On April 7, residents of Dallas, Texas struggled to get sleep as 156 of the city’s hurricane warning system sirens sounded all in one shot, and it didn’t stop at that: the sirens were triggered another 15 times. Prior to this incident, I wrote a Smart City security Q/A op-ed for IT Pro Portal on what would keep a city leader up at night, and this was certainly one of them, as the New York Times reported the hurricane emergency warning system was hacked! Connected living and Smart Cities are here, and security concerns are building up faster than we can find solutions. As the MIT Technology Review outlines, “Researchers have been finding vulnerabilities in connected city hardware, from traffic signals to smart meters, for several years now. The concern is that as such infrastructure proliferates, with devices increasingly connected by the Internet of things, hackers will identify more flaws and use them to plunge whole cities into chaos.”
Do you think you live in a connected or Smart City? Worried about your connected living security? Read more of my comments as I weigh in with Jamie Condliffe and the MIT Technology Review.
Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 marks a milestone for information security legislation, but industry is still questioning the need for legal intervention.
Australia is not the first country to introduce strict breach notification laws, nor is it likely to be the last. To date, approximately 90 countries have introduced legislation or have existing laws for breach notification, with varying degrees of strictness, enforcement and penalties. And yet data breaches still go undetected and unreported. The United States has approximately 47 states with separate breach notification laws and has yet to introduce a consolidated and unified law at the national level.
It’s not a matter of strictness, breadth or depth that makes digital privacy and breach notification laws effective. In fact, the only way the effectiveness of breach notification and data privacy laws is measured is anchored on whether the legislation helped prevent breaches from happening in the first place. Measuring the effectiveness of legislation is a “fuzzy science” at best… [read my complete article featured in ComputerWorld].
Recently I sat down with the Kim Komando Show to talk all things cyberwar and Russian hacking. As we engaged in our discussion we concluded it’s likely the United States is under cyber attack right now and no one knows exactly where some of the attacks are coming from. Take a listen to this Komando on Demand podcast as I weigh in with Kim Komando and Peter W. Singer for proof of these attacks and how they could lead to a much bigger war in the near future.
When we think of large entertainment venues and events, it’s not just ticket fees and concessions anymore. Sporting is entertainment, and this year’s Super Bowl LI (51) is one of the most complex, technologically orchestrated events in the world, ranging from tablet-based play books to RFID wearable sensors on players sending real-time performance data and analytics to coaches and mobile apps. Supply chain attacks can affect virtually any industry that relies on complex IT and infrastructures, as well as data delivery networks. While we typically think of large retailers, this weekend’s NFL event stands to be one of the most high-value targets for cyber criminals and other sophisticated attackers intent on mass disruption, manipulation and/or destruction. The network of third-party vendors involved in supporting the “game of all games” is one of the most complex interlocked networks imaginable. It’s “mind bending” to think of the network of suppliers, each introducing unique vulnerabilities and cyber security issues into the overall infrastructure, resulting in “breach exposure windows” during a very compressed period of time when sponsors, vendors, broadcast networks and advertisers have hundreds of millions at stake.
Just days away from Super Bowl LI, I talked with Dan Stoller of Bloomberg BNA on the possibility that we may be seeing a “national digital deflategate debate” if a major Super Bowl cyberattack were to happen. Let’s face it, data has changed athletics and sporting to a point where game play is based on bioinformatics, data science and using technology to increase marginal gains for competitive advantage. It shouldn’t be the case that the amount of air in a ball is scrutinized and debated, yet it has become a material breach of proprietary competitive data and intellectual property, lending an unfair advantage to teams in one of the only sporting entertainment events that owns its own day of the week. Read more as I weigh in with Bloomberg BNA.
Just sat down with StateScoop’s Jake Williams and the State of California’s Chief Information Security Officer Peter Liebert to discuss all things ransomware. Take a listen to a preview of this edition of StateScoop’s Virtual Roundtable series as I discuss emerging threats and what it means for state and local governments across the country.
You can listen to the full virtual roundtable via SoundCloud here.
Recently I sat down with DubaiEye Radio 103.8FM to talk all things IoT and Smart Cities cyber security. One area of particular interest was “rogue drones” and the recent havoc at airports causing massive flight and safety disruptions. The adoption of smart city/connected living technology across the United Arab Emirates (UAE) is the answer to ‘rogue drones’ causing havoc at local airports, that being the ability to monitor and detect the billions of IoT connected devices, including internet-enabled drones.
Click below to listen to the interview and hear my thoughts on IoT, connected living and drones.
Dyn’s business, domain name services, is often referred to as the roadmap of the internet. It’s what translates URLs like TheStreet.com into the 12-digit IP address at which websites reside. This isn’t because IP addresses are secret (at time of writing, for example, this website’s address was 220.127.116.11). They’re simply tough for human beings to remember… read the full article here with my comments as I weigh in with TheStreet author Eric Reed.
Imagine that you are driving through downtown New York City (NYC) and only relying on your GPS for directions. All of a sudden, the GPS stops working and you are stuck in mid-town Manhattan traffic during rush hour. If you have ever tried to drive in NYC, you know it’s easier to navigate a corn maze blindfolded than to attempt to navigate the complicated NYC streets.
A Domain Name System (DNS) is much like a GPS, in that DNS gets you from point A to point B online. While a GPS allows you to look up any destination in the world and find a path to that destination, DNS is your map, navigator, and transportation all rolled up in one, specifically for the internet. Behind every domain name is an intimidating-looking series of numbers called an internet protocol (IP) address (Example: 172.217.0.XX), and it gets much worse with next-generation addresses, which may look something like (2606:2800:220:6d:26bf:1447:1097:XXX). The bottom line is it’s much easier to remember a name (i.e. Google dot com) than to commit to memory a series of random numbers for every destination on the internet. DNS is the foundation that translates the domain name you type into your browser to the correct IP address and routes your request to the right place in real time. It just works, but when it doesn’t, it becomes one of the most disruptive roadblocks for the web.
On October 21st, 2016, various media outlets reported multiple waves of Distributed Denial of Service (DDoS) attacks that targeted New Hampshire-based DNS provider Dyn, which led to the disruption of the company’s ability to provide its subscribers with DNS services, resulting in massive issues for 17 of the top 100 most visited sites such as Twitter, Github, Reddit, AirBnB, Spotify, Soundcloud, Netflix and PayPal… read more here.
Recently RSA Security’s Chief Marketing Officer (CMO) Holly Rollo and I sat down and put our brains together to flesh out the absolute necessities of what needs to be in place when the unthinkable happens to a company and/or government organization: you don’t have a data breach communication and response plan when a cyber breach happens.
Below is a highlight of what Holly and I had to say in a recent Harvard Business Review feature titled “Your Company Needs a Communication Plan for Data Breaches”…
In an instant, any business can find itself in the frightening position of watching the brand it has worked so hard to build being brought to its knees by a cyber breach. Few things are more damaging to a brand’s reputation than a hack in the headlines, and in the event of a public security incident, it’s highly likely that the Chief Marketing Officer (CMO) and the Chief Security Officer (CSO) will be the first people the CEO looks to and says “What do we do now?”
When a data breach happens, there is nothing worse than trying to figure out how to manage the crisis on the fly as it is still happening. That’s why every strategic marketing plan, and every company’s overall security strategy, should incorporate a data breach communication plan.
Even a rumor of a breach can trigger a communications crisis. Here’s a generalized scenario similar to cases we’ve experienced: A hot new mobile technology company lands one of the most successful IPOs of the year. A hacker going by the name of ‘Tumbleweed’ enters a forum and brags that the device can be hacked. Other hackers begin to post on different forums, and a newspaper picks it up. A news cycle begins. Senior engineers in the company respond to the forums by denying the hacking claims. Hacker forums go crazy and issue a “bug bounty” to try to compromise the device, with some claiming success…
Read the complete Harvard Business Review feature here.
Given the increased complexity and sophistication of cyber adversaries today, the demand for skilled IT security practitioners has outstripped the supply, particularly those skilled in security operations, intelligence, data analytics and forensic analysis. Drawing parallels to healthcare, the growth in medical devices, imaging, research/development and clinical care has evolved in much the same way. These advances in technology have given us the ability to detect faster, “diagnose” and prevent. The outgrowth has created a broad shortage of practitioners with both the clinical/tactical skills and the operational experience necessary within today’s evolving threat landscape. So what does a Cyber Doctor look like, and what are we doing to educate and train the next generation of “security caregivers”?