kilian Englert and Alan Cizenski had to say:
Buckbee: It's all tradeoffs. It's all a bet. If you go into a casino and putting money down…While it's true you can spend a lot of money and still get hacked, it's less likely than if you spend nothing. Or not even so much spend, in terms of money, but in terms of effort. You spend the effort and time to make secure systems….so you're trying to play the odds.
Englert: We can write it up as a true-ism…We've never been hacked before, so we must be secure. That's the default security mindset, which is at odds with the truth…The best security in the world, only takes you so far.
Cizenski: When you're spending money on security tools, at that point, at the very least, you're gonna have an audit trail or something to look back at so you can say, "How did that happen?" Instead of just thinking, "We've never been hacked. We're good."…When it does happen, you can't really do much about it [if you don't have an audit trail].
Click play to learn more! Additional comments include:
• A rogue admin who took down a former employer's network
• Admins who experience burn out
• NIST announced guidance on SMS on two factor.
• Whether or not security problems are the user's fault or not
• As well as the latest research report on security shortcomings on a heart device.

S1 Ep 34 Password Expert Per Thorsheim on Biometrics and Keystroke Dynamics
Based in Norway, Per Thorsheim is an independent security adviser for governments as well as organizations worldwide. He is also the founder of PasswordsCon.org, an annual conference that's all about passwords, PIN codes, and authentication. Launched in 2010, the conference invites security professionals & academic researchers to better understand and improve security. In part one of our discussion with Per, we examined two well-known forms of authentication – passwords and hardware. In this segment, he talks about a lesser known form – biometrics and the use of keystroke dynamics to identify individuals. Per explains, "Keystroke dynamics, researchers have been looking at this for many, many years. It's still an evolving piece of science. But it's being used in real life scenarios with banks. I know at least there's one online training company in the US that's already using keystroke dynamics to verify if the correct person is doing the online exam. What they do is measure how you type on a keyboard. And they measure the time between every single keystroke, when you are writing in a password or a given sentence. And they also look for how long you keep a button pressed and a few other parameters." What's even more surprising is that it is possible to identify one's gender using keystroke dynamics. Per says, "With 7, 8, 9 keystrokes, they would have a certainty in the area of 70% or more…and the more you type, if you go up to 10, 11, 12, 15 characters, they would have even more data to figure out if you were male or female." Those who don't want to be profiled by their typing gait can try Per Thorsheim's and fellow infosec expert Paul Moore's Keyboard Privacy extension.
Transcript
Cindy Ng: Let's talk a bit about biometrics because that's really interesting. Keystroke dynamics and it refers to your typing gait: how often you pause, how fast you type. With just a few characters if you type seven to nine characters, you can build a profile of a person. I'm wondering if you can talk a little bit about if you're able to tell someone's gender, are you also taking into account their location? How can you tell whether or not they're typing with one or two hands, their gender, their age? These are soft metrics, but really important and...
Per Thorsheim: Keystrokes dynamics... There have been researchers looking into this for many, many years already. But still, it's a really a modeling piece of science. But it is also being used today in real-life scenarios with banks. I know that there is at least one online training company in the U.S. who is already using keystroke dynamics, to verify if the correct person is actually doing the online exam as an example. What they do is they measure how you type on your keyboard and they measure the time between every single keystroke when you're writing in a password or a given sentence. They also look out for how long you keep each button depressed and a few other parameters. Now, this sounds weird, I know. But I learned from researchers in France, they have been collecting this kind of data from a lot of men and women, and talk about men and women being different in many different areas. But I had never guessed. I would have never believed until they told me that men and women in general type differently on a keyboard, using normal standard 10 finger touch type on a keyboard. They said that as soon as you have entered seven, eight, nine characters onto a keyboard, we can with a pretty good probability tell you if it is a man or a woman typing on the keyboard. That is again assuming typing normally with 10 fingers touch type on a keyboard.
Cindy Ng: What is the accuracy rate of the gender identification?
Per Thorsheim: The accuracy that they talked about is they would say that with seven, eight, nine keystrokes, they would have a certainty on this in the area of 70% or more. So, of course, it's not that good, but it's improving. And the more you type if you go up to 10, 12, 15 characters, they would have even more data to figure out whether you're a male or female. But that's just figuring out male or female. It doesn't identify you as a unique human being on planet earth. Because in that setting, this technology is nowhere near good enough. There are lots of people that would actually type just like you on a keyboard, in the world.
Cindy Ng: What's the probability of you typing in the same way as other people in our population?
Per Thorsheim: If you have an iPhone and you're using Touch ID with your iPhone or maybe an iPad today, the fingerprint reader that is being used by Apple today, they usually say that those devices have what we call a false acceptance rate or false rejection rate of 1 in 50,000. Meaning that 1 in 50,000 attempts, where you try to identify to your own phone will fail even if you're using the correct finger. The other way around 1 in 50,000 people, it means that person among 50,001 will have a fingerprint that will be accepted as you. But it's not you ge

S1 Ep 33 A Technologist's Hippocratic Oath
Last month, there was a thought-provoking article on programmers who were asked to do unethical work on the job. We often talk about balancing security with precaution and paranoia, but I wondered about the balance of ethics and execution. As always, I was curious to hear the reactions from the Inside Out Security Show panel – Mike Buckbee, Kris Keyser, and Mike Thompson. Here's what they had to say:
Thompson: "The downside in technology is that shortcuts lead to lapses in security…In healthcare, there are tight regulations…but who is making that decision in the technology industry?"
Buckbee: "We talk about different kinds of crime like property, violent crime, and white collar crime. There's cybercrime as well. People have different acceptable models in these different areas. [For instance] when it comes to SQL injection, you probably don't think that adding a few additional characters to a URL is a felon criminal trespass, but it totally could be…"
Keyser: "I drew a parallel between engineers that work in the physical space and engineers that work in the digital space. An engineer or somebody who builds a faulty house with a poor structure or horrible locking system, there would be repercussions for that if the house collapsed…I don't think people have realized the parallels between that and the digital space."
Click play to see what else they had to say! Additional responses include: thoughtful insights on the most recent San Francisco MUNI hacker that got hacked, potentially unnecessary malware fixes, as well as the latest hacking tools and exploits.

S1 Ep 32 Password Expert Per Thorsheim On Life After Two Factor Authentication
Based in Norway, Per Thorsheim is an independent security adviser for organizations and government. He is also the founder of PasswordsCon.org, a conference that's all about passwords, PIN codes, and authentication. Launched in 2010, the conference is a gathering of security professionals & academic researchers worldwide to better understand and improve security worldwide. In part one of our conversation, Per explains – despite the risks – why we continue to use passwords, the difference between 2-factor authentication and 2-step verification, as well as the pros and cons of using OAuth. Naturally the issue of privacy comes up when we discuss connected accounts with OAuth. So we also made time to cover Privacy by Design as well as the upcoming EU General Data Protection Regulation (GDPR).
Transcript
Cindy Ng: Recently, I had the pleasure to speak with an independent security advisor, Per Thorsheim, on all things passwords. Based in Norway, he is the founder of Passwords Con, the world's first and only conference about passwords. It's a gathering of security professionals and academic researchers from all around the world where they discuss ways to improve security worldwide. Thank you, Per. Let's get started. So, a very important question, so, lots of security experts have warned us the dangers of passwords, but why are we continuing to use it?
Per Thorsheim: Well, it's cheap to use from a business perspective. There are many cases where we don't have a business situation where, you know, there's no point in using anything else than passwords. They are available in every single system we use, and if you want something else, it's going to be more expensive. And who's going to pay for that?
Cindy Ng: A lot of people are using password managers to manage all our different accounts for all our different sites. And there's also two-factor authentication which can be tiresome. You suggested that there's life after two-factor authentication. Can you tell us a little bit more about that?
Per Thorsheim: Yeah, you know, we have National Security Awareness month here in Norway, just like in the US, in all of October. And a very important message that we have been bringing out in all possible channels over the past month is to use two-factor authentication. And basically what that is, is that in addition to having a username and password, you would have a code that you need to enter that you will get from a key from a text message or something similar. Maybe you have a couple of codes written down on a piece of paper that you have to type in, in addition to your password. That's two-factor authentication. Now, what I mean about life after two-factor authentication is that every step that we add into the process of authenticating, you know, how to figure out that you are the correct person logging into our system, takes time. And by adding a second factor, it will take you, in most cases, a little bit extra time to be able to log in. For some people, that's okay. For some people, it's a disruption. It's annoying, and what I've been thinking about, you know, by saying, "life after two-factor authentication," is, "What happens today when, in my case, I have, like, 400 accounts on different services all over the internet and at home and at different, you know, banks and insurance companies and so on? What happens today that I'm actually using two-factor authentication with all of those accounts?" I'm just imagining to myself that that's going to be very annoying. It's going to take a lot of time. Every time I have to log in to any kind of service, I have to type in username, I have to type in my password or pass phrase, and then I also have to look at my phone to receive a text message or find you know, that dumb piece of hardware dongle that I forgot at home, probably, and type in a code from that one as well. So from a usability perspective, I'm a little bit concerned, maybe even a little worried about what's the world going to be in a couple years when all the services that I'm using today are either offering or even requiring me to use two-factor authentication? Now, from a security perspective, adding this kind of two-factor authentication's a good thing. It increases security in such a way that in some cases, even if I told you my password for my Facebook account, as an example, well, I have two-factor authentication. You won't be able to log in, because as soon as you type in my username and password, I will be receiving a code via SMS from Facebook on my phone, which you don't have access to. Now, without that code, you will not be able to log in to my account. The security perspective of this is really good which is why we recommend it. From the usability side, I'm a little bit concerned about the future.
Cindy Ng: What's the difference between the two-factor authentication and the two-step authentication, in terms of increasing usability?
Per Thorsheim: Two-step verification process is what I conside

S1 Ep 31 Life of an IT Pro
Like many in IT, you can probably commiserate with this week's Inside Out Security Show panel – Cindy Ng, Mike Buckbee and Alan Cizenski – on elaborating when someone asks you, "What Do You Do for a Living?" Whether you're a programmer or a sysadmin, the scope of your role is often multi-faceted and complex. In this episode, we talk about various roles and responsibilities of those in IT – differentiating similar tools, testing and evaluating, balancing practical decision making, and much more.

S1 Ep 30 The Election is Over…Back to Work?
On election day, I stumbled upon an article that described presidential candidates' newfound ability to influence voters with big data. Not health, financial or sensitive data, but data from loyalty cards, gym memberships etc. Rather than a financial exchange as the end goal, the purpose of using big data to influence end users would be for a vote on November 4th. What a fascinating use of data! I had to get responses from the Inside Out Security Show panel – Cindy Ng, Kilian Englert, Mike Buckbee, and Forrest Temple. They engaged in a lively discussion on the pros and cons of leveraging big data in a presidential election, the significance of data integrity, as well as the controversies on the ability to re-identify anonymized data. Lastly, in our "Tool for Sysadmins" segment, Buckbee shares PowerForensics. By the way, we also discuss when it's worthwhile to script and when it's worth forking over a check to get security done right.

S1 Ep 29 More Sheila FitzPatrick: Data Privacy and the Law
In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work in setting up Binding Corporate Rules (BCR) for multinational companies. These are actually the toughest rules of the road for data privacy and security. What are BCRs? They allow companies to internally transfer EU personal data to any of their locations in the world. The BCR agreement has to get approval from a lead national data protection authority (DPA) in the EU. FitzPatrick calls them a gold standard in compliance—they're tough, comprehensive rules with a clear complaint process for data subjects. Another wonky area of EU compliance law she has worked on is agreements for external data transfer between companies and third-party data processors. Note: it gets even trickier when dealing with cloud providers. This is a fascinating discussion from a working data privacy lawyer. And it's great background for IT managers who need to keep up with the lawyerly jargon while working with privacy and legal officers in their company!

S1 Ep 28 The Case for Giving IT a Raise
Earlier this month at the awesome O'Reilly Security Conference, I learned from world-leading security pros about the most serious threats facing IT. Hmm, sounds like that would make a great topic to discuss with the Inside Out Security Show panel – Cindy Ng, Kilian Englert, Kris Keyser, and Peter TerSteeg. Let's go meta. According to expert Becky Bace, you can generalize security challenges as a cycle of new attacks and vulnerabilities, requiring damage control and remedies, and then followed by newer and smarter attacks. It's always kind of the same problem, but dressed up a little differently each time. Moreover, in the latest 2016 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, 80% of the respondents say inadequate funding is one of the top barriers to effectively addressing cybersecurity threats. That led me to wonder, how can we get more funding and stretch existing dollars for the Infosec department? Our panelists discussed ways in which we can help businesses make and save money, the costs of a breach, and whether or not organizations should get cyberinsurance. And towards the end of the show, we played make-believe IT department and pretended we got extra budget for our team. Finally, we enjoyed a lighthearted IT moment as we discussed this tell-all article, 25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.

S1 Ep 27DDoS Rhapsody
In this episode of the Inside Out Security Show, the panel – Cindy Ng, Mike Buckbee and Mike Thompson – shared their thoughts on the latest botnet attack. “This botnet attack that happened recently that brought down the DNS services. That’s probably unfortunately the first of many,” warns Mike Thompson. His concerns also launched the group into discussing the challenges of balancing innovation alongside security and privacy. We ended the show with a few tools Buckbee recommended: “The big DDoS attack that happened, it was really targeted at a company called Dyn…It was the DNS that indicated where the traffic should go that was messed up, at the DNS provider level…A lot of times, it happens at a local level…it’s really easy to mess up your own DNS. A very useful tool: What’s my DNS.” Listen in if you wanna know the very first security precaution Thompson takes when he gets a new router. You'll also learn who out of the group has embraced IoT devices with open arms.

S1 Ep 24Making Security Great Again!
Since October was Cyber Security Awareness month, we decided to look at what’s holding back our efforts to make security—to coin a phrase—“great again”. In this episode of the Inside Out Security Show, the panel – Cindy Ng, Kilian Englert, Kris Keyser, and Mike Buckbee – shared their thoughts on insider threats as discussed on a recent Charlie Rose show, the brilliant but evil use of steganography (the practice of concealing a file, message, image, or video within another file, message, image, or video), and the dark market for malware hidden in underground forums. For a taste of the podcast, here are a few data security ideas and quotes from our panelists.
Insider Threat. According to Keyser, an insider attack might not necessarily be the fault of employees. It could be that a hacker obtained their credentials—by guessing or pass-the-hash—and the attack was executed under their name. So don’t make an employee the ‘fall guy’ for what was really an outsider. Blame IT instead. Kidding!
Steganography. On hackers hiding credit card information in images, Keyser says, “It’s reminiscent of the skimmer attack you might find on an ATM or a card reader at a shop you go to, but it’s applying that same concept to data, the nonphysical world.” Like the rest of us, Englert was fascinated by the use of steganography. Englert says, “It’s always been kind of an interesting concept that I played with just for fun, but to see this used as an exfiltration method, it’s terrifying and it’s also brilliant. Having the website serve up the information you’re stealing, publicly, hidden in image files, it’s such a great way to get data out.” What will hackers think up next?
Underground Forums. Englert thinks these underground sites are fulfilling a market need. He says, “Why not be enterprising? Makes sense from a business perspective. It’s not moral, but a way to make money.” Hackers are certainly displaying an entrepreneurial spirit.
Thinking Like a Hacker. With DDoS attacks on the rise – up 125% in 2016 – Buckbee shares what he learned from Marek Majkowski’s presentation, “Are DDoS attacks a threat to the decentralized internet?” A united Internet makes us strong, and with a divided one we may fall.
A Tool for Sysadmins. Mosh (mobile shell) is a remote terminal application that supports intermittent connectivity, allows roaming, and speculatively and safely echoes user keystrokes for better interactive response over high-latency paths.

S1 Ep 23IoT Pen Tester Ken Munro: Probing Wireless Networks (Part 2)
We have more Ken Munro in this second part of our podcast. In this segment, Ken tells us how he probes wireless networks for weaknesses and some of the tools he uses. One takeaway for me is that the PSKs or passwords for WiFi networks should be quite complex, probably at least 12 characters. The hackers can crack hashes of low-entropy WiFi keys, which they can scoop up with wireless scanners. Ken also has some thoughts on why consumer IoT devices will continue to be hackable. Keep in mind that his comments on security and better authentication carry over quite nicely to the enterprise world.
Transcript
Inside Out Security: You’ve focused mostly on testing the IoT — coffee makers, doorbells, cameras — and it’s kind of stunning that there’s so much consumer stuff connected to the internet. The Ring Doorbell and iKettle were examples, I think, where you obtained the WiFi PSKs (pre-shared keys). Could you talk more about your work with these gadgets?
Ken: Yeah, so where they're interesting to us is that in the past, to get hold of decent research equipment to investigate, it used to be very expensive. But now that the Internet of Things has emerged, we're starting to see low-cost consumer goods with low-cost chip sets, with low-cost hardware, and low-cost software starting to emerge at a price point that the average Joe can go and buy and put into their house. A large company, if they buy technologies, has probably got the resources to think about assessing their security … and put some basic security measures around. But average Joe hasn't. So what we wanted to do was try and look to see how good the security of these devices was, and almost without exception, the devices we've been looking at have all had significant security flaws! The other side of it as well, actually, it kind of worries me. Why would one need a wireless tea kettle?
IOS: Right. I was going to ask you that. I was afraid to. Why do you think people are buying these things? The advantage is that you can, I guess, get your coffee while you're in the car and it'll be there when you get home?
Ken: No. It doesn't work like that … Yeah, that's the crazy bit. In the case of the WiFi kettle, it only works over WiFi. So you've got to be in your house!
IOS: Okay. It's even stranger.
Ken: Yeah, I don't know about you but my kitchen isn't very far away from the rest of my house. I'll just walk there, thanks.
IOS: Yeah. It seems that they were just so lacking in some basic security measures … they left some really key information unencrypted. What was the assumption? That it would be just used in your house and that it would be just impossible for someone to hack into it?
Ken: You're making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all. I think that's one of the biggest issues right now: there are a lot of manufacturers here and they're rushing new product to market, which is great. I love the innovation. I'm a geek. I like new tech. I like seeing the boundaries being pushed. But those companies that are rushing technologies to market without really understanding the security risk … Otherwise, you're completely exposing people's homes, people's online lives by getting it wrong.
IOS: Right. I guess I was a little surprised. You mentioned in your blog something called wigle.net?
Ken: Yeah, wigle is … awesome and that's why WiFi's such a dangerous place to go.
IOS: Right.
Ken: Well, there's other challenges. It's just the model of WiFi -- which is great, don't get me wrong -- when you go home with your cell phone, your phone connects to your WiFi network automatically, right? Now, the reason I can do that is by sending what are called client probe requests. And that's your phone going, "Hey, WiFi router, are you there? Are you there? Are you there?" Of course, when you're out and about and your WiFi's on, it doesn't see your home WiFi router. But when you get home, it goes, "Are you there?" "Yeah, I'm here," and it does the encryption and all your traffic's nice and safe. What wigle does — I think it stands for wireless integrated geographic location engine, which is crazy … security researchers have been out with wireless sniffers, scanners, and mapped all the GPS coordinates of all the wireless devices they see. And then they collate that onto wigle.net, which is a database of these which you can basically query by wireless network name … and work out where they are. So it's really easy. You can track people using the WiFi on their phones using wigle.net. You can find WiFi devices. A great example of that was how we find the iKettle, that you can search wigle.net for kettles. It's crazy!
IOS: Yeah, I know. I was stunned. I had not seen this before. I suspect some of the manufacturers would be surprised if they saw this. We see the same thing in the enterprise space or IT. I'm just sort of surprised that there are just so many tools and hacking tools out there. But in any case, I think

S1 Ep 21When Security Is Low, How Do We Go High?
Our inspiration for this week's show was Michelle Obama's popular catchphrase, "When they go low, you go high." Don't worry, our next episode will also have a fun Republican catchphrase. In this episode, we discussed how low the security of our favorite things has gone - in music, email, and the internet of things (IoT).
Music. There are a lot of music lovers that use Spotify on their desktops, but they weren't expecting it to periodically cause their browser to open malicious sites without their permission.
Email. Even though kids these days think email is passé, organizations still rely on email. That's why we must cover Yahoo's 500 million leaked accounts as well as hacked presidential candidates' emails. (Psst, go to 5:03 if you wanna know how much Yahoo would have paid if GDPR - the EU's latest data protection regulation - was in effect.)
IoT. Lastly, we discussed Mirai, the recent DDoS attack against Brian Krebs, who runs KrebsOnSecurity.com, a publication about cybersecurity.
Thinking Like a Hacker. In this segment, we attempt to explain "SQL Injection" to a 5-year-old.
A Tool for Sysadmins. Fiddler - The free web debugging proxy for any browser, system or platform.

S1 Ep 20IoT Pen Tester Ken Munro: Security Holes (Part 1)
If you want to understand the ways of a pen tester, Ken Munro is a good person to listen to. An info security veteran for over 15 years and founder of UK-based Pen Test Partners, his work in hacking into consumer devices — particularly coffee makers — has earned lots of respect from vendors. He’s also been featured on the BBC News. You quickly learn from Ken that pen testers, besides having amazing technical skills, are at heart excellent researchers. They thoroughly read the device documentation and examine firmware and coding like a good QA tester. You begin to wonder why tech companies, particularly the ones making IoT gadgets, don’t run their devices past him first! There is a reason. According to Ken, when you’re a small company under pressure to get product out, especially IoT things, you end up sacrificing security. It’s just the current economics of startups. This approach may not have been a problem in the past, but in the age of hacker ecosystems, and public tools such as wigle.net, you’re asking for trouble. The audio suffered a little from the delay in our UK-NYC connection, and let’s just say my Skype conferencing skills need work. Anyway, we join Ken as he discusses how he found major security holes in wireless doorbells and coffee makers that allowed him to get the PSK (pre-shared keys) of the WiFi network that’s connected to them.

S1 Ep 19Six Degrees of Kevin Bacon (Security Edition)
Since security pertains to everyone, in this episode of the IOSS we challenged ourselves to tie security back to Kevin Bacon. You might have to give us a few passes, but the connection is still strong.
Keira Knightley: Earlier this year, a man applied for a credit account at Best Buy using Keira Knightley’s driver’s license information. If they hadn’t caught him, it would have affected her FICO score. And speaking of FICO, they just created an Enterprise Security Score, which rates how secure an organization is. We debated whether or not a score will improve security.
Chris Pine: Knightley was in Jack Ryan: Shadow Recruit with Pine. He worked undercover as a compliance officer at an investment firm. If Pine was a compliance officer for a security firm that profited by tanking a medical device stock, I’m guessing he’d have to raise a red flag.
Harrison Ford: Ford also played the character Jack Ryan in Clear and Present Danger, so Pine and Ford are practically the same person. But it was when he played a doctor in The Fugitive that caught our attention. While Ford played a doctor who was framed for murder, recently a woman’s stolen identity almost landed her in jail. And we discussed the dangers of medical identity theft.
The Obamas: The Obamas invited Harrison Ford to the White House. It impressed us that the White House now has a CISO.
Tom Hanks: Hanks narrated Obama’s “Road We Traveled”.
Kevin Bacon: And lastly, Hanks and Bacon appeared in Apollo 13.
Listen in and join the fun! The post Six Degrees of Kevin Bacon (Security Edition) – IOSS 24 appeared first on Varonis Blog.

S1 Ep 18Attorney and Data Scientist Bennett Borden: Find Insider Threats (Part 2)
In this second podcast, Bennett continues where he left off last time. Borden describes his work on developing algorithms to find insider threats based on analyzing content and metadata.
Transcript
Cindy: Hi, everyone. Welcome to our Inside Out Security Podcast. Andy and I are very excited to have Bennett Borden. He plays many roles. He is an attorney, a data scientist, and also a partner at Drinker Biddle in Washington D.C. So welcome, Bennett.
Andy: Thanks, Cindy. And again welcome, Bennett. Thank you for joining this call. So we're really excited to have you, and mostly because you have this unusual background that bridges law and data analysis. You've also written some really interesting articles on the subject of applying data science to e-discovery. I'm wondering, for our non-lawyer readers of the blog, can you tell us what discovery is and how it has led to the use of big data techniques?
Bennett: Sure, absolutely. And Andy and Cindy, thanks for having me. So discovery is a process in litigation. And it's a process when two or more parties get into litigation. These rules about discovery require the parties to trade information about whatever the case is about. So if you think of a patent infringement case or a breach of contract case, the two parties ‘serve discovery’—that’s what it's called—on each other. This is basically a game of Go Fish. And one side says, "Give me all your documents about the formation of the contract," and then the other side has to go and find all those documents. As you can imagine, in the information age, that could be anything! You've got to go find all the emails about that and all the documents like Word or PowerPoint. Depending on the case, it could be things like server logs or financial or HR data. It becomes quite the hunt in this modern age.
Varonis: Right. So it has become e-discovery or electronic discovery.
Bennett: That's exactly right.
Varonis: The problem is finding relevant documents. And this problem of finding relevancy and how to decide whether a document is relevant would seem to lead to some ideas in data science.
Bennett: Yes, and that's what's been really great about the advent of the information age and big data analytics in the last few years. Discovery has been around since the 1960s, but it was initially a paper endeavor. You had to go to file cabinets and file rooms and you'd find stuff, and copy it, and hand it over. But as we’ve gotten into computerized systems and databases and especially email, it's become really quite burdensome. Millions of dollars are spent trying to find and locate these documents. It began as an issue of search technology, having to search these different repositories, document management systems and file servers and email servers. Then as data analytics came online, we have these advanced machine learning search capabilities. As I find something that I'm looking for, it's basically a “more like this” search, and analytical tools can help us understand the characteristics of what they call responsive documents and help us find more like that. It's greatly increased the efficiency of the discovery process.
Varonis: Right. So it seems like some of these ideas of using data science started with e-discovery, but it has branched out from there. And I know you've written about how data analytics was used, for example, in other legal transactions like a mergers and acquisitions case that you wrote about. Can you tell us more about how it's expanding from just e-discovery?
Bennett: Yeah. This is really one of the most interesting parts of data science and its convergence in the legal sphere, because if you think about it, a lawyer's most fundamental product is really information. As a litigator, as a corporate lawyer, what we're trying to figure out is what happened and why: sometimes it’s whose fault it is or even trying to understand the value of a transaction or the value of a company, or the risk that's associated with certain kinds of securities transactions. All of that is based on information. The easier it is and the more accurately and quickly you can get at certainty of information, the better legal product you have. We started playing with these techniques. It’s the same techniques that were helping us find information that was relevant to a case, and tried to apply these to different settings. One of the most obvious is investigation settings, like a regulatory investigation or even an internal investigation. It's the same kind of principle, you're looking for electronic evidence of what happened. And that kind of pushed us into some interesting other areas. If you think about how a merger or acquisition happens, company A wants to buy company B, and so company A asks a bunch of questions — what they call due diligence. They want to know what your assets and liabilities are, what risks you might face, what are your uncollectible accounts, and, say, do you have any kind of environmental risk or litiga

S1 Ep 17Attraction of Repulsion (to Ransomware)
When it comes to ransomware, we can’t stop talking about it. There’s a wonderful phrase for our syndrome, “the attraction of repulsion,” meaning that something is so awful you can’t stop watching and/or talking about it. How awful has ransomware been? According to the FBI, in the first three months of 2016, ransomware attacks cost their victims a total of $209 million. And it doesn’t stop there. It’s impacted many businesses including financial firms, government organizations, healthcare providers, and more. In this episode of the Inside Out Security Show (IOSS), we cover three types of ransomware: CryLocker (impersonates the US government), FairWare (targets Linux users), and yes, fake ransomware. While some might disagree on whether or not to pay the ransom, we can all agree that ransomware is the canary in the coal mine. The post Attraction of Repulsion (to Ransomware) – IOSS 23 appeared first on Varonis Blog.

S1 Ep 14Attorney and Data Scientist Bennett Borden: Data Analysis Techniques (Part 1)
Once we heard Bennett Borden, a partner at the Washington law firm of DrinkerBiddle, speak at the CDO Summit about data science, privacy, and metadata, we knew we had to reengage him to continue the conversation. His bio is quite interesting: in addition to being a litigator, he’s also a data scientist. He’s a sought-after speaker on legal tech issues. Bennett has written law journal articles about the application of machine learning and document analysis to ediscovery and other legal transactions. In this first part in a series of podcasts, Bennett discusses the discovery process and how data analysis techniques came to be used by the legal world. His unique insights on the value of the file system as a knowledge asset as well as his perspective as an attorney made for a really interesting discussion.

S1 Ep 13Chief Data Officer Richard Wendell: Skills to Cultivate (Part 2)
In this second podcast, Mr. Wendell continues where he left off last time. He explains the skills you’ll need in order to be an effective Chief Data Officer and we learn more about MIT’s International Society of Chief Data Officers.
Transcript
Skills a CDO Needs: Information Technology, Mathematics, Change Management
Inside Out Security: You've given many examples of how the CDO has a relationship with a CIO, the CMO, the CEO, and so you need a whole bunch of different skillsets. What are some skills you need in order to be an effective CDO?
Richard: Yeah, there are really three categories of skills. The first category is what I'll call an IT skillset, traditionally. The second is more of a math skillset, and the third is really, like you mentioned, around communication, and even HR and change management. So I could talk to each of those briefly.
Information Technology
It's an interesting role, right, because typically, people who are strong in IT may not have as much background or expertise in math or HR, and you could say that about the other two as well. These are the three different areas of skills that often do not overlap, and to be a good CDO, you absolutely must have all three skills areas. The IT skillset is all about new data technology. So I think the number one, if you go online and you look at search terms, the number one phrase that's most commonly associated with the chief data officer is data science. Data science, if you look at, again, it means a lot of things to a lot of people. But chief data officers, chief analytics officers manage the data science function. Data science takes place in most companies now on top of newer data technology stacks. There are so many new technologies emerging every day that are absolutely critical for managing the function of data science, data integration. And so being able to go in and work with the IT department on building out that technology suite, and even occasionally standing up IT infrastructure with these new kinds of tools that, you know, maybe the IT department is typically focused more on very, very proven technologies that are enterprise scale that could be deployed and maximize their IT ROI, that is what they should be focused on. That's the perfect focus for IT. But if that's all you do as a company, then you're never going to experiment with somebody's new technologies that are really required to do data science well, and this is where a CDO comes in. So, you know, it's really important to be able to stand up and manage some of these new IT technologies, and you have to be a hacker to make it work. I mean, a lot of companies I know spend a year and a half just trying to figure out how to productionalize their Hadoop cluster inside their firewalls. So you have to know how to hack through these things and hack around them. I find a lot of my peers in the CDO community grew up as hackers, and you really have to have that hacker mindset and enjoy problem solving.
Mathematics
Second, math. I mean, this is really all algorithms so you need to understand machine learning. You need to know what are the different flavors of machine learning and how is it applied. And you need to be able to, I think in order to be good, you need to be able to get down to a fairly detailed level with your data scientist to talk about different packages, and how they're applied in different parameters that they're using in their model. Machine learning is just one area that's really hot right now but I think of advanced analytics, some statistics all have many different models that are used to solve different types of problems. And operations research, frankly, is an area that's often overlooked. There are many powerful quantitative techniques that come out of operations research, and increasingly now, computer science that are all really important and all have their place, and they're just different tools for different jobs. So we need to have that toolkit of algorithms to know which one or ones are best applicable to different business use cases. If you want to do a cluster analysis with a huge dataset, maybe you want to do a simple k-means. If you have a smaller dataset and you think you can get more insight out of it, then maybe you can do a hierarchical. It's just one simple example, but you need to be able to match the business use case to the scale of data to the algorithm.
Change Management
And then the third area, I mentioned the HR skillset, is really around change management. This is where most companies I see really fall down because most companies focus on insight. Insights are great. Insights don't make money. And this is where I'm talking specifically about like 20th century companies that are looking to be 21st century companies. Companies like that, they are filled with a lot of really great talent that's just not used to being data driven in their workflows. And quite often, sometimes, there's resistance to data. Maybe folks, at the end of the day, feel t

S1 Ep 12Bring Your Geek To Court
Last week, Alpesh Shah of Presidio joined us to discuss law firms and technology. With big data, ediscovery, the cloud and more, it’s of growing importance that law firms leverage technology so that they can better serve their clients. And in doing so, law firms can spend more time doing “lawyerly things” and, um, more billing.

Hallmarks of this episode include:
- why it’s critical for law firms to leverage technology
- why clients demand that law firms care about data security
- the extra steps law firms need to take if they want to work with healthcare providers and financial institutions

Want to learn more about Presidio? Visit them online. Or better yet, email Alpesh Shah [email protected].

The post Bring Your Geek To Court – IOSS 22 appeared first on Varonis Blog.
