The tooling is critical. If you have a solid, well-tested pipeline with code reviews that include infrastructure code, then you are already ticking a lot of the boxes and can iterate faster. This means you can be more secure by responding faster to issues. Sharing ownership of DEV/QA with Operations and Dev teams means any concerns on security or performance are raised faster, and you expose Operations teams to the challenges faced by Engineering when environments are different. The tool chain now available means it’s easier to share, and these are significant improvements for compliance, particularly if automation means little to no production access. Why would you need it if logging and instrumentation give you all the insight you need? In a container world the notion of RDP or SSH to systems doesn’t make sense anymore unless you’re dealing with state and data, where things can get a little more complex.
One is that there are a lot of instances where we allowed the culture to drive the security governance, and, a lot of the time, we found ourselves behind the adversary. You have to let security governance drive things -- for example, with multifactor authentication. There may be a better way of doing that, but when we let the culture in a company or agency drive security governance or innovation, that's a problem. The second thing that I learned was that there really isn't a lot of difference between there and here. ... Xerox has no nuclear secrets, but hackers are still attacking us and trying to get data using the same tools and technology. What they want to get is different, but how they get it is the same. All organizations have unique aspects, but when you peel it back and look at the way the attackers come in, [it] is largely the same.
Organisations need to look after their information assets with the utmost care because they are responsible for their safekeeping as custodians. GDPR is a great reminder to businesses that people lend their information and organisations have a responsibility to look after it. It’s not just about confidentiality, it’s about integrity, accuracy and availability – and it’s just plain good business practice. If you’re managing customer information in a fit and proper way, then requests for that information – known as subject access requests – are nothing to fear. GDPR is expected to lead to a significant increase in consumers submitting subject access requests, which require businesses to disclose copies of the data they hold on individuals. If a company has done all the right work, finding and disclosing information for a subject access request will be easy to do, and there should be a streamlined approach in place for this.
If all cars on the road were autonomous, accidents would decline, Ramsey told TechRepublic after the Uber accident. "While they are mixed together, the inflexibility of computers may lead to accidents that wouldn't have happened before even as some other accidents are prevented," he said. In May 2016, a Tesla driver was killed in an accident while the car was operating in its semi-autonomous Autopilot mode. A US Department of Transportation investigation did not identify any defects in design or performance of the Autopilot system. According to data released by Tesla during the investigation, Autopilot has lowered the number of crashes among its drivers by 40%. It remains to be seen if these accidents will hinder self-driving efforts moving forward.
“In industry, 95 percent of your time is spent operating on the thing that you’re currently engaged in,” Banks says. “In the military, even if you’re in the midst of combat operation, you will still conduct these training exercises to continue building capacity. Imagine if a company was in the midst of delivering goods and services to its customers. Yet it still created some scenarios—like, what would HR have to do in order to merge systems associated with an acquisition?—and ran through them via a short-duration exercise while also meeting its external obligations.” Some businesses have begun to latch onto this idea, creating innovation incubators that let them experiment in real time, or even sending employees to immersive, multiple-day business simulations. Banks expects more organizations will soon follow suit.
There are now several prominent examples of how things can go wrong. Earlier this year, global law firm DLA Piper was hit by a strain of ransomware that forced management to shut down its offices for several days while IT dealt with the problem. In 2016, a breach referred to as the Panama Papers entailed a massive document disclosure of 2.6 terabytes of data from Panamanian-based law firm Mossack Fonseca. German newspaper Süddeutsche Zeitung got hold of the documents, resulting in coverage of celebrities' and politicians' financial transactions and other personal details. If events like these have a silver lining, it is the possibility that other firms might learn from them in hopes of avoiding the same fate. Here are four best practices law firms should consider as they seek to make information security a higher priority:
Despite the huge numbers, only seven percent of credentials exposed in data breaches match the password currently being used by its billion Gmail users, whereas a quarter of 3.8 million credentials exposed in phishing attacks match the current Google password. The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect. Phishing kits contain prepackaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking. They're often uploaded to compromised websites, and automatically email captured credentials to the attacker's account.
Generally, an API marketplace comprises several components. In a typical scenario, producers first publish APIs, and these are then catalogued and displayed via an API developer portal. This encourages consumers of the APIs to access the developer portal directly or indirectly (via system APIs for instance) to find, discover, and explore them. The developer portal displays different types of APIs, grouped by division, category, type etc. With specific APIs, users can then test and subscribe to them. ... Successfully implementing a marketplace requires taking a more advanced approach to implementing some aspects of the API management system, most notably the API developer portal and analytics. At the same time, organizational practices will also play an important role in establishing a highly functional marketplace.
People are starting to understand that we can hand off cognitive tasks -- not just physical tasks -- that we used to ask experts to do. They're not exactly robotic tasks; they're very difficult tasks. For example, if you look at the oil and gas industry, a lot of oil and gas discovery is reading seismic responses. These things are monochrome; they look like a bunch of waves on a piece of paper. It's going to take a geoscientist with years of experience to recognize the pattern. What they're really doing is mentally extracting a set of features from the data, making some inferences about it and then trying to interpolate that against other forms of information. That other information includes things like maps, other types of surveys or even just information from local people who say, 'Once upon a time, there was a legend that there were puddles of oil in the ground there.'
A report last month by the Information Systems Security Association (ISSA) and the IT analyst firm Enterprise Strategy Group (ESG) shed light on the scope of the problem and offered guidelines to businesses for easing the skill crunch. This was the second year in a row that the two organizations have partnered to conduct the study, and the results depict a widespread business problem that is becoming more severe. Nearly three-fourths (70%) of the ISSA and ESG survey respondents indicate that the shortage of people with cyber-security skills has had an impact on their organization. Yet 62% of them also concede that they are falling behind in providing an adequate level of training for their data security personnel. And that figure is up almost 10 percent from last year’s study.
Quote for the day:
"Leaders must know where they are going if they expect others to willingly join them on the journey." -- Kouzes & Posner