{"id":25502,"date":"2022-07-15T15:18:39","date_gmt":"2022-07-15T19:18:39","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=492206"},"modified":"2022-07-18T10:46:50","modified_gmt":"2022-07-18T14:46:50","slug":"cyber-security-today-week-in-review-for-friday-july-15-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-july-15-2022\/","title":{"rendered":"Cyber Security Today, Week In Review For Friday July 15, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday, July 15th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for IT World Canada.com.<\/p>\n<p data-ar-index=\"3\">There won\u2019t be the usual review of news highlights today because I\u2019m off this week. So I\u2019m going to go straight into a discussion I had recently with American cybersecurity expert Eric Cole.<\/p>\n<p data-ar-index=\"4\">Eric brings a wide range of experience, having been a hacker at the CIA, chief technology officer at McAfee, chief scientist at Lockheed Martin, a commissioner for cybersecurity under President Obama, a ransomware negotiator and cybersecurity consultant with his current firm, <a href=\"https:\/\/secure-anchor.com\/\" rel=\"noopener\">Secure Anchor<\/a>.<\/p>\n<p data-ar-index=\"5\"><em>(The following transcript has been edited for clarity. To hear the full conversation play the podcast)<\/em><\/p>\n<p data-ar-index=\"6\"><strong>Howard:<\/strong> With the Russia-Ukraine war going on, do you wish you were still a hacker with the CIA?<\/p>\n<p class=\"western\" data-ar-index=\"7\"><strong>Eric Cole:<\/strong> I can quickly and confidently say no. And the reason is because now there\u2019s way too much red tape and rules. One of the nice things about being a hacker in the early-to-mid 90s is this was brand new territory. We basically created it, forged it. Which meant we created the rules \u2014 which meant there were no rules. So we really were able to do whatever was needed in order to accomplish the mission. The problem today is that is hard with [the U.S.] government. Hacking requires a high level of creativity. 
You must be able to colour outside the lines and go outside the box. However, the government now has so many rules that limit creativity. That makes it very, very hard to really be a creative hacker today.<\/p>\n<p class=\"western\" data-ar-index=\"8\"><strong>Howard:<\/strong> Describe the state of cybersecurity in the private sector and government in advanced countries such as the U.S. and Canada. Would you call it good, fair, awful?<\/p>\n<p class=\"western\" data-ar-index=\"9\"><strong>Eric:<\/strong> I would call it a high state of confusion. And the reason is there\u2019s a lot of misinformation out there. If you talk to a lot of executives and a lot of decision-makers, they really don\u2019t understand how bad the problem is \u2014 whether it\u2019s a real problem, whether it\u2019s not. The media tends to give out partial or incorrect information that sort of misleads people on what\u2019s really happening. And you really don\u2019t have a lot of communication within the organization between the technical staff and the executives. So while there\u2019s money and resources being spent and overall are doing an okay job, there\u2019s a high level of confusion because of that lack of communication of accurate information.<\/p>\n<p class=\"western\" data-ar-index=\"10\"><strong>Howard:<\/strong> You\u2019ve written that the biggest problem in cybersecurity today is that there\u2019s no communication between IT and executives.<\/p>\n<p class=\"western\" data-ar-index=\"11\"><strong>Eric:<\/strong> If I had to sum up the biggest problem with corporations \u2014 and even government \u2014 and cybersecurity is the lack of an effective well-defined chief information security officer. Many companies have somebody with the CISO title, but the problem is in many cases \u2014 not all, but in many cases \u2014 it\u2019s viewed as a technical career track. A CISO is not a technical position. 
If you take a world-class security engineer and give them the CISO title they will fail because it\u2019s not a technical position. The best way I can describe a CISO is a world-class translator. They must speak technical, they must speak business. Companies that have world-class CISOs that effectively translate are doing a great job with security. The problem is, those companies are few and far between.<\/p>\n<p class=\"western\" data-ar-index=\"12\"><strong>Howard:<\/strong> So how does a CISO learn how to communicate with the business suite?<\/p>\n<p class=\"western\" data-ar-index=\"13\"><strong>Eric:<\/strong> By doing that over and over again. The example I love giving is a muscle in a gym. If you go to most gyms and you look at the real muscle heads most have some muscles that are overdeveloped and some that are underdeveloped. And the reason is simple: You work the muscles you like and ignore the ones you don\u2019t. The same thing happens with technical folks: Their technical component is overworked and the business side is underworked. A couple of quick things I recommend: Read business books. Every night for one or two hours give up Netflix and read business books to get familiar with it. On weekends hang out with business people. Talk in business circles. The problem is most security engineers hang out with security engineers. Which means their technical skills are going to get better and their business skills are going to get weaker. If you want to be a CISO you have to change your environment, change who you associate with and change the information that you focus on and absorb.<\/p>\n<h4 data-ar-index=\"14\"><a href=\"https:\/\/www.itworldcanada.com\/article\/un-begins-three-year-effort-to-create-cybercrime-treaty\/475022\" rel=\"noopener\">Related content: Eric Cole on UN cybercrime treaty negotiations<\/a><\/h4>\n<p class=\"western\" data-ar-index=\"15\"><strong>Howard:<\/strong> You\u2019ve said prevention is ideal, detection is a must. 
Can you expand on that?<\/p>\n<p class=\"western\" data-ar-index=\"16\"><strong>Eric:<\/strong> The easiest and best thing to do with a cyber attack is to prevent it, to stop it from happening. The problem is with preventive technology. You can only stop things that are 100 per cent bad 100 per cent of the time. So if you have some issues or problems that 80 per cent of the time are bad that means 20 per cent of the time is good \u2014 which is most of the attack vectors we\u2019re talking about. You can\u2019t prevent them because if you do you\u2019re blocking legitimate traffic. Companies today are trying to block all the attacks. But when that fails they have minimal to no detection. So detection is all about looking at traffic correlating: Looking for anomalies, looking for [bad] behaviors and looking for activity that shouldn\u2019t be on the network. And the attack has to be detected in a timely manner, because what a lot of people miss is the goal of cybersecurity is not to prevent attacks. The goal of cybersecurity is timely detection to minimize the damage to your organization.<\/p>\n<p class=\"western\" data-ar-index=\"17\"><strong>Howard:<\/strong> One of the things that I got from your book <a href=\"https:\/\/secure-anchor.com\/cybercrisis\/\" rel=\"noopener\"><i>Cyber Crisis<\/i> <\/a>is there are four things that IT should do: Make sure that all servers that are visible from the internet are up-to-date, fully patched, contain no critical data, and if they have encrypted data make sure the cryptographic keys are stored on a separate server. 
You\u2019ve said that if these principles would have been followed none of the major breaches that we\u2019ve seen recently would have happened.<\/p>\n<p class=\"western\" data-ar-index=\"18\"><strong>Eric:<\/strong> If you look at almost all of the major breaches that happened when I wrote the book \u2014 the book\u2019s about a year old \u2014 they all really come down to servers that have known exposures, are missing patches, are accessible from the internet and contain critical data that are not properly encrypted. So it really comes down to those basic solutions. And in a lot of cases we like making things more complicated than they need to be: We want to go in and spend a lot of money \u2014 and please don\u2019t get me wrong. There\u2019s some great tech out there. I\u2019m not saying that if you just do those four things you\u2019re magically secure. But the problem is we\u2019re focusing on advanced techniques and tactics. The simple, foundational items that are needed to support that [great tech] are not being done.<\/p>\n<p class=\"western\" data-ar-index=\"19\"><strong>Howard:<\/strong> Why not? It seems to be the easiest thing.<\/p>\n<p class=\"western\" data-ar-index=\"20\"><strong>Eric:<\/strong> What I always say when I give presentations is common sense is not always common practice. What happens is in a lot of organizations, I believe, is there\u2019s a lot of turnover in IT and security. As new people come in they just make the assumption \u2014 the false assumption \u2014 that the foundation of the house is solid and let\u2019s just focus on renovating the rooms. Let\u2019s go in and focus on the advanced techniques and tactics. But they don\u2019t realize that they need to step back and check and make sure that the foundation is solid.<\/p>\n<p class=\"western\" data-ar-index=\"21\"><strong>Howard:<\/strong> Infected attachments and links. These are some of IT\u2019s biggest problems because that\u2019s how malware gets spread. 
You\u2019ve said if you block attachments and embedded links from unknown entities that will lower the odds of being victimized. But how does IT determine what\u2019s an unknown entity?<\/p>\n<p class=\"western\" data-ar-index=\"22\"><strong>Eric:<\/strong> A couple of ways. But the simplest is, \u2018Have you had communication with that entity in the past?\u2019 None of this is 100 per cent, but it works very well. Most of the communication that you\u2019re going to have with outside entities is usually initiated internally. So I would send an email out to somebody and then they would send the email back \u2014 and that would be trusted. If we get an unsolicited or an email where I\u2019ve never communicated with that entity before, those are the ones that we\u2019re talking about. And the thing that\u2019s important here is we\u2019re not saying block the emails. We\u2019re not saying delete them. All we\u2019re saying is if it\u2019s a new email from a new source that you\u2019ve never communicated with before why not just temporarily remove the attachments and disable the links until it\u2019s been verified or validated whether it\u2019s legitimate or not?<\/p>\n<p class=\"western\" data-ar-index=\"23\"><strong>Howard:<\/strong> But what does IT do if a hacker has hacked my email and uses that to send you an email with an infected attachment?<\/p>\n<p class=\"western\" data-ar-index=\"24\"><strong>Eric:<\/strong> That\u2019s when you have other options. One is you have other solutions in place like endpoint security. Virtual machine isolation is one of the things we do with a lot of our clients: You run email and web browsers in separate virtual machines. That way even if they [staff] do get infected you\u2019re isolating and containing them \u2026 By running applications that have high risk in separate virtual machines you\u2019re basically creating a zero-trust environment. Another question is why are we using email as a file transfer mechanism? 
That\u2019s not really what it was created for. More mature organizations block all attachments, and they have separate file transfer tools for doing file transfer. You use email just for email.<\/p>\n<p class=\"western\" data-ar-index=\"25\"><strong>Howard:<\/strong> You\u2019ve mentioned <a href=\"https:\/\/www.itworldcanada.com\/post\/white-house-launches-zero-trust-strategy-for-federal-agencies\" rel=\"noopener\">zero trust<\/a>. It\u2019s a big buzzword. There\u2019s a lot of misunderstanding over what zero trust encompasses, and what organizations have to do in order to have a true zero-trust environment. What are your thoughts about how to clean this up?<\/p>\n<p class=\"western\" data-ar-index=\"26\"><strong>Eric:<\/strong> The way you clean it up is by adding other words to zero trust. Are we talking zero trust at a host level, at a network level, at a server? Zero trust is like saying \u2018transportation vehicles.\u2019 Well, that covers a lot of things. Are we talking cars? Airplanes? You need to add a little specificity around it, because at the highest level zero-trust is just saying that you create an environment where if any entity gets compromised it\u2019ll have zero impact on any other entity. The question is, what is the entity? An entity can be a computer, an application or a server. And that\u2019s where the confusion comes in. There are so many categories of the entity that unless we put characterization and specificity around what level of zero trust we\u2019re talking about it makes it really hard to get to an implementation and detail level.<\/p>\n<p class=\"western\" data-ar-index=\"27\"><strong>Howard:<\/strong> Here\u2019s another problem: Misconfigured data on cloud storage. At least once a week there\u2019s a new story about a researcher discovering unprotected data from an Elasticsearch and it\u2019s stored on AWS or on Azure and it\u2019s open to anyone who can figure out how to find it. And apparently it\u2019s not that hard. 
All you have to know is how to use <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shodan_(website)\" rel=\"noopener\">Shodan.<\/a> What can IT do about this?<\/p>\n<p class=\"western\" data-ar-index=\"28\"><strong>Eric:<\/strong> That really just comes down to good standard operating procedures and practices that people have to always follow when they\u2019re setting up or storing data. They follow a set of procedures. A lot of it really comes down to<a href=\"https:\/\/www.itworldcanada.com\/article\/find-security-solutions-to-shadow-it-cisos-warned\/380386\" rel=\"noopener\"> shadow IT,<\/a> where it\u2019s so easy for anyone in the organization to basically go and set up AWS. It takes five minutes \u2014 you put it on a credit card. Some of these services are US$5 a month, and boom you\u2019re now running servers that are exposing corporate company data. A lot of it also comes down to really training IT staff to say [to the rest of the firm], \u2018This is what you can do, this is what you can\u2019t do and these are the repercussions for doing that.\u2019 There has to be a lot more control gates and mechanisms in place. The way you stop shadow IT and rogue behavior is enforcement.<\/p>\n<p class=\"western\" data-ar-index=\"29\">One of our clients had employees constantly setting up storage on AWS and leaking sensitive data. I told them every time somebody does that fire them. And I guarantee you after three or four people are let go from the company and you show this is serious they\u2019re not going to do it anymore. But the company said, no, that\u2019s too strict a mechanism.<\/p>\n<p class=\"western\" data-ar-index=\"30\"><strong>Howard:<\/strong> In an interview earlier this year you said that your firm sets up a distributed database system for customers so that only 15 per cent of their records are in any database. 
Should that be a standard that IT tells management, \u2018We can set things up so that the worst thing that happens is we lose 15 per cent of our data?\u2019<\/p>\n<p class=\"western\" data-ar-index=\"31\"><strong>Eric:<\/strong> It\u2019s a solution to a problem. I always like caveating that if you have a lot of sensitive data from different organizations and different entities, that\u2019s definitely an option. Just to give a little more focus on that solution set, we do a lot of work with law firms where they have a lot of very, very sensitive client data from different customers. So in that case, it\u2019s not only very straightforward but it\u2019s very logical to set up to really minimize or reduce exposure. Now, if you\u2019re in a large financial transaction or healthcare environment we might recommend other solutions where you want to better protect and secure, because that might create a lot of unneeded complexities. But that is an option that should be considered, with other options, of what is the best way to reduce risk while managing and allowing the functionality that\u2019s needed for the business units to operate.<\/p>\n<p class=\"western\" data-ar-index=\"32\"><strong>Howard:<\/strong> Cyber experts always say no technology or combination of technologies can absolutely guarantee there won\u2019t be a loss of data, so I\u2019m just wondering whether the IT leaders should give a firm number like that to management \u2014 15 per cent \u2014 is that something that management would want to hear, is that something that would help IT get management\u2019s head around just what the cybersecurity thing is? 
Then they can assure management that they\u2019re getting something for their money.<\/p>\n<p class=\"western\" data-ar-index=\"33\"><strong>Eric:<\/strong> That\u2019s why we do that, and it\u2019s a very effective tool because it goes back to what we said earlier, which is a world-class chief information security officer speaks business. Business is about numbers, risks and per cent. The problem I have is I work with a lot of CIOs and CISOs and they\u2019re like, \u2018Well, Eric, I don\u2019t want to commit to a number,\u2019 and I\u2019m like \u2018Then, you\u2019re useless in terms of the executives because if you go to an executive \u2014 which is what a lot of CIOs and CISOs do \u2014 it could be bad. It could be really bad. They [executives] want to understand four things: What could happen; what is the likelihood, give me a number\/per cent of that happening; what is the cost if it occurs; and what is the cost to fix it? They want and need numbers to make a business decision, and as long as a CIO or a CISO refuses to give numbers they\u2019re going to be ineffective in their job. It might not be perfect, it might not be exact, but you need to give numbers so they [executives] can make appropriate decisions.<\/p>\n<p class=\"western\" data-ar-index=\"34\"><strong>Howard:<\/strong> In May the<a href=\"https:\/\/www.ropesgray.com\/en\/newsroom\/alerts\/2022\/March\/Expansive-Federal-Breach-Reporting-Requirement-Becomes-Law\" rel=\"noopener\"> United States passed legislation mandating security incident reporting to the government<\/a>. Up here the Canadian government <a href=\"https:\/\/www.itworldcanada.com\/article\/mixed-reaction-to-canadas-proposed-cybersecurity-law\/488573\" rel=\"noopener\">just introduced proposed legislation for mandatory security incident reporting<\/a>. What\u2019s your opinion on the value of this? How important is it that governments know about security incidents or breaches of security controls? 
And should that information be public? Right now the proposed reporting is private to security agencies. But maybe if there was some public naming and shaming that would encourage companies to devote more resources to cybersecurity.<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Eric:<\/strong> I\u2019m okay with the reporting if it\u2019s tied to clear regulation and compliance. So if you have a regulation that says you must do x and if you don\u2019t do x and have a breach then that should be reported. But to me this idea that whenever you have a breach companies now have to not only disclose it but give the details and give everything else what are we accomplishing? Versus the risk or exposure we\u2019re giving to that company, because we know \u2014 especially in the United States \u2014 there\u2019s no such thing as private reporting when it comes to the government. They have more leaks than a bucket with holes in it. The point is if the government now starts getting to this oversight level where you almost tell us about every single breach then the government has to accept liability for the exposure that\u2019s going to occur to those companies. I think what\u2019s happening is we\u2019re reacting to a problem, which is companies are not implementing effective security measures to protect clients\u2019 data. But we\u2019re doing it with the wrong solution. The solution should be what the United States is finally doing, which is passing a federal law on data protection and data security that companies have to follow to protect their data. Just like Europe did with GDPR many years ago. The focus needs to be on setting a bar with regulation and compliance. This whole idea of mandatory reporting is not a solution to a problem that solves anything. It just makes it worse.<\/p>\n<p class=\"western\" data-ar-index=\"36\"><strong>Howard<\/strong>: Who should take the lead for cyber security? 
Governments through regulations or businesses?<\/p>\n<p class=\"western\" data-ar-index=\"37\"><strong>Eric:<\/strong> In a perfect world it should be done by companies. Companies should step up and implement appropriate security measures. However, if they don\u2019t then the government needs to step in. The<a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2021-06-04\/hackers-breached-colonial-pipeline-using-compromised-password\" rel=\"noopener\"> Colonial Pipeline<\/a> [ransomware attack] last year in my mind was the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Enron\" rel=\"noopener\">Enron<\/a> moment for cybersecurity. Enron was a publicly-traded company and they did a lot of really bad things. At that point the government said, \u2018You should have been able to self-regulate. You clearly weren\u2019t able to, so we\u2019re now going to step in and regulate.\u2019 Private companies should have been able to manage it [cybersecurity], but clearly they haven\u2019t been able to do so, or they\u2019re unwilling to do so. So, unfortunately, we are at the point now where I do believe the government needs to step in and basically provide oversight and direction on what is or is not appropriate security.<\/p>\n<p class=\"western\" data-ar-index=\"38\"><strong>Howard:<\/strong> You\u2019ve said that people \u2014 and I think you mean executives \u2014 should have two computers: A Windows computer for their work and a computer with a different operating system for checking [work] email. Why? What if I download something that I need, like a report, and I need to transfer it to my work computer?<\/p>\n<p class=\"western\" data-ar-index=\"39\"><strong>Eric:<\/strong> Once again, it\u2019s a solution. Not a solution for everyone. But what I always try to do is not what most people in cybersecurity say: \u2018No, no, you can\u2019t do this. You can\u2019t do this. You can\u2019t click on this link. 
You can\u2019t open this attachment.\u2019 I have a Windows computer at my desk that I use to work on documents, on reports, do spreadsheets. And I have an iPad that I use only for checking email and surfing the web. It\u2019s not that Windows is more vulnerable. Windows is as secure as the other operating systems if you look at the actual data. But because Windows still has one of the highest install bases 90 per cent of most attacks target the Windows operating system. So today if you\u2019re running a non-Windows operating system, such as an iPad or Android, you have a 90 per cent chance that malware isn\u2019t going to run or be effective on that platform. Second, even if it did it was the 10 per cent that was an attack for an iPad. Because all I\u2019m doing is checking email or surfing the web if it gets infected I just reimage it. I just restart it up again and we\u2019re off to the races. So it\u2019s just an easy way to create separation between those two.<\/p>\n<p class=\"western\" data-ar-index=\"40\">To answer your other question, I don\u2019t exchange documents and email. We have a separate platform that we use for exchanging documents with our clients in which you log in, register and set up. So if you need to send me a document we would use a proper mechanism that I could then utilize on my desktop to access that document.<\/p>\n<p class=\"western\" data-ar-index=\"41\"><strong>Howard:<\/strong> If you have three things to say to IT leaders including CISOs about how they can lower the risk of their company falling to an attack what would you tell them?<\/p>\n<p class=\"western\" data-ar-index=\"42\"><strong>Eric:<\/strong> One, you need to be able to speak and communicate business. You must be able to translate between technical problems and the business for executives. Second, when you\u2019re a security engineer you focus on identifying problems but when you\u2019re a CISO you must focus on identifying solutions. Be solution-oriented. 
Don\u2019t focus on what is wrong, focus on the solution you need to be able to fix the problem. And third, have accurate data. You should have network visibility maps. You should know all your servers, all your systems, all your patch levels and where your data is. If you don\u2019t have those basics \u2014 asset inventory, data management and configuration management in place \u2014 do not pass Go, do not collect $200. That needs to be your priority. The problem is most CISOs focus on all the advanced technology and overlook the fact that they have a broken foundation for their house.<\/p>\n<p data-ar-index=\"43\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-july-15-2022\/492206\">Cyber Security Today, Week in Review for Friday July 15, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion with U.S. 
cybersecurity expert and author<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-25502","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=25502"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25502\/revisions"}],"predecessor-version":[{"id":25585,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25502\/revisions\/25585"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=25502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=25502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=25502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}