All posts by Michelle Drolet

The Darwin defense: can ‘genetic algorithms’ outsmart malware?

Coming to a future near you: software code that mutates and evolves.

We often talk about computer systems and information security in biological terms. Threats and defenses evolve, viruses run rampant, and machines learn by emulating the neural networks in our brains. Cybersecurity is an endless war between attackers and defenders, just as biology is a war between predators and prey.

What if we could create an automated process of selection for computer programs, where the fittest would survive and adapt to become more robust, closing vulnerabilities and fixing bugs with each new self-generated version? That’s precisely what some researchers are working on, and it may lead us to a future where software repair and security are largely automated, with little input from coders.

The malware mountain

Malicious software or malware is an enormous problem. The AV-Test Institute registers more than 250,000 new malicious programs every day. Trying to combat that threat is far from easy, especially with limited time and resources. Cybercrime damages will cost $6 trillion annually by 2021, according to Cybersecurity Ventures, up from $3 trillion in 2015.

In a competitive market where new features and devices are developed as quickly as possible, security often takes a back seat. The need to secure the IoT is a good example. We’re connecting billions of devices to our networks that offer new potential points of entry for hackers. Many of these IoT devices lack basic security provisions or they have not been properly configured to take advantage of the security they do offer.

A single default password may hand an attacker the keys to your digital kingdom. Even with a stringent update policy and a string of security patches, which is not the state of play for most businesses, much less your average homeowner, there is still risk. New vulnerabilities emerge all the time and updates can create as many bugs as they fix.

The Darwin defense

The concept of a genetic algorithm was pioneered by John Henry Holland, a professor of psychology, electrical engineering, and computer science. He recognized the potential of applying Darwin’s concept of natural selection to computers. Now Stephanie Forrest, who earned her Ph.D. under Holland at the University of Michigan, is applying these genetic algorithms to software.

The idea is to allow different versions of a computer program to mate and merge their code (in genetic-algorithm terms, crossover). Some of the time, the new versions work better than their predecessors. Each software version is judged by a fitness function, typically how many of its test cases it passes, which must still cover the functions the program was originally created for. Weak versions that don’t perform well are culled. Promising new variants survive and mate. There’s also an element of unexpected innovation that comes through mutation, random edits that occasionally provide desirable new behavior. The caveat is that the fitness function is only as good as the test suite: a variant that passes every test can still be wrong on inputs the tests never exercise, so evolved repairs need the same review and broader testing as any other patch.

These genetic algorithms are essentially evolving through selective breeding and artificial adaptation. New generations can develop quickly with little human intervention beyond writing the tests that define fitness. This automated process has the potential to get useful results far more quickly and cheaply than traditional software development, where repairing bugs and closing vulnerabilities is slow and difficult.
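The loop described above, as an added toy example that is not code from the article or from Forrest’s group: a "program" is a short list of accumulator instructions, fitness is the fraction of an embedded, constructed test suite it passes, the weaker half of each generation is culled, survivors are crossed over and mutated, and the best candidate is always carried forward (elitism). The buggy seed, the opcode set, the constant pool and the test cases are all assumptions chosen for illustration; the seed adds 10 but neither saturates at 255 nor floors at 0, which is what the tests demand.

```python
"""Toy GenProg-style program repair driven by a test suite (illustrative, constructed)."""
import random

# A candidate program is a list of (opcode, constant) instructions applied in
# order to an accumulator that starts at the input value.
OPS = {
    "ADD": lambda acc, c: acc + c,
    "SUB": lambda acc, c: acc - c,
    "MIN": lambda acc, c: min(acc, c),   # saturate from above
    "MAX": lambda acc, c: max(acc, c),   # floor from below
}
CONSTANTS = [0, 1, 10, 255]              # pool a mutation may draw constants from
MAX_LEN = 8                              # bound program length so bloat cannot run away

# Constructed test suite: spec is "add 10, saturating at 255, never below 0".
TESTS = [(0, 10), (100, 110), (245, 255), (250, 255), (300, 255), (-20, 0)]


def run_program(prog, x):
    """Execute a candidate on one input and return its output."""
    acc = x
    for op, c in prog:
        acc = OPS[op](acc, c)
    return acc


def fitness(prog):
    """Fraction of tests passed: the selection signal (1.0 means all pass)."""
    return sum(run_program(prog, x) == want for x, want in TESTS) / len(TESTS)


def random_instr(rng):
    return (rng.choice(list(OPS)), rng.choice(CONSTANTS))


def crossover(a, b, rng):
    """One-point crossover: a prefix of parent a followed by a suffix of parent b."""
    i = rng.randint(0, len(a))
    j = rng.randint(0, len(b))
    return (a[:i] + b[j:])[:MAX_LEN]


def mutate(prog, rng):
    """Insert, delete or replace one instruction (the 'unexpected innovation')."""
    prog = list(prog)
    choice = rng.choice(["insert", "delete", "replace"])
    if choice == "delete" and prog:
        del prog[rng.randrange(len(prog))]
    elif choice == "replace" and prog:
        prog[rng.randrange(len(prog))] = random_instr(rng)
    else:
        prog.insert(rng.randint(0, len(prog)), random_instr(rng))
    return prog[:MAX_LEN]


def repair(seed, generations=40, pop_size=30, rng=None):
    """Evolve variants of `seed` until one passes every test or the budget runs out.

    Elitism plus seeding the population with `seed` guarantees the returned
    program is never less fit than the seed, even if no repair is found.
    """
    rng = rng or random.Random(0)   # fixed seed keeps the run reproducible
    pop = [list(seed)] + [mutate(seed, rng) for _ in range(pop_size - 1)]
    best = max(pop, key=fitness)
    for _ in range(generations):
        if fitness(best) == 1.0:
            break
        ranked = sorted(pop, key=fitness, reverse=True)
        parents = ranked[: pop_size // 2]   # cull the weaker half
        children = [best]                    # elitism: keep the current best
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            child = crossover(a, b, rng)
            if rng.random() < 0.5:
                child = mutate(child, rng)
            children.append(child)
        pop = children
        best = max(pop, key=fitness)
    return best


BUGGY = [("ADD", 10)]   # the "before": adds 10 but never saturates or floors

if __name__ == "__main__":
    fixed = repair(BUGGY)
    print("seed fitness:", fitness(BUGGY), "evolved:", fixed, fitness(fixed))
```

Note what the evolved result does and does not prove: passing all six tests says nothing about inputs outside them, and a candidate such as one that hard-codes outputs can score as well as the intended saturating add. In practice the test suite is the specification, which is why evolved patches are reviewed like any other.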

Automation and evolution

Traditional software development has given way to a much faster process, and there’s a growing understanding that automation can introduce speed and consistency and free up talent to focus on areas where they can add more value. Artificial intelligence has benefited enormously by borrowing from biology, so it stands to reason that security software could do the same.

As potential attack surfaces grow, there are countless risks to assess and remediate. There’s so much to consider, from third-party risk management to the growth of botnets. Cybersecurity professionals understand that this is a war that will never end. Hackers and cybercriminals continue to identify and exploit new avenues of attack. Just as innovation drives new software features, it leaves bugs and vulnerabilities in its wake.

Even with the help of a common set of principles, like NIST’s Cybersecurity Framework, it’s difficult to keep malware off your network. New vulnerabilities are discovered every day, but too many companies also fail to remediate for known issues. Patching is a real problem that needs to be addressed.

It’s easy to see the exciting potential of automated, evolutionary software development for rapid bug fixes and enhanced security.


This article was originally posted on CSOOnline >

5 questions to ask your CEO about cybersecurity

Why you need to go beyond compliance.

Businesses will continue to face a ton of cyber threats, some of which will impact organizations severely enough to require security measures that reach far beyond compliance. A Ponemon Institute study showed that the average compromised record cost approximately $194. Loss of business due to cyber breaches was estimated at approximately $3 million.

As you can see, it’s important to make sure that the risk of cyber breaches is taken seriously.

Compliance standards will enable your organization to establish a solid baseline to deal with known risks, but this does nothing to address new and changing threats. Also, more sophisticated threats and vulnerabilities aren’t always known or covered in compliance. You need to have a risk-based approach to this, so that your organization will have a more cost-effective and comprehensive management of these risks.

One of the most common problems in cybersecurity is the constantly and rapidly changing landscape of security risks. The ever-evolving business environment is changing faster than we’re able to keep up. The traditional approach was to focus the majority of resources on the most important parts of the system and protect against the biggest known threats. This, of course, left less important parts of the system vulnerable. In other words, some less dangerous risks were left unprotected, and those could still cause lost business and make life hard. This approach is no longer sufficient in our current day and age.

To approach this problem in the best way possible, advisory organizations have been promoting a different approach.

The National Institute of Standards and Technology (NIST) and the U.S. Department of Homeland Security have both issued updated guidelines. While both recommend that business organizations shift towards real-time assessments and continuous monitoring of cyber risks, let’s consider what Homeland Security says are the five key questions to ask your CEO.

1. How specifically is the executive body of leaders kept up to date on the current level of cyber risks and impact to the business?

2. What currently is the level and impact of cyber risks to the business? What key plans or strategies exist to deal with risks that have been identified?

3. How specifically is our current cybersecurity program applying industry standards and best practices?

4. Throughout the course of a week, how many and what types of incidents are detected within the company? What threshold standard is used to alert the executive body of leaders?

5. Just how thorough is our cyber incident response plan? How many times a week or a month is it tested?

As you can see, these questions all lead you to a risk-based approach. With this approach, you’re not just adhering to compliance standards. You’re using a comprehensive approach that leverages best practices and industry standards to identify possible problems, along with processes in place to keep everyone informed. This will enable you to increase the chances of a fast and timely response to possible cybersecurity threats. It will also increase the chance of a quick and easy recovery, when and if such an event should occur.

Time is crucial in this matter. Early response actions can decrease the negative impact to your organization and possibly even eliminate it altogether. The key to this is planning. This is more than just having a checklist in place and then going down the list, checking off each task. It involves continuous, comprehensive, risk-based preparation in conjunction with your business leadership, public affairs, general counsel, system operators, continuity planners, CEO and your Chief Security Officer.


This article was originally posted on CSOOnline >

Three crucial keys to understanding HIPAA compliance

You already know how important it is to be HIPAA compliant. A lot of businesses, including registered marijuana dispensaries, get confused about the requirements, when it comes to dealing with protected health information. It can get a little fuzzy, if you’re not privy to the big picture.

The Health Insurance Portability & Accountability Act was created in order to set a standard for safeguarding private patient information. Any entity dealing with this kind of protected health information (PHI) is required to ensure all the mandatory processes, network and physical security protocols have been put in place. Prior to these laws, there was no standard for securing PHI. As the medical, healthcare and other covered entities began to technologically advance, there was a movement away from the paper process. More and more businesses began to use electronic data systems to provide clinically based functions, answer eligibility questions and pay claims.


Why is this important?

Keep in mind the major goal of the HIPAA compliance law is to protect the privacy of individuals’ PHI, while allowing covered businesses, including registered marijuana dispensaries, to work with new technologies. These technologies often assist and increase the efficiency and quality of the care provided. With the advance of these technologies comes increased risk of exposing PHI. Without the privacy rule, a patient’s information could very likely, without patient consent, end up being passed on to their employer.

This employer then could use the information to make personal decisions in the workplace. Another scenario could be a lender getting their hands on the patient’s health information and then using that to deny the patient’s application for a credit card, auto loan or home mortgage. In order to avoid this, it is imperative covered businesses do all they can to be HIPAA compliant.


Three keys to compliance: PIE

1. Protect against wrongful and impermissible abuse of PHI and other unauthorized disclosures. This includes ensuring compliance by your workforce.

2. Identify and secure against any threats to the safety of all PHI.

3. Ensure the safety, integrity, confidentiality, privacy and accessibility of all PHI transmitted, maintained, received and/or created.


A business associate can be any third party working with patient records and/or claims processing: accountants, attorneys, consultants, and registered marijuana dispensaries. If they service healthcare entities and have access to PHI, they are all included under HIPAA’s definition of business associates.

In summary, what you want to focus on is the big picture. Covered entities are required to protect patient health information. You are allowed to disclose PHI only to business associates whose services you use, granted you obtain satisfactory assurances. Therefore, your priority is to ensure your business associates will comply with HIPAA and safeguard the PHI they are transacting with throughout your relationship. Obtaining satisfactory assurances means getting it in writing, according to HIPAA compliance guidelines.


This article was originally posted on Worcester Business Journal >

Worcester Business Journal’s IT Forum Review

Thanks to all who joined us at the Worcester Business Journal’s IT Forum. We hope that you found the event informative.


The following is some post event information that we thought would be helpful.

  • CLICK HERE to take our event survey. Please take a moment to complete this survey. Your feedback is important to us!
  • Visit for event photos and the keynote presentation. Event video will be uploaded within the next week – so check back again!
  • If you’d like to stay informed on future events or kept up to date on the business scene in Central Mass, click here to sign up for a FREE subscription to the Worcester Business Journal. Also, like our Facebook page and connect with us on LinkedIn!

Thank you again. We hope to see you at future events!



MetroWest’s 2017 Community Leadership Breakfast

Did you know that 74% of employees say their job is more fulfilling when they are provided opportunities to make a positive impact at work?

Towerwall is proud to be a sponsor of Foundation for MetroWest’s 2017 Community Leadership Breakfast.

The Breakfast is one of MetroWest’s key events of the year: it gives corporate decision makers and civic leaders the opportunity to hear from a major thinker in corporate philanthropy, connect with each other, and learn more about the Foundation’s leadership in creating strong, vibrant MetroWest communities.

Click here for more information and to register >

How much will non-compliance with GDPR cost you?

Any breach of the General Data Protection Regulation could lead to severe fines.

The General Data Protection Regulation (GDPR) went through four years of preparation and debate before being passed by the EU parliament last year. Strict GDPR requirements lay out how companies should process, store, and secure the personal data of EU citizens. The enforcement date is May 25, 2018, and any company not in compliance by that date could be in for a very nasty shock indeed.

The short answer to our question can be found in paragraph 5 of Article 83, which dictates that infringements can lead to fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Little wonder then, that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

Sky high fines?

The high ceiling on fines that will come in with GDPR will give data regulators much greater punitive power, in theory. In practice, we simply don’t know how fines will be levied.

Maximum fines are rare, but there’s currently a great deal of variance from country to country. For example, in the U.K. the Information Commissioner’s Office can issue fines up to 500,000 GBP, but the highest fine to date was 400,000 GBP ($532,158) for telecoms company TalkTalk, after a major data breach that exposed the names, addresses, dates of birth, phone numbers and email addresses of more than 150,000 customers, and bank account details and sort codes for thousands.

There’s some debate about whether high fines will be levied, and in what circumstances, but it’s possible that some data regulators will want to send a clear message by making an example of a company for non-compliance. The European Data Protection Board (EDPB) is expected to offer guidance on fines, but that guidance is not yet available and the first few cases are liable to set a precedent.

Reputational damage

The risk of GDPR fines isn’t just the fine amount, but also the fact that your company name will appear in headlines associated with a lack of security. The lasting damage to your brand is hard to quantify, but it seems likely that people concerned about privacy will avoid the brand if an association is made. In the aftermath of TalkTalk’s breach, for example, the company lost more than 100,000 customers.

A severe fine for non-compliance will generate a lot of news stories and any potential customer researching their options may find those stories and be influenced by them for years to come. The way companies collect and use data is coming under increasing scrutiny as privacy concerns among consumers grow, and that trend is only going to increase. Why take the risk?

Sensible security

With uncertainty about the level of fines that will be imposed, businesses need to invest some time and resources into researching GDPR. When Vanson Bourne surveyed 1,600 organizations, it found that 37% of respondents don’t know whether their organization needs to comply with GDPR, while 28% believe they don’t need to comply at all. Ignorance will not provide any protection from fines.

Compliance is a smart move, not just to avoid fines, but to safeguard your customer data. For the most part, the requirements are formalizing a set of principles that you should already be applying. Assess your privacy practices, appoint a data protection officer where Article 37 requires one, create a data breach plan that includes notifying the supervisory authority within 72 hours of becoming aware of a breach, and make sure you know where your data is at all times. Preparing for GDPR compliance is hardly an insurmountable task.

If this prompts companies to review the data they collect and assess whether they need to store it, then that’s a good thing. Too many companies have a data hoarding attitude and it creates unnecessary risk. There’s also no excuse for neglecting to create clear consent forms and privacy policies. Ultimately, companies should not be treating data protection as optional.

We can’t say for sure what non-compliance with GDPR will cost you, but there’s a good chance it will prove more expensive than compliance, and that’s the point.


This article was originally posted on CSOOnline >

Join Michelle Drolet at the Worcester Business Journal IT Forum #WBJITFORUM

Register Today >




Making a bad situation worse: how Equifax mishandled the breach

Companies must respond to data breaches properly to limit the damage. Unfortunately, Equifax did not.

There have been some very high-profile data breaches in the last few years, but the latest disaster to hit the headlines concerns one of the largest credit bureaus in the United States. It’s estimated that the Equifax data breach exposed 143 million consumers, with cybercriminals accessing birth dates, addresses, and even Social Security, credit card and driver’s license numbers, making it one of the worst corporate data breaches ever.

The global average cost of a data breach is $3.62 million, according to the Ponemon Institute, which also estimates the average cost for each lost or stolen record containing sensitive data at $141. But mishandle a breach and that cost can rise. The lax security that led to a breach of this magnitude must be investigated, but in the immediate aftermath of an attack like this, how a company responds is crucial in limiting the damage.

Unfortunately, to say Equifax responded poorly would be an understatement.


Delayed disclosure

Any company that suffers a data breach has a duty to those affected to inform them quickly. Equifax claims it learned about the breach at the end of July. It took around six weeks to disclose it. During that time three senior executives sold shares, according to Bloomberg, which has prompted an investigation by a New York law firm. Questionable trading aside, at the very least you would assume that Equifax might have used the time to plan a response and create a system to allow its customers to check whether their data was exposed. Instead, it announced the sudden retirement of its CEO.


Misdirecting potential victims

Naturally, the first thing people want to do when they hear about a breach like this is to check whether their data was accessed. Instead of building pages on its main, trusted website to allow people to check, Equifax directed potential victims to a new domain – – which was bug-ridden and flagged by some browsers as a phishing threat.

Equifax asked people to enter the last six digits of their Social Security number in order to check if their data had been exposed. Some people entered their information via computer and were told they were unaffected, but got a different answer about exposure when they logged in from a smartphone with the same details, according to KrebsonSecurity.

Even if this site had worked properly, the reason why creating a separate domain is a bad idea became obvious when the official Equifax Twitter account mistakenly and repeatedly directed people to a look-alike phishing domain instead of its own site. Luckily for Equifax, the look-alike site had been set up by software engineer Nick Sweeting as proof of how easy it is for cybercriminals to set up phishing scams. It got 200,000 hits before he took it down.


Head in the sand

The attackers gained access to the Equifax system by exploiting a vulnerability (CVE-2017-5638) in the Apache Struts web application framework, which is widely used in the enterprise. The thing is, that bug had been disclosed back in March and a patch to fix it was available. Equifax had ample opportunity to update, it was aware of the patch, and yet several months later it had still not managed to successfully apply it.

It later transpired that Equifax had also suffered a breach back in March, though the company did not share any details on what, if any, data was exposed. It’s unclear if there’s any link between the two incidents, but the first attack should have been a warning signal. It should be obvious that a credit bureau holding all the data cybercriminals need for lucrative identity theft is always going to be a major target.


Looking for a silver lining?

They say every cloud has one, but it’s not easy to find one here for the millions of Americans whose data has not been properly protected. What’s so galling about the Equifax breach is how avoidable it was.

Security isn’t arcane knowledge. Applying the basics that NIST’s Cybersecurity Framework already spells out, knowing what software you run and patching it when a fix is published, would very likely have prevented this. And to exacerbate the situation by delaying and then misdirecting potential victims shows a staggering lack of care. An investigation by the Federal Trade Commission is underway. And deservedly so.


This article was originally posted on CSOOnline >

Join Sophos for a “Future of Endpoint Protection” Event

Join Sophos CEO Kris Hagerman and SVP Dan Schiappa at the Revere Hotel in downtown Boston to learn more about the latest development in Sophos’ innovative approach to endpoint protection.

Seating is limited; reserve your seat today to discover:

  • Sophos’ vision on the future of cybersecurity, direct from our CEO and SVP of Products
  • How the Ransomware epidemic is evolving and how you can stop it
  • Predictive endpoint protection fueled by Artificial Intelligence and deep learning
  • Live demo of the new release of Sophos’ award-winning Intercept X


Register Now >