ibuted and democratic, according to renowned security technologist, Bruce Schneier, not controlled by corporations. Developments in the past few weeks indicate he may be right.
Speaking at the RSAC Conference in San Francisco last week, Schneier talked of trust and how we give it to people, strangers, organizations, and technology. His description of that process predicted the development of artificial intelligence controlled almost exclusively by the user, rather than the dystopian corporate AI replacing humanity.
Encryption became a hot topic in the news in the past month. The United Kingdom, Sweden, France and the EU are considering requiring “back doors” to encryption protections. The “Signalgate” scandal in Washington, DC started most people asking, “What is this encryption stuff?” So we decided to provide a primer on the state of encryption today.
While the technology behind encryption is complex, it is not new. The basic algorithms have been with us for decades, silently running on devices and servers, invisible to the user. The purpose is basic: to keep data safe from prying eyes, like criminals and nation states.
Encryption is also a good way of saving money and not just in avoiding ransoms. Insurance companies often offer up to 15% premium discounts to businesses demonstrating strong security practices, including proper data encryption. Encryption significantly reduces the risk of data breaches and their associated costs.
The DDoS attack on X.com this week provided a certain amount of schadenfreude for people less than enamored by Elon Musk. It also rang alarm bells in the cybersecurity community.
Premium Membership Required
You must be a Premium member to access this content.
The EU's Digital Operational Resiliency Act (DORA) went live in January. This legislation's goals seem to conflict with the US administration’s willingness to ignore technology security standards. The question is: Who will stand up to protect corporate and consumer data?
DORA is highly targeted at the stability and resilience of the financial services sector. It ensures financial institutions can respond to, withstand, and recover from ICT-related threats and disruptions. It also requires robust strategies and policies to manage ICT risks in financial institutions.
Arnaud Treps, chief information security officer at Odaseva, said, “DORA is very different from previous regulation where you have to change where you operate. DORA is about having proper backups, the capability to restore quickly, and building redundancy.”
Europe takes the lead
But does the US rejecting data privacy regulation mean walling America off from the rest of the world? Meta has threatened to potentially limit
An independent threat intelligence team warned the Treasury Department that representatives of Elon Musk's Department of Government Efficiency was a significant “insider threat.” The warning made the problem of insider threats a new worry for US citizens, sparking multiple discussions on social media. It also made a new case for technology that defended against the threat.
Insider threats are not the most common form of security weakness, but they are the hardest to defend against. Even if a company successfully screens out potential bad actors in the hiring process, they have to make sure who they hired is who shows up to get their security badge. And if they get past those two processes, there’s always the possibility of an unbalanced or angry employee bringing a firearm into the office to commit mayhem. Luckily there are technologies in place, such as advanced detection and response, identification validation, and AI-driven weapons detection available in the market.
Identifying the threat
According to the Verizon Data Breach Investigation report for 2024, 80 percent of breaches are based on social engineering and phishing making them the top attack vectors. However, the report said that 32 percent of breaches involving an insider are considered malicious. That is a cause for significant concern when hiring new workers. Identifying a potential threat is easier than repairing the damage it causes later.
Pig-butchering may be proving the Luddites were right. The social-engineering scam bypassed ransomware as the most profitable cybercrime approximately two years ago. After government regulations and law enforcement took a big bite out of returns for ransomware this past year, public-private partnerships are taking aim at the new champ.
TL;DR
* Pig butchering eclipses losses from ransomware
* Top targets are tech savvy people under 50
* Human error trumps cyber awareness
* Public/private partnerships making inroads at dismantling scam operations
* Tips to avoid scams
* Podcast with Arkose CEO
Between 2020 and 20023, scammers reaped more than $75 billion from victims around the world. Approximately 90 percent of the losses came from of purchasing fraudulent cryptocurrency, according to the US Treasury Department’s, Financial Crimes Enforcement Center. In comparison, ransomware attacks in that same period harvested $20 billion worldwide in ransoms and cost approximately another $20 billion in recovery costs.
As we prepare for the annual October holiday season with Cybersecurity Awareness Month there is an important question to ask. Are we as a society at the point of fatigue over every new security breach, or are the companies getting breached just too big to fail?
Security giant Fortinet announced a data breach this week that was remarkable in two ways. One was how small the breach was (less than 500GB) Two was how calm Fortinet seemed to be about. Security gadfly Dr. Chase Cunningham posted a flippant comment about the breach on Linkedin, encouraging his followers to “buy on the breach.” He pointed out that with big public companies, in security or not, generally take a hit on their stock for a day or two after a breach, but the stock rises to new highs as the dust clears. And no one seems to care about the downstream customers whose data might have been stolen.
A 2010 study published in the Journal of Cost Management concluded that a company could be more profitable if it annoyed unhappy customers more than they already were. The success of that strategy increased with the size of the company, according to the study, and when there were fewer competitors for a customer to turn to.
The reasons for the success were simple. If a pissed off customer decided to go a smaller provider, there were always new customers who signed up, simply because they were the biggest. If there were no smaller competitors, the customer never went away. In the process, the offending company rarely has to pay out to make the customer whole. The study pointed our that companies like United Airlines have notoriously bad customer service, but they rarely lose market share because of it.
Kevin Szczepanski, co-chair of Barclay Damon's Data Security, is much more forgiving
State legislatures are scrambling hard to enact regulations of the cybersecurity and AI industries to protect them from themselves. And the leaders of those industries object to the efforts, like drug abusers forced into rehab.
For the past 10 years, the investor world shoveled money into any company that said they are focused on AI, but that support is starting to shake. Many AI startups that have received billions of investment are struggling financially, not the least of which is the elephant in the room, OpenAI. The most successful AI company in the world is on pace to lose $5 billion this year and, according to CEO Sam Altman, the company needs more than $8 billion more investment this year or will face bankruptcy inside 12 months.
Part of the loss of confidence in AI are the number of failures that seem to be increasing. The AI Incident Database, which chronicles incidents dating back to 1983, now contains 629 incidents. An even bigger reason is the self-governing rules the industry says it has adopted either don’t work or are ignored altogether.
The industry has generally acknowledged its weaknesses. More than a year ago, Altman sat before the US Senate essentially begging for the government to regulate the industry. Support for that legislation has waned, however, as 15 U.S. state legislatures are considering dozens of bills to regulate the development and use of artificial intelligence.
In a letter from OpenAI Chief Strategy Officer Jason Kwon to California Senator Scott Wiener (author of SB 1047), the company highlighted several reasons it opposed the bill, including the recommendation that regulation should be, "shaped and implemented at the federal level. A federally-driven set of AI policies, rather than a patchwork of state laws, will foster innovation and position the US to lead the development of global standards."
The “patchwork” argument has been used to oppose proposed laws in nine states. The problem with that is most federal laws come after a critical mass of laws at the state level. Historically, when two thirds of the sites pass similar laws, the US Congress considers standardizing them nationally. The US is less than halfway through that process.
The legislators authoring these bills seem to understand that they are not “experts” in technology and have been working with tech companies to make the bills more palatable. In California’s SB 1047, Weiner, removed provisions for criminal prosecution and an entirely new state bureaucracy to enforce the bill before it went to the governor’s desk last week. Instead, the bill merely directs the state attorney general to file civil charges when companies violate the mandates.
Premium Membership Required
You must be a Premium member to access this content.
The English riots this past week provide a Dickensian “best of times…worst of times.” context to politics in the United Kingdom and possibly the United States later this year. The UK has had a significant political shift in leadership that brought relief to the majority of that countries citizens (the best) but also encouraged the minority opinion to lash out with provocation from domestic actors and foreign states (the worst). This highlight the fact that digital security concerns reaches far beyond the confines of corporate CISO offices.
The rioters are extreme anti-immigration nationalists whipped up by false information regarding the stabbing of several young children and adults at a dance recital in Southport, a town just north of Wales. The disinformation came from several sources but is primarily coming through a Russian-linked website posing as a legitimate American news organization. The claim was meanwhile amplified up by far-right figures Tommy Robinson and Andrew Tate. Robinson was arrested under anti-terrorism laws but is out on bail has been vacationing in Europe. He is still spreading disinformation. Tate is currently under “judicial supervision” for rape and human trafficking charges. X owner Elon Musk has also participated personally in sewing the discord.
Foreign interference grows
Meanwhile, open source intelligence monitored by companies like Zero Fox and Fletch have identified efforts by North Korea and Russia to interfere in elections of Western countries including Germany and the United States. Zero Fox said, “The Telegram-based bot service IntelFetch had been aggregating compromised credentials linked to the Democratic National Committee (DNC) and their websites. This data, primarily sourced from botnet logs and third-party breaches, includes sensitive information such as login credentials for party members and delegates. This breach poses a significant risk of unauthorized access and potential disruptions to the convention.”
Zero Fox said the DNC had been alerted several weeks ago and that the weaknesses fixed. The DNC Convention is set to begin August 19 and Zero Fox was planning on announcing their findings that day to boost their profile.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.