News Archives - J Wolfgang Goerlich

Archive for the ‘News’ Category

Cybersecurity Maturity Model Certification (CMMC): considerations for self-attesting

Posted February 13, 2023 by Wolf Goerlich

Suppliers who need to achieve Level 1, the most basic certification, may forgo seeking outside help and perform initial and annual assessments themselves.

Excerpt from: Navigating Cybersecurity Maturity Model Certification (CMMC) 2.0

“Suppliers with strong confidence in their audit and compliance teams, and suppliers with sufficient staffing, are ideally positioned should they decide to achieve Level 1 without external support,” added Wolfgang Goerlich, advisory chief information security officer, Cisco Secure, the portfolio of security products offered by San Francisco-based Cisco. “Such internal compliance initiatives can move quicker than bringing in a third-party when the people on the team have the relationships and understanding of how the practices are performed.”

The approach Goerlich describes may save money, but it won’t provide external validation and new perspectives.

“Achieving Level 1 with an internal project team answers the question, ‘What are we doing?’ but cannot answer the questions, ‘What are others doing, and what should we be doing?’” Goerlich said.

Read the full article: https://www.sme.org/technologies/articles/2023/february/navigating-cybersecurity-maturity-model-certification-cmmc-2.0/

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Cybersecurity resolutions for consumers

Posted January 17, 2023 by Wolf Goerlich

I participated in a Satellite Media Tour to share cybersecurity resolutions for consumers to keep in mind heading into 2023. Resolve to secure your accounts, resolve to protect your toys and tech, and resolve to protect your privacy. These interviews saw more than 300+ airings, including Washington, D.C.’s WJLA, Jackson, Tennessee’s WBBJ-TV, Tampa Bay, Florida’s WFTS, Jacksonville, Florida’s WTLV-TV, Austin, Texas’ KEYE. Here’s the one from South Florida’s WSFL-TV, to give a flavor of the conversation.

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Tech trends for 2023

Posted December 21, 2022 by Wolf Goerlich

Identity and access management solutions continue a hot streak for their capacity to improve operations.

Excerpt from: Tech Trends: Governments Express High Interest in IAM

At the Virginia Department of Transportation, a ransomware hack targeting the state’s traffic management system made it clear that it was time to beef up VPN security. For the state of Illinois, the issue was siloed technology operations within agencies that made it difficult for employees and residents to access tools and services.

The challenge for the city and county of Denver was what the government’s chief data officer described as multifactor authentication “sprawl.”

While each organization had to deal with its own problems, their IT teams all came to the same conclusion: They had to do better with identity and access management.

“I’ve never seen so much interest in this topic,” says Wolfgang Goerlich, Cisco’s advisory CISO for Duo, an identity and access management platform that both Denver and VDOT now rely on for protection from cyberthreats. “The big picture is that zero trust has become a mandate at multiple levels, and agencies are turning to identity and access management as one of the quickest paths to success.”

Read the full article: https://statetechmagazine.com/article/2022/12/tech-trends-governments-express-high-interest-iam

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Posted November 2, 2022 by Wolf Goerlich

Excerpt from: Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Cisco plans to roll out its Duo Passwordless Authentication globally next Wednesday. This push is in line with the findings from Duo Security’s recent report which showed that passwordless adoption continues to climb.

“We’re starting to reach a tipping point where the hardware is ubiquitous, the standards are in place, and enough services support the standards, and that’s really driving that increase that we see in web authentications. So now … organizations can adopt them with confidence,” Goerlich said.

Read the full article: https://www.sdxcentral.com/articles/news/cisco-rolls-out-duo-passwordless-authentication-sees-webauthn-usage-surge/2022/11/

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

On men named Wolf

Posted March 25, 2022 by Wolf Goerlich

A bit of fun…

MEL interviewed Men named Wolf on the Kardashians dragging their good name through the mud. After Kylie Jenner and Travis Scott announced they were changing their baby’s name to something more fitting than ‘Wolf,’ other Wolfs — Wolves? — started howling.

Excerpt:

Goerlich: I think you need to grow into being “Wolf.” You’ve got to be a little bit scruffy, a little bit older, a little bit worn around the edges. Maybe there’s a chunk taken out of your ear — you’ve got to look like a fighter. You’re not going to look like that when you’re young, so I can see why they said, “He doesn’t look like a ‘Wolf’ yet.” But give the kid time. He’ll get there.

Read the full article: https://melmagazine.com/en-us/story/wolf-kylie-jenner-travis-scott-baby-name

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Steps to take when there’s an active adversary

Posted January 28, 2022 by Wolf Goerlich

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal. These steps will help you respond quickly, without letting a crisis turn into chaos.

Excerpt from: 12 steps to take when there’s an active adversary on your network

3. Bring in the business

CISOs should be looping in business during the triage process, security leaders say, a point that’s often overlooked during active responses. As part of this, security teams need to immediately identify what impacted components are critical for conducting business, who owns those components and who controls them.

As J. Wolfgang Goerlich, advisory CISO with Cisco Secure, says: “This is a business problem. But in a security breach, a very technical person will be thinking, ‘I have to remediate.’ However, one of the things that CISOs need to remember is that a breach is a business problem not a technical problem. So there should be a secondary process that’s running business continuity and disaster recovery so that the business can keep doing what it needs to be doing.”

12. Stay calm; tend to staff needs

Goerlich says he has seen teams “run themselves into the ground” by working long hours without breaks and even a day or more without sleep. Although that grueling schedule shows a level of dedication, it’s likely to lead to mistakes.

“People get into their zones and work well beyond the times that they should,” Goerlich says, noting that CISOs should plan for clear lines of communications, caps for work hours, staggered schedules, and post-event time off. He adds: “As much as possible, organizations should think out in advance how to handle the human elements.”

Read the full article: https://www.csoonline.com/article/3645690/12-steps-to-take-when-there-s-an-active-adversary-on-your-network.html

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Adoption of hardware-based security keys

Posted October 13, 2021 by Wolf Goerlich

Google last week revealed that it was coordinating efforts with global partners to hand out free USB security keys to 10,000 elected officials, political campaign workers, human rights activists and journalists, and other users considered to be at high risk of getting hacked.

Excerpt from: Tech giants encouraging adoption of hardware-based auth keys

“Whenever a major organization makes a major announcement bolstering their security controls, it sparks conversation and movement in the broader industry,” agreed Wolfgang Goerlich, advisory CISO at Cisco Secure. “Google’s announcement that it is enrolling 10,000 people in authenticating with strong security keys will make it easier to explain a similar need in other organizations.”

And this isn’t the first such corporate endorsement of hardware-based authentication. Among the companies using FIDO’s standards for Universal 2nd Factor (U2F) authentication keys is Yubico, which like Google has been working with DDC to provide its hardware-based authentication keys to campaigns from both major parties.

Read the full article: https://www.scmagazine.com/analysis/physical-security/tech-giants-encouraging-adoption-of-hardware-based-auth-keys

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Remote Work Drives Continued 2FA Adoption

Posted September 15, 2021 by Wolf Goerlich

Seventy-nine percent of people used two-factor authentication at least once in 2021, with 72% regularly using the technology, as remote work, social media, and online retail spur demand.

Excerpt from: Security Fears & Remote Work Drive Continued 2FA Adoption

SMS texts continued to be the most-used type of two-factor authentication, with 85% of people using that 2FA technology. Verification emails are the second most common type at 74%, while passcodes issued by mobile authentication apps came in third with 44%.

Companies need to educate consumers more on the pitfalls of SMS text messages as a second factor, Goerlich says. More than half of people surveyed would choose SMS as the second factor for a new account, while less than 10% would choose a mobile passcode application and 7% would use a push notification. SMS tied with security keys, such as YubiKey and other technology, for highest perceived security and topped the list for usability.

“There is a clear mismatch between what the survey respondents are using in terms of security and what researchers have found and identified in terms of security,” he says. “It makes sense that SMS is rated high in usability, and there is a really strong familiarity with the factor, but a lot of issues have been identified by researchers.”

Attempts to educate people on security problems with SMS should be careful, however, not to dissuade them from using two-factor authentication at all, Goerlich stressed.

Read the full article: https://www.darkreading.com/authentication/security-fears-remote-work-drive-continued-2fa-adoption

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Has Covid-19 killed the password? 

Posted January 15, 2021 by Wolf Goerlich

The pandemic has shone a spotlight on the weaknesses of the most common form of digital authentication.

Excerpt from: Has Covid-19 killed the password?

It is also important to remember that biometric devices have advanced significantly over the past decade, says Goerlich. Continuing to enhance these features – for example, by making it standard to make access to a system contingent on normal user behaviour patterns – will prove essential in shoring up public trust in the technology.

“Some of the set-ups that I’ve seen, a criminal would have to steal your fingerprint, steal your phone, steal your laptop, log in from a region that you’re usually working at… and then start accessing applications that you normally access,” says Goerlich. “That’s a lot of complexity and a lot of hurdles for a criminal to jump through.”

Even so, the end is far from nigh for the password itself. For one thing, upgrading corporate infrastructure to support passwordless authentication remains a gargantuan task. “You’re going to have this really long tail, which could go on [for] years, if not decades, of legacy systems that we’re going to continue to maintain, and we’re going to continue to maintain because they still provide business value,” says Goerlich.

Read the full article: https://techmonitor.ai/cybersecurity/has-covid-19-killed-the-password

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Killing Passwords with Infosecurity Magazine

Posted December 1, 2020 by Wolf Goerlich

Back in September, Gartner detailed its top eight security projects for the coming year. Among those was the concept of ‘passwordless’ authentication, where a second factor such as a known asset like a phone, tablet, keyfob or smart watch can be used instead of a password.

Excerpt from: Interview: J Wolfgang Goerlich, Advisory CISO, Duo Security (Cisco)

Speaking to Infosecurity, Goerlich cited a talk at the 2004 RSA Conference, where Bill Gates said that the password is dead, and Goerlich commented that “16 years later we’re still trying to kill it.” He said that to enable a passwordless strategy, you need both the equipment and technology to enable it, but mostly you need “to have momentum in the organization and a reason to do it.”

However, now that everyone carries a biometric authenticator in their pocket, has hardware in place and given the fact that security wants to enable users, why do passwords still exist?

Read the full article: https://www.infosecurity-magazine.com/interviews/interview-wolfgang-cisco-duo/

Wolf’s Additional Thoughts

What leads one innovation to succeed? What leads another innovation to stall? We need standards, infrastructure, and critical mass. But these come often out of order and require a spark to bring it all together. Sixteen years after Bill Gates declared the password dead, we’ve reached the inflection point. It’s about to get exciting.

The final thought in the article is “He concluded by saying that increasing trust in authentication is vital for passwordless to succeed, as today’s good factor is bypassed tomorrow. “

My strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.