Daily Tech Digest - December 02, 2016

Travel Security Tips for Personal and Business Trips

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices. It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Major cybercrime network Avalanche dismantled in global takedown

To shut down Avalanche, law enforcement agencies embarked on an investigation that lasted longer than four years and involved agents and prosecutors in more than 40 countries, according to the U.S. Department of Justice. Europol said 39 servers supporting Avalanche were seized, and another 221 were forced offline with notifications sent to their hosting providers. Investigators used a method known as sinkholing to infiltrate the cybercriminals' computer infrastructure and disrupt their activities. This involved redirecting the internet traffic from Avalanche's infected computers to servers controlled by law enforcement. "The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale," Europol said in a statement.

Why Small Businesses Should Get Smart About Information Security

In many ways, small businesses have even more to lose than large ones simply because an event—whether a hacking, natural disaster, or business resource loss—can be incredibly costly. The report begins by noting that while cybersecurity improvements by some businesses have rendered them more difficult attack targets, this has led hackers and cyber criminals to focus more of their attention on less secure businesses. One reason for this is that small businesses, including startups, often lack the resources to invest in information security the way larger businesses can. Many fall victim to cyber-crime. In a later comment on the report, author Pat Toth stated, "[s]mall businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals."

Mobile Device Security is the need of the hour

One of the biggest apprehensions when it comes to using Android devices in any government and enterprise environment is the lack of security for the mobile device and the data on it. Google recently unleashed one of its biggest marketing campaigns and product launches outside the US. With the launch of Android One, it wants to capture the other billion. This has been a major success for Google, which, in spite of its world dominance in terms of Android users, is still not able to tightly manage its ecosystem. Fragmentation of software, screen size and resolution was hurting the app developer ecosystem. Android One as a strategy comes like a knight in shining armor for Google: it will reduce fragmentation by strongly controlling what goes into the phone.

Six must-haves for IT's mobile security checklist

Let's face it -- there is no such thing as absolute security, and there likely never will be, simply because allowing even restricted access to any resource means that someone might compromise this access. Hackers may be bright but misguided; professional information thieves, however, are like any other spies on a critical mission, with the goal of stealing information or disrupting an organization's operations, often with devastating results. Since it's impossible to guarantee absolute security, the mission for IT administrators is to make any compromise of enterprise mobile security so difficult that all but a handful of hackers with access to nation-state-level resources will simply give up. The basics of good security practice are the same, regardless of organizational mission, size or the specific infrastructure and tools.

2017 security predictions

Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it's not just external threats that are a problem. Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security, he says. "What we're talking about is credential vaults. In an ideal world, a user would never actually know what their password was -- it would be automatically populated by the vault, and rotated and changed every week. Look -- hackers are intrinsically lazy, and they have time on their side. ...," Dircks says.

Cybersecurity: Steps To Manage Cyber Risks Effectively

Hackers are targeting organizations from all industries, including not-for-profits and charities, by using techniques ranging from Advanced Persistent Threats ("APT") to sophisticated spear phishing campaigns. In such an environment, how should organizations prepare for the unexpected? While the challenge is significant, it is not insurmountable. The impact of a cyberattack on an organization can be significant. In many instances, an organization can lose the trust of its internal and external stakeholders if it comes to light that it had not put sufficient time, resources and energy into preparing for a cyberattack. On the other hand, organizations that invest in planning for the likely eventuality of a cyberattack are much better positioned to deal effectively with and limit any negative consequence.

Implantable medical devices can be hacked to harm patients

At least 10 different types of pacemaker are vulnerable, according to the team, who work at the University of Leuven and University Hospital Gasthuisberg Leuven in Belgium, and the University of Birmingham in England. Their findings add to the evidence of severe security failings in programmable and connected medical devices such as ICDs. ... Previous studies of such devices had found all communications were made in the clear. "Reverse-engineering was possible by only using a black-box approach. Our results demonstrated that security by obscurity is a dangerous design approach that often conceals negligent designs," they wrote, urging the medical devices industry to ditch weak proprietary systems for protecting communications in favor of more open and well-scrutinized security systems.

Should application development have greater security-based regulation?

While he admits the likes of PCI compliance or the incoming GDPR are starting to help, none of them go deep enough down into the code level for O’Sullivan’s liking, and instead he would like to see new rules that focus on secure code development. “If the regulations just went a little bit deeper - to kind of look at a granular level where the problems really are - and mandated using certain types of frameworks and using certain types of controls at a code level, that would help.” “There's all sorts of controls built into your code, they're out there, OWASP [a non-profit repository of security information] is a great resource for that type of thing. There's cheat sheets for avoiding certain vulnerability types. Use them, put them in your code. Mandate that they get used, build that into regulations.”

Data Science Up and Down the Ladder of Abstraction

If you're thinking of developing your skills in data science, you've probably already considered Python or R. Python is an especially popular choice for those coming from a programming background since it's a good general-purpose scripting language which also provides access to excellent statistical and machine learning libraries. When I first started out in data science I used Python and scikit-learn to tackle a clustering project. I had some data gathered from social media on users' interests and I was trying to determine if there were cohorts of users within the whole. I chose spectral clustering because it could identify non-globular clusters (so must be better, I reasoned), and the first results were promising. My confidence quickly evaporated when I re-ran the clustering and got different results.

Quote for the day:

"Leadership is not about making all the decisions. It's about clarifying decisions to be made and supporting your people to make them." -- @NextNate

Daily Tech Digest - December 01, 2016

‘Cybersecurity has become a full-time job’ in healthcare

“Cybersecurity has become a full-time job,” Karl West, CISO of Intermountain Healthcare in Utah, said at AEHIX, an adjunct conference to the College of Healthcare Information Management Executives (CHIME) Fall CIO Summit this month in Phoenix. “There is a call for all of us to do better,” West said. He said that healthcare may only be at 30 percent to 50 percent of compliance with the required security regulations. Healthcare trails other industries in this area because it has spent so much money on transforming care with IT, while cybersecurity has ended up taking a back seat. At the annual U.S. News and World Report Healthcare of Tomorrow summit held earlier this month in Washington, D.C., Dr. Brian Jacobs, CMIO of Children’s National Medical Center, said that the hospital now dedicates 19 percent of its IT budget to security, Politico reported.

Destructive Hacks Strike Saudi Arabia, Posing Challenge to Trump

The ferocity of the attacks appears to have caught Saudi officials by surprise. Thousands of computers were destroyed at the headquarters of Saudi Arabia's General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days, according to the people familiar with the investigation. There have been no reports of widespread transportation interruptions at King Khalid International Airport in Riyadh or the other major airports. A spokesman for the aviation authority in Riyadh didn't immediately respond to phone calls and e-mails requesting comment. The people familiar with the probe didn't identify the other targets, but one said they were all inside Saudi Arabia and included other government ministries in the kingdom, a country where information is highly controlled.

Most Organizations Not Adequately Prepared for Cyber Attacks: Marsh Cyber Handbook

“While cyber breaches are one of the most likely and expensive threats to corporations, few companies can quantify how great their cyber risk exposure is, which prevents them from protecting themselves,” according to an article in the handbook titled “Can You Put a Dollar Amount on Your Company’s Cyber Risk?” “Most managers rely on qualitative guidance from ‘heat maps’ that describe their vulnerability as ‘low’ or ‘high’ based on vague estimates that lump together frequent small losses and rare large losses,” adds the article. ... The challenge is “to build a smart, well-designed, cyber risk model that’s able to analyze potential direct revenue, liability, and brand loss scenarios.”

IoT to Get Security, Gateway Benchmarks

The working group for the gateway benchmark aims to deliver system-level benchmarks measuring overall throughput, latency and energy consumption for node-to-cloud communications. It will probably start with an industrial profile but has not yet specified what parameters it will measure. The group currently includes members from ARM, Dell, Flex and Intel and hopes to deliver a complete spec by next fall. It will use workloads generated across multiple physical ports to test multiple system components including the processor, physical and wireless interfaces and the operating system. “Today, without a standardized methodology, IoT gateway benchmarking is not realistic,” said Paul Teich, a principal analyst at Tirias Research and technical advisor to EEMBC.

MongoDB-as-a-Service on Pivotal Cloud Foundry

Mallika Iyer and Sam Weaver give a brief overview of Pivotal Cloud Foundry and then take a deep dive into running MongoDB as a managed service on the platform. The MongoDB service for Pivotal Cloud Foundry leverages the capabilities of Bosh 2.0 for on-demand, dynamic provisioning of services while maintaining an integration with MongoDB's Cloud Ops Manager, to provide the best of both PCF and MongoDB. Mallika Iyer is a Principal Software Engineer at Pivotal and spends a lot of time building Bosh-managed services that run on Pivotal Cloud Foundry. She is a cloud architect and has an extensive background in NoSQL and large-scale search. Sam Weaver is the Product Manager for Developer Experience at MongoDB, based in New York.

Data Breach Preparation and Response: Breaches are Certain, Impact is Not

It is a good practice to map out what you believe to be the Breach Breakdown in some sort of visual manner so that you can more clearly define your working hypothesis. You should also include a timeline of events that represents the chronological progression of the attack. This will be of particular interest to executives and general counsel as they prepare statements regarding what happened and when. In addition, you should maintain a companion list of the impacted systems represented in the diagram. This list should include additional system details such as IP address, hostname, OS, system function (i.e., web server, database, workstation), and method of compromise.

The real effect Google's Pixel phone is having on Android

Features unique to the Pixel, such as the Google Assistant, the Pixel camera, and Daydream ... plus the smartphone's deeper app integration [and] increased prominence of Android Pay ... will ultimately lead to users spending more money on Android, according to the research note. Morgan Stanley's analysts also predict that these features could see the Pixel driving higher mobile search monetization for Google as advertisers will spend more to reach the consumers who spend the most on their mobiles. And there you have it. The Pixel is ultimately a vessel for Google to bring its own mobile vision directly to mainstream users. That benefits Google as a company, and it benefits us as consumers who carry Android phones.

Disaster recovery testing: A vital part of the DR plan

The cost of implementing disaster recovery is directly affected by the level of recovery required, so, to contain costs, applications have to be prioritised against a set of metrics that determine recovery requirements. Recovery time objective (RTO) describes the amount of time a business application can tolerate being unavailable, usually measured in hours, minutes or seconds. We can imagine that applications delivering core banking for financial organisations have an RTO of zero, whereas some back-end reporting functions may have an RTO of up to 4 hours. Recovery point objective (RPO) describes the previous point in time from which an application should be recovered. To use our banking example again, an RPO of zero will be expected for most applications – we don’t want to accept any lost transactions.

How is runtime as a service different from PaaS or IaaS?

RaaS differs from platform as a service (PaaS) in that the environment in many PaaS systems is long-running, although PaaS systems do automatically scale the application up or down as RaaS does. Additionally, a traditional PaaS deployment limits developers to a specific application framework. With many RaaS concepts, developers essentially deploy code in a container that starts on demand. The major thing to focus on when building an application using RaaS is minimal bootstrapping, so the runtime can start up, execute and shut down quickly. Infrastructure as a service (IaaS) is a traditional cloud computing service where companies pay by the hour for compute environments, whether they're actively used or idle. While it's the least efficient form of cloud computing, IaaS is still the go-to for most companies, primarily because it's the most similar to traditional programming.

The Hardest Part About Microservices

The journey to microservices is just that: a journey. It will be different for each company. There are no hard and fast rules, only tradeoffs. Copying what works for one company just because it appears to work at this one instant is an attempt to skip the process and journey, and it will not work. And the point to make here is that your enterprise is not Netflix. In fact, I’d argue that however complex the domain is at Netflix, it’s not as complicated as it is at your legacy enterprise. Searching for and showing movies, posting tweets, updating a LinkedIn profile, etc., are all a lot simpler than your insurance claims processing systems. These internet companies went to microservices because of speed to market, sheer volume, and scale.

Quote for the day:

"I think we ought to read only the kind of books that wound and stab us. If the book we are reading doesn't wake us up with a blow on the head, what are we reading it for?" -- Franz Kafka

Daily Tech Digest - November 30, 2016

10 ways to gracefully kill an IT project

The factors behind terminating a project may vary: the complexity involved, limited staff resources, unrealistic project expectations, a naive and underdeveloped project plan, the loss of key stakeholders, higher priorities elsewhere, or some other element - but likely it will be a combination of some or many of these possibilities. ... Halfway through implementation it becomes clear the backup process will consume more bandwidth than expected, will take an inordinate time to complete backing up servers with hefty storage levels, and will cost more in the long run than the existing tape solution, which can be refactored for cheaper, more efficient and less complicated administration. Clearly this is the proverbial "record coming off the needle" moment at which a harsh truth must be acknowledged.

Do You Really Have To Migrate To The Cloud?

Call it “digital darwinism.” Cloud brings big benefits to application vendors. On-premise customers using previous versions require maintenance — and that’s a big drain on vendor resources. And they’re not as happy as new customers because they don’t have the latest innovations. Sales people have to spend lots of time trying to help justify upgrades — time they could use to sell to new customers. Extra costs and slower innovation mean that over the long term, vendors offering cloud solutions will win. ... It’s time to remind her that her email — perhaps the most sensitive data you have in the company — already flies freely across public networks, protected only by security protocols. Remind her that money in your company’s bank accounts is really just data stored in ethereal databases around the globe.

4 things you should never say if you want to innovate successfully

For us, realistic innovation means starting with our customers, not our engineering department. Our product team creates bare-bones prototypes in low-tech tools like PowerPoint and shops them around. We learn what resonates with our target market before engaging expensive development resources, which ensures that engineers only work on projects with real legs. The products that pass the PowerPoint test do go to development, but customers remain involved. We ask them not only if the technology fills a need, but whether we are communicating the value proposition in a meaningful way. Successful innovation requires both: the right offering and the right pitch. When you’re lucky and smart enough to find both, pour fuel on the fire. The nature of that fuel will be different for different companies and products.

How the convergence of automotive and tech will create a new ecosystem

The operating models of the two sides differ dramatically. For example, automakers reengineer their core products approximately once every seven years, with noticeable updates every three years, but do not update existing products. Tech companies redo their core products about every two years, make noticeable updates every two months, and provide continual updates for existing products. The OEMs’ systematic “waterfall” approach to product development tends to slow down innovation; the average time to market is about five years. Most tech players depend on agile operating models that enable a time to market of roughly two years.

Branding: A Strategic Imperative For High-Tech Marketers

Unless a company has just hired a brand new CMO who wants to leave a mark, goes through major changes such as a merger, or exits a product line, branding is usually a tool better left for consumer companies. In a world of big data marketing and mandatory ROI, spending on branding is difficult to justify, as its impact can appear intangible. It takes time for a new brand initiative to bring results, because building a brand does not happen overnight. The question is: Why would you engage in a branding initiative in an industry where investors and shareholders have little patience? Well, here are a few reasons why we should consider branding a key strategic imperative for enterprise software or cloud services, especially in a high-growth environment.

Technology Isn’t the Answer to Surviving Digital Disruption

The goal is not to become a tech company. The goal must be to embed technology so ubiquitously and so deeply within the culture and operating model of the company that it becomes transparent - allowing you to enhance the customer experience and deepen your relationships. The challenge is that most traditional organizations have a self-view that is essentially synonymous with the product they sell or the service they provide. The required shift is not to become a tech company, but rather to make the organization synonymous with the value they provide and the relationship they create. The organization can only re-envision its business model from that perspective. The real goal of digital transformation, therefore, is to leverage technology to reshape and enhance the value you deliver to your customers.

A new Digital CIO must emerge from digital economy disruption

Technology has certainly affected the way we do business and the roles companies play. The time is now to refocus and turn those initiatives into a full-fledged digital transformation strategy. That means CIOs must reinvent themselves: they need to understand how the disruptions that digital transformation will bring to businesses as we know them can create opportunities for growth, and establish themselves as the strategic digital leaders companies expect and need them to be. Before we explore what’s coming with the new digital reality, it is important to look at the present and understand how companies and CIOs are dealing with their IT departments. Reinventing the IT function to support the digital transformation requires far-reaching changes, from talent to infrastructure, and takes multiple years to complete.

What is email security and how can SMEs get it right?

“Email was never intended to be used in the way it is now. It’s not really kitted out for all of the risks associated with the internet; it was designed for a more trusting environment,” he explains. And it’s a mistake to think that SMEs don’t present a worthwhile target. In fact, they present attractive opportunities. ... “What does worthwhile mean?” asks Mr Bauer. “It’s relative to the cost of putting on an attack, and to the downside of getting caught.” Both are low when it comes to an attack on an SME, which makes them more appealing than larger corporations. Each time an attempt to hack your company is made via email, one of two aims is at play: to steal money, or to gain information. Small businesses should bear those purposes in mind, because they can be key to spotting – and stopping – hacks.

Why Now Is the Ideal Time for the CIO to Work with Graphs

There’s clearly enormous market growth taking place. Forrester Research estimates that one in four enterprises will be using such technology by 2017, while Gartner reports 70% of leading companies will pilot a graph database project of some significance by 2018. Graph databases aren’t applicable or helpful for all problems; there are transactional and analytical processing needs for which relational technology will probably always be the correct option, and there are NoSQL database alternatives that handle other types of large datasets well. But graphs make sense for any organisation seeking to make the most of its connected data. That is why I would recommend that any CIO look to NoSQL, including graph databases, as a powerful new tool to supplement their RDBMS investment and deal with the growing data tsunami.

A new way to anonymize data might actually work

This is definitely a good thing, as EHR databases are now popular targets for cybercriminals due to the amount of data available in one location, as well as the fact that data—unlike financial information—cannot be changed or canceled. The paper's authors explain that the PEP framework consists of two components: polymorphic encryption and polymorphic pseudonymisation. The researchers begin with polymorphic encryption by explaining how it differs from more traditional encryption processes: "In traditional encryption, one encrypts for some chosen recipient who then holds the decryption key; whereas in polymorphic encryption one encrypts in a general manner and at a later time the encryption can be transcribed to multiple recipients with different keys."
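The property quoted above, encrypting once "in a general manner" and later transcribing the ciphertext to different recipients without decrypting it, can be shown with an ElGamal-style re-keying step. This is an added toy sketch, not code from the article or from the PEP researchers; the group parameters, the recipient factors and the way recipient keys are derived from a master key are assumptions made for the demo.

```python
# Toy polymorphic encryption: a message is encrypted once under a master
# public key, and a party holding only a per-recipient factor k can later
# transcribe (re-key) the ciphertext so that recipient i can decrypt it with
# a key of their own. The transcribing party never sees the plaintext.
# Added illustration; parameters are toy values, not production sizes.
import secrets

# Toy safe prime p = 2q + 1 (q prime); G = 4 generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def keygen():
    """Return (private, public) for the master key: x and y = g^x."""
    x = secrets.randbelow(Q - 1) + 1          # x in [1, Q-1]
    return x, pow(G, x, P)


def encrypt(m, y):
    """ElGamal encryption of an integer m (1..P-1) under public key y.
    The public key travels with the ciphertext so re-keying can update it;
    this triple (b, c, y) is the 'polymorphic' ciphertext."""
    if not 0 < m < P:
        raise ValueError("message must be an integer in 1..P-1")
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(y, r, P) % P, y)


def rekey(ct, k):
    """Transcribe a ciphertext under y into one under y^k (private key x*k).
    (g^r, m*y^r, y) -> (g^(r/k), m*y^r, y^k): the middle term is unchanged
    because y^r == (y^k)^(r/k). Needs only k, not x or m."""
    b, c, y = ct
    k_inv = pow(k, -1, Q)                     # exponents live in Z_q
    return (pow(b, k_inv, P), c, pow(y, k, P))


def decrypt(ct, x):
    """Standard ElGamal decryption: m = c / b^x."""
    b, c, _y = ct
    return c * pow(pow(b, x, P), -1, P) % P


def recipient_private_key(master_x, k):
    """Assumed key derivation for the demo: recipient i's private key is
    x*k_i mod q, matching the public key y^k_i placed in the re-keyed ciphertext."""
    return master_x * k % Q


def transcribe_demo(m, factors):
    """Encrypt m once, re-key it for each recipient factor, and return what
    each recipient decrypts plus whether recipient A's key opens B's copy."""
    master_x, master_y = keygen()
    general_ct = encrypt(m, master_y)         # produced once, recipient-agnostic
    plaintexts = {}
    keys = {}
    for name, k in factors.items():
        ct_i = rekey(general_ct, k)
        x_i = recipient_private_key(master_x, k)
        assert ct_i[2] == pow(G, x_i, P)      # re-keyed ciphertext matches recipient key
        plaintexts[name] = decrypt(ct_i, x_i)
        keys[name] = (ct_i, x_i)
    # A recipient's key must not open another recipient's transcription.
    (ct_a, _xa), (_ct_b, x_b) = keys["hospital_a"], keys["researcher_b"]
    cross_key_works = decrypt(ct_a, x_b) == m
    return plaintexts, cross_key_works


if __name__ == "__main__":
    # Constructed demo: two recipients with distinct, non-zero factors mod q.
    print(transcribe_demo(314, {"hospital_a": 17, "researcher_b": 123}))
```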

Quote for the day:

"You have all the reason in the world to achieve your grandest dreams. Imagination plus innovation equals realization." -- Denis Waitley