Category: Interviews

Supply Chain Cybersecurity: Experts on How to Mitigate Third Party Risk

This article was originally posted at:

23 information security experts provide tips for securing data across business partners, suppliers, and other third parties.

When companies think about security, they most often think of securing their networks, software, and digital assets against cyber attacks and data breaches. But the supply chain – whether a traditional manufacturer or service provider’s supply chain or the “data supply chain” relied on by most large companies – is also vulnerable to security risks, as has been seen in a litany of major data breaches via third parties.

Practically every company has a place in the supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services. Thus, it comes as no surprise that supply chain security is a highly complex, evolving function, and it’s one that security pros and business executives are giving more attention as the risks facing information throughout the supply chain become increasingly obvious.

Supply chain security is every company’s responsibility. The supply chain as a whole is only truly secure when all entities throughout the supply chain carry out effective, coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and the security of the global economy. To find out what tactics and methods companies can utilize to enhance the security of their supply chains and contribute to global supply chain security, we asked a panel of security experts and supply chain professionals to answer this question:

“What steps should companies take to secure their supply chains against cyber attacks/data breaches?”

Chadd Carr is the Director of PricewaterhouseCoopers (PwC) National Cyber Threat Research Center. As a former Special Agent with the Air Force Office of Special Investigations, Chadd has over 18 years’ experience in cyber security, network intrusion investigations, computer forensics, and information operations expressly related to the financial services sector. As a Director with PwC, he oversees PwC’s Cyber Threat Intelligence services, servicing both national and international clients, throughout all sectors.

“There are a few steps companies should take to secure their supply chains against cyber attacks and data breaches…”

1. Companies should consider defining reasonable levels of security and associated controls; requiring sub-contractors, vendors, and critical supply chain partners to meet or exceed those standards as terms and conditions of established business agreements.

2. Companies should consider adding vendor-identifiable information to any existing cyber threat intelligence activities to identify instances of emerging threats or active attacks. Threat actors may compromise a lesser-defended vendor network identified as having access to the principal enterprise network. Awareness of these activities would allow the parent company to initiate countermeasures before the threat actor has the opportunity to move laterally onto their network. Cybersecurity, much like life, requires collaboration.
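The second step above amounts to matching the external footprint of your suppliers against the indicators your threat-intelligence process already ingests. The following is an added example of that matching logic; it is not code from the original article or from PwC. The vendor inventory, the indicator feed, the vendor names, domains and addresses are all constructed (IETF documentation ranges and .example/.test names), and the field layout is an assumption about what a feed export looks like.

```python
"""Match a third-party asset inventory against a threat-intelligence feed.

Added example; not code from the original article or from PwC. The vendor
inventory, indicator feed, names and addresses are constructed for
illustration (documentation ranges and .example/.test domain names).
"""
import ipaddress

# Constructed inventory: which supplier operates which externally visible assets.
VENDOR_ASSETS = {
    "acme-logistics": {
        "domains": ["acme-logistics.example"],
        "networks": ["203.0.113.0/24"],
    },
    "widget-parts": {
        "domains": ["widgetparts.example", "shop.widgetparts.example"],
        "networks": ["198.51.100.0/25"],
    },
}

# Constructed indicators, in the shape a CTI platform might ingest from a feed.
INDICATORS = [
    {"type": "domain", "value": "vpn.acme-logistics.example.", "tag": "credential-phishing"},
    {"type": "ipv4", "value": "203.0.113.77", "tag": "c2-beacon"},
    {"type": "ipv4", "value": "198.51.100.200", "tag": "scanner"},          # outside the /25
    {"type": "domain", "value": "widgetparts.example.attacker.test", "tag": "lookalike"},
]


def domain_matches(candidate, owned):
    """True if candidate equals owned or is a subdomain of it.

    The comparison is label-aligned (".owned" suffix), not a substring test,
    so a lookalike such as "widgetparts.example.attacker.test" does not match.
    """
    c = candidate.lower().rstrip(".")
    o = owned.lower().rstrip(".")
    return c == o or c.endswith("." + o)


def ip_matches(candidate, networks):
    """True if candidate is an address inside any of the vendor's CIDR blocks."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def match_indicators(vendor_assets, indicators):
    """Return one hit per (vendor, indicator) whose value falls in that vendor's footprint."""
    hits = []
    for ind in indicators:
        for vendor, assets in vendor_assets.items():
            if ind["type"] == "domain":
                hit = any(domain_matches(ind["value"], d) for d in assets["domains"])
            elif ind["type"] == "ipv4":
                hit = ip_matches(ind["value"], assets["networks"])
            else:
                hit = False
            if hit:
                hits.append({"vendor": vendor, "indicator": ind["value"], "tag": ind["tag"]})
    return hits


if __name__ == "__main__":
    for h in match_indicators(VENDOR_ASSETS, INDICATORS):
        print(f"{h['vendor']}: {h['indicator']} ({h['tag']})")
```

Each hit is a prompt to ask the vendor what happened before the actor pivots into your own environment. The label-aligned domain check matters: a plain substring match would have flagged the lookalike domain as the vendor's own asset and sent the wrong party chasing it.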


Why you need to be proactive against data scraping

This article was originally posted at:

Data is the currency of the modern business. For organizations big and small, data now plays a large part in ensuring that a business can optimize its operations, correctly target its marketing, properly engage its customers and enable employees to collaborate. With the prevalence of mobile data connections, the Internet of Things, connected workflows and social networks, organizations are now better able to build actionable intelligence from customer and operational data.

With such access to data, however, comes concern about security, in particular the confidentiality and integrity of corporate and user data. According to a 2015 study by the Ponemon Institute and IBM, businesses incur an average cost of US$154 per record lost or leaked, up 6 percent from the previous year. For an enterprise of scale, these costs grow with the size of the database and can run to millions of dollars. For a small business, any data leakage can mean a breach of customer confidence.

According to EMC, China leads the way in the number of businesses that rank ahead of the curve in the data maturity matrix, at 30 percent. However, a vast majority of businesses, at 87 percent, rank in the bottom two categories, which means that most businesses globally are not yet prepared to properly manage and secure their data.

What is data scraping?
Data scraping is the automated gathering of structured or unstructured data from digital sources, such as websites, databases or other repositories, so that it can be loaded into another database or put to other uses. For example, data you publish on your website can be pulled out wholesale by other parties and republished as their own.

This usually involves bots that crawl websites or query databases and parse what they retrieve into the scraper’s own data set. Scraping public content is straightforward; some scrapers go further and pull content from supposedly private databases by exploiting security flaws in the applications that front them.

Why it’s becoming a serious concern
The rising popularity of cloud platforms and distributed infrastructure makes it harder to mitigate the risks of data moving across both encrypted and open networks, largely because of the way enterprises collaborate today. For example, a BYOD policy can result in corporate data leaking through personal devices or personal connections.

Social engineering is another vector: an attacker who obtains a legitimate user’s credentials gains the same access to business data that the user has. The data can then be scraped piecemeal and reconstituted later.

The obvious repercussion is that other parties gain access to confidential or proprietary content; a competitor might get hold of your customer list, for example. Malicious actors can also hold your data hostage, sell it to another party or leak it to the public. The Sony Pictures breach in 2014 exposed large volumes of employee records and internal email messages, leading to a costly PR nightmare for the entertainment company.

According to Juniper Research, cybercrime will cost businesses US$2.1 trillion by 2019, mostly from attacks orchestrated by organized cybercrime groups. Such activities are becoming more profitable for cybercriminals given the importance that businesses place on data today. Hacker groups can sell the data, hold it ransom by threatening to leak it, or simply encrypt the data on a user’s computer and demand payment for its release.

How should I address data scraping?
The most straightforward way to protect your data is to harden the infrastructure against unwanted extraction while still letting legitimate scrapers reach your content. Scrapers can be filtered at several layers before they reach your database, but legitimate bots, such as Google’s search crawlers, still have to be let through.

That calls for an analytics-driven approach: how does your system know whom to block and whom to let through? Some solutions use a challenge-based approach, serving a CAPTCHA or a browser check before content is returned; others use heuristics, analyzing bot behavior to infer intent.

Another safeguard lies in your network topology: place controls so that bots never reach your database at all. Edge-based blocking with content delivery networks, reverse proxies and web application firewalls also helps, to some extent, against network overloads and DDoS attacks.
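The heuristic approach above, letting verified search crawlers through while challenging or blocking machine-speed page pulls, is shown below as an added example; it is not code from the original article. The access-log lines are constructed in Combined Log Format, the reverse-DNS table stands in for real PTR lookups (the verification method Google documents is a PTR lookup followed by a forward lookup that must return the same address), and the rate and request-count thresholds are assumptions to be tuned per site.

```python
"""Classify web clients from access-log lines: verified crawler, scraper or normal.

Added example, not code from the original article. The log lines and the
REVERSE_DNS table are constructed; production code would perform a real PTR
lookup and then forward-resolve the returned name back to the client address.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff")
CRAWLER_UA_MARKERS = ("Googlebot", "bingbot")
CRAWLER_PTR_SUFFIXES = (".googlebot.com", ".google.com", ".search.msn.com")

# Constructed PTR answers standing in for real reverse-DNS lookups.
REVERSE_DNS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "198.51.100.9": "vps-9.hosting.example",
}

# Assumed thresholds for this example; tune per site.
RATE_LIMIT_PER_MIN = 30
MIN_REQUESTS = 10

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, second, path, ua, referer="-"):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [10/Mar/2016:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 4096 "{referer}" "{ua}"')


# Constructed sample: a browser user, a genuine Googlebot, a spoofed "Googlebot"
# and a plain script, the last two pulling a dozen product pages in about 11 s.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", 1, "/products/1", BROWSER_UA),
     _line("203.0.113.5", 1, "/static/app.css", BROWSER_UA, "https://www.example/products/1"),
     _line("203.0.113.5", 45, "/products/7", BROWSER_UA, "https://www.example/products/1"),
     _line("66.249.66.1", 2, "/robots.txt", GOOGLEBOT_UA),
     _line("66.249.66.1", 3, "/products/2", GOOGLEBOT_UA)]
    + [_line("198.51.100.9", 10 + i, f"/products/{i}", GOOGLEBOT_UA) for i in range(12)]
    + [_line("192.0.2.44", 20 + i, f"/products/{i}", "python-requests/2.9.1") for i in range(12)]
)


def parse_log(text):
    """Group parsed requests by client IP; lines that do not match the format are skipped."""
    clients = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        clients[m["ip"]].append((ts, m["path"], m["ua"]))
    return clients


def verified_crawler(ip, ua):
    """Trust a crawler User-Agent only if the client's PTR name is in a known operator domain."""
    if not any(marker in ua for marker in CRAWLER_UA_MARKERS):
        return False
    ptr = REVERSE_DNS.get(ip, "")
    return ptr.endswith(CRAWLER_PTR_SUFFIXES)


def classify_client(ip, requests):
    """Return (verdict, metrics) for one client's requests within the log."""
    times = sorted(t for t, _, _ in requests)
    span = max((times[-1] - times[0]).total_seconds(), 1.0)
    per_min = len(requests) * 60.0 / span
    static = sum(1 for _, p, _ in requests if p.lower().endswith(STATIC_EXT))
    ua = requests[0][2]  # first UA seen; a client switching UAs is itself a signal
    metrics = {"requests": len(requests), "per_min": round(per_min, 1), "static": static}
    if any(marker in ua for marker in CRAWLER_UA_MARKERS):
        # Claimed crawler: admit if DNS-verified, otherwise it is spoofing a crawler UA.
        return ("crawler" if verified_crawler(ip, ua) else "block"), metrics
    if len(requests) >= MIN_REQUESTS and per_min >= RATE_LIMIT_PER_MIN and static == 0:
        # Page-only traffic at machine speed: no browser loads pages without assets.
        return "challenge", metrics
    return "allow", metrics


def classify_log(text):
    """Map each client IP in the log to its verdict."""
    return {ip: classify_client(ip, reqs)[0] for ip, reqs in parse_log(text).items()}


if __name__ == "__main__":
    for ip, reqs in parse_log(SAMPLE_LOG).items():
        verdict, metrics = classify_client(ip, reqs)
        print(f"{ip:14} {verdict:9} {metrics}")
```

The spoofed crawler is the case that matters: a User-Agent string costs nothing to copy, so the allowlist has to be keyed on something the scraper cannot forge, here the reverse-DNS result. The "challenge" verdict is where a CAPTCHA or browser check would be served rather than an outright block, which keeps false positives recoverable.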

The emerging trend in data leakage prevention is a shift from manual prevention toward automatically mitigating breaches before they happen. Chadd Carr, director of Cyber Threat Detection at PricewaterhouseCoopers, says this will involve automation: “Integrated intelligent platforms designed to mimic the training, capabilities, and methodologies of security professionals and threat actors alike – capable of fusing end-to-end intelligence (external-to-perimeter-to-end point), all tipping-and-queuing each other, and feeding logic into active control defenses; essentially removing the human from the action loop.”

The takeaway
The key is to be proactive against data scraping, leakage and loss. If you have data worth protecting, do not wait for an incident and then react. Instead, harden your infrastructure, establish policies for ensuring data integrity, and use intelligence and analytics to your advantage.


Baltimore Cyber Security Director Brings Safe Resolutions to Clients

This article was originally posted at:

For Chadd D. Carr, director of cyber threat intelligence and response services at PricewaterhouseCoopers, his passion for cyber security started at a very young age. Throughout his career, he has held a number of positions, including serving as a federal agent and computer crime investigator with the USAF Office of Special Investigations.

Carr holds a Bachelor of Science in information systems management from National Louis University, a Master of Science in information technology from the University of Maryland University College and a Ph.D.(c) in cyber security from Northcentral University.

What are the responsibilities of your current role?

“As director, I oversee both our breach response and cyber intelligence services, although the latter consumes most of my day-to-day. I focus on three areas: pre-attack posturing, generating intelligence on emerging cyber threats and performing breach indicator assessments for our clients to help defend against cyber threats; steady-state activities, ensuring our client information systems are safeguarded effectively and post-attack, conducting computer network forensics and remediation activities in the event of a data breach or theft of intellectual property.”

What is your favorite part about your daily duties?

“Every day brings with it new challenges. Our industry really has no checklist. It’s really about pulling together a group of highly skilled professionals to resolve problems real-time as they happen. PwC employs the best and the brightest, and with that comes a never-ending opportunity to grow, both professionally and personally. The best part of the day is definitely working alongside great people.”

How has your education/training prepared you for your current role?

“Education is critical, both in terms of knowledge and all the peripheral things you learn along the way such as prioritizing tasks, time management, self-sacrifice, commitment and goal setting. Education is good, but it’s the application of what you learned that makes you intelligent. I’m a lifelong student who believes that the moment you stop learning is the moment you become irrelevant.”

What do you do to continue your education/training?

“I always try to be enrolled in at least one continuing education course at any given time, whether it is a college course or industry certification. If my employer has funding for tuition assistance, you can be pretty sure I’m going to maximize it!”

Do you have any advice for others looking to enter this field?

“Cyber security is a highly dynamic and constantly evolving field. If you approach it as a hobby, you will miss way too much to make a difference. It’s a lifestyle. You have to live it day in and day out. It’s also an industry that calls upon your reputation, or brand, daily. You have to go to school. You need certifications. You need to get a Bachelor of Science and eventually a Master of Science in a computer-centric field. I fell in love with both school and computers, so a doctorate was a natural evolution because I also have a strong passion to share knowledge with others.”


Experts on the Data Loss Prevention (DLP) Market in 2016 & Beyond

This article was originally posted at:

With the number of high-profile security breaches on the rise, such as the massive healthcare data breaches at Anthem and Premera, the hack and ensuing data breach at the U.S. government’s Office of Personnel Management, Sony’s multiple hacking incidents in recent years, the highly publicized Target breach, and many others, industry analysts have noted a massive resurgence in demand for data loss prevention (DLP) solutions. But how will today’s trends impact the DLP market in 2016 and beyond, and what changes looming on the horizon will cause DLP solutions to evolve to accommodate the increasingly complex data protection needs of modern organizations?

To find out how today’s security experts see the DLP market evolving in the coming years, we asked a panel of leading cybersecurity experts to answer this question:

“Where do you see the data loss prevention (DLP) market going in 2016 and beyond?”

Chadd Carr is the Director of Cyber Threat Detection and Response Services for PricewaterhouseCoopers (PwC). As a former Special Agent with the Air Force Office of Special Investigations, Carr has over 18 years’ experience in cyber security, network intrusion investigation, and information operations expressly related to data breaches and data loss. As a Director with PwC, he oversees both the Incident Response and Cyber Threat Intelligence services, servicing national and international clients, public and private, across each of the 16 critical infrastructure sectors. Data loss is one of many threats he identifies, counters, and remediates daily. Furthermore, as a management consultant rather than a technology consultant, he maintains awareness and expertise across a wide range of data loss prevention technologies in order to present the best cyber security solution to clients.

“The new paradigm around cybersecurity, specifically data loss prevention and identification, will certainly be…”

Centered around data fusion with a particular focus on minimizing the time to identify, validate, and remediate incidents of exposure. This will most likely come in the form of integrated intelligent platforms designed to mimic the training, capabilities, and methodologies of security professionals and threat actors alike – capable of fusing end-to-end intelligence (external-to-perimeter-to-end point), all tipping-and-queuing each other, and feeding logic into active control defenses; essentially removing the human from the action loop.

Why focus on identification as opposed to prevention? Since the first truncated transmission traveled between the University of California and the Stanford Research Institute in 1969, our society has become increasingly integrated. Specific to data loss, this integration has enabled access to networked resources, the tools/knowledge needed to nefariously exfiltrate data they contain, and a way for threat actors to monetize it. The previous barriers of entry into this market (software, technical training, methods, etc.) have gone away, attracting a wide group of actors including hackers, hacktivists, and advanced persistent threats (APTs). Although motivation may be used to differentiate these groups, the primary delineators of these are technical expertise and access to resources. Ultimately, there are too many exfiltration points to monitor effectively. By searching for hives of data across the surface, deep, and dark webs, organizations are better positioned to contain exposure.

In the meantime, organizations need to remain vigilant and committed to a defense-in-depth framework. No one single solution is capable of defending against all variety of data exfiltration. Security-savvy or threat-aware organizations understand that sound cyber security is much like physical fitness in that it is a lifestyle, and any plan that forces users to deviate too far off of their normal behaviors will not endure. The trick is to achieve balance between security and usability and trade-off between threat probability and threat ramifications.


eBay Becomes Next Big Company Hit with Data Breach

Original article published at:

The list of big companies that has been hacked by cybercriminals continues to grow, and eBay is the latest addition.

The online auction website announced in May 2014 that a database containing encrypted passwords and other non-financial data was infiltrated by hackers sometime between late February and early March of the same year.

But the cybercriminals may not be able to count this data breach as a total win. While they were able to penetrate eBay’s database of passwords and other personal account information, they were not able to break into its database of financial information, according to the company.

“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” the company wrote in a release.

The compromised eBay database included customers’ names, encrypted passwords, email and postal addresses, phone numbers, and dates of birth. But financial details, such as debit and credit card numbers, and any personal or financial information for PayPal users, were not compromised.

It was likely not for a lack of trying, says Chadd Carr, cyberthreat intelligence expert at C4Cyber, a Gainesville, Virginia-based network security company.

“Like many, eBay uses a segmented framework, essentially compartmentalizing data types as a matter of containment in the event of a breach,” he says. “Subscriber financial data is stored separately from subscriber account information.”

However, while your credit card information may be safe from cybercriminals for now, you still may not completely avoid trouble. According to Carr, cybercriminals can use the type of information that was stolen in the eBay breach to launch mass phishing attacks in an effort to solicit further personal information. If they are able to obtain your Social Security number, credit card information, or other data, your financial life could be at risk.

If you are an eBay user, consider these five tips to help you stay vigilant and protect your personal information:

1. Change your username and password on your eBay account and on any other accounts sharing that username or password. Hackers commonly run lists of usernames and passwords through some automated scripts when attempting to access bank accounts, Carr says. This means if you share your eBay username with your online bank account, for example, your finances could be vulnerable.

The Federal Trade Commission (FTC) suggests being unpredictable with your passwords. Steer clear of words that could easily be guessed, such as your name and date of birth, and use at least 10 characters in all passwords.

2. Be cautious when asked to share your personal information. Do not hand out personal information to someone you don’t know who is soliciting it over email, a text message, social media, or a phone call. The FTC says that legitimate companies won’t ask for bank or credit card information, Social Security numbers, passwords, or other sensitive details through unsecured channels.

Those who bid frequently on eBay should be especially vigilant about related scams.

“A common scam is to target sport memorabilia enthusiasts in an effort to make side deals,” Carr says.

With users’ stolen email addresses, cybercriminals could monitor high-volume bids and email the top bidders, telling them the winner backed out and asking if they are still interested in the item. The victims, assuming the inquiry is authentic, may agree to send a check for an item that never comes.

3. Lock down your social media profiles to friends only.

“Email addresses, mailing addresses, and phone numbers are the foundation of identity theft,” Carr says.

Social media profiles frequently make at least one of these pieces of information easily searchable, and typically they attach it to your real name. Protect yourself by making your profile private and the security settings more restrictive.

4. Check your bank accounts often. Look for any charges you don’t recognize, flag them, and contact your bank immediately. Regardless of whether your information has been compromised, this should be part of anyone’s financial routine.

5. Check your credit report. Because the eBay theft involved personal information rather than financial information, it’s actually more likely that you’ll catch an identity thief through your credit report than your bank account. You are entitled to one free credit report from each of the three national credit bureaus every 12 months. If you’d like more regular access, consider a credit monitoring product.
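Tip 1 above describes the service-side view of a credential-stuffing run: one source replaying a breached username/password list against another site’s login. What that looks like in an authentication log, and how a defender can pick it out, is shown below as an added example; it is not code from the original article or from eBay. The events, addresses and usernames are constructed, the “timestamp ip username outcome” layout is an assumption about a generic auth log, and the thresholds are illustrative.

```python
"""Spot credential-stuffing runs in authentication logs.

Added example, not from the original article. The events are constructed and
the log layout ("timestamp ip username ok|fail") is an assumption; the
thresholds are illustrative values, not recommendations.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20          # assumed: attempts from one source inside WINDOW
MIN_DISTINCT_USERS = 15    # assumed: many different accounts, not one account
MAX_SUCCESS_RATIO = 0.10   # assumed: stuffing mostly fails, with a few hits


def _ev(ip, minute, second, user, ok):
    """Build one constructed auth-log line."""
    return f"2016-05-21T10:{minute:02d}:{second:02d} {ip} {user} {'ok' if ok else 'fail'}"


# Constructed sample: a user who mistypes once, a single-account brute force,
# and a stuffing run of 40 distinct usernames with two reused-password hits.
EVENTS = "\n".join(
    [_ev("203.0.113.5", 0, 5, "alice", False), _ev("203.0.113.5", 0, 20, "alice", True)]
    + [_ev("192.0.2.9", 1, s, "bob", False) for s in range(0, 50, 2)]
    + [_ev("198.51.100.77", 2 + i // 20, (i * 3) % 60, f"user{i:03d}", i in (7, 31))
       for i in range(40)]
)


def parse_events(text):
    """Group (timestamp, username, success) tuples by source IP, sorted by time."""
    by_ip = defaultdict(list)
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "ok"))
    for events in by_ip.values():
        events.sort()
    return by_ip


def detect_stuffing(by_ip):
    """Slide a WINDOW over each source's attempts; report the largest window that
    has many attempts, many distinct usernames and a low success ratio.

    A single account hammered from one IP (classic brute force) fails the
    distinct-user test on purpose; that is a different detection.
    """
    findings = {}
    for ip, events in by_ip.items():
        best = None
        j = 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= WINDOW:
                j += 1
            window = events[i:j]
            users = {u for _, u, _ in window}
            successes = [u for _, u, ok in window if ok]
            if (len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and len(successes) / len(window) <= MAX_SUCCESS_RATIO):
                cand = {"attempts": len(window), "distinct_users": len(users),
                        "compromised": sorted(set(successes))}
                if best is None or cand["attempts"] > best["attempts"]:
                    best = cand
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_events(EVENTS)).items():
        print(f"{ip}: {f['attempts']} attempts, {f['distinct_users']} users, "
              f"compromised={f['compromised']}")
```

The "compromised" list is the actionable output: those are the accounts whose owners reused a password leaked elsewhere, and they need a forced reset and a notification, which is exactly why the article’s first tip is to change any password shared with the breached account.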


Can CIOs justify replacing employees with a hologram projector?

This article was originally published at:

With hologram technology advancing, it may soon be possible to replace traditional workers with hologram projectors. But is it smart? A CTO weighs in.

Each month, the CIO Media group at TechTarget will be featuring an emerging technology and discussing its potential impact for CIOs and the organization. In this inaugural installment of Future State, senior site editor Wendy Schuchart discusses 3-D hologram technology and finds out what our CIO readers think about using it for applications in the organization.

When is a CIO like a human resources director? Answer: When the employees have been replaced by three-dimensional hologram technology.

Like something off of Star Trek’s Holodeck, the science behind 3-D holographic projection made huge news earlier this century when entrepreneurs re-animated dead celebrities for concerts. Now, 3-D holographic projections have become mild novelty pieces in airport security lines in Washington, D.C., New York, Boston and Long Beach, Calif. Recent technological advancements make clear that a new 3-D hologram projector will be attainable by even the smallest SMBs very soon. Three-dimensional holograms could potentially be used to draw foot traffic into a retail store or to communicate information at recreational facilities, for instance.

Hologram technology vendors such as Tensator and AirportOne stress that 3-D holographic projections are the perfect employee: They never need caffeine or a bathroom break and can work 24 hours a day all year without asking for vacation during the busiest time of the business cycle. With starting costs of $25,000 per “worker,” if used around the clock, hologram technology could certainly pay for itself quickly over the salary of actual workers in the same roles.

But CIOs remain doubtful that a hologram projector would be applicable to most business functions.

“Although we have a fairly large number of people visiting our facilities daily and have an active presence in trade shows, we would not procure, maintain or transport such an item. The dynamic nature of both those environments requires human communication and collaboration,” said Chadd Carr, executive vice president and CTO at Gainesville, Va.-based Advanced Concepts Research Group LLC.

Scientists at the Massachusetts Institute of Technology in Cambridge, Mass., have enhanced the visual quality of 3-D holographic projections, improving on the spatial light modulator to potentially offer more affordable options. At a starting cost of $500, hologram technology could suddenly be within the grasp of small SMBs.

But until technology allows for significantly more interaction with the customer, CIOs and industry leaders are concerned that the 3-D hologram is just a really expensive, pretty video monitor.

“The holographic informative technology is better suited for environments which allow for captive audiences for an extended period of time, such as waiting rooms (clinics, hospitals, dentists, etc.) or the department of motor vehicles,” Carr said. “Preprogrammed communications are not conducive for sales where potential clients choose whether to do business with you or not in a matter of seconds.”

Others agree with Carr’s contention that the technology isn’t always feasible — or even a good spend of IT budgets. “I’ve seen the one at IAD [Washington Dulles International Airport] — it’s pretty weak, and no more useful than a screen or even a static sign would be,” said Phil Smith III, a senior product manager and architect at Voltage Security Inc.

For now, the marketplace doesn’t seem terribly interested in replacing its live in-person workforce with 3-D hologram projections. Case in point: The company that created the 3-D hologram of Tupac Shakur for Coachella went bankrupt last year. Perhaps a 3-D hologram projector is more complicated than flesh and blood, after all.

What do you think? Would you ever deploy a 3-D hologram projector in place of a real employee? Vote yea or nay in the comments.


InvestMaryland Challenge: Q&A with Advanced Concepts Research Group

The first-ever InvestMaryland Challenge is down to its final round with just 33 companies competing for more than $300,000 in grants and business services. The final winners will be announced during the Governor’s Cup Awards Ceremony on April 15.

One of the companies, selected out of more than 250 applicants, is Advanced Concepts Research Group, based in Gainesville, Virginia and Aberdeen, Maryland, and founded in 2010. To find out a little more about this high-tech company, we spoke with President and CEO Yasuko Carr and Executive Vice President and CIO Chadd Carr, who also describe themselves as a “dynamic husband and wife duo.”

Q. What does Advanced Concepts Research Group do, and how would you explain it to the average person?

Yasuko: We are a certified minority and woman-owned small business. ACRG offers expertise in information technology research and development and formal test and evaluation of information and intelligence-based systems. Our goal is to provide a broader range and more robust set of cyber threat intelligence tools essential for building a more secure cyberspace. ACRG’s Security Sciences Laboratory seeks to reduce future cyber security issues through the research of root causes of modern cyber security deficiencies, fostering open collaboration and integration of emerging knowledge, and expediting time-to-market of technologies, standards, and requirements.

Q. Has the company been successful so far?

Chadd: We’re about two years in the making and we average a new customer about once a month, so we’re growing at a rapid pace. People see the value in what we’re doing because we’re filling a huge gap that not only concerns businesses and the federal government, but also daily consumers like you and me. We’re so far having great success. One of the biggest challenges of our products, which you can classify as disruptive technology, is that they’re too new. People need time to get their minds around how this works.

Q. Tell us more about the unique and innovative things your company is doing. How is it moving the industry forward?

Chadd: We identify gaps in security. We come up with innovative solutions to fill that gap and what’s novel about us is that we have the expertise to develop those tools in-house. With our Templar Keyboard, we noticed that the current security structures, whether they be a personal computer or at work, simply ask you for a username and password, sometimes they have a common access card or another card you stick in a slot, but really all that is doing is ensuring that someone has the right login information. It in no way seeks to verify that the person with those credentials is the authorized person, so that’s common in any security architecture today. The Templar Keyboard, using some advanced biometric technology and computer algorithms, is able to constantly verify that the person is the actual authorized human user. Right now, it’s the only biometric keyboard being developed. The fingerprint technology being used currently captures the entire fingerprint. Instead, we use a grid process, where we take snippets of multiple fingerprints at random variations and do link analysis to determine identity.

Q. If Advanced Concepts Research Group were to win prize money in the contest, how would it use the money to further its goals?

Yasuko: We’re committed to matching funds won in the InvestMaryland Challenge, and using the prize money to take the company to the next level. One use would be continued research and development, which would be accomplished in our IT lab here in Maryland, and the second would be prototype development, which we would outsource to one of the 250 InvestMaryland Challenge applicants.

This article was originally posted at:
