Security

GOOGLE CAMPUS DOORS HACKED, ALLOWED UNAUTHORIZED ENTRY – OTHER COMPANIES VULNERABLE

A Google engineer found that he was able to hack the supposedly secure doors at the search giant’s Sunnyvale offices. He was able to unlock doors without the RFID key, and even lock out employees who did have their key.

 

Forbes reports that David Tomaschik found what turned out to be a completely inexcusable vulnerability in the Software House devices used to secure the site.

Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they’re properly protected.

He was intrigued and digging deeper discovered a “hardcoded” encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect […] And he could prevent legitimate Google employees from opening doors.

Worse, the hack left no trace in the security logs, so there would be no evidence of whether or not the exploit had ever been used.

The same Software House tech is widely used by other companies, meaning that any number of businesses could be left vulnerable.

Google has been forced to segment its network to prevent exploitation of the flaw, and while Software House has now come up with a solution, that will require new hardware. Software House said only that ‘this issue was addressed with our customers.’
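
An added example, not code from Forbes, Google or Software House: a Node.js check that measures whether captured messages look random by counting exact duplicate messages and repeated 16-byte blocks. The device protocol is not described here, so AES-128-ECB under one fixed key and the command frames are constructed stand-ins, contrasted with AES-128-GCM using a fresh nonce per message.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical stand-in for a key embedded identically in every device.
const FIXED_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');

// Constructed 32-byte command frame: two 16-byte fields padded with ';'.
function frame(door, cmd) {
  return `SITE=HQ;DOOR=${door}`.padEnd(16, ';') + `CMD=${cmd}`.padEnd(16, ';');
}

// Weak scheme (assumed for illustration): same key, no nonce, ECB mode.
function encryptFixedKey(plaintext) {
  const c = nodeCrypto.createCipheriv('aes-128-ecb', FIXED_KEY, null);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// Contrast: authenticated encryption with a fresh random nonce per message.
// Output layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
function encryptPerMessage(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-128-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// Counts exact duplicate messages and repeated 16-byte blocks in a capture.
// Properly encrypted traffic should show neither.
function randomnessReport(messages) {
  const seenMessages = new Set();
  const seenBlocks = new Set();
  let duplicateMessages = 0;
  let repeatedBlocks = 0;
  let totalBlocks = 0;
  for (const msg of messages) {
    const hex = msg.toString('hex');
    if (seenMessages.has(hex)) duplicateMessages++;
    seenMessages.add(hex);
    for (let off = 0; off + 16 <= msg.length; off += 16) {
      const block = msg.subarray(off, off + 16).toString('hex');
      totalBlocks++;
      if (seenBlocks.has(block)) repeatedBlocks++;
      seenBlocks.add(block);
    }
  }
  return {
    duplicateMessages,
    repeatedBlocks,
    totalBlocks,
    looksRandom: duplicateMessages === 0 && repeatedBlocks === 0,
  };
}

// Constructed capture: the same unlock command appears three times.
const CAPTURE = [
  frame('012', 'UNLOCK'),
  frame('012', 'UNLOCK'),
  frame('012', 'LOCK'),
  frame('012', 'UNLOCK'),
  frame('007', 'UNLOCK'),
];

function reportFixedKey() {
  return randomnessReport(CAPTURE.map(encryptFixedKey));
}

function reportPerMessage() {
  const key = nodeCrypto.randomBytes(16); // per-device key, generated here for the demo
  return randomnessReport(CAPTURE.map((p) => encryptPerMessage(key, p)));
}

console.log('fixed key, no nonce:', reportFixedKey());
console.log('fresh nonce per message:', reportPerMessage());
```

Random-looking ciphertext is necessary but not sufficient against replay: the receiver must also reject reused nonces or sequence numbers.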

 


Security

THE IOT’S PERPLEXING SECURITY PROBLEMS

Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.

The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.

Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.

Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.

IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, for example, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.

Shadow IoT Devices on Enterprise Networks

One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.

The reported shadow IoT devices included the following:

  • Fitness trackers – 49 percent;
  • Digital assistants such as Amazon Alexa and Google Home – 47 percent;
  • Smart TVs – 46 percent;
  • Smart kitchen devices such as connected microwaves – 33 percent; and
  • Gaming consoles – 30 percent.

There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.

Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.

“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.

“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.

More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.

However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.

Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.

Security for the IoT

“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.

“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.

Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”

Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.

For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.

A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.

“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.

Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”

Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”

Medical Devices and IoT Security

The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.

Medical device manufacturers increasingly have been incorporating connectivity to the Internet, but 53 percent of healthcare providers and 43 percent of medical device manufacturers don’t test their medical devices for security, noted Siddharth Shah, a healthcare industry analyst at Frost & Sullivan.

Few have taken significant steps to avoid being hacked, he told the E-Commerce Times.

Network-connected medical devices “promise an entirely new level of value for patients and doctors,” said Frost & Sullivan healthcare industry analyst Kamaljit Behera.

However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.

“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”

The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.

“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.

Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.

Business

CRYPTOHACKERS BREACH STATCOUNTER TO STEAL BITCOINS

Hackers planted malware on StatCounter to steal bitcoin revenue from Gate.io account holders, according to Eset researcher Matthieu Faou, who discovered the breach.

The malicious code was added to StatCounter’s site-tracking script last weekend, he reported Tuesday.

The malicious code hijacks any bitcoin transactions made through the Web interface of the Gate.io cryptocurrency exchange. It does not trigger unless the page link contains the “myaccount/withdraw/BTC” path.

The malicious code secretly can replace any bitcoin address that users enter on the page with one controlled by the attacker. Security experts view this breach as critical because so many websites load StatCounter’s tracking script.

“This security breach is really important considering that — according to StatCounter — more than 2 million websites are using their analytics platform,” Faou told TechNewsWorld. “By modifying the analytics script injected in all those 2 million websites, attackers were able to execute JavaScript code in the browser of all the visitors of these websites.”

Limited Target, Broad Potential

The attack also is significant because it shows increased sophistication among hackers regarding the tools and methods they use to steal cryptocurrency, noted George Waller, CEO of BlockSafe Technologies.

Although this form of hijacking is not a new phenomenon, the way the code was inserted was.

The growth of the cryptocurrency market and its emerging asset class has led hackers to increase their investments in devising more robust attempts and methods to steal it. The malware used is nothing new, but the method of delivering it is.

“Since the beginning of 2017, cryptocurrency exchanges suffered over (US)$882 million in funds stolen through targeted attacks across at least 14 exchanges. This hack adds one more to the list,” Waller told TechNewsWorld.

In this instance, attackers chose to target the users at Gate.io, an important cryptocurrency exchange, said Eset’s Faou. When a user submitted a bitcoin withdrawal, attackers in real time replaced the destination address with an address under their control.

Attackers were able to target Gate.io by compromising a third-party organization, a tactic known as a “supply chain attack.” They could have targeted many more websites, Faou noted.

“We identified several government websites that are using StatCounter. Thus, it means that attackers would have been able to target many interesting people,” he said.

Telling Financial Impact

Gate.io customers who initiated bitcoin transactions during the time of the attack are most at risk from this breach. The malware hijacked transactions legitimately authorized by the site user by changing the destination address of the bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.

As a rule, the number of third-party scripts, such as StatCounter, should be kept to a minimum by webmasters, as each represents a potential attack vector. For exchanges, additional confirmations for withdrawals would have been beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves.

“Gate.io has taken down StatCounter, so this particular attack should be concluded,” Boshell told TechNewsWorld.

The extent of the loss and the fraud exposure for this breach is not yet quantifiable. The attackers used multiple bitcoin addresses for the transfers, Boshell added, noting that the attack could have been deployed to impact any site using StatCounter.

Protection Strategies Not Foolproof

StatCounter needs to improve its own code audit and constantly check that only authorized code is running on its network, suggested Joshua Marpet, COO at Red Lion. However, most users will not realize that StatCounter is at fault.

“They’ll blame Gate.io, and anything could happen — loss of business, ‘run on the bank,’ and even closing their doors,” he told TechNewsWorld.

Checking the code is not always a workable prevention plan. In this case, the malware code looked like the Gate.io user’s own instructions, noted Privacy Counsel’s Boshell.

“It was not easily detectable by the fraud tools that Gate.io uses to protect against and detect malware,” she said.

Network admins are not really affected in this type of breach, as the malicious code is processed at the workstation/laptop rather than on the webserver, according to Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust. It also does not provide any mechanism to gain control over the system.

“In essence, a lot of stars need to line up to make this a significant risk in that regard,” he told TechNewsWorld. “Effective vulnerability and privilege management would naturally limit the impact of any intrusion.”

That is a direction that admins need to look. There is nothing they can do to control the initial attack, assuming the targeted websites are accepted sites within their organization, Chappell added.

Even a well-protected website can be breached by compromising a third-party script, noted Eset’s Faou.

“Thus, webmasters should choose carefully the external JavaScript code they are linking to and avoid using them if it is not necessary,” he said.

One potential strategy is to screen for scripts that replace one bitcoin address with another, suggested Clay Collins, CEO of Nomics.

Using analytics services that have a good security reputation is part of that, he told TechNewsWorld.

“Folks with ad/script blockers were not vulnerable,” Collins said.
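
An added example, not code from the article or from any company quoted in it: a Node.js screen in the spirit of the suggestion above, which flags a third-party script that both names a sensitive path and carries a checksum-valid bitcoin address literal, and reports drift from a pinned hash. The function names, sample scripts and pinned-hash workflow are assumptions; the path string is the one quoted earlier, and the address is the publicly known genesis-block address, used only as a checksum-valid stand-in.

```javascript
const nodeCrypto = require('crypto');

const BASE58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
// Shape of a legacy (P2PKH/P2SH) bitcoin address; bech32 is out of scope here.
const LEGACY_SHAPE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// True only if the string decodes to 25 bytes whose last 4 are the
// double-SHA-256 checksum of the first 21 (Base58Check). This filters out
// random identifiers that merely look like an address.
function isBase58CheckAddress(s) {
  let n = 0n;
  for (const ch of s) {
    const v = BASE58.indexOf(ch);
    if (v < 0) return false;
    n = n * 58n + BigInt(v);
  }
  let hex = n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = s.match(/^1*/)[0].length; // each leading '1' encodes a 0x00 byte
  const raw = Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
  if (raw.length !== 25) return false;
  const expected = sha256(sha256(raw.subarray(0, 21))).subarray(0, 4);
  return expected.equals(raw.subarray(21));
}

// Screens one script's source text.
//   sensitivePaths: path fragments of pages where money moves
//   pinnedSha256:   hex digest of the last reviewed copy of the script
function screenScript(source, { sensitivePaths, pinnedSha256 }) {
  const digest = sha256(Buffer.from(source, 'utf8')).toString('hex');
  const changed = pinnedSha256 !== undefined && digest !== pinnedSha256;
  const paths = sensitivePaths.filter((p) => source.includes(p));
  const candidates = [...new Set(source.match(LEGACY_SHAPE) || [])];
  const addresses = candidates.filter(isBase58CheckAddress);
  let verdict = 'clean';
  if (paths.length > 0 && addresses.length > 0) verdict = 'block';
  else if (paths.length > 0 || addresses.length > 0 || changed) verdict = 'review';
  return { digest, changed, paths, addresses, verdict };
}

// Constructed sample inputs (inert text, not the real StatCounter script).
const BASELINE =
  "(function(){var i=new Image();" +
  "i.src='//stats.example.invalid/t?u='+encodeURIComponent(location.href);})();";
const TAMPERED =
  BASELINE +
  "\nif((''+document.location).indexOf('myaccount/withdraw/BTC')>-1)" +
  "{var dest='1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa';}";

const OPTIONS = {
  sensitivePaths: ['myaccount/withdraw/BTC'],
  pinnedSha256: sha256(Buffer.from(BASELINE, 'utf8')).toString('hex'),
};

console.log('baseline:', screenScript(BASELINE, OPTIONS).verdict);
console.log('tampered:', screenScript(TAMPERED, OPTIONS));
```

A screen like this only sees literals present in the source text, so it complements keeping third-party scripts off withdrawal pages rather than replacing it.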

More Best Practices

Traffic analysis, website scanning and code auditing are some of the tools that could have detected that something was causing abnormal transactions and traffic, noted Fausto Oliveira, principal security architect at Acceptto. However, it would have been ideal to prevent the attack in the first place.

“If the Gate.io customers had an application that requires strong out-of-band authentication above a certain amount, or if a transaction is aimed at an unknown recipient, then their customers would have had the opportunity to block the transaction and gain early insight that something wrong was happening,” Oliveira told TechNewsWorld.

Using script blocking add-ons like NoScript and uBlock/uMatrix can put a measure of personal control in the website user’s hands. It makes Web browsing more challenging, noted Raymond Zenkich, COO of BlockRe.

“But you can see what code is being pulled into a site and disable it if it is not necessary,” he told TechNewsWorld.

“Web developers need to stop putting third-party scripts on sensitive pages and put their responsibility to their users over their desire for advertising dollars, metrics, etc.,” Zenkich said.

Beware Third-Party Anythings

As a rule, the number of third-party scripts should be kept to a minimum by webmasters, suggested Zenchain cofounder Seth Hornby, as each one represents a potential attack vector.

“For exchanges, additional confirmations for withdrawals would also be beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves,” he told TechNewsWorld.

Even third-party outsourcing solutions can open the door to cyber shenanigans, warned Zhang Jian, founder of FCoin.

“So many companies within the cryptocurrency space rely on third-party companies for different duties and tasks. The ramification of this outsourcing is a loss of accountability. This puts many companies in a tough spot, unable to locate attacks of this nature before it is too late,” he told TechNewsWorld.

Instead, network admins should work toward creating in-house versions of their tools and products, from beginning to end, Jian suggested, to ensure that control of these security measures lies within their reach.

Security

FORMER WHITE HOUSE CIO THERESA PAYTON: ‘THERE ARE GRAVE CONCERNS ABOUT ELECTION INTERFERENCE’

Theresa Payton, CEO of Fortalice Solutions, is one of the most influential experts on cybersecurity and IT strategy in the United States. She is an authority on Internet security, data breaches and fraud mitigation.

She served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.

With the U.S. midterm elections fast approaching, both Payton’s observations about the current cybersecurity threat level and her advice about shoring up the nation’s defenses carry special weight.

In this exclusive interview, she also shares her views on social networking, privacy, and the changing playing field for women who aspire to leadership roles in technology.

TechNewsWorld: What is the chief cyberthreat to the upcoming midterm elections?

Theresa Payton: My biggest worry and concern is that citizens will not trust election results and that the election process will lose legitimacy. We know that the Department of Homeland Security, working with state election officials, have raced against the clock to secure voting systems. Our U.S. intelligence agencies have repeatedly been on the record stating there is no evidence that cybercriminals modified or deleted any votes in 2016.

The next area of concern is for the communications, contacts, and digital campaigns of candidates being broken into and doxed. While the news focuses on securing the votes and the voter databases of the midterm elections, there is not a lot of attention on whether or not campaigns take threats targeting their campaigns seriously. Nothing would hit closer to home for a candidate than if their election was hacked and they lost — or won.

“Cyber” is certainly a buzzword, but it’s not a word without meaning. With the onslaught of breaches, candidates should be laser-focused on cybersecurity.

TNW: What should federal officials do to shore up election security? What should state and local governments do? Where does the buck stop?

Payton: It’s crucial that elected officials on the left and right not politicize an issue in the short term that will have grave long-term consequences for national security.

Defensively, we need to harden our election infrastructure at the local level. This is the responsibility of the Department of Homeland Security.

DHS needs to continue to work at the local level with state election officials, but also to provide much more robust cybersecurity capabilities for protection and detection at the campaign level.

We also need to be sure that the intelligence and homeland security community is effectively sharing information and tools, techniques and tactics.

TNW: How serious are concerns that election interference might be caused by tampering with back-end election systems? What can federal agencies do to address the problems of outdated voting equipment, inadequate election-verification procedures, and other potential vulnerabilities? Is there an argument to be made for some level of mandatory federal oversight of state and local voter systems?

Payton: There are grave concerns about election interference and the race to secure them, globally, is under way. The idea that voter databases could be seeded with falsified data or modified has been around for decades, but the technical know-how and motive has caught up with that idea. Election officials in a race towards automation and efficiency may have helped criminals along, but it’s not too late if we act now.

Today, there are entire countries totally relying on electronic voting: Brazil, since 2000, has employed electronic voting machines, and in 2010 had 135 million electronic voters. India had 380 million electronic voters for its Parliament election in 2004.

It is easy to see why electronic voting is the wave of the future and how the United States could model its own voting system after these countries. It’s faster, cheaper and more accessible for those with disabilities. Also, would you miss the experience of, or the reporting of, the every-election-day headline of “Long Lines at the Polls Today”? Probably not. That is certainly less painful than a recount though.

We are headed towards electronic voting as the sole system we use despite these facts:

  • “The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials,” NBC News reported earlier this year.
  • Russia hacked the Democratic National Committee’s emails with the intention to “interfere with the U.S. election process,” according to the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security.
  • As far as we know, despite the scans and alarm bells, no outside entity has changed any records in the registration database.
  • Scams such as “text your vote” were more prevalent than ever, and will increase as electronic voting becomes more widespread.

The good news is our government took this very seriously. Prior to the midterm elections, the Department of Homeland Security offered state election officials “cyber hygiene scans” to remotely search for vulnerabilities in election systems. They also conducted threat briefings and onsite reviews, as well as released a memo of “best practices” — guidance how best to secure their voter databases.

Some have called for more federal oversight and moving towards a more restrictive security model, but the states own the voting process. Providing year-round briefings from DHS, FBI, CIA, and NSA would prove to be very helpful over time.

Also, we have to remember elections are decentralized. Sometimes there is security in obscurity. Each state in our country, plus the District of Columbia, run their own election operations, including voter databases. A hostile nation state could not feasibly wipe out each system with one wave of their magic wand.

How we vote, though, is just one way our elections could be compromised. Another concern going forward must be disruption of Internet traffic, as we saw occurred just days before the last presidential election cycle on Oct. 21st, 2016, when the Mirai botnet crippled part of the Internet for hours.

A massive Distributed Denial of Service (DDoS) attacked a host server causing major disruptions to some of the most highly visited websites in the United States. The attack was in two waves, first on the East Coast and then on the West Coast.

As our country votes on Election Day in different time zones, and polling stations close at different times, the similarity is chilling.

However, we need everyone to turn out to vote. The focus on bolstering our election security defenses is reassuring. What we know is the warning signs are there. As we move towards the future, and focus on creating and protecting a new system to collect our votes, we need to protect the one we already have.

Two things you can be sure of after this year’s election: Eventually, every vote you cast in a United States election will be electronic, and one of those elections will be hacked. No doubt about it. But the recount in 2016 in Wisconsin reminds us all why we need a backup.

TNW: What are some ways candidates and campaigns can shore up their cybersecurity without draining their war chests? What are some of the practices they should implement in the very early days? A campaign that’s very secure ultimately might lose due to lack of visibility. How can campaigns strike the right balance?

Payton: Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals. Credit card numbers, bank account information, addresses, online identities. The assets go on and on, and cybercriminals are just like bank robbers in the old days: They follow the money.

That is why in today’s day and age, if you are on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers — also known as constituents and voters.

Anyone on a tight budget can follow these guidelines to protect their campaign assets:

  1. Make it as hard as possible on cybercriminals by separating donor information details onto a completely separate domain name with separate user IDs and passwords from the campaign. For example, your campaign domain might be VoteSallySue.com, but donor details would be stored at MustProtectDetails.com.
  2. Using that same practice, run all of your internal communications on a domain name that’s not the campaign name — i.e., email addresses should not be [email protected] but rather [email protected]. Increase the level of protection for internal messages by using encrypted messaging platforms for internal communications, such as Signal or Threema.
  3. Also, be sure to encrypt all of your campaign’s donor data. We have yet to hear a report of a campaign’s donor data being hacked and used for identity theft, but we will — of that I am sure. It would be too lucrative not to try. Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank or organization who has recently been hacked, and they will tell you. I don’t even need to use their names, you know the headlines.
  4. Train technology and campaign staff to spot spearphishing emails and scams. Oh, sure, you think everyone knows not to “click on that link,” but recent studies illustrate doing just that is the No. 1 cause of breaches among employees.
  5. Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don’t you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. Don’t you want the electorate to feel the same way?
  6. Finally, post a privacy policy that’s easy to read, easy to find, and you’ll find voters have more confidence in just your agenda.

TNW: How well — or poorly — have Facebook, Twitter, Google and other tech companies addressed the problems that surfaced in 2016?

Payton: I was encouraged to hear that with less than three weeks to go for the U.S. mid-terms, that Facebook has stood up a war room to combat social media community manipulation as the world heads into elections this fall and winter.

They have also said they have war-gamed a number of scenarios to ensure their team is better prepared for elections around the globe. Much is at stake, so the fact that Facebook also integrated the apps they have acquired — such as WhatsApp and Instagram — into the mix of the war room is a great idea.

If I were to give them advice, I would suggest that another great step to take would be to create a way to physically embed representatives from law enforcement, other social media companies — including Twitter, Linkedin and Google — and to allow election officials around the globe to have a “red phone” access to the war room.

TNW: What are some of the most pressing cybersecurity problems facing social networks, apart from their use as political tools?

Payton: The ability to change their business and moderator models, in real time, to morph quickly to shut down fake personas, fake ads, and fake messaging promoting political espionage, even if it means higher expenses and loss of revenue. Social media companies have made a lot of progress since the 2016 presidential elections and claims of global-wide election meddling, but the criminals have changed tactics and it’s harder to spot them.

On the heels of the August 2018 news that Microsoft seized six domains that Russian Internet trolls planned to use for political espionage phishing attacks around the same time that Facebook deactivated 652 fake accounts and pages tied to misinformation campaigns, Alex Stamos, the former Facebook security chief, posted an essay in Lawfare, and stated that it was “too late to protect the 2018 elections.”

TNW: What role should the government play in protecting citizens’ privacy online?

Payton: As the Internet evolves, laws and regulations must change more rapidly to reflect societal issues and problems created by new types of behavior taking place online. Never before has the world had access to statements, pictures, video and criticism by millions of individuals who are not public figures.

The Internet provides us with places to document our lives, thoughts and preferences online, and then holds that material for an indefinite period of time — long after we might have outgrown our own postings.

It also provides places where we can criticize our bosses, local building contractors, or polluters.

This digital diary of our lives leaves tattered pages of our past that we may forget about because we cannot see them, but they could be collected, collated, and used to judge us or discriminate against us without due process. The government needs to think ahead and determine which laws need to be enacted to protect our right to opt in and out of privacy features and to own our digital lives and footprints.

TNW: What is your opinion of Europe’s “right to be forgotten” law? Do you think a similar law would make sense in the United States?

Payton: The European Union’s “right to be forgotten” sets an interesting precedent, not just for its member countries but for citizens around the world. It is too early to know what the long-term impacts of the EU’s decision to enforce a “right to be forgotten” with technology companies will be. However, it’s a safe bet the law will evolve and not disappear.

There are concerns that giving you or organizations more control of their Internet identity, under a “right to be forgotten” clause, could lead to [censorship] of the Internet. Free-speech advocates around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe, delinking news stories and other information upon an individual’s request.

A quick history lesson of how this law came about: A Spanish citizen filed a complaint with Spain’s Data Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since “delete is never really delete” and “the Internet never forgets,” the personal data about his financial matters haunted his reputation online.

He requested that Google Spain and Google Inc. be required to remove the old news so it would not show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union’s Court of Justice.

Here is an excerpt of what the May 2014 ruling of the EU Court said:

“On the ‘Right to be Forgotten’: Individuals have the right — under certain conditions — to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing… . A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.”

In the U.S., implementing a federal law might be tempting, but the challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup will be crushed under compliance and therefore innovation and startups will die before they can get launched.

However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues but it’s a complex web of laws that apply to the Internet. Technology changes society faster than the law can react, so U.S. laws relating to the Internet will always lag behind.

We have a Better Business Bureau to help us with bad business experiences. We have the FTC and FCC to assist us with commerce and communications. Individuals need an advocacy group to appeal to, and for assistance in navigating online defamation, reputational risk, and an opportunity to scrub their online persona.

TNW: What is your attitude toward social networking? What’s your advice to others regarding the trustworthiness of social networks?

Payton: Social networking can offer us amazing ways to stay in touch with colleagues, friends and loved ones. It’s a personal decision as to how involved you are online, how many platforms you interact with, and how much of your life that you digitally record or transact online.

If you want to be on social media but don’t want to broadcast everything about you, I tell my clients to turn off location tracking — or geolocation tools — in social media. That way you aren’t “checking in” places. Cybercriminals use these check-ins to develop your pattern of life and to track your circle of trust. If a cybercriminal has these two patterns, it makes it easier for them to hack your accounts.

Register for an online service that will give you a phone number, such as Google Voice or Talkatone. Provide that number on social media and forward it to your real cellphone. Avoid personality surveys and other surveys — they are often very fun to do, but the information posted often gives digital clues to what you may use for your password.

Always turn on two-factor authentication for your accounts, and tie your social media accounts to an email address dedicated to social media. Turn on alerts to notify you if there is a login that is outside your normal login patterns.

The amount of personal information you choose to share is up to you — and everyone has to find that limit of what is too much — but at the very least, never give out personally identifiable information like your address, DOB, financial information, etc.

TNW: As the first woman to serve in the role of CIO at the White House, under President George W. Bush, how did you feel about becoming an instant role model for girls and young women interested in tech careers?

Payton: It’s an honor to think about the opportunity to give back and to help along anyone that wants to pursue this career path, especially young women. Candidly, we need everyone to fight the good fight. My heart breaks when I see computer and engineering classes with very few women in them.

We did not reach out to the women early enough, and when I talk to young women in high school and college about considering cybersecurity as a career, many of them tell me that since they have had no prior exposure they are worried about failing, and that it’s “too late now to experiment.” To which I tell them that it’s always a great time to experiment and learn new things!

Prior to taking on the role at the White House, I had been very active in women in technology groups and was passionately recruiting young women to consider technology careers. At the time I was offered the role and accepted, I candidly didn’t have an immediate aha moment about being a role model for women because of that specific job. I was most focused on making sure the mission was a success. I see it now and it’s an honor to be able to be a role model and I strive to live up to that expectation.

The cybersecurity industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, hackers, both ethical and unethical, are often depicted as men wearing hoodies over their faces, making it difficult for women to picture themselves in that role as a realistic career choice, because they don’t think they have anything in common with hackers.

Studies show that women want to work in professions that help people — where they are making a difference. When you stop a hacker from stealing someone’s identity, you’ve made a difference in someone’s life or business. At the end of the day, the victims of hackers are people, and women can make a tremendous difference in this field. This is something the industry as a whole needs to do a better job of showing women.

TNW: You’re now the CEO of a company in the private sector. Can you tell us a little about what Fortalice Solutions does, its mission, and your priorities in guiding it?

Payton: Fortalice Solutions is a team of cybercrime fighters. We hunt bad people from behind a keyboard to protect what matters most to nations, business and people. We combine the sharpest minds in cybersecurity with active intelligence operations to secure everything from government and corporate data and intellectual property, to individuals’ privacy and security.

At Fortalice, our strengths lie in studying the adversary and outmaneuvering them with our human-first, technology-second approaches.

TNW: How have attitudes toward women in powerful positions changed — for better or worse — in recent years?

Payton: Although thankfully this is beginning to change, I am typically the only woman in the room — and that was common in banking as well as technology. I had to learn how to stand up for myself and ensure my voice was heard. I’ve had more than my fair share of times when my technical acumen has been discounted because I’m female.

I’ve learned that grace and tact go a long way, and I’m very, very proud to say that my company is nearly dead-equal male/female. We even started an organization called “Help A Sister Up” — you can find us on LinkedIn — that’s dedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, interesting articles, avenues for discussion. Please join us!

TNW: What’s your advice to girls and women entering technological fields about whether to seek employment in the private or the public sector? What are some of the pros and cons, particularly from the standpoint of gender equality?

Payton: An April 2013 survey of Women in Technology found that 45 percent of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].”

It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem — we don’t have enough women in cyber because there aren’t enough women role models in cyber.

While connecting with other women has had its challenges, there are wonderful women in cyber today. Look at Linda Hudson — currently the chairman and CEO of The Cardea Group and former president and CEO of BAE Systems Inc. — shattering the glass ceiling for women behind her. Also, up-and-comer Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my next point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube.

You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack.

There are some excellent security frameworks and guidance available for free online, such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in this field.
