Business and IT leaders may want a trusted partner to manage their entire technology environment. By expanding the scope of an existing deal, the customer can retain integrated performance standards and service levels for the entire environment and maintain streamlined governance processes. It also may be a way to minimize any transition or termination costs. However, the integration of disruptive technologies into an existing sourcing arrangement can present a number of new challenges, says Linda Rhodes, partner in the Washington, D.C. office of law firm Mayer Brown. “The contractual rights and protections available to the client in important areas — such as control rights, approval rights, audit rights, intellectual property ownership rights and post-termination rights—are likely to be different in many respects,” Rhodes says.
“Smile, there is nothing ice cream can’t solve.” Despite going to great efforts, T-shirt sayings rarely catch the real mood of our times, but this one is something special. For one, it is true, and for two, it dovetails neatly as a great example of why one of the biggest technology trends of the past couple of years actually exists. The internet of things (IoT) has had a lot of hype, some of it justifiable and some of it misdirected. It is still climbing the slope of expectation on Gartner’s Hype Cycle, and while numerous analyst reports throw around big-number forecasts about future IoT device market penetration, the reality is that in most sectors it still needs a viable use case. But things are changing, certainly in the industrial space. At Dell EMC World in Austin, Texas last month, one booth was dedicated to showing how collaboration through IoT can work to make ice cream manufacture more efficient.
Developing greater resilience in our critical infrastructure systems requires addressing several interrelated factors. On a broad scale, we must identify, assess and address risks while creating continuity practices to ensure essential services are still available when disruptions occur. The best way to contribute to this resilience, from a cybersecurity standpoint, is to build a more resilient cyber threat prevention strategy. One that can adapt to the changing threat landscape to stay a step ahead of attackers’ plans. Such a strategy must begin with the most common entry point for attackers – the endpoint. Other than the recently disclosed nuclear plant breach, for which we have no details, all of the above examples have one thing in common – the attack began at the endpoints. Take the case of attacks on the power grid.
“The DDoS attack is most effective against targets that are inherently dependent on internet communications and the ICS/SCADA (Supervisory Control and Data Acquisition) environment is just not engineered to operate with that sort of dependency,” he said. According to Gabe Gumbs, vice president of product strategy at Spirion, “the IoT should be strictly defined as consumer-connected devices. Much of critical infrastructure is connected, but it is not consumer-grade technology. Organizations that own things like SCADA systems are invested in securing them, in stark contrast to the consumer end of the spectrum.” And Robert M. Lee, CEO of Dragos, said while there are still ICS assets on the internet – “too many, to be honest” – a lot of them are not.
For their part, consumers must first recognise that they are partly to blame for the lack of security in the IoT industry. With customers focused on ease of installation and use rather than security, there is no incentive for manufacturers to make more secure devices, and they will go out of their way to avoid disenchanting users. While it is the duty of manufacturers to build frictionless security into their devices, customers must come to accept that increasingly connected lives will warrant a change of culture at the consumer level. This effectively means that consumers must understand that connecting vulnerable devices to the internet will harm not only the owner but all internet users in general. Therefore they should hold companies to account for insecure devices and be mindful of the security of the devices they purchase.
A Trump administration has a “greater likelihood” than the Obama administration of supporting legislation that will force tech companies to break into their customers' encrypted data when ordered by a judge, Rosenthal said. “You have a commander-in-chief, who said at least on the campaign trail he’s more favorable towards a backdoor regime,” Rosenthal said. Earlier this year, one such bill was proposed that met with staunch opposition from privacy advocates. However, in the aftermath of another terrorist attack, Congress might choose to push aside those concerns and pass legislation drafted without the advice of Silicon Valley, he said. Rosenthal said U.S. law enforcement needs surveillance tools to learn about terrorist plots, and that’s where the tech industry can help.
The University of Wisconsin–Madison developed audience-specific education training as part of its five-year Cybersecurity Strategy plan in 2015. One of the plan’s top strategic objectives was to “Build a community of experts and improve institutional user competence through security education, training and awareness.” The plan calls for IT security staff to develop group-specific education for professors, researchers, business staff and IT professionals. To address the need for ongoing education about phishing attempts in particular, the plan also calls for quarterly phishing campaigns. Most important, the university measures campaign results to ensure that the ultimate goal — reducing the number of users who respond to phishing attempts — is being achieved.
Staff running the simulations can tune them on the fly to make the situation more or less complicated to suit the group carrying out the exercise. “We don’t want them to fail but we want them to be challenged,” says Caleb Barlow, IBM Security’s vice president of portfolio marketing. Scenarios can be spiced up with interjections – unexpected new developments that complicate matters. For example, word might come in that a nosey reporter has gotten wind of details about the attack or that the CEO is angry about how the response is going and creating more problems than they are solving. The range includes a TV interview studio where an actor plays a reporter who grills participants about the breach that has affected the fake business set up for the simulation.
New research paints a somewhat bleak picture of network performance. Outages are frequent. Hours typically pass before an issue is reported and resolved. Protective measures are manual and error-prone. The source of the data is a survey of 315 network pros at midsize and large enterprises. The survey was sponsored by Veriflow, a San Jose, Calif.-based startup that aims to minimize the risk of network vulnerabilities and outages. Veriflow’s software is designed to catch network problems before they happen by predicting possible network-wide behavior and continually verifying that a network model adheres to an enterprise’s security and resilience policies. The survey results are interesting
Many open source projects were originally created because the developers themselves needed a solution for their own use, and then chose to release the code as open source. This can happen when an individual or a company doesn't really want to be in the software business but wants to provide value to others for free. Sometimes, they hope that by releasing their project as open source, they can multiply their development resources for free, without having to hire more coders. Other open source projects begin in educational or nonprofit organizations, or as a result of a hobby project. No matter what, a piece of software comes into being with an open code base, but without the need for a business plan guaranteeing an income stream. For this model, no promise of ROI is needed before investing in the software.
Quote for the day:
"The sharpest criticism often goes hand in hand with the deepest idealism and love of country." -- Robert F. Kennedy