Culture Spotlight with Jared Karol: Using Social Capital to Drive Impact and Affect Change

We’ve all been excluded and made to feel less-than. And, we’ve all had someone stick up for us and make us feel like we belong. We’ve all had opportunities to step out of our comfort zone and be an ally for people who need our support. Culture doesn’t happen to us; we create culture. 

In today’s Culture Spotlight, Jared K. shares stories about getting bullied for wearing short shorts, choosing not to be bourgeois, being an ally even though it’s not always easy, and having the courage and clarity to end a thirty-five-year friendship. 

– – – – – 

Please share an experience from your personal or professional life when you were excluded. How did that affect you?

I grew up poor in the eighties in Southern California. When I was in seventh grade, I desperately wanted a pair of longer surf-style shorts that all the kids were wearing, but my family couldn’t afford them. I was stuck wearing my short, nerdy, out-of-style soccer shorts that I’d been wearing since fourth grade. Kids teased me every day. The worst incident was when two bigger kids raised me by my armpits, slammed me up against the lockers, and made a big show about my short shorts. Pinned up against the lockers, I was humiliated in front of everyone, as kid after kid walked by and laughed and pointed. 

My mom eventually found enough money to buy me longer shorts, but the damage had been done. It was at that moment that I realized how much our socioeconomic status shapes our everyday experiences. People with more financial capital have more social capital, which leads to more power and privilege, which leads to greater access to opportunities for success. If you’re poor, on the other hand, a lot more hard work is required of you to succeed. 

Please share an experience when you were included but noticed that someone else was left out. How did that affect you?

My family and I periodically get invited by our friends to spend an evening at a swim club where they are members. It’s a nice place – a big pool for the kids to swim, an adults-only spa, a beautiful view of the mountains, covered canopies to socialize, barbecue, and drink wine. It’s pretty bourgeois. And very white. There’s no officially policy that excludes people of color, but it’s clear by the membership that whiteness is the dominant – and comfortable – narrative. 

Our friends frequently urge us to buy a membership so we can hang out with them more often at the club. Thanks for the invite, but it’s not even an option. We have no interest in using our financial, social, and racial capital to intentionally position ourselves in an exclusive, privileged environment. While our relationship with our friends is important, equally important is being true to our values of inclusivity and diversity. When you know what you stand for, it’s much easier to make decisions. It is curious though. . . I notice we don’t get invited up there as much as we used to.

Cybersecurity Firm Imperva Discloses Breach

Aug 19

Cybersecurity Firm Imperva Discloses Breach

Imperva, a leading provider of Internet firewall services that help Web sites block malicious cyberattacks, alerted customers on Tuesday that a recent data breach exposed email addresses, scrambled passwords, API keys and SSL certificates for a subset of its firewall users.

Redwood Shores, Calif.-based Imperva sells technology and services designed to detect and block various types of malicious Web traffic, from denial-of-service attacks to digital probes aimed at undermining the security of Web-based software applications.

Image: Imperva

Earlier today, Imperva told customers that it learned on Aug. 20 about a security incident that exposed sensitive information for some users of Incapsula, the company’s cloud-based Web Application Firewall (WAF) product.

“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” wrote Heli Erickson, director of analyst relations at Imperva.

“We want to be very clear that this data exposure is limited to our Cloud WAF product,” Erickson’s message continued. “While the situation remains under investigation, what we know today is that elements of our Incapsula customer database from 2017, including email addresses and hashed and salted passwords, and, for a subset of the Incapsula customers from 2017, API keys and customer-provided SSL certificates, were exposed.”

Companies that use the Incapsula WAF route all of their Web site traffic through the service, which scrubs the communications for any suspicious activity or attacks and then forwards the benign traffic on to its intended destination.

Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.

According to Mogull, an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.

At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings and exempt or “whitelist” from the WAF’s scrubbing technology any traffic coming from the attacker. A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker.

“Attackers could whitelist themselves and begin attacking the site without the WAF’s protection,” Mogull told KrebsOnSecurity. “They could modify any of the security Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”

Imperva urged all of its customers to take several steps that might mitigate the threat from the data exposure, such as changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.

Alissa Knight, a senior analyst at Aite Group, said the exposure of Incapsula users’ scrambled passwords and email addresses was almost incidental given that the intruders also made off with customer API keys and SSL certificates.

Knight said although we don’t yet know the cause of this incident, such breaches at cloud-based firms often come down to small but ultimately significant security failures on the part of the provider.

“The moral of the story here is that people need to be asking tough questions of software-as-a-service firms they rely upon, because those vendors are being trusted with the keys to the kingdom,” Knight said. “Even if the vendor in question is a cybersecurity company, it doesn’t necessarily mean they’re eating their own dog food.”

Tags: Alissa Knight, DisruptOPS, Heli Erickson, imperva, Incapsula, Rich Mogull, Web Application Firewall

You can skip to the end and leave a comment. Pinging is currently not allowed.

The Two Keys to Zero Trust: Data Loss Prevention and Machine Learning

Symantec DLP and ICA

Keeping data under lock and key defeats the purpose of digital business. Workers need to work with data, even sensitive data, and sometimes move it outside an organization. For example, a hospital administrator might need to send an insurance company HIPAA-protected information from a patient’s health record. However, that administrator would not need to save the data to a removable USB drive. Symantec DLP stands guard by automatically discovering sensitive data, enforcing protective measures such as encryption and DRM, and preventing it from leaving the enterprise in unwanted or noncompliant ways.                

Symantec DLP doesn’t stop there. It enables you to surveil behaviors relating to suspicious user-installed applications and prevent exfiltration of sensitive data. Symantec DLP also is configured to identify GDPR-protected information, enabling you to track its use and location, and regulate its flow. And it integrates with encryption and cloud-access security broker (CASB) technologies to protect email, removable media, individual files and data in the cloud.

Working hand-in-hand with DLP, Symantec Information-Centric Analytics (ICA) implements UEBA, providing AI-and ML-enabled insight into user behavior. Every employee has a normal behavior pattern, which ICA observes, records, and compares to that of employees with similar responsibilities. When an employee’s behavior, or usage of an employee’s system, departs from the normal pattern – a 3AM download of sensitive data, for example — ICA takes note, assigning a risk score and reporting to an organization’s security operations center (SOC).