Daily Tech Digest - February 27, 2025


Quote for the day:

“You get in life what you have the courage to ask for.” -- Nancy D. Solomon



Breach Notification Service Tackles Infostealing Malware

Infostealers can amass massive quantities of credentials. To handle this glut, many cybercriminals create parsers to quickly ingest usernames and passwords for analysis, said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk. The leaked internal communications of ransomware group Black Basta demonstrated this tactic, he said. Using a shared spreadsheet, the group identified organizations with emails present in infostealer logs, tested which access credentials worked, and checked the organization's annual revenue and whether its networks were protected by MFA. Using this information helped the ransomware group prioritize its targeting. Another measure of just how much data gets collected by infostealers: the Alien Txtbase records include 244 million passwords not already recorded as breached by Pwned Passwords. Hunt launched that free service in 2017, which anyone can query for free and anonymously, to help users never pick a password that's appeared in a known data breach, shortly after the U.S. National Institute for Standards and Technology began recommending that practice. Not all of the information contained in stealer logs being sold by criminals is necessarily legit. Some of it might be recycled from previous leaks or data dumps. Even so, Hunt said he was able to verify a random sample of the Alien Txtbase corpus with a "handful" of HIBP users he approached.


The critical role of strategic workforce planning in the age of AI

While some companies have successfully deployed strategic workforce planning in the past to reshape their workforces to meet future market requirements, there are also cautionary tales of organizations that have struggled with the transition to new technologies. For instance, the rapid innovation of smartphones left leading players such as Nokia behind. Periods of rapid technological change highlight the importance of predicting and responding to challenges with a dynamic talent planning model. Gen AI is not just another technological advancement affecting specific tasks; it represents a rewiring of how organizations operate and generate value. This transformation goes beyond automation, innovation, and productivity improvements to fundamentally alter the ratio of humans to technology in organizations. By having SWP in place, organizations can react more quickly and intentionally to these changes, monitoring leading and lagging indicators to stay ahead of the curve. This approach allows for identifying and developing new capabilities, ensuring that the workforce is prepared for the evolving demands these changes will bring. SWP gives a fact base to all talent decisions so that trade-offs can be explicitly discussed and strategic decisions can be made holistically—and with enterprise value top of mind. 


Cybersecurity in fintech: Protecting user data and preventing fraud

Fintech companies operate at the intersection of finance and technology, making them particularly vulnerable to cyber threats. These platforms process vast amounts of personal and financial data—from bank account details and credit card numbers to loan records and transaction histories. A single security breach can have devastating consequences, leading to financial losses, regulatory penalties, and reputational damage. Beyond individual risks, fintech platforms are interconnected within a larger financial ecosystem. A vulnerability in one system can cascade across multiple institutions, disrupting transactions, exposing sensitive data, and eroding trust. Given this landscape, cybersecurity in fintech is not just about preventing attacks—it’s about ensuring the integrity of the entire digital financial infrastructure. ... Governments and regulatory bodies worldwide recognise the critical role of cybersecurity in fintech. Frameworks like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. set stringent standards for data privacy and security. Compliance is not just a legal necessity—it’s an opportunity for fintech companies to build trust with users. By adhering to global security best practices, fintech firms can differentiate themselves in an increasingly competitive market while ensuring customer data remains protected.


The Smart Entrepreneur's Guide to Thriving in Uncertain Times

If there's one certainty in business, it's change. The most successful entrepreneurs aren't just those who have great ideas — they are the ones who know how to adapt. Whether it's economic downturns, shifts in consumer behavior or emerging competition, the ability to navigate uncertainty is what separates sustainable businesses from those that struggle to survive. ... Instead of long-term strategies that assume stability, use quick experiments to validate new ideas and adjust quickly. When we launched new membership models at our office, we tested different pricing structures and adjusted based on user feedback within weeks rather than months. ... Digital engagement is changing. Entrepreneurs who optimize their messaging based on social media trends and consumer preferences gain a competitive edge. For example, when we noticed an increase in demand for remote work solutions, we adjusted our marketing efforts to highlight our virtual office plans. ... strong company culture that embraces change enables faster adaptation during challenging times. Jim Collins, in Good to Great, emphasizes that having the right people in the right seats is fundamental for long-term success. At Coworking Smart, we focused on hiring individuals who thrived in dynamic environments rather than just filling positions based on traditional job descriptions.


Risk Management for the IT Supply Chain

Who are your mission critical vendors? Do they present significant risks (for example, risk of a merger, or going out of business)? Where are your IT supply chain “weak links” (such as vendors whose products and services repeatedly fail)? Are they impairing your ability to provide top-grade IT to the business? What countries do you operate in? Are there technology and support issues that could emerge in those locations? Do you annually send questionnaires to vendors that query them so you can ascertain that they are strong, reliable and trustworthy suppliers? Do you request your auditors periodically review IT supply chain vendors for resiliency, compliance and security? ... Most enterprises include security and compliance checkpoints on their initial dealings with vendors, but few check back with the vendors on a regular basis after the contracts are signed. Security and governance guidelines change from year to year. Have your IT vendors kept up? When was the last time you requested their latest security and governance audit reports from them? Verifying that vendors stay in step with your company’s security and governance requirements should be done annually. ... Although companies include their production supply chains in their corporate risk management plans, they don’t consistently consider the IT supply chain and its risks.


IT infrastructure: Inventory before AIOps

Even if the advantages are clear, the right story is also needed internally to initiate an introduction. Benedikt Ernst from the IBM spin-off Kyndryl sees a certain “shock potential,” especially in the financial dimension, which is ideally anticipated in advance: “The argumentation of costs is crucial because the introduction of AIOps is, of course, an investment in the first instance. Organizations need to ask themselves: How quickly is a problem detected and resolved today? And how does an accelerated resolution affect operating costs and downtime?” In addition, there is another aspect that he believes is too often overlooked: “Ultimately, the introduction of AIOps also reveals potential on the employee side. The fewer manual interventions in the infrastructure are necessary, the more employees can focus on things that really require their attention. For this reason, I see the use of open integration platforms as helpful in making automation and AIOps usable across different platforms.” Storm Reply’s Henckel even sees AIOps as a tool for greater harmony: “The introduction of AIOps also means an end to finger-pointing between departments. With all the different sources of error — database, server, operating system — it used to be difficult to pinpoint the cause of the error. AIOps provides detailed analysis across all areas and brings more harmony to infrastructure evaluation.”


Navigating Supply Chain Risk in AI Chips

The fragmented nature of semiconductor production poses significant challenges for supplier risk management. Beyond the risk posed by delays in delivery or production, which can disrupt operations, such a globalized and complex supply chain poses challenges from a regulatory angle. Chipmakers must take full responsibility for ensuring compliance at every level by thoroughly monitoring and vetting every entity in the supply chain for risks such as forced labor, sanctions violations, bribery, and corruption. ... Many companies are diversifying their supplier base, increasing local procurement efforts, and using predictive modeling to better anticipate demand to address the risk of disruption triggered by delays in delivery or operations. By leveraging advanced data analytics and securing multiple supply routes, businesses can increase resilience to external shocks and mitigate the risk of supply chain delays. Additionally, firms can incorporate a “value at risk” model into supply chain and operational risk management frameworks. This approach quantifies the financial impact of potential supply chain disruptions, helping chipmakers prioritize the most critical risk areas. ... The AI chip supply chain is a cornerstone of modern innovation, but due to its global and interdependent nature, it is inherently complex.


Charting the AI-fuelled evolution of embedded analytics

The idea behind embedded analytics is to negate a great deal of the friction around data insights. In theory, line-of-business users have been able to view relevant insights for a long time, by allowing them to import data into the self-service business intelligence (SSBI) tool of their choice. In practice, this disrupts their workflow and interrupts their chain of thought, so a lot of people choose not to make that switch. They’re even less likely to do so if they have to manually export and migrate the data to a different tool. That means they’re missing out on data insights, just when they could be the most valuable for their decisions. Embedded analytics delivers all the charts and insights alongside whatever the user is working on at the time – be it an accounting app, a CRM, a social media management platform or whatever else – which is far more useful. “It’s a lot more intuitive, a lot more functional if it’s in the same place,” says Perez. “Also, generally speaking, the people who use these types of business apps are non-technical, and so the more complicated you make it for them to get to the analysis, the less of it they’ll do.” ... So far, so impressive. But Perez emphasises that there are a number of barriers to embedded analytics utopia. Businesses need to bear these in mind as they seek to develop their own solutions or find providers who can deliver them.


Open source software vulnerabilities found in 86% of codebases

jQuery, a JavaScript library, was the most frequent source of vulnerabilities, as eight of the top 10 high-risk vulnerabilities were found there. Among scanned applications, 43% contained some version of jQuery — oftentimes, an outdated version. An XSS vulnerability affecting outdated versions of jQuery, called CVE-2020-11023, was the most frequently found high-risk vulnerability. McGuire remarks, “There’s also an interesting shift towards web-based and multi-tenant (SaaS) applications, meaning more high-severity vulnerabilities (81% of audited codebases). We also observed an overwhelming majority of high severity vulnerabilities belonging to jQuery.” ... McGuire explains, “Embedded software providers are going to be increasingly focused on the quality, safety and reliability of the software they build. Looking at this year’s data, 79% of the codebases were using components whose latest versions had no development activity in the last two years. This means that these dependencies could become less reliable, so industries, like aerospace and medical devices should look to identify these in their own codebases and start moving on from them.” ... “Enterprise regulated organizations are being forced to align with numerous requirements, including providing SBOMs with their applications. If an SBOM isn’t accurate, it’s useless,” McGuire states.


A 5-step blueprint for cyber resilience

Many claim to practice developer security operations, or DevSecOps, by testing software for security flaws at every stage. At least that's the theory. In reality, developers are under constant pressure to get software into production, and DevSecOps can be an impediment to meeting deadlines. "You hear all these people saying, 'Yes, we're doing DevSecOps,' but the reality is, a lot of people aren't," says Lanowitz. "If you're really focused on being secure by design, you're going to want to do things right from the beginning, meaning you're going to want to have your network architecture correct, your software architecture correct." ... "We have to be able to speak the language of the business," says Lanowitz. "Break down the silos that exist in the organization, get the cyber team and the business team talking, [and] align cybersecurity initiatives with overarching business initiatives." Again, executive leadership needs to point the way, but it often needs convincing. Compliance is a great place to start, because most industries have rules, laws, or insurance providers that mandate a basic level of cybersecurity. ... The more eyes you have on a cybersecurity problem, the more quickly a solution can be found. Because of this, even large companies rely on external managed service providers (MSPs), managed security service providers (MSSPs), managed detection and response (MDR) providers, consultants and advisors.
