The insecurity of privileged users — curiosity is dangerous

Larry Ponemon

The ability to control access to critical information resources and prevent a data breach remains an elusive goal for many organizations. In The 2019 Study on Privileged Access Security sponsored by Sila Solutions Group, Ponemon Institute presents four years of research findings on how individuals with the most access to high value information assets can be a serious insider risk.

For purposes of this research, privileged users are assigned privileged access based on their roles and responsibilities. Such access can be defined as broad or elevated access rights to IT networks, enterprise systems, applications and/or information assets. However, according to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and, although it is not necessary, will look at an organization’s most confidential information out of curiosity.

The 659 respondents we surveyed self-reported that they have privileged access to IT resources. Seventy-seven percent of these respondents have access to a minimum of three IT resources and a maximum of more than six IT resources.

The expectation that the risk of privileged user abuse will increase has risen significantly since 2011. The survey found 56 percent of respondents say they expect privileged user abuse to increase in the next 12 to 24 months, a significant increase from 44 percent of respondents in the 2011 research. Further, more than half of respondents (53 percent) say their organization experienced a data breach or other access-related security incident within the past three years.

The following are reasons new solutions and governance processes are needed to decrease the risk of privileged user abuse.

  • Even if an employee or contractor has appropriate access to high-value information assets, they put their organizations at risk by accessing sensitive or confidential data without a business need and sometimes share their access credentials with others in the organization.
  • The number of organizations that can’t monitor privileged user activities has increased since last year, and a problem with access governance processes is that they don’t have a unified view of privileged user access across the enterprise.
  • According to respondents, a lack of resources, in-house expertise and in-house technologies are challenges to improving the efficiency and security of their access governance processes. Specifically, organizations cannot keep pace with the number of access change requests or reduce the burdensome process for business users requesting access. Respondents also cite the lack of a consistent approval process for access and a way to handle exceptions as significant problems.
  • The increasing number of regulations is also contributing to the difficulty in managing access governance. It is also affected by the adoption of virtualization technologies or DevOps tooling.
  • Too much reliance on manual processes for granting privileged user access and for reviewing and certifying privileged user access hinders the ability to meet growing requests for access changes.
  • To identify insider threats, organizations continue to rely upon monitoring and reviewing log files and using non-PAM security technologies. Fewer organizations are deploying PAM tooling capabilities like session monitoring, performing endpoint monitoring and using big data analytics.

“The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization’s business objectives as well as its security,” said Tapan Shah, managing director at Sila. “Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk.”

Part 2. Key Findings

Following is an analysis of the key findings. To understand trends in organizations’ abilities to manage privileged user access, whenever possible we compare the findings from 2011, 2014 and 2016 to this year’s research. The complete audited findings are presented in the Appendix of this report.

We have organized the findings according to the following topics:

  • Why privileged user abuse is increasing
  • The security risks created by not keeping up with the delivery and review of access rights
  • New approaches to managing access, including collaboration between IT and lines of business, are needed

Why privileged user abuse is increasing

According to 81 percent of respondents, privileged access rights are required to complete their current job assignments. However, 19 percent of respondents say they do not need privileged access to do their jobs but have it anyway. The two primary reasons are that everyone at his or her level has privileged access even if it is not required to perform a job assignment (46 percent of respondents) and that the organization failed to revoke these rights when they changed their role and no longer needed access privileges (30 percent of respondents). Since 2011, more respondents report that their organization assigned privileged access rights for no apparent reason, from 15% in 2011 to 20% now.

Even if access rights are appropriate, privileged user abuse is prevalent. Some 70 percent of respondents say it is very likely or likely that privileged users access sensitive or confidential data without a business need, for example out of curiosity. Sixty-two percent of respondents say privileged access rights go beyond the individual’s role and responsibility, which indicates the difficulty organizations have in keeping up with access change requests and reviews of access rights. Many respondents (41 percent) say privileged users are sharing their access credentials with others in the organization.
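The two governance failures the findings above and the earlier bullet list describe (privileges kept after a role change or granted with no recorded reason, and credentials shared between people) are exactly what an automated access certification and a simple log review can surface. The following script is an added example and is not code from the Ponemon report or from Sila; the role catalog, grant records, ticket identifiers and session log entries are all constructed for the illustration, and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Hypothetical role catalog: the privileged entitlements each job role
# legitimately needs. Constructed for this example; in practice it comes
# from the access governance system or HR role definitions.
ROLE_ENTITLEMENTS = {
    "dba": {"db:admin"},
    "sysadmin": {"os:root", "vpn:admin"},
    "analyst": set(),          # analysts need no privileged entitlement
    "developer": {"repo:write"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_on: date
    justification: str   # change ticket id, or "" if nothing was recorded


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def review_grants(grants, current_roles, review_date, max_age_days=365):
    """Access certification: return a Finding for every grant a reviewer
    should question. current_roles maps user -> current job role; a user
    missing from it has no role on record (for example, a leaver)."""
    findings = []
    for g in grants:
        role = current_roles.get(g.user)
        if role is None:
            findings.append(Finding(g.user, g.entitlement, "no current role on record"))
        elif g.entitlement not in ROLE_ENTITLEMENTS.get(role, set()):
            # The role changed (or was never entitled) but the grant survived.
            findings.append(Finding(g.user, g.entitlement, f"not required by role '{role}'"))
        if not g.justification:
            findings.append(Finding(g.user, g.entitlement, "no recorded justification"))
        elif (review_date - g.granted_on).days > max_age_days:
            findings.append(Finding(g.user, g.entitlement, "not recertified within window"))
    return findings


def concurrent_privileged_sessions(events, window_minutes=10):
    """Log review: flag accounts that open privileged sessions from two
    different hosts within the window. That pattern is one observable sign
    of a credential being used by more than one person. Returns sorted user names."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= timedelta(minutes=window_minutes):
                flagged.add(user)
    return sorted(flagged)


# Constructed sample data (not from the report).
SAMPLE_GRANTS = [
    Grant("alice", "db:admin", date(2019, 3, 1), "CHG-1042"),
    Grant("bob", "os:root", date(2017, 6, 15), "CHG-0880"),    # bob moved to analyst; root never revoked
    Grant("carol", "vpn:admin", date(2019, 1, 10), ""),        # granted with no ticket
    Grant("dave", "repo:write", date(2019, 5, 2), "CHG-1100"), # dave has left; no role on record
]
CURRENT_ROLES = {"alice": "dba", "bob": "analyst", "carol": "sysadmin"}
REVIEW_DATE = date(2019, 8, 1)

SAMPLE_SESSIONS = [
    {"user": "bob", "host": "ws-12", "ts": datetime(2019, 8, 1, 9, 0)},
    {"user": "bob", "host": "ws-47", "ts": datetime(2019, 8, 1, 9, 4)},   # second host 4 min later
    {"user": "alice", "host": "ws-03", "ts": datetime(2019, 8, 1, 9, 0)},
    {"user": "alice", "host": "ws-03", "ts": datetime(2019, 8, 1, 9, 30)},
    {"user": "carol", "host": "ws-20", "ts": datetime(2019, 8, 1, 8, 0)},
    {"user": "carol", "host": "ws-21", "ts": datetime(2019, 8, 1, 12, 0)}, # hours apart: not flagged
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, CURRENT_ROLES, REVIEW_DATE):
        print(f"{f.user:6} {f.entitlement:11} {f.reason}")
    print("possible shared credentials:", concurrent_privileged_sessions(SAMPLE_SESSIONS))
```

Run against the sample data, the certification flags bob's root access twice (his current role does not require it, and it has not been recertified in over a year), carol's unjustified VPN admin grant, and dave's grant with no role on record, while the session check flags only bob. The point of keeping the role catalog explicit is that the review then asks the question the report says leaders should ask: why this person has this access, not merely whether someone approved it once.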

To continue reading this report, visit Sila’s website.


The Gretchen Rubin interview on tech and happiness

Bob Sullivan

Is tech hacking your happiness?  And can you reverse that — can tech help make you happier?

This month we began the second season of the So, Bob podcast, hosted by me and Alia Tavakolian, and these are the questions Alia and I explore with Gretchen Rubin, author of The Happiness Project and numerous other best sellers.

Our interview with her was so powerful that we made it the first episode of this new So, Bob season, and it takes up the entire podcast.

I love podcasting because there’s time to dig deep into issues — much deeper than I can in a blog post that you’ll scan for a minute or two. And the question of tech and happiness is a big topic.

We focused on the key concept of another Gretchen book, The Four Tendencies, her schema that people generally fall into one of four categories: upholder, questioner, rebel, or obliger. What are these groups? I think they are pretty self-evident, but you can take a quiz and learn more about them at Gretchen’s site.

I wanted Gretchen to talk with us about how gadgets, and particularly smartphones, impact our happiness. We moved into the different ways people from each category react to tech. Do obligers feel obliged to answer every email in a way rebels do not? (Yes). And so on.

I must say I was pretty stunned at the conclusion Gretchen came to. You are best off listening to the podcast and letting Gretchen explain in her own words. But if you want something to read/scan, here’s part of our conversation:

BOB: Into this Schema you have… ..drop a smartphone…that tings at you with a thousand times a day. 

G: Yes.

B: How do each of these characters react to that? 

G: Okay. So I think I’m very typical as an upholder, which is like, it’s very easy for me to turn it off.

G: It’s very easy for me to ignore it. If I’m like, I need to focus, I can’t look at my phone. That feels like something that I can ignore because my inner expectation, uh, is that I need to, I need to read, I need to, you know, uh, go for a walk, I need to, you know, whatever it is, I, so it’s easy for me to ignore it. And I remember talking, but it’s also a question, and this is true for all the tendencies, is people have different values and they have different kinds of belief systems. And that comes into play. So I was talking to a, actually a guy, uh, military guy who was an upholder and he was saying, oh, well, one of the reasons why I find, this was like three or four years ago, one of the reasons I find Facebook so burdensome is I have to like everything that everybody posts.

G: And I was like, no, you don’t. And like he had decided that was the rule. And so he felt an extreme like, like that he needed to meet that expectation for himself was I was just like, man, I don’t, I don’t feel that expectation. So part of it is that people have different ideas. Some people are like, you can’t leave dishes in the sink overnight. I’m like, you can totally leave dishes in the sink overnight. So I would meet the inner expectation if I had it but I just don’t have it, which is how you can get slacker upholders. It’s not upholders are type A, they can be slackers, they can meet their sta… they can meet every expectation for themselves, but they just have very low expectations. So.

A: Wow, I didn’t think about that. Okay. 

G: So questioners, questioners probably have an, they have an easier time with something like this cause it’s all about efficiency.

Does this work for me? Like, and they tend to like to customize things and hack things. So I would anticipate that many questioners would find it pretty easy to find ways to do workarounds. However questioners also are very drawn to data and research and information. And it might be that, and they can get analysis paralysis, which is where they want more and more information. And so for some questioners, something like the Internet is more of a burden where like if I’m gonna buy a tent, I want to do more and more and more research. So it’s sort of like the endless, the endless supply of information is very burdensome to them. But if they were like, I need to shut off the phone from 6:00 to 9:00 PM so I can spend quality time with my family, that probably wouldn’t be that hard for a questioner because they understand why they’re doing it.

And they do love to customize typically. They like to make things right for them. And so something like, I’m gonna change my notifications. That would make a lot of sense to a questioner. It’s like, just because notifications work for you, I don’t know that they’re going to work for me. Obligers, this is hard because if they feel like everyone’s clamoring for their attention, they’re going to find it very painful to ignore that because it’s like someone texted me, I have to text back. Somebody emailed me, I need to read that email right away. Somebody calling me, I have to pick up. Someone’s expecting me to like their Instagram post. I need to like it. Like these things add up.

A: I don’t know what you’re talking about. 

G: Yeah, yeah, yeah. But so here’s something that obligers can do. There’s many ways to create outer accountability. One of the quick things that obligers can always do is to remember if you say yes to someone, you have to say no to someone else. And so you could say, look, people are, you know, I’m getting all these texts and emails from the office between six and nine, but my family and I, we have talked about how it’s important for us to have quality time and therefore to say yes to my family, I’m going to say no to the office or like, you know, um, and so because part of the time obligers feel like I have to say yes, but it’s like no, you have to say no too, who do you say no to?

And a lot of times when they formulate it that way, it’s easier for them to make choices. But when the thing about tech is it feels, it feels kind of like, oh, you could just do this in 10 seconds. Why wouldn’t you just do this right now? Why wouldn’t you just do this right now? And like 10 seconds becomes five hours. We’ve all experienced that.

A: It’s deceptive. 

G: Yeah. And then for… rebels can do whatever they want to do. So like they want to do it, they’ll do it. They don’t want to do it, they don’t want to do it. It’s like, what do you want? And so if a rebel wants to change because often they get frustrated because they want to change something. But the minute they tried to make a rule from themselves, they want to break it. So in, a rebel would not do well doing something like from six to nine, I’m not going to be on my, on my phone because that’s scheduling that makes them feel trapped.

So what works for rebels is identity. What kind of person am I? How do I want to be in the world? And they are also very, uh, put a very high value on freedom and choice. So I things like I’m not a slave to my phone. I’m not controlled by email. You can’t make me answer your Instagram. I’m free. I need time to reflect. I need time to exercise. I had, I need time to rewatch, you know, Parks and Recreation. And so, you know, it’s just like, if I’m going to be who I am, like I just have to like, you know, put my phone down and walk away from it. Because when they tie it into their identity, it’s much easier for them to do something. Rules don’t work for them, whereas it rule might work really well for an obliger or for a questioner or an upholder.

A: So illuminating.

B: You have just made, um, the last five years of my life make sense. 

G: Oh good! Like, tell me why, tell me why. 

B: You have. Because I write about all of this overwhelmedness and technology, right,

G: Yeah.

B: And I don’t know, I’m gonna make up a number 67, 70% of the time people are like, thank God someone’s finally talking about this. The world is so complicated. I’m so overwhelmed. 

G: Yeah. 

B: But one third of the time ish, people were like, what are you talking about? 

G: Interesting.

B: Um, so I think I’m talking just to one set of people. 

G: Yeah. 

B: I’m talking just to obligers…

A: Wow.

B: I’m not talking to everybody. 

G: Yeah. 

B: Nobody else really seems to have much of a problem with this, whereas this, this one set of people…

G: But see, it’s interesting that you say that because obligers, because obliger is such a big group, people often assume that it’s everyone because, and the way, one of the reasons that I got the insight into the upholder tendency was I was speaking to a journalist and she said, why is it the busy parents like us can ever take time for ourselves?

G: And I said, actually I have no trouble taking time for myself. And she said, actually neither do I. And I’m like, well then why, what is the premise of your article? Because you and I are both busy parents and neither one of us have experienced this. 

A: Yeah.

G: So clearly it’s not a universal thing. So what’s going on there? And that’s when I was like, just because everybody feels something like it’s always you have to say, do I feel this? Now I think sometimes people conflate it. Like feeling overwhelmed by email is a shorthand for saying, I’m overwhelmed by all the tasks that people at work want me to do. It doesn’t matter if it’s email, like Instagram is an internet only problem. Tasks that being pestered at work for people who want you to do things and want your attention and what, yeah, that’s just inherent in work. And like it’ll just take whatever form it takes. It’s like that’s, that’s really a work problem. But then there are some things about being overwhelmed by technology that are truly created or so dramatically amplified that they’re changed by technology. Yeah.

Keeping Pace in the GDPR Race: A Global View of GDPR Progress in the United States, Europe, China and Japan

Larry Ponemon

This is the follow-up study to last year’s research, The Race to GDPR. In this year’s study, we expanded the research, for the first time, to include China and Japan in addition to the United States and Europe. A total of 1,263 organizations are represented in this study.

The uniquely demanding European Union (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, virtually transforming how organizations in every industry handle personal data. This study reflects practical difficulties and regional differences in levels of adherence to GDPR across Europe, the US, China and Japan.

Sponsored by law firm McDermott, Will and Emery LLP and our strategic alliance MWE China Law Offices, this follow-up research tackles the ongoing challenges in the wake of GDPR and the practical difficulties organizations face despite their dedication to implementing the new requirements. Participants in this study work in a variety of departments including IT, IT security, compliance, legal, data protection office and privacy. All organizations represented in this research are subject to GDPR.

Executive Summary: GDPR Progress and Data Breach Management

GDPR work is ongoing as most organizations did not meet the May 25, 2018 deadline. Many organizations are renewing their GDPR budgets accordingly. Most organizations represented in this research report that GDPR took longer than they had anticipated (54 percent of respondents) and that it was equally or more difficult to implement than other data privacy and security requirements (80 percent of respondents). Most organizations have a GDPR budget (72 percent of respondents). About a third of these respondents say the budget will be renewed annually (35 percent of respondents) or continue indefinitely (24 percent of respondents).

About half of the respondents say their organizations had GDPR data breaches that must be reported to regulators. Forty-six percent of respondents say their organizations had an average of approximately two reportable data breaches since GDPR came into effect and about one in six received a follow-up inquiry or inspection from the Regulator. Thirty-nine percent of respondents in US organizations and 45 percent of respondents in European organizations say they reported a personal data breach to a Regulator.

Data breach reporting under GDPR continues to be a major challenge across the board for almost all organizations, regardless of region. Only 18 percent of respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours. This suggests that early breach awareness and identification, even on a preliminary basis, continues to be a major difficulty with more help needed.

More US organizations reported GDPR cyberattacks than other regions. Respondents in US organizations say they experienced more cyberattacks (45 percent) under GDPR than respondents in European (34 percent), Japanese (38 percent) and Chinese organizations (31 percent).

More US organizations than European and Chinese organizations engaged an external cybersecurity service to investigate GDPR security incidents. The use of outside forensic vendors to investigate cyberattacks is higher in the US (44 percent of respondents) than in European (40 percent of respondents) and Chinese (25 percent of respondents) organizations. Surprisingly, 47 percent of Japanese respondents used forensic vendors, which is more than US organizations. Greater use of external forensic organizations likely identifies cyberattacks earlier and more accurately than the use of internal IT resources alone. As Europe and China catch up with the US experience of data breach management, we would expect the reported percentage of GDPR data breaches due to cyberattacks and the use of outside forensic firms to increase.

Many respondents from the US, Europe and Japan engaged external cybersecurity services. Forty-seven percent of Japanese respondents and 44 percent of US respondents say their organizations used an external cybersecurity service provider to investigate GDPR data breaches or cyberattacks. Forty percent of EU and 25 percent of Chinese respondents say their organizations engaged such a service. Of these respondents, 65 percent of US, 56 percent of European and 55 percent of Japanese respondents say the work was conducted under litigation or attorney-client privilege.

Cyber risk insurance was obtained by approximately a third of the organizations, and of those, less than half say that their insurance covers GDPR fines or penalties. Approximately a third of respondents report that their organizations have insurance that covers cyber risks, and 43 percent of those respondents say their cyber insurance policy covers GDPR fines or penalties. The types of incidents most often covered by cyber insurance policies are external attacks by a cyber criminal (62 percent of respondents), human error, mistakes and negligence (41 percent of respondents), and malicious or criminal insiders (38 percent of respondents). However, 10 percent of respondents do not know what their cyber risk insurance policy covers.

A surprisingly high percentage of respondents say their organizations appointed a Data Protection Officer (DPO) under the GDPR, and about half of the non-European respondents say they appointed an EU Representative. These high numbers are surprising because there are notably strict criteria for appointing DPOs and EU Representatives. These findings, however, may also include voluntary appointments for these positions.

United States and European Findings

More than half of respondents in US organizations apply GDPR data subject rights to both US and European employees. Fifty-seven percent of these respondents say their organizations do so because they want to take a global approach, while about half of these respondents (49 percent) believe it is required by the GDPR.

More US respondents than European respondents say compliance with GDPR will assist in their compliance with the California Consumer Privacy Act (CCPA). Forty-six percent of US respondents say compliance with GDPR has helped define the strategy and overall approach to their compliance with the forthcoming California Consumer Privacy Act (CCPA) and other US state privacy laws, while 30 percent of European respondents say this is the case. Forty-three percent of US respondents and 33 percent of European respondents say compliance with the CCPA and other US state privacy laws will cause their organizations to re-evaluate their compliance position under the GDPR.

China Findings

China has the lowest level of compliance with GDPR. Only 29 percent of the Chinese respondents say their organizations are fully compliant with the GDPR, more than 10 percent lower than what respondents in US and European organizations are reporting. Fifty percent of Chinese respondents say GDPR is as difficult to implement as other data privacy and security requirements.

Chinese respondents use internal resources to respond to data breaches, rather than external ones. Only 25 percent of Chinese respondents use external cybersecurity services to investigate data breaches, which is significantly less than other countries.

Chinese respondents’ means of compliance under the GDPR lags behind US and European respondents. Fewer Chinese respondents take measures in several key areas to maintain GDPR compliance compared to US and European respondents, including localization, document retention and creating a data map showing data flow and process. Only 2 percent of Chinese respondents have evaluated their relationships with third-party vendors, in contrast to the 45 percent of respondents in US organizations and 30 percent of respondents in European and Japanese organizations. This is likely due to differences in data transfer rules and China’s data security laws.

Unlike US and European respondents, fewer Chinese respondents report that their organizations have purchased cybersecurity insurance. Only one in five Chinese respondents (19 percent) report that their organizations have insurance covering cyber risks. Fifteen percent of these respondents are not sure what types of incidents their cyber insurance policies cover, which is higher than the percentages from the other jurisdictions.

Japan Findings

Most respondents say their organizations have not achieved full compliance with GDPR. Only 32 percent of Japanese respondents say their organizations have achieved full compliance with GDPR. Forty-one percent of Japanese respondents say the GDPR is as difficult to implement as other data privacy and security requirements (e.g., Japanese Data Protection Legislation or China’s cybersecurity law).

Japanese respondents adopt measures to prevent and respond to data breaches—but they are not as regular with assessments. Forty-seven percent of Japanese respondents say they use external cybersecurity services to investigate data breaches, which, as noted, is more than what respondents in US and European organizations report. Less than half of Japanese respondents (43 percent) regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing. In contrast, 65 percent of respondents in China and 54 percent of respondents in European organizations take such security actions.

Japanese respondents’ awareness in complying with the GDPR also lags behind US and European respondents. Fewer Japanese respondents say their organizations take measures in several key areas to maintain compliance compared to what respondents in the US and Europe report. These actions include introducing or updating document requirements (39 percent of respondents), creating a data inventory (46 percent of respondents) and investing in new technologies or services (39 percent of respondents), but this is less than reported for US, European and Chinese organizations.

Read the complete findings at the McDermott, Will and Emery website.

Texas cities unplug from Net after widespread ransomware attack

City of Denison press release

Bob Sullivan

Maybe you’re bored of reading about ransomware attacks, but plenty of local government agencies wish they were so bored. Organized bands of cybercriminals keep pounding away at smaller government IT systems with great success. In the latest attack (that we know about), more than 20 agencies across Texas were hit last week, requiring an all-hands-on-deck response from state authorities. And in an important new-ish development, the attack negatively impacted an even wider set of agencies and citizens — as some leaders chose to disconnect systems pre-emptively.

“The evidence gathered indicates the attacks came from one single threat actor,” said the Texas Department of Information Resources in a statement. “Responders are actively working with these entities to bring their systems back online.”

The situation was dire enough that Texas Gov. Greg Abbott ordered a “Level 2 Escalated Response” to the attacks, one step below the Texas Division of Emergency Management’s highest level of alert, according to

It was also dire enough that other local governments are unplugging systems from the Internet even if they are not infected by the attack. Denison, Texas, warned residents that city employees will have “little to no access to email during the outage” in a release published on its website. The city also cannot accept certain kinds of payments.

“Out of an abundance of caution, the City of Denison has disconnected its information systems from the internet,” the release said. “While the City of Denison has not been directly affected by the attack, precautionary measures are being taken to maintain the integrity of the city’s information

Grayson County also unplugged, according to 

“We cannot email you, receive e-filings, issue birth, death or marriage records, or receive web-based inquiries,” Emergency Management Director Sarah Somers told the TV station.

It’s probably wise for small agencies to disconnect during such incidents; it’s hard to imagine they can all afford top-notch information security professionals to fight back when there’s already a large shortage. But the response shows that ransomware attacks are really taking a toll on smaller agencies, and their impact is being felt far beyond the institutions that are actually being forced to pay up.

This also suggests that citizens should keep fastidious records when dealing with any government agency, and don’t let bills wait until the last minute — lest your water provider or parking ticket agency be unable to process your electronic payment by the due date.

Two-thirds of security workers consider quitting because of burnout

Larry Ponemon

Security Operations Centers (SOC) are an increasingly important part of organizations’ efforts to keep ahead of the latest cybersecurity threats. However, for a variety of reasons revealed in this research, organizations are frustrated with their SOC’s lack of effectiveness in detecting attacks.

A SOC is defined as a team of expert individuals and the facility in which they work to prevent, detect, analyze and respond to cybersecurity incidents. Critical to the SOC’s success is support from the organization’s senior leaders, investment in technologies, and the ability to hire and retain a highly skilled and motivated team. The purpose of this research is to understand the barriers and challenges to having an effective SOC and what steps can be taken to improve its performance.

Sponsored by Devo Technology, Ponemon Institute surveyed 554 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about cybersecurity practices in their organizations. Their primary tasks are implementing technologies, patching vulnerabilities, investigating threats and assessing risks.

While respondents consider the SOC as essential or important, most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness.

“The survey findings clearly highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout and overall SOC ineffectiveness,” said Julian Waits, General Manager of Cyber, Devo. “It is critical that businesses make the SOC a priority and evolve its effectiveness by empowering analysts to focus on high-impact threats and improving the speed and accuracy of triage, investigation, and response.”

The following findings reveal why organizations have SOC frustration:

  • The visibility problem: The top barrier to SOC success, according to 65 percent of respondents, is the lack of visibility into the IT security infrastructure and the top reason for SOC ineffectiveness, according to 69 percent, is lack of visibility into network traffic.
  • The threat hunting problem: Threat hunting teams have a difficult time identifying threats because they have too many IOCs to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives.
  • The interoperability problem: SOCs do not have high interoperability with the organization’s security intelligence tools. Other challenges are the inability to have incident response services that can be deployed quickly and include attack mitigation and forensic investigation services.
  • The alignment problem: SOCs are not aligned or only partially aligned with business needs, which makes it difficult to gain senior leadership’s support and commitment to providing adequate funding for investments in technologies and staffing. Further, the SOC budget is inadequate to support the necessary staffing, resources, and investment in technologies. On average, less than one-third of the IT security budget is used to fund the SOC and only four percent of respondents say more than 50 percent of the cybersecurity budget will be allocated to the SOC.
  • The problem of SOC analyst pain: IT security personnel say working in the SOC is painful because of an increasing workload and being on call 24/7/365. The lack of visibility into the network and IT infrastructure and current threat hunting processes also contribute to the stress of working in the SOC. As a result, 65 percent say these pain factors would have caused them to consider changing careers or leaving their job, and many respondents say their organizations are losing experienced security analysts to other careers or companies.
  • As a result of these problems, the mean time to resolution (MTTR) can be months. Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years.

Read the rest of this report at Devo Technologies.

Has tech killed attention? Why listening with your whole body helps, with Annie Murphy Paul

Bob Sullivan

One of my favorite subjects is the problem of shortened attention spans and the fallacy of multitasking in the digital age.  Tech competes for our eyes and ears perhaps thousands of times each day.  The average worker only gets a few moments to focus on something without being interrupted.  Even lovers look at smartphones during intimate conversations.

This is not a world I want to live in, and I bet you don’t, either.  With rare exceptions, multitasking isn’t multitasking at all — rather, it’s rapid task switching. Plenty of studies show (including my own research conducted with Carnegie Mellon University) that people who are doing two things at once simply underperform at both tasks.

Into this complex subject steps Annie Murphy Paul, one of the great science writers of our time. We were lucky to have Annie on our latest episode of “So, Bob…” She’s done extensive research into the science of being smart, and if you listen to her, I believe you will actually feel smarter. You will definitely feel that she is both a great speaker and a great listener.  In case you can’t listen at this moment, I’ve included a couple of highlights below — but when you can, please listen to the podcast. As long as I’m not interrupting something.

On listening with your whole self

“One thing that we get away from in the use of technology is the body,” Annie told me. “We become this disembodied head that you know, is just looking at a screen. And so I find that when I talk to someone that I’m close to or, even when I interview someone I try to be in my own body and aware of the feelings and the sensations that are coming up in me as I talk to that other person and I try to assume a state of being both calm and alert and being open to whatever I’m feeling from the other person. And that’s the basis of, of empathy, when you are using your own body as an instrument to understand the other person.”

On the myth of multitasking

“Looking at several streams of information or entertainment while students are studying is, seems almost universal. My own children’s elementary school classes do it and I know that the students, the college students that I’ve taught do it and they all think they can do it well, and that’s the rub because we don’t have a very good sense of our own proficiency at paying attention and we may not be aware, but it is the case that when we’re trying to pay attention to many things at once, we work more slowly, we, we make more errors and we don’t perform at the same level that we would if we were paying attention to just one thing. So I think in terms of what teachers and parents and others who are concerned about kids should be thinking about it’s, it’s instilling in them the habit of mono tasking of just doing one thing at a time.”

On taking ‘tech breaks’ – giving kids set times to check their phones, then put them away

The idea is to have an expanding length of time between tech breaks. So it might be 15 minutes at the start and then half an hour and then 45 minutes. And, the idea behind it is first of all, to break the habit of checking every 30 seconds or every minute and sort of lengthen that amount of time that kids are able to go without checking or even thinking of checking.

On why books are better

The fact that paper books have no notifications and no dings and beeps or anything, it’s actually makes it a superior form of equipment. And I think that that was something humans got right a long time ago.


The State of Web Application Firewalls

Larry Ponemon

Web application firewalls (WAFs) are essential to securing web-based applications and, as shown in this research sponsored by Cequence Security, are a necessary or critical piece of an organization’s security arsenal and infrastructure. Unlike traditional firewalls, WAFs analyze traffic and make decisions based on a set of predefined business rules. Traditional firewalls base their decision to allow or block traffic on simple parameters such as IP address or port number. WAFs mostly base their decision on an in-depth analysis of the HTML data.

Ponemon Institute surveyed 595 IT and IT security practitioners who are responsible for the deployment of a WAF in their organizations. Fifty-three percent of respondents are either responsible for application security (30 percent) or are application owners (23 percent).

The research clearly reveals WAF dissatisfaction in three areas. First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.

Attacks on the application layer are bypassing organizations’ WAFs. Sixty-five percent of respondents say attacks on the application tier are bypassing the WAF frequently or sometimes.

As a result, most organizations represented in this survey do not think their WAFs are effective in securing their web-based applications and are not satisfied with them.

When asked to rate satisfaction with their organization’s WAF on a scale of 1 = not satisfied to 10 = very satisfied, only 40 percent are very satisfied (7+ responses), largely because only 43 percent of respondents say their WAF is very effective (7+ responses on the 10-point scale).

Part 2. Key findings

In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following themes:

  • The difficulty in protecting Web, mobile and API apps
  • The challenge of WAF deployment and management
  • Features that improve the WAF’s effectiveness

The difficulty in protecting Web, mobile and API apps

Organizations prioritize the protection of Web and mobile applications. Organizations represented in this research protect an average of 158 Web, mobile and API apps. The primary focus of application security is on Web (67 percent of respondents) and mobile (58 percent of respondents) applications. Thirty-seven percent of respondents say their organizations are protecting API services.

Organizations are more effective at protecting mobile applications. When asked to rate their organization’s effectiveness in protecting mobile applications and API services, 54 percent of respondents say they are very effective in protecting mobile apps versus only 38 percent of respondents who say their effectiveness in protecting API services is very high.

Mobile client applications are most likely to interact with organizational applications. Some 55 percent of respondents say mobile apps interact with their organizations’ applications followed by partners using APIs (36 percent of respondents).

Attacks are bypassing the WAF. In the past 12 months, 65 percent of respondents say attacks on their organizations’ application tiers have bypassed the WAF frequently (23 percent) or sometimes (42 percent).

The challenge of WAF deployment and management

Security is the primary reason to invest in a WAF. Organizations are spending an average of $419,100 on WAF products and/or services and an additional average of $200,500 for staff to manage WAF-related security issues. Organizations typically have 2.5 full-time employees to manage the WAF. On average, the staff spends 45 hours per week responding to alerts and 16 hours per week creating and/or updating rulesets.

The top three reasons to invest in a WAF are the protection of the IT infrastructure (60 percent of respondents), prevention of attacks (56 percent of respondents) and the protection of data (54 percent of respondents).

Most WAFs are used only for attack detection. Only 22 percent of WAFs deployed in the organizations represented in this study both detect and block attacks.
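To make the two distinctions in this section concrete (a packet filter that sees only address and port versus a WAF that applies predefined rules to the HTTP request, and a WAF that only alerts versus one that also blocks), here is an added illustration. It is not code from Cequence Security or Ponemon Institute; the rule set, request contents and IP addresses are constructed samples, and a real rule set is far larger than these three signatures.

```python
"""Rule-based HTTP request inspection, detect-only vs. detect-and-block.

Added illustration for this post; not Cequence or Ponemon code. Rules,
requests and addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpRequest:
    src_ip: str
    dst_port: int
    method: str
    path: str
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    fields: Tuple[str, ...] = ("path", "body")   # request parts inspected


# Hypothetical rule set: three signatures of the kind a WAF carries by the thousand.
RULES: List[Rule] = [
    Rule("R001", "quoted boolean tautology in a parameter",
         re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    Rule("R002", "directory traversal sequence",
         re.compile(r"(\.\./|%2e%2e/)", re.IGNORECASE)),
    Rule("R003", "inline script tag",
         re.compile(r"<\s*script\b", re.IGNORECASE)),
]


def packet_filter_allows(req: HttpRequest, allowed_ports=(80, 443)) -> bool:
    """Traditional firewall decision: only the port (and address) is consulted,
    so a hostile request arriving on an allowed port passes untouched."""
    return req.dst_port in allowed_ports


def inspect(req: HttpRequest, rules: List[Rule] = RULES) -> List[str]:
    """Return the ids of every rule whose pattern matches one of the
    request fields that rule inspects."""
    hits = []
    for rule in rules:
        if any(rule.pattern.search(getattr(req, f)) for f in rule.fields):
            hits.append(rule.rule_id)
    return hits


def waf_decision(req: HttpRequest, block_mode: bool) -> Tuple[str, List[str]]:
    """Detect-only mode raises an alert but lets the request through;
    detect-and-block mode stops it. Returns (action, matched_rule_ids)."""
    hits = inspect(req)
    if not hits:
        return "allow", hits
    return ("block" if block_mode else "alert"), hits


if __name__ == "__main__":
    benign = HttpRequest("198.51.100.7", 443, "POST", "/login", "name=O'Brien&pw=x")
    hostile = HttpRequest("198.51.100.9", 443, "POST", "/login", "name=x' or 1=1&pw=x")
    for req in (benign, hostile):
        print(req.body, "| packet filter:", packet_filter_allows(req),
              "| detect-only:", waf_decision(req, block_mode=False),
              "| blocking:", waf_decision(req, block_mode=True))
```

The benign request carries a legitimate apostrophe and is allowed by every rule, which is the false-positive case the survey's respondents spend 45 hours a week on; the hostile one passes the port-based filter unchanged, is merely logged by a detect-only WAF, and is stopped only when the WAF is switched to blocking mode.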

Currently, most WAFs are either an on-premises hardware appliance or managed appliance. About one third of respondents say their WAF is an on-premises hardware appliance and 21 percent of respondents say this is the ideal deployment. Twenty percent of respondents say an on-premises virtual appliance is ideal and 18 percent of respondents say a cloud-based WAF is ideal.

Read the rest of this study at the Cequence website.



Is work killing you? Should we blame our tech, ourselves, or our culture? A So, Bob podcast

Bob Sullivan

“Working too hard can give you a heart attack-ack-ack-ack-ack-ack. You oughta know by now.”

Summer is well under way, and if you haven’t planned your vacation yet, you aren’t alone.  Americans are terrible at taking vacations, terrible at relaxing — terrible at shutting down and rebooting. I think I know why, and I bet you do, too.

Always-on gadgets mean always-on employees, and this is driving many of us mad.  Five years ago, I began a series of stories called The Restless Project to examine all the ways Americans are struggling with constant pressure from tech, and from a broken economy.

People are working themselves sick, even dying at the office.  I thought I might write a book about overwork: But then good friend Annie Murphy Paul (more from her soon!) introduced me to then-Washington Post reporter Brigid Schulte, and I learned she had already written that book. It’s called Overwhelmed: Work, Love, and Play When No One Has The Time.

Instead of a book, I’ve now made a podcast about this subject, with Alia Tavakolian and Spoke Media. Click play below or listen on iTunes, on Stitcher, or wherever you get your podcasts.

Maybe this is nothing new. When Billy Joel sang about working too hard in 1977, he wasn’t singing about smartphones.  OTOH, tech and all its trappings make keeping up with life harder and harder with each passing email. New gadgets and new communications tools (Snapchat! Messenger! Instagram DMs!) continuously add to our pile of things to check on.

Brigid is one of the first guests in our So, Bob series, and we talked about the intersection of technology and overwork (Spoiler: She doesn’t blame tech nearly as much as I do!).  She is fascinating. Here’s a taste of our discussion.

(Brigid now works for New America and is director of the Better Life Lab.)

BRIGID: There’s a fascinating phenomenon that, that behavioral scientists have found, they call it tunneling.…you kind of have this tunnel vision and then what you’re only able to do is focus on just the few things right in front of you. You’re not able to stop and ask yourself bigger questions. You’re not able to see the bigger picture. You can’t get out of the tunnel and ask yourself that question, do I even want to be in this tunnel?

BOB: …So for you now, it’s almost like a sensation. You’re like, oh my God, I’m going in the tunnel.

BRIGID: Yeah, I can feel it closing in. Yeah. You know, and I, it was somebody else once said because we have this crazy, achievement culture and it’s all about productivity and all of these tips and tricks and life hacks and tech. It’s all supposed to, you know, they, on the one hand we say it’s to make our life easier, but let’s face it in this kind of busy-ness as a badge of honor culture, it’s about cramming more crap into your day and then somehow feeling awesome about just how insanely busy you were and somehow you will manage to end the day standing up.


BRIGID: I would talk to these researchers, this one woman who studies busy-ness and the fast pace of life in North Dakota of all places. And she’s come to the conclusion that busy-ness we’ve made it such a badge of honor that it’s a choice, but she also calls it a non choice choice because you feel like you can’t make any other choice if you want to fit in or if you want to have status. And so, um, I do try to pull out of that like what a sick way to get status. You know, by like making ourselves, you know, ill and unhealthy and not making time for things that you enjoy, that there’s something to be, you know, to be proud about that you have work life conflict or never go on vacation or don’t sleep well. That’s crazy. I do feel like, uh, jobs have become incredibly complicated. I do feel like technology as a part of that. Um, and I think that we haven’t figured out how to manage that well as human beings. And, and so those are things that can be challenging that uh, figuring out how much is enough when you are a knowledge worker and there isn’t a whistle that goes off at the end of the day, you don’t have any visual markers. Like I’ve, you know, created my pile of widgets and I can check the box. It’s very difficult to figure out when you’re done and when is it good enough. Um, so that’s really a challenge of modern work. And I don’t think we have good answers and I’m here to say I’m trying to figure it out myself.

DDoS attacks are relentless, and 5G will only make things worse

Larry Ponemon

The State of DDoS Attacks against Communication Service Providers, sponsored by A10 Networks, specifically studies the threats to Internet Service Providers (ISPs), Mobile and/or Cloud Service Providers (CSPs). Ponemon Institute surveyed 325 IT and IT security practitioners in the United States who work in communication service provider companies and are familiar with their defenses against DDoS. (Click here to access the full report at A10 Networks)

According to the research, communication service providers (CSPs) are increasingly vulnerable to DDoS attacks. In fact, 85 percent of respondents say DDoS attacks against their organizations are either increasing or continuing at the same relentless pace and 71 percent of respondents say they are not or only somewhat capable of launching measures to moderate the impact of DDoS attacks. The increase in IoT devices due to the advent of 5G will also increase the risk to CSPs.

Respondents were asked to estimate the number of DDoS attacks their organizations experienced in the past year from a range of 1 to more than 10. On average, CSPs experience 4 DDoS attacks per year. Based on the findings, the most common DDoS attacks target the network protocol, flood the network with traffic to starve out the legitimate requests and render the service unavailable. As a result, these companies will face such serious consequences as diminished end user and IT staff productivity, revenue losses and customer turnover.

The most serious barriers to mitigating DDoS attacks are the lack of actionable threat intelligence, the lack of in-house expertise and technologies. As a result of these challenges, confidence in the ability to detect and prevent DDoS attacks is low. Only 34 percent of respondents say their organizations are very effective or effective in preventing the impact of the attack and only 39 percent of respondents say they are effective in detecting these attacks.

Following are the most salient findings from the research.

The most dangerous DDoS attackers are motivated by money. The DDoS attacker who uses extortion for financial gain represents the greatest cybersecurity risk to companies, according to 48 percent of respondents. These criminals make money offering their services to attack designated targets or by demanding a ransom for not launching DDoS attacks. Forty percent of respondents fear the attacker who executes a DDoS attack to distract the company from another attack. Only 25 percent of respondents say a thrill seeker and 21 percent of respondents say an angry attacker pose the greatest cybersecurity risk.

Attacks targeting the network layer or volumetric floods are the most common attacks experienced. The most common types of DDoS attacks are network protocol level attacks (60 percent of respondents) and volumetric floods (56 percent of respondents). In a volumetric flood, the attacker can simply flood the network with traffic to starve out the legitimate requests to the DNS or web server.
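The volumetric flood described above is also the easiest DDoS type to spot from the traffic itself, which bears on the later finding that respondents want intelligence about networks and traffic. The following added illustration (not A10 Networks' or Ponemon's code) runs a simple flood detector over constructed NetFlow-style records: it learns a per-destination packets-per-second baseline from the first quiet seconds, then flags any second in which a destination receives a large multiple of that baseline from many distinct sources. The record format, thresholds and addresses are assumptions made for the example.

```python
"""Volumetric flood detection over flow records.

Added illustration for this post, not A10 Networks' or Ponemon's code.
Records are constructed to mimic a NetFlow-style export:
(second, src_ip, dst_ip, dst_port, proto, packets).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int, str, int]


def make_sample_flows() -> List[Flow]:
    """Constructed sample: ten quiet seconds of HTTPS traffic from five
    clients, then five seconds in which 200 sources each push 50 UDP
    packets per second at the same server's DNS port."""
    flows: List[Flow] = []
    for t in range(1000, 1010):
        for i in range(5):
            flows.append((t, f"198.51.100.{i + 1}", "203.0.113.10", 443, "tcp", 20))
    for t in range(1010, 1015):
        for i in range(200):
            flows.append((t, f"192.0.2.{i + 1}", "203.0.113.10", 53, "udp", 50))
    return flows


def aggregate(flows: List[Flow]):
    """Per (second, destination): total packets, distinct sources and the
    packet count per (proto, dst_port) so an alert can name the service hit."""
    packets: Dict[Tuple[int, str], int] = defaultdict(int)
    sources = defaultdict(set)
    by_service = defaultdict(lambda: defaultdict(int))
    for t, src, dst, dport, proto, pkts in flows:
        key = (t, dst)
        packets[key] += pkts
        sources[key].add(src)
        by_service[key][(proto, dport)] += pkts
    return packets, sources, by_service


def detect_floods(flows: List[Flow], baseline_seconds: int = 5, multiplier: int = 10,
                  min_sources: int = 50, floor_pps: int = 1000) -> List[dict]:
    """Flag every second in which a destination receives more than
    max(multiplier * baseline, floor_pps) packets from at least min_sources
    distinct sources. The baseline is the mean pps over the first
    baseline_seconds in which that destination appears; floor_pps stops a
    near-idle baseline from making ordinary bursts look like floods."""
    packets, sources, by_service = aggregate(flows)
    seconds_by_dst = defaultdict(list)
    for (t, dst) in packets:
        seconds_by_dst[dst].append(t)
    alerts = []
    for dst, secs in seconds_by_dst.items():
        secs.sort()
        base_secs = secs[:baseline_seconds]
        baseline = sum(packets[(t, dst)] for t in base_secs) / len(base_secs)
        threshold = max(multiplier * baseline, floor_pps)
        for t in secs:
            pps = packets[(t, dst)]
            nsrc = len(sources[(t, dst)])
            if pps > threshold and nsrc >= min_sources:
                (proto, port), _ = max(by_service[(t, dst)].items(), key=lambda kv: kv[1])
                alerts.append({"second": t, "dst": dst, "pps": pps, "sources": nsrc,
                               "baseline_pps": baseline, "service": f"{proto}/{port}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_flows()):
        print(alert)
```

The many-sources condition is what separates a distributed flood from one misbehaving client (a single high-rate source is better handled by per-source rate limiting), and the service field tells the operator which scrubbing rule to apply; in production the baseline would be learned per time of day and the thresholds fed from the kind of traffic intelligence the respondents say they lack.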

DDoS attacks pose the greatest threat at the network layer. Respondents were asked to allocate a total of 100 points to seven layers in the IT security stack. The layer most at risk for a DDoS attack is the network layer followed by the application layer. The findings suggest how organizations should allocate resources to prevent and detect DDoS attacks.

DDoS attacks can have severe financial consequences because they cause a loss of productivity, customer turnover and damage to property, plant and equipment. DDoS attacks affect the bottom line. Respondents consider the most severe consequences to be diminished productivity for both end users and IT staff.

Threat intelligence currently used to mitigate the threat of a DDoS attack is stale, inaccurate, incomplete and does not integrate well with various security measures. Seventy percent of respondents believe their DDoS-related threat intelligence is often too stale to be actionable and 62 percent of respondents say it is often inaccurate and/or incomplete. Other issues include the difficulty in integrating DDoS threat intelligence with various security measures and the high false positive rate, say 60 percent and 58 percent of respondents respectively.

To improve prevention and detection of DDoS attacks, organizations need actionable threat intelligence. Sixty-three percent of respondents say the biggest barrier to a stronger cybersecurity posture with respect to DDoS attacks is a lack of actionable intelligence. To address this problem, 68 percent of respondents say the most effective technology in mitigating DDoS threats is one that provides intelligence about networks and traffic.

Scalability, integration and reduction of false positives are the most important features to prevent DDoS attacks. As part of their strategy to address DDoS security risks, companies want the ability to scale during times of peak demand, integrate DDoS protection with cyber intelligence solutions, integrate analytics and automation to achieve greater visibility and precision in the intelligence gathering process and reduce the number of false positives in the generation of alerts.

Most organizations plan to offer DDoS scrubbing services. Sixty-six percent of respondents either have a DDoS scrubbing service (41 percent) or plan to in the future (25 percent). Benefits to offering these services are revenue opportunities, enhanced customer loyalty and lower support tickets with subscribers.

To read the rest of this study, visit A10 Networks.

Milk still expires, but now — mercifully — your passwords won’t

Bob Sullivan

Who hasn’t been interrupted during some important task by a strictly-imposed network requirement to “update” a password?  And who hasn’t solved this modern annoyance by some ridiculous, unsafe naming convention like “CorpPassword1…CorpPassword2…CorpPassword3” and so on? People already have 150 or so passwords they must remember. Forced expiration made this already untenable situation even worse — 150 *new* passwords every month or so?

Those days are, thankfully, coming to a close. Last year, NIST revised its password guidelines, urging companies to abandon forced expirations. And recently, Microsoft announced it would remove the requirement from its Windows 10 security baseline.

This will finally start a movement to drop forced password updates.

In its announcement, Microsoft was both logical and forceful in its argument.

“Periodic password expiration is an ancient and obsolete mitigation of very low value,” it said. “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

Either a password is compromised, in which case it should be changed now (why wait 30 or 60 days?), or it is not compromised, in which case why create the extra hassle?

More from MS:

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Gartner cybersecurity analyst Avivah Litan called the move a “most welcome step.”

“Finally a big tech company (that manages much of our daily authentication) is using independent reasoned thinking rather than going along with the crowd mentality when the crowd’s less secure password management practices are – however counterintuitive – less secure,” she wrote on her blog. 

What should companies be doing about passwords instead? Litan hopes this step signals the beginning of the end of traditional passwords.  Meanwhile, Microsoft hints at what better security looks like:

“What should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
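The mitigations Microsoft lists in that quote can be written down as an acceptance policy, which is what replaces the calendar. The following is an added illustration for this post, not Microsoft's or NIST's code: it checks a candidate password against a banned list, rejects the "small and predictable alteration" of the previous password that the announcement warns about, and makes rotation a function of evidence of compromise rather than of age. The banned list here is a constructed stand-in; a real deployment loads a breached-password corpus and adds organization-specific words such as the company name, which is why "CorpPassword2" is refused outright rather than merely as a near-copy of "CorpPassword1". The length limits, edit-distance cutoff and function names are assumptions for the example.

```python
"""Password acceptance checks that replace scheduled expiration.

Added illustration for this post; not Microsoft's or NIST's code. The banned
list is a constructed stand-in for a breached-password corpus.
"""
import re
from typing import Optional, Tuple

MIN_LENGTH = 8       # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128     # allow long passphrases; cap only to bound hashing cost

# Constructed stand-in: real deployments load millions of breached passwords
# plus context-specific stems (company name, product names, usernames).
BANNED = {"password", "corppassword", "welcome", "letmein", "qwerty", "12345678"}


def normalize(pw: str) -> str:
    """Strip the decorations people bolt on ('Password1!' -> 'password') so
    trivially dressed-up banned words are still caught."""
    return re.sub(r"[^a-z]", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a previous password one or two edits away is the
    'predictable alteration' forced expiration tends to produce."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: Optional[str] = None,
                   max_similar_edits: int = 2) -> Tuple[bool, str]:
    """Return (accepted, reason). No composition rules: length, a banned
    list and dissimilarity from the previous secret are the whole policy."""
    if len(candidate) < MIN_LENGTH:
        return False, "too_short"
    if len(candidate) > MAX_LENGTH:
        return False, "too_long"
    if candidate.lower() in BANNED or normalize(candidate) in BANNED:
        return False, "banned"
    if previous is not None and levenshtein(candidate.lower(), previous.lower()) <= max_similar_edits:
        return False, "too_similar_to_previous"
    return True, "ok"


def rotation_required(compromised: bool, days_since_change: int,
                      legacy_max_age: Optional[int] = None) -> bool:
    """Change on evidence of compromise. legacy_max_age re-enables the old
    calendar rule (42, 60 or 90 days) only for an organization that has not
    yet deployed the modern mitigations; the new baseline leaves it None."""
    if compromised:
        return True
    return legacy_max_age is not None and days_since_change >= legacy_max_age


if __name__ == "__main__":
    for cand, prev in [("CorpPassword2", "CorpPassword1"), ("Tr0ub4dor&4", "Tr0ub4dor&3"),
                       ("Password1!", None), ("correct horse battery staple", None)]:
        print(cand, "->", check_password(cand, prev))
    print("rotate (not compromised, 120 days):", rotation_required(False, 120))
    print("rotate (compromised, 3 days):", rotation_required(True, 3))
```

The edit-distance check is deliberately case-insensitive so that "Tr0ub4dor&4" is refused after "Tr0ub4dor&3", while a genuinely new passphrase passes with no special-character or digit requirement at all; with `legacy_max_age` left at `None`, a 120-day-old uncompromised password is never forced to change, but a compromised one is, whatever its age.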

Coincidentally, this week’s “So, Bob” podcast deals with password managers.  Listen on iTunes, on Stitcher or click play below if a play button appears for you.