While government dominates the industries purchasing for IoT, telecom, technology, and cloud service providers aren’t far behind. Every industry, in fact, had a pretty good purchase rate for the previous twelve months, indicating there’s a lot more work going on with IoT than is obvious if you’re only watching the consumer space. Much of what’s going on is in the infrastructure: in the network that provides connectivity, and in the back-end applications that manage, meter, monitor, secure, and interact with those cute little chips embedded in your kid’s favorite teddy bear. Like any app or client (because that’s really what these remote things are, clients) there is a basic set of services they need in order to operate consistently, predictably, and reliably. Namely, they need services that enable security, delivery, and visibility.
Typically, stateful applications rely on files on the host, according to Thiruvengadam, and are common in enterprise private cloud scenarios where remote storage of state information in repositories such as Simple Storage Service is not in use. That point of view is typical of a startup that built its IT architecture from scratch, countered Chris Riley, a founding partner at HKM Consulting LLC, in Rochester, Mass. Enterprises running in Amazon Web Services have the option of storing configuration files in Amazon's Elastic File System as external storage for stateful applications, he added. "In the real world, there are still a lot of applications that use file systems for config files, and if you're not building apps yourself and you're leveraging those systems, you have to be aware of host volumes," Riley said.
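Riley's point about host volumes has a concrete check behind it: a container that reads its config from the host is a container with a bind mount, and bind mounts are where a private-cloud deployment quietly hands host paths to application code. The audit below is an added example (not code from the article or from Zenefits' Duplo) that walks the JSON printed by `docker inspect`, ignores Docker-managed named volumes, and flags bind mounts that are writable or that expose a sensitive host path. The list of sensitive prefixes and the sample inspect record are constructed assumptions for illustration.

```python
"""Audit a container's host bind mounts from `docker inspect` output.

Added example, not code from the article. The inspect record below is a
constructed sample, not real output from any system named in the article,
and SENSITIVE_HOST_PREFIXES is an assumed rule set for illustration.
"""
import json
import sys

# Host paths that should never reach an application container without a
# deliberate decision (assumed list; extend for your own environment).
SENSITIVE_HOST_PREFIXES = (
    "/var/run/docker.sock",  # effectively root on the host
    "/etc",                  # host configuration, key material, shadow file
    "/root",
    "/proc",
    "/sys",
)

# Constructed sample in the shape `docker inspect <container>` prints:
# a read-only config mount (fine), a writable mount of host key material (bad),
# a Docker-managed named volume (skipped), and the Docker socket (bad).
SAMPLE_INSPECT = json.dumps([{
    "Id": "abc123",
    "Name": "/payroll-api",
    "Mounts": [
        {"Type": "bind", "Source": "/srv/payroll/config",
         "Destination": "/app/config", "Mode": "ro", "RW": False,
         "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/etc/ssl/private",
         "Destination": "/certs", "Mode": "", "RW": True,
         "Propagation": "rprivate"},
        {"Type": "volume", "Name": "payroll-state",
         "Source": "/var/lib/docker/volumes/payroll-state/_data",
         "Destination": "/app/state", "Driver": "local", "Mode": "z",
         "RW": True, "Propagation": ""},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "", "RW": True,
         "Propagation": "rprivate"},
    ],
}])


def is_sensitive(host_path):
    """True if host_path is, or lies under, one of the sensitive prefixes."""
    return any(host_path == p or host_path.startswith(p.rstrip("/") + "/")
               for p in SENSITIVE_HOST_PREFIXES)


def audit_mounts(inspect_json):
    """Return (container, host_path, container_path, reason) for each finding.

    Only Type == "bind" mounts are examined: named volumes live under Docker's
    own directory and do not expose arbitrary host state to the application.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", container.get("Id", "?")).lstrip("/")
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            src, dst = m["Source"], m["Destination"]
            writable = bool(m.get("RW", True))
            if is_sensitive(src):
                reason = "sensitive host path" + (", writable" if writable else "")
                findings.append((name, src, dst, reason))
            elif writable:
                findings.append((name, src, dst,
                                 "writable bind mount (use :ro or a named volume)"))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: docker inspect $(docker ps -q) | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, src, dst, reason in audit_mounts(data):
        print(f"{name}: {src} -> {dst}: {reason}")
```

The read-only config mount produces no finding, which is the shape Riley describes as acceptable: the application can still read its config file from the host, but cannot turn a compromised process into a writer of host state. Run it against `docker inspect $(docker ps -q)` to cover every running container on a host at once.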
In the wild, the most common attacks would be social engineering, typically involving some sort of email phishing campaign where the attacker sends an email that looks like it’s from a legitimate organization, or maybe from the company itself, and gets a user to click on a link. That link either asks them to type in their user name and password or opens up a document or something else that exploits the workstation, and then the attacker goes from there. That’s what is typically used in ransomware attacks. The human element tends to be one of the hardest things to secure. ... The percentage rate for clicking on the original email was probably closer to 50%. On most engagements we see 25%-30% actually log in so we can capture credentials, and maybe 20% go through the entire process. Still, in a large organization that’s a really high percentage of users.
Don't believe for a second that Shade has left the party. It's all part of a larger plan to extort as much money from victims as possible. Shade downloads none other than Teamspy, a bot which uses the TeamViewer 6 remote control utility to communicate with a command-and-control (C&C) server and receive a number of commands, including the ability to start/stop audio and video, download a file from a URL provided by the C&C, and enable remote control. ... Once they know how much money their victims can afford, the attackers can command Teamspy to download a tried-and-true locker version of Shade onto the victim's computer. That encryptor in turn demands a customized ransom amount from the victim, all in an effort to increase the likelihood (and amount) that the victim will pay.
"The key to making the technology work is to take the human component out of the mix," says Tim Crawford, former CIO and current strategic adviser with AVOA, which helps companies worldwide connect the dots between today's technologies and tomorrow's state-of-the-art innovation. "The sources of data—sensors for water levels, for instance—can create a heat map of the city's water supply issues. These systems automatically know where the hot spots are during a rain storm and can quickly dispatch the nearest trucks with the necessary equipment to eliminate flooding. There's no need for any human to get involved. You eliminate human error and increase response times all at once."
The challenges posed here are immense. Not only is there an extremely large amount of data being created every day, but businesses still need to manage and leverage their huge store of old data. This stored wealth is not static, because every bit of data possesses a lifecycle through which it must be monitored, modified, shared, stored and eventually destroyed. The growing adoption and use of cloud computing technologies adds even more complexity to this mosaic. Another widely unappreciated reality being highlighted in boardrooms everywhere is how these changes are affecting business risk and internal information technology governance. Broadly lumped into cybersecurity, the sparsity of legal precedent in this domain is coupled almost daily with a need for headline-driven, rapid-fire business decisions.
According to a draft policy paper seen by the Financial Times, the likes of WhatsApp, owned by Facebook, and Skype, owned by Microsoft, would have to abide by “security and confidentiality provisions”. The policy paper, which is due in September, also outlines how these “over-the-top” services – where voice calls and messages are delivered via the internet – would have to comply with requests from security services, as well as regulating how they can make money from customer data. ... “Trying to replicate regulations that were done for a completely different media in a completely different age is well-nigh impossible,” she said, adding that the plans showed the gulf in views on internet regulation between the US and Europe.
Despite what one might think, both the UNIX and POSIX standards are continually under development still even today. The community for each is very active—meeting more than 40 times a year to continue developing the specifications. Things are always changing, so there are new areas of functionality to standardize. The standard is also large so there is a lot of maintenance and ways to improve clarity and portability across systems. Although it might seem that once a technology becomes standardized it becomes static, standardization usually has the opposite effect—once there is a standard, the market tends to grow even more because organizations know that the technology is trusted and stable enough to build upon. Once the platform is there, you can add things to it and run things above it. We have about 2,000 application interfaces in UNIX today.
Interestingly enough, there are two types of attacks that do not require a technical vulnerability to be exploited for an attack to be successful. These are DDoS and social engineering. The latter is the focus of this paper. The simplest way to explain how attackers exploit users to gain unauthorised access to an organisation is to look at the kill chain and understand how an attacker gets a foothold into an organisation’s network for nefarious purposes. As an example, ransomware / malware attacks usually are deployed using methods that require a user to click on a link or similar that then downloads a malicious payload onto their network-connected desktop machine. Once the malware is deployed, the attacker then uses the desktop that they now control to gain further access into the network.
Duplo is heavily influenced by PaaS systems, particularly Microsoft Azure, where Zenefits principal engineer Venkat Thiruvengadam once worked. However, unlike PaaS offerings from service providers that abstract infrastructure completely away from the user organization, Duplo allows Zenefits' infrastructure administrators to set policies for underlying resources, including the orchestration of monitoring tools. Thiruvengadam says he finds programmable infrastructure a happy medium between automated configuration tools, which he feels don't have a broad enough scope, and full-fledged PaaS, which he sees as too prescriptive. Programmable infrastructure "is a middle ground," Thiruvengadam said. "It can set up the infrastructure by implicitly reading the application needs and providing a declarative interface to application teams ..."
Quote for the day:
"Things get done only if the data we gather can inform and inspire those in a position to make a difference." -- Mike Schmoker