Articles Featured
Who is responsible for public cloud security?
November 26, 2018

I had an interesting conversation with a Cloud Architect of a global enterprise who was adamant that data in the public cloud is secured by the cloud provider. He rightly pointed out that Amazon, Microsoft, and Google have security capabilities and practices in place to protect the availability and integrity of the services they offer.

Agreed!

I asked who is responsible for protecting the confidentiality of data, as well as the availability and integrity of applications. Our conversation led to the following threats: data breaches, inadequately secured APIs, insufficient identity, credential, and access management, shared technology vulnerabilities, denial of service (DoS), and malicious insiders, among others. Integration among different public clouds is also difficult.

Public cloud security doesn’t end with the cloud provider

The ever-expanding corporate attack surface reduces visibility into threats and vulnerabilities for both the IT team and its internal customers. A lack of integration leads to an unnecessarily large number of manual workflows, which strains security teams already facing tight budgets and staffing. In addition, sharing of threat intelligence among solutions cannot be automated, so proactive risk management may be nearly impossible.

To overcome these challenges, security (cloud) architects need a cloud-centric mindset and the help of cloud security technologies that integrate tightly and automate as many processes as possible.

Making a secure transition to the public cloud

Common problems when the security of cloud-based applications is mismanaged include unsecured directories, deployment of insecure non-production applications in the same security environment as a production server, failure to patch known vulnerabilities, and misconfigured firewalls.

End-user credentialing and passwords also continue to cause headaches for security teams. Some employees use the same credentials for an assortment of applications: they may use the same password for critical internal applications, such as finance systems, as for the software they access in the public cloud. This practice means that if the public cloud is breached, the company would be vulnerable to direct attacks on internal systems or indirect attacks using social engineering. A recent study finds that 81% of hacking-related data breaches leveraged passwords that were either weak, stolen, or simply the software’s default.

Unlike providers of public cloud infrastructure, SaaS providers are responsible for securing both the application and the infrastructure. Still, content permissions remain the responsibility of application users.

But this approach can open the organization up to new vulnerabilities. Line-of-business employees may set overly permissive read privileges and give the wrong people access to sensitive information. Dow Jones, as an example, lost millions of customer records last year due to poor permission management in the public cloud. Similarly, business users might fail to properly lock down write privileges, which can open the door to hackers changing corporate files.

How to manage cloud security when providers and customers share responsibility

Customers who run applications on Infrastructure-as-a-Service (IaaS) platforms are also taking on significant security responsibilities. While IaaS providers are responsible for keeping cloud services running, the customer is fully responsible for security of the operating systems and software running on the platform. This requires attention not only to upfront security settings, but also to ongoing patching and updates.

Articles Featured
Cyber Security: How America Prepared for Midterm Elections
November 22, 2018

Undoubtedly there are risks we take when we entrust our democracy to a system so essential to preserving our most basic rights and freedoms. The United States, along with its state and local governments, has made election security a top priority given the ongoing efforts by foreign players to influence U.S. elections. Election systems in many jurisdictions face a significant risk of compromise because of inadequate funding for cybersecurity. Federal funding of $380 billion from the Help America Vote Act (HAVA) fills a portion of that gap, but state and local governments need to be strategic in how they manage this budget.

Secure voting requires reliable processes and secure frameworks that cut across the entire system. Cybersecurity in elections calls for precise technical recommendations with robust risk-mitigation plans to guarantee safety.

Since August 2016, the strain on the electoral system has dramatically increased due to a series of cybersecurity-related concerns. Foreign interference in midterm elections by external parties has become a reality.

The election system comprises voter registration databases, vote casting, and tallying, among other crucial aspects of any election. Both internal and public communications are also essential. All these systems need a great deal of integrity. No element should be compromised, so proper security procedures are needed to address breaches of any of these arrangements. Election integrity is at stake here. Challenges were evident in the 2016 election cycle, especially on the communications side. Information sharing proved critical, even though no votes seemed to have been altered in 2016.

There is a consensus that the digital attack surface is larger than ever before, and is growing on an industrial scale. Managing security is difficult and becoming more challenging. Advanced threats continue to evolve and are harder to combat. But the responsibility of protecting democracy does not rest squarely on the government’s shoulders. “Social platforms have a responsibility to address misinformation as a systemic problem, instead of reacting to case after case,” writes The New York Times’ (NYT) editorial board.

“At this stage of the internet’s evolution,” writes the NYT editorial board, “content moderation can no longer be reduced to individual postings viewed in isolation and out of context. The problem is systemic, currently manifested in the form of coordinated campaigns both foreign and homegrown. While Facebook and Twitter have been making strides toward proactively staving off dubious influence campaigns, a tired old pattern is re-emerging — journalists and researchers find a problem, the platform reacts and the whole cycle begins anew. The merry-go-round spins yet again.”

Secretaries of State throughout the United States, close to 40 of whom serve as their state’s chief election officials, are at the forefront of safeguarding the entire election process and, more specifically, the election platforms that could be compromised to alter the outcome of an election. They have recruited information technology teams to design robust frameworks to address information security concerns. Other sectors have also been brought in, among them the National Guard, private-sector security companies, universities, and even the federal government. However, the partner that seems to be the strongest and most likely to make a significant contribution is the Department of Homeland Security (DHS).

The decentralized system seems to be working, at least for now, and it is the biggest protection of American democracy. The best part is that the designation remains in place, allowing state and local election officials to work towards an effective election. This will only be achieved through a seamless election system. The most promising development is that local governments have built a more productive relationship with the DHS. This is a leap forward, because the challenges of election security can only be met through a combined effort.

The standout aspect that renders the United States more ready than ever is the immense support being brought into the cybersecurity domain. There is a dire need for a comprehensive assessment of all the physical services that will be used during the elections. Information sharing is another building block of a midterm election, implying the need for robust frameworks, reliable platforms, and secure media, which together translate to a credible election process. Another issue that can be tackled more effectively as a result of this relationship is education. Education opportunities ensure that those in charge have hands-on skills in minimizing the chances of election tampering, rendering the system resilient to interference. Staff and all key officials need to understand the need for a secure system, for example, that they must not share critical access codes to such systems.

Another significant recommendation is a proper process for bringing in the Government Coordinating Council (GCC), one of the most essential stakeholders. The GCC is concerned with information sharing, more specifically the election data that determines the outcome of the election, and has the necessary expertise to secure the information infrastructure used to analyze and share that data. Involving all 50 states and over 1,000 local election offices as members creates a common hub that enhances the ability to share information among election officials, but also increases the data breach risk. That risk can be mitigated with the presence of the GCC, which has hands-on experience in data security.

Allowing the free flow of information among election officials on a secure, common platform eases risk management. This is the best recommendation for a secure election framework that cuts across all the processes, and it can easily be amplified across local regions. Having learned from the 2016 election cycle the need to be vigilant about threats to election infrastructure, election risks are now well analyzed, with proper mitigation plans in place. These plans enhance security, provide comprehensive training for election officials, and prioritize updated systems.

Having federal partners, the private sector, and the states as parties in the election process ensures that there are strong cyber practices to counter information security threats. Other critical recommendations encompass comprehensive threat analysis, which would eventually aid in coming up with water-tight risk management plans. Security has been given top priority, and elections are now taken seriously. The necessary information security defence mechanisms have to be put into practice. All these steps cover the critical issues highlighted in this article. Advanced election systems with secure processes are mandatory and should be employed in delivering credible midterm elections in the United States.

Election security is crucial to a functional democracy, and local election administrators have a difficult and important job in ensuring that elections run smoothly and their results are reliable. A comprehensive approach to network security that covers a jurisdiction’s entire infrastructure, from the data centre to multiple clouds and from voting machines to voter registration databases, is in place but requires constant updating.

With clear visibility and centralized control, administrators can avoid manual security processes and stop advanced threats before they become a threat to democracy.


This article was first published in Hilal Monthly.

Articles Featured
Think about the United Nations!
October 18, 2018

If you are like the majority of my friends, you would have imagined UN Peacekeeping as blue helmets, tanks, soldiers with their guns, or refugee camps.

But if you were to ask Liberians like Sahr Sundu and Musa Karnley, you would get a different answer.

Liberia, the first independent African republic (established in 1847), has suffered two civil wars that claimed over 250,000 lives and ruined its social, cultural and economic structure. The UN Mission in Liberia, or UNMIL, was deployed in October 2003. The Mission’s 14-plus years of operation were a success story: relative peace and order were restored; however, the economy was in dire straits. The UN mission had a limited budget, and its iron-clad scope restricted its activities. Staying within the mandate, UNMIL troops conducted several quick-impact projects (QIPs) to alleviate the suffering of the population.

The Pakistani Battalion in Liberia led a quick-impact project (QIP) to teach much-needed skills such as how to repair electrical appliances, generators, and other equipment. The primary motivation of this project was to prevent internal displacement and migration: if people in Tubmanburg got proper training, they would not have to run to Monrovia (the capital).

“The Story of UNMIL,” a recent United Nations book, cites an encounter between a UN observer and two Liberians who attended the training nine years ago:

“Mr. Sahr now owns God’s Time is the Best Workshop, which he says is the best in Tubmanburg and built most of the doors and windows in the town. He had been trained as a welder/technician by the Pakistani engineers. He said that the training had helped him, his family and the immediate community.”

“Musa Karnley was also trained by the Pakistanis as a welder and a generator technician and is currently the manager of Nakar Garage in Tubmanburg, specializing in generator repair and welding. He said that the training gave him the knowledge and technical skills to do repairs, and had given him an edge over the competition, especially in getting new jobs. His income increased tremendously, he said.”

The United Nations Mission in Liberia (UNMIL) has concluded, mostly thanks to the Troop Contributing Countries. Pakistan’s two battalions went home, leaving behind millions of happy Liberians.

Last year, Major General Salihu Zaway Uba, Force Commander of UNMIL, expressed concern about the drawdown of the mission. He told the Security Council that his Mission’s 14-year presence had been reduced to just 434 troops on the ground and was expected to be fully liquidated in June 2018. He recommended “clear and flexible” planning considerations for the transition phase and a graduated approach to drawdown, among other measures.

The UN Operation in Côte d’Ivoire (UNOCI) completed its mandate last year after more than thirteen years. In general, a drawdown of the troops is a good thing. However, if not done correctly, the risk of chaos and civil war looms high. A staggered drawdown of troops coupled with capacity building of local law enforcement mitigates the risk of a relapse into violence.

UN Peacekeeping has been under significant pressure. The 2018/19 budget for thirteen peacekeeping operations and an overhaul of the secretariat management structure is $6.69 billion, down from approximately $7.5 billion a year ago.

Historically, the United States has been a generous donor to peacekeeping operations. But the Trump administration introduced drastic cuts to Contributions for International Peacekeeping Activities (CIPA) in its 2019 budget, slashing over $710 million from the CIPA account, which includes UN Peacekeeping funding. CIPA dropped from $1.908 billion to $1.196 billion, a 37 percent cut from FY’17 enacted levels.

The Trump administration’s critics claim this move is unwise. The US Government Accountability Office (GAO) agrees: a recent GAO report states that supporting UN Peacekeeping operations is eight times cheaper than the U.S. going it alone.

Better World Campaign President Peter Yeo in a statement said: “supporting the UN is both in our (US) national security interests and a good deal for American taxpayers.”

The Peacekeeping Organization has also been under tremendous scrutiny to show outcomes, leading to management reforms. After much debate among member nations, the Organization announced two new departments focused on political and peacebuilding affairs and four stand-alone divisions for Africa to “streamline the Organization’s operations.”

In recent years, the United Nations has been prioritizing African TCCs because of the lower cost of logistics. That doesn’t come without risk. Some recently added TCCs do not have the experience, mindset, training or equipment required to carry out the Peacekeeping charter.

Last December, fourteen UN peacekeepers were killed in the Democratic Republic of Congo; the peacekeepers were all Tanzanian. A month later, in January 2018, a Pakistani soldier lost his life in an ambush. Our peacekeepers immediately responded with appropriate force, killing 11 members of the attacking militia.

Since 1960, Pakistan has contributed troops to 46 Peacekeeping missions in 28 countries. In the last ten years, Pakistan has ranked number one among Troop Contributing Countries. Pakistan’s contribution has dropped this year following the drawdown of two battalions from Darfur and one from Congo. The UN’s emphasis on recruiting African TCCs has also affected Pakistan’s ranking.

Dr Maleeha Lodhi, Permanent Representative of Pakistan to the United Nations, reminds this scribe:

“For over five decades, Pakistan has been a leader in UN peacekeeping, both as a troop contributing country and as an important voice in normative and reform processes at the UN in this area. Pakistan is proud to have contributed to the success of several UN peacekeeping missions. Its role in this critical UN enterprise is one reflection of Pakistan’s commitment to upholding and preserving international peace and stability.”

There is a recognition at UN headquarters that Pakistani troops are highly experienced in peacekeeping, well equipped and well poised. Sierra Leone’s Military Adviser Col Albert Jusu, in an encounter with his Pakistani counterpart, expressed gratitude, saying: “We have left Pakistan’s flag on the schools that you guys built so that we always remember how Pakistan helped us rebuild our country. Pakistani soldiers have the kind of mindset that is needed to stabilize and rebuild.”

Besides building schools and bridges, Pakistanis have also delivered healthcare. Major-General Salihu Zaway Uba, UNMIL Force Commander, told the Security Council: “The Pakistani Medical Unit has been providing medical level 2 services to all of the UN personnel and ensuring the stable health of UNMIL personnel.”

Living in New York, one of the most diverse cities in the world, I often run into Africans. Many of them know Pakistan because of its contribution to the peacekeeping mission.

The expertise Pakistan has gained serving in these missions culminated in the Centre for International Peace and Stability (CIPS) at the National University of Sciences and Technology (NUST). Secretary-General Ban Ki-moon inaugurated CIPS in 2013. Recently, Under-Secretary-General for Peacekeeping Operations Jean-Pierre Lacroix visited CIPS to pay tribute to the sacrifices of Pakistani peacekeepers.

Pakistan is now at a point where it can train personnel from other TCCs to replicate the successes of Liberia, Darfur, Côte d’Ivoire, and Congo.

I know the lives of 156 Pakistani peacekeepers were not lost in vain because today, as a Sudanese friend tells me: “Pakistan knows Africa and Africans know Pakistan.”

This article was published by Hilal Magazine.

Articles Featured
Did LifeLock Security Bug Put you at Risk?
July 26, 2018

https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/

LifeLock, the identity theft protection company, has put millions of customer emails at risk for phishing and identity theft attacks, thanks to a bug on its website.

The bug enabled customer email addresses to be harvested by simply changing one number in the URL of a web page used by customers to unsubscribe from LifeLock communications.

It’s important to note that this is not a breach, but it is a vulnerability to pay attention to, since ID thieves can use email addresses to steal other personal information.
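The pattern described above, a guessable number in the unsubscribe URL, shown beside one common fix, as an added illustration that is not LifeLock’s or its marketing vendor’s code: the opt-out link carries an HMAC over the subscriber id, so a link with an altered id fails verification, and the page echoes only a masked address. The subscriber table, key and function names are constructed for this example.

```python
"""Unsubscribe-page lookups: a sequential id next to an HMAC-protected token.

Constructed subscriber table and key; pure standard library. This is an
added illustration, not the code of any vendor named on the page.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample data. Sequential ids are what make the weak design
# enumerable: a neighbouring id is always a valid one.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Constructed server-side key. In production this comes from a secrets
# manager, is rotated, and never appears in a URL or a template.
UNSUBSCRIBE_KEY = b"constructed-demo-key-do-not-use"

GENERIC_FAILURE = "This unsubscribe link is invalid or has expired."


def weak_unsubscribe_page(subscriber_id: int) -> Optional[str]:
    """Weak design: the only thing in the URL is an integer, and the page
    shows whatever address that integer resolves to."""
    email = SUBSCRIBERS.get(subscriber_id)
    return None if email is None else f"Unsubscribe {email}?"


def make_unsubscribe_token(subscriber_id: int) -> str:
    """Token for the emailed link: the id plus an HMAC-SHA256 tag over it.
    Without the server key nobody can produce a valid tag for another id."""
    tag = hmac.new(UNSUBSCRIBE_KEY, str(subscriber_id).encode(),
                   hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{tag}"


def verify_unsubscribe_token(token: str) -> Optional[int]:
    """Return the subscriber id only if the tag verifies, else None.
    Malformed tokens, unknown ids and forged tags all take the same path."""
    try:
        id_part, tag = token.split(".", 1)
        subscriber_id = int(id_part)
    except ValueError:
        return None
    expected = hmac.new(UNSUBSCRIBE_KEY, id_part.encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: no timing hint about how many
    # characters of the tag were right, and no TypeError on odd input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return subscriber_id if subscriber_id in SUBSCRIBERS else None


def mask_email(email: str) -> str:
    """Enough for the recipient to recognise the address, not enough to
    harvest it: first character of the local part, then the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def hardened_unsubscribe_page(token: str) -> str:
    """Hardened design: one generic message for every failure, and only a
    masked address even when the token is good."""
    subscriber_id = verify_unsubscribe_token(token)
    if subscriber_id is None:
        return GENERIC_FAILURE
    return f"Unsubscribe {mask_email(SUBSCRIBERS[subscriber_id])}?"


if __name__ == "__main__":
    link = make_unsubscribe_token(1002)
    print(hardened_unsubscribe_page(link))
    print(hardened_unsubscribe_page("1003." + link.split(".", 1)[1]))
```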

How Symantec Resolved the Issue Involving the LifeLock Marketing Opt-Out Page

LifeLock claims:

Responsible stewardship of critical data is our central mission, and we take these matters very seriously. The issue was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. The issue was not with our main member portal or any other pages on LifeLock.com besides the marketing opt-out page.

Here is what you should do:

  1. Be skeptical of email communications urging you to take immediate action or claiming that they are privacy policy updates.
  2. Do not click on any suspicious-looking links in those messages and instead forward any suspicious email to the company itself. Call the company directly to confirm whether any such messaging is actually from them.
  3. Do not enter any personal info or credentials via links in emails. If you need to make updates, go directly to the company’s website to do so.

LifeLock monitors identity-related events, such as new account openings and credit-related applications. The company offers a $1 Million Service Guarantee.

In late 2016, Symantec bought Lifelock for $2.3 billion. Shares of Symantec were up 0.4% at $20.77 on Thursday.

Articles Featured
Data Brokers Detest California’s Privacy Law
July 12, 2018

California’s consumer privacy law is expected to have a significant impact on companies that deal in personal data — and especially those operating in the digital space. The California Consumer Privacy Act, A.B. 375, affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.

The law stipulates that consumers have the right to request the deletion of their personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.

The law’s requirements could threaten established business models far beyond California and throughout the digital sector.

Much of the political impetus behind the law’s passage came from some major privacy scandals that have come to light in recent months, including the Cambridge Analytica incident involving Facebook user data. This and other news drove public support for a privacy ballot initiative that would have instituted an even stricter data protection regime on companies that deal in consumer data if the state’s residents voted to pass it in November. But after intense negotiation, especially from leading internet companies and internet service providers, the backers of the ballot initiative agreed to drop the initiative and instead support the passage of the law.

https://hbr.org/2018/07/what-you-need-to-know-about-californias-new-data-privacy-law

Data Privacy: California Leads the Way

The bill gives consumers the right to have their personal data deleted; the right to know the commercial purpose for collecting their data; and the categories of sources from which the data are collected. It also prohibits a business from selling the personal data of anybody under the age of 16 unless that child agrees.

The bill gives companies the ability to offer discounts to customers who allow their data to be sold and charge those who opt out a reasonable amount based on how much the company makes selling the information.

Lawmakers say they will likely make alterations to improve the policy before it takes effect. Some privacy advocates are worried that lobbyists for business and technology groups will use that time to water it down.

TechNet, a technology lobbying group, urged lawmakers to improve the law before it takes effect “so it provides meaningful privacy protections for Californians while also allowing all the benefits and opportunities consumers expect from U.S. technology to continue.”

Policymakers around the country looking at what California has done on this issue should understand that the California Legislature’s work is far from finished and that this law remains a work in progress.

The California law is not as expansive as Europe’s General Data Protection Regulation, or G.D.P.R., a new set of laws restricting how tech companies collect, store and use personal data.

Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the proposed ballot measure, and lobbyists had estimated that businesses would spend $100 million to campaign against it before the November election.

Uncategorized
AI, ML and Deep Learning “cheat sheet” for the busy professionals
July 9, 2018

Can you distinguish between “Deep Learning” and “Machine Learning”? What about “Artificial Intelligence”? Let’s start with the definition of artificial intelligence, because this is where it all begins.

Artificial intelligence (AI) is “the ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings.”

Simply put, AI is a technology that enables a machine (computer/robot) to make an intelligent decision or take action. Academically speaking, “AI technology enables an intelligent agent to cognitively perceive its environment and correspondingly attempt to maximize its probability of success of target action.” In this context, a hardware module, software, a robot, or an application is “an intelligent agent.” The discipline of AI is probably older than you 🙂 The following excerpt is from 1953.

“We propose that a two-month, 10-man study of artificial intelligence be carried out during the summer of 1956 at Dartmouth College in Hanover, New Hampshire. The study is to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it. An attempt will be made to find how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves. We think that a significant advance can be made in one or more of these problems if a carefully selected group of scientists work on it together for a summer.”

Moving on to machine learning (ML), which has evolved from pattern recognition and computational learning theory in AI: ML is the capability of a computer to learn without being explicitly programmed, that is, the functionality to learn and make predictions from data.

Simply put, machine learning is concerned with the implementation of computer software that can learn autonomously. When provided with sufficient data, a machine learning algorithm can learn to make predictions or solve problems, such as identifying objects in pictures or winning at particular games. Here is a reasonable definition of ML:

“Machine Learning is the science of getting computers to learn and act like humans do, and improve their learning over time in autonomous fashion, by feeding them data and information in the form of observations and real-world interactions.”

  • “Machine learning is the science of getting computers to act without being explicitly programmed.” – Stanford
  • “Machine learning is based on algorithms that can learn from data without relying on rules-based programming.” – McKinsey & Co.
  • “Machine learning algorithms can figure out how to perform important tasks by generalizing from examples.” – University of Washington
  • “The field of Machine Learning seeks to answer the question ‘How can we build computer systems that automatically improve with experience, and what are the fundamental laws that govern all learning processes?’” – Carnegie Mellon University

A neural network is composed of simple processing nodes, or ‘artificial neurons’, which are connected to one another in layers. Each node will receive data from several nodes ‘above’ it, and give data to several nodes ‘below’ it. Nodes attach a ‘weight’ to the data they receive, and attribute a value to that data. If the data does not pass a certain threshold, it is not passed on to another node. The weights and thresholds of the nodes are adjusted when the algorithm is trained until similar data input results in consistent outputs.
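The mechanics just described (weights on incoming data, a threshold the sum must pass, and training that adjusts both until outputs are consistent) as an added example that is not part of the original article: a single artificial neuron in plain Python, trained on a constructed truth table, plus a hand-wired second layer showing why stacking nodes in layers matters. The class and function names are this example’s own.

```python
"""A single artificial neuron (perceptron) and a hand-wired two-layer network.

Added illustration with constructed truth-table data; pure Python, no
dependencies. Names (Perceptron, train, two_layer_xor) are this example's own.
"""
from typing import List, Sequence, Tuple

Example = Tuple[Sequence[float], int]  # (inputs, expected output 0 or 1)


class Perceptron:
    """One node: a weight on each incoming value and a threshold the
    weighted sum must exceed before the node 'fires' (outputs 1)."""

    def __init__(self, n_inputs: int, learning_rate: float = 1.0) -> None:
        self.weights: List[float] = [0.0] * n_inputs
        self.threshold: float = 0.0
        self.lr = learning_rate

    def activate(self, inputs: Sequence[float]) -> int:
        # Attach a weight to each incoming value and sum them up.
        total = sum(w * x for w, x in zip(self.weights, inputs))
        # Data that does not pass the threshold is not passed on (output 0).
        return 1 if total > self.threshold else 0

    def train(self, data: List[Example], max_epochs: int = 100) -> int:
        """Perceptron learning rule. Returns the epoch at which every example
        was classified correctly, or -1 if the weights never settle, which is
        what happens when no single line can separate the two classes."""
        for epoch in range(1, max_epochs + 1):
            mistakes = 0
            for inputs, expected in data:
                error = expected - self.activate(inputs)  # -1, 0 or +1
                if error == 0:
                    continue
                mistakes += 1
                # Nudge each weight toward the inputs that should have fired.
                self.weights = [w + self.lr * error * x
                                for w, x in zip(self.weights, inputs)]
                # Fired when it should not have: raise the bar, and vice versa.
                self.threshold -= self.lr * error
            if mistakes == 0:
                return epoch
        return -1


# Constructed training data: the four rows of a two-input truth table.
AND_DATA: List[Example] = [((0, 0), 0), ((0, 1), 0), ((1, 0), 0), ((1, 1), 1)]
XOR_DATA: List[Example] = [((0, 0), 0), ((0, 1), 1), ((1, 0), 1), ((1, 1), 0)]


def train_and_gate() -> Tuple[int, List[int]]:
    """Train one neuron on AND; return (epochs used, outputs for the 4 rows)."""
    node = Perceptron(n_inputs=2)
    epochs = node.train(AND_DATA)
    return epochs, [node.activate(x) for x, _ in AND_DATA]


def train_xor_single_neuron() -> int:
    """XOR is not linearly separable: a single neuron never converges (-1)."""
    return Perceptron(n_inputs=2).train(XOR_DATA)


def two_layer_xor(inputs: Sequence[float]) -> int:
    """Two layers solve XOR. The weights are set by hand to show the layering;
    learning them automatically needs backpropagation, not the rule above."""
    or_node, and_node, out_node = Perceptron(2), Perceptron(2), Perceptron(2)
    or_node.weights, or_node.threshold = [1.0, 1.0], 0.5     # any input is 1
    and_node.weights, and_node.threshold = [1.0, 1.0], 1.5   # both inputs are 1
    out_node.weights, out_node.threshold = [1.0, -1.0], 0.5  # OR but not AND
    # Layer 1 feeds layer 2: each node passes its output to the node 'below'.
    hidden = (or_node.activate(inputs), and_node.activate(inputs))
    return out_node.activate(hidden)


if __name__ == "__main__":
    print("AND:", train_and_gate())
    print("XOR, one neuron:", train_xor_single_neuron())
    print("XOR, two layers:", [two_layer_xor(x) for x, _ in XOR_DATA])
```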

Now let’s talk about “deep learning.”

“Deep learning is a machine learning technique that uses multiple internal layers of nonlinear processing units to conduct supervised or unsupervised learning from data.”

Deep learning literature borrows from neuroscience, and deep learning is implemented as “a neural network.” You will find academics and practitioners in this field talking about “neurons and perceptrons.” Relax – they are not going to operate on your brain.

Simply put, the nonlinear processing units are commonly referred to as neurons. Automation became possible due to AI technology. Machines became capable of automated learning and decision making due to machine learning technology. Deep learning technology, in turn, lets the automated learning process pick up fine details and use them for accurate decision making on complex problems.

Deep learning is a more recent variation of neural networks that uses many layers of artificial neurons to solve more difficult problems. Its popularity as a technique increased significantly from the mid-2000s onwards, and it is behind much of the wider interest in AI today. It is often used to classify information from images, text or sound.