Trust Alliance On Why Enterprise IoT Security Is A Lot Like BYOD

 


As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance.

Jeff Wilbur, the director of the alliance, which is an initiative within the larger Internet Society, says that it is better to embrace employees’ IoT devices and allow them to be used safely than to ban them and risk their unauthorized, unprotected use that could undermine network security.

Similarly, industrial IoT devices deployed by businesses should be firewalled off from the broader corporate network in order to minimize risk of compromise, he said in an interview with Network World senior writer Jon Gold.

Here’s a transcript of that conversation.

Network World: How does the OTA’s work with consumer-grade IoT security translate to the enterprise sector?

Wilbur: A few years ago, we took those general concepts of security and privacy, because every year we do an audit of about a thousand websites and organizations – email authentication practices, privacy and security, and we realized that the IoT market was growing, that there were going to be an order of magnitude more devices that were sending and receiving data, and generating data that needed to be secure and private as well, so we created a listing through a working group that eventually involved over a hundred different organizations. That (group) created a list of principles, mainly targeted at manufacturers, so security, privacy and lifecycle properties of IoT products, and what they should consider building into the product from the beginning, sort of the security and privacy by design.

We’ve had that out for a few years now, and it gets updated as necessary, but if you take that list of principles, and then apply it to the other side, the users of these products, it can be used as a filter to decide “what kind of products should I buy? What are the security and privacy characteristics that they should have?”

The reality today is that not all products – in fact, not many of the IoT products – are conforming to that list of principles yet. And when consumer-grade products kind of sneak their way into the enterprise … IT folks may or may not know it’s even there, and these products can be very chatty, they can be collecting data or being sort of a gateway vulnerability to the rest of the network if they’re not properly isolated or dealt with.

Network World: What’s a good example of that type of consumer-type IoT sneaking into the enterprise?

Wilbur: I don’t know that we’re advocating to keep it out of the enterprise, we’re advocating to manage it within the enterprise. Because if it comes through the side door or the back door, under the radar, whatever term you want to use, that’s when it can be dangerous, but it can also, if managed properly, be just fine.

The examples I hear of late are, of course, smart TVs in conference rooms – they may mainly be used as monitors, you know, you hook your laptop to it for display, but they also are smart TVs, and depending on how much you allow that capability to be connected into your network, that’s a potential vulnerability point.

A lot of smart speakers are being used in those environments, so you’ve just got to pay attention to the data flows and where they are in the network, and who’s saying what. If you look at Alexa, for instance, and Google Home, for the most part it seems that they have pretty good security controls around it, but whoever owns those accounts, your voice queries get stored in your account. So a lot of people don’t know exactly what data is being captured. For the most part, there has been concern about all voice being transmitted on through, even when there’s no wake word that initiates it, and that does not seem to be the case – it’s only passed through when there’s a real query involved, but it’s good to be cautious, especially in an enterprise environment.

Another area that it seems like IoT devices are making their way into [the enterprise] is appliances in the breakrooms, and it might be for the purposes of energy control or just remote monitoring, but again, those potentially can create an entry point for an attacker if they’re not managed properly. And then you’ve got fitness trackers that individuals bring in – for the most part, those just connect to your phone, and often they don’t hit the enterprise network, but depending on how you’ve got them set up, if your phone is then on your corporate Wi-Fi, then who knows?

Network World: This really DOES harken back to the BYOD challenges of several years ago, doesn’t it?

Wilbur: Exactly. And a lot of these devices have either default or hardcoded passwords, and so, if they are reachable, they might be an attacker’s entry point – they may or may not be software-updateable, so we have recommendations in [our checklist] like, if you’re looking at it from the very beginning, you should set up some policies and rules for employees about what they can bring in and what characteristics it should have.

The danger, and this is the same as the BYOD thing, is that if you’re too restrictive, you end up creating an under-the-table – they used to call it “shadow IT,” you can probably call this “shadow IoT” if you want – you can create that kind of thing where people say “I’m still gonna bring it in, but now it’s really gonna be under the radar,” as opposed to doing it with eyes wide open so you kinda know what you’re getting into.

We recommend setting up a separate network for those devices. Most companies set up a guest network for Wi-Fi, so why not have an IoT-specific network, or why not have them on your guest network also? It depends on the company, and how they want to organize things.

Network World: A lot of industrial IoT seems to involve connecting devices that were designed 10, 20, 40 years ago to the Internet, which they weren’t really meant to do. How do companies go about addressing that kind of concern, given that they’re not going to be able to simply replace giant pieces of industrial equipment that they may have been using for decades?

Wilbur: That’s going to vary according to the project – it’ll vary all the way from providing some gateway of connectivity from legacy systems into a network that gives them some sense of remote control of that, to whole new projects where you’re able to start from scratch with the latest stuff. So, in those kind of environments, the thing to be careful of is, when you have a tightly controlled, highly secure gateway, where the communication is kind of crossing between the IT network and the operational network. There’s a lot of attention these days being paid to that kind of IT/OT blending.

When you have situations like that, in a gateway, you can manage the traffic flow through that gateway very well if you want to, and so that’s really the chokepoint where you can do that. When you go to the newer sort of environment, where you’ve got new products and many of the individual devices are now connected, you can do similar things. Let’s say you’ve got a factory floor, and you have all your devices connected on that floor, you don’t want that network wide-open to the rest of your corporate network, right? So you’re going to have some kind of firewall into that, and it’s really a matter of paying attention to what can be accessed by whom and from where.

The risks of having industrial applications exposed to the world in some way are great – there can be physical harm to individuals, there can be catastrophic-level attacks on machinery to make it fail, and all that kind of stuff. So the security aspect of the connectivity needs to be very strongly taken into account in those kind of environments.


US Homeland Security: No Apology For Immigrant Separations


The US homeland security secretary says the Trump administration will not apologise for separating undocumented immigrant children from their parents.

Kirstjen Nielsen told a police conference in Louisiana the young people are being well taken care of in US detention centres.

Photos went viral over the weekend showing children being held in fenced enclosures at a Texas facility.

The UN human rights chief has condemned the policy as “unconscionable”.

“We will not apologise for the job we do or for the job law enforcement does for doing the job that the American people expect us to do,” she told the National Sheriffs’ Association annual conference in New Orleans.

“Illegal actions have and must have consequences. No more free passes, no more get out of jail free cards.”

She continued: “It is important to note that these minors are very well taken care of – don’t believe the press – they are very well taken care of.

“If you cross the border illegally,” she added, “if you make a false immigration claim, we will prosecute you. If you smuggle aliens… we will prosecute you.”

Ms Nielsen was widely criticised on Sunday when she tweeted that her department does “not have a policy of separating families at the border. Period.”

Over the weekend, protesters rallied against the Trump administration’s “zero tolerance” immigration crackdown, accusing White House and US immigration officials of cruelty.

US First Lady Melania Trump and former First Lady Laura Bush each weighed in on the new policy over the weekend.


Mrs Trump said through a spokeswoman that she “hates to see children separated from families”.

Mrs Bush – who is married to George W Bush – wrote in a Washington Post op-ed that the policy was “cruel” and “immoral”.

She said pictures from the detention centres were “eerily reminiscent” of Japanese-American internment camps during the Second World War.

US Attorney General Jeff Sessions also addressed the New Orleans sheriffs’ conference on Monday, saying undocumented immigrants were exploiting the US system.

He said previous White House administrations had granted effective immunity from prosecution to those who illegally crossed the border with children, creating a “loophole”.

“Why wouldn’t you bring children with you if you know you will be released and not prosecuted?” he asked rhetorically.


Homeland Security Won’t Apologize For Child Separation Laws

WASHINGTON (AP) — Homeland Security Secretary Kirstjen Nielsen says officials will not apologize for enforcing immigration laws that result in the separation of children from their parents.

Nielsen was speaking Monday at the National Sheriffs’ Association conference in New Orleans. Last month, Homeland Security began referring all cases of illegal entry to the Justice Department for prosecution. Nielsen says agents are not acting cruelly, but are enforcing the laws passed by Congress. She says past administrations asked immigration agents to look the other way when families crossed the border illegally, but no longer.

The policy has resulted in nearly 2,000 minors separated from their families over six weeks, and is drawing strong criticism from lawmakers from both parties and advocates who call the tactic inhumane.

Nielsen says agents shouldn’t apologize for doing their jobs.


CompTIA Security+ is a global certification that validates the baseline skills you need to perform core security functions and pursue an IT security career


Why is it different?

No other certification that assesses baseline cybersecurity skills has performance-based questions on the exam. Security+ emphasizes hands-on practical skills, ensuring the security professional is better prepared to problem solve a wider variety of issues. More choose Security+ for DoD 8570 compliance than any other certification. Security+ focuses on the latest trends and techniques in risk management, risk mitigation, threat management and intrusion detection. The new Security+ certification covers the Junior IT Auditor/Penetration Tester job role, in addition to the previous job roles for Systems Administrator, Network Administrator, and Security Administrator.

About the exam

CompTIA Security+ is the first security certification IT professionals should earn. It establishes the core knowledge required of any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs. Security+ incorporates best practices in hands-on troubleshooting to ensure security professionals have practical security problem-solving skills. Cybersecurity professionals with Security+ know how to address security incidents – not just identify them. Security+ is compliant with ISO 17024 standards and approved by the US DoD to meet directive 8140/8570.01-M requirements. The new CompTIA Security+ SY0-501 exam is available as of October 4, 2017. More information on both versions of the exam is available in the Exam Details below.

When WIRED reached out to Google, the company said that it appreciated SRL’s research, but responded by pointing out that some of the devices SRL analyzed may not have been Android certified devices, meaning they’re not held to Google’s standards of security. They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patching it, or the phone didn’t have that feature in the first place. The company says it’s working with SRL Labs to further investigate its findings. “Security updates are one of many layers used to protect Android devices and users,” added Scott Roberts, Android product security lead, in a statement to WIRED. “Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”

Computer security, also known as cybersecurity or IT security, refers to the security of computing devices such as computers and smartphones, as well as computer networks such as private and public networks, and the Internet. The field has growing importance due to the increasing reliance on computer systems in most societies. It concerns the protection of hardware, software, data, people, and also the procedures by which systems are accessed. The means of computer security include the physical security of systems and security of information held on them.


Approaches to security are contested and the subject of debate. For example, in debate about national security strategies, some argue that security depends principally on developing protective and coercive capabilities in order to protect the security referent in a hostile environment (and potentially to project that power into its environment, and dominate it to the point of strategic supremacy). Others argue that security depends principally on building the conditions in which equitable relationships can develop, partly by reducing antagonism between actors, ensuring that fundamental needs can be met, and also that differences of interest can be negotiated effectively.

Artificial Intelligence Key To Do ‘more With Less’ In Securing Enterprise Cloud Services


Security professionals in the enterprise are facing an uphill battle to maintain control of corporate networks.
Data breaches and cyberattacks are rampant, sensitive information belonging to both companies and individuals is spilling unchecked into the underbelly of the Internet, and with the emergence of state-sponsored threat actors, it is becoming more and more difficult for organizations to keep up.
It is estimated that cyberattacks and online threats will cost businesses up to $6 trillion annually by 2021, up from $3 trillion in 2015.
Once cyberattackers compromise an enterprise network or cloud service, information can be stolen, surveillance may be conducted, or in some cases, ransomware attacks can lock down an entire operation and hold a business to ransom.
However, new technologies are entering the cybersecurity space which may help reduce the financial cost and burden on cybersecurity professionals pressed for time and often operating with limited staff and budgets.
Artificial intelligence (AI), machine learning (ML), and predictive analytics applications may one day prove to be the key to maintaining control and preventing successful hacks, data breaches, and network compromise.
These technologies encompass deep learning, algorithms, and Big Data analysis to perform a variety of tasks. The main goal of AI and ML is usually to find anomalies in systems and networks of note, whether it be suspicious traffic, unauthorized insider behavior and threats, or indicators of compromise.
Able to evolve over time, the purpose of AI technologies is to learn, detect, and prevent suspicious and dangerous activities with improvements and refinements the longer such applications and systems are in use. This provides companies with a custom cybersecurity system which tailors itself to their requirements, in comparison to an off-the-shelf, traditional antivirus security solution — which is no longer enough with so many threats lurking at the perimeter.

In an interview with ZDNet, Paul Martini, CEO and co-founder of cloud gateway and security firm iboss said that enterprises are experimenting with these kinds of technology to “alleviate the staffing pressures caused by the well-known skills shortage in cybersecurity.”
Cybersecurity Ventures estimates that by 2021, there will be 3.5 million vacancies in the cybersecurity market left unfulfilled. To make matters worse, a report from Capgemini estimates that only 43 percent of individuals in IT roles have the cybersecurity skills required for their jobs.
While the market as a whole, training facilities, and IT organizations rush to bridge the gap, AI and machine learning technologies may be able to alleviate some of the pressure that enterprise players now face to keep data secure and networks safe.
“AI, predictive analytics, and automation allow security teams to leverage technology and do more with less,” the executive says. “AI and predictive analytics are critical aspects of improving efficiency and productivity because they reduce the number of false alarms and streamline time-intensive manual tasks.”
“For cloud services, in particular, AI and predictive analytics can leverage network anomaly detection to not only identify potential security concerns but performance issues like latency,” Martini added.
The range of these technologies is broad, but according to the executive, “any technology that takes the burden off your security and IT team is extremely useful.”
Behavioral analysis, malware prevention, and email-based security solutions are of particular use to enterprise players when the cloud is concerned.
AI, machine learning, and predictive analytics used to monitor cloud services and networks can detect suspicious traffic, anomalies, and fraudulent emails, in order to hopefully prevent an attack before it occurs.
As both personal and corporate networks have now evolved from simple PC to router systems to include mobile devices, different operating systems, and Internet of Things (IoT) products, more robust security systems are required to keep threats at bay.
“AI and predictive analytics certainly make it more difficult for threat actors to penetrate networks but as we’ve seen throughout the years, threat actors are innovative and resourceful, skilled and dedicated attackers will continue to find ways to penetrate network security,” Martini says. “While AI and predictive analytics will do well preventing the most frequent and basic attacks, highly targeted attacks that leverage unorthodox or custom attack methods will continue to cause problems for enterprise security teams.”
However, AI and machine learning technologies are not intended to replace cybersecurity teams or human input.
Instead, these technologies are best suited as a means to augment security teams — freeing them up from manual tasks to focus on more difficult challenges, patch processes, and critical security issues.
Data also comes into the mix. AI, ML, and predictive analytics are only as effective as the information the systems are working with, and unless enterprise firms are collecting high-quality information relating to services, users, network traffic, and more, they may find that avoidable false positives and incorrect conclusions will reduce performance levels.
“AI and predictive analytics are better suited for cloud-based cybersecurity functions because they have the benefit of larger datasets,” the executive added. “The more historical and real-time data AI programs have, the better they will be. While AI and predictive analytics will still be valuable for traditional security solutions, the highest level of performance will always be in the cloud.”
According to Gartner, 59 percent of organizations are still in the midst of developing AI strategies, while the remainder is in the process of piloting or adopting AI solutions across the board.
The research firm says that enterprises should focus on narrow AI, meaning ML-based solutions that target specific tasks, including security and monitoring, rather than general AI applications, in order to maximize business value.

Artificial Intelligence Is Rapidly Transforming The Art Of War

Several months ago, Vladimir Putin said, “Artificial intelligence is the future, not only for Russia, but for all humankind … whoever becomes the leader in this sphere will become the ruler of the world.” Artificial Intelligence (AI) and its sister technologies will be the engine behind the fourth industrial revolution, which the World Economic Forum described as “unlike anything humankind has experienced before.”
These technologies are capturing people’s imagination. However, one area remains in the shadow of public discourse: AI’s implications for national security and future warfare.
AI’s promise, in the context of national security and armed conflicts, is rooted in three main fields: improving efficiency through automation and optimization; automation of human activities; and the ability to influence human behavior by personalizing information and changing the way information is shared.
Efficiency — the optimal use of minimal resources — is key. In 2016, Google successfully reduced its data center cooling energy use by 40 percent with the “deep mind” neural network. If military planners could reduce spending by 40 percent while maintaining a high level of strategic supremacy and operational readiness, precious resources could be allocated to long-term capacity building, as well as curing the chronic disease of democracy — the constant, growing burden of defense and security spending.
The characteristics of the current and future battlefield pose a great challenge to advanced militaries. Modern battlefields have become a hide-and-seek playground, especially since armed conflicts now focus on heavily populated urban areas. Advanced militaries must choose one of two alternatives: exercise air power, thus causing civilian casualties, or deploy boots on the ground, thus risking heavy losses.
AI could change this costly equation. Combined with “big data” and predictive analytics, it could help militaries identify patterns, links, and anomalies in vast amounts of information. Image processing could find the enemy needle in the urban haystack, while fusion centers could automatically combine massive amounts of data from various sources into landscape analysis for forces in the field.
In cyberspace, AI is already used by both attackers and defenders. Given the state of cybersecurity today, however, greater implementation of AI systems could be a real turning point. New generations of malware and cyberattacks can be difficult to detect with conventional cybersecurity protocols, especially if they themselves use AI. Machine learning allows defending systems to adapt over time, giving defenders a dynamic edge over hackers. AI-based systems can also categorize and prioritize attacks based on threat level. With this kind of automation, there’s almost no doubt that we will soon witness cyber wars machine-to-machine.
And while robots might yield better results in military tasks than humans, full-scale implementation is still far from feasible, especially given the current limits of such basic physical abilities as walking and running. It is more likely that we will witness the emergence of “swarms” of micro-drones capable of performing a wide array of tasks, such as intelligence gathering, gaining aerial dominance, or firing highly-accurate micro-missiles.
Finally, AI will play a significant role in winning the hearts and minds of civilians. Advertisers already use AI to tailor messages to the consumer, based on observed-past and predicted-future behavior. Furthermore, AI can create an alternative truth, with no basis in real facts. Current software can create scenes that have never occurred by manipulating existing visuals and sounds. These capabilities are already used to influence political behavior, and there’s every reason to believe that the battle over narratives — or the truth — is only in its infancy.
These rapid technological developments pose a great challenge to national security, but they also hold incredible promise. We can only hope that our policy-makers will deploy AI to its greatest advantage.
Shay Hershkovitz, Ph.D., is a political science professor specializing in intelligence studies. He is also a former IDF intelligence officer whose book, “Aman Comes To Light,” deals with the history of the Israeli intelligence community.

 

Artificial Intelligence In Security Market Strategic Focus Report With Growth Intelligence And Analysis For Period 2018 – 2023

(EMAILWIRE.COM, March 27, 2018) Artificial Intelligence in Security Market Analysis to 2023 is a specialized and in-depth study of the Artificial Intelligence in Security industry with a focus on the global market trend. The report aims to provide an overview of global Artificial Intelligence in Security market with detailed market segmentation by product/application and geography. The global Artificial Intelligence in Security market is expected to witness high growth during the forecast period. The report provides key statistics on the market status of the Artificial Intelligence in Security players and offers key trends and opportunities in the market.
Publisher projects that the Artificial Intelligence in Security market size will grow from USD 3.92 Billion in 2017 to USD 20.01 Billion by 2023, at an estimated CAGR of 31.22%. The base year considered for the study is 2017, and the market size is projected from 2018 to 2023.
High usage of the Internet and the constant need for employees to be online are contributing to the increasing incidents of cyberattacks as more computing devices are being connected to the Internet of Things. The artificial intelligence in security market, in this report, has been segmented on the basis of offering, deployment type, security type, security solution, technology, end-user industry, and geography. Among all offerings, software holds the largest share of the overall AI in security market owing to the developments in AI software and related software development kits.
Artificial Intelligence in Security Market Players:
· Nvidia
· Intel
· Xilinx
· Samsung Electronics
· Micron
· IBM
· Cylance
· Threatmetrix
· Securonix
· Amazon
· Sift Science
· Acalvio
· Skycure
· Darktrace
· Sparkcognition
· Antivirus Companies
· High-Tech Bridge
· Deep Instinct
· Sentinelone
· Feedzai
Request a Sample Report at http://www.reportsweb.com/inquiry&RW00011692165/sample
By Offering: Software, Hardware, Services
By Deployment Type: Cloud Deployment, On Premise Deployment
By Security Type: Endpoint Security, Network Security, Application Security, Cloud Security
By Technology: Machine Learning, Natural Language Processing (NLP), Context Awareness Computing
The report provides a detailed overview of the industry including both qualitative and quantitative information. It provides an overview and forecast of the global Artificial Intelligence in Security market based on product and application. It also provides market size and forecast till 2023 for the overall Artificial Intelligence in Security market with respect to five major regions, namely North America, Europe, Asia-Pacific (APAC), Middle East and Africa (MEA) and South America (SAM), which is later sub-segmented by respective countries and segments. The report evaluates market dynamics affecting the market during the forecast period, i.e., drivers, restraints, opportunities, and future trends, and provides exhaustive PEST analysis for all five regions.
Inquire before Buying at http://www.reportsweb.com/inquiry&RW00011692165/buying
Also, key Artificial Intelligence in Security market players influencing the market are profiled in the study along with their SWOT analysis and market strategies. The report also focuses on leading industry players with information such as company profiles, products and services offered, financial information of last 3 years, key development in past five years.
Reason to Buy
– Highlights key business priorities in order to assist companies to realign their business strategies.
– The key findings and recommendations highlight crucial progressive industry trends in the Artificial Intelligence in Security market, thereby allowing players to develop effective long term strategies.
– Develop/modify business expansion plans by using substantial growth offering developed and emerging markets.
– Scrutinize in-depth global market trends and outlook coupled with the factors driving the market, as well as those hindering it.
– Enhance the decision-making process by understanding the strategies that underpin commercial interest with respect to products, segmentation and industry verticals.

AP Reports EPA’s Pruitt Spent Millions On Security, Travel

Environmental Protection Agency chief Scott Pruitt’s concern with his safety came at a steep cost to taxpayers as his swollen security detail blew through overtime budgets and at times diverted officers away from investigating environmental crimes.

Altogether, the agency spent millions of dollars for a 20-member full-time detail that is more than three times the size of his predecessor’s part-time security contingent.

EPA spokesman Jahan Wilcox cited “unprecedented” threats against Pruitt and his family as justification for extraordinary security expenses such as first-class airfare to keep him separate from most passengers — a perk generally not available to federal employees.

But Pruitt apparently did not consider that upgrade vital to his safety when taxpayers weren’t footing the bill for his ticket. An EPA official with direct knowledge of Pruitt’s security spending said the EPA chief flew coach on personal trips back to his home state of Oklahoma.

The EPA official spoke on condition of anonymity for fear of retaliation.

New details in Pruitt’s expansive spending for security and travel emerged from agency sources and documents reviewed by The Associated Press. They come as the embattled EPA leader fends off allegations of profligate spending and ethical missteps that have imperiled his job.

Shortly after arriving in Washington, Pruitt demoted the career staff member heading his security detail and replaced him with EPA Senior Special Agent Pasquale “Nino” Perrotta, a former Secret Service agent who operates a private security company.

The EPA official knowledgeable about Pruitt’s security spending says Perrotta oversaw a rapid expansion of the EPA chief’s security detail to accommodate guarding him day and night, even on family vacations and when Pruitt was home in Oklahoma.

Perrotta also signed off on new procedures that let Pruitt fly first-class on commercial airliners, with the security chief typically sitting next to him with other security staff farther back in the plane. Pruitt’s premium status gave him and his security chief access to VIP airport lounges.

The EPA official said there are legitimate concerns about Pruitt’s safety, given public opposition to his rollbacks of anti-pollution measures.

But Pruitt’s ambitious domestic and international travel led to rapidly escalating costs, with the security detail racking up so much overtime that many hit annual salary caps of about $160,000. The demands of providing 24-hour coverage even meant taking some investigators away from field work, such as when Pruitt traveled to California for a family vacation.

The EPA official said total security costs approached $3 million when pay is added to travel expenses.

Wilcox said Pruitt has faced an unprecedented number of death threats against him and his family and “Americans should all agree that members of the President’s cabinet should be kept safe from these violent threats.”

A nationwide search of state and federal court records by AP found no case where anyone has been arrested or charged with threatening Pruitt. EPA’s press office did not respond Friday to provide details of any specific threats or arrests.

Pruitt has said his use of first-class airfare was initiated following unpleasant interactions with other travelers. In one incident, someone yelled a profanity as he walked through the airport.

But on weekend trips home for Sooners football games, when taxpayers weren’t paying for his ticket, the EPA official said Pruitt flew coach.

The source said Pruitt sometimes used a companion pass obtained with frequent flyer miles accumulated by Ken Wagner, a former law partner whom Pruitt hired as a senior adviser at EPA at a salary of more than $172,000. Taxpayers still covered the airfare for the administrator’s security detail.

Walter Shaub, who until last year ran the federal Office of Government Ethics, said it is a potential ethics violation for Pruitt to accept the airline tickets, even if Wagner didn’t pay cash for them. Federal officials are barred from accepting gifts from employees that have a market value of more than $10.

“It would be a very serious ethics problem, indeed, if Pruitt accepted airline tickets from a subordinate,” Shaub said.

The EPA administrator has come under intense scrutiny for ethics issues and outsized spending. Among the concerns: massive raises for two of his closest aides and his rental of a Capitol Hill condo tied to a lobbyist who represents fossil fuel clients.

At least three congressional Republicans and a chorus of Democrats have called for Pruitt’s ouster. But President Donald Trump is so far standing by him.

A review of Pruitt’s ethical conduct by White House officials is underway, adding to probes by congressional oversight committees and EPA’s inspector general.

Pruitt, 49, was closely aligned with the oil and gas industry as Oklahoma’s state attorney general before being tapped by Trump. Trump has praised Pruitt’s relentless efforts to scrap, delay or rewrite Obama-era environmental regulations. He also has championed budget cuts and staff reductions at the agency so deep that even Republican budget hawks in Congress refused to implement them.

EPA’s press office has refused to disclose the cost of Pruitt’s security or the size of his protective detail, saying doing so could imperil his personal safety.

But other sources within EPA and documents released through public information requests help provide a window into the ballooning costs.

In his first three months in office, before pricey overseas trips to Italy and Morocco, the price tag for Pruitt’s security detail hit more than $832,000, according to EPA documents released through a public information request.

Nearly three dozen EPA security and law enforcement agents were assigned to Pruitt, according to a summary of six weeks of weekly schedules obtained by Democratic Sen. Sheldon Whitehouse of Rhode Island.

Those schedules show multiple EPA security agents accompanied Pruitt on a family vacation to California that featured a day at Disneyland and a New Year’s Day football game where his home state Oklahoma Sooners were playing in the Rose Bowl. Multiple agents also accompanied Pruitt to a baseball game at the University of Kentucky and at his house outside Tulsa, during which no official EPA events were scheduled.

Pruitt’s predecessor, Gina McCarthy, had a security detail that numbered about a half dozen, less than a third the size of Pruitt’s. She flew coach and was not accompanied by security during her off hours, like on weekend trips home to Boston.

Pruitt was accompanied by nine aides and a security detail during a trip to Italy in June that cost more than $120,000. He visited the U.S. Embassy in Rome and took a private tour of the Vatican before briefly attending a meeting of G-7 environmental ministers in Bologna.

Private Italian security guards hired by Perrotta helped arrange an expansive motorcade for Pruitt and his entourage, according to the EPA official with direct knowledge of the trip. The source described the Italian additions as personal friends of Perrotta, who joined Pruitt and his EPA staff for an hours-long dinner at an upscale restaurant.

Perrotta’s biography, on the website of his company, Sequoia Security Group, says that during his earlier stint with the Secret Service he worked with the Guardia di Finanza, the Italian finance police.

The EPA spent nearly $9,000 last year on increased counter-surveillance precautions for Pruitt, including hiring a private contractor to sweep his office for hidden listening devices and installing sophisticated biometric locks for the doors. The payment for the bug sweep went to a vice president at Perrotta’s security company.

The EPA official who spoke to AP said Perrotta also arranged the installation of a $43,000 soundproof phone booth for Pruitt’s office.

At least five EPA officials were placed on leave, reassigned or demoted after pushing back against spending requests such as a $100,000-a-month private jet membership, a bulletproof vehicle and $70,000 for furniture such as a bulletproof desk for the armed security officer always stationed inside the administrator’s office suite.

Those purchases were not approved. But Pruitt got an ornate refurbished desk comparable in grandeur to the one in the Oval Office.

Among the officials who faced consequences for resisting such spending was EPA Deputy Chief of Staff for Operations Kevin Chmielewski, a former Trump campaign staffer who was placed on unpaid administrative leave this year.

The prior head of Pruitt’s security detail, Eric Weese, was demoted last year after he refused Pruitt’s demand to use the lights and sirens on his government-owned SUV to get him through Washington traffic to the airport and dinner reservations.

5 Common Browser Security Threats, And How To Handle Them

The web browser is inarguably the most common portal for users to access the internet for any given array of consumer or business purposes. Innovative advances have allowed many traditional “thick client” apps to be replaced by the browser, enhancing its usability and ubiquity. User-friendly features such as recording browsing history, saving credentials and enhancing visitor engagement through the use of cookies have all helped the browser become a “one stop shopping” experience.

However, the browser also has the potential to betray the user through the very same options which are intended to make life easier since it serves as a ripe target for the theft of confidential data because it holds so many proverbial eggs in its basket.

Security intelligence organization Exabeam conducted some recent research to analyze dozens of popular websites such as Google, Facebook, Amazon, and others to determine what kind of user data is stored when interacting with these entities. They found a significant amount of user information kept both on local storage and in the browser.

As a result, Exabeam released a recent blog post which outlines some of the ways your browser can be used against you along with recommended techniques to stay safe.

Here is a summary of their findings along with some other tips for protection:

1. Accessing browser history

Your browser history is a veritable map of where you go on the internet and for what purpose. And it’s not only possible to tell where you’ve been, but when you’ve been there, establishing your behavioral patterns.

Knowing you access certain sites can lead to phishing attacks against you to obtain your credentials for those sites (assuming you haven’t stored this information in the browser), establishing your purchasing habits (for instance if you are a football fan and visit NFL sites, your credit card company isn’t likely to raise an eyebrow if a slew of charges for football merchandise start showing up on your compromised credit card) or even blackmail if the site(s) in question prove illegal or unethical, or allegations thereof can be made.

Recommendations:

Clearing the browser cache is a good way to flush potentially damaging information, especially after engaging in confidential activities such as conducting online banking. This can be performed manually or set to do so automatically such as when closing the browser (Google the details for your browser version and operating system to carry out this and the other recommendations as the steps involved may be subject to change).

Use incognito mode (private browsing) since no harvestable data is stored (if you must use a public system, always make sure to do so with incognito mode).


2. Harvesting saved login credentials

Saved logins paired with bookmarks for the associated sites you visit are a deadly combination. Two mouse clicks might be all it takes for a criminal to have access to your banking/credit card website. Some sites do use two-factor authentication, such as texting access codes to your mobile phone, but many of them utilize this on a one-time basis so you can confirm your identity on the system you’re connecting from. Unfortunately, that system is then deemed trusted, so subsequent access may go entirely unchallenged.

Saved credentials associated with your email account are basically like Kryptonite to Superman in a scenario like this. An attacker who can get into your email can reset your password on almost any other website you access. And keep in mind they might not need to be on your system to do so – if they obtain your email address and password they can work at leisure from any other system they choose.

Just taking a series of screenshots (or even utilizing the camera on a mobile phone) can allow an attacker on your system to record all of your saved passwords. Firefox lets you view these quite easily. While Chrome at least requests your logon password to do so, as stated, resetting this is quite easy with administrative access (which can be simple to obtain thanks to password reset utilities such as Offline NT Password and Registry Editor).

Recommendations:

Don’t save credentials in the browser. Instead, take advantage of free password managers such as KeePass or Password Safe to store passwords (never write them down) via a central master password. These password managers can securely store all your website passwords. A password manager can even access a saved URL and login for you, adding to the convenience and security of your information.

3. Obtaining autofill information

Autofill information can also be deadly. Chrome can save your home address information to make it easier to shop online, but what if your device fell into the wrong hands? Now an attacker knows where you live – and probably whether you’re home.

Recommendations:

Turn off autofill for any confidential or personal details.


4. Analyzing cookies

Cookies (files stored locally which identify users/link them to sites) are another potential attack vector. Like the browsing history, they can reveal where you go and what your account name might be.

As with #1, incognito mode can also come in handy here.

Recommendations:

Disabling cookies is touted as a potential solution, but this has been a problematic “fix” for years since many sites depend on cookies or at least severely limit your functionality (or possibly annoy you with nagging prompts) if these are turned off.

Instead, purging cookies periodically can help protect you, though be prepared to enter information repeatedly as prompted by websites.

5. Exploring the browser cache

The browser cache involves storing sections of web pages for easier access/loading on subsequent visits, which can outline where you’ve been and what you’ve seen. Malware can be tailored to prey upon cache data as well.

Exabeam also considered location history and device discovery to be risky elements in their blog post, stating these could expose user location and other devices used.

Recommendations:

As with #1 and #4, incognito mode can also come in handy here, or manually clear the cache as needed, particularly after sensitive operations.

Some other suggestions

I strongly support setting and utilizing complex passwords on your devices which are rotated periodically, and always encrypt local storage devices, especially on portable systems, to reduce the risk of access to browser data.

Use physical security such as cable locks for laptops, and always lock the screen of your systems when not in use (I do this on my home Windows PC as well). Don’t share machines/passwords with other people.

Take advantage of two-factor authentication where possible and set up recovery accounts where possible for your website accounts, and specify your mobile number and security questions for password resets. Be on the lookout for suspicious activity like emails about new accounts or password resets you didn’t request.

Some sites like Facebook can tell who is currently logged into your account (go to Settings then Security and Login), so check these details periodically – especially if anything out of the ordinary is going on.

Exabeam also recommends utilizing anti-malware software which is routinely updated along with several browser-related options (Google your browser and operating system version for the specific details on how to enact these as settings may change).

Users should also consider changing browser settings to further protect their privacy, or at least analyzing them to be aware of what options are currently enabled/disabled. There are guides online for Chrome, Firefox, Internet Explorer, Safari and Opera.
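
One way to analyze those settings on managed machines is to check a Chrome policy file against the recommendations above. This is an added example, not code from the original article or from Exabeam: the policy names are Chrome enterprise policy keys, while both sample policies and the `audit_policy` helper are constructed for illustration.

```python
import json

# Constructed sample: a managed Chrome policy as it might appear in a JSON
# policy file. The values are deliberately weak for demonstration.
SAMPLE_POLICY = json.loads("""
{
  "PasswordManagerEnabled": true,
  "AutofillAddressEnabled": true,
  "AutofillCreditCardEnabled": false,
  "DefaultCookiesSetting": 2,
  "ClearBrowsingDataOnExitList": ["browsing_history"]
}
""")

# Constructed sample: the same policy with every recommendation applied.
HARDENED_POLICY = {
    "PasswordManagerEnabled": False,
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
    "ClearBrowsingDataOnExitList": [
        "browsing_history",
        "cookies_and_other_site_data",
        "cached_images_and_files",
    ],
}

# Data the article recommends flushing, keyed by the value that
# ClearBrowsingDataOnExitList uses for it.
CLEAR_ON_EXIT = {
    "browsing_history": "history (#1)",
    "cookies_and_other_site_data": "cookies (#4)",
    "cached_images_and_files": "cache (#5)",
}


def audit_policy(policy):
    """Return a sorted list of findings; an empty list means all checks pass."""
    findings = []
    # #2: do not save credentials in the browser. An unset policy leaves the
    # choice to the user, so only an explicit false passes.
    if policy.get("PasswordManagerEnabled") is not False:
        findings.append("PasswordManagerEnabled: password saving not disabled")
    # #3: turn off autofill for addresses and payment cards.
    for key in ("AutofillAddressEnabled", "AutofillCreditCardEnabled"):
        if policy.get(key) is not False:
            findings.append(f"{key}: autofill not disabled")
    # #1, #4, #5: history, cookies and cache should be cleared on exit.
    cleared = set(policy.get("ClearBrowsingDataOnExitList") or [])
    for value, label in CLEAR_ON_EXIT.items():
        if value not in cleared:
            findings.append(f"ClearBrowsingDataOnExitList: {label} not cleared on exit")
    # #4: the article warns that disabling cookies outright (value 2)
    # breaks many sites, so flag it and point to periodic purging instead.
    if policy.get("DefaultCookiesSetting") == 2:
        findings.append("DefaultCookiesSetting: all cookies blocked; prefer clearing on exit")
    return sorted(findings)


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        results = audit_policy(policy)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  FAIL", finding)
```
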


How Experts View Cybersecurity Threats In Businesses: Part 1

Data breach problems have occurred several times during the last few years. They have affected big businesses and even government agencies and political organizations. It is true that getting connected is increasingly necessary. However, the risks of cybersecurity threats in businesses are also growing exponentially. More is at stake for businesses: not only customer data, but also intellectual property, company reputation, and asset safety.

We certainly still remember the WannaCry ransomware attack that happened several months ago. Databases of many hospitals in different countries were encrypted, denying their owners access. Likewise, some data breaches at credit card companies also happened lately. Unfortunately, several cybersecurity threats in businesses are overlooked by the owners. When the attacks happen, they are not able to mitigate the risks fully.

Cybersecurity Threats in Businesses in the Experts’ Eyes

Don Steinberg from KPMG Voice lately published his interviews with three experts in the cybersecurity industry on the Forbes website. They provided some insights on cybersecurity threats in businesses. They are Tony Buffomante from KPMG, Gadi Evron – CEO of Cymmetria (a cybersecurity service provider), and Leonard Brody – the creator of The Great Rewrite.

Information Security Threats Since 2017

The first question of the interview is about information security threats that have occurred since 2017. According to Brody, cyber attacks have become more technologically sophisticated. As a result, the attacks are broader and more things become potential victims. Evron, on the other hand, views the wider cyber attacks as the result of a failure to consider the security aspects of new types of technology. He even predicts that the medical sector will become a target in the next three or five years.

Similarly, Buffomante notes the shift from attacks on personal information, such as credit card information or Social Security numbers, to more destructive ones. His special concerns are medical devices and implantable and wearable devices. In other words, there will be more cybersecurity threats in businesses. Account owners or subscribers are required to have a personal code to log in to their accounts on online stores or online payment systems. Attackers may use machine learning technology to steal customer information.

Overlooked Vulnerabilities

When asked about the most overlooked aspects of web-based businesses, Buffomante points to the security associated with privileged user accounts. Imagine what hackers can do if they get access to the super-user privileged accounts managed by a business. He said that many tools owned by businesses were poorly deployed, thus leaving the privileged accounts at risk.

Evron mentioned the security problems in the internal network. Sometimes, business owners overlook the possibility that attackers gain access to the internal network. If this is the case, there will be very little chance to recover from the damage caused by the hackers. Brody showed similar concerns that many businesses fail to anticipate internal security attacks.

Buffomante, Evron, and Brody provided us with some insights on cybersecurity issues. Businesses may overlook important security aspects when building their infrastructure. Do not miss their views on cybersecurity threats in businesses in the interviews conducted by Don Steinberg from KPMG in the next post http://www.blog-search.com
