September 16, 2016

5 security practices hackers say make their lives harder

It's easy to fall into the trap of thinking of privileged accounts in terms of the human users who have them. But privileged accounts are also extended to machines and systems to allow them to interact. Organizations typically have two to three times more privileged accounts than they have employees. Carson notes that every system that gets deployed comes with a default account, and those systems get connected to service accounts to maintain them. Each virtual machine that gets deployed also receives privileges that don't expire when the machine they're associated with gets spun down. And if a VM is cloned, those privileges get cloned along with it. As a result, organizations often wind up with large numbers of rogue privileged accounts with access to their environment.


Polymorphism of MVC-esque Web Architecture: Classification

Arguably, the model has experienced the most significant changes since the inception of the MVC almost forty years ago. For this discussion, the model is defined liberally to include the in-memory model object (such as record set), the source data/document/file/signal of system of record (SoR) behind the object, and all the processes synchronizing and bringing them together. The type of data repository of the model has evolved from a small floppy disk to RDBMS, and to MMDBMS (multi-model database management system). The repository has gone from co-locating with the in-memory model object isolated on the user’s desktop to locating remotely from the domain object as broadband-connected, distributed and/or cloud-based systems.


5 Things You Should Know About Nigerian 'Digital Check Washing' Rings

WWG1 uses a simple tool to crawl the Internet and scrape employee email addresses from corporate websites. Those employees are then bombarded with viral emails (the kind with a virus, not the kind that gets Internet-famous). The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company's Web email server. Once they gain control of the email server, they begin daily monitoring for purchase order communiques. They also prepare lookalike emails, as well as arrangements to wire funds into bank accounts set up to launder stolen payments. None of this requires any special hacking expertise; the necessary software and tutorials are widely available online.


How blockchain is transforming business models

To put it simply, distributed ledgers are just a method of recording data digitally, and can be applied to anything that needs to be independently recorded and verified as having happened, e.g. transactions, agreements, contracts, ownership, etc. According to a SWIFT Institute Working Paper, it is the robustness and relative simplicity of the Bitcoin blockchain that has sparked interest in applying similar technology to wholesale markets' securities settlement, as this can potentially reduce costs and risks. And according to a White and Case report, a similar blockchain can also be used to improve and enhance currency exchange, supply chain management, trade execution and settlement, remittance, peer-to-peer transfers, micropayments, asset registration, correspondent banking and regulatory reporting.


What Airbnb can teach HR about trust

You may be thinking, sharing a car with someone and then rating them on their driving skills is nowhere near equivalent to the relationships that form in the workplace. In reality, with websites like Glassdoor and Indeed, companies are already developing their own online reputations based on employee reviews. The potential impact of these reviews can be explained by the similarity bias. Job seekers are going to be much more apt to believe the reviews of current employees than company recruitment efforts or statements by the CEO. Creating trust between employees and managers should therefore be at the top of every HR department's agenda. Using best practices from the sharing economy can be easier than you think. Essentially, what Airbnb and other companies have proven is that opening yourself up to feedback will increase trust in the eyes of others.


Cognitive Computing: Five “I wish I would haves” to Avoid

Computing capabilities are unbelievably strong today. There's a greater discipline in algorithms than we've ever seen. Data storage costs, what, around 3 cents to store a gig of data today? Put it all together, and you realize that whatever we've done in cognitive computing today will soon be considered quaint early indicators of the seismic changes that follow. We are heading down an exponential change curve. Because cognitive computing is already a burgeoning reality among the businesses I work with every day, I've already observed a few seriously risky views on it. Why are they risky? Because if they take hold, they're likely to lead many to say, "I wish I would have" in the not-so-distant future. And in this case, the implications of getting it wrong, or simply not getting on board fast enough, could be serious.


It’s time to practice what we preach in cloud security

Most hackers are after a quick and easy payday. And any savvy hacker knows there's loot to be had from cloud services. Given today's consumer/corporate crossover world we live in, things like Dropbox are a prime target as they're a vast cache of IP and corporate databases, and probably a fair amount of personal information that can be exploited. At the same time, apps like OneLogin are designed to increase security, and anyone looking to procure a few passwords would do well to try their luck here. The cloud industry has been hard at work dragging people over the line in the security debate for some time. We have worked hard to tackle the issue head on, and incidents like these don't help assuage the doubts that many still have.


For regulators, cybersecurity must be more than just site visits and questionnaires

One has to do with the fact that regulatory bodies still rely on a rather old-fashioned technique for assessing compliance in cybersecurity (and really any area): having an examiner visit an organization's site and ask questions, or require the organization to fill out questionnaires. This kind of "point-in-time" monitoring certainly has its value, but too easily can be a once-a-year bureaucratic exercise that provides only a snapshot of an enterprise's cybersecurity health. These exercises are quite financially burdensome for the regulated entities to comply with, and budget-strapped agencies are also hard-pressed to stay on schedule with the assessments. Regulatory agencies, fortunately, are looking at new commercially available technologies that provide critical cybersecurity performance data in a continuous fashion.


Pros and Cons of Cross-Platform Mobile App Development

Since the User Interface (UI) and User Experience Design (UXD) of iOS and Android are quite different from each other, it's not an easy task to create a uniform GUI wrapper on top of them. Though Xamarin and others have put in significant work on this front, it is far from perfect. It works well if you design your application to live within the framework's limitations; however, if you need anything that doesn't fit with the framework's vision, it requires a lot of work to implement and requires writing platform-specific code. To give you an example, in Xamarin Forms it takes a lot more work if your designer chooses to give custom-colored borders to text fields. As this is not obvious to the designer, once you have settled on the design, the programming team needs to put in a lot of effort to pull off this seemingly simple design.


Risk Management Best Practices For CISOs

There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is "Evolution of Resiliency" and the Y-axis is the "Invisible to Visible Value Chain", meaning: what solutions currently exist, and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flush out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.


Quote for the day:

"As we look ahead into the next century, leaders will be those who empower others." -- @BillGates