Daily Tech Digest - May 16, 2017

What are the key functions to look for in API management platforms?

One of the most important questions to ask when weighing the pros and cons of API management software is this: Why is one unified platform better than multiple, targeted tools? If your organization already has an established API, it's entirely possible that you have a piecemeal solution in place for API management. Documentation, testing, security and scalability are all big areas where individual tools exist. While using multiple API tools might feel like less of a commitment, they can often leave something to be desired. These tools may lack in how they integrate with each other, and how accessible they are to employees outside of the engineering team. So, when ultimately considering the purchase of an API management platform, what features should you actually consider? While this might seem like a pretty loaded question, the answer isn't nearly as complicated as you'd think.


5 ways to reduce insider security risks

Policies can be as straightforward as 'employees shouldn't have more access to confidential data than their current job requires' and then implementing a program to review access on a regular basis. Too often employees accumulate access rights that aren't revoked when they move to new projects. Firms often roll out a 'privileged account management' tool to control what their IT admins do, and then ignore the far-reaching risks associated with non-privileged employees: the call center reps accessing customer records, contractors accessing finance records, partners accessing design docs, etc. Strong security policies will follow the 'Mini-Max' rule - minimize access where possible, maximize monitoring of that same access, for unusual patterns.


The ‘cobots’ are coming. Is your IT team ready?

Meet today's robot workforce. Manuel is a collaborative robot (or cobot) that's helping Creating Revolutions build electronic tabletop devices for the restaurant industry. The startup didn't always rely on a gunmetal grey robot arm to assemble its devices, which allow restaurant customers to text requests to busy wait staff. But faulty assembly was causing double-digit failure rates. "The problem is you can't efficiently repeat a specific process the exact same over and over again as a human being," says Einar Rosenberg, CIO of Creating Revolutions. With Manuel on the payroll, Creating Revolutions has reduced its product rejection rate to nearly zero. Changes to manufacturing processes can be made in real time for greater flexibility. And by cost-effectively increasing production rates, Creating Revolutions has managed to reduce its overhead by double digits.


Be proactive to minimize exposure to cyberattacks

Recommendations from Shelhart included blocking some commonly used remote access tools; investing in file integrity monitoring systems to validate operating systems and software; locking out or segmenting vendors, whose data systems may be more vulnerable than your own; reducing the lateral movement of data within a company without crimping essential communication; and not spending a lot on “silver bullet” tools that may not work as advertised. Jeff Jensen, a former FBI agent and federal prosecutor now with the Husch Blackwell law firm, described 10 components of how to respond if a breach occurs. They included quickly securing an information system before the damage spreads, complying with breach notification laws, calling in a digital forensic expert, checking what insurance coverage is in place or getting coverage if it’s not, and thinking through how to respond to press and other inquiries.


Warren Buffett’s cybersecurity wake-up call — are we listening?

The government needs to heed Uncle Warren’s warning and treat cybersecurity with the utmost urgency. Here are four steps the administration can take immediately to better protect the government and industries it regulates from cyber threats. ... There are encouraging signs this could happen. During his Senate confirmation hearing, Clayton — who had spent more than 20 years working for Wall Street companies on mergers, acquisitions and federal regulatory compliance — said he did not think public companies were providing investors with enough information about cybersecurity. He also told the Senate Banking Committee he supports a Senate bill that would require companies to disclose whether their board of directors have a cybersecurity expert.


Medical Device Security Focus in Recent NCCoE Collaboration

A tiered risk management approach will also benefit organizations, the guide states. This involves reviewing the organization, the mission/business process, as well as the information system – the environment of operation. “Vulnerabilities may be present in infusion pumps and their server components since these devices often include embedded operating systems on the endpoints,” NCCoE wrote. “Infusion pumps are designed to maintain a prolonged period of useful life, and, as such, may include system components (e.g., an embedded operating system) that may either reach end-of-life or reach a period of degraded updates prior to the infusion pump being retired from service. Patching and updating may become difficult over the course of time.”


More disruptions feared from cyber attack; Microsoft slams government secrecy

In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April. "This is an emerging pattern in 2017," Smith wrote. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world." He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.


Steps for Fortifying Your Organization’s Data in the Cyber War

The business of cyber war is changing and evolving rapidly. Through our direct engagements helping enterprises improve defenses and improve incident response, we have seen direct evidence of how adversaries are evolving in their attacks. We can now view adversary actions in cyberspace as if it is a new, but evil, business market. The adversaries and their capabilities and actions have the same characteristics of actors in a business market and every executive should pay attention to how this horizontal is growing and changing. The evolution to a mature industry has started and will continue at an ever increasing pace as adversaries become more sophisticated. In the past, cyber attacks were aimed at single individuals - stealing your personal information for short-term gain.


Paying The WannaCry Ransom Will Probably Get You Nothing

"The odds of getting back their files decrypted is very small," said Vikram Thakur, technical director at security firm Symantec. "It's better for [the victims] to save their money and rebuild the affected computers." The WannaCry ransomware, also known as WanaDecryptor, broke out last Friday, infecting vulnerable Windows systems like a computer worm. More than 300,000 machines in 150 countries have been hit so far, U.S. homeland security advisor Tom Bossert said in a press briefing on Monday. The infection strikes by encrypting all the files on the PC and then displaying a ransom note demanding US$300 or $600 in bitcoin. Victims who don’t pay will have their files erased after seven days. Owners of these machines may be tempted to pay the ransom, but don’t count on getting your files back, said Matthew Hickey, director of security provider Hacker House.


Google moves Android out of the app and into the auto with Volvo, Audi partnerships

Drivers will not need to plug in an Android phone to access any of the system’s features, and car makers will have the ability to customize the controls, interface, and applications pre-loaded into the operating system, just like phone makers do. The version of the software that Bloomberg saw had “three main windows for users: a central panel for playing music, making calls and navigating; another with a grid of core car functions; and a third that lists installed Android apps. A button on the steering wheel and a voice command can activate the Google Assistant.” Google said it will be previewing the new Volvo and Audi Android Auto systems at I/O this week.



Quote for the day:


"When human judgment and big data intersect there are some funny things that happen." -- Nate Silver