Telehealth’s emergence and the keys to security in 2021
Security Magazine
January 15, 2021
Telehealth was an unexpected technology bright spot in 2020, as the Office for Civil Rights (OCR) relaxed enforcement of certain aspects of HIPAA, helping to reduce COVID exposure via virtual rounding and virtual visits.
Unfortunately, bad actors have shown a lack of morality in their pursuit of illegal profits and have continued to attack medical organizations. Ransomware attacks, for example, can cripple a hospital’s abilities to provide high-quality patient care by denying access to key computer systems, which would force medical professionals to have to treat patients based on memory and paper-based records.
The following three high-level recommendations provide a basis for defense in depth for healthcare organizations in 2021.
See publication
Tags: Cybersecurity, Healthtech
How Healthcare Organizations Can Prepare For Upcoming Ransomware Attacks
Ascent Solutions
November 02, 2020
Our initial set of recommendations will help to mitigate the immediate risks of a ransomware attack. Continuous planning based on risks will help to support long-term cybersecurity resiliency despite these sustained and evolving adversarial threats to the well-being of our communities.
See publication
Tags: Cybersecurity, Healthtech
Although 2020 is the year of the crisis, only one is new
Grey Swan Guild
July 03, 2020
People may aptly sum up 2020 in a single word: crisis. An inadequate response to the COVID-19 pandemic has led to the deaths of hundreds of thousands of people globally. The underlying data are more tragic, as the pandemic has disproportionately affected communities of color that have lived with the daily existing threats of shrinking economic mobility and racism. At the same time, both public and private organizations have struggled to mount an effective defense against cybercrime, which represents not only one of the largest transfers of wealth in human history but also threatens public trust in democracy and civil society. This article provides context and actionable steps to begin to dismantle the underpinnings of these long-standing crises; however, this article is not the solution. Only sustained action will lead to meaningful change.
See publication
Tags: COVID19, Cybersecurity, Diversity and Inclusion
10 ways to get more from your security budget
CSO Magazine
April 27, 2020
For years, security budgets seemed to go only one direction: up. As recently as February of this year, some 62% of organizations said they planned to increase their cybersecurity spending for 2020, according research by analyst firm ESG.
But that was then.
Like their C-suite peers, CISOs today are being asked to do more with less – and probably will be for some time, as the world continues in these uncertain economic times.
See publication
Tags: Cybersecurity
Could Artificial Intelligence Solve Cybersecurity Staffing Shortages?
EdTech Magazine
April 23, 2020
AI can also help improve retention rates by making entry-level cybersecurity jobs “less dull,” says Kayne McGladrey, CISO and CIO of Pensar and a member of the IEEE. “We get people out of school, and they are excited to be on the team. Then, on their first day, they’re handed a checklist: here’s the things you will do and the order in which you will do them.”
A job that consists of reading logs and chasing down false leads may not be enticing enough to keep workers around, especially when those kinds of skills are in demand at higher pay elsewhere. “We’re asking people to act like machines,” he says, “and that’s not very a very effective engagement model.”
See publication
Tags: AI, Cybersecurity
Cyber Security Is Integral To Business Continuity Planning
CSHub.com
April 06, 2020
Communications are critical for an organization when an incident occurs. Leadership must effectively share information with the workforce. For some organizations, this requires enacting the critical communications plan that has been drilled. For others, an incident is a disruption to the normal course of business, which is where business continuity planning demonstrates its value to the organization.
See publication
Tags: Business Continuity, Cybersecurity
3 Ways Artificial Intelligence Can Improve Campus Cybersecurity
EdTech
March 30, 2020
“Every university has a whole crop of new individuals who come into the organization on an annual or quarterly basis,” McGladrey explains. With such a frequent influx of new arrivals bringing their own devices and computers, it’s essentially impossible for university IT teams to control the sheer number of new endpoints.
AI can identify networking traffic, assess what “normal” looks like on a university network and do it at a larger scale that humans can accomplish. Thus, if a “faculty member normally arrives at 8 a.m., does work until 7 p.m. and then maybe logs on to her email at 9 p.m., you wouldn’t expect that individual to be up at 3 a.m. connecting from China. AI can monitor those patterns of normalcy,” he says.
See publication
Tags: AI, Cybersecurity, Edtech
Design Flaws In Cyber Security Reports And Related CISO Sleep Patterns
Cyber Security Hub
March 10, 2020
I recently stopped using my fitness tracker, though not due to a cyber security breach or privacy concerns. Rather, it came down to the overwhelmingly negative reports provided by the app.
Like many CISOs, I don’t sleep much; in my case, getting by on five to six hours of sleep a night is hereditary. Although the tracker collected detailed telemetry, the app only provided comparative reports against other people. Despite my experience, the app alarmingly claimed I’d been having terrible problems sleeping for weeks in a row.
Producing highly accurate reports without individual customization is a consistent design flaw of many cyber security solutions available today.
See publication
Tags: Cybersecurity
How Secure Is Your Home Wi-Fi?
How To Geek
March 03, 2020
When it comes to modern technology, everything is a compromise between convenience and security. Everyone wants fast access to the internet, which is why Wi-Fi is everywhere. But how secure is your home Wi-Fi router? What can you do to protect your network? Something you rarely hear these days is that as long as you follow a few common-sense and easily implemented best practices, you probably have very little to worry about.
See publication
Tags: Cybersecurity, IoT
DoD Introduces New Information Security Standard
Zyston
February 24, 2020
At the end of January 2020, the U.S. Department of Defense (DoD) approved the Cybersecurity Maturity Model Certification (CMMC) with plans to apply this new standard to up to 3,000 subcontractors by the end of 2020. How does this apply to your organization?
See publication
Tags: Cybersecurity, Supply Chain
ICS security challenges and how to overcome them
TechTarget
December 20, 2019
The internet of things has brought several security risks into the limelight -- from the use of default or hardcoded passwords on cameras to the inability of resource-constrained sensors to run security mechanisms, such as encryption.
One of the biggest security challenges, however, might be IT/OT convergence -- the merging of information technology with operational technology. IT teams are no strangers to infosec, but their OT counterparts working among industrial control systems (ICSes) have generally never worked in internet-connected networks. Yet, as the benefits of IoT and industrial IoT (IIoT) become apparent, more ICSes and OT environments are becoming connected -- bringing multiple benefits but also creating multiple security threats. Compounding the risk is that IT teams don't know how to handle threats in such environments, leaving many IT and OT teams unsure exactly where the security responsibility lies.
See publication
Tags: Cybersecurity, IoT
Four 2019 Enterprise Cyber Focal Points And The 2020 Ramifications
Cyber Security Hub
December 16, 2019
2019 wasn’t a great year for cyber security. Although the number and scope of solutions available on the market increased, blue teams around the globe have been stymied by the increasing complexity and tactics of threat actors and the sheer volume of data to review. Here are four predictions for the coming storm, based on events in 2019.
See publication
Tags: Cybersecurity, Supply Chain
Keynote slides from TagNW Summit 2019
TagNW
December 07, 2019
Cyber attacks are bad and getting worse, and you’d like to turn things around before it’s too late. In this session, you’ll learn how the three most common attacks target people, how to deter and deny threat actors attacking your applications, and how to defend yourself and your community.
These slides were originally presented at the 2019 TagNW Summit in Bellingham, WA.
See publication
Tags: Cybersecurity
We Talk to Global Cybersecurity Influencer and Expert Kayne McGladrey!
My Hacker Tech
November 29, 2019
We thought it would be a great idea to get Kayne's take on some key issues facing the world from a cybersecurity perspective, and also learn more about his journey. We get lots of questions from readers about how to break into the cybersecurity industry, how to get their foot in the door, and all manner of other questions relating to getting started. This is why we think it's so important to share the experiences of those in the industry.
See publication
Tags: Cybersecurity, IoT
A cybersecurity skills gap demands thinking outside the box
Tech Target
November 04, 2019
According to McGladrey, HR's fear of bringing in the wrong person -- and indirectly causing a breach -- often drives such postings. That, in turn, fuels the perception that there's an insurmountable shortage of security candidates, he said, when, in fact, a broad spectrum of diverse, talented individuals exists if organizations are willing to find and train them.
But security leaders need to make the case to HR for hiring people based on aptitude and skill, even if they aren't "a certified ethical hacker since 2000, with 10 years of experience with Kali Linux and a Purple Heart."
"Flexibility is really important" to successfully fill the cybersecurity skills gap, McGladrey said.
See publication
Tags: Cybersecurity
3 Ways To Prepare Now For Future Endpoint Defense
Top CyberNews
September 27, 2019
“The explosion of connected devices also requires re-thinking the protection mechanisms to apply to those endpoints,” says Kayne McGladrey, Director of Security and IT, Pensar Development. “Similarly, the widespread adoption of cloud-based services means that there’s no single network to protect.”
See publication
Tags: Cybersecurity
3 Ways To Prepare Now For Future Endpoint Defense
CSHub
September 26, 2019
“The explosion of connected devices also requires re-thinking the protection mechanisms to apply to those endpoints,” says Kayne McGladrey, Director of Security and IT, Pensar Development. “Similarly, the widespread adoption of cloud-based services means that there’s no single network to protect.”
See publication
Tags: Cybersecurity, IoT
4 Cybersecurity Best Practices for Electrical Engineers
Dark Reading
September 24, 2019
Threat actors have increased their focus on supply chain attacks since 2017, with 73% of engineering firms reporting a supply chain attack in 2018. In the first quarter of 2019, Operation Shadowhammer was revealed to have compromised the software update mechanism of a major PC manufacturer. According to eSentire, 44% of firms have suffered a significant supply chain breach through a vendor.
These high-profile breaches have either been used to deploy ransomware or steal the intellectual property produced by engineers. As engineers create and access intellectual property such as CAD designs or manufacturing data, achieving persistence in an engineering firm gives a threat actor unparalleled insight into upcoming product designs and manufacturing processes.
Much of the media focus has been on the financial damage from supply chain breaches, the nation-state actors behind the breaches, and the ill-defined "supply chain" itself. But surprisingly, despite the overheated media coverage, most electrical engineering (EE) firms are not the targets of a bear, kitten, or panda, which are frequently cited as advanced persistent threat groups behind the attacks. Most EE firms are targeted by threat actors of opportunity because they have two necessary ingredients: people and computers. This article lays out four best practices for individual EEs to help protect their firms.
See publication
Tags: Cybersecurity
Changing The Course Of History Means Every Month Needs To Be Cyber Security Month
Cyber Security Hub
September 09, 2019
There’s a communications breakdown between those working in cyber security and those who are not. This failure to communicate is leading to the greatest transfer of wealth in history. People aren’t seeking actionable advice during “October is National Cyber Security Month”, and they’re tuning out of their mandatory corporate drop-ceiling one-hour cyber security training in the breakroom. Even though individuals are harmed, there’s the persistent belief that this must be someone else’s problem.
See publication
Tags: Cybersecurity
The Ethics Of The IoT: Are Engineers Failing To Speak Up?
CSHub
June 25, 2019
The overwhelming majority of IoT devices on the market are hot garbage that do not follow security best practices. Allowing consumers to use passwords that have appeared in breaches before makes it easy for threat actors to gain persistence on devices. Devices with no update mechanism means IoT devices become a perpetual threat once the first vulnerability is found. Most people have no way of knowing that their IoT sensor needs an update, so it’s unrealistic to shift the responsibility of software updates to consumers.
See publication
Tags: Cybersecurity, IoT
Securing IoT: Whose responsibility is it?
Tech Target
February 26, 2019
Enterprises and consumers alike are rewarding vendors that produce low-cost, insecure devices, such as $20 IP-based security cameras. It'd be easier for everyone if those consumers instead sent $20 to threat actors who will inevitably compromise those devices, as this would only be a $20 problem.
However, when threat actors conscript thousands of insecure IP-based security cameras into a botnet that can knock major brands off the internet -- such as what happened with the Mirai botnet attacks in the fall of 2016, it potentially becomes a multimillion-dollar problem that affects major markets and international relations.
See publication
Tags: Cybersecurity, IoT
How can a security automation tool help mitigate unknown threats?
Tech Target
January 25, 2019
Security automation tools help ease the deluge of alerts security teams receive, according to IEEE member Kayne McGladrey, letting them focus on more interesting aspects of IT security.
See publication
Tags: Cybersecurity, Risk Management
How do AI algorithms automate IoT threat detection?
IoT Agenda
January 09, 2019
IoT threat detection is about to get easier, thanks to the automating abilities of AI algorithms. But, as IEEE member Kayne McGladrey explains, it doesn't mean humans are out of the picture.
See publication
Tags: AI, Cybersecurity, IoT
How Awareness, Attention Can Improve Cyber Security
CS Hub
October 10, 2018
Besides working nights, I learned in my fifteen-minute conversation that Rosa volunteers at an elementary school. She’d met no one who worked in cyber security, and the kids she worked with hadn’t considered it as a career option. They wanted to be rappers, they wanted to be marine biologists; they didn’t know there was a high-paying position called “security operations center analyst.”
See publication
Tags: Cybersecurity
3 Cybersecurity Challenges for IIoT Devices in 2018
Robotics Business Review
September 25, 2018
As the clock ticks towards a massive and preventable cyberattack on IIoT devices, manufacturers and companies deploying them must address three challenges.
See publication
Tags: Cybersecurity, IoT
Budgetary Foresight: 3 Essential Cyber Security Programs For 2019
CSHub
July 16, 2018
The back-to-school sales circulars are arriving, a reminder that fall is on its way. For most organizations, fall also brings an annual budgetary exercise for which many mid-level managers and executives will be unprepared.
See publication
Tags: Cybersecurity
Video: Certification Campaigns (Core Identity and Access Management Part 8 of 8)
linkedin
July 11, 2018
In this last video in the series of 8 about Identity and Access Management, we will see how the process of certification in consulting works. IGA, a governance administration tool, will produce certification reports and should work with all the systems. The auditor will use the tool, and the tool will interrogate all the resources. All the logic and process for the campaign will be saved in this tool. This reduces the need to keep questioning participants constantly.
See publication
Tags: Cybersecurity
Video: Attestation Reporting (Core Identity and Access Management Part 7 of 8)
linkedin
June 27, 2018
Kayne McGladrey discusses Attestation Reporting in the seventh video in this series about Identity and Access Management. The goal of Attestation Reporting is to ensure that a user should have the access that has been requested and if not, being able to revoke that access.
See publication
Tags: Cybersecurity
3 Tips To Thwart Insider Attacks: An Essential Guide For Summer Travels
CS Hub
June 25, 2018
Dos And Dont's For Privileged Accounts
See publication
Tags: Cybersecurity
Video: Multi-Factor Authentication (Core Identity and Access Management Part 6 of 8)
linkedin
June 20, 2018
In this sixth episode of this 8 part series on Identity and Access Management, Kayne McGladrey reviews Multi-Factor Authentication (MFA). MFA can be used in many instances to ensure the identity of a person trying to access or approve items on your system. There are several different types of MFA that can be used, and this video discusses which ones are recommended or not and why. Several different scenarios are also presented to discuss when/why you want to have MFA set up to work with your Identity and Access Management and User and Entity Behavior Analysis systems. You will learn:
See publication
Tags: Cybersecurity
The 'Internet of Payments' puts ID security on the smartphone
Payments Source
May 29, 2018
When a "pay restroom" 100 miles from the nearest major city accepts frictionless mobile payments, stores that force buyers to wait a minute for a chip-and-PIN transaction seem dated, and cash-only transactions are inconvenient.
See publication
Tags: Cybersecurity
Three Preventative Measures for Cybersecurity Health-Care Disorders
Bloomberg Law
April 25, 2018
The regulatory environment for health-care organizations places a high value on personal health information, writes Kayne McGladrey of Integral Partners. However, the dark web market value of PHI has cratered, according to cybersecurity firm Flashpoint. A PHI record that sold for an average of $75 to $100 in 2015 would net $0.50 to $1 in 2017, he writes.
See publication
Tags: Cybersecurity
Two Easy Steps To Reduce And Detect Threats In A Cloud Environment
CS Hub
March 19, 2018
Although organizations believe the cloud to be inherently more secure, this two-step strategy will improve the security of cloud-based solutions for each organization. When combined with a larger cyber security program, these reduce the risks of a damaging breach.
See publication
Tags: Cloud, Cybersecurity
‘Cyber Security’s Not An Install Process’: Q&A With Kayne McGladrey
CS Hub
February 12, 2018
McGladrey, whose work focuses on identity and access management, leads a team that assists clients in multiple industries. The focus: insider and outsider threats on non-privileged or privileged credentials. McGladrey said that technology has matured so much, that overall cyber security is not about software installation.
See publication
Tags: Cybersecurity
‘It Comes Back To You’: Evaluating Third-Party Cyber Risk Management
CS Hub
February 07, 2018
Expanding on this, national cyber security expert and the Director of Information Security Services at Integral Partners, Kayne McGladrey, told the Cyber Security Hub that, “If you’re breached by a third party, nobody cares that it’s the third party’s fault. It comes back to you.”
He continued: “It’s your fault for not having adequate controls. And the single easiest third-party control is around onboarding and off-boarding third-party accounts.”
Even if you’re rotating passwords, monitoring privileged access, auditing, etc., McGladrey said you must know, empirically, who’s accessing your network.
See publication
Tags: Cybersecurity, Risk Management
Welcoming the robo-nannies
HP Enterprise
January 30, 2018
"Things that were unthinkable 10 years ago are being accepted as commonplace. And that trend will continue.”
See publication
Tags: AI, Cybersecurity
Back-of-the-cocktail-napkin math
Integral Partners
November 30, 2017
The attendees we met who did not have a PAM program all expressed the same underlying frustration that while they understood PAM technology was important, they could not get budgetary approvals. These organizations had no automated way to rotate passwords on a regular, scheduled basis. They were also generally afraid of rebooting systems, despite the agreed-upon values of clearing stored password hashes that can be obtained by tools like Mimikatz, which can scrape memory in Windows to obtain passwords and hashes.
See publication
Tags: Cybersecurity
Mind the gap: three actions to take today based on AT&T’s latest Cybersecurity Insights report
Kayne McGladrey
November 02, 2017
AT&T recently released volume 6 of their Cybersecurity Insights report, titled “Mind the Gap: Cybersecurity’s Big Disconnect.” You can download a copy of the report here.
The report helps to explain some of the reasons underlying the massive breaches we have seen this year. As Robert F. Kennedy once said, “Like it or not, we live in interesting times.”
To put this interesting year in context:
Half of the U.S. population became victims of identity theft due to malfeasance by Equifax.
All three billion Yahoo! users lost their passwords in the biggest hack ever.
Deloitte, one of the Big Four professional services firms that offer cybersecurity consulting, had their email hacked.
The NSA’s hacking tools were stolen twice in the same year and put to immediate use by criminals building cyberweapons like Petya/NotPetya and WannaCry.
Here are three things that organizations should do immediately based on the report’s findings:
See publication
Tags: Cybersecurity
"Universal fingerprint" can crack 65% of the real fingerprint identification
China Business Network
April 25, 2017
In modern society, the fingerprint recognition function makes the smart phone become miraculous convenience. Just a touch can be unlocked, to achieve payment, no need to enter the password. From the shop a small package of snacks, to a laptop, and even the value of one million US dollars Aston - Martin retro car, can be used to solve the fingerprints. In some of the bank's App application, with fingerprint identification can also pay bills, tens of thousands of dollars on the transfer and so on.
See publication
Tags: Cybersecurity
Five spring cleaning tips for your Identity and Access Management program
(IN)Secure Magazine by Helpnet Security
March 30, 2017
Spring cleaning is a tradition for millions of families, but most companies lack the same tradition when it comes to the long-term management of their Identity and Access Management (IAM) programs. This is not benign neglect, but rather an underlying fear that the IAM program resembles a shaky tower of cardboard boxes full with random stuff, sitting in the garage.
See publication
Tags: Cybersecurity
Understanding Cybersecurity Breaches at Consulting Firms
IEEE Transmitter
March 29, 2017
Cybersecurity threats are affecting consulting and professional service firms causing substantial losses. Kayne McGladrey (@kaynemcgladrey), an IEEE Member and professional services director, weighed in on how consulting firms can mitigate threats, keep client data safe and learn from current breaches.
See publication
Tags: Cybersecurity
Three Lessons about Cloud Security from 1980s Horror Movies
ISSA Journal
March 10, 2017
This article discusses how businesses can apply three fundamental best practices for adapting current security programs to mitigate insider threats as applications and data migrate to the cloud.
See publication
Tags: Cloud, Cybersecurity
The Truth-Bias and How It Affects IAM, IGA and PAM Programs
Integral Partners
February 11, 2017
In his research on deception, Jeff Hancock often refers to the Truth-Bias, formally recognized by Levine, McCornack, and Park in 1999. In essence, people have a higher tendency to believe other people, particularly via email as there is a permanent record of the conversation. Unfortunately, people are only able to detect lies about 50% of the time, which is equivalent to a coin toss. What are the implications for Identity Governance and Administration (IGA), Identity and Access Management (IAM) and Privileged Access Management (PAM) programs, all of which often incorporate email or other permanent logs of access requests?
See publication
Tags: Cybersecurity
IAM market consolidation looms in 2017
Integral Partners
January 04, 2017
I predict that 2017 will be a year of market consolidation in the Identity and Access Management (IAM) market, driven by organizational changes rather than revolutionary improvements in technology. Consequently, niche vendors will resort to increasingly desperate discounting schedules, funding rounds, or mergers to stay solvent as the year progresses.
See publication
Tags: Cybersecurity, Mergers and Acquisitions
Getting Started with Identity Analytics for an Identity and Access Management (IAM) Program
LinkedIn
November 30, 2016
User and device analytics have been a primary focus of this year’s Gartner Identity and Access Management (IAM) Summit. Keynote speakers, research analysts, and vendors have all shown a vision of how companies can help to improve an organization’s security posture through deploying User and Entity Behavior Analytics (UEBA). Unfortunately, there’s been no general direction of how to get started with this technology, outside of ‘get your stakeholders involved’ and ‘talk to vendors.'
See publication
Tags: Cybersecurity
How healthcare organizations can prepare for a data breach: 7 tips
Becker's Hospital Review
March 09, 2021
Incident responses and recovery plans should be updated biannually. Kayne McGladrey, CISSP and cybersecurity strategist for Ascent Solutions said, "Effective incident response plans must cover preparation, detection and analysis, containment, eradication and recovery, and post-incident activity."
See publication
Tags: Cybersecurity, Healthtech
https://www.westernfrontonline.com/2021/02/23/state-cybersecurity-office-bill-introduced-after-breach/
The Western Front
February 23, 2021
Most government agencies won’t notice a breach within 24 hours, Kayne McGladrey, CISSP said, and they can even last up to 90 days until someone notices. “Hackers can wipe files off hard drives, create industrial accidents and even shut off things in a manufacturing facility,” McGladrey said.
See publication
Tags: Cybersecurity, Govtech
The Importance of Supply Chain Risk Management in Government
FedTech Magazine
February 22, 2021
In the wake of the attack “we are seeing people who were previously not aware of supply chain risk who are now really concerned about this,” says Kayne McGladrey, cybersecurity strategist at Ascent Solutions. Such attacks could give bad actors significant leeway. “The real fear is that an external entity can breach that third party to gain a foothold in a federal network. They would then be able to move laterally within that network, with privileges that they should not have,” McGladrey says.
See publication
Tags: Cybersecurity, Govtech, Supply Chain
Healthcare Voices on Telehealth Security Concerns
Lifewire
February 12, 2021
“Changes made to medical organizations' cybersecurity maturity should be considered carefully against external audit requirements, such as HITRUST. A proactive stance provides the best defense to organizations and to society, as a breach of patient records or the loss of service at a medical facility during a pandemic poses a danger to the health and well-being of people."
See publication
Tags: COVID19, Cybersecurity, Health and Safety
2021 IT priorities require security considerations
Tech Target
January 11, 2021
2020 was the year no one could have predicted. IT and security teams had to quickly adapt to shutdowns that brought remote workforce security issues, COVID-19-related phishing campaigns, ransomware attacks on schools and hospitals, and more. Now, as enterprises begin 2021, there are three more pandemic response challenges to potentially contend with: securing a hybrid remote and office work structure; securely reopening offices and facilities; and adapting to a permanent remote working environment. Kayne McGladrey, IEEE senior member and security architect and governance, risk and compliance practice lead at Ascent Solutions, outlined the most significant challenges each scenario presents and how security teams should prepare for them now to thwart potential security issues.
See publication
Tags: COVID19, Cybersecurity
Strike a balance: Ensuring secure remote work without hindering productivity
CIO
December 16, 2020
Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions, agrees: “Microsoft 365, for example, allows for automatic classification and labeling of unstructured data, but also permits users to provide a justification when the automation gets it wrong.
“Combined with automated data loss prevention, this can allow a business to easily enforce and report on policies for sharing non-public data both inside and outside of their organization,” he says.
See publication
Tags: Cybersecurity, Future of Work
How to ensure virtual roadshows, negotiations are safe amid COVID-19
CFO Dive
December 14, 2020
Companies should record video calls when doing so poses an obvious business benefit, the participants have consented to it, and there are adequate controls in place to limit access to the resulting video to only authorized parties, Kayne McGladrey, security architect at cybersecurity consultancy Ascent Solutions, said.
To ensure accessibility,companies should also strongly consider using closed captioning on call recordings, McGladrey added.
See publication
Tags: COVID19, Cybersecurity
Maximizing the Impact of Data Analytics
CIO
December 09, 2020
“Being able to rapidly detect and evict threats is necessary in the modern enterprise to avoid regulatory and legal penalties while protecting confidential data or trade secrets,” says Kayne McGladrey, CISSP (@kaynemcgladrey), cybersecurity strategist at Ascent Solutions.
See publication
Tags: Cybersecurity
The Friday Five
The Newsworthy
November 20, 2020
What is your favorite quote, charity, book, and/or anything else you want to share?
The work by the NSA and DoD in providing cybersecurity internships at historically Black colleges and universities is a compelling force for diversity in my workforce.
What do you do for fun?
Live Twitter chats about cybersecurity and the economy as part of #IDGTechTalk; I enjoy them as I learn a lot and can also leverage my large library of GIFs to keep the conversation light.
See publication
Tags: Cybersecurity
What is the last thing to do before the end of the year?
Cybersecurity Hub
November 18, 2020
Get your budgets in. I think that's the main thing everybody needs to do is get their 2021 budget in if you're on an annual fiscal year. I hope you've already had a risk definition conversation- get in front of the board or in front of your CIO or in front of your CFO, whoever is going to ultimately pay the bill. And then for anything where you know you can't afford it because you've seen a reduction in your budget as a consequence of the pandemic- have that conversation early with your cyber insurance broker. (Cyber insurance should be paid out of legal). Because for every one of those things your budget ain't going to cover- it's got to either flow to insurance or to where you have written down somewhere that you accept the risk.
See publication
Tags: Business Strategy, Cybersecurity
Open Source Mindset Bolsters Hybrid Cloud Strategies
CIO
November 12, 2020
Linux continues to be a popular deployment choice for new virtual machines on Azure. “Organizations moving legacy on-premises Linux servers to the cloud can quickly gain the benefits of robust disaster recovery and security without needing to change platforms or applications”.
See publication
Tags: Cloud, Cybersecurity
Threat Landscaping
Cybersecurity Hub
November 03, 2020
"Have a KPI about value that came out of your threat intelligence feed. Did it actually cause you to do something differently? Were your analysts able to act on this, or was it just another thing that they had to go look at? Because when you think of time as being our chief enemy, if it's sucking time and not producing value, why do you keep it? It's a data feed, ultimately. At the end of the day, you have to contextualize it in terms of your organization. Threat actors tend to vary in terms of behavior in their TTPs. And consequently, you need to really tailor your threat intelligence. And if you're not getting that tailored information, drop it."
See publication
Tags: Cybersecurity
The Impact of Remote Work on Enterprise Security
Network World
October 28, 2020
IT and security response to the coronavirus pandemic was heroic. Although many organizations had some degree of remote-work capabilities pre-COVID-19, the past year brought this work to new levels.
Enterprise security has had to quickly evolve alongside the shift to remote work and cloud adoption. For example, companies successfully ramped up VPN infrastructure, shifted to online models of collaboration software, and re-examined security policies in light of a highly distributed workforce.
See publication
Tags: COVID19, Cybersecurity
Interview with Kayne McGladrey – vCISO / Spokesperson / Global Cybersecurity Thought Leader / Strategy and GRC Practice Lead
The Security Noob
October 26, 2020
Today I have an interview with Kayne McGladrey, he is a vCISO / Spokesperson / Global Cybersecurity Thought Leader / Strategy and GRC Practice Lead who I follow on twitter and find extremely interesting J
He is a national cybersecurity expert, helping clients develop proactive programs to manage cyber-risk. He is the cybersecurity strategist at Ascent Solutions and has 20-plus years of experience, including 10 years in blending information technology and management acumen to cultivate and build cybersecurity best practices.
See publication
Tags: Cybersecurity, Leadership
IT's New Normal
CIO
October 26, 2020
"On a related note, #ZeroTrust isn't a sticker on your router or a #cybersecurity product that you buy. It's a shift in architectural patterns that have to be supported by policies."
See publication
Tags: COVID19, Cybersecurity, Future of Work
Cross-Site Scripting Attacks: How to Prevent XSS Vulnerabilities
FedTech Magazine
October 22, 2020
“If an attacker can steal the user’s cookies, that attacker can impersonate that end user,” says Kayne McGladrey, a senior member and impact creator of the Institute of Electrical and Electronics Engineers. “In an XSS exploit, if I can steal your cookies, I can become you or impersonate you. I can change your password. I can change your backup email account. I can take over that entire account.”
See publication
Tags: Cybersecurity
The COVID-19 Pandemic Has Become a Catalyst for Cyberattacks
CIO
October 06, 2020
Kayne McGladrey (@kaynemcgladrey), Cybersecurity Strategist at Ascent Solutions, said delaying or cancelling security projects is “an acceptable trade-off” only if bankruptcy is the alternative.
“Due to the pandemic, this is the choice that some organizations face today,” he continued. “Other organizations should first prioritize their security projects to mitigate those risks with the highest potential impact to the business. Organizations should then have a difficult conversation about residual risks with their cyber insurance providers, and plan to implement monitoring of those risks not transferred to insurance or mitigated through implementation of technical controls.”
See publication
Tags: COVID19, Cybersecurity, Risk Management
Extracting value from data: How the cloud can help
CIO
August 31, 2020
Cloud-based analytics can also help security teams find signals in the noise, said Kayne McGladrey (@kaynemcgladrey), Cybersecurity Strategist at Ascent Solutions. “Where cloud analytics shine is in detecting a repeated series of risky actions by an individual user account [that signal] a business email compromise followed by a ransomware attack,” he said. “Cloud analytics allow organizations to detect and prevent these and other attacks not only at scale but also faster than traditional investigative techniques.”
See publication
Tags: Cybersecurity
How CISOs Follow The Money
CSHub
August 26, 2020
Kayne posits, “If you want to see what your new product features are going to be in the next 12 to 18 months, see where the VCs are spending their dollars. If we've seen something consistently in the past, in the past 10 years we've seen $30 billion of investment inside of cyber security.”
McGladrey is a gadfly for cyber security leaders to forecast budgets based on the newest in new technology. Whether the CISO in question is a bleeding edge, leading edge, fast follower or back-with-the-pack type executive is up to them. Any which way you slice it, you should be able to see where you are spending money in the future based on where venture capitalists are putting their money now.
See publication
Tags: Business Strategy, Cybersecurity, Leadership
Data Is The New Perimeter
CSHub
August 12, 2020
The focus has been on knowing where the crown jewels sit and protecting that space. CSHub Executive Board Member and IEEE Public Visibility Initiative spokesperson Kayne McGladrey notes, “if you don't know where your data live, you can't apply any effective policies around access controls or do any meaningful incident response or do any meaningful security awareness.”
See publication
Tags: Cybersecurity, Risk Management
The New CISO Journey Includes Tried & True Old Steps
CSHub
August 04, 2020
“It remains a very complicated role because you have to ultimately be able to speak, to three separate audiences: the business folks- who are interested in cost controls and also cost savings and cost improvements, and material effect of the business. The technology folks: who want to know that you're doing the cyber right. And legal folks: who want to know that they're adequately shielding the business from legal and regulatory risk.”
See publication
Tags: Cybersecurity, Leadership
Data privacy and data security are not the same
ZDNet
August 03, 2020
"Today's data privacy is primarily concerned with the processing of personal data based on laws, regulations, and social norms," McGladrey said. "Often this is represented by a consumer ignoring an incomprehensible privacy policy (that would take nearly 20 minutes to read) before clicking a button to acknowledge their consent to that policy. Their acceptance of the policy allows the organization to handle their data in documented ways, such as using it to show them targeted advertising based on their inferred interests. However, if that organization sold those personal data to another organization to do something unexpected (like using it to suppress protected free speech) without the consumer's consent, that would be a breach of privacy, either by regulatory control or by a violation of social norms."
See publication
Tags: Cybersecurity, Privacy
What Is The Most Cogent CISO Reporting Structure?
CSHub
July 29, 2020
Kayne McGladrey, CISSP is the Spokesperson for IEEE’s Public Visibility Initiative. He’s been working at a high level with Fortune 500 and Global 1000 companies for decades. He’s got a pretty definitive point of view. “Ultimately the CSO should report to the Chief Risk Officer, the CRO- because ultimately cyber security is about managing risk at a technical level and at a regulatory level. The natural alignment is with risk. Also maintain a very healthy relationship with internal counsel- especially if there's chief counsel. Have a coffee every once in a while. And have a healthy relationship with the CIO.”
See publication
Tags: Cybersecurity, Leadership
Lessons in IT resiliency for the COVID-19 era
CIO
July 10, 2020
“Few companies had a binder marked `global pandemic,’ but many had policies that called for annual DR testing that they didn’t enact,” said Kayne McGladrey, CISSP and cybersecurity expert. “Teams play how they train, but not having table-topped crisis communications, DR, or IR hurt their responses.”
See publication
Tags: COVID19, Cybersecurity
A 10-point plan to vet SaaS provider security
CSO Online
June 08, 2020
Companies should also pay close attention to privacy policies or terms of service pledges by providers to not share personal information. “Although that sounds promising, it’s a glaring omission,” says Kayne McGladrey, cybersecurity strategist at IT consulting firm Ascent Solutions.
It's a red flag if the vendor “does not state that the SaaS provider will not sell your business data or sell pseudonymized aggregate data about your organization’s use of the service for ‘market research’ or similar purposes,” McGladrey says. If it’s not spelled out, confirm that the provider will not resell your data.
See publication
Tags: Cybersecurity, Risk Management
Assessing the Value of Corporate Data
CIO
May 08, 2020
“For some organizations, regulatory and legal risks associated with storing data will be at the top of the [risk] rankings,” says Kayne McGladrey (@kaynemcgladrey), IEEE member. “For others, the reputational damages associated with a data breach will claim the top spot.”
See publication
Tags: Cybersecurity, Risk Management
Post Pandemic, Technologists Pose Secure Certification for Immunity
Dark Reading
April 16, 2020
Yet digital immunity certificates also pose a number of challenges in terms of infrastructure, education, and economics, says Kayne McGladrey, chief information security officer at prototyping firm Pensar Development and a member of the IEEE, the world's largest technical professional organization.
"Businesses and organizations would need to ... educate their workforce on how to validate that a certificate was correct," he says. "And there would need to be a substantial educational investment to combat the inevitable phishing campaigns that’d spring up, such as fake websites to collect personally identifiable information and fake security alerts associated with these digital certificates."
See publication
Tags: Cybersecurity
How to keep business data safe while working from home
Tech Observer
March 24, 2020
Many employees beginning a remote work situation for the first time may not be up to date on how to keep their devices safe, confidential information private and networks secure. We asked cybersecurity experts to weigh in and share their tips for staying safe online while working, as well as practicing social distancing:
See publication
Tags: Cybersecurity, Business Continuity
Beat common types of cyberfraud with security awareness
Tech Target
February 10, 2020
Fraud isn't new, but the internet has provided hackers with the capabilities to easily use the threat vector to trick employees into providing access to their enterprises.
Cyberfraud attacks, often distributed via phishing or spear-phishing campaigns, consistently plague and sometimes even completely disable enterprises. Despite the growing number of technologies available to detect and prevent such social engineering attacks from being successful, the weakest link remains human error -- be it negligence, maliciousness or apathy.
Here, Institute of Electrical and Electronics Engineers member Kayne McGladrey describes the types of cyberfraud attacks enterprises will inevitably face, from credential harvesting to typosquatting attacks. He also offers best practices for creating and instituting a cybersecurity awareness program to prevent employees from falling victim to such threats.
See publication
Tags: Cybersecurity
AI, automation emerge as critical tools for cybersecurity
CIO
January 22, 2020
“The effectiveness of AI solutions this year can be measured via the time-to-discovery metric, which measures how long it takes an organization to detect a breach,” says Kayne McGladrey (@kaynemcgladrey), CISO, Pensar Development. “Reducing time to discovery can be achieved through AI’s tenacity, which doesn’t need holidays, coffee breaks, or sleep, which is unlike Tier 1 security operations center analysts who also get bored reading endless log files and alerts.”
See publication
Tags: AI, Cybersecurity, RPA
7 Tips for Infosec Pros Considering A Lateral Career Move
Dark Reading
January 21, 2020
"Human resources, in a lot of organizations, has become a regulatory control function and inhibits hiring because of its focus on certifications," McGladrey says. This is partly why it's difficult for blue teamers to jump to the red team, a process that "looks to be an insurmountable and very difficult series of certifications," he points out.
See publication
Tags: Cybersecurity
Better HR security could help thwart Iranian cyberattack
Tech Target
January 10, 2020
McGladrey advocated for "persistent engagement" with employees on cybersecurity risks as well as testing. Testing can include fake phishing attacks to see what "your users are susceptible to," he said. The IRS has warned that phishing attacks are a top HR threat.
See publication
Tags: Cybersecurity, HR
Savvy vehicles are defenseless against cyberattacks
Broadcast Offer
January 07, 2020
"because vehicle manufacturers are working with several different hardware and software companies, it has emerged that no one is technically responsible for the vehicles' central computer systems of many smart cars"
See publication
Tags: Cybersecurity
We observe that once an organization has gained awareness about the downsides of Shadow IT and security is brought into earlier-stage discussions, it is less likely to go back to the “bolted on” behavior.
IPQC Digital
December 17, 2019
In our Cyber Security Trends and Predictions 2020 our respondents (enterprise security professionals) shared:
*budget allocations for 2020
*biggest cyber security focus
*status of hacker sophistication
and much more, including insights from Kayne McGladrey
See publication
Tags: Cybersecurity
Ask questions about Internet-connected toys
Jackson Sun
December 11, 2019
Experts say that smart toys are particularly vulnerable to cyber attacks. Kayne McGladrey, a member of the Institute of Electrical and Electronics Engineers, said their desire to keep toy prices low means manufacturers have little incentive to add reasonable security mechanisms.
See publication
Tags: Cybersecurity, IoT
What is the California Consumer Privacy Act of 2018? Influencers in the know break down the details
CIO
December 02, 2019
For some organizations CCPA will require a total overhaul on their privacy policies, while others might only need to make minor changes due to existing GDPR compliance. But as Kayne McGladrey, Chief Information Security Officer at Pensar Development, pointed out, there will certainly be another round of endless privacy disclosure emails.
See publication
Tags: Cybersecurity, Privacy
Thinkers360 Predictions Series – 2020 Predictions for Cybersecurity
Thinkers360
November 23, 2019
Venture capitalists will accelerate feature development via mergers and acquisitions. In recent years, VCs have funded point solution vendors for technologies like SOAR and UEBA. These are features, not stand-alone technologies, and it’s often cheaper for market leaders to buy rather than build new features. CISOs should be aware of this market reality, as buying early-stage cybersecurity from a startup carries the risk of unintentionally having a business relationship with a much larger vendor within two years, and consequently needing to either buy the larger technology solution or rip and replace after the acquisition closes.
See publication
Tags: Cybersecurity
Thinkers360 Predictions Series – 2020 Predictions for Cloud Computing
Thinkers360
November 03, 2019
Cloud computing will continue to grow despite the frequency of breaches due to a lack of administrative controls and unintentional configuration errors. When an administrator had access to an on-premises server, they could only administer that server; a “cloud administrator” can administer all the assets in a given cloud instance, including backing up and exfiltrating entire servers. This is like the unintentional configuration errors that have plagued so many Amazon S3 buckets in 2019, where organizations have stored PII in S3 in a default configuration, and then those data have been accessed by security researchers.
See publication
Tags: Cloud, Cybersecurity
Cyberattacks Make World Economic Forum Top 10 Global Risks For The Next Decade
CSHub
October 29, 2019
Keeping an organization secure is every employee’s job. Instead of the obligatory employee training, Director of Security & IT for Pensar Development Kayne McGladrey recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room or using phishing tools to falsify emails from known employees that seem suspicious. “This helps educate and creates healthy suspicion,” said McGladrey.
See publication
Tags: Cybersecurity
Thinkers360 Predictions Series – 2020 Predictions for IoT
Thinkers360
October 28, 2019
The Internet of Things is a dumpster fire and upcoming regulatory controls aren’t going to put it out. Putting a sticker on a box with a username and random password and providing an updated privacy policy that consumers ignore isn’t adequate, although it is compliant. Manufacturers need to invest in user behavior analysis, require multi factor authentication, and to force patching of IoT devices. Otherwise, threat actors will continue to violate the privacy of people’s homes and nation states will built botnets as part of battlespace preparations.
See publication
Tags: Cybersecurity, IoT
3 Ways to Begin Strengthening Your Company’s Security Posture
ReadWrite
October 22, 2019
Kayne McGladrey, director of security at design and manufacturing firm Pensar Development, believes company culture is one of the most important aspects of your security posture. He recommends creating a resilient culture by fostering “healthy suspicion” among employees.
Don’t simply mandate employee attendance at a one-time program. Teach your team about security threats by demonstrating them in the real world. Leave a USB stick in the kitchen, or slip a fake phishing email in an employee inbox. Then, show employees how to react to real attacks in the future. The point isn’t to shame or punish employees, but to prepare them for the inevitable.
See publication
Tags: Cybersecurity
Users are the target: How employees can be the strongest line of defense
SC Magazine
October 08, 2019
Recognizing that fact, Kayne McGladrey, director of security and information technology at Pensar Development, an engineering consultancy in Seattle, says continuously phishing end users is the best way to help them identify phishing and other potentially malicious content. “This continuous exposure [to phishing] should take a variety of forms, from email-based phishing to direct messages on social media.”
McGladrey says short, actionable, culturally relevant education initiatives on a regular schedule are recommended because “users don’t want to sleep through the mandatory ‘October is cybersecurity month,’ two-hour, PowerPoint presentations.”
Training modules should be short — five minutes or less — and sent out regularly. If possible, they should be tailored to an individual’s role in the organization, so that the finance department is receiving training about business email compromise (BEC) and identity validation procedures rather than the latest zero-day exploits, he says.
See publication
Tags: Cybersecurity
Yahoo porn hacking breach shows need for better security: 5 ways to protect your company
Tech Republic
October 02, 2019
Security expert Kayne McGladrey, who serves as director of security and IT at Pensar Development and is a member of the Institute of Electrical and Electronics Engineers, said companies need to add extra steps to everything.
"The company could choose to add friction, whether it's multi-factor authentication or an email link just to put a little additional scrutiny and raise the bar so it is materially more difficult for threat actors who have obtained someone's credentials to be able to reuse those," he said.
"The benefit of this strategy is that it applies universally. All of the automated attacks these days around credential stuffing and credential spraying do what the Yahoo hacker had done on a much larger scale. They get compromised credentials and test them across a whole bunch of websites using a distributed botnet."
See publication
Tags: Cybersecurity
Cyber Security Digital Summit Explores Who Owns Enterprise Security
Cyber Security Hub
October 02, 2019
A comprehensive information security program is a standard practice for every organization. In addition to securing company and employee data, organizations must also consider the privacy of their clients. For integrated design and manufacturing firm Pensar Development, clients need confidence that their intellectual property (IP) is only accessible to Pensar employees contributing to that specific project. The Seattle-based design firm is known for mechanical integration for medical devices and the enclosure design of gaming consoles among other client solutions.
Cyber Security Hub recently had the chance to speak with Pensar’s Director of Security Kayne McGladrey to learn about his approach to maintaining the confidentiality of both employee and client data.
In addition to his company security role, Kayne is an IEEE member, the professional engineers association often associated with developing technology standards. Members agree to a code of ethics to help people and society understand the social implications of emerging technologies. For his part, McGladrey is a spokesperson for cyber security and the broader technology to both industry and the general public. He is also proud of building a cyber security team at Pensar of entirely military veterans.
See publication
Tags: Cybersecurity
Daily briefing.
The Cyberwire
September 27, 2019
The traditional network endpoint was isolated to desktop PCs and laptop computers that attached to the organization’s network. A dramatic increase in mobile devices, cloud and IoT has broadened the definition. Security leader Kayne McGladrey weighs in on enterprise endpoint defense tactics.
See publication
Tags: Cybersecurity, IoT
12 Signs Your Computer Has a Virus
Reader's Digest
September 06, 2019
“Viruses are most commonly spread through phishing, which is a technique of sending emails designed to prey on a person’s emotions to make them click a link or open a malicious attachment,” says Kayne McGladrey IEEE member and director of security and IT for Pensar Development. “Besides running up-to-date commercial antivirus software, the easiest way to avoid viruses is to pause before acting on messages. Get a cup of coffee, or at least get up and stretch, before deciding if the email is trying to manipulate your emotions through a sense of authority (someone impersonating your boss or a police officer), a sense of urgency (because of an artificial time constraint), or scarcity (supplies are limited, act now).” These are the same psychological techniques used by con artists since time immemorial, with the only difference being that con artists had to con one person at a time. “With email, social media, and text messages, threat actors can con thousands of people. No antivirus software is perfect, but pausing before acting can stop most of today’s viruses.”
See publication
Tags: Cybersecurity
Lack of cyber investment could spell trouble for smart cities: report
SC Magazine
August 22, 2019
For smart cities, investing in cyber defense means being able to support a cyber workforce capable of supporting their IoT initiatives. “We’ve seen many failures with widespread deployment of IoT devices, whether due to insecure authentication methods, static passwords, or a lack of centralized and automated patch distribution. As city governments look to the future.....
See publication
Tags: Cybersecurity, IoT, Smart Cities
Intuitive, Cognitive Technologies Are Changing the Business and Its Workforce
CIO.com
July 17, 2019
The workforce of tomorrow still will be technically savvy, well-versed in machine learning and data science. Advanced machine learning skills will be important, but Kayne McGladrey (@kaynemcgladrey), Director of Security and Information Technology at Pensar Development, recommended that those looking for future employment also consider learning a programming language.
“The intent here is not to master it,” McGladrey explained, “but rather to gain an understanding and appreciation of how things work from the inside out. Employers are also looking for career stability so that they can invest in their people, so don’t hop from company to company on an annual basis.”
See publication
Tags: Business Strategy, Digital Transformation
How hackers used little-known credit-card feature to defraud Lansdale woman, $1.99 at a time
The Philadelphia Inquirer
June 13, 2019
“It’s low effort for them. Once they set up the subscription and unless the subscription is canceled, they don’t have to do any other work and they can resell access to that subscription," he said. "So it’s a guaranteed line of profit for them until somebody goes and notices there’s been a problem.”
Criminals typically resell access to the services on secondary markets, McGladrey said. Criminals may resell a streaming service that’s normally $10 per month for $5, netting the thieves $5 monthly. While a single crime is not that profitable, there have been cases where groups have reaped millions of dollars by charging small amounts to hundreds of thousands of consumers, he said.
See publication
Tags: Cybersecurity, Privacy
Successful Digital Transformation Begins with a Cultural Transformation
CIO.com
June 12, 2019
Kayne McGladrey (@kaynemcgladrey), Director of Security and Information Technology at Pensar Development, observed that IT leaders are recognizing that building and operating on-premises servers is not a competitive advantage.
“As part of the purchasing cycle they’re replacing outdated infrastructure with infrastructure as a service,” he said. “This gradual transition to the cloud lowers risks and makes disaster recovery simpler and more reliable than in past years. This strategy also significantly lowers the threats of a physical site compromise by threat actors.”
See publication
Tags: Culture, Cybersecurity, Digital Transformation
Prepping for the Data Deluge
CIO.com
May 22, 2019
Companies should pay special attention to consistent classification and labeling of data, as it’s one of the biggest hurdles to effective data governance. Setting default labels for new data (for example, dubbing them confidential) can ensure that policies and technical controls are applied consistently across the organization. This also frees up data creators from having to manually label all newly created information. “In that way, a data steward only needs to review data labels when that data is crossing a security barrier such as preparing a file to send to a client or third-party vendor,” notes Kayne McGladrey (@kaynemcgladrey), director of security and information technology at Pensar Development.
See publication
Tags: Cybersecurity, Digital Transformation
How to effectively align security with IT
The Economic Times
May 21, 2019
“The CIO won’t see the business impact if there’s not a culture of risk mitigation,” says Kayne McGladrey, director of security and IT for Pensar Development and a member of the professional association IEEE (The Institute of Electrical and Electronics Engineers).
“A culture where security is seen as someone else’s problem will derail any conversation around security, so the biggest thing for CISOs is to make the conversation with CIOs around risk – not around technologies or shiny objects but around risks to the business.”
See publication
Tags: Cybersecurity
22 Red Flags Someone Is Spying on Your Phone
Reader's Digest
May 11, 2019
You receive a text message or an email notification from your mobile carrier about an account change you didn’t make and, thirty minutes later, your cell phone has no signal, even after a reboot. You can’t log into your email. You’re locked out of your bank account.
See publication
Tags: Cybersecurity, Privacy
CrowdStrike tackles BIOS attacks with new Falcon features
TechTarget.com
May 03, 2019
In the past few years, security researchers and advanced persistent threat actors have demonstrated attacks on the BIOS, said Kayne McGladrey, IEEE member and director of security and IT at Seattle-based Pensar Development.
These rare attacks can provide a persistent and hidden bridgehead into an enterprise network, McGladrey said.
See publication
Tags: Cybersecurity
What Does 5G Mean For Cybersecurity?
Express Computer
May 02, 2019
For Kayne McGladrey, IEEE Member and Director of Security and Information Technology at Pensar Development, “Consumers should use the ‘guest’ network of their home Wi-Fi routers as a dedicated network for IoT devices, so if one of those devices were compromised, the threat actor can’t easily pivot to more valuable data.” That’s the case for newer devices, he says. “For older, cheap, IP-based security cameras and digital video recorders (DVRs), the easiest way to secure them is to recycle them responsibly as there often are no security updates available.” The ability to update devices over their lifetime is essential to security, and should factor into buying decisions, he says.
See publication
Tags: Cybersecurity, 5G
5G and What it Means for Cybersecurity
bisinfotech.com
May 02, 2019
“Consumers should use the ‘guest’ network of their home Wi-Fi routers as a dedicated network for IoT devices, so if one of those devices were compromised, the threat actor can’t easily pivot to more valuable data.” That’s the case for newer devices, he says. “For older, cheap, IP-based security cameras and digital video recorders (DVRs), the easiest way to secure them is to recycle them responsibly as there often are no security updates available.” The ability to update devices over their lifetime is essential to security, and should factor into buying decisions, he says.
See publication
Tags: Cybersecurity, Mobility, 5G
Why security-IT alignment still fails
CSO Online
April 16, 2019
An organization that doesn’t understand or appreciate security won’t be able to adequately identify and prioritize risk, nor articulate its tolerance for those risks based on business goals and objectives, says Kayne McGladrey, director of security and IT for Pensar Development and a member of the professional association IEEE (The Institute of Electrical and Electronics Engineers).
“The CIO won’t see the business impact if there’s not a culture of risk mitigation,” McGladrey says. “A culture where security is seen as someone else’s problem will derail any conversation around security, so the biggest thing for CISOs is to make the conversation with CIOs around risk – not around technologies or shiny objects but around risks to the business.”
See publication
Tags: Cybersecurity, Leadership, Risk Management
DHS-led agency works to visualize, share cyber-risk information
Tech Target
April 09, 2019
Sharing information about threats can help boost overall cybersecurity by alerting others to those risks, as well as providing successful ways to counteract them, said Kayne McGladrey, national cybersecurity expert, director of security and information technology for Pensar Development, and member of the Institute of Electrical and Electronics Engineers.
"They could actually see a reduction in those threats that are commodity threats -- threats that are crimes of opportunity [vs. targeted attacks]," he said.
See publication
Tags: Cybersecurity, Govtech, Risk Management
Insider Threats: A Big Fear for Small Businesses
Security Boulevard
March 21, 2019
This goes hand in hand with the increasing number of vendors, solutions and buzzword technologies. There’s a fear that an SMB will buy the solution that solves a problem defined by a venture capitalist and not address a genuine threat to their business.
See publication
Tags: Cybersecurity
7 hot cybersecurity trends (and 4 going cold)
CSO Online
March 13, 2019
While we hope these points have brought into focus some of the evolving challenges in IT security, we also want to point out that certain best practices will continue to underpin how smart security pros approach problems, no matter what the flavor of the month is. "Enterprises are going back to the basics: patching, inventory management, password policies compliant with recent NIST directives," says Kayne McGladrey, IEEE Member and Director of Security and Information Technology at Pensar Development. "Enterprises are recognizing that it’s impossible to defend what can't be seen and that the easiest wins are to keep systems up to date and to protect against credential stuffing attacks."
See publication
Tags: Cybersecurity
6 Strategies for Transitioning to a Digital World
CIO.com
March 12, 2019
“Identify those elements of your business that are core competitive differentiators,” says Kayne McGladrey, Director of Security and Information Technology. “Focus on improving those. If accounting, cybersecurity, legal affairs, or marketing is not core to your organizational identity, then plan to migrate away from your legacy systems and processes in those areas. Organizations can then focus their limited time and resources on improving what they do well, and what customers value most about those organizations.”
See publication
Tags: Cybersecurity
6 Questions to Ask While Buying a Connected Car
Dark Reading
March 06, 2019
"People need to ask the car companies where they stand on security," says Kayne McGladrey, director of security and IT at Pensar Development and an IEEE member, who cites companies such as Apple and Google, which have made strong public statements on these matters.
When asked if the car companies have followed suit, McGladrey says, "Not really."
See publication
Tags: Autonomous Vehicles, Cybersecurity
How AI cybersecurity thwarts attacks — and how hackers fight back
Elysium Analytics
February 20, 2019
While CIOs should not consider AI a magic bullet, experts also stress they should not overlook its unique capabilities either.
According to IT consultant Kayne McGladrey, a member of the Institute of Electrical and Electronics Engineers, one of the unique benefits of AI is its ability to create individual profiles for each user and then consider what would be abnormal behavior for that particular person. This forces the hackers to limit their actions within the boundaries of normal activity for a specific target account, significantly preventing them from mass-attacking the system.
Another way to strengthen AI would be to give it more data. After all, the AI can only be as strong as the data it gets, and the more data it’s given, the more it can help with classifying what’s natural and what’s not.
“If the end user logs on from Seattle, where their mobile phone and laptop is, a connection from New York would be unusual,” McGladrey explained. “It is also possible to note the typing style and speed of a user and use that biometric signature to determine if the user is legitimate. These data [points] make it more difficult for a threat actor to operate silently in the environment.”
Finally, it is also important to look at the primary risk factor in any security system, and — as CIOs have heard before — it is not software.
See publication
Tags: Cybersecurity
How AI cybersecurity thwarts attacks -- and how hackers fight back
Tech Target
February 19, 2019
"If the end user logs on from Seattle, where their mobile phone and laptop is, a connection from New York would be unusual," McGladrey explained. "It is also possible to note the typing style and speed of a user and use that biometric signature to determine if the user is legitimate. These data [points] make it more difficult for a threat actor to operate silently in the environment."
See publication
Tags: AI, Cybersecurity
6 Tips for Conducting a Digital Literacy Assessment
CMS Wire
January 29, 2019
An assessment of digital literacy isn’t a one-time event in an organization, according to McGladrey. “This is a continuous cycle for businesses to assess how employees use the tools provided, how they process information, how they’re creating content, and their critical thinking skills,” McGladrey said. And don't make this a class that's going to drag people down and eat most of their day, he added. “This continuous assessment process should be buttressed by brief just-in-time learning opportunities. No one wants to sit down for a four-hour digital literacy class for things they do know if they can instead get a five-minute tutorial on a new topic or technique they can apply to their current work.”
See publication
Tags: Digital Transformation, Future of Work
Navigating the Rocky Road of Data-Driven Insights
CIO
January 08, 2019
It’s no longer enough to have a Security Information and Even Management (SIEM) system or layer in commercial threat data, deploy a deception system, or prioritize assets--there’s simply no one-size-fits-all security solution. “This is still more art than science,” says Kayne McGladrey (@kaynemcgladrey), a director of security and information technology. “An effective solution needs to incorporate elements of all of those products or solutions to create meaningful and actionable intelligence.”
See publication
Tags: Cybersecurity
How IoT can improve IT operations
The Cyberwire
January 04, 2019
A phone or smart watch with near field communication (NFC) capabilities — the same tech used to pay with a tap at checkout registers — can also be used for authentication, says McGladrey.
Pensar allows this use of devices for authentication, via NFC or similar mechanism, but again could not provide specifics for security reasons. As the number of smart wearable devices proliferates, McGladrey expects this to become more common, as wearables have a particular benefit for authentication, making it both easier and more reliable.
See publication
Tags: Cybersecurity, IoT
Beware the holiday ‘smart toys’ that spy on your kids
The Philadelphia Inquirer
December 04, 2018
Smart toys seemingly come to life utilizing “Internet of Things” [IoT] technology that has wirelessly connected coffeemakers, thermostats, and yes, toilets. But smart toys have proven to be particularly vulnerable to cyber attacks. Manufacturers try to keep toy prices low and lack an incentive to add reasonable security mechanisms, said Kayne McGladrey, member of the Institute of Electrical and Electronics Engineers, the world’s largest technical professional organization
See publication
Tags: Cybersecurity, IoT
How to Make Data More Accessible at All Levels With Access Controls and Strong Governance
CIO
December 03, 2018
What’s needed is “an effective provisioning and de-provisioning system that defines rules for what users can do with data and provides quick auditing of who granted access to the data. There needs to be training around the approval process for granting and revoking access to data; otherwise, organizations risk compliance fatigue and start rubber-stamping all the access requests.”
See publication
Tags: Cybersecurity, Risk Management
Member Spotlight: Kayne McGladrey, Director Of Security And IT, Pensar Development
CSHub
November 05, 2018
Kayne McGladrey is a national cyber security expert helping clients develop proactive risk-based security programs. He's the Director of Security and IT for Pensar Development and has 20+ years of experience, including 10 years in blending information technology and management acumen to cultivate and build best practices within the Professional Services team. He’s a frequent contributor to Cyber Security Hub with valued content you can access here. He took a few minutes out of his busy day to answer 5 questions for Cyber Security Hub's “Member Spotlight” series.
See publication
Tags: Cybersecurity, Leadership
Q&A: Security Thought Leaders Discuss Certs, SMEs & Hiring Process
CSHub
October 19, 2018
One way to combat that involves grassroots efforts to boost the ranks. But do security teams search for qualified, seasoned experts, and do they look for specialization or the proverbial “generalist” who can cover many corners of the cyber space? It is an ongoing debate in the industry, and today, we’ve brought together two security thought leaders to provide their take. We sat down with Kayne McGladrey, Co-Founder and Spokesperson, Include Security, and Rebecca Wynn, Head of Information Security and Data Protection Officer (DPO), Senior Director, Matrix Medical Network.
See publication
Tags: Cybersecurity
AT&T Business Summit 2018 - First Impressions and Recap
AT&T
October 16, 2018
Some talks that particularly stuck out in my mind included a panel with Kayne Mcgladrey and Derek Scheid who discussed what the future of the SOC (Security Operations Centre) looks like and what companies should do. A particular quote that stuck out for me from the discussion was around the importance of an actual action plan, and how companies can sometimes get fixated on pulling in all the information they can without much thought as to what would happen next.
See publication
Tags: Cybersecurity
The IT exec's reading list
HP Enterprise
October 16, 2018
For creative direction on hiring, Kayne McGladrey, co-founder of Include Cybersecurity, turned to "Who," by Geoff Smart and Randy Street. “This is a book I consistently recommend to all managers and directors who are responsible for hiring personnel, in that it defines a consistent and repeatable technique for identifying and hiring high-performing candidates,” McGladrey says. “When I started as a manager, I followed a lot of the pseudo-science that I’d seen from prior managers and found it wasn’t reliable advice.”
See publication
Tags: Leadership, Management
The Future Workspace: Secure and Collaborative
CIO
October 03, 2018
“The most essential technology for tomorrow’s workspace is a reliable and agreed-upon primary communications technology, with a backup,” says Kayne McGladrey (@kaynemcgladrey), director of Security and IT at Pensar Development. “As organizations recognize the benefits of remote work for employees and contractors, they still need to reach people quickly.”
See publication
Tags: Cybersecurity, Future of Work
How is Hybrid Cloud helping to accelerate innovation? Let’s count the ways.
CIO
September 19, 2018
"Hybrid cloud solutions can help organizations deploy cybersecurity solutions faster, without deploying additional infrastructure or spending staff hours on software and platform updates,” said Kayne McGladrey (@kaynemcgladrey), director of security and IT at Pensar Development. “This will help organizations to deploy innovative solutions rapidly such as deception technologies, which can reduce the ‘dwell time’ associated with breaches.”
See publication
Tags: Cloud, Cybersecurity
Certifications A Part Of ‘Vicious Circle’ In Cyber Security Space?
CS Hub
September 06, 2018
“This (factors into) the broader economic outlook,” McGladrey told the Cyber Security Hub. “If the economy is thriving and people are considering asking for a raise, they may pursue a new certification. If they do not receive the raise, they may mentally justify the time spent by putting the certification on their resume and searching for new openings.”
See publication
Tags: Cybersecurity
AI in cybersecurity: what works and what doesn't
CSO
August 15, 2018
Kayne McGladrey, IEEE member, gave this advice: "Evaluate an AI-based security solution by standing up in a lab, alongside a replica of your environment. Then contract a reputable external red team to repeatedly attempt to breach the environment."
See publication
Tags: AI, Cybersecurity
FBI warns of 'devastating' cyber attacks on IoT networks
Telecom TV
August 07, 2018
As Kayne McGladrey, the Director of Information Security Services at Integral Partners, the cyber security, access and identity management specialist company headquartered in Boulder, Colorado, says, “IoT security remains one of the most challenging security vulnerabilities to businesses and consumers. The Mirai and Reaper botnets are results of threat actors leveraging poor security controls on IoT devices, building attack infrastructure out of those devices, and using that stolen infrastructure to attack organinations. Companies and organisations purchasing IoT/IIoT devices should treat them the same as any other endpoint device connecting to the corporate network.”
See publication
Tags: Cybersecurity, IoT
IoT, Cloud, or Mobile: All Ripe for Exploit and Need Security’s Attention
CSO
April 17, 2018
“IoT security remains one of the most challenging security vulnerabilities to businesses and consumers,” says Kayne McGladrey (@kaynemcgladrey), Director of Information Security Services at Integral Partners. “The Mirai and Reaper botnets are results of threat actors leveraging poor security controls on IoT devices, building attack infrastructure out of those devices, and using that stolen infrastructure to attack organizations. Organizations purchasing IoT/IIoT devices should treat them the same as any other endpoint device connecting to the corporate network.”
See publication
Tags: Cybersecurity, IoT
Passwords, Multi-Factor Authentication and Cybersecurity
IEEE Transmitter
April 16, 2018
When the word “cybersecurity” comes up, “password” is often not far behind. You’ve doubtlessly heard that people are rather bad at coming up with secure passwords, and that “password” itself makes for a terrible one. (If you’re looking for tips on what makes for a good password, be sure to check out this article from IEEE Spectrum).
See publication
Tags: Cybersecurity
Cybersecurity experts talk about the digital world
AT&T
April 16, 2018
“Administrative passwords — they're sort of interesting," McGladrey says. "If you can get an application’s password, that's what got us to the Panama Papers a few years ago, where the third-party attacker was able to compromise the WordPress password, which, because of poor password storage technologies, happened to be the same as their database password.
"All of a sudden we got — three terabytes or something like that; it was something absurd — of ex-filtrated client data. The prime minister of Iceland got in a little bit of trouble about that, as well as people like Jackie Chan, all because the organization didn't have a good mentality around rotating the passwords that were associated with apps. That problem transitions. It's not a technology problem. It's a cultural problem. And it transitions, regardless of environment.”
See publication
Tags: AI, Cybersecurity
USA Today: Cool cyber jobs
USA Today
April 13, 2018
Cybersecurity is a game of cat and mouse. As a threat hunter, you're the cat. "This role is close to that of a field biologist, as the threat hunter observes their prey - third party attackers - in the wild," says Kayne McGladrey, director of information security services at Integral Partners, a cybersecurity firm whose specialty is identity and access management, and a member of the Institute of Electrical and Electronics Engineers. "Threat hunters set traps and snares that appeal to (cybercriminals) and lead to fake computers where the threat hunter can monitor an attacker's behavior before shutting down the breach."
See publication
Tags: AI, Cybersecurity
Health IT Infrastructure Necessities for AI Cybersecurity
CIO Review
April 10, 2018
According to IEEE Member and Integral Partners Director of Information Security Services, Kayne McGladrey, healthcare sectors embody “Lean IT” as they are not in the cybersecurity line of business.
See publication
Tags: AI, Cybersecurity
The future of enterprise IoT
Network World
April 09, 2018
On a more explicitly enterprise level, “IoT technologies that have a rapid return on investment (ROI) are the most likely to take off first, and that means “reducing costs through automation,” said Kayne McGladrey, IEEE Member.
See publication
Tags: AI, Cybersecurity
Panera Bread ‘Ignored’ Report Of Leaked Customer Data For Months, Report Suggests
CBS Sacramento
April 03, 2018
The #data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via http://panerabread.com
See publication
Tags: Cybersecurity
Health IT Infrastructure Requirements for AI Cybersecurity
HIT Infrastructure
March 18, 2018
“There are too few defenders to collect, process, and analyze the overwhelming amount of available data to produce threat intelligence,” McGladrey told HITInfrastruture.com. “The promise of machine learning is to allow computers to do what they do well, in automating the collection and processing of indicators of compromise, and analyzing those data against both known and emerging threats.”
See publication
Tags: AI, Cybersecurity, Healthtech
AI's Future in Cybersecurity
eSecurity Planet
February 07, 2018
"We will continue to see artificial intelligence deployed in the security operations center (SOC). Most SOC jobs are checklist-driven, particularly for first- and second-tier analysts who review logs for indicators of compromise (IoCs)," said Kayne McGladrey, an IEEE member and director of information security services at cybersecurity consultancy Integral Partners.
"This is challenging in a retail environment due to the combination of low margins and a tight labor market, as companies struggle to train and retain analysts for this dull but necessary role," continued McGladrey. It's a big concern, particularly in light of a recently-patched point-of-sale vulnerability like the one found by ERPScan researchers that affects over 300,000 Oracle MICROS terminals.
"The promise of an AI SOC analyst is that it will not get bored and skip a step in a checklist, missing an IoC. Companies can then pivot from the current struggle of train and retain to allow analysts to apply human judgment and experience to current and emerging threats," McGladrey said.
See publication
Tags: AI, Cybersecurity
What Are the Implications of Meltdown and Spectre for IoT?
DZone
January 16, 2018
"Patching is a reactive strategy, and there are a couple of challenges that have led us to the current situation. One of those challenges is that the market has rewarded companies that develop and produce products rapidly, and the market has shown a willingness to accept post-release patching as an acceptable trade-off. As a result, developers and architects are rewarded by their employers for producing code and architecture very quickly with less thought given to cybersecurity.
"The other significant challenge is that the cybersecurity community is generally homogenous. We have a diversity problem when just 11% of women work in cybersecurity. This lack of diversity in backgrounds and life experiences has influenced the analytic methodologies that are used to evaluate potential security issues with products. This lack of diversity of thought has led to the unfortunate set of expectations that breaches are inevitable, and this situation will continue until the cybersecurity industry does a better job of including diverse voices and opinions in the global conversation about security."
See publication
Tags: Cybersecurity, IoT
How to Adopt a Human-Centric Approach to Security
CSO
January 10, 2018
“Organizations should focus on defining a least-privilege security model for each permanent or temporary role a user may inhabit, and then apply those roles to every device, server, and service that an individual may interact with over the course of each day,” says Kayne McGladrey (@kaynemcgladrey), Director of Information Security Services at Integral Partners.
“Organizations need to move past the quaint but antiquated concept of a network perimeter and recognize that the only measurable unit of security is the individual. Individuals include employees, project team members, contractors, third-party service providers, customers, prospects, and guests at a minimum. “
See publication
Tags: Cybersecurity
3 Tips to Reduce Cybersecurity Gaps
CS Hub
November 03, 2017
“Organizations should focus first on protecting heartbeat user identities with strong identity governance, multifactor authentication and privileged command escalation roles,” says Kayne McGladrey (@kaynemcgladrey), director of information security services at Integral Partners.“Nonheartbeat users, such as service accounts and shared accounts, require protection levels that include vaulting and automatic password rotation, on a defined schedule.”
See publication
Tags: Cybersecurity
Are You Doing All You Can to Protect Your Confidential Documents?
CSO Online
September 30, 2017
Kayne McGladrey (@kaynemcgladrey), director of information security services at Integral Partners, notes that, for several years, we’ve been hearing predictions about millions of Internet of Things (IoT) devices with poor security joining networks and providing an easy attack vector for third parties.
“Printers are a culturally trusted technology because they’re perceived as not being new,” he says. “However, this doesn’t mean that modern organizations should not consider printers separately from a comprehensive strategy for the IoT.”
See publication
Tags: Cybersecurity, IoT
THE ‘GOTCHAS’ OF MULTI-CLOUD MANAGEMENT
Rackspace & CIO.com
September 18, 2017
“Effectively distributing, rotating, and de-provisioning secrets such as SSH keys, service account passwords, and application passwords that are used in DevOps environments is one of the more challenging, yet obscure issues that companies face in multi-cloud environments,” points out Kayne McGladrey, director of information security services at Integral Partners.
See publication
Tags: Cybersecurity
For travelers, chatbots and AI can't quite take you there
USA Today
August 27, 2017
"It can replace some of the simpler tasks," explains Kayne McGladrey, a computer security consultant in Bellingham, Wash. AI can help plan trips, recommend the least agonizing flight itineraries and handle some of the easier tasks handled by a hotel concierge, like recommending restaurants.
See publication
Tags: AI
The Scary Reason Companies Like Verizon Keep Blowing Your Digital Privacy
Fast Company
July 17, 2017
Even software developers often lack formal security training, says Kayne McGladrey, director of information security services at Boulder, Colorado security consulting firm Integral Partners. And even those who do can face pressure to roll code out quickly from employers impatient to see new features and fixes in production, he says.
See publication
Tags: Cybersecurity, Privacy
What the US and UK electronics bans mean for international business travelers
Quartz
March 25, 2017
Even so, make sure its memory is cleared of sensitive information. Someone who “wants to compromise the device could get unfettered long-term access” to it, says Kayne McGladrey, director of information security services at cybersecurity consulting firm Integral Partners. Passwords and encryption may not be enough to protect your data: “They can just clone your drive.”
See publication
Tags: Cybersecurity
Cyber Security Hub Advisory Board
Setting The Four Cornerstones Of Cloud Security: Accountability, Strategy, Visibility & Enablement
Educated Endpoints
Senior IEEE Member
Top Cyber Pro Awards for 2020
Top 50 Global Thought Leaders and Influencers on Internet of Things
100 B2B Thought Leaders and Influencers to Follow in 2020
ISSA Article of the Year 2017
Telehealth is Booming: Here’s What You Need to Know
How to Keep Your Video Conferences Secure From Intruders
Decreasing Risk Through Enterprise Compliance
Should You Be Worried About Airport Cybersecurity Threats?
Opening keynote speech at the Seattle Electrical Conference
Keynote speech at CIA Conference 2020
24th Annual Colloquium for Information Systems Security Education - November 4th, 2020
TAG Cybersecurity - February 2020 Meeting
Deter, Deny, and Defend Against the Three Most Common Cyber Attacks
Cybersecurity Career Accelerator EXPO
Include Cybersecurity Event 2018
Cybersecurity workshop and job opportunities for veterans
How Hackers Used and Abused the Pandemic to Profit
CISO Perspectives: Zero Trust-As-A-Service
#IDGTechtalk : A 2019 Recap and 2020 Predictions
Panel Discussion: Who is responsible for Cyber Security in the enterprise?
TagNW Closing Panel and Comments
Diversity of Mindset: Why It’s Not Just About Gender, Race, or Age
Future of the Security Operations Center
Episode 6: Securing the fast-moving digital world
Making cybersecurity more effective in the age of cloud and COVID-19
Episode 179: CISO Eye on the Virus Guy – Assessing COVID’s Cyber Risks
Don't Forget the Cybersecurity!" on The Wave of Change with Tony Flath
What is 5G and What Does it Mean for Cybersecurity?
The Resilience of Humanity
Cyber security for Bellingham families and neighborhoods
IoT & Ethical Obligations of Engineers
Who is responsible for Cyber Security in the enterprise?
Cyber Privacy, Ethics, and Abuse CISS 417 at WWU
Webinar: Zero Trust-As-A-Service
CISO Perspectives: Zero Trust-As-A-Service
CISO Strategies & Tactics For Incident Repsonse
Enterprise Cyber Security Trends and Predictions 2020
Market Report: Cutting-Edge Defense Tactics For Network Endpoints
