October 31, 2014

In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.

Experts: Major cyberattack will hit in next 11 years
Almost two-thirds of technology experts expect a "major" cyber attack somewhere in the world that will cause significant loss of life or property losses in the tens of billions of dollars by 2025. A survey released Wednesday by the Pew Research Center found that many analysts expect disruption of online systems like banking, energy and health care to become a pillar of warfare and terrorism. The survey asked over 1,600 technology experts whether a major attack that would cause "widespread harm to a nation's security and capacity to defend itself" would be launched within the next 11 years.

Top CIOs Start the Journey to the 'Digital Enterprise'
The digital enterprise is more than just a CIO catchphrase. In a recent Altimeter Group survey, 88 percent of 59 digital strategy executives interviewed said their organizations are undergoing formal digital transformation efforts this year. Even CIOs who think the phrase "digital enterprise" is mushy, like Mojgan Lefebvre, CIO of Liberty Mutual Global Specialty, say that consumers wielding smartphones have shifted the balance of power. "The one thing that comes in and absolutely disrupts industries is giving the end-user customer, consumers, the ability to do anything and everything they want on their mobile device," Lefebvre says.

Enterprise Cloud Service Broker—A New Identity for IT, CIOs
A cloud service brokerage, as defined by Gartner Group, is “an IT role and business model in which a company or other entity adds value to one or more (public or private) cloud services on behalf of one or more consumers of that service.” Gartner recently challenged CIOs to explore how they should position themselves as CSBs within the enterprise by “establishing a purchasing process that accommodates cloud adoption, and encourages business units to come to the IT organization for advice and support.” Why not just bring in an outside organization to manage cloud vendors? Indeed, many new companies have sprung up recently to help IT departments procure their cloud services.

The science behind the ebb and flow of Ubuntu Unity's popularity
This has surprised a lot of people, but I would argue that it shouldn't. Why? Unity has been around for a while now, and it's had plenty of time to evolve and get things right. The initial release was 2010, and the Unity we have now is not the Unity we had then. Users have had plenty of time to acclimate. The HUD, the Dash, Scopes -- they all work in a harmony that most desktops can't replicate. Even with the current state of popularity that Unity is enjoying, I remember the reaction of the Linux community when the desktop first arrived -- it seemed as if Ubuntu was on a collision course with disaster.

Healthcare IT: User Empathy Comes First
Too often we see information systems organizations driving and delivering products and services without first understanding what to deliver. One great companion tool for enabling the customer empathy mindset is an empathy map. ... Underlying an empathetic mindset is a deep curiosity to find out the answers to these and many more questions. It is also supported by a desire to delight users with your product or service. As mentioned in my previous blog, defining a product's or service's success in terms of a "Love Metric" is key to moving an organization toward becoming one that is known for its customer empathy mindset.

Setting Traps, and Other Internet Security Tips
The cold truth is that the JPMorgan breach and the rest are not symptomatic of anything new—online businesses have been under constant cyberattack for well over a decade. What’s different today is that there is a lot more at stake because so much of what we do every day is online. Here is what I recommend: use two-factor authentication—essentially verifying via SMS on your mobile phone that you are the owner of a particular account online, every time you sign on. Google, Facebook, Twitter, and just about every major bank provides this option. Also, since everyone gets hacked online eventually, make sure the damage is limited.

Small Businesses Investing in Mobile Technology
"Small business should pay attention to some of the same places they have been getting their cloud and mobility information," Seth Robinson, senior director for technology analysis at CompTIA, told eWEEK. "These two areas provide the foundation for IoT and will help give some insight as to how SMBs will begin using the technology." Robinson said just as small businesses have learned about the benefits of cloud and mobility in their space--which are often different than enterprise benefits--they will learn about the benefits of IoT as the trend takes shape.

Following the launch of Apple Pay, Juniper Research thinks NFC will finally be a success
Juniper had been pessimistic about the market after the dismal showing of the NFC-based Google Wallet, launched in 2011, and Apple's failure to include NFC in the iPhone 5. Apple had also said that BLE (Bluetooth Low Energy) and Wi-Fi had "more desirable characteristics for maintaining the link over time than NFC", and it could have adopted BLE instead. With the arrival of Apple Pay, based on industry-standard EMV contactless protocols running over NFC, Juniper has changed its view. In the context of the US market's development, Apple Pay has arrived at a better time than Google Wallet.

Microsoft Adds IoT, Big Data Orchestration Services to Azure
"Every day, IoT is fueling vast amounts of data from millions of endpoints streaming at high velocity in the cloud," says Joseph Sirosh, corporate vice president of Machine Learning at Microsoft. "Examples of streaming analytics can be found across many businesses, such as stock trading, fraud detection, identity protection services, sensors, web clickstream analytics and alerts from CRM applications. In this new and fast-moving world of cloud and devices, businesses can no longer wait months or weeks for insights generated from data."

Quote for the day:

“You can't connect with something you're not passionate about.” -- Gemma Arterton

October 30, 2014

Insider Threats – the myth of the black swan
Obviously, the average impact of insider threat cases does not tell anything about their overall frequency. Even if an average case is less than $50,000 in cost, when these low-profile cases happen on a daily basis, the cumulative loss will be very significant for most companies. And this says nothing for reputation lost, which is difficult to measure. As we have seen in previous posts of this series, the threat landscape broadens and diversifies with new BYOD policies, reduced and changing employee loyalty to employers, and higher employee churn rates create a large gray area of threats that include unintentional misbehaviors, violation of policies, and minor thefts.

A CIO's guide to the future of work
It can seem like a no-win situation, yet organizations can clearly not do nothing, and in fact, most realize they must do far more than they have until now. The net result of all of these trends and forces is that most organizations are busy undergoing some form of large-scale 'digital transformation.' A recent study by Altimeter found that 88% of the organizations they studied are in the middle of such change efforts already, with social media, mobility, and information discovery as key elements of the process for more than half of respondents.

Private Links to Cloud Now Fastest Growing Business Segment
Private cloud connection services like AWS Direct Connect or Azure ExpressRoute were designed to address this problem. Through them, colocation providers like Equinix, CoreSite, TelecityGroup, and Datapipe, among others, can link their enterprise customers’ servers to the cloud data centers privately, bypassing the Internet altogether. In addition to colos, the cloud providers also partner with network carriers, which exponentially increases the amount of data centers around the world that can connect customers to the public clouds privately.

The Interdependence of Technology and Culture
Yes, technology will cause new challenges and further problems. Human creativity will use once again technology to solve those, not a methodology or legislation that restricts and demands safety and conformity. There is no need to fear technology as long as enough humans have the freedom to choose in a democratic environment. Technology that empowers will free the employees' minds and unlock creativity and innovation. The same free minds will mostly use freedom to do the moral thing. No matter what your opinion is on the subject, the evolution of technology is tightly linked to our own.

Does NoSQL = NoDBA?
Many companies will keep their relational databases for applications like OLTP where the level of data persistence is, by default, very high. At the same time, when new needs arise because of Big Users or Big Data, revolutionary apps or cloud-based offerings, they’ll think non-relational. And in some cases, both will be chosen. A relational database, for example, is an expensive way to store data, so lots of people will use, say, Hadoop to store the raw data and then process into a relational database for fast service and interactive queries. So it’s actually not a question of SQL or NoSQL, it’s more one of SQL and NoSQL.

UK cyber threat sharing ahead of target, says Cert-UK
Initially, the remit of CISP was to focus on technical network-level defender issues for large organisations, but that is now being broadened to include small and medium enterprises (SMEs). “This means that, in addition to technical information, we are now also pushing out more general information aimed at raising the level of awareness around cyber security topics,” said Gibson. For the September Nato Summit in Wales, Cert-UK set up a CISP-style node for all those involved in the event, from Nato’s incident response teams down to the hotel where the summit was being held.

Flipboard’s latest update integrates Zite’s tech to make you fall in love with digital magazines
The updated Flipboard addresses the problem of finding the best digital magazines by first asking you to select a handful of topics you’re interested in. When you start reading content based on a particular topic, Flipboard will then suggest other topics to follow and related magazines worth checking out. The idea, McCue told me, is to slowly refine how Flipboard delivers and recommends content by occasionally prompting you to follow or favorite the stuff you enjoy.

Facebook gives away homebrewed OS monitoring tool
The tool, called Osquery, allows administrators to run SQL-based queries on operating system characteristics stored in a high-performance database, collecting data such as running processes, loaded kernel modules and open networking connections, wrote Mike Arpaia, a Facebook software engineer. In the last few months, Facebook let other companies try Osquery after "it became clear to us that maintaining insight into the low-level behavior of operating systems is not a problem which is unique to Facebook," he wrote.

CIO relationships and priorities remain conflicted
A closer look at the data raises concerns about the CIO’s ability to achieve the promise of those good intentions. Although 70 percent of respondents say their organization has maturity in delivering business outcomes, only 55 percent prioritize this goal. Likewise in the next dimensions, enhancing customer experience and building a more agile IT delivery model. ... It is interesting to compare relationship importance to relationship quality, in the above diagram. We see that the CIO does not have a “very good” relationship with the CEO, CFO, or COO even though CIOs report these relationships as “very important.”

Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data
Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.

Quote for the day:

“The value of a man resides in what he gives and not in what he is capable of receiving.” -- Albert Einstein

October 29, 2014

Google Developing Disease Detection Pill
"Nanoparticles are the nexus between biology and engineering, so we can make these nanoparticles behave in ways that we want them to," Conrad explained. "Essentially, the idea is simple: You swallow a pill with these nanoparticles, and they're decorated with antibodies or molecules that detect other molecules. They course through your body, and, because the core of these particles are magnetic, you can call them somewhere... And you can ask them what they saw."

From Wearable to Invisible Technology
One of the big players in this school of thought is a company called MC10. MC10 has been working for almost 10 years to create BioStamp and Checklight. These are tiny, wearable devices that come with wireless capabilities, sensors and a number of other features. In BioStamp’s case, the device isn’t so much worn as it is stuck right on the body. Because of its flexibility, it can be worn like a temporary patch, or bandaid. Athletes could use something like this to closely and accurately monitor their heart rate and breathing patterns during physical exercise. The device could even track how their muscles respond to different training and what seems to be most effective or most damaging.

Joining up is hard to do
Just as full integration is impossible at a system level, it is also unlikely at an organisational level. Advocates of integrated solutions are often guilty of the merger illusion, namely that putting functions together in the same organisation is sufficient to make sectionalism subside. But as anyone who works in a large organisation will attest, the fact that managers share the same employer and use the same front door is pretty much irrelevant to whether they put corporate, customer-focussed interests above departmental, producerist ones.

Is it Enterprise Architecture or Wall Art?
The thing you have to be careful of is that if you see your markets disappearing, if your product is outdated, or your whole industry is redefining itself, as we have seen in things like media, you have to be ready to innovate. Architecture can restrict your innovative gene, by saying, “Wait, wait, wait. We want to slow down. We want to do things on our platform.” That can be very dangerous, if you are really facing disruptive technology or market changes. Albert Camus wrote a famous essay exploring the Sisyphus myth called “The Myth of Sisyphus,” where he reinterpreted the central theme of the myth.

Tech Support’s NSFW Problem
One big concern: As McAfee Labs warns in its 2014 Threat Predictions report, "Attacks on mobile devices will also target enterprise infrastructure. These attacks will be enabled by the now ubiquitous bring-your-own-device phenomenon coupled with the relative immaturity of mobile security technology. Users who unwittingly download malware will in turn introduce malware inside the corporate perimeter that is designed to exfiltrate confidential data." Today's malware from porn sites is usually not the kind of spyware that's dangerous to enterprises, says Carlos Castillo, mobile and malware researcher at McAfee Labs -- but that could change.

Top 10 Cloud Myths
"Cloud computing, by its very nature, is uniquely vulnerable to the risks of myths. It is all about capabilities delivered as a service, with a clear boundary between the provider of the service and the consumer," said David Mitchell Smith, vice president and Gartner Fellow. "From a consumer perspective, 'in the cloud' means where the magic happens, where the implementation details are supposed to be hidden. So it should be no surprise that such an environment is rife with myths and misunderstandings." Even with a mostly agreed on formal definition, multiple perspectives and agendas still conspire to mystify the subject ever more.

Five ways to make identity management work best across hybrid computing environments
The idea of holistic management for identity is key. There's no question about that, and something that we'll come back to is this idea of the weakest link -- a very commonly understood security principle. As our environment expands with cloud, mobile, on-prem, and managed hosting, the idea of a weak point in any part of that environment is obviously a strategic flaw. As we like to say at SailPoint, it’s an anywhere identity principle. That means all people -- employees, contractors, partners, customers, basically from any device, whether you’re on a desktop, cloud, or mobile to anywhere.

Is US Tech Policy Ready For A Zombie Apocalypse?
One Delaware law seeks to solve this problem by allowing all digital content to be passed along to family members after death. However, because eBooks on Amazon and movies on iTunes aren't owned, but rather licensed, these digital goods can be passed on only to the extent allowed by end-user licensing agreements. These agreements handle transfers differently. Apple's EULA defers to California law, while Amazon's and Google's EULAs don't allow for any transfer. Therefore, many state laws (such as Delaware's) will have little effect. Federal legislation is needed to put this issue to rest.

Cloud Sprawl: The Problem of Too Many Clouds
Believe it or not, this is actually becoming a bit of a problem. Administrators are working with a very new technology and are beginning to expand their WAN (or cloud) presence far beyond what they originally thought would be possible. IT consumerization has been the main driver behind this push as has been the demand for more distributed computing systems. Unlike virtualization or even desktop sprawl, administrators have the opportunity to get control of the cloud environment sooner rather than later.

How SOA Governance (and SOA Management) Should Actually Be Done
Organizations do have well-defined separation of governance and management functions in general, but this wisdom seems to be absent when dealing with SOA. After all, the board of directors and the executive management team look at the “what” and “how”, respectively, of everything the organization does. Similarly, project steering committees and working groups do the same at lower levels. So what about SOA governance (and SOA management)? Why is there so much confusion and conflation between these two functions? Shouldn’t it be just a simple matter of extension, based on what we know about SOA and about the functions of governance and management?

Quote for the day:

"The man who complains about the way the ball bounces is likely to be the one who dropped it." -- Lou Holtz